lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251125123301.GO4068168@noisy.programming.kicks-ass.net>
Date: Tue, 25 Nov 2025 13:33:01 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: x86@...nel.org
Cc: linux-kernel@...r.kernel.org, kees@...nel.org, acarmina@...hat.com,
	jpoimboe@...nel.org, mark.rutland@....com,
	torvalds@...uxfoundation.org, maciej.wieczor-retman@...el.com
Subject: Re: [PATCH v2 08/12] x86/bug: Add BUG_FORMAT basics

On Tue, Nov 25, 2025 at 12:17:50PM +0100, Peter Zijlstra wrote:
> On Mon, Nov 10, 2025 at 12:46:41PM +0100, Peter Zijlstra wrote:
> > Opt-in to BUG_FORMAT for x86_64, adjust the BUGTABLE helper and for
> > now, just store NULL pointers.
> > 
> > Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>
> > ---
> >  arch/x86/include/asm/bug.h |   31 +++++++++++++++++++++----------
> >  1 file changed, 21 insertions(+), 10 deletions(-)
> > 
> > --- a/arch/x86/include/asm/bug.h
> > +++ b/arch/x86/include/asm/bug.h
> > @@ -50,33 +50,44 @@
> >  #define __BUG_ENTRY_VERBOSE(file, line)
> >  #endif
> >  
> > -#define __BUG_ENTRY(file, line, flags)					\
> > +#if defined(CONFIG_X86_64) || defined(CONFIG_DEBUG_BUGVERBOSE_DETAILED)
> > +#define HAVE_ARCH_BUG_FORMAT
> > +#define __BUG_ENTRY_FORMAT(format)					\
> > +	"\t" __BUG_REL(format)	"\t# bug_entry::format\n"
> > +#else
> > +#define __BUG_ENTRY_FORMAT(format)
> > +#endif
> > +
> > +#define __BUG_ENTRY(format, file, line, flags)				\
> >  	__BUG_REL("1b")		"\t# bug_entry::bug_addr\n"		\
> > +	__BUG_ENTRY_FORMAT(format)					\
> >  	__BUG_ENTRY_VERBOSE(file, line)					\
> >  	"\t.word " flags	"\t# bug_entry::flags\n"
> >  
> > -#define _BUG_FLAGS_ASM(ins, file, line, flags, size, extra)		\
> > +#define _BUG_FLAGS_ASM(ins, format, file, line, flags, size, extra)	\
> >  	"1:\t" ins "\n"							\
> >  	".pushsection __bug_table,\"aw\"\n\t"				\
> >  	ANNOTATE_DATA_SPECIAL						\
> >  	"2:\n\t"							\
> > -	__BUG_ENTRY(file, line, flags)					\
> > +	__BUG_ENTRY(format, file, line, flags)				\
> >  	"\t.org 2b + " size "\n"					\
> >  	".popsection\n"							\
> >  	extra
> >  
> >  #define _BUG_FLAGS(cond_str, ins, flags, extra)				\
> >  do {									\
> > -	asm_inline volatile(_BUG_FLAGS_ASM(ins, "%c0",			\
> > -					   "%c1", "%c2", "%c3", extra)	\
> > -		   : : "i" (WARN_CONDITION_STR(cond_str) __FILE__),	\
> > -		       "i" (__LINE__),					\
> > -		       "i" (flags),					\
> > -		       "i" (sizeof(struct bug_entry)));			\
> > +	asm_inline volatile(_BUG_FLAGS_ASM(ins, "%c[fmt]", "%c[file]",	\
> > +					   "%c[line]", "%c[fl]",	\
> > +					   "%c[size]", extra)		\
> > +		   : : [fmt] "i" (NULL),				\
> 
> This doesn't work right with KASLR on -- and I hadn't noticed because
> most of my machines have nokaslr because of debugability :/
> 
> When we relocate the kernel, everything shifts by kaslr_offset(), and
> that works just fine when both the __bug_table and the target string is
> shifted, because then the relative position is the same and so the
> relocation keeps working.
> 
> However, when the target is the absolute value 0, this breaks, because 0
> isn't shifted by kaslr_offset() but the __bug_table itself is.
> 
> So the relative entry:
> 
> 	.long 0 - .
> 
> and its inverse:
> 
> 	format = (const char *)&bug->format_disp + bug->format_disp;
> 
> then end up at kaslr_offset() and things are sad.
> 
> The relative entry has a SHN_UNDEF relocation, which is ignored by the
> relocs tool.
> 
> How is this supposed to be fixed?

This seems to work. Is this something we can all live with? It feels a
bit like a hack, but there doesn't appear to be anything better at hand.

---
diff --git a/lib/bug.c b/lib/bug.c
index 581a66b88c5c..8b470cc70afc 100644
--- a/lib/bug.c
+++ b/lib/bug.c
@@ -48,6 +48,7 @@
 #include <linux/rculist.h>
 #include <linux/ftrace.h>
 #include <linux/context_tracking.h>
+#include <asm/setup.h>
 
 extern struct bug_entry __start___bug_table[], __stop___bug_table[];
 
@@ -145,6 +146,10 @@ static const char *bug_get_format(struct bug_entry *bug)
 #ifdef HAVE_ARCH_BUG_FORMAT
 #ifdef CONFIG_GENERIC_BUG_RELATIVE_POINTERS
 	format = (const char *)&bug->format_disp + bug->format_disp;
+#ifdef CONFIG_RANDOMIZE_BASE
+	if ((unsigned long)format == kaslr_offset())
+		format = NULL;
+#endif
 #else
 	format = bug->format;
 #endif

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ