Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp2188081pxb; Sun, 31 Oct 2021 09:45:20 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyOG2bY/HMp2ar/aEP0zoZCtQxZzkzhOSjZPOFGHymoeHkktsa85GXaPrqHElv6VRUOOJTy X-Received: by 2002:a92:a304:: with SMTP id a4mr16052252ili.78.1635698720142; Sun, 31 Oct 2021 09:45:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635698720; cv=none; d=google.com; s=arc-20160816; b=WOhuukKHY4Kf3PEyTEp5d8FIxx+/Hg0mfU/3zYnFn9yC24F6y2Vp0bWZptmpmYdqtT xmkVVbjLZdjd5riLpLARJKLiyECOQZkGjFp3CQZFQMBHNAnhfDlzJsbaeNR2cvebYWWx e5DxXmQ+cmDeR5FM8haTe42V/8KT5fcqOkOr5hOd71qAsUdHmdDqRmU1I9petlguU5L2 DCXnhHX36OJSqBiUAbJsdnxMVKxqwqLDKZEWp4j/zhcAgRu/D2hLaWqeRxviLlDnCPCN zStm8XjHIrxSldvAlmAG8ZbVz9+IvUJzfb83Xyf+yICyU3IDUwW2Rzq4TBtf9aT4+8JA jSLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=KqBG5a72r0SwoJh6oXNmY014kyMvBMiK1GbA0SDqhtU=; b=WCKMPldnJ9sdXaQu78KKlb2B5Ued5oLxI0jmK2Vq+fSI6VE1aIoKKyM4Wxt3FyA0FF HpG0d681oU/pmk4xuSB33xbUSrR8IJ+qd+oR2/fBU03gwwXqDP0hmlWtymLGXK+czLnG PZFGigFwADTHFv6/IyumAeSgZ32fx+TY4fEX5Nf5xw3fNjxeuHpPLOrnvOA0Cle1DG2Y sDN9lc14PqSUSz0mAspDLlmZNrcnR2jQsm4b6n2fTT0aD7XAvyG2rQOtwHm8hPFWvBVV 8TfWDTHc8PHUJlzIg8EZrb4VVsjAaMBSYwEUlox9W/zUINZWn6uv3h4xs0puQsZz3QQ0 CFgQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=rrx3JAFt; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d22si12329504ioi.111.2021.10.31.09.45.08; Sun, 31 Oct 2021 09:45:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=rrx3JAFt; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229853AbhJaQqt (ORCPT + 99 others); Sun, 31 Oct 2021 12:46:49 -0400 Received: from mail.kernel.org ([198.145.29.99]:37994 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229579AbhJaQqs (ORCPT ); Sun, 31 Oct 2021 12:46:48 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 8519860F9E; Sun, 31 Oct 2021 16:44:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1635698656; bh=KqBG5a72r0SwoJh6oXNmY014kyMvBMiK1GbA0SDqhtU=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=rrx3JAFte+bnvxLfREs8Zp20Ei3Bb1lLKJrtUB9esdLJCRgWdCgoHc+CGNMids0KG qnZAEUIuC8q4WXIK7jKkSrvCvHUVd3Bzk5eLs15cudtrXG4QgkPi1Hl/wcsLepl1RI Pti3Zv5ihR+DtzhZveeLN7XABULJ0VQtAog6jUrOKJup6Ix2Bx9i4/WIREjInGBeDD iX++m3Qql9J3u5vGjy+5PsNYR6GUJKxP5L5SfFh636t/wznOK9ttikuBaEV2SfcXVA RlaNSAJ4dEALQQlsrpU57OYGErMVpszXE8OqqEB2DdRQNGFCNoVShgeuRwmyCf2YFk txlOtPEE/WeGg== Received: by mail-oi1-f181.google.com with SMTP id n11so13416060oig.6; Sun, 31 Oct 2021 09:44:16 -0700 (PDT) X-Gm-Message-State: AOAM530ixAjzu4NgLNG0/5v+e9npOr9dRUXMbICWWjlsAKGYqxGgA0pg rY/Un144zCF8E31NJvgbR6Szux6SLjidFuImMak= X-Received: by 2002:a05:6808:4d9:: with SMTP id a25mr16521518oie.33.1635698655833; Sun, 31 Oct 2021 09:44:15 -0700 (PDT) MIME-Version: 1.0 References: <20211029200324.GR174703@worktop.programming.kicks-ass.net> <20211030074758.GT174703@worktop.programming.kicks-ass.net> <20211030180249.GU174703@worktop.programming.kicks-ass.net> <20211031163920.GV174703@worktop.programming.kicks-ass.net> In-Reply-To: <20211031163920.GV174703@worktop.programming.kicks-ass.net> From: Ard Biesheuvel Date: Sun, 31 Oct 2021 17:44:04 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] static_call,x86: Robustify trampoline patching To: Peter Zijlstra Cc: Sami Tolvanen , Mark Rutland , X86 ML , Kees Cook , Josh Poimboeuf , Nathan Chancellor , Nick Desaulniers , Sedat Dilek , Steven Rostedt , linux-hardening@vger.kernel.org, Linux Kernel Mailing List , llvm@lists.linux.dev Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, 31 Oct 2021 at 17:39, Peter Zijlstra wrote: > > On Sun, Oct 31, 2021 at 05:24:13PM +0100, Ard Biesheuvel wrote: > > On Sat, 30 Oct 2021 at 20:55, Ard Biesheuvel wrote: > > > > > > On Sat, 30 Oct 2021 at 20:03, Peter Zijlstra wrote: > > > > > > > > On Sat, Oct 30, 2021 at 07:19:53PM +0200, Ard Biesheuvel wrote: > > > > > I just realized that arm64 has the exact same problem, which is not > > > > > being addressed by my v5 of the static call support patch. > > > > > > > > Yeah, it would. > > > > > > > > > As it turns out, the v11 Clang that I have been testing with is broken > > > > > wrt BTI landing pads, and omits them from the jump table entries. > > > > > Clang 12+ adds them properly, which means that both the jump table > > > > > entry and the static call trampoline may start with BTI C + direct > > > > > branch, and we also need additional checks to disambiguate. > > > > > > > > I'm not sure, why would the static_call trampoline need a BTI C ? The > > > > whole point of static_call() is to be a direct call, we should never > > > > have an indirect call to the trampoline, that would defeat the whole > > > > purpose. > > > > > > This might happen when the distance between the caller and the > > > trampoline is more than 128 MB, in which case we emit a veneer that > > > uses an indirect call as well. So we definitely need the landing pad > > > in the trampoline. > > > > Something like the below seems to work to prevent getting the wrong > > trampoline address into arch_static_call_transform: > > Is is also a terriblly gross hack. I really want the clang-cfi stuff to > improve, not add layers of hacks on top of it. I'm just as annoyed as you are about the apparent need for this. However, emitting an alias at build time is far better IMHO than adding a magic byte sequence and having to check it at runtime.