Re: [PATCH] static_call,x86: Robustify trampoline patching
From: Peter Zijlstra
Date: Tue Nov 02 2021 - 14:17:40 EST
On Tue, Nov 02, 2021 at 07:14:25PM +0100, Peter Zijlstra wrote:
> On Tue, Nov 02, 2021 at 06:44:56PM +0100, Ard Biesheuvel wrote:
> > On Tue, 2 Nov 2021 at 16:15, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
> > >
> > > On Tue, Nov 02, 2021 at 01:57:44PM +0100, Peter Zijlstra wrote:
> > >
> > > > So how insane is something like this, have each function:
> > > >
> > > > foo.cfi:
> > > > endbr64
> > > > xorl $0xdeadbeef, %r10d
> > > > jz foo
> > > > ud2
> > > > nop # make it 16 bytes
> > > > foo:
> > > > # actual function text goes here
> > > >
> > > >
> > > > And for each hash have two thunks:
> > > >
> > > >
> > > > # arg: r11
> > > > # clobbers: r10, r11
> > > > __x86_indirect_cfi_deadbeef:
> > > > movl -9(%r11), %r10 # immediate in foo.cfi
> > > > xorl $0xdeadbeef, %r10 # our immediate
> > > > jz 1f
> > > > ud2
> > > > 1: ALTERNATIVE_2 "jmp *%r11",
> > > > "jmp __x86_indirect_thunk_r11", X86_FEATURE_RETPOLINE
> > > > "lfence; jmp *%r11", X86_FEATURE_RETPOLINE_AMD
> > > >
> >
> > So are these supposed to go into the jump tables? If so, there still
> > needs to be a check against the boundary of the table at the call
> > site, to ensure that we are not calling something that we shouldn't.
> >
> > If they are not going into the jump tables, I don't see the point of
> > having them, as only happy flow/uncomprised code would bother to use
> > them.
>
> I don't understand. If you can scribble your own code, you can
> circumvent pretty much any range check anyway. But if you can't scribble
> your own code, you get to use the branch here and that checks the
> callsite and callee signature.
>
> The range check isn't fundamental to CFI, having a check is the
> important thing AFAIU.
That is, how is a jump-table/range-check better than a hash-value match
check?