lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <DAL9GRMH74F4.2IV0HN0NGU65X@bootlin.com>
Date: Fri, 13 Jun 2025 10:26:37 +0200
From: Alexis Lothoré <alexis.lothore@...tlin.com>
To: "Peter Zijlstra" <peterz@...radead.org>
Cc: "Alexei Starovoitov" <ast@...nel.org>, "Daniel Borkmann"
 <daniel@...earbox.net>, "Andrii Nakryiko" <andrii@...nel.org>, "Martin
 KaFai Lau" <martin.lau@...ux.dev>, "Eduard Zingerman" <eddyz87@...il.com>,
 "Song Liu" <song@...nel.org>, "Yonghong Song" <yonghong.song@...ux.dev>,
 "John Fastabend" <john.fastabend@...il.com>, "KP Singh"
 <kpsingh@...nel.org>, "Stanislav Fomichev" <sdf@...ichev.me>, "Hao Luo"
 <haoluo@...gle.com>, "Jiri Olsa" <jolsa@...nel.org>, "David S. Miller"
 <davem@...emloft.net>, "David Ahern" <dsahern@...nel.org>, "Thomas
 Gleixner" <tglx@...utronix.de>, "Ingo Molnar" <mingo@...hat.com>, "Borislav
 Petkov" <bp@...en8.de>, "Dave Hansen" <dave.hansen@...ux.intel.com>,
 <x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>, "Menglong Dong"
 <imagedong@...cent.com>, Björn Töpel
 <bjorn@...nel.org>, "Pu Lehui" <pulehui@...wei.com>, "Puranjay Mohan"
 <puranjay@...nel.org>, "Paul Walmsley" <paul.walmsley@...ive.com>, "Palmer
 Dabbelt" <palmer@...belt.com>, "Albert Ou" <aou@...s.berkeley.edu>,
 "Alexandre Ghiti" <alex@...ti.fr>, "Ilya Leoshkevich" <iii@...ux.ibm.com>,
 "Heiko Carstens" <hca@...ux.ibm.com>, "Vasily Gorbik" <gor@...ux.ibm.com>,
 "Alexander Gordeev" <agordeev@...ux.ibm.com>, "Christian Borntraeger"
 <borntraeger@...ux.ibm.com>, "Sven Schnelle" <svens@...ux.ibm.com>, "Hari
 Bathini" <hbathini@...ux.ibm.com>, "Christophe Leroy"
 <christophe.leroy@...roup.eu>, "Naveen N Rao" <naveen@...nel.org>,
 "Madhavan Srinivasan" <maddy@...ux.ibm.com>, "Michael Ellerman"
 <mpe@...erman.id.au>, "Nicholas Piggin" <npiggin@...il.com>, "Mykola
 Lysenko" <mykolal@...com>, "Shuah Khan" <shuah@...nel.org>, "Maxime
 Coquelin" <mcoquelin.stm32@...il.com>, "Alexandre Torgue"
 <alexandre.torgue@...s.st.com>, <ebpf@...uxfoundation.org>, "Thomas
 Petazzoni" <thomas.petazzoni@...tlin.com>, "Bastien Curutchet"
 <bastien.curutchet@...tlin.com>, <netdev@...r.kernel.org>,
 <bpf@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
 Björn Töpel <bjorn@...osinc.com>,
 <linux-riscv@...ts.infradead.org>, <linux-s390@...r.kernel.org>,
 <linuxppc-dev@...ts.ozlabs.org>, <linux-kselftest@...r.kernel.org>,
 <linux-stm32@...md-mailman.stormreply.com>,
 <linux-arm-kernel@...ts.infradead.org>
Subject: Re: [PATCH bpf 2/7] bpf/x86: prevent trampoline attachment when
 args location on stack is uncertain

Hi Peter,

On Fri Jun 13, 2025 at 10:11 AM CEST, Peter Zijlstra wrote:
> On Fri, Jun 13, 2025 at 09:37:11AM +0200, Alexis Lothoré (eBPF Foundation) wrote:
>> When the target function receives more arguments than available
>> registers, the additional arguments are passed on stack, and so the
>> generated trampoline needs to read those to prepare the bpf context,
>> but also to prepare the target function stack when it is in charge of
>> calling it. This works well for scalar types, but if the value is a
>> struct, we can not know for sure the exact struct location, as it may
>> have been packed or manually aligned to a greater value.
>
> https://refspecs.linuxbase.org/elf/x86_64-abi-0.99.pdf
>
> Has fairly clear rules on how arguments are encoded. Broadly speaking
> for the kernel, if the structure exceeds 2 registers in size, it is
> passed as a reference, otherwise it is passed as two registers.

Maybe my commit wording is not precise enough, but indeed, there's not
doubt about whether the struct value is passed on the stack or through a
register/a pair of registers. The doubt is rather about the struct location
when it is passed _by value_ and _on the stack_: the ABI indeed clearly
states that "Structures and unions assume the alignment of their most
strictly aligned component" (p.13), but this rule is "silently broken" when
a struct has an __attribute__((packed)) or and __attribute__((aligned(X))),
and AFAICT this case can not be detected at runtime with current BTF info.

-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ