lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 30 Nov 2023 14:36:30 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: peterz@...radead.org
Cc: paul.walmsley@...ive.com,
 palmer@...belt.com,
 aou@...s.berkeley.edu,
 tglx@...utronix.de,
 mingo@...hat.com,
 bp@...en8.de,
 dave.hansen@...ux.intel.com,
 x86@...nel.org,
 hpa@...or.com,
 davem@...emloft.net,
 dsahern@...nel.org,
 ast@...nel.org,
 daniel@...earbox.net,
 andrii@...nel.org,
 martin.lau@...ux.dev,
 song@...nel.org,
 yonghong.song@...ux.dev,
 john.fastabend@...il.com,
 kpsingh@...nel.org,
 sdf@...gle.com,
 haoluo@...gle.com,
 jolsa@...nel.org,
 Arnd Bergmann <arnd@...db.de>,
 samitolvanen@...gle.com,
 keescook@...omium.org,
 nathan@...nel.org,
 ndesaulniers@...gle.com,
 linux-riscv@...ts.infradead.org,
 linux-kernel@...r.kernel.org,
 netdev@...r.kernel.org,
 bpf@...r.kernel.org,
 linux-arch@...r.kernel.org,
 llvm@...ts.linux.dev,
 jpoimboe@...nel.org,
 joao@...rdrivepizza.com,
 mark.rutland@....com
Subject: [PATCH v2 0/2] x86/bpf: Fix FineIBT vs eBPF

Hi!

There's a problem with FineIBT and eBPF using __nocfi when
CONFIG_BPF_JIT_ALWAYS_ON=n, in which case the __nocfi indirect call can target
a normal function like __bpf_prog_run32().

Specifically the various preambles look like:

   FineIBT				JIT

   __cfi_foo:
      endbr64
      subl	$hash, %r10d
      jz	1f
      ud2
   1: nop
   foo:					foo:
      osp nop3				   endbr64
      ...				   ...

So while bpf_dispatcher_*_func() does a __nocfi call to foo()+0 and this
matches what the JIT generates, it does not work for regular FineIBT functions,
since their +0 endbr got poisoned and things go *boom*.

Cure this by teaching the BPF JIT about all the various CFI forms. Notably this
removes the last __nocfi call on x86.

If the BPF folks agree (and the robots don't find fail) I'd like to take this
through the x86 tree, because I have a few more patches that turn the non-fatal
'osp nop3' poison into a 4 byte ud1 instruction which is rather fatal. As a
result this problem will also surface on !IBT hardware.

Changes since v1:
 - added wee comment to asm/cfi.h (ast)
 - added asm comments to bytecode (ast)
 - renamed bpf_func_proto() to __bpf_prog_runX() (ast)
 - added bpf_prog_aux::ksym_prefix (ast)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ