Re: [RFC][PATCH 6/6] objtool: Add IBT validation / fixups

From: Sami Tolvanen
Date: Wed Jun 08 2022 - 20:06:47 EST

Next message: Ian Rogers: "Re: [PATCH 2/4] perf: Align user space counter reading with code"
Previous message: Namhyung Kim: "Re: [PATCH 4/5] perf x86 evlist: Add default hybrid events for perf stat"
In reply to: Fāng-ruì Sòng: "Re: [RFC][PATCH 6/6] objtool: Add IBT validation / fixups"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jun 8, 2022 at 10:53 AM Fāng-ruì Sòng <maskray@xxxxxxxxxx> wrote:
>
> Hi Peter,
>
> On Tue, Mar 1, 2022 at 7:06 PM Peter Collingbourne <pcc@xxxxxxxxxx> wrote:
> >
> > Hi Peter,
> > One issue with this call sequence is that:
> >
> > On Fri, Feb 11, 2022 at 02:38:03PM +0100, Peter Zijlstra wrote:
> > > caller:
> > > cmpl $0xdeadbeef, -0x4(%rax) # 7 bytes
> >
> > Because this instruction ends in the constant 0xdeadbeef, it may
> > be used as a "gadget" that would effectively allow branching to an
> > arbitrary address in %rax if the attacker can arrange to set ZF=1.
>
> Do you mind elaborating how this instruction can be used as a gadget?
> How does it look like?

With the offset of -4, the je instruction here can be an indirect call
target because it's preceded by a valid type hash at the end of the
cmpl instruction. If we change the offset to -6, only the ud2
instruction is a potential call target in this sequence, which will be
less useful to an attacker.

> The information will be useful to the summary of Sami's KCFI LLVM
> patch: https://reviews.llvm.org/D119296

I'll add more information about the X86 preamble to the description.

Sami

Next message: Ian Rogers: "Re: [PATCH 2/4] perf: Align user space counter reading with code"
Previous message: Namhyung Kim: "Re: [PATCH 4/5] perf x86 evlist: Add default hybrid events for perf stat"
In reply to: Fāng-ruì Sòng: "Re: [RFC][PATCH 6/6] objtool: Add IBT validation / fixups"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]