| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250529093017.GJ31726@noisy.programming.kicks-ass.net> Date: Thu, 29 May 2025 11:30:17 +0200 From: Peter Zijlstra <peterz@...radead.org> To: Josh Poimboeuf <jpoimboe@...nel.org> Cc: Sean Christopherson <seanjc@...gle.com>, "H. Peter Anvin" <hpa@...or.com>, x86@...nel.org, kys@...rosoft.com, haiyangz@...rosoft.com, wei.liu@...nel.org, decui@...rosoft.com, tglx@...utronix.de, mingo@...hat.com, bp@...en8.de, dave.hansen@...ux.intel.com, pbonzini@...hat.com, ardb@...nel.org, kees@...nel.org, Arnd Bergmann <arnd@...db.de>, gregkh@...uxfoundation.org, linux-hyperv@...r.kernel.org, linux-kernel@...r.kernel.org, kvm@...r.kernel.org, linux-efi@...r.kernel.org, samitolvanen@...gle.com, ojeda@...nel.org, xin@...or.com Subject: Re: [PATCH v2 00/13] objtool: Detect and warn about indirect calls in __nocfi functions On Wed, May 28, 2025 at 06:35:58PM +0200, Peter Zijlstra wrote: > On Wed, May 28, 2025 at 06:30:35PM +0200, Peter Zijlstra wrote: > > On Wed, May 28, 2025 at 09:44:52AM +0200, Peter Zijlstra wrote: > > > On Tue, May 06, 2025 at 12:18:49PM -0700, Josh Poimboeuf wrote: > > > > > > > Weird, I'm not seeing that. > > > > > > I Ate'nt Crazeh... > > > > > > https://lore.kernel.org/all/202505280410.2qfTQCRt-lkp@intel.com/T/#u > > > > > > I'll go poke at it, see if today is the day I can figure out WTF > > > happens. > > > > It manages to trip the CFI_UNDEFINED case in op->dest.reg == cfa->base > > in update_cfi_state(). > > > > I figured it ought to tickle the regular 'mov %rbp, %rsp' case above > > there, but it doesn't, for some reason it has cfa.base == SP at this > > point. > > > > This happens... /me looks in scrollback ... at POP_REGS 'pop > > %rbp'. ARGH!! > > More fun! > > So the sequence of fail is: > > > > push %rbp > > mov %rsp, %rbp # cfa.base = BP > > > > SAVE sub $0x40,%rsp and $0xffffffffffffffc0,%rsp This hits the 'older GCC, drap with frame pointer' case in OP_SRC_AND. Which means we then hard rely on the frame pointer to get things right. However, per all the PUSH/POP_REGS nonsense, BP can get clobbered. Specifically the code between the CALL and POP %rbp below are up in the air. I don't think it can currently unwind properly there. > > ... > > push %rbp > > ... > > pop %rbp # cfa.base = SP > > This is the POP !drap and dest==base case. > > > ... > > mov %rbp, %rsp # UNDEF > > nop # FAIL > > RESTORE > > > > Note that the MOV+NOP is the 4 bytes ERETS needs.
Powered by blists - more mailing lists