[PATCH] objtool/x86: objtool can confuse memory and stack access

[PATCH] objtool/x86: objtool can confuse memory and stack access

[Alexandre Chartre]

The encoding of an x86 instruction can include a ModR/M and a SIB
(Scale-Index-Base) byte to describe the addressing mode of the
instruction.

objtool processes all addressing mode with a SIB base of 5 as having
%rbp as the base register. However, a SIB base of 5 means that the
effective address has either no base (if ModR/M mod is zero) or %rbp
as the base (if ModR/M mod is 1 or 2). This can cause objtool to confuse
an absolute address access with a stack operation.

For example, objtool will see the following instruction:

 4c 8b 24 25 e0 ff ff    mov    0xffffffffffffffe0,%r12

as a stack operation (i.e. similar to: mov -0x20(%rbp), %r12).

[Note that this kind of weird absolute address access is added by the
 compiler when using KASAN.]

If this perceived stack operation happens to reference the location
where %r12 was pushed on the stack then the objtool validation will
think that %r12 is being restored and this can cause a stack state
mismatch.

This kind behavior was seen on xfs code, after a minor change (convert
kmem_alloc() to kmalloc()):

>> fs/xfs/xfs.o: warning: objtool: xfs_da_grow_inode_int+0x6c1: stack state mismatch: reg1[12]=-2-48 reg2[12]=-1+0

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202402220435.MGN0EV6l-lkp@intel.com/
Signed-off-by: Alexandre Chartre <alexandre.chartre@oracle.com>
---
 tools/objtool/arch/x86/decode.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tools/objtool/arch/x86/decode.c b/tools/objtool/arch/x86/decode.c
index 3a1d80a7878d3..18a9140173326 100644
--- a/tools/objtool/arch/x86/decode.c
+++ b/tools/objtool/arch/x86/decode.c
@@ -412,6 +412,14 @@ int arch_decode_instruction(struct objtool_file *file, const struct section *sec
 		if (!rex_w)
 			break;
 
+		/*
+		 * If the SIB base is 5, and ModRM mod is 0 then there
+		 * is no base. But SIB decoding will set sib_base to
+		 * CFI_BP (register 5).
+		 */
+		if (have_SIB() && sib_base == CFI_BP && modrm_mod == 0)
+			break;
+
 		if (rm_is_mem(CFI_BP)) {
 
 			/* mov disp(%rbp), reg */
-- 
2.39.3

Re: [PATCH] objtool/x86: objtool can confuse memory and stack access

[Josh Poimboeuf]

On Thu, Mar 28, 2024 at 02:46:34PM +0100, Alexandre Chartre wrote:
> The encoding of an x86 instruction can include a ModR/M and a SIB
> (Scale-Index-Base) byte to describe the addressing mode of the
> instruction.
> 
> objtool processes all addressing mode with a SIB base of 5 as having
> %rbp as the base register. However, a SIB base of 5 means that the
> effective address has either no base (if ModR/M mod is zero) or %rbp
> as the base (if ModR/M mod is 1 or 2). This can cause objtool to confuse
> an absolute address access with a stack operation.
> 
> For example, objtool will see the following instruction:
> 
>  4c 8b 24 25 e0 ff ff    mov    0xffffffffffffffe0,%r12
> 
> as a stack operation (i.e. similar to: mov -0x20(%rbp), %r12).
> 
> [Note that this kind of weird absolute address access is added by the
>  compiler when using KASAN.]
> 
> If this perceived stack operation happens to reference the location
> where %r12 was pushed on the stack then the objtool validation will
> think that %r12 is being restored and this can cause a stack state
> mismatch.
> 
> This kind behavior was seen on xfs code, after a minor change (convert
> kmem_alloc() to kmalloc()):
> 
> >> fs/xfs/xfs.o: warning: objtool: xfs_da_grow_inode_int+0x6c1: stack state mismatch: reg1[12]=-2-48 reg2[12]=-1+0
> 
> Reported-by: kernel test robot <lkp@intel.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202402220435.MGN0EV6l-lkp@intel.com/
> Signed-off-by: Alexandre Chartre <alexandre.chartre@oracle.com>

Nice, thanks for finding and debugging this.

Would it make sense to make the check more generic by putting it into
rm_is()?

-- 
Josh

Re: [PATCH] objtool/x86: objtool can confuse memory and stack access

[Alexandre Chartre]

On 3/29/24 02:39, Josh Poimboeuf wrote:
> On Thu, Mar 28, 2024 at 02:46:34PM +0100, Alexandre Chartre wrote:
>> The encoding of an x86 instruction can include a ModR/M and a SIB
>> (Scale-Index-Base) byte to describe the addressing mode of the
>> instruction.
>>
>> objtool processes all addressing mode with a SIB base of 5 as having
>> %rbp as the base register. However, a SIB base of 5 means that the
>> effective address has either no base (if ModR/M mod is zero) or %rbp
>> as the base (if ModR/M mod is 1 or 2). This can cause objtool to confuse
>> an absolute address access with a stack operation.
>>
>> For example, objtool will see the following instruction:
>>
>>   4c 8b 24 25 e0 ff ff    mov    0xffffffffffffffe0,%r12
>>
>> as a stack operation (i.e. similar to: mov -0x20(%rbp), %r12).
>>
>> [Note that this kind of weird absolute address access is added by the
>>   compiler when using KASAN.]
>>
>> If this perceived stack operation happens to reference the location
>> where %r12 was pushed on the stack then the objtool validation will
>> think that %r12 is being restored and this can cause a stack state
>> mismatch.
>>
>> This kind behavior was seen on xfs code, after a minor change (convert
>> kmem_alloc() to kmalloc()):
>>
>>>> fs/xfs/xfs.o: warning: objtool: xfs_da_grow_inode_int+0x6c1: stack state mismatch: reg1[12]=-2-48 reg2[12]=-1+0
>>
>> Reported-by: kernel test robot <lkp@intel.com>
>> Closes: https://lore.kernel.org/oe-kbuild-all/202402220435.MGN0EV6l-lkp@intel.com/
>> Signed-off-by: Alexandre Chartre <alexandre.chartre@oracle.com>
> 
> Nice, thanks for finding and debugging this.
> 
> Would it make sense to make the check more generic by putting it into
> rm_is()?
> 

Yes. Making the change.

Thanks,

alex.