lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2024030404-conjoined-unlined-05c0@gregkh>
Date: Mon, 4 Mar 2024 11:55:08 +0100
From: Greg KH <gregkh@...uxfoundation.org>
To: Rui Qi <qirui.001@...edance.com>
Cc: bp@...en8.de, mingo@...hat.com, tglx@...utronix.de, hpa@...or.com,
	jpoimboe@...hat.com, peterz@...radead.org, mbenes@...e.cz,
	stable@...r.kernel.org, alexandre.chartre@...cle.com,
	x86@...nel.org, linux-kernel@...r.kernel.org, yuanzhu@...edance.com
Subject: Re: [PATCH v2 0/3] Support intra-function call validation

On Mon, Mar 04, 2024 at 11:41:46AM +0100, Greg KH wrote:
> On Wed, Feb 28, 2024 at 10:45:32AM +0800, Rui Qi wrote:
> > Since kernel version 5.4.217 LTS, there has been an issue with the kernel live patching feature becoming unavailable. 
> > When compiling the sample code for kernel live patching, the following message is displayed when enabled:
> > 
> > livepatch: klp_check_stack: kworker/u256:6:23490 has an unreliable stack
> > 
> > Reproduction steps:
> > 1.git checkout v5.4.269 -b v5.4.269
> > 2.make defconfig
> > 3. Set CONFIG_LIVEPATCH=y态CONFIG_SAMPLE_LIVEPATCH=m
> > 4. make -j bzImage
> > 5. make samples/livepatch/livepatch-sample.ko
> > 6. qemu-system-x86_64 -kernel arch/x86_64/boot/bzImage -nographic -append "console=ttyS0" -initrd initrd.img -m 1024M
> > 7. insmod livepatch-sample.ko
> > 
> > Kernel live patch cannot complete successfully.
> > 
> > After some debugging, the immediate cause of the patch failure is an error in stack checking. The logs are as follows:
> > [ 340.974853] livepatch: klp_check_stack: kworker/u256:0:23486 has an unreliable stack
> > [ 340.974858] livepatch: klp_check_stack: kworker/u256:1:23487 has an unreliable stack
> > [ 340.974863] livepatch: klp_check_stack: kworker/u256:2:23488 has an unreliable stack
> > [ 340.974868] livepatch: klp_check_stack: kworker/u256:5:23489 has an unreliable stack
> > [ 340.974872] livepatch: klp_check_stack: kworker/u256:6:23490 has an unreliable stack
> > ......
> > 
> > BTW,if you use the v5.4.217 tag for testing, make sure to set CONFIG_RETPOLINE = y and CONFIG_LIVEPATCH = y, and other steps are consistent with v5.4.269
> > 
> > After investigation, The problem is strongly related to the commit 8afd1c7da2b0 ("x86/speculation: Change FILL_RETURN_BUFFER to work with objtool"),
> > which would cause incorrect ORC entries to be generated, and the v5.4.217 version can undo this commit to make kernel livepatch work normally. 
> > It is a back-ported upstream patch with some code adjustments,from the git log, the author also mentioned no intra-function call validation support.
> > 
> > Based on commit 6e1f54a4985b63bc1b55a09e5e75a974c5d6719b (Linux 5.4.269), This patchset adds stack validation support for intra-function calls, 
> > allowing the kernel live patching feature to work correctly.
> > 
> > Alexandre Chartre (2):
> >   objtool: is_fentry_call() crashes if call has no destination
> >   objtool: Add support for intra-function calls
> > 
> > Rui Qi (1):
> >   x86/speculation: Support intra-function call validation
> > 
> >  arch/x86/include/asm/nospec-branch.h          |  7 ++
> >  include/linux/frame.h                         | 11 ++++
> >  .../Documentation/stack-validation.txt        |  8 +++
> >  tools/objtool/arch/x86/decode.c               |  6 ++
> >  tools/objtool/check.c                         | 64 +++++++++++++++++--
> >  5 files changed, 91 insertions(+), 5 deletions(-)
> 
> All now queued up, thanks!

Nope, these break the build:

./arch/x86/include/asm/nospec-branch.h:313: Error: no such instruction: `unwind_hint_empty'
./arch/x86/include/asm/nospec-branch.h:313: Error: no such instruction: `unwind_hint_empty'

How did you test them?  I'll go drop them from the queue now, sorry.
Please fix them up and resend when you have something that works.

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ