Received: by 2002:a05:6358:489b:b0:bb:da1:e618 with SMTP id x27csp622898rwn;
        Thu, 8 Sep 2022 06:40:33 -0700 (PDT)
X-Google-Smtp-Source: AA6agR6zsl/uegtMZ0oaVa5WDwLKGmIPJgx3CtbPUsZPWYzEqxuICJlcvpb04ma8GSYghyF14UPh
X-Received: by 2002:a17:907:1690:b0:770:80d4:ec4c with SMTP id hc16-20020a170907169000b0077080d4ec4cmr5422774ejc.690.1662644433500;
        Thu, 08 Sep 2022 06:40:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1662644433; cv=none;
        d=google.com; s=arc-20160816;
        b=j68Zhh97mSCmoWCualtXFlmx2KZOm1tgsWQlL78uPmTKMK/PD70v9RBiB4mOZNLBPN
         AT012wsKTT0p9Na9uPt5L3JNglhIoPPomL66JZVqJLmJf6AuR9Tt0mlmxkLLP2jL1PGY
         Hb/Bpd71tgB1SEfIsQQyuVya3+KNZt1aXahaZxJfJ8cPlaHAQzDcBOucSIKNQ/qfTaFJ
         KiRhdwTTnUknlhYsGve2o35mqGldNPNOkOcMsDi9/TOlzIQ2Bc8kX+12wdawQdfjEh3x
         XWYNobM85oWDY5ZtvS/iKJ3ddw8OZZ4nEs09OYXG1H/shIAiAW9N5EzASMTkNqsefbpc
         iCKA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=kAcjTQLrVORv6vqoPmiuQStCWhQhIlmz5ADn1dSH9RQ=;
        b=Tdqxjytcdyc75TNUEsBo5UOu60AHYwXLk+FsZZcVmRYO2WctqYejAwdDJFJzUlU5wF
         DCn0k3sZ+/u6OgmZG4SUAi0WlK8ywq/7o2mXXktqwVvkXsvOAOuZxnyNbPulxi/iQZKB
         HuGpuxKQQJnJ5MrKvAdbLunIUe7/Layi8015tho3raE1ipDqdsHfOIoWmBHWZ2OXO55A
         n19Rbhc0vQLO7f2L6D7CgBwIp7XhVHuNqnsplAXmGxHAPiXsCxaLM26voW8VgotqaTG/
         sqBaxIOmFO0EMuBr5lCDGlLNTTRys43ewKzOumX5KzUZx4gJEonD4JFDEvIMZp6I3kWU
         vL4Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=HkIQkhRp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id t32-20020a056402242000b0044e723e8ca9si9805030eda.183.2022.09.08.06.40.08;
        Thu, 08 Sep 2022 06:40:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=HkIQkhRp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232095AbiIHNED (ORCPT
        <rfc822;andriy.druk.mailinglists@gmail.com> + 99 others);
        Thu, 8 Sep 2022 09:04:03 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49586 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232091AbiIHNEB (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 8 Sep 2022 09:04:01 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 45FA3D742E;
        Thu,  8 Sep 2022 06:04:00 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id CBDD061CEF;
        Thu,  8 Sep 2022 13:03:59 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 48AD2C433C1;
        Thu,  8 Sep 2022 13:03:57 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1662642239;
        bh=RNPjRQkS198xJIWi4rthy4+btO4cb14a8DHt8yLQeOk=;
        h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
        b=HkIQkhRp+uXeTKAVt9NNLs5t9OV4esVfbKzJNlULRmMDLGxyLqSbZNwWkJlLEZKcA
         eUix5rXrct29WRPNkT2wUqQc5degImAuLGEj/N/FkfSF/mhI2cDsopSHsaArdl7LAj
         pzJ/Pd7iWhHytZT0sQC8DBs9PX+m7HZANlZKyZ3xKOZKq4S9jujXYbnS4LPkvlnhob
         2l++v803TJf30cBhkTBVnOMMA6ILnE3TfjkNv84y9+hheWN9GZJsVSYNptFSpiLLwx
         bQIOHEVun+SOCKQ4NPYbnNXzyt60by1rPGNI+a7Hq+X48aEowfprAniVoRm4lSZhXM
         RMnZsUfscoE+w==
Date:   Thu, 8 Sep 2022 22:03:54 +0900
From:   Masami Hiramatsu (Google) <mhiramat@kernel.org>
To:     Josh Poimboeuf <jpoimboe@kernel.org>
Cc:     Steven Rostedt <rostedt@goodmis.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Ingo Molnar <mingo@kernel.org>,
        Suleiman Souhlal <suleiman@google.com>,
        bpf <bpf@vger.kernel.org>, linux-kernel@vger.kernel.org,
        Borislav Petkov <bp@suse.de>, x86@kernel.org
Subject: Re: [PATCH v2 1/2] x86/kprobes: Fix kprobes instruction boudary
 check with CONFIG_RETHUNK
Message-Id: <20220908220354.28c196c8bbe4e83c83afcb59@kernel.org>
In-Reply-To: <20220908050855.w77mimzznrlp6pwe@treble>
References: <166260087224.759381.4170102827490658262.stgit@devnote2>
        <166260088298.759381.11727280480035568118.stgit@devnote2>
        <20220908050855.w77mimzznrlp6pwe@treble>
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-10.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,
        RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 7 Sep 2022 22:08:55 -0700
Josh Poimboeuf <jpoimboe@kernel.org> wrote:

> On Thu, Sep 08, 2022 at 10:34:43AM +0900, Masami Hiramatsu (Google) wrote:
> > From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
> > 
> > Since the CONFIG_RETHUNK and CONFIG_SLS will use INT3 for stopping
> > speculative execution after RET instruction, kprobes always failes to
> > check the probed instruction boundary by decoding the function body if
> > the probed address is after such sequence. (Note that some conditional
> > code blocks will be placed after function return, if compiler decides
> > it is not on the hot path.)
> > 
> > This is because kprobes expects someone (e.g. kgdb) puts the INT3 as
> > a software breakpoint and it will replace the original instruction.
> > But these INT3 are not such purpose, it doesn't need to recover the
> > original instruction.
> > 
> > To avoid this issue, memorize the branch target address during decoding
> > and if there is INT3, restart decoding from unchecked target address.
> 
> Hm, is kprobes conflicting with kgdb actually a realistic concern?
> Seems like a dangerous combination

I'm actually not sure, I don't recommend it. But it is safe just having
fail-safe.

> 
> Either way, this feels overengineered.  Sort of like implementing
> objtool in the kernel.
> 
> And it's incomplete: for a switch statement jump table (or C goto jump
> table like in BPF), you can't detect the potential targets of the
> indirect branch.

In that case, it just fails to detect instruction boundary (and anyway
optprobe just stops optimization if it finds the indirect jump). So it
is still fail safe.

> 
> Wouldn't it be much simpler to just encode the knowledge that
> 
>   	if (CONFIG_RETHUNK && !X86_FEATURE_RETHUNK)
> 		// all rets are followed by four INT3s
> 	else if (CONFIG_SLS)
> 		// all rets are followed by one INT3

Maybe we should just ask kgdb if it is using breakpoint on that
function, and if so, just reject kprobe on it. Then, all INT3
can be just skipped. That may be more realistic solution.

Thank you, 

-- 
Masami Hiramatsu (Google) <mhiramat@kernel.org>