Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp6288662imb; Fri, 8 Mar 2019 13:56:49 -0800 (PST) X-Google-Smtp-Source: APXvYqx84T7jpdsTVANrzYB7jLcXXR7BhAob2zZs9YxVybvB9v8zLO6EbVYqlIellw3Ew/kSGHvT X-Received: by 2002:a63:2907:: with SMTP id p7mr18710804pgp.161.1552082209058; Fri, 08 Mar 2019 13:56:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1552082209; cv=none; d=google.com; s=arc-20160816; b=nlToFCFKhMfECbCkJsQQws01xXies9YalDqqw+OR1QhPddVCsTQuTkWaAJjSdls3au Zw2E2nwDtOMulLsQBuekIMkYDQjEwkN01TqFlmAwdo0PFt+hjMUXnhb0xgGCo8EE6o4i TBlZAnG0railNVv4TVFI/8rjU7q3n5NAEBF0L60PIlaOrh8aWsPISNlDekiWyi7mcbAb xJj9xHTT2+fMwLfOQncfqU5sYV3btmz17WM7YSYCAcjSNt4oJkC7/bqWTLaijjKA88yj gjaCQ3G5guDjmfoOihkqp50bzewBVTBGDdpVRR3IDkFZIpD2p2xFjLzpCNB7xcUTdnAP D7jw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=S/FujK8idvLuFzDOD/67zecSJM44jMk1daPm52HoMNw=; b=lmm4Y6e0+PK67wM5k6e7rhf1fi7L9tPdIAZPM8uIzM2+TlCh+yJb4U1HHh6em5dEp9 dPALo375o3oZugLs+5Br0pnVvp6Nixb1X7pGWGllO6bd7CD7/R3SIO5kvRuE8wQLrvug PBlE20NMmU4HMjD3lA9qpGaCAHPKOBKWBeHSg/YVAbB85Y1HL0oljDTu0h+a90b/jmWa q7nKaOrXXsfdEbQTY/AowjD2fXD5GM0bVALWGXivXwZ73LPglDCq8pmP9PJ8mtKNr8V7 M6ixzVI+xl/+ffwv7NuziJ9BA6bM805AzGtgxmeMp57wtjOtPYpq0Q146U1n3rKJolLv OhnQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g12si7640073plt.98.2019.03.08.13.56.31; Fri, 08 Mar 2019 13:56:48 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726351AbfCHVyy (ORCPT + 99 others); Fri, 8 Mar 2019 16:54:54 -0500 Received: from mx1.redhat.com ([209.132.183.28]:49990 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726267AbfCHVyy (ORCPT ); Fri, 8 Mar 2019 16:54:54 -0500 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 03171307B967; Fri, 8 Mar 2019 21:54:54 +0000 (UTC) Received: from treble (ovpn-123-151.rdu2.redhat.com [10.10.123.151]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A193258B2; Fri, 8 Mar 2019 21:54:51 +0000 (UTC) Date: Fri, 8 Mar 2019 15:54:49 -0600 From: Josh Poimboeuf To: Peter Zijlstra Cc: torvalds@linux-foundation.org, tglx@linutronix.de, hpa@zytor.com, julien.thierry@arm.com, will.deacon@arm.com, luto@amacapital.net, mingo@kernel.org, catalin.marinas@arm.com, james.morse@arm.com, valentin.schneider@arm.com, brgerst@gmail.com, luto@kernel.org, bp@alien8.de, dvlasenk@redhat.com, linux-kernel@vger.kernel.org, dvyukov@google.com, rostedt@goodmis.org Subject: Re: [PATCH 18/20] objtool: Add UACCESS validation Message-ID: <20190308215449.47xk64pt7svk4pef@treble> References: <20190307114511.870090179@infradead.org> <20190307115200.697533978@infradead.org> <20190308210209.usq2rpedccz25va5@treble> <20190308213155.GD2482@worktop.programming.kicks-ass.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20190308213155.GD2482@worktop.programming.kicks-ass.net> User-Agent: NeoMutt/20180716 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.47]); Fri, 08 Mar 2019 21:54:54 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 08, 2019 at 10:31:56PM +0100, Peter Zijlstra wrote: > On Fri, Mar 08, 2019 at 03:02:09PM -0600, Josh Poimboeuf wrote: > > > +static const char *uaccess_safe_builtin[] = { > > > + /* KASAN */ > > > > A short comment would be good here, something describing why a function > > might be added to the list. > > There is; but I'm thinking it might be too short? I actually just meant a comment above uaccess_safe_builtin describing what the purpose of the list is and what the expectations are for the listed functions. i.e. these are functions which are allowed to be called with the AC flag on, and they should not clear it unless they're saving/restoring. > > > +++ b/tools/objtool/special.c > > > @@ -42,6 +42,7 @@ > > > #define ALT_NEW_LEN_OFFSET 11 > > > > > > #define X86_FEATURE_POPCNT (4*32+23) > > > +#define X86_FEATURE_SMAP (9*32+20) > > > > > > struct special_entry { > > > const char *sec; > > > @@ -107,8 +108,15 @@ static int get_alt_entry(struct elf *elf > > > * It has been requested that we don't validate the !POPCNT > > > * feature path which is a "very very small percentage of > > > * machines". > > > + * > > > + * Also, unconditionally enable SMAP; this avoids seeing paths > > > + * that pass through the STAC alternative and through the CLAC > > > + * NOPs. > > > > Why is this a problem? > > 'obvious' violation? > > STAC; .... RET; # an AC=1 leak > > .... CLAC; # spurious CLAC > > If we do the STAC we must also do the CLAC. If we don't do the STAC we > must also not do the CLAC. Makes sense now, can you add that last sentence to the paragraph? > > > + * > > > + * XXX: We could do this for all binary NOP/single-INSN > > > + * alternatives. > > > > Same question here. > > In general, validating NOPs isn't too interesting, so all NOP/INSN > binary alternatives could be forced on. Right, but it doesn't sound like there's any real benefit to adding extra logic. > > > */ > > > - if (feature == X86_FEATURE_POPCNT) > > > + if (feature == X86_FEATURE_POPCNT || feature == X86_FEATURE_SMAP) > > > alt->skip_orig = true; > > > } > > I've actually changed this to depend on --uaccess, when set we force on > FEATURE_SMAP, otherwise we force off. Ok. -- Josh