Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4376090yba;
        Tue, 9 Apr 2019 17:55:11 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwfqpbCLfvWffhXtrh2EJuqo9ZPkpVg4fbGzaCvfvucQGVWCzbB/k9WthE8HWS+xVFgG10H
X-Received: by 2002:a63:ed4e:: with SMTP id m14mr38376624pgk.182.1554857711124;
        Tue, 09 Apr 2019 17:55:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1554857711; cv=none;
        d=google.com; s=arc-20160816;
        b=vhK74Tqjw6rfgjDcqyPFy0ip/vPxAOgyKbu49BTJRhf4HeJCru1QHzmtkhj6K+WjuK
         UGucOJbq6AN/T32+uUKOmG3v1VMuA3zz2kQVArPcbuISXXG71RcGjPD3wP+ydd0vI8F+
         ZrwkSOqtwkTtEuyoyezia+ASk7uKamli+1J6YEKGHTycIhqKwKm87hUTOXFo+BEZf8MP
         FLMU8Kmx9CW8Ub9qeoPKDJbWMbK5bLnpP3LE0A396IFC+JSSPnASODJrjZ9lp7CzlT5r
         Djb2J0r4SDs79Gb6xlm0r4BdUw1jisQSt+5AF2BQpBMbOmEiff8vW9e4LLOM8piVAAQK
         cbKg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version;
        bh=UdR+Zc9BL3VHuvKmgkeP33sRLrCTOhdK0gyTrE3ko40=;
        b=JyVCDzc2vdKpw1U+QvgyakrWD12bWOpFwmtp46VQ2ooFbVca+E7Unu0RvjbPVLyeEN
         AVcRAgtVV6LC4q1ZPZENIM2ZJ18P7YBKWkcvjq8Q5u/wusdbl11x02aRtaHIckRyhmeY
         M3/m3/Uk0V1/Rh1mzsCe/9cf0uR17iaFHo0/sq1AHNLh7oo1KxwfFu1oiGxaBGsmE73T
         6sDwRIVzT4tqz3weM6J8OD1utld+FTAL4Zj7At7rq831Fpq9ka/+HKgawe/qhI0ZgTep
         SMg4j4d08PCNgHyhZxF9K2pwiiDU11yrbg6LdtBi9pKeC3l42VCetCqGTkK13cnKIB/G
         rD6Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w71si22109595pgd.470.2019.04.09.17.54.55;
        Tue, 09 Apr 2019 17:55:11 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726842AbfDJAvH (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Tue, 9 Apr 2019 20:51:07 -0400
Received: from mailbackend.panix.com ([166.84.1.89]:59008 "EHLO
        mailbackend.panix.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726766AbfDJAvH (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 9 Apr 2019 20:51:07 -0400
Received: from mail-oi1-f180.google.com (mail-oi1-f180.google.com [209.85.167.180])
        by mailbackend.panix.com (Postfix) with ESMTPSA id 44f5F21qTDz172F
        for <linux-kernel@vger.kernel.org>; Tue,  9 Apr 2019 20:51:01 -0400 (EDT)
Received: by mail-oi1-f180.google.com with SMTP id l203so287117oia.3
        for <linux-kernel@vger.kernel.org>; Tue, 09 Apr 2019 17:51:01 -0700 (PDT)
X-Gm-Message-State: APjAAAWl1n0ax183gRV+XopO7eGJitxtqyQEEnOs4b7BkN0fT823BSYh
        pzPXX8gC2PcQEYUkOw+P8kK1J7lSj4E0lqBlb8g=
X-Received: by 2002:aca:5387:: with SMTP id h129mr831258oib.52.1554857461021;
 Tue, 09 Apr 2019 17:51:01 -0700 (PDT)
MIME-Version: 1.0
References: <11513896.2624.1554838336494.JavaMail.zimbra@efficios.com> <913288111.2663.1554842622822.JavaMail.zimbra@efficios.com>
In-Reply-To: <913288111.2663.1554842622822.JavaMail.zimbra@efficios.com>
From:   Zack Weinberg <zackw@panix.com>
Date:   Tue, 9 Apr 2019 20:50:49 -0400
X-Gmail-Original-Message-ID: <CAKCAbMi6ZM0ehUrjxNfjR+SV_Xv_x7JkMjvB9nEVH=31JHNEPg@mail.gmail.com>
Message-ID: <CAKCAbMi6ZM0ehUrjxNfjR+SV_Xv_x7JkMjvB9nEVH=31JHNEPg@mail.gmail.com>
Subject: Re: rseq/x86: choosing rseq code signature
To:     Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc:     Thomas Gleixner <tglx@linutronix.de>,
        Andy Lutomirski <luto@amacapital.net>,
        Peter Zijlstra <peterz@infradead.org>,
        "H. Peter Anvin" <hpa@zytor.com>, Andi Kleen <andi@firstfloor.org>,
        Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
        libc-alpha <libc-alpha@sourceware.org>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        "Carlos O'Donell" <carlos@redhat.com>, x86 <x86@kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 9, 2019 at 4:43 PM Mathieu Desnoyers
<mathieu.desnoyers@efficios.com> wrote:
> ----- On Apr 9, 2019, at 3:32 PM, Mathieu Desnoyers mathieu.desnoyers@efficios.com wrote:
> >
> > We are about to include the code signature required prior to restartable
> > sequences abort handlers into glibc, which will make this ABI choice final.
> > We need architecture maintainer input on that signature value.
> >
> > That code signature is placed before each abort handler, so the kernel can
> > validate that it is indeed jumping to an abort handler (and not some
> > arbitrary attacker-chosen code). The signature is never executed.
> >
> > Currently, tools/testing/selftests/rseq/rseq-x86.h defines RSEQ_SIG
> > as 0x53053053, and uses it as an immediate operand to the following
> > instruction opcodes (as suggested by Andy Lutomirski):
> >
> > x86-32:
> > - .byte 0x0f, 0x1f, 0x05: nopl <sig>
> >
> > x86-64:
> > - .byte 0x0f, 0x1f, 0x05: nopl <sig>(%rip)
> >
> > The current discussion thread on the glibc mailing list leads us towards
> > using a trap with uncommon immediate operand, which simplifies integration
> > with disassemblers, emulators, makes it easier to debug if the control
> > flow gets redirected there by mistake, and is nicer for some architecture's
> > speculative execution.
...
> Peter Zijlstra suggested to use "invlpg" in user-space, which should generate
> a trap. The only concern would be emulators, but ideally they would not try to
> decode an instruction that is never executed. This would lead to the following
> patch. Any objections/ack ?
...
> +/*
> + * RSEQ_SIG is used with the following privileged instructions, which trap in user-space:
> + * x86-32:    0f 01 3d 53 30 05 53      invlpg 0x53053053
> + * x86-64:    0f 01 3d 53 30 05 53      invlpg 0x53053053(%rip)
> + */
>  #define RSEQ_SIG       0x53053053

On x86, you have to worry about what happens if control flow gets
redirected to an arbitrary byte address.  The proposed sequence `0f 01
3d 53 30 05 53` is a trap instruction if control lands seven bytes
before the beginning of the abort handler, but if it lands anywhere
_else_ within the marker sequence, you get one of these instruction
sequences, none of which trap, all but one of which will corrupt the
process state, and three of which will consume three bytes from the
beginning of the abort handler's code, continuing execution with a
misaligned PC:

    01 3d 53 30 05 53        add %edi,0x53053053(%rip)
    3d 53 30 05 53           cmp $0x53053053,%eax
    53 30 05 53 XX XX XX     push %rbx; xor %al,0xXXXXXX78(%rip)
    30 05 53 XX XX XX        xor %al,0xXXXXXX78(%rip)
    05 53 XX XX XX           add $0xXXXXXX53,%eax
    53                       push %rbx

So I'm going to suggest instead the four-byte sequence CD CF CD CF.
That's INT $0xCF if control lands either two or four bytes before the
beginning of the abort handler, and IRET if it lands one or three
bytes before.  I believe both of these possibilities are currently
also forbidden in user mode.  It doesn't need to be longer, does it?

zw