From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1763450AbcALS4L (ORCPT ); Tue, 12 Jan 2016 13:56:11 -0500 Received: from mx1.redhat.com ([209.132.183.28]:57642 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1763409AbcALS4J (ORCPT ); Tue, 12 Jan 2016 13:56:09 -0500 Date: Tue, 12 Jan 2016 12:56:06 -0600 From: Josh Poimboeuf To: Borislav Petkov Cc: Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , x86@kernel.org, linux-kernel@vger.kernel.org, live-patching@vger.kernel.org, Michal Marek , Peter Zijlstra , Andy Lutomirski , Linus Torvalds , Andi Kleen , Pedro Alves , Namhyung Kim , Bernd Petrovitsch , Chris J Arges , Andrew Morton , Jiri Slaby , Arnaldo Carvalho de Melo Subject: Re: [PATCH v15 13/25] x86/reboot: Add ljmp instructions to stacktool whitelist Message-ID: <20160112185606.GF310@treble.redhat.com> References: <20160112164711.GD22699@pd.tnic> <20160112174301.GD310@treble.redhat.com> <20160112175540.GI30558@pd.tnic> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20160112175540.GI30558@pd.tnic> User-Agent: Mutt/1.5.23.1-rc1 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 12, 2016 at 06:55:40PM +0100, Borislav Petkov wrote: > On Tue, Jan 12, 2016 at 11:43:01AM -0600, Josh Poimboeuf wrote: > > Well, these STACKTOOL_IGNORE whitelist markers are only needed in a > > handful of places, and only for code that does very weird things. Yes, > > they're a bit ugly, but IMO they also communicate valuable information: > > "be careful, this code does something very weird." > > Weird for whom? Well, for example, here are the 3 places in the code where I needed to use STACKTOOL_IGNORE: - machine_real_restart() does an "ljmp" (far jump) into real mode and never returns - xen_setup_gdt() does an "lret" (far return) - xen_cpuid() inserts some fake xen-specific (non-x86) asm instructions I'd say those are all weird things that C code should _normally_ not do (especially emitting fake instructions!). But yet they should be allowed for those specific rare cases where we can manually verify that they won't cause problems. > > As for whether to put the whitelist info in the code vs hard-coding it > > in stacktool, I think it's clearer and less "magical" to put them > > directly in the code. > > I don't think so. All that unnecessary clutter just gets in the way > of actually writing code. Sure, those tools are all good and nice but > again, they should *not* have to touch the code. We want people to > concentrate on writing code, not paying attention to gazillion tools > breaking from their changes. Generally I agree (but I don't know what other tools you're talking about which require adding clutter). We don't want the tools to get in the way. I've tried *very* hard to make stacktool as unobtrusive as possible. And I think I've done a good job at it. As I said there's hopefully only a handful of code locations which need the STACKTOOL_IGNORE stuff. > > It's also more resilient to future code changes, e.g. if the offending > > instruction gets moved or if the function gets renamed. > > So make your tool parse vmlinux properly. > > > And it gives you the ability to more granularly whitelist instructions > > rather than entire functions, which could cause other offending stack > > violations in the function to get overlooked. > > No no no, the moment you have to *whitelist* something is already wrong. > Normal kernel code shouldn't have to whitelist anything - the tools > should strive to be smart, instead. The tool *does* strive to be smart. It disassembles every instruction in both C and asm object files, follows every code path, understands the "alternatives" hot-patching stuff, jump tables, exception tables, gcc switch tables, tail function calls, etc, etc, etc. That's why we're now at v15 :-) Taking a hard line of "no whitelists" is just not very realistic when you take into account some of the special cases in the kernel. For example, how can it possibly grok a fake xen instruction without some kind of a whitelist, either hard-coded in the tool or annotated some other way? If you know of some other way to avoid all false positives without having to whitelist them, then I'm all for it. > > Another thing is that stacktool could be a nice general purpose tool for > > finding stack issues in other code bases, and so I think requiring it to > > have hard-coded knowledge about the code base would greatly limit its > > general usefulness. (Though maybe this problem could be remediated with > > a user-provided whitelist file which lists functions to be ignored.) > > I can use the same argument for me: all those other code bases would > need annotating too. Maybe so, although the kernel is more "special" than most code bases and is thus more likely to need annotations. But again, we really try to keep the annotations to a minimum. The tradeoff is worth it IMO. > Again, the onus should always be on the tool to do the right thing. > If it cannot, it should not say anything. Saying nothing at all in order to prevent false positives would also by definition allow some false negatives, which would make stacktool useless for its intended purpose of enabling reliable stack traces. -- Josh