Date: Thu, 21 Jul 2022 19:55:55 +0200
From: Peter Zijlstra
To: Sami Tolvanen
Cc: Linus Torvalds, Thomas Gleixner, Joao Moreira, LKML, the arch/x86 maintainers, Tim Chen, Josh Poimboeuf, "Cooper, Andrew", Pawan Gupta, Johannes Wikner, Alyssa Milburn, Jann Horn, "H.J. Lu", "Moreira, Joao", "Nuzman, Joseph", Steven Rostedt, "Gross, Jurgen", Masami Hiramatsu, Alexei Starovoitov, Daniel Borkmann, Peter Collingbourne, Kees Cook
Subject: Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation
References: <87fsiyuhyz.ffs@tglx>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jul 21, 2022 at 05:54:38PM +0200, Peter Zijlstra wrote:
> My very firstest LLVM patch; except it explodes at runtime and I'm not
> sure where to start looking...
>
> On top of sami-llvm/kcfi

Thanks Sami! This seems to work, let me go hack the kernel..

---
 clang/lib/Driver/SanitizerArgs.cpp     | 12 ---------
 llvm/lib/Target/X86/X86AsmPrinter.cpp  | 11 --------
 llvm/lib/Target/X86/X86MCInstLower.cpp | 47 ++++++++++++++++++++++------------
 3 files changed, 31 insertions(+), 39 deletions(-)

diff --git a/clang/lib/Driver/SanitizerArgs.cpp b/clang/lib/Driver/SanitizerArgs.cpp
index 373a74399df0..b6ebc8ad1842 100644
--- a/clang/lib/Driver/SanitizerArgs.cpp
+++ b/clang/lib/Driver/SanitizerArgs.cpp
@@ -719,18 +719,6 @@ SanitizerArgs::SanitizerArgs(const ToolChain &TC, D.Diag(diag::err_drv_argument_not_allowed_with) << "-fsanitize=kcfi" << lastArgumentForMask(D, Args, SanitizerKind::CFI); - - if (Arg *A = Args.getLastArg(options::OPT_fpatchable_function_entry_EQ)) { - StringRef S = A->getValue(); - unsigned N, M; - // With -fpatchable-function-entry=N,M, where M > 0, - // llvm::AsmPrinter::emitFunctionHeader injects nops before the - // KCFI type identifier, which is currently unsupported. - if (!S.consumeInteger(10, N) && S.consume_front(",") && - !S.consumeInteger(10, M) && M > 0) - D.Diag(diag::err_drv_argument_not_allowed_with) - << "-fsanitize=kcfi" << A->getAsString(Args); - } } Stats = Args.hasFlag(options::OPT_fsanitize_stats, diff --git a/llvm/lib/Target/X86/X86AsmPrinter.cpp b/llvm/lib/Target/X86/X86AsmPrinter.cpp index 5e011d409ee8..ffdb95324da7 100644 --- a/llvm/lib/Target/X86/X86AsmPrinter.cpp +++ b/llvm/lib/Target/X86/X86AsmPrinter.cpp 
@@ -124,23 +124,12 @@ void X86AsmPrinter::emitKCFITypeId(const MachineFunction &MF, OutStreamer->emitSymbolAttribute(FnSym, MCSA_ELF_TypeFunction); OutStreamer->emitLabel(FnSym); - // Emit int3 padding to allow runtime patching of the preamble. - EmitAndCountInstruction(MCInstBuilder(X86::INT3)); - EmitAndCountInstruction(MCInstBuilder(X86::INT3)); - // Embed the type hash in the X86::MOV32ri instruction to avoid special // casing object file parsers. EmitAndCountInstruction(MCInstBuilder(X86::MOV32ri) .addReg(X86::EAX) .addImm(Type->getZExtValue())); - // The type hash is encoded in the last four bytes of the X86::MOV32ri - // instruction. Emit additional X86::INT3 padding to ensure the hash is - // at offset -6 from the function start to avoid potential call target - // gadgets in checks emitted by X86AsmPrinter::LowerKCFI_CHECK. - EmitAndCountInstruction(MCInstBuilder(X86::INT3)); - EmitAndCountInstruction(MCInstBuilder(X86::INT3)); - if (MAI->hasDotTypeDotSizeDirective()) { MCSymbol *EndSym = OutContext.createTempSymbol("cfi_func_end"); OutStreamer->emitLabel(EndSym); diff --git a/llvm/lib/Target/X86/X86MCInstLower.cpp b/llvm/lib/Target/X86/X86MCInstLower.cpp index 16c4d2e45970..4ed23348aa7c 100644 --- a/llvm/lib/Target/X86/X86MCInstLower.cpp +++ b/llvm/lib/Target/X86/X86MCInstLower.cpp 
@@ -1340,22 +1340,37 @@ void X86AsmPrinter::LowerKCFI_CHECK(const MachineInstr &MI) { assert(std::next(MI.getIterator())->isCall() && "KCFI_CHECK not followed by a call instruction"); - // The type hash is encoded in the last four bytes of the X86::CMP32mi - // instruction. If we decided to place the hash immediately before - // indirect call targets (offset -4), the X86::JCC_1 instruction we'll - // emit next would be a potential indirect call target as it's preceded - // by a valid type hash. - // - // To avoid generating useful gadgets, X86AsmPrinter::emitKCFITypeId - // emits the type hash prefix at offset -6, which makes X86::TRAP the - // only possible target in this instruction sequence. - EmitAndCountInstruction(MCInstBuilder(X86::CMP32mi) - .addReg(MI.getOperand(0).getReg()) - .addImm(1) - .addReg(X86::NoRegister) - .addImm(-6) - .addReg(X86::NoRegister) - .addImm(MI.getOperand(1).getImm())); + const Function &F = MF->getFunction(); + unsigned Imm = MI.getOperand(1).getImm(); + unsigned Num = 0; + + if (F.hasFnAttribute("patchable-function-prefix")) { + if (F.getFnAttribute("patchable-function-prefix") + .getValueAsString() + .getAsInteger(10, Num)) + Num = 0; + } + + // movl $(~0x12345678), %r10d + EmitAndCountInstruction(MCInstBuilder(X86::MOV32ri) + .addReg(X86::R10D) // dst + .addImm(~Imm)); + + // negl %r10d + EmitAndCountInstruction(MCInstBuilder(X86::NEG32r) + .addReg(X86::R10D) // dst + .addReg(X86::R10D) // src + ); + + // cmpl %r10d, -off(%r11) + EmitAndCountInstruction(MCInstBuilder(X86::CMP32mr) + .addReg(MI.getOperand(0).getReg()) // base + .addImm(0) // scale + .addReg(0) // index + .addImm(-(Num+4)) // offset + .addReg(0) // segment + .addReg(X86::R10D) // reg + ); MCSymbol *Pass = OutContext.createTempSymbol(); EmitAndCountInstruction(
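Review bot: on the SanitizerArgs.cpp hunk, dropping this driver diagnostic leaves `-fsanitize=kcfi` combined with `-fpatchable-function-entry=N,M` (M > 0) accepted with no replacement check anywhere in the front end, so the correctness of that combination now rests entirely on the backend reading the `"patchable-function-prefix"` attribute in `LowerKCFI_CHECK`. The removed comment was also the only place that documented why M > 0 used to be rejected (the nops that `llvm::AsmPrinter::emitFunctionHeader` injects around the KCFI type identifier); that explanation should move to `emitKCFITypeId` or `LowerKCFI_CHECK` rather than disappear, and any driver test that still expects `err_drv_argument_not_allowed_with` for this flag pair needs updating in the same patch.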
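Review bot: on the X86AsmPrinter.cpp hunk, with the four `int3` bytes gone the 32-bit hash becomes the last four bytes before the function entry (offset -4, or -(M+4) once patchable-function-prefix nops follow it), and nothing in `emitKCFITypeId` states that invariant even though `LowerKCFI_CHECK` now hard-codes `-(Num+4)` against it. Add a comment here saying the `movl` must remain the last instruction emitted before the prefix nops and the entry label, and why the padding could go (the check sequence no longer carries the hash as a literal immediate, so the `-6` trick against call-target gadgets is unnecessary); the deleted comment about offset -6 was the only explanation of that gadget concern, and a reader of the new code cannot see why the hash may now sit at -4.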
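Review bot: on the X86MCInstLower.cpp hunk, the arithmetic of the new sequence is off by one: `movl $~Imm, %r10d` followed by `negl %r10d` leaves `-(~Imm)` in `%r10d`, which in two's complement is `Imm + 1`, not `Imm`, while `emitKCFITypeId` still stores the unmodified `Type->getZExtValue()`, so the `cmpl` can never match. Either use `X86::NOT32r` in place of `X86::NEG32r`, or emit `-Imm` and fold the compare into an `addl -(Num+4)(%reg), %r10d` that tests for zero. Two smaller issues on the same lines: `Num` is `unsigned`, so `-(Num+4)` wraps to `2^32 - (Num+4)` before `addImm` widens it to `int64_t`, which prints as a huge positive displacement in asm output and only comes out as -4 in machine code because the encoder truncates it to 32 bits (at the cost of a disp32 instead of the disp8 the old `-6` got); make `Num` an `int` or cast before negating. The memory operand also passes `0` for the scale where the replaced `CMP32mi` passed `1`; keep `1` to match the rest of the X86 backend. Finally, the sequence now clobbers `%r10d`, which the old immediate compare did not, so the `KCFI_CHECK` pseudo must declare `R10` as a def; that definition is not part of this patch and should be confirmed, and the `-off(%r11)` comment should name the base register generically since it is whatever `MI.getOperand(0)` holds.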