Message-ID: <20240104131210.GDZZauqoeKoZGpYwDd@fat_crate.local>
Date: Thu, 4 Jan 2024 14:12:10 +0100
From: Borislav Petkov <bp@...en8.de>
To: Josh Poimboeuf <jpoimboe@...nel.org>
Cc: "Kaplan, David" <David.Kaplan@....com>, Ingo Molnar <mingo@...nel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"linux-tip-commits@...r.kernel.org" <linux-tip-commits@...r.kernel.org>,
	"Peter Zijlstra (Intel)" <peterz@...radead.org>,
	"x86@...nel.org" <x86@...nel.org>,
	David Howells <dhowells@...hat.com>
Subject: Re: [tip: x86/bugs] x86/retpoline: Ensure default return thunk isn't
 used at runtime

On Wed, Jan 03, 2024 at 07:46:56PM +0100, Borislav Petkov wrote:
> If only I can remember now how we did trigger the warning in the first
> place in order to test it...

Ok, got tired of trying to make it use the default thunk - it seems
kinda hard to do - which is good - or I simply can't think of a good way
to trigger it.

So I went and replaced the jump to the actual thunk:

Dump of assembler code for function default_idle_call:
   0xffffffff8197bda0 <+0>:     nopw   (%rax)
   0xffffffff8197bda4 <+4>:     nop
   ...
   0xffffffff8197bdda <+58>:    xchg   %ax,%ax
   0xffffffff8197bddc <+60>:    sti
   0xffffffff8197bddd <+61>:    nop
   0xffffffff8197bdde <+62>:    jmp    0xffffffff81988420 <srso_return_thunk>

to what it is at build time. I.e., what should *not* happen after
patch_returns() has run:

Dump of assembler code for function default_idle_call:
   0xffffffff8197bda0 <+0>:     nopw   (%rax)
   0xffffffff8197bda4 <+4>:     nop
   ...
   0xffffffff8197bdda <+58>:    xchg   %ax,%ax
   0xffffffff8197bddc <+60>:    sti
   0xffffffff8197bddd <+61>:    nop
   0xffffffff8197bdde <+62>:    jmp    0xffffffff819884a0 <__x86_return_thunk>

and yap, it fires as expected:

[  209.051694] **********************************************************
[  209.053200] **   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
[  209.054435] **                                                      **
[  209.055687] **   unpatched return thunk in use. This should not     **
[  209.056911] **   on a production kernel. Please report this to      **
[  209.058133] **   x86@...nel.org.                                    **
[  209.059367] **                                                      **
[  209.060587] **   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
[  209.061808] **********************************************************
[  209.063064] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W          6.7.0-rc8+ #15
[  209.064527] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[  209.066086] Call Trace:
[  209.066569]  <TASK>
[  209.066975]  dump_stack_lvl+0x36/0x50
[  209.067675]  warn_thunk_thunk+0x1a/0x30
[  209.068405]  do_idle+0x1a5/0x1e0
[  209.069403]  cpu_startup_entry+0x29/0x30
[  209.070147]  rest_init+0xc5/0xd0
[  209.070775]  arch_call_rest_init+0xe/0x20
[  209.071537]  start_kernel+0x425/0x680
[  209.072235]  ? set_init_arg+0x80/0x80
[  209.072931]  x86_64_start_reservations+0x18/0x30
[  209.073803]  x86_64_start_kernel+0xb7/0xc0
[  209.074590]  secondary_startup_64_no_verify+0x175/0x17b
[  209.075584]  </TASK>

Lemme write a proper patch.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
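The check Boris performed by hand above (is any function's return still jumping to the build-time `__x86_return_thunk` rather than the thunk patch_returns() selected at boot?) can be done mechanically over a gdb disassembly dump. The script below is an added example, not code from the mail, from Boris, or from the kernel tree; it assumes the `Dump of assembler code for function ...:` / `0x... <+off>: mnemonic operands` line format shown in the mail, and the two sample dumps are constructed after the mail's output (one function left on the default thunk, one correctly patched to `srso_return_thunk`).

```python
"""Scan gdb-style disassembly for returns that still jump to the default
(unpatched) x86 return thunk.  Added example; assumes the gdb output format
seen in the mail and uses constructed sample dumps."""
import re
from typing import Dict, List

# The build-time default thunk.  After patch_returns() has run, no function
# should still jump here; if one does, the kernel prints the
# "unpatched return thunk in use" notice via warn_thunk_thunk.
DEFAULT_THUNK = "__x86_return_thunk"

FUNC_RE = re.compile(r"^Dump of assembler code for function (\S+):")
# address, offset, mnemonic, remaining operands
LINE_RE = re.compile(r"^\s*(0x[0-9a-f]+)\s+<\+(\d+)>:\s+(\S+)\s*(.*)$")
# symbolic jump target, e.g. "<srso_return_thunk>"
TARGET_RE = re.compile(r"<([A-Za-z_][A-Za-z0-9_]*)>")


def find_default_thunk_jumps(dump: str) -> List[Dict[str, str]]:
    """Return one record per 'jmp' whose symbolic target is DEFAULT_THUNK,
    tagged with the enclosing function name and instruction address."""
    hits: List[Dict[str, str]] = []
    func = "?"
    for line in dump.splitlines():
        m = FUNC_RE.match(line)
        if m:
            func = m.group(1)          # new function header
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                   # "..." elisions, blank lines, etc.
        addr, _off, mnemonic, operands = m.groups()
        if mnemonic != "jmp":
            continue
        t = TARGET_RE.search(operands)
        if t and t.group(1) == DEFAULT_THUNK:
            hits.append({"function": func, "address": addr, "target": t.group(1)})
    return hits


def report(dump: str) -> str:
    """Human-readable verdict for a dump."""
    hits = find_default_thunk_jumps(dump)
    if not hits:
        return "OK: no jumps to %s found" % DEFAULT_THUNK
    return "\n".join(
        "UNPATCHED: %s at %s -> %s" % (h["function"], h["address"], h["target"])
        for h in hits
    )


# Constructed sample: default_idle_call still on the default thunk (the
# situation the mail reproduced), do_idle patched to srso_return_thunk.
SAMPLE_DUMP = """\
Dump of assembler code for function default_idle_call:
   0xffffffff8197bda0 <+0>:     nopw   (%rax)
   0xffffffff8197bda4 <+4>:     nop
   ...
   0xffffffff8197bddc <+60>:    sti
   0xffffffff8197bddd <+61>:    nop
   0xffffffff8197bdde <+62>:    jmp    0xffffffff819884a0 <__x86_return_thunk>
Dump of assembler code for function do_idle:
   0xffffffff81100000 <+0>:     nopw   (%rax)
   0xffffffff81100010 <+16>:    jmp    0xffffffff81988420 <srso_return_thunk>
"""

# Constructed sample: everything patched, as expected on a production kernel.
PATCHED_DUMP = """\
Dump of assembler code for function default_idle_call:
   0xffffffff8197bda0 <+0>:     nopw   (%rax)
   0xffffffff8197bdde <+62>:    jmp    0xffffffff81988420 <srso_return_thunk>
"""

if __name__ == "__main__":
    print(report(SAMPLE_DUMP))
    print(report(PATCHED_DUMP))
```

Feeding it the output of `disassemble` over the functions of interest gives a list of every site that would trigger the notice, without having to boot the kernel and wait for the idle path to hit one.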