Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp6255806imb; Fri, 8 Mar 2019 13:03:06 -0800 (PST) X-Google-Smtp-Source: APXvYqwtlXYV28MXiHBMfHFM2hjI9bnKmi6bNI5yTFB9W76yFiqvqqdPqLuDtv+tBKRT0mu/LLGk X-Received: by 2002:a17:902:b083:: with SMTP id p3mr4009657plr.148.1552078986546; Fri, 08 Mar 2019 13:03:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1552078986; cv=none; d=google.com; s=arc-20160816; b=MVJaGMFu6nt+vVef7FZrNQ30i4w2sigi5nsEItxJXQ6A9I1kakhtzzunwcXg5GjMp9 jkBEZGgGXqFc3Akia5FX146eFaW4H/o5mhmoZP4hfLt23SXTPxGDY99LR0MzHDJnI1QT xqGrs1Ww7UgxZWCUcYlmvIHCVvodTqzWYHNKKDRu1HCaR4oiVKYbogzj8Fiqp3f8VmqP 9O+JETzLQVpfdXEEmmmJN2C4PPZb3B/aN+QiKkEE1v6hczOpn9sx9hS5unItZfY6AVid Fi4uAYI3NjRA7fIJ7jb4R+K7ChtaOmv2nJcnuGMbYf55DyQerBnpVsTEaevD1415vPBk vveA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=IAO3FxAzmd9JwtNR3/9iMzlaeZ5rIGs2Yr0toWf/JG8=; b=ULEwv4+j8NqH5sSjWRm40fMtllKsqLw4MLHuAWYUup0U+vkF+dQL43raTerDYNzBIt kuefDAZX77euSHENCsFakrozWg5rRZGeCLOQ+yiY6grLra0Nrh8el9Y9WDt44BMRPMM8 nFTF2G9hkYu2iS6/jZeRRFQ0xqVLadY89vFSEPvsNHrolSCY5JEHXVr/pYq2V2sSC5bt mFqJVVz3QFW51ql88MDTBT0cTaaVTIaGGazWV58tqOcyxwhOGgA8mxTzkq5EIfMjF+eA qkLzrWQWlZYqueQHgBvRQg6H8qRQFo2rcVvArevJpfySzqF6tATyDv9pREEqr9ki2iKl TyJQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 42si7921764pld.383.2019.03.08.13.02.48; Fri, 08 Mar 2019 13:03:06 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726755AbfCHVCP (ORCPT + 99 others); Fri, 8 Mar 2019 16:02:15 -0500 Received: from mx1.redhat.com ([209.132.183.28]:56058 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726536AbfCHVCO (ORCPT ); Fri, 8 Mar 2019 16:02:14 -0500 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 137995944A; Fri, 8 Mar 2019 21:02:14 +0000 (UTC) Received: from treble (ovpn-123-151.rdu2.redhat.com [10.10.123.151]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B338B600C1; Fri, 8 Mar 2019 21:02:11 +0000 (UTC) Date: Fri, 8 Mar 2019 15:02:09 -0600 From: Josh Poimboeuf To: Peter Zijlstra Cc: torvalds@linux-foundation.org, tglx@linutronix.de, hpa@zytor.com, julien.thierry@arm.com, will.deacon@arm.com, luto@amacapital.net, mingo@kernel.org, catalin.marinas@arm.com, james.morse@arm.com, valentin.schneider@arm.com, brgerst@gmail.com, luto@kernel.org, bp@alien8.de, dvlasenk@redhat.com, linux-kernel@vger.kernel.org, dvyukov@google.com, rostedt@goodmis.org Subject: Re: [PATCH 18/20] objtool: Add UACCESS validation Message-ID: <20190308210209.usq2rpedccz25va5@treble> References: <20190307114511.870090179@infradead.org> <20190307115200.697533978@infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20190307115200.697533978@infradead.org> User-Agent: NeoMutt/20180716 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Fri, 08 Mar 2019 21:02:14 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 07, 2019 at 12:45:29PM +0100, Peter Zijlstra wrote: > --- a/tools/objtool/arch/x86/decode.c > +++ b/tools/objtool/arch/x86/decode.c > @@ -369,7 +369,19 @@ int arch_decode_instruction(struct elf * > > case 0x0f: > > - if (op2 >= 0x80 && op2 <= 0x8f) { > + if (op2 == 0x01) { > + > + if (modrm == 0xca) { > + > + *type = INSN_CLAC; > + > + } else if (modrm == 0xcb) { > + > + *type = INSN_STAC; > + > + } Style nit, no need for all those brackets and newlines. > --- a/tools/objtool/check.c > +++ b/tools/objtool/check.c > @@ -442,6 +442,81 @@ static void add_ignores(struct objtool_f > } > } > > +static const char *uaccess_safe_builtin[] = { > + /* KASAN */ A short comment would be good here, something describing why a function might be added to the list. > + "memset_orig", /* XXX why not memset_erms */ > + "__memset", > + "kasan_poison_shadow", > + "kasan_unpoison_shadow", > + "__asan_poison_stack_memory", > + "__asan_unpoison_stack_memory", > + "kasan_report", > + "check_memory_region", > + /* KASAN out-of-line */ > + "__asan_loadN_noabort", > + "__asan_load1_noabort", > + "__asan_load2_noabort", > + "__asan_load4_noabort", > + "__asan_load8_noabort", > + "__asan_load16_noabort", > + "__asan_storeN_noabort", > + "__asan_store1_noabort", > + "__asan_store2_noabort", > + "__asan_store4_noabort", > + "__asan_store8_noabort", > + "__asan_store16_noabort", > + /* KASAN in-line */ > + "__asan_report_load_n_noabort", > + "__asan_report_load1_noabort", > + "__asan_report_load2_noabort", > + "__asan_report_load4_noabort", > + "__asan_report_load8_noabort", > + "__asan_report_load16_noabort", > + "__asan_report_store_n_noabort", > + "__asan_report_store1_noabort", > + "__asan_report_store2_noabort", > + "__asan_report_store4_noabort", > + "__asan_report_store8_noabort", > + "__asan_report_store16_noabort", > + /* KCOV */ > + "write_comp_data", > + "__sanitizer_cov_trace_pc", > + "__sanitizer_cov_trace_const_cmp1", > + "__sanitizer_cov_trace_const_cmp2", > + "__sanitizer_cov_trace_const_cmp4", > + "__sanitizer_cov_trace_const_cmp8", > + "__sanitizer_cov_trace_cmp1", > + "__sanitizer_cov_trace_cmp2", > + "__sanitizer_cov_trace_cmp4", > + "__sanitizer_cov_trace_cmp8", > + /* UBSAN */ > + "ubsan_type_mismatch_common", > + "__ubsan_handle_type_mismatch", > + "__ubsan_handle_type_mismatch_v1", > + /* misc */ > + "csum_partial_copy_generic", > + "__memcpy_mcsafe", > + "ftrace_likely_update", /* CONFIG_TRACE_BRANCH_PROFILING */ > + NULL > +}; > + > +static void add_uaccess_safe(struct objtool_file *file) > +{ > + struct symbol *func; > + const char **name; > + > + if (!uaccess) > + return; > + > + for (name = uaccess_safe_builtin; *name; name++) { > + func = find_symbol_by_name(file->elf, *name); > + if (!func) > + continue; This won't work if the function name changes due to IPA optimizations. I assume these are all global functions so maybe it's fine? > @@ -1914,6 +2008,16 @@ static int validate_branch(struct objtoo > switch (insn->type) { > > case INSN_RETURN: > + if (state.uaccess && !func_uaccess_safe(func)) { > + WARN_FUNC("return with UACCESS enabled", sec, insn->offset); > + return 1; > + } > + > + if (!state.uaccess && func_uaccess_safe(func)) { > + WARN_FUNC("return with UACCESS disabled from a UACCESS-safe function", sec, insn->offset); > + return 1; > + } > + > if (func && has_modified_stack_frame(&state)) { > WARN_FUNC("return with modified stack frame", > sec, insn->offset); > @@ -1929,17 +2033,32 @@ static int validate_branch(struct objtoo > return 0; > > case INSN_CALL: > - if (is_fentry_call(insn)) > - break; > + case INSN_CALL_DYNAMIC: > +do_call: > + if (state.uaccess && !func_uaccess_safe(insn->call_dest)) { > + WARN_FUNC("call to %s() with UACCESS enabled", > + sec, insn->offset, insn_dest_name(insn)); > + return 1; > + } > > - ret = dead_end_function(file, insn->call_dest); > - if (ret == 1) > + if (insn->type == INSN_JUMP_UNCONDITIONAL || > + insn->type == INSN_JUMP_DYNAMIC) > return 0; > - if (ret == -1) > - return 1; > > - /* fallthrough */ > - case INSN_CALL_DYNAMIC: > + if (insn->type == INSN_JUMP_CONDITIONAL) > + break; > + > + if (insn->type == INSN_CALL) { > + if (is_fentry_call(insn)) > + break; > + > + ret = dead_end_function(file, insn->call_dest); > + if (ret == 1) > + return 0; > + if (ret == -1) > + return 1; > + } > + > if (!no_fp && func && !has_valid_stack_frame(&state)) { > WARN_FUNC("call without frame pointer save/setup", > sec, insn->offset); > @@ -1956,6 +2075,8 @@ static int validate_branch(struct objtoo > sec, insn->offset); > return 1; > } > + goto do_call; > + These gotos make my head spin. Again I would much prefer a small amount of code duplication over this. > +++ b/tools/objtool/special.c > @@ -42,6 +42,7 @@ > #define ALT_NEW_LEN_OFFSET 11 > > #define X86_FEATURE_POPCNT (4*32+23) > +#define X86_FEATURE_SMAP (9*32+20) > > struct special_entry { > const char *sec; > @@ -107,8 +108,15 @@ static int get_alt_entry(struct elf *elf > * It has been requested that we don't validate the !POPCNT > * feature path which is a "very very small percentage of > * machines". > + * > + * Also, unconditionally enable SMAP; this avoids seeing paths > + * that pass through the STAC alternative and through the CLAC > + * NOPs. Why is this a problem? > + * > + * XXX: We could do this for all binary NOP/single-INSN > + * alternatives. Same question here. > */ > - if (feature == X86_FEATURE_POPCNT) > + if (feature == X86_FEATURE_POPCNT || feature == X86_FEATURE_SMAP) > alt->skip_orig = true; > } > > > -- Josh