Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp1624592rwd;
        Thu, 15 Jun 2023 13:11:57 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ4nTlr6vH3C8+46LSrVzCMbXot0XGU7Az4S8TFcANHE9Urzd8PyPcXzgoSPju3jq60KTmMn
X-Received: by 2002:a17:907:a45:b0:96f:678:d2fc with SMTP id be5-20020a1709070a4500b0096f0678d2fcmr70835ejc.22.1686859917611;
        Thu, 15 Jun 2023 13:11:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1686859917; cv=none;
        d=google.com; s=arc-20160816;
        b=JWTYAPMCxg2rUJKYDdE0IT3MjYcfTEzEzYfyP8ulNLshdyGSrpaRFo5SszxpTc8m7Q
         j1EgcrdE3R8M9LdLxuV7VGaN5q8t6/kVYfQI590udG+O2/plxtPbQqtJlkR/reF4quyi
         iv16l1sD42JzwXOMxzp9xWmgC2gjlCdJJ+oZN5Oi/Uk0j0vzCmDU40IwR5irVYHhNWdl
         mPB3me8UMGkuWe5bFypvTC83kmFCDc76ihPxgR6mAjD3jlYwhrwncK9H+CJHYYnrvGZ4
         2wZruKC3/7pMBUBzf4vYGaC1oabzZTUL9qRP6juQsk/jIEM2LbDl3IicosNh/UA4PDDL
         iWig==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:references:subject:cc:to:from:date
         :user-agent:message-id:dkim-signature;
        bh=5QR/G+Po7KVXkZ8pw8MI2J3h+jcGvJpJMtnZs0VY6Uw=;
        b=OdlXaxw2M2SHx6nuyW/Q4pltjWl1CfFD302PXI+HgwjLz6fTRFj0uSm158W37wlPIv
         f22IwQQZMTvMtP93nlBOYxCVgh+ABSy0NnDDehjsktxI7AjLlhVurqR9jNEO755aQXa3
         UptdSpIf+gkF3aOKK8W/SmGd40oZjFMpWif8my0I9vmIvpitky3x97/bPPiP33Bs+XKw
         tPioxy/U40v/dV2edFYuwYX06wHJc60yQgacZJz55WVkwsccQ9BhQTxUkbXyP46ALyAT
         BilK36LjfIOo6VKf8/JLgFundw1DfWdvTMRslOY+rQLLk8Kk+aYa6Osabx4Tv2P9U0Se
         nJbQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@infradead.org header.s=desiato.20200630 header.b=VH+MQ2ph;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id lf15-20020a170907174f00b00977d7890b81si6024783ejc.483.2023.06.15.13.11.33;
        Thu, 15 Jun 2023 13:11:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@infradead.org header.s=desiato.20200630 header.b=VH+MQ2ph;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231713AbjFOTku (ORCPT <rfc822;ahmad.hassan612@gmail.com>
        + 99 others); Thu, 15 Jun 2023 15:40:50 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56826 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229572AbjFOTkn (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 15 Jun 2023 15:40:43 -0400
Received: from desiato.infradead.org (desiato.infradead.org [IPv6:2001:8b0:10b:1:d65d:64ff:fe57:4e05])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0724B2953
        for <linux-kernel@vger.kernel.org>; Thu, 15 Jun 2023 12:40:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=infradead.org; s=desiato.20200630; h=Content-Type:MIME-Version:References:
        Subject:Cc:To:From:Date:Message-ID:Sender:Reply-To:Content-Transfer-Encoding:
        Content-ID:Content-Description:In-Reply-To;
        bh=5QR/G+Po7KVXkZ8pw8MI2J3h+jcGvJpJMtnZs0VY6Uw=; b=VH+MQ2phJAjRHH/4i2FQnrxJXJ
        Of7AucP+aR7hJKYULJXBW0cOEdrBvHqOiYedgFVW3NEmFTRF6gYU/6Z4VXDhaSEHsV9Oxop2SBzZa
        Txm9EE9XsckO/OjI7qy0ID7RJnAVBWX4dQEWjbxuaoKvngR39LRNmBIGV8vK+ISJtY0/dfrqoxFWI
        ZOjeicpPcAjtcdc9s5AS46W7bjzGwDmnD/8y93CdPyQi4EzgDPRy37QR9CIbR7XshqofHeqZzq/4U
        iosEOH2iSmO1XhZ1YTF8iamxZyFGPJo9rvgzJlwMD0VqkLvIZwZkrNpzOUZb2y8n5+IQWEG6z25VH
        aqWvcIwg==;
Received: from j130084.upc-j.chello.nl ([24.132.130.84] helo=noisy.programming.kicks-ass.net)
        by desiato.infradead.org with esmtpsa (Exim 4.96 #2 (Red Hat Linux))
        id 1q9spY-00BtUU-1s;
        Thu, 15 Jun 2023 19:40:29 +0000
Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
        (Client did not present a certificate)
        by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id 14AA73003E1;
        Thu, 15 Jun 2023 21:40:27 +0200 (CEST)
Received: by hirez.programming.kicks-ass.net (Postfix, from userid 0)
        id EC6C52461D7D2; Thu, 15 Jun 2023 21:40:26 +0200 (CEST)
Message-ID: <20230615193722.194131053@infradead.org>
User-Agent: quilt/0.66
Date:   Thu, 15 Jun 2023 21:35:48 +0200
From:   Peter Zijlstra <peterz@infradead.org>
To:     x86@kernel.org, alyssa.milburn@linux.intel.com
Cc:     linux-kernel@vger.kernel.org, peterz@infradead.org,
        samitolvanen@google.com, keescook@chromium.org,
        jpoimboe@kernel.org, joao@overdrivepizza.com,
        tim.c.chen@linux.intel.com
Subject: [PATCH 2/2] x86/fineibt: Poison ENDBR at +0
References: <20230615193546.949657149@infradead.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
        SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Alyssa noticed that when building the kernel with CFI_CLANG+IBT and
booting on IBT enabled hardware obtain FineIBT, the indirect functions
look like:

  __cfi_foo:
	endbr64
	subl	$hash, %r10d
	jz	1f
	ud2
	nop
  1:
  foo:
	endbr64

This is because clang currently does not supress ENDBR emission for
functions it provides a __cfi prologue symbol for.

Having this second ENDBR however makes it possible to elide the CFI
check. Therefore, we should poison this second ENDBR (if present) when
switching to FineIBT mode.

Fixes: 931ab63664f0 ("x86/ibt: Implement FineIBT")
Reported-by: "Milburn, Alyssa" <alyssa.milburn@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
---
 arch/x86/kernel/alternative.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -940,6 +940,17 @@ static int cfi_rewrite_preamble(s32 *sta
 	return 0;
 }
 
+static void cfi_rewrite_endbr(s32 *start, s32 *end)
+{
+	s32 *s;
+
+	for (s = start; s < end; s++) {
+		void *addr = (void *)s + *s;
+
+		poison_endbr(addr+16, false);
+	}
+}
+
 /* .retpoline_sites */
 static int cfi_rand_callers(s32 *start, s32 *end)
 {
@@ -1034,14 +1045,19 @@ static void __apply_fineibt(s32 *start_r
 		return;
 
 	case CFI_FINEIBT:
+		/* place the FineIBT preamble at func()-16 */
 		ret = cfi_rewrite_preamble(start_cfi, end_cfi);
 		if (ret)
 			goto err;
 
+		/* rewrite the callers to target func()-16 */
 		ret = cfi_rewrite_callers(start_retpoline, end_retpoline);
 		if (ret)
 			goto err;
 
+		/* now that nobody targets func()+0, remove ENDBR there */
+		cfi_rewrite_endbr(start_cfi, end_cfi);
+
 		if (builtin)
 			pr_info("Using FineIBT CFI\n");
 		return;