Re: [PATCH v15 13/25] x86/reboot: Add ljmp instructions to stacktool whitelist

From: Josh Poimboeuf <jpoimboe@redhat.com>
To: Borislav Petkov <bp@alien8.de>
Cc: Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
	x86@kernel.org, linux-kernel@vger.kernel.org,
	live-patching@vger.kernel.org, Michal Marek <mmarek@suse.cz>,
	Peter Zijlstra <peterz@infradead.org>,
	Andy Lutomirski <luto@kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Andi Kleen <andi@firstfloor.org>, Pedro Alves <palves@redhat.com>,
	Namhyung Kim <namhyung@gmail.com>,
	Bernd Petrovitsch <bernd@petrovitsch.priv.at>,
	Chris J Arges <chris.j.arges@canonical.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Jiri Slaby <jslaby@suse.cz>,
	Arnaldo Carvalho de Melo <acme@kernel.org>
Subject: Re: [PATCH v15 13/25] x86/reboot: Add ljmp instructions to stacktool whitelist
Date: Tue, 12 Jan 2016 12:56:06 -0600	[thread overview]
Message-ID: <20160112185606.GF310@treble.redhat.com> (raw)
In-Reply-To: <20160112175540.GI30558@pd.tnic>

On Tue, Jan 12, 2016 at 06:55:40PM +0100, Borislav Petkov wrote:
> On Tue, Jan 12, 2016 at 11:43:01AM -0600, Josh Poimboeuf wrote:
> > Well, these STACKTOOL_IGNORE whitelist markers are only needed in a
> > handful of places, and only for code that does very weird things.  Yes,
> > they're a bit ugly, but IMO they also communicate valuable information:
> > "be careful, this code does something very weird."
> 
> Weird for whom?

Well, for example, here are the 3 places in the code where I needed to
use STACKTOOL_IGNORE:

- machine_real_restart() does an "ljmp" (far jump) into real mode and
  never returns

- xen_setup_gdt() does an "lret" (far return)

- xen_cpuid() inserts some fake xen-specific (non-x86) asm instructions

I'd say those are all weird things that C code should _normally_ not do
(especially emitting fake instructions!).  But yet they should be
allowed for those specific rare cases where we can manually verify that
they won't cause problems.

> > As for whether to put the whitelist info in the code vs hard-coding it
> > in stacktool, I think it's clearer and less "magical" to put them
> > directly in the code.
> 
> I don't think so. All that unnecessary clutter just gets in the way
> of actually writing code. Sure, those tools are all good and nice but
> again, they should *not* have to touch the code. We want people to
> concentrate on writing code, not paying attention to gazillion tools
> breaking from their changes.

Generally I agree (but I don't know what other tools you're talking
about which require adding clutter).  We don't want the tools to get in
the way.

I've tried *very* hard to make stacktool as unobtrusive as possible.
And I think I've done a good job at it.  As I said there's hopefully
only a handful of code locations which need the STACKTOOL_IGNORE stuff.

> > It's also more resilient to future code changes, e.g. if the offending
> > instruction gets moved or if the function gets renamed.
> 
> So make your tool parse vmlinux properly.
> 
> > And it gives you the ability to more granularly whitelist instructions
> > rather than entire functions, which could cause other offending stack
> > violations in the function to get overlooked.
> 
> No no no, the moment you have to *whitelist* something is already wrong.
> Normal kernel code shouldn't have to whitelist anything - the tools
> should strive to be smart, instead.

The tool *does* strive to be smart.  It disassembles every instruction
in both C and asm object files, follows every code path, understands the
"alternatives" hot-patching stuff, jump tables, exception tables, gcc
switch tables, tail function calls, etc, etc, etc.  That's why we're now
at v15 :-)

Taking a hard line of "no whitelists" is just not very realistic when
you take into account some of the special cases in the kernel.  For
example, how can it possibly grok a fake xen instruction without some
kind of a whitelist, either hard-coded in the tool or annotated some
other way?

If you know of some other way to avoid all false positives without
having to whitelist them, then I'm all for it.

> > Another thing is that stacktool could be a nice general purpose tool for
> > finding stack issues in other code bases, and so I think requiring it to
> > have hard-coded knowledge about the code base would greatly limit its
> > general usefulness.  (Though maybe this problem could be remediated with
> > a user-provided whitelist file which lists functions to be ignored.)
> 
> I can use the same argument for me: all those other code bases would
> need annotating too.

Maybe so, although the kernel is more "special" than most code bases and
is thus more likely to need annotations.  But again, we really try to
keep the annotations to a minimum.  The tradeoff is worth it IMO.

> Again, the onus should always be on the tool to do the right thing.
> If it cannot, it should not say anything.

Saying nothing at all in order to prevent false positives would also by
definition allow some false negatives, which would make stacktool
useless for its intended purpose of enabling reliable stack traces.

-- 
Josh