lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <SN6PR12MB2702AC3C27D25414FE4260F994D4A@SN6PR12MB2702.namprd12.prod.outlook.com>
Date:   Thu, 19 Oct 2023 14:21:40 +0000
From:   "Kaplan, David" <David.Kaplan@....com>
To:     Borislav Petkov <bp@...en8.de>,
        Josh Poimboeuf <jpoimboe@...nel.org>
CC:     Ingo Molnar <mingo@...nel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-tip-commits@...r.kernel.org" 
        <linux-tip-commits@...r.kernel.org>,
        "Peter Zijlstra (Intel)" <peterz@...radead.org>,
        "x86@...nel.org" <x86@...nel.org>,
        David Howells <dhowells@...hat.com>
Subject: RE: [tip: x86/bugs] x86/retpoline: Ensure default return thunk isn't
 used at runtime

[AMD Official Use Only - General]

> -----Original Message-----
> From: Borislav Petkov <bp@...en8.de>
> Sent: Thursday, October 19, 2023 9:15 AM
> To: Josh Poimboeuf <jpoimboe@...nel.org>
> Cc: Ingo Molnar <mingo@...nel.org>; linux-kernel@...r.kernel.org; linux-tip-
> commits@...r.kernel.org; Kaplan, David <David.Kaplan@....com>; Peter
> Zijlstra (Intel) <peterz@...radead.org>; x86@...nel.org; David Howells
> <dhowells@...hat.com>
> Subject: Re: [tip: x86/bugs] x86/retpoline: Ensure default return thunk isn't
> used at runtime
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> On Wed, Oct 18, 2023 at 11:59:28PM -0700, Josh Poimboeuf wrote:
> > One last idea, since the return thunk is used everywhere (even non-ABI
> > compliant functions) it might be possible the "call check_thunks" (and
> > its call to warn_printk) is clobbering some registers which some code
> > (exception handling entry code?) doesn't appreciate.
>
> Yeah, that is still unclean, I'd say. gcc doesn't know that we patch in a CALL insn
> in the alternative. What should work is to have
>
>         alternative_call
>
> there which alternates between two calls and gcc knows there's a call so it can
> act accordingly wrt callee-* regs.
>
> Considering how __x86_return_thunk is there only until alternatives have run,
> we could do something like
>
>         ALTERNATIVE_CALL nop, check_thunks
>
> where nop is a function which doesn't do anything.
>
> I say "ALTERNATIVE_CALL" because we don't have a _CALL asm macro yet.
>
> And then in check_thunks() we can do all kinds of screaming, tainting and
> setting mitigation status to vulnerable, etc.
>
> Anyway something along those lines.

The return thunk is used for all functions though, including assembly coded functions which may use non-standard calling conventions and aren't visible to gcc.  I think the only safe thing would be to preserve all GPRs across the call to check_thunks.  Something like PUSH_REGS/call check_thunks/POP_REGS.

--David Kaplan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ