Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1306572pxb; Sat, 30 Oct 2021 10:22:21 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwkV3M/8PgdzdspwXxYyVuDsB2itYlvQJfT0tuZPj94BGhaNuUEQxtbQb7JpVMjyLewtiar X-Received: by 2002:a17:906:3acc:: with SMTP id z12mr22765917ejd.215.1635614540802; Sat, 30 Oct 2021 10:22:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635614540; cv=none; d=google.com; s=arc-20160816; b=FW7qCOdPuF4EeVJCyCJ4PMjgZFiIbJeD4KbC+t0IHhYw34ZvDRa9KRyLvzK8RRsXRp nRvvzGR2fZLshbKYe7160bDqHDgjphYE3Bdg9oh1xYOJExIcq8TR2Ijp24QWXVGPGr2J 3Rb+p3ATUAjrbvrEVVOqBsJYtEEfY9ii3paRS/2OVSvzrKtlCeh9pKmDmr3TEeehQxFr sYyNeoHHM3/3BPP9FYqHDFFEBXvbbRDfCLcX/t+rAsrK2lpzvc+TvCz3LqzXRPu6TXQ0 4+luaydeMyVmRawbasJ8nxpcyzGbVba2itqyiv6d5bG2NXx18pSRhN3HGkzHM0y8M7T9 pNBg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=raolV5QwIhs0jA2CVtxDMa/CXCP/Foq+AV/tMtlJwjE=; b=HF/r+zCylNFpGr0lgIq/HW6zB8vf00CKq0zT0I5FVAFz5U6WNKNqJjLKZcuj+6qm1H ddrxuRtOBtfdLZFbH296+bAew6pNbkAXZhyvbguucY8zjUJHI5iOBgHg2HOcKhv69d34 WG+SxdJCp4C5XK4k0kBb3eidiwVd5RfK/n6uD6oLhsfyQgbItmhqdo9kJcqKM7vSgddZ 5H1/HPGLGXmyW5DrsPmW8U/tU8mb55OYYB4hBfIyQu+kYlsvTQsQN3xhihR9AaXZgAvT kT5nNN5yLYV29gFPQTquBEjhrcxCrzeDsUnMpdLUQPFwgS74c1QzG9JjUpmE7bR42Rin ce1w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="VLS2F/hw"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z13si22238371edd.383.2021.10.30.10.21.55; Sat, 30 Oct 2021 10:22:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="VLS2F/hw"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230470AbhJ3RWl (ORCPT + 99 others); Sat, 30 Oct 2021 13:22:41 -0400 Received: from mail.kernel.org ([198.145.29.99]:42300 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229474AbhJ3RWg (ORCPT ); Sat, 30 Oct 2021 13:22:36 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id AFAFE60FC3; Sat, 30 Oct 2021 17:20:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1635614405; bh=jisY5HPhWX9iNQ9+wevVVLZjayadNPZuYlW5MoiG98Y=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=VLS2F/hwY4ACE8G5VxNmv/ZcNE4TA3tOCJ0WRP67bfs7a4X2VeNTtQkM7s4AOR0ea Ko2XuDREhsx/cCNW1glbdhgSLHjsbrBnQ51MdsgM4X7kEP670ufn+xyM5jwBtiBVZp v06gsaBb4DaAKNQWRDBhXk1F5ctd39dDC6H4uTrfTHOqGZIbE9WtsVIajxMt7MR8Wu i3gmZtTVDVOYmhEWrxlQMTNvyMkulPPGwB8BHHa9w7FfEFNRHrQpKHvmlVinC30GXW TUVLhGOmmsT0KAf42i2GuxatgrrsrSXdOalstr4fVNjwx7lQsYJgCIQD+CEX9tiidm XnetkDBCG5fFg== Received: by mail-oi1-f173.google.com with SMTP id bm39so7767536oib.0; Sat, 30 Oct 2021 10:20:05 -0700 (PDT) X-Gm-Message-State: AOAM5301FuB1iL96bCfzVsGOQoAXCXmv5/PKdbYG+s0yzPqLUWGU0NiG 3LzXkK8DuOtvvgdKPD4UA+uXXL7gS4kO2t1Ymic= X-Received: by 2002:a05:6808:1805:: with SMTP id bh5mr18589992oib.47.1635614404947; Sat, 30 Oct 2021 10:20:04 -0700 (PDT) MIME-Version: 1.0 References: <20211026201622.GG174703@worktop.programming.kicks-ass.net> <20211027120515.GC54628@C02TD0UTHF1T.local> <20211027124852.GK174703@worktop.programming.kicks-ass.net> <20211029200324.GR174703@worktop.programming.kicks-ass.net> <20211030074758.GT174703@worktop.programming.kicks-ass.net> In-Reply-To: <20211030074758.GT174703@worktop.programming.kicks-ass.net> From: Ard Biesheuvel Date: Sat, 30 Oct 2021 19:19:53 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] static_call,x86: Robustify trampoline patching To: Peter Zijlstra Cc: Sami Tolvanen , Mark Rutland , X86 ML , Kees Cook , Josh Poimboeuf , Nathan Chancellor , Nick Desaulniers , Sedat Dilek , Steven Rostedt , linux-hardening@vger.kernel.org, Linux Kernel Mailing List , llvm@lists.linux.dev Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, 30 Oct 2021 at 09:49, Peter Zijlstra wrote: > > On Fri, Oct 29, 2021 at 10:03:24PM +0200, Peter Zijlstra wrote: > > > So I had a bit of a peek at what clang generates: > > > > 3fa4: 48 c7 c7 00 00 00 00 mov $0x0,%rdi 3fa7: R_X86_64_32S __SCK__x86_pmu_handle_irq > > 3fab: 48 c7 c6 00 00 00 00 mov $0x0,%rsi 3fae: R_X86_64_32S __SCT__x86_pmu_handle_irq.cfi_jt > > 3fb2: e8 00 00 00 00 call 3fb7 3fb3: R_X86_64_PLT32 __static_call_update-0x4 > > > > So this then gives the trampoline jump table entry to > > __static_call_update(), with the result that it will rewrite the > > jump-table entry, not the trampoline! > > > > Now it so happens that the trampoline looks *exactly* like the > > jump-table entry (one jmp.d32 instruction), so in that regards it'll > > again 'work'. > > > > But this is all really, as in *really*, wrong. And I'm really sad I'm > > the one to have to discover this, even though I've mentioned > > static_call()s being tricky in previous reviews. > > The below makes the clang-cfi build properly sick: > > [ 0.000000] trampoline signature fail > [ 0.000000] ------------[ cut here ]------------ > [ 0.000000] kernel BUG at arch/x86/kernel/static_call.c:65! > > --- > Subject: static_call,x86: Robustify trampoline patching > > Add a few signature bytes after the static call trampoline and verify > those bytes match before patching the trampoline. This avoids patching > random other JMPs (such as CFI jump-table entries) instead. > > These bytes decode as: > > d: 53 push %rbx > e: 43 54 rex.XB push %r12 > > And happen to spell "SCT". > > Signed-off-by: Peter Zijlstra (Intel) I just realized that arm64 has the exact same problem, which is not being addressed by my v5 of the static call support patch. As it turns out, the v11 Clang that I have been testing with is broken wrt BTI landing pads, and omits them from the jump table entries. Clang 12+ adds them properly, which means that both the jump table entry and the static call trampoline may start with BTI C + direct branch, and we also need additional checks to disambiguate.