From: Ard Biesheuvel
Date: Tue, 2 Nov 2021 19:18:53 +0100
Subject: Re: [PATCH] static_call,x86: Robustify trampoline patching
To: Peter Zijlstra
Cc: Sami Tolvanen, Mark Rutland, X86 ML, Kees Cook, Josh Poimboeuf, Nathan Chancellor, Nick Desaulniers, Sedat Dilek, Steven Rostedt, linux-hardening@vger.kernel.org, Linux Kernel Mailing List, llvm@lists.linux.dev, joao@overdrivepizza.com
References: <20211101090155.GW174703@worktop.programming.kicks-ass.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 2 Nov 2021 at 19:14, Peter Zijlstra wrote:
>
> On Tue, Nov 02, 2021 at 06:44:56PM +0100, Ard Biesheuvel wrote:
> > On Tue, 2 Nov 2021 at 16:15, Peter Zijlstra wrote:
> > >
> > > On Tue, Nov 02, 2021 at 01:57:44PM +0100, Peter Zijlstra wrote:
> > >
> > > > So how insane is something like this, have each function:
> > > >
> > > > foo.cfi:
> > > >         endbr64
> > > >         xorl $0xdeadbeef, %r10d
> > > >         jz foo
> > > >         ud2
> > > >         nop # make it 16 bytes
> > > > foo:
> > > >         # actual function text goes here
> > > >
> > > >
> > > > And for each hash have two thunks:
> > > >
> > > >
> > > >         # arg: r11
> > > >         # clobbers: r10, r11
> > > > __x86_indirect_cfi_deadbeef:
> > > >         movl -9(%r11), %r10     # immediate in foo.cfi
> > > >         xorl $0xdeadbeef, %r10  # our immediate
> > > >         jz 1f
> > > >         ud2
> > > > 1:      ALTERNATIVE_2 "jmp *%r11",
> > > >                       "jmp __x86_indirect_thunk_r11", X86_FEATURE_RETPOLINE
> > > >                       "lfence; jmp *%r11", X86_FEATURE_RETPOLINE_AMD
> > > >
> >
> > So are these supposed to go into the jump tables? If so, there still
> > needs to be a check against the boundary of the table at the call
> > site, to ensure that we are not calling something that we shouldn't.
> >
> > If they are not going into the jump tables, I don't see the point of
> > having them, as only happy flow/uncompromised code would bother to use
> > them.
>
> I don't understand. If you can scribble your own code, you can
> circumvent pretty much any range check anyway.

A function pointer is data not code.

> But if you can't scribble
> your own code, you get to use the branch here and that checks the
> callsite and callee signature.
>

OK, so the call site has a direct branch to this trampoline then? That
wasn't clear to me.

> The range check isn't fundamental to CFI, having a check is the
> important thing AFAIU.

Agreed. If the call site has a direct branch, it doesn't need the range check.
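The scheme in the quoted sketch, modelled in C as an added example (this is not kernel code and not code from either participant). Each function carries a 32-bit type hash immediately in front of its body, standing in for the `xorl $0xdeadbeef, %r10d; jz foo; ud2` preamble at `foo.cfi`, and the per-hash thunk reads the callee's hash (the `movl -9(%r11), %r10` in the sketch), xors it with its own and traps unless the result is zero. The hash constants, the `cfi_sym` layout, the function names and the `cfi_traps` counter that stands in for `ud2` are all assumptions made for the model. It contrasts the hash check with a plain table range check for the case Ard raises: the attacker has a data write (the function pointer) but no code write.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed type hashes; a real implementation derives them from the
 * function type. */
#define HASH_INT_INT   0xdeadbeefu   /* "int f(int)"   (assumed value) */
#define HASH_VOID_VOID 0x0badf00du   /* "void f(void)" (assumed value) */

typedef int  (*int_fn)(int);
typedef void (*generic_fn)(void);

/* Model of "foo.cfi" followed by "foo": the hash sits just before the body,
 * which is what the thunk's "movl -9(%r11), %r10" reads in the sketch. */
struct cfi_sym {
    uint32_t   type_hash;
    generic_fn body;       /* cast back to the real type inside the thunk */
};

static int  square(int x)    { return x * x; }
static int  negate(int x)    { return -x; }
static void do_nothing(void) { }

/* The "jump table": every address-taken function with its type hash. */
static const struct cfi_sym jump_table[] = {
    { HASH_INT_INT,   (generic_fn)square     },
    { HASH_INT_INT,   (generic_fn)negate     },
    { HASH_VOID_VOID, (generic_fn)do_nothing },
};
#define JUMP_TABLE_LEN (sizeof(jump_table) / sizeof(jump_table[0]))

static int cfi_traps;   /* counts modelled "ud2" executions */

/* Model of __x86_indirect_cfi_deadbeef: r11 = target, check, then jump. */
static int cfi_call_int_int(const struct cfi_sym *target, int arg)
{
    if ((target->type_hash ^ HASH_INT_INT) != 0) {   /* xorl; jz 1f; ud2 */
        cfi_traps++;
        return -1;                                   /* stands in for the trap */
    }
    return ((int_fn)target->body)(arg);              /* jmp *%r11 */
}

/* The alternative discussed in the thread: a range check against the table. */
static bool in_jump_table(const struct cfi_sym *target)
{
    return target >= jump_table && target < jump_table + JUMP_TABLE_LEN;
}

/* Honest caller: the pointer is the one the compiler placed. */
static int demo_legit_call(void)
{
    return cfi_call_int_int(&jump_table[0], 5);      /* square(5) */
}

/* "A function pointer is data not code": a data write redirects the pointer
 * at do_nothing without touching any code. It is still inside the table, so a
 * pure range check accepts it, while the hash check traps on the mismatch. */
static bool demo_corrupted_pointer_passes_range_check(void)
{
    return in_jump_table(&jump_table[2]);
}

static int demo_corrupted_pointer(void)
{
    return cfi_call_int_int(&jump_table[2], 5);      /* trapped */
}

/* Substituting a function of the same type is caught by neither check. */
static int demo_same_type_substitution(void)
{
    return cfi_call_int_int(&jump_table[1], 5);      /* negate(5) */
}

static int demo_trap_count(void) { return cfi_traps; }

int main(void)
{
    printf("legit: %d\n", demo_legit_call());
    printf("corrupted: %d (range check accepted: %d)\n",
           demo_corrupted_pointer(), demo_corrupted_pointer_passes_range_check());
    printf("same type: %d, traps: %d\n", demo_same_type_substitution(), demo_trap_count());
    return 0;
}
```

The model keeps the part of the design that matters for the exchange above: the check compares the call site's expected signature hash with whatever is stored in front of the callee, so an attacker who can only overwrite the pointer cannot pick a callee of a different type, regardless of whether the target lies inside a table. What no hash scheme prevents is substitution of another function with the same signature, which the last demo shows.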