Date: Tue, 1 Mar 2022 19:06:21 -0800
From: Peter Collingbourne
To: Peter Zijlstra
Cc: Joao Moreira, Kees Cook, x86@kernel.org, hjl.tools@gmail.com, jpoimboe@redhat.com, andrew.cooper3@citrix.com, linux-kernel@vger.kernel.org, ndesaulniers@google.com, samitolvanen@google.com, llvm@lists.linux.dev
Subject: Re: [RFC][PATCH 6/6] objtool: Add IBT validation / fixups
References: <20211122170301.764232470@infradead.org> <20211122170805.338489412@infradead.org> <6ebb0ab131c522f20c094294d49091fc@overdrivepizza.com> <202202081541.900F9E1B@keescook> <202202082003.FA77867@keescook>
 <9ea50c51ee8db366430c9dc697a83923@overdrivepizza.com> <20220211133803.GV23216@worktop.programming.kicks-ass.net>
In-Reply-To: <20220211133803.GV23216@worktop.programming.kicks-ass.net>

Hi Peter,

One issue with this call sequence is that:

On Fri, Feb 11, 2022 at 02:38:03PM +0100, Peter Zijlstra wrote:
> caller:
>         cmpl    $0xdeadbeef, -0x4(%rax)         # 7 bytes

Because this instruction ends in the constant 0xdeadbeef, it may be used
as a "gadget" that would effectively allow branching to an arbitrary
address in %rax if the attacker can arrange to set ZF=1.

>         je      1f                              # 2 bytes
>         ud2                                     # 2 bytes
> 1:      call    __x86_indirect_thunk_rax        # 5 bytes
>
>
>         .align 16
>         .byte 0xef, 0xbe, 0xad, 0xde            # 4 bytes
> func:
>         endbr                                   # 4 bytes
>         ...
>         ret

I think we can avoid this problem with a slight tweak to your instruction
sequence, at the cost of 2 bytes per function prologue. First, change the
call sequence like so:

        cmpl    $0xdeadbeef, -0x6(%rax)         # 6 bytes
        je      1f                              # 2 bytes
        ud2                                     # 2 bytes
1:      call    __x86_indirect_thunk_rax        # 5 bytes

The key difference is that we've changed 0x4 to 0x6. Then change the
function prologue to this:

        .align 16
        .byte 0xef, 0xbe, 0xad, 0xde            # 4 bytes
        .zero 2                                 # 2 bytes
func:

The end result of the above is that the constant embedded in the cmpl
instruction may only be used to reach the following ud2 instruction,
which will "harmlessly" terminate execution in the same way as if the
prologue signature did not match.

Peter
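The following is an added example, not code from the mail above or from the kernel patch series it discusses. It builds both caller/callee byte layouts in a constructed 64-byte toy image and scans every byte offset inside the caller sequence for targets at which the caller-side hash check would still pass, i.e. the "gadget" landing points the mail is concerned with. Assumptions made here: the cmpl is encoded in the standard 7-byte form 81 78 <disp8> ef be ad de in both variants (the displacement byte is 0xfc for -0x4 and 0xfa for -0x6), `je 1f` as 74 02, the retpoline call as e8 plus a rel32 whose value the scan ignores, `endbr` as endbr64 (f3 0f 1e fa), and the callee hash placed at offset 32 to stand in for `.align 16`.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HASH       0xdeadbeefu
#define MEM_SIZE   64
#define FUNC_ALIGN 32   /* assumed: where .align 16 lands the hash in this toy image */

struct layout {
    const char *name;
    uint8_t mem[MEM_SIZE];          /* constructed code image: caller at 0, callee at 32 */
    size_t caller_len;              /* bytes occupied by the caller sequence */
    size_t off_je, off_ud2, off_call, off_func;
    int disp;                       /* displacement used by the cmpl: 4 or 6 */
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Assemble one layout: the caller sequence at offset 0, then the callee
 * hash at FUNC_ALIGN, `pad` zero bytes (.zero pad), then func: endbr64. */
static void build(struct layout *l, const char *name, int disp, size_t pad) {
    memset(l, 0, sizeof *l);
    l->name = name;
    l->disp = disp;
    uint8_t *p = l->mem;
    /* cmpl $0xdeadbeef, -disp(%rax): opcode 81 /7 id, ModRM 0x78 = disp8(%rax).
     * The 4 immediate bytes are the tail of the instruction. */
    *p++ = 0x81; *p++ = 0x78; *p++ = (uint8_t)(-disp);
    *p++ = 0xef; *p++ = 0xbe; *p++ = 0xad; *p++ = 0xde;
    l->off_je = (size_t)(p - l->mem);   *p++ = 0x74; *p++ = 0x02;   /* je 1f (skips ud2) */
    l->off_ud2 = (size_t)(p - l->mem);  *p++ = 0x0f; *p++ = 0x0b;   /* ud2 */
    l->off_call = (size_t)(p - l->mem); *p++ = 0xe8; p += 4;        /* 1: call rel32 */
    l->caller_len = (size_t)(p - l->mem);
    /* callee: .align 16 ; .byte 0xef,0xbe,0xad,0xde ; .zero pad ; func: endbr64 */
    p = l->mem + FUNC_ALIGN;
    *p++ = 0xef; *p++ = 0xbe; *p++ = 0xad; *p++ = 0xde;
    p += pad;
    l->off_func = (size_t)(p - l->mem);
    *p++ = 0xf3; *p++ = 0x0f; *p++ = 0x1e; *p++ = 0xfa;
}

/* The caller-side check: do the 4 bytes at target-disp hold the hash? */
static int check_passes(const struct layout *l, size_t target) {
    if (target < (size_t)l->disp || target > MEM_SIZE) return 0;
    return read_le32(l->mem + target - l->disp) == HASH;
}

/* Scan every byte offset inside the caller sequence itself and collect the
 * ones an indirect call could be pointed at while still passing the check.
 * Returns the number of such offsets written to `out`. */
static size_t caller_gadgets(const struct layout *l, size_t *out, size_t max) {
    size_t n = 0;
    for (size_t t = 0; t < l->caller_len; t++)
        if (check_passes(l, t) && n < max) out[n++] = t;
    return n;
}

static const char *describe(const struct layout *l, size_t off) {
    if (off == l->off_je)   return "je";
    if (off == l->off_ud2)  return "ud2";
    if (off == l->off_call) return "call";
    return "other";
}

int main(void) {
    struct layout a, b;
    build(&a, "original (-0x4, no pad) ", 4, 0);
    build(&b, "tweaked  (-0x6, .zero 2)", 6, 2);
    const struct layout *ls[2] = { &a, &b };
    for (int i = 0; i < 2; i++) {
        size_t g[8];
        size_t n = caller_gadgets(ls[i], g, 8);
        printf("%s: legitimate func check %s; in-caller targets passing the check:",
               ls[i]->name, check_passes(ls[i], ls[i]->off_func) ? "passes" : "FAILS");
        for (size_t k = 0; k < n; k++)
            printf(" +%zu (%s)", g[k], describe(ls[i], g[k]));
        printf("\n");
    }
    return 0;
}
```

With the -0x4 displacement the only in-caller offset that passes is the `je` right after the cmpl, because the immediate bytes sit exactly 4 bytes before it; with -0x6 and two bytes of padding in the prologue, the same scan turns up only the `ud2`, while the real `func:` entry still passes in both layouts. Build with `cc -std=c11 -Wall` and run; the displacement byte is the only difference between the two cmpl encodings, so the 2-byte cost is entirely in the prologue, as the mail says.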