Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp6288662imb;
        Fri, 8 Mar 2019 13:56:49 -0800 (PST)
X-Google-Smtp-Source: APXvYqx84T7jpdsTVANrzYB7jLcXXR7BhAob2zZs9YxVybvB9v8zLO6EbVYqlIellw3Ew/kSGHvT
X-Received: by 2002:a63:2907:: with SMTP id p7mr18710804pgp.161.1552082209058;
        Fri, 08 Mar 2019 13:56:49 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1552082209; cv=none;
        d=google.com; s=arc-20160816;
        b=nlToFCFKhMfECbCkJsQQws01xXies9YalDqqw+OR1QhPddVCsTQuTkWaAJjSdls3au
         Zw2E2nwDtOMulLsQBuekIMkYDQjEwkN01TqFlmAwdo0PFt+hjMUXnhb0xgGCo8EE6o4i
         TBlZAnG0railNVv4TVFI/8rjU7q3n5NAEBF0L60PIlaOrh8aWsPISNlDekiWyi7mcbAb
         xJj9xHTT2+fMwLfOQncfqU5sYV3btmz17WM7YSYCAcjSNt4oJkC7/bqWTLaijjKA88yj
         gjaCQ3G5guDjmfoOihkqp50bzewBVTBGDdpVRR3IDkFZIpD2p2xFjLzpCNB7xcUTdnAP
         D7jw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=S/FujK8idvLuFzDOD/67zecSJM44jMk1daPm52HoMNw=;
        b=lmm4Y6e0+PK67wM5k6e7rhf1fi7L9tPdIAZPM8uIzM2+TlCh+yJb4U1HHh6em5dEp9
         dPALo375o3oZugLs+5Br0pnVvp6Nixb1X7pGWGllO6bd7CD7/R3SIO5kvRuE8wQLrvug
         PBlE20NMmU4HMjD3lA9qpGaCAHPKOBKWBeHSg/YVAbB85Y1HL0oljDTu0h+a90b/jmWa
         q7nKaOrXXsfdEbQTY/AowjD2fXD5GM0bVALWGXivXwZ73LPglDCq8pmP9PJ8mtKNr8V7
         M6ixzVI+xl/+ffwv7NuziJ9BA6bM805AzGtgxmeMp57wtjOtPYpq0Q146U1n3rKJolLv
         OhnQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g12si7640073plt.98.2019.03.08.13.56.31;
        Fri, 08 Mar 2019 13:56:48 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726351AbfCHVyy (ORCPT <rfc822;zhangckid@gmail.com> + 99 others);
        Fri, 8 Mar 2019 16:54:54 -0500
Received: from mx1.redhat.com ([209.132.183.28]:49990 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726267AbfCHVyy (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 8 Mar 2019 16:54:54 -0500
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 03171307B967;
        Fri,  8 Mar 2019 21:54:54 +0000 (UTC)
Received: from treble (ovpn-123-151.rdu2.redhat.com [10.10.123.151])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id A193258B2;
        Fri,  8 Mar 2019 21:54:51 +0000 (UTC)
Date:   Fri, 8 Mar 2019 15:54:49 -0600
From:   Josh Poimboeuf <jpoimboe@redhat.com>
To:     Peter Zijlstra <peterz@infradead.org>
Cc:     torvalds@linux-foundation.org, tglx@linutronix.de, hpa@zytor.com,
        julien.thierry@arm.com, will.deacon@arm.com, luto@amacapital.net,
        mingo@kernel.org, catalin.marinas@arm.com, james.morse@arm.com,
        valentin.schneider@arm.com, brgerst@gmail.com, luto@kernel.org,
        bp@alien8.de, dvlasenk@redhat.com, linux-kernel@vger.kernel.org,
        dvyukov@google.com, rostedt@goodmis.org
Subject: Re: [PATCH 18/20] objtool: Add UACCESS validation
Message-ID: <20190308215449.47xk64pt7svk4pef@treble>
References: <20190307114511.870090179@infradead.org>
 <20190307115200.697533978@infradead.org>
 <20190308210209.usq2rpedccz25va5@treble>
 <20190308213155.GD2482@worktop.programming.kicks-ass.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20190308213155.GD2482@worktop.programming.kicks-ass.net>
User-Agent: NeoMutt/20180716
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.47]); Fri, 08 Mar 2019 21:54:54 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Mar 08, 2019 at 10:31:56PM +0100, Peter Zijlstra wrote:
> On Fri, Mar 08, 2019 at 03:02:09PM -0600, Josh Poimboeuf wrote:
> > > +static const char *uaccess_safe_builtin[] = {
> > > +	/* KASAN */
> > 
> > A short comment would be good here, something describing why a function
> > might be added to the list.
> 
> There is; but I'm thinking it might be too short?

I actually just meant a comment above uaccess_safe_builtin describing
what the purpose of the list is and what the expectations are for the
listed functions.  i.e. these are functions which are allowed to be
called with the AC flag on, and they should not clear it unless they're
saving/restoring.

> > > +++ b/tools/objtool/special.c
> > > @@ -42,6 +42,7 @@
> > >  #define ALT_NEW_LEN_OFFSET	11
> > >  
> > >  #define X86_FEATURE_POPCNT (4*32+23)
> > > +#define X86_FEATURE_SMAP   (9*32+20)
> > >  
> > >  struct special_entry {
> > >  	const char *sec;
> > > @@ -107,8 +108,15 @@ static int get_alt_entry(struct elf *elf
> > >  		 * It has been requested that we don't validate the !POPCNT
> > >  		 * feature path which is a "very very small percentage of
> > >  		 * machines".
> > > +		 *
> > > +		 * Also, unconditionally enable SMAP; this avoids seeing paths
> > > +		 * that pass through the STAC alternative and through the CLAC
> > > +		 * NOPs.
> > 
> > Why is this a problem?
> 
> 'obvious' violation?
> 
> STAC; .... RET; # an AC=1 leak
> 
> .... CLAC; # spurious CLAC
> 
> If we do the STAC we must also do the CLAC. If we don't do the STAC we
> must also not do the CLAC.

Makes sense now, can you add that last sentence to the paragraph?

> > > +		 *
> > > +		 * XXX: We could do this for all binary NOP/single-INSN
> > > +		 * alternatives.
> > 
> > Same question here.
> 
> In general, validating NOPs isn't too interesting, so all NOP/INSN
> binary alternatives could be forced on.

Right, but it doesn't sound like there's any real benefit to adding
extra logic.

> > >  		 */
> > > -		if (feature == X86_FEATURE_POPCNT)
> > > +		if (feature == X86_FEATURE_POPCNT || feature == X86_FEATURE_SMAP)
> > >  			alt->skip_orig = true;
> > >  	}
> 
> I've actually changed this to depend on --uaccess, when set we force on
> FEATURE_SMAP, otherwise we force off.

Ok.

-- 
Josh