Re: [tip: x86/bugs] x86/retpoline: Ensure default return thunk isn't used at runtime

From: Nikolay Borisov
Date: Thu Feb 15 2024 - 03:30:46 EST

Next message: Arnd Bergmann: "[PATCH] [v2] kallsyms: ignore ARMv4 thunks along with others"
Previous message: Ard Biesheuvel: "Re: [PATCH v8 07/15] x86: Secure Launch kernel early boot stub"
In reply to: Nathan Chancellor: "Re: [tip: x86/bugs] x86/retpoline: Ensure default return thunk isn't used at runtime"
Next in thread: Borislav Petkov: "Re: [tip: x86/bugs] x86/retpoline: Ensure default return thunk isn't used at runtime"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 15.02.24 г. 5:20 ч., Nathan Chancellor wrote:

On Mon, Feb 12, 2024 at 02:13:39PM -0000, tip-bot2 for Josh Poimboeuf wrote:

The following commit has been merged into the x86/bugs branch of tip:

Commit-ID: 4461438a8405e800f90e0e40409e5f3d07eed381
Gitweb: https://git.kernel.org/tip/4461438a8405e800f90e0e40409e5f3d07eed381
Author: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
AuthorDate: Wed, 03 Jan 2024 19:36:26 +01:00
Committer: Borislav Petkov (AMD) <bp@xxxxxxxxx>
CommitterDate: Mon, 12 Feb 2024 11:42:15 +01:00

x86/retpoline: Ensure default return thunk isn't used at runtime

Make sure the default return thunk is not used after all return
instructions have been patched by the alternatives because the default
return thunk is insufficient when it comes to mitigating Retbleed or
SRSO.

Fix based on an earlier version by David Kaplan <david.kaplan@xxxxxxx>.

[ bp: Fix the compilation error of warn_thunk_thunk being an invisible
symbol, hoist thunk macro into calling.h ]

Signed-off-by: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
Co-developed-by: Borislav Petkov (AMD) <bp@xxxxxxxxx>
Signed-off-by: Borislav Petkov (AMD) <bp@xxxxxxxxx>
Link: https://lore.kernel.org/r/20231010171020.462211-4-david.kaplan@xxxxxxx
Link: https://lore.kernel.org/r/20240104132446.GEZZaxnrIgIyat0pqf@fat_crate.local

This warning is now getting triggered for me in some of my builds,
specifically from Alpine Linux's configuration. A minimal reproducer on
top of defconfig:

$ echo 'CONFIG_X86_KERNEL_IBT=n
CONFIG_UNWINDER_ORC=n
CONFIG_UNWINDER_FRAME_POINTER=y' >arch/x86/configs/repro.config

I was able to reproduce this and it seems to go away if KERNEL_IBT=y. When looking at the disassembly of do_one_initcall it seems the 2 return sites are not patched at all, I see:

0xffffffff81001284 <+84>: call 0xffffffff81f2d000 <__x86_indirect_thunk_array+96>

0xffffffff810012e7 <+183>: jmp 0xffffffff81f2d760 <__x86_return_thunk>

The former should be rewritten to an indirect call as per patch_retpoline and the latter should be rewritten altogether. I wonder if objtool ignores the function for some reason ...

Next message: Arnd Bergmann: "[PATCH] [v2] kallsyms: ignore ARMv4 thunks along with others"
Previous message: Ard Biesheuvel: "Re: [PATCH v8 07/15] x86: Secure Launch kernel early boot stub"
In reply to: Nathan Chancellor: "Re: [tip: x86/bugs] x86/retpoline: Ensure default return thunk isn't used at runtime"
Next in thread: Borislav Petkov: "Re: [tip: x86/bugs] x86/retpoline: Ensure default return thunk isn't used at runtime"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]