On 32-bit, cmdline_find_option_bool() is used before paging is enabled,
from check_loader_disabled_bsp() in the early microcode loader.
Instrumentation options that insert accesses to global data will likely
crash or corrupt memory at this point.
cmdline_find_option{,_bool}() are only used during boot, so
instrumentation is not that useful anyway.
Disable instrumentation unconditionally, and additionally disable:
- GCOV
- UBSAN
- tracing: change -pg -> CC_FLAGS_FTRACE
- STACKLEAK_PLUGIN
- BRANCH_PROFILING
Signed-off-by: Arvind Sankar <[email protected]>
---
arch/x86/lib/Makefile | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/arch/x86/lib/Makefile b/arch/x86/lib/Makefile
index aa067859a70b..0ad4ae9def44 100644
--- a/arch/x86/lib/Makefile
+++ b/arch/x86/lib/Makefile
@@ -15,17 +15,19 @@ CFLAGS_REMOVE_delay.o = $(CC_FLAGS_FTRACE)
endif
# Early boot use of cmdline; don't instrument it
-ifdef CONFIG_AMD_MEM_ENCRYPT
+GCOV_PROFILE_cmdline.o := n
KCOV_INSTRUMENT_cmdline.o := n
KASAN_SANITIZE_cmdline.o := n
+UBSAN_SANITIZE_cmdline.o := n
KCSAN_SANITIZE_cmdline.o := n
ifdef CONFIG_FUNCTION_TRACER
-CFLAGS_REMOVE_cmdline.o = -pg
+CFLAGS_REMOVE_cmdline.o = $(CC_FLAGS_FTRACE)
endif
CFLAGS_cmdline.o := -fno-stack-protector -fno-jump-tables
-endif
+CFLAGS_cmdline.o += $(DISABLE_STACKLEAK_PLUGIN)
+CFLAGS_cmdline.o += -DDISABLE_BRANCH_PROFILING
inat_tables_script = $(srctree)/arch/x86/tools/gen-insn-attr-x86.awk
inat_tables_maps = $(srctree)/arch/x86/lib/x86-opcode-map.txt
--
2.26.2
On Sun, Sep 06, 2020 at 11:46:37AM -0400, Arvind Sankar wrote:
> On 32-bit, cmdline_find_option_bool() is used before paging is enabled,
> from check_loader_disabled_bsp() in the early microcode loader.
> Instrumentation options that insert accesses to global data will likely
> crash or corrupt memory at this point.
What is the use case here, can you trigger an actual crash?
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
On Thu, Sep 17, 2020 at 11:40:55AM +0200, Borislav Petkov wrote:
> On Sun, Sep 06, 2020 at 11:46:37AM -0400, Arvind Sankar wrote:
> > On 32-bit, cmdline_find_option_bool() is used before paging is enabled,
> > from check_loader_disabled_bsp() in the early microcode loader.
> > Instrumentation options that insert accesses to global data will likely
> > crash or corrupt memory at this point.
>
> What is the use case here, can you trigger an actual crash?
>
> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette
Hm this is a bit embarassing.
I did have a crash and this patch fixed it, but it seems it was on a
branch where I was making changes to cmdline.c, which triggered clang to
use a jump table for cmdline_find_option_bool(). That was the cause of
the crash, and the reason this patch fixed it was because it enabled
-fno-jump-tables, rather than because it disabled instrumentation.
The instrumentation code does write data to random addresses, but
apparently that doesn't necessarily crash the system. This patch would
also be insufficient to fix it, since load_ucode_bsp() itself can have
instrumentation code in it.
Eg with GCOV_PROFILE_ALL enabled, the start of the function is:
c2a7706a <load_ucode_bsp>:
c2a7706a: 55 push %ebp
c2a7706b: 83 05 c0 4d ba c2 01 addl $0x1,0xc2ba4dc0
c2a77072: 83 15 c4 4d ba c2 00 adcl $0x0,0xc2ba4dc4
c2a77079: 89 e5 mov %esp,%ebp
but when it's called from arch/x86/kernel/head_32.S, paging is disabled
and the code is executing out of physical addresses, so it's going to
read/write data from garbage addresses.
Anyway, please ignore this patch and sorry for the noise.
Thanks.
On Thu, Sep 17, 2020 at 12:05:48PM -0400, Arvind Sankar wrote:
> I did have a crash and this patch fixed it, but it seems it was on a
> branch where I was making changes to cmdline.c, which triggered clang to
> use a jump table for cmdline_find_option_bool(). That was the cause of
> the crash, and the reason this patch fixed it was because it enabled
> -fno-jump-tables, rather than because it disabled instrumentation.
I see.
> The instrumentation code does write data to random addresses, but
> apparently that doesn't necessarily crash the system. This patch would
> also be insufficient to fix it, since load_ucode_bsp() itself can have
> instrumentation code in it.
Yeah, it better not have any.
> Eg with GCOV_PROFILE_ALL enabled, the start of the function is:
>
> c2a7706a <load_ucode_bsp>:
> c2a7706a: 55 push %ebp
> c2a7706b: 83 05 c0 4d ba c2 01 addl $0x1,0xc2ba4dc0
> c2a77072: 83 15 c4 4d ba c2 00 adcl $0x0,0xc2ba4dc4
> c2a77079: 89 e5 mov %esp,%ebp
>
> but when it's called from arch/x86/kernel/head_32.S, paging is disabled
> and the code is executing out of physical addresses, so it's going to
> read/write data from garbage addresses.
Right, so I'm sceptical to all this instrumentation nonsense - it is
fine and good if you have it but not everywhere. And certainly not when
the thing is loading microcode.
microcode/core.c contains all the code, early and late so it might make
some little sense to have instrumentation there for whatever reasons,
say KASANing (yah, I made a verb :)) the thing for leaks or whatnot,
but meh, I can't find it in me to care. So at some point, if it starts
getting in the way, we might remove all instrumentation from that thing
altogether.
> Anyway, please ignore this patch and sorry for the noise.
No worries.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette