[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <e95bd083-3501-465e-be48-aa8d37f4f55d@oracle.com>
Date: Fri, 29 Mar 2024 14:22:58 +0100
From: Alexandre Chartre <alexandre.chartre@...cle.com>
To: Josh Poimboeuf <jpoimboe@...nel.org>
Cc: linux-kernel@...r.kernel.org, peterz@...radead.org
Subject: Re: [PATCH] objtool/x86: objtool can confuse memory and stack access
On 3/29/24 02:39, Josh Poimboeuf wrote:
> On Thu, Mar 28, 2024 at 02:46:34PM +0100, Alexandre Chartre wrote:
>> The encoding of an x86 instruction can include a ModR/M and a SIB
>> (Scale-Index-Base) byte to describe the addressing mode of the
>> instruction.
>>
>> objtool processes all addressing mode with a SIB base of 5 as having
>> %rbp as the base register. However, a SIB base of 5 means that the
>> effective address has either no base (if ModR/M mod is zero) or %rbp
>> as the base (if ModR/M mod is 1 or 2). This can cause objtool to confuse
>> an absolute address access with a stack operation.
>>
>> For example, objtool will see the following instruction:
>>
>> 4c 8b 24 25 e0 ff ff mov 0xffffffffffffffe0,%r12
>>
>> as a stack operation (i.e. similar to: mov -0x20(%rbp), %r12).
>>
>> [Note that this kind of weird absolute address access is added by the
>> compiler when using KASAN.]
>>
>> If this perceived stack operation happens to reference the location
>> where %r12 was pushed on the stack then the objtool validation will
>> think that %r12 is being restored and this can cause a stack state
>> mismatch.
>>
>> This kind behavior was seen on xfs code, after a minor change (convert
>> kmem_alloc() to kmalloc()):
>>
>>>> fs/xfs/xfs.o: warning: objtool: xfs_da_grow_inode_int+0x6c1: stack state mismatch: reg1[12]=-2-48 reg2[12]=-1+0
>>
>> Reported-by: kernel test robot <lkp@...el.com>
>> Closes: https://lore.kernel.org/oe-kbuild-all/202402220435.MGN0EV6l-lkp@intel.com/
>> Signed-off-by: Alexandre Chartre <alexandre.chartre@...cle.com>
>
> Nice, thanks for finding and debugging this.
>
> Would it make sense to make the check more generic by putting it into
> rm_is()?
>
Yes. Making the change.
Thanks,
alex.
Powered by blists - more mailing lists