lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Mar 2024 18:39:32 -0700
From: Josh Poimboeuf <jpoimboe@...nel.org>
To: Alexandre Chartre <alexandre.chartre@...cle.com>
Cc: linux-kernel@...r.kernel.org, peterz@...radead.org
Subject: Re: [PATCH] objtool/x86: objtool can confuse memory and stack access

On Thu, Mar 28, 2024 at 02:46:34PM +0100, Alexandre Chartre wrote:
> The encoding of an x86 instruction can include a ModR/M and a SIB
> (Scale-Index-Base) byte to describe the addressing mode of the
> instruction.
> 
> objtool processes all addressing mode with a SIB base of 5 as having
> %rbp as the base register. However, a SIB base of 5 means that the
> effective address has either no base (if ModR/M mod is zero) or %rbp
> as the base (if ModR/M mod is 1 or 2). This can cause objtool to confuse
> an absolute address access with a stack operation.
> 
> For example, objtool will see the following instruction:
> 
>  4c 8b 24 25 e0 ff ff    mov    0xffffffffffffffe0,%r12
> 
> as a stack operation (i.e. similar to: mov -0x20(%rbp), %r12).
> 
> [Note that this kind of weird absolute address access is added by the
>  compiler when using KASAN.]
> 
> If this perceived stack operation happens to reference the location
> where %r12 was pushed on the stack then the objtool validation will
> think that %r12 is being restored and this can cause a stack state
> mismatch.
> 
> This kind behavior was seen on xfs code, after a minor change (convert
> kmem_alloc() to kmalloc()):
> 
> >> fs/xfs/xfs.o: warning: objtool: xfs_da_grow_inode_int+0x6c1: stack state mismatch: reg1[12]=-2-48 reg2[12]=-1+0
> 
> Reported-by: kernel test robot <lkp@...el.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202402220435.MGN0EV6l-lkp@intel.com/
> Signed-off-by: Alexandre Chartre <alexandre.chartre@...cle.com>

Nice, thanks for finding and debugging this.

Would it make sense to make the check more generic by putting it into
rm_is()?

-- 
Josh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ