Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4439614yba; Tue, 9 Apr 2019 19:46:06 -0700 (PDT) X-Google-Smtp-Source: APXvYqz3/hB4Sj7M0PcDJguH2ukIV/uj2ltuD8RIgPie3aSjquPgknWsSPZSu+q325giEWgF26+l X-Received: by 2002:a65:414a:: with SMTP id x10mr38748040pgp.237.1554864366854; Tue, 09 Apr 2019 19:46:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554864366; cv=none; d=google.com; s=arc-20160816; b=g6AlNhj9mk/QeZHAL9Qd6f7eZntM8AYAZCu564BIijclnErToC1+UvpjbPoKgEY2GT myXyJMXwZy3ZjzVRAhoDGmRSsXobKivzbniyRf4CO43KLN9hXy/xT/C/nhVKZqOKY0zG 9blLFReaVqaB4bkYGilKaBXSWXe4NP4QMDJ5ZhJghQUW12sz8BN1tlqSnhVYgywnh2qc BHHMZLXILPtruIIjYnBHgi+UPIizgTYfyOyvDdXDv0w02IhXM24zGdf/vINhnT6qeD3W 5D3D/EOlljaCIiyGLHnNm4uQM+QAzWdDZ+xGA3e7kT7TgCs6wWj8B0cg3IsnSYwNkmUi tWSA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=tBGOpYya/Cr/iPg1mK14ZB4HEcz1/IfYa+AjwvEx4Ys=; b=OXmiuHob8nDH3Va4OJoGSF47fErEkNwSI/sV4OtrSTuasqGR55qtaoHjrNrQzNGiyE dfkBmn0cCMnqG89tBD9tDq4xCakCpUCaCk3sfyxVrXpa0I0qDy7Om3GqxctmtLFdm2rl GBLXQBxYB9VkYwnlepU9evi6vYi7zOxtuLLXfGN9Iq4UzJno/kvOLSzhKGR4dW+6PxF0 aiPKjWVwB3+vJVH1jtnPv6vEt++W+lxCY3SEFneuVzLRXvYZzdCToFzhdzm0xcqC9LeP Am9SeN/j7yJBuomnNzcx8xrbgs416OWYVBZuor5df0vAnDRoQtO4eWrQzKx0hd0wOf7Q BlKQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=qbkRJvZa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m79si31959096pfi.81.2019.04.09.19.45.50; Tue, 09 Apr 2019 19:46:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=qbkRJvZa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726937AbfDJB5Z (ORCPT + 99 others); Tue, 9 Apr 2019 21:57:25 -0400 Received: from mail.kernel.org ([198.145.29.99]:57780 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726513AbfDJB5Y (ORCPT ); Tue, 9 Apr 2019 21:57:24 -0400 Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5380221906 for ; Wed, 10 Apr 2019 01:57:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1554861442; bh=gfUIgnIg/DHbb+LXfQC2ld5G3sGfQ2zlEpyNZs+QkPk=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=qbkRJvZadStHyhvBxN2bQbWJHa65/wJ9QQEkZCzqUpiiZk2dRQjWOa92Jom5ItCWv TbqJDm+nRBbTZemkLO1cY7YYMp8kN3IB81EJa/KZkHfXxzzca5jkpCmJB6mQ4ApDJQ WJAkbt35vbeDz/7gPqbIBtvu3N8Qxdc5O11mB8jA= Received: by mail-wm1-f42.google.com with SMTP id a184so744996wma.2 for ; Tue, 09 Apr 2019 18:57:22 -0700 (PDT) X-Gm-Message-State: APjAAAXU+NnOhRMXZty5LTwGpmmz3ER7A3j7m+txCbSf+g8VDczGlFAw 5uMFkd7VO1oGYktHsYc/VPKTJ7dR3krcN7WPO8mzWA== X-Received: by 2002:a1c:4e19:: with SMTP id g25mr847752wmh.9.1554861440757; Tue, 09 Apr 2019 18:57:20 -0700 (PDT) MIME-Version: 1.0 References: <11513896.2624.1554838336494.JavaMail.zimbra@efficios.com> <913288111.2663.1554842622822.JavaMail.zimbra@efficios.com> In-Reply-To: From: Andy Lutomirski Date: Tue, 9 Apr 2019 18:57:09 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: rseq/x86: choosing rseq code signature To: Zack Weinberg Cc: Mathieu Desnoyers , Thomas Gleixner , Peter Zijlstra , "H. Peter Anvin" , Andi Kleen , Ingo Molnar , Borislav Petkov , libc-alpha , linux-kernel , "Carlos O'Donell" , x86 Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 9, 2019 at 5:51 PM Zack Weinberg wrote: > > On Tue, Apr 9, 2019 at 4:43 PM Mathieu Desnoyers > wrote: > > ----- On Apr 9, 2019, at 3:32 PM, Mathieu Desnoyers mathieu.desnoyers@efficios.com wrote: > > > > > > We are about to include the code signature required prior to restartable > > > sequences abort handlers into glibc, which will make this ABI choice final. > > > We need architecture maintainer input on that signature value. > > > > > > That code signature is placed before each abort handler, so the kernel can > > > validate that it is indeed jumping to an abort handler (and not some > > > arbitrary attacker-chosen code). The signature is never executed. > > > > > > Currently, tools/testing/selftests/rseq/rseq-x86.h defines RSEQ_SIG > > > as 0x53053053, and uses it as an immediate operand to the following > > > instruction opcodes (as suggested by Andy Lutomirski): > > > > > > x86-32: > > > - .byte 0x0f, 0x1f, 0x05: nopl > > > > > > x86-64: > > > - .byte 0x0f, 0x1f, 0x05: nopl (%rip) > > > > > > The current discussion thread on the glibc mailing list leads us towards > > > using a trap with uncommon immediate operand, which simplifies integration > > > with disassemblers, emulators, makes it easier to debug if the control > > > flow gets redirected there by mistake, and is nicer for some architecture's > > > speculative execution. > ... > > Peter Zijlstra suggested to use "invlpg" in user-space, which should generate > > a trap. The only concern would be emulators, but ideally they would not try to > > decode an instruction that is never executed. This would lead to the following > > patch. Any objections/ack ? > ... > > +/* > > + * RSEQ_SIG is used with the following privileged instructions, which trap in user-space: > > + * x86-32: 0f 01 3d 53 30 05 53 invlpg 0x53053053 > > + * x86-64: 0f 01 3d 53 30 05 53 invlpg 0x53053053(%rip) > > + */ > > #define RSEQ_SIG 0x53053053 > > On x86, you have to worry about what happens if control flow gets > redirected to an arbitrary byte address. The proposed sequence `0f 01 > 3d 53 30 05 53` is a trap instruction if control lands seven bytes > before the beginning of the abort handler, but if it lands anywhere > _else_ within the marker sequence, you get one of these instruction > sequences, none of which trap, all but one of which will corrupt the > process state, and three of which will consume three bytes from the > beginning of the abort handler's code, continuing execution with a > misaligned PC: > > 01 3d 53 30 05 53 add %edi,0x53053053(%rip) > 3d 53 30 05 53 cmp $0x53053053,%eax > 53 30 05 53 XX XX XX push %rbx; xor %al,0xXXXXXX78(%rip) > 30 05 53 XX XX XX xor %al,0xXXXXXX78(%rip) > 05 53 XX XX XX add $0xXXXXXX53,%eax > 53 push %rbx > > So I'm going to suggest instead the four-byte sequence CD CF CD CF. > That's INT $0xCF if control lands either two or four bytes before the > beginning of the abort handler, and IRET if it lands one or three > bytes before. I believe both of these possibilities are currently > also forbidden in user mode. It doesn't need to be longer, does it? > IRET works in user mode just fine. Why are you concerned about landing in the middle of the signature? A misaligned jump into code is screwy pretty much no matter what. It does seem genuinely useful to trap if you accidentally fall through to the beginning of the signature, but I don't see the point of worrying about jumping to the middle. There's some argument that, for consistency with CET, the last couple bytes of the signature should match ENDBR. Mathieu, how many bytes do we have for the signature?