lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 20 Nov 2023 15:46:42 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: peterz@...radead.org
Cc: paul.walmsley@...ive.com,
 palmer@...belt.com,
 aou@...s.berkeley.edu,
 tglx@...utronix.de,
 mingo@...hat.com,
 bp@...en8.de,
 dave.hansen@...ux.intel.com,
 x86@...nel.org,
 hpa@...or.com,
 davem@...emloft.net,
 dsahern@...nel.org,
 ast@...nel.org,
 daniel@...earbox.net,
 andrii@...nel.org,
 martin.lau@...ux.dev,
 song@...nel.org,
 yonghong.song@...ux.dev,
 john.fastabend@...il.com,
 kpsingh@...nel.org,
 sdf@...gle.com,
 haoluo@...gle.com,
 jolsa@...nel.org,
 Arnd Bergmann <arnd@...db.de>,
 samitolvanen@...gle.com,
 keescook@...omium.org,
 nathan@...nel.org,
 ndesaulniers@...gle.com,
 linux-riscv@...ts.infradead.org,
 linux-kernel@...r.kernel.org,
 netdev@...r.kernel.org,
 bpf@...r.kernel.org,
 linux-arch@...r.kernel.org,
 llvm@...ts.linux.dev,
 jpoimboe@...nel.org,
 joao@...rdrivepizza.com,
 mark.rutland@....com
Subject: [PATCH 0/2] x86/bpf: Fix FineIBT vs eBPF

Hi!

There's a problem with FineIBT and eBPF using __nocfi when
CONFIG_BPF_JIT_ALWAYS_ON=n, in which case the __nocfi indirect call can target
a normal function like __bpf_prog_run32().

Specifically the various preambles look like:

   FineIBT				JIT

   __cfi_foo:
      endbr64
      subl	$hash, %r10d
      jz	1f
      ud2
   1: nop
   foo:					foo:
      osp nop3				   endbr64
      ...				   ...

So while bpf_dispatcher_*_func() does a __nocfi call to foo()+0 and this
matches what the JIT generates, it does not work for regular FineIBT functions,
since their +0 endbr got poisoned and things go *boom*.

Cure this by teaching the BPF JIT about all the various CFI forms. Notably this
removes the last __nocfi call on x86.

If the BPF folks agree (and the robots don't find fail) I'd like to take this
through the x86 tree, because I have a few more patches that turn the non-fatal
'osp nop3' poison into a 4 byte ud1 instruction which is rather fatal. As a
result this problem will also surface on !IBT hardware.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ