lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251125151739.GP4068168@noisy.programming.kicks-ass.net>
Date: Tue, 25 Nov 2025 16:17:39 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: x86@...nel.org, ardb@...nel.org
Cc: linux-kernel@...r.kernel.org, kees@...nel.org, acarmina@...hat.com,
	jpoimboe@...nel.org, mark.rutland@....com,
	torvalds@...uxfoundation.org, maciej.wieczor-retman@...el.com
Subject: Re: [PATCH v2 08/12] x86/bug: Add BUG_FORMAT basics

On Tue, Nov 25, 2025 at 01:33:01PM +0100, Peter Zijlstra wrote:

> > > +	asm_inline volatile(_BUG_FLAGS_ASM(ins, "%c[fmt]", "%c[file]",	\
> > > +					   "%c[line]", "%c[fl]",	\
> > > +					   "%c[size]", extra)		\
> > > +		   : : [fmt] "i" (NULL),				\
> > 
> > This doesn't work right with KASLR on -- and I hadn't noticed because
> > most of my machines have nokaslr because of debugability :/
> > 
> > When we relocate the kernel, everything shifts by kaslr_offset(), and
> > that works just fine when both the __bug_table and the target string is
> > shifted, because then the relative position is the same and so the
> > relocation keeps working.
> > 
> > However, when the target is the absolute value 0, this breaks, because 0
> > isn't shifted by kaslr_offset() but the __bug_table itself is.
> > 
> > So the relative entry:
> > 
> > 	.long 0 - .
> > 
> > and its inverse:
> > 
> > 	format = (const char *)&bug->format_disp + bug->format_disp;
> > 
> > then end up at kaslr_offset() and things are sad.
> > 
> > The relative entry has a SHN_UNDEF relocation, which is ignored by the
> > relocs tool.
> > 
> > How is this supposed to be fixed?
> 
> This seems to work. Is this something we can all live with? It feels a
> bit like a hack, but there doesn't appear to be anything better at hand.

Ard came up with this glorious hack :-)

---
diff --git a/arch/x86/include/asm/bug.h b/arch/x86/include/asm/bug.h
index d0a96ff5c02c..812ec8932734 100644
--- a/arch/x86/include/asm/bug.h
+++ b/arch/x86/include/asm/bug.h
@@ -5,6 +5,7 @@
 #include <linux/stringify.h>
 #include <linux/instrumentation.h>
 #include <linux/objtool.h>
+#include <linux/compiler.h>
 #include <asm/asm.h>
 
 #ifndef __ASSEMBLY__
@@ -59,7 +60,7 @@ extern void __WARN_trap(struct bug_entry *bug, ...);
 #if defined(CONFIG_X86_64) || defined(CONFIG_DEBUG_BUGVERBOSE_DETAILED)
 #define HAVE_ARCH_BUG_FORMAT
 #define __BUG_ENTRY_FORMAT(format)					\
-	"\t" __BUG_REL(format)	"\t# bug_entry::format\n"
+	"3:\t" __BUG_REL(format)	"\t# bug_entry::format\n"
 #else
 #define __BUG_ENTRY_FORMAT(format)
 #endif
@@ -84,18 +85,20 @@ extern void __WARN_trap(struct bug_entry *bug, ...);
 	extra
 
 #ifdef CONFIG_DEBUG_BUGVERBOSE_DETAILED
-#define WARN_CONDITION_STR(cond_str) cond_str
+#define WARN_CONDITION_STR(cond_str, null_str) cond_str
 #else
-#define WARN_CONDITION_STR(cond_str) NULL
+#define WARN_CONDITION_STR(cond_str, null_str) null_str
 #endif
 
-#define _BUG_FLAGS(cond_str, ins, flags, extra)				\
+#define _BUG_FLAGS(cond_str, ins, flags, extra, id)			\
 do {									\
+	extern typeof(cond_str) id;					\
 	asm_inline volatile("1:\t" ins "\n"				\
 			    _BUG_FLAGS_ASM("%c[fmt]", "%c[file]",	\
 					   "%c[line]", "%c[fl]",	\
 					   "%c[size]", extra)		\
-		   : : [fmt] "i" (WARN_CONDITION_STR(cond_str)),	\
+			    ".set " __stringify(id) ", 3b\n"		\
+		   : : [fmt] "i" (WARN_CONDITION_STR(cond_str, id)),	\
 		       [file] "i" (__FILE__),				\
 		       [line] "i" (__LINE__),				\
 		       [fl] "i" (flags),				\
@@ -104,11 +107,11 @@ do {									\
 
 #define ARCH_WARN_ASM(file, line, flags, size)				\
 	"1:\t " ASM_UD2 "\n"						\
-	_BUG_FLAGS_ASM("0", file, line, flags, size, "")
+	_BUG_FLAGS_ASM("3b", file, line, flags, size, "")
 
 #else
 
-#define _BUG_FLAGS(cond_str, ins, flags, extra)  asm volatile(ins)
+#define _BUG_FLAGS(cond_str, ins, flags, extra, id)  asm volatile(ins)
 
 #endif /* CONFIG_GENERIC_BUG */
 
@@ -116,7 +119,7 @@ do {									\
 #define BUG()							\
 do {								\
 	instrumentation_begin();				\
-	_BUG_FLAGS("", ASM_UD2, 0, "");				\
+	_BUG_FLAGS("", ASM_UD2, 0, "", __UNIQUE_ID(bug));	\
 	__builtin_unreachable();				\
 } while (0)
 
@@ -133,7 +136,8 @@ do {								\
 do {									\
 	__auto_type __flags = BUGFLAG_WARNING|(flags);			\
 	instrumentation_begin();					\
-	_BUG_FLAGS(cond_str, ASM_UD2, __flags, ARCH_WARN_REACHABLE);	\
+	_BUG_FLAGS(cond_str, ASM_UD2, __flags, ARCH_WARN_REACHABLE,	\
+		   __UNIQUE_ID(warn));					\
 	instrumentation_end();						\
 } while (0)
 
diff --git a/lib/bug.c b/lib/bug.c
index 581a66b88c5c..9a598b7dfc11 100644
--- a/lib/bug.c
+++ b/lib/bug.c
@@ -144,7 +145,8 @@ static const char *bug_get_format(struct bug_entry *bug)
 	const char *format = NULL;
 #ifdef HAVE_ARCH_BUG_FORMAT
 #ifdef CONFIG_GENERIC_BUG_RELATIVE_POINTERS
-	format = (const char *)&bug->format_disp + bug->format_disp;
+	if (bug->format_disp)
+		format = (const char *)&bug->format_disp + bug->format_disp;
 #else
 	format = bug->format;
 #endif

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ