lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <dc7c570e-153e-4e46-ae40-d1590682d50c@citrix.com>
Date: Wed, 19 Feb 2025 17:31:39 +0000
From: Andrew Cooper <andrew.cooper3@...rix.com>
To: Peter Zijlstra <peterz@...radead.org>, x86@...nel.org
Cc: linux-kernel@...r.kernel.org, alyssa.milburn@...el.com,
 scott.d.constable@...el.com, joao@...rdrivepizza.com, jpoimboe@...nel.org,
 jose.marchesi@...cle.com, hjl.tools@...il.com, ndesaulniers@...gle.com,
 samitolvanen@...gle.com, nathan@...nel.org, ojeda@...nel.org,
 kees@...nel.org, alexei.starovoitov@...il.com, mhiramat@...nel.org,
 jmill@....edu
Subject: Re: [PATCH v3 07/10] x86/ibt: Add paranoid FineIBT mode

On 19/02/2025 4:21 pm, Peter Zijlstra wrote:
> --- a/arch/x86/include/asm/cfi.h
> +++ b/arch/x86/include/asm/cfi.h
> @@ -1116,6 +1129,52 @@ extern u8 fineibt_caller_end[];
>  
>  #define fineibt_caller_jmp (fineibt_caller_size - 2)
>  
> +/*
> + * Since FineIBT does hash validation on the callee side it is prone to
> + * circumvention attacks where a 'naked' ENDBR instruction exists that
> + * is not part of the fineibt_preamble sequence.
> + *
> + * Notably the x86 entry points must be ENDBR and equally cannot be
> + * fineibt_preamble.
> + *
> + * The fineibt_paranoid caller sequence adds additional caller side
> + * hash validation. This stops such circumvetion attacks dead, but at the cost
> + * of adding a load.
> + *
> + * <fineibt_paranoid_start>:
> + *  0:   41 ba 78 56 34 12       mov    $0x12345678, %r10d
> + *  6:   45 3b 53 f7             cmp    -0x9(%r11), %r10d
> + *  a:   4d 8d 5b <f0>           lea    -0x10(%r11), %r11
> + *  e:   75 fd                   jne    d <fineibt_paranoid_start+0xd>
> + * 10:   41 ff d3                call   *%r11
> + * 13:   90                      nop
> + *
> + * Notably LEA does not modify flags and can be reordered with the CMP,
> + * avoiding a dependency. Again, using a non-taken (backwards) branch
> + * for the failure case, abusing LEA's immediate 0xf0 as LOCK prefix for the
> + * JCC.d8, causing #UD.
> + */

I don't know what to say.  This is equal parts horrifying and beautiful.

> +asm(	".pushsection .rodata				\n"
> +	"fineibt_paranoid_start:			\n"
> +	"	movl	$0x12345678, %r10d		\n"
> +	"	cmpl	-9(%r11), %r10d			\n"
> +	"	lea	-0x10(%r11), %r11		\n"
> +	"	jne	fineibt_paranoid_start+0xd	\n"

Maybe `jne . - 3` ?

Or perhaps `1: jne 1b - 1` ?

Both seem marginally less fragile than tying the reference to
fineibt_paranoid_start.

~Andrew

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ