lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20241105104020.GC10375@noisy.programming.kicks-ass.net>
Date: Tue, 5 Nov 2024 11:40:20 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: x86@...nel.org
Cc: linux-kernel@...r.kernel.org, alyssa.milburn@...el.com,
	scott.d.constable@...el.com, joao@...rdrivepizza.com,
	andrew.cooper3@...rix.com, jpoimboe@...nel.org,
	jose.marchesi@...cle.com, hjl.tools@...il.com,
	ndesaulniers@...gle.com, samitolvanen@...gle.com, nathan@...nel.org,
	ojeda@...nel.org, kees@...nel.org, alexei.starovoitov@...il.com
Subject: Re: [PATCH 09/14] x86/ibt: Implement IBT+

On Fri, Sep 27, 2024 at 09:49:05PM +0200, Peter Zijlstra wrote:

> +#ifdef CONFIG_X86_KERNEL_IBT_PLUS
> +__init_or_module void apply_direct_call_offset(s32 *start, s32 *end)
> +{
> +	s32 *s;
> +
> +	/*
> +	 * incompatible with call depth tracking
> +	 */
> +	if (cpu_feature_enabled(X86_FEATURE_CALL_DEPTH))
> +		return;
> +
> +	for (s = start; s < end; s++) {
> +		void *dest, *addr = (void *)s + *s;
> +		struct insn insn;
> +		int ret;
> +
> +		ret = insn_decode_kernel(&insn, addr);
> +		if (WARN_ON_ONCE(ret < 0))
> +			continue;
> +
> +		dest = addr + insn.length + insn.immediate.value;
> +		if (!is_endbr(dest))
> +			continue;
> +
> +		switch (insn.opcode.bytes[0]) {
> +		case CALL_INSN_OPCODE:
> +		case JMP32_INSN_OPCODE:
> +			apply_reloc(4, addr+1, 4);
> +			continue;
> +
> +		case JMP8_INSN_OPCODE:
> +		case 0x70 ... 0x7f: /* Jcc.d8 */
> +			apply_reloc(1, addr+1, 4);
> +			continue;

*sigh*... I have a clang-19 build (thanks 0day) that uses a jmp.d8 +0x7e
as a tail-call, guess how well it goes adding 4 to that :-(

Luckily the next instruction is a giant (alignment) NOP, so I *could* go
fix that up, but perhaps this is pushing things too far ...

> +
> +		case 0x0f:
> +			switch (insn.opcode.bytes[1]) {
> +			case 0x80 ... 0x8f:
> +				apply_reloc(4, addr+2, 4);
> +				continue;
> +
> +			default:
> +				break;
> +			}
> +			break;
> +
> +		default:
> +			break;
> +		}
> +
> +		printk("at: %pS, instruction: %*ph\n", addr, insn.length, addr);
> +		BUG();
> +	}
> +}
> +#else
> +__init_or_module void apply_direct_call_offset(s32 *start, s32 *end) { }
> +#endif

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ