All of lore.kernel.org
 help / color / mirror / Atom feed
From: Peter Zijlstra <peterz@infradead.org>
To: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>,
	Steven Rostedt <rostedt@goodmis.org>,
	Ingo Molnar <mingo@kernel.org>,
	Suleiman Souhlal <suleiman@google.com>, bpf <bpf@vger.kernel.org>,
	linux-kernel@vger.kernel.org, Borislav Petkov <bp@suse.de>,
	x86@kernel.org
Subject: Re: [PATCH v2 1/2] x86/kprobes: Fix kprobes instruction boudary check with CONFIG_RETHUNK
Date: Thu, 8 Sep 2022 11:30:41 +0200	[thread overview]
Message-ID: <Yxm2QU1NJIkIyrrU@hirez.programming.kicks-ass.net> (raw)
In-Reply-To: <20220908050855.w77mimzznrlp6pwe@treble>

On Wed, Sep 07, 2022 at 10:08:55PM -0700, Josh Poimboeuf wrote:
> On Thu, Sep 08, 2022 at 10:34:43AM +0900, Masami Hiramatsu (Google) wrote:
> > From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
> > 
> > Since the CONFIG_RETHUNK and CONFIG_SLS will use INT3 for stopping
> > speculative execution after RET instruction, kprobes always failes to
> > check the probed instruction boundary by decoding the function body if
> > the probed address is after such sequence. (Note that some conditional
> > code blocks will be placed after function return, if compiler decides
> > it is not on the hot path.)
> > 
> > This is because kprobes expects someone (e.g. kgdb) puts the INT3 as
> > a software breakpoint and it will replace the original instruction.
> > But these INT3 are not such purpose, it doesn't need to recover the
> > original instruction.
> > 
> > To avoid this issue, memorize the branch target address during decoding
> > and if there is INT3, restart decoding from unchecked target address.
> 
> Hm, is kprobes conflicting with kgdb actually a realistic concern?
> Seems like a dangerous combination

Yeah, not in my book. If you use kgdb you'd better be ready to hold
pieces anyway, that thing is terrible.

> Wouldn't it be much simpler to just encode the knowledge that
> 
>   	if (CONFIG_RETHUNK && !X86_FEATURE_RETHUNK)
> 		// all rets are followed by four INT3s
> 	else if (CONFIG_SLS)
> 		// all rets are followed by one INT3

At the very least that doesn't deal with the INT3 after JMP thing the
compilers should do once they catch up. This issue seems to keep getting
lost, but is now part of the AMD Branch Type Confusion (it was disclosed
in an earlier thing, but I keep forgetting what that was called).

Once that lands the rules are:

 0-5 INT3 after RET, !CONFIG_RETHUNK && !CONFIG_SLS: 0
                     CONFIG_SLS: 1
		     CONFIG_RETHUNK: 4-5 depending on compiler version

 0-1 INT3 after RET: !CONFIG_SLS: 0
		     CONFIG_SLS: 0-1 depending on compiler version

Now, given we know the compiler version at build time, this could be
determined and used in kprobes, but meh.

We also *should* put an INT3 after indirect jumps when patching the
retpolines. We don't appear to do so, but that's recommended even for
Intel I think.

Let me go do a patch.

  reply	other threads:[~2022-09-08  9:30 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-08  1:34 [PATCH v2 0/2] x86/kprobes: Fixes for CONFIG_RETHUNK Masami Hiramatsu (Google)
2022-09-08  1:34 ` [PATCH v2 1/2] x86/kprobes: Fix kprobes instruction boudary check with CONFIG_RETHUNK Masami Hiramatsu (Google)
2022-09-08  5:08   ` Josh Poimboeuf
2022-09-08  9:30     ` Peter Zijlstra [this message]
2022-09-08 10:04       ` [PATCH] x86,retpoline: Be sure to emit INT3 after JMP *%\reg Peter Zijlstra
2022-09-08 14:01         ` Alexei Starovoitov
2022-09-09  8:16           ` Peter Zijlstra
2022-09-09 14:19             ` Alexei Starovoitov
2022-09-09 16:48             ` Josh Poimboeuf
2022-09-11 15:14               ` Peter Zijlstra
2022-09-15 14:24         ` [tip: x86/core] " tip-bot2 for Peter Zijlstra
2022-09-08 10:08       ` [PATCH v2 1/2] x86/kprobes: Fix kprobes instruction boudary check with CONFIG_RETHUNK Peter Zijlstra
2022-09-08 13:03     ` Masami Hiramatsu
2022-09-08 15:01       ` [PATCH v3 0/2] x86/kprobes: Fixes for CONFIG_RETHUNK Masami Hiramatsu (Google)
2022-09-08 15:01         ` [PATCH v3 1/2] x86/kprobes: Fix kprobes instruction boudary check with CONFIG_RETHUNK Masami Hiramatsu (Google)
2022-09-08 15:01         ` [PATCH v3 2/2] x86/kprobes: Fix optprobe optimization " Masami Hiramatsu (Google)
2022-12-15  3:31           ` Nadav Amit
2022-12-18 14:28             ` Masami Hiramatsu
2022-09-08 19:31         ` [PATCH v3 0/2] x86/kprobes: Fixes for CONFIG_RETHUNK Josh Poimboeuf
2022-09-08  1:34 ` [PATCH v2 2/2] x86/kprobes: Fix optprobe optimization check with CONFIG_RETHUNK Masami Hiramatsu (Google)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Yxm2QU1NJIkIyrrU@hirez.programming.kicks-ass.net \
    --to=peterz@infradead.org \
    --cc=bp@suse.de \
    --cc=bpf@vger.kernel.org \
    --cc=jpoimboe@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mhiramat@kernel.org \
    --cc=mingo@kernel.org \
    --cc=rostedt@goodmis.org \
    --cc=suleiman@google.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.