Re: [RFC][PATCH 3/6] x86: Add ENDBR to IRET-to-Self

From: Kees Cook
Date: Tue Feb 08 2022 - 18:33:50 EST

Next message: Andrii Nakryiko: "Re: [PATCH 3/8] bpf: Add bpf_cookie support to fprobe"
Previous message: Eugene Shalygin: "Re: [PATCH] hwmon: (asus-ec-sensors) add CPU core voltage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Nov 22, 2021 at 07:09:47PM +0100, Peter Zijlstra wrote:
> On Mon, Nov 22, 2021 at 06:03:04PM +0100, Peter Zijlstra wrote:
> > The IRET-to-Self chunks trigger forward code references without ENDBR,
> > fix that.
>
> Andy corrected me, IRET doesn't take ENBR, the alternative is the below.

Okay, good. I was scratching my head for a second there. :)

-Kees

>
> ---
> --- a/arch/x86/entry/entry_64.S
> +++ b/arch/x86/entry/entry_64.S
> @@ -1316,7 +1316,6 @@ SYM_CODE_START(asm_exc_nmi)
> iretq /* continues at repeat_nmi below */
> UNWIND_HINT_IRET_REGS entry=0
> 1:
> - ENDBR
> #endif
>
> repeat_nmi:
> --- a/arch/x86/include/asm/sync_core.h
> +++ b/arch/x86/include/asm/sync_core.h
> @@ -6,7 +6,6 @@
> #include <asm/processor.h>
> #include <asm/cpufeature.h>
> #include <asm/special_insns.h>
> -#include <asm/ibt.h>
>
> #ifdef CONFIG_X86_32
> static inline void iret_to_self(void)
> @@ -35,7 +34,6 @@ static inline void iret_to_self(void)
> "pushq $1f\n\t"
> "iretq\n\t"
> "1:"
> - ASM_ENDBR
> : "=&r" (tmp), ASM_CALL_CONSTRAINT : : "cc", "memory");
> }
> #endif /* CONFIG_X86_32 */
> --- a/tools/objtool/arch/x86/decode.c
> +++ b/tools/objtool/arch/x86/decode.c
> @@ -598,6 +598,7 @@ int arch_decode_instruction(struct objto
> op->dest.type = OP_DEST_REG;
> op->dest.reg = CFI_SP;
> }
> + *type = INSN_IRET;
> break;
> }
>
> --- a/tools/objtool/check.c
> +++ b/tools/objtool/check.c
> @@ -3587,7 +3587,7 @@ static int validate_ibt_reloc(struct obj
> static void validate_ibt_insn(struct objtool_file *file, struct instruction *insn)
> {
> struct reloc *reloc = insn_reloc(file, insn);
> - struct instruction *target;
> + struct instruction *target, *n;
> unsigned long offset;
>
> if (!reloc)
> @@ -3599,8 +3599,16 @@ static void validate_ibt_insn(struct obj
> offset = reloc->sym->offset + reloc->addend;
>
> target = find_insn(file, reloc->sym->sec, offset);
> - if (target && insn->func == target->func && target->this_ip)
> - return;
> + if (target && insn->func == target->func) {
> + if (target->this_ip)
> + return;
> +
> + for (n = insn; n->offset <= target->offset;
> + n = next_insn_same_func(file, n)) {
> + if (n->type == INSN_IRET)
> + return;
> + }
> + }
>
> WARN_FUNC("relocation to !ENDBR: %s+0x%lx",
> insn->sec, insn->offset,
> --- a/tools/objtool/include/objtool/arch.h
> +++ b/tools/objtool/include/objtool/arch.h
> @@ -27,6 +27,7 @@ enum insn_type {
> INSN_STD,
> INSN_CLD,
> INSN_ENDBR,
> + INSN_IRET,
> INSN_OTHER,
> };
>

--
Kees Cook

Next message: Andrii Nakryiko: "Re: [PATCH 3/8] bpf: Add bpf_cookie support to fprobe"
Previous message: Eugene Shalygin: "Re: [PATCH] hwmon: (asus-ec-sensors) add CPU core voltage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]