From: Alexandre Chartre <alexandre.chartre@oracle.com>
To: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: linux-kernel@vger.kernel.org, peterz@infradead.org
Subject: Re: [PATCH] objtool/x86: objtool can confuse memory and stack access
Date: Fri, 29 Mar 2024 14:22:58 +0100 [thread overview]
Message-ID: <e95bd083-3501-465e-be48-aa8d37f4f55d@oracle.com> (raw)
In-Reply-To: <20240329013932.vxqzc74szrckxqdq@treble>
On 3/29/24 02:39, Josh Poimboeuf wrote:
> On Thu, Mar 28, 2024 at 02:46:34PM +0100, Alexandre Chartre wrote:
>> The encoding of an x86 instruction can include a ModR/M and a SIB
>> (Scale-Index-Base) byte to describe the addressing mode of the
>> instruction.
>>
>> objtool processes all addressing mode with a SIB base of 5 as having
>> %rbp as the base register. However, a SIB base of 5 means that the
>> effective address has either no base (if ModR/M mod is zero) or %rbp
>> as the base (if ModR/M mod is 1 or 2). This can cause objtool to confuse
>> an absolute address access with a stack operation.
>>
>> For example, objtool will see the following instruction:
>>
>> 4c 8b 24 25 e0 ff ff mov 0xffffffffffffffe0,%r12
>>
>> as a stack operation (i.e. similar to: mov -0x20(%rbp), %r12).
>>
>> [Note that this kind of weird absolute address access is added by the
>> compiler when using KASAN.]
>>
>> If this perceived stack operation happens to reference the location
>> where %r12 was pushed on the stack then the objtool validation will
>> think that %r12 is being restored and this can cause a stack state
>> mismatch.
>>
>> This kind behavior was seen on xfs code, after a minor change (convert
>> kmem_alloc() to kmalloc()):
>>
>>>> fs/xfs/xfs.o: warning: objtool: xfs_da_grow_inode_int+0x6c1: stack state mismatch: reg1[12]=-2-48 reg2[12]=-1+0
>>
>> Reported-by: kernel test robot <lkp@intel.com>
>> Closes: https://lore.kernel.org/oe-kbuild-all/202402220435.MGN0EV6l-lkp@intel.com/
>> Signed-off-by: Alexandre Chartre <alexandre.chartre@oracle.com>
>
> Nice, thanks for finding and debugging this.
>
> Would it make sense to make the check more generic by putting it into
> rm_is()?
>
Yes. Making the change.
Thanks,
alex.
prev parent reply other threads:[~2024-03-29 13:23 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-28 13:46 [PATCH] objtool/x86: objtool can confuse memory and stack access Alexandre Chartre
2024-03-29 1:39 ` Josh Poimboeuf
2024-03-29 13:22 ` Alexandre Chartre [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e95bd083-3501-465e-be48-aa8d37f4f55d@oracle.com \
--to=alexandre.chartre@oracle.com \
--cc=jpoimboe@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.