Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp4784852imm;
        Fri, 18 May 2018 10:35:18 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZrcTI0dW60D7z6XJRBBUnH9GUwkYV9+3zg07m51+gPZ8Yvbzi5Vjj/U409057ToFefjoR1y
X-Received: by 2002:a65:4945:: with SMTP id q5-v6mr6231035pgs.177.1526664918747;
        Fri, 18 May 2018 10:35:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1526664918; cv=none;
        d=google.com; s=arc-20160816;
        b=lCskEY2X9SNFscpP7jfOIheLnAYL9dSbCptgEW48CRM9o+ex0xdySA8JCm3b+lp/Z/
         unQNr0moSIzqPsgL34PxL2I7IdIhGIGjitWjxvsLCZyntziJsxGoTqyoEKpPvxKAud76
         CpYL8XWB0GItwUUoow4pdUhYdde/RwajsWtIuHmiIJlYdeXqrA2GbQCNPC7mtd0LZQ0s
         z7h/1h6Te+1RfWVT3LCR+/1F5o1p5D3tOFI+wbmlW3XlcsdonJUiHuUh4dlpyq0lECgR
         1pOyhuYqAqkeIp6FYIXFxs3AA8XaRwg6XmUkcS5Y8NKUeKZUqIYr35AXjO2mKvHLQKg+
         XaiQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=z9Z3WZYh9BSfQspcG3vzJj871iyIG839Y/urCXp+K7A=;
        b=N8u+CC4sg9d1UQjF/BuvKuK9XPhuTmgdZtoFk2EoC3iFY/QRjVdHY2wvQA24hem5nU
         E9xidgp8QKm0w/3d1JxzUdJTbJ8BUswNPZMXwalvcviot5P7TReWBX787sELbsxrjJJY
         gknlKzZrdvPplRA8yYfayq3uGDSR8klOS5+J2uXZBSQRb7MHZdfKQUJfo6JFR8Wlsiuu
         xQVT6gO8Rejh7glYw3OgXbXOG0tXYmkouR9ji9qvMnjS/O0DZkeGwYNmWODHLw2P8wVD
         fg0HhsQWC0fog0tP7iaK4cZxRFYxNfkuGtL30HSYUyEWCjBfqWRW26e+QKvr/NXCAHtc
         hrbg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=IBH+QB7N;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b6-v6si8018777plm.153.2018.05.18.10.35.03;
        Fri, 18 May 2018 10:35:18 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=IBH+QB7N;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751571AbeERRex (ORCPT <rfc822;mohamedabbas.us@gmail.com>
        + 99 others); Fri, 18 May 2018 13:34:53 -0400
Received: from mail-wm0-f67.google.com ([74.125.82.67]:38322 "EHLO
        mail-wm0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750957AbeERRev (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 18 May 2018 13:34:51 -0400
Received: by mail-wm0-f67.google.com with SMTP id m129-v6so16507984wmb.3
        for <linux-kernel@vger.kernel.org>; Fri, 18 May 2018 10:34:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=z9Z3WZYh9BSfQspcG3vzJj871iyIG839Y/urCXp+K7A=;
        b=IBH+QB7NSkcJEBihSK6nqluhsJZoWCEp5KzDXyjWhuqbjveEchkVzcI5rM1CdOJNCW
         4d+cw29sZHkp70ZrZ9oJ8oRftBuHOweBr9iI4K64Mj6TIGCW1aG7i/8jFNBWblPy7hlz
         jFyhc70Bhy3Sm5uiXV3jmfg4eUgr71DBcaVhmhLMXmwgj4XOSRTDeBSkyedwGODBgsie
         BpszE0RVKg0W1bu1WH9PPnKd7vTyRwHpLkigAV0IRmt2VpBxUCO/UeDZkoHQ5oV6SVlm
         9oHXbpa/rPsc899WrcIlsggwFkkYpi3VHFgzr1exF/f21VBTIoNtIqZUj/rRo+2aRdo4
         EiCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=z9Z3WZYh9BSfQspcG3vzJj871iyIG839Y/urCXp+K7A=;
        b=uedUXO/36mo/ViUpOHy5EZl5KN4TOYGQ4/UmoDr1Yt/8+WChKuHul4RY7lTeYXKH2H
         Tbgv0qRhkKR3eHn6IcEwaluKvcFf9XkWvs3tnJ5lpe6QaTu2qrYC7MWHJrwng4icN3ot
         pNd5kliYwikIbq1dLJ+gWfbtjFiPq6EKdsVXQ/TxU1yJM0MWPQT02q04DAPUdEzELqq+
         lp7UxbVoBAaFd55hlso7VnBCj/T9M0NuWi88w/4ZLUqmUtksxrRsRc428wq3+aGsZo/p
         y/9AiCLKY/VaFWOzQ08U0l8VBs6LoMo8qIUfz2rlK8ZfWmN4fWQp0RzeTF7VkJK1SBSF
         kvIg==
X-Gm-Message-State: ALKqPwfn/ROxwlOKA85j15GJJk0ouT3ASScxFzDsxZanDbNAvLCvc3iA
        sqyLo2sCp9R8bIKYmv/ySA==
X-Received: by 2002:a1c:5451:: with SMTP id p17-v6mr901817wmi.26.1526664890351;
        Fri, 18 May 2018 10:34:50 -0700 (PDT)
Received: from avx2 (nat4-minsk-pool-46-53-177-92.telecom.by. [46.53.177.92])
        by smtp.gmail.com with ESMTPSA id q7-v6sm8040980wrf.49.2018.05.18.10.34.48
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 18 May 2018 10:34:49 -0700 (PDT)
Date:   Fri, 18 May 2018 20:34:46 +0300
From:   Alexey Dobriyan <adobriyan@gmail.com>
To:     Josh Poimboeuf <jpoimboe@redhat.com>
Cc:     Ingo Molnar <mingo@kernel.org>, tglx@linutronix.de,
        Peter Anvin <h.peter.anvin@intel.com>,
        kernel test robot <xiaolong.ye@intel.com>,
        Andrew Lutomirski <luto@kernel.org>,
        Borislav Petkov <bp@alien8.de>,
        Brian Gerst <brgerst@gmail.com>,
        Denys Vlasenko <dvlasenk@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Peter Anvin <hpa@zytor.com>, tipbuild@zytor.com,
        LKP <lkp@01.org>, torvalds@linux-foundation.org, x86@kernel.org
Subject: Re: [PATCH v2] x86/asm: Pad assembly functions with INT3 instructions
Message-ID: <20180518173446.GA2055@avx2>
References: <20180515080033.GA7714@yexl-desktop>
 <20180515210757.GA12225@avx2>
 <C40DC70F50313144AB3AF8625D4F407F90689B42@ORSMSX101.amr.corp.intel.com>
 <20180515214337.GA18021@avx2>
 <CA+55aFy6_fJkmuWDZC=d_WE+_oYHtXXCbb=R31jyC1qDKZ8HJw@mail.gmail.com>
 <20180515225028.GA21902@avx2>
 <20180515225845.GB21902@avx2>
 <20180518073644.GA8593@gmail.com>
 <20180518130224.4bmp6s6wnjucypml@treble>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20180518130224.4bmp6s6wnjucypml@treble>
User-Agent: Mutt/1.9.4 (2018-02-28)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, May 18, 2018 at 08:02:24AM -0500, Josh Poimboeuf wrote:
> On Fri, May 18, 2018 at 09:36:44AM +0200, Ingo Molnar wrote:
> > 
> > * Alexey Dobriyan <adobriyan@gmail.com> wrote:
> > 
> > > Use INT3 instead of NOP. All that padding between functions is
> > > an illegal area, no legitimate code should jump into it.
> > > 
> > > I've checked x86_64 allyesconfig disassembly, all changes looks sane:
> > > INT3 is only used after RET or unconditional JMP.
> > > 
> > > On i386:
> > > * promote ret_from_exception into ENTRY as it has corresponding END,
> > > * demote "resume_userspace" -- unused,
> > > * delete ALIGN directive in page_fault. It is leftover from x86 assembly
> > >   cleanups.
> > > 
> > >     commit d211af055d0c12dc3416c2886e6fbdc6eb74a381
> > >     i386: get rid of the use of KPROBE_ENTRY / KPROBE_END
> > > 
> > >   has ALIGN directive before branch target which makes sense.
> > >   All the code after ALIGN disappeared later.
> > > 
> > > Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
> > > ---
> > > 
> > >  arch/x86/entry/entry_32.S      |    6 +-----
> > >  arch/x86/include/asm/linkage.h |    2 +-
> > >  2 files changed, 2 insertions(+), 6 deletions(-)
> > > 
> > > --- a/arch/x86/entry/entry_32.S
> > > +++ b/arch/x86/entry/entry_32.S
> > > @@ -320,8 +320,7 @@ END(ret_from_fork)
> > >   */
> > >  
> > >  	# userspace resumption stub bypassing syscall exit tracing
> > > -	ALIGN
> > > -ret_from_exception:
> > > +ENTRY(ret_from_exception)
> > >  	preempt_stop(CLBR_ANY)
> > >  ret_from_intr:
> > >  #ifdef CONFIG_VM86
> > > @@ -337,8 +336,6 @@ ret_from_intr:
> > >  #endif
> > >  	cmpl	$USER_RPL, %eax
> > >  	jb	resume_kernel			# not returning to v8086 or userspace
> > > -
> > > -ENTRY(resume_userspace)
> > >  	DISABLE_INTERRUPTS(CLBR_ANY)
> > >  	TRACE_IRQS_OFF
> > >  	movl	%esp, %eax
> > > @@ -910,7 +907,6 @@ BUILD_INTERRUPT3(hv_stimer0_callback_vector, HYPERV_STIMER0_VECTOR,
> > >  ENTRY(page_fault)
> > >  	ASM_CLAC
> > >  	pushl	$do_page_fault
> > > -	ALIGN
> > >  	jmp common_exception
> > >  END(page_fault)
> > >  
> > > --- a/arch/x86/include/asm/linkage.h
> > > +++ b/arch/x86/include/asm/linkage.h
> > > @@ -18,7 +18,7 @@
> > >  	name:
> > >  
> > >  #if defined(CONFIG_X86_64) || defined(CONFIG_X86_ALIGNMENT_16)
> > > -#define __ALIGN		.p2align 4, 0x90
> > > +#define __ALIGN		.p2align 4, 0xCC
> > >  #define __ALIGN_STR	__stringify(__ALIGN)
> > >  #endif
> > 
> > So the question is, without objtool support, how will we find INT3-padding related 
> > crash bugs on 32-bit kernels?
> 
> Is the INT3 padding really worth it, even on x86-64?  What problem are
> we trying to solve?

It is a start: manual padding, then compiler inserted padding, then
kernel CFI (in the future).

The only ways processor can end up in the padding are memory corruption,
exploit, some kind of miscompilation or CPU bug. In every case it is better
to crash immediately.

> I've seen cases with GCC functions falling through, but with asm code,
> falling through could just be working as designed.

Manual NOP align still can be inserted, fallthough is not the common case.