From: tip-bot for Josh Poimboeuf <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: hpa@zytor.com, linux-kernel@vger.kernel.org, jpoimboe@redhat.com,
mingo@kernel.org, ndesaulniers@google.com, arnd@arndb.de,
tglx@linutronix.de, peterz@infradead.org
Subject: [tip:core/urgent] objtool: Fix seg fault on bad switch table entry
Date: Thu, 18 Jul 2019 12:21:33 -0700 [thread overview]
Message-ID: <tip-e65050b94d8c518fdbee572ea4ca6d352e1fda37@git.kernel.org> (raw)
In-Reply-To: <a9db88eec4f1ca089e040989846961748238b6d8.1563413318.git.jpoimboe@redhat.com>
Commit-ID: e65050b94d8c518fdbee572ea4ca6d352e1fda37
Gitweb: https://git.kernel.org/tip/e65050b94d8c518fdbee572ea4ca6d352e1fda37
Author: Josh Poimboeuf <jpoimboe@redhat.com>
AuthorDate: Wed, 17 Jul 2019 20:36:55 -0500
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Thu, 18 Jul 2019 21:01:10 +0200
objtool: Fix seg fault on bad switch table entry
In one rare case, Clang generated the following code:
5ca: 83 e0 21 and $0x21,%eax
5cd: b9 04 00 00 00 mov $0x4,%ecx
5d2: ff 24 c5 00 00 00 00 jmpq *0x0(,%rax,8)
5d5: R_X86_64_32S .rodata+0x38
which uses the corresponding jump table relocations:
000000000038 000200000001 R_X86_64_64 0000000000000000 .text + 834
000000000040 000200000001 R_X86_64_64 0000000000000000 .text + 5d9
000000000048 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000050 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000058 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000060 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000068 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000070 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000078 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000080 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000088 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000090 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000098 000200000001 R_X86_64_64 0000000000000000 .text + b96
0000000000a0 000200000001 R_X86_64_64 0000000000000000 .text + b96
0000000000a8 000200000001 R_X86_64_64 0000000000000000 .text + b96
0000000000b0 000200000001 R_X86_64_64 0000000000000000 .text + b96
0000000000b8 000200000001 R_X86_64_64 0000000000000000 .text + b96
0000000000c0 000200000001 R_X86_64_64 0000000000000000 .text + b96
0000000000c8 000200000001 R_X86_64_64 0000000000000000 .text + b96
0000000000d0 000200000001 R_X86_64_64 0000000000000000 .text + b96
0000000000d8 000200000001 R_X86_64_64 0000000000000000 .text + b96
0000000000e0 000200000001 R_X86_64_64 0000000000000000 .text + b96
0000000000e8 000200000001 R_X86_64_64 0000000000000000 .text + b96
0000000000f0 000200000001 R_X86_64_64 0000000000000000 .text + b96
0000000000f8 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000100 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000108 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000110 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000118 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000120 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000128 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000130 000200000001 R_X86_64_64 0000000000000000 .text + b96
000000000138 000200000001 R_X86_64_64 0000000000000000 .text + 82f
000000000140 000200000001 R_X86_64_64 0000000000000000 .text + 828
Since %eax was masked with 0x21, only the first two and the last two
entries are possible.
Objtool doesn't actually emulate all the code, so it isn't smart enough
to know that all the middle entries aren't reachable. They point to the
NOP padding area after the end of the function, so objtool seg faulted
when it tried to dereference a NULL insn->func.
After this fix, objtool still gives an "unreachable" error because it
stops reading the jump table when it encounters the bad addresses:
/home/jpoimboe/objtool-tests/adm1275.o: warning: objtool: adm1275_probe()+0x828: unreachable instruction
While the above code is technically correct, it's very wasteful of
memory -- it uses 34 jump table entries when only 4 are needed. It's
also not possible for objtool to validate this type of switch table
because the unused entries point outside the function and objtool has no
way of determining if that's intentional. Hopefully the Clang folks can
fix it.
Reported-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Nick Desaulniers <ndesaulniers@google.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/a9db88eec4f1ca089e040989846961748238b6d8.1563413318.git.jpoimboe@redhat.com
---
tools/objtool/check.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index 66f7c01385a4..a966b22a32ef 100644
--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -932,7 +932,7 @@ static int add_jump_table(struct objtool_file *file, struct instruction *insn,
break;
/* Make sure the destination is in the same function: */
- if (dest_insn->func->pfunc != pfunc)
+ if (!dest_insn->func || dest_insn->func->pfunc != pfunc)
break;
alt = malloc(sizeof(*alt));
next prev parent reply other threads:[~2019-07-18 19:21 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-18 1:36 [PATCH v2 00/22] x86, objtool: several fixes/improvements Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 01/22] x86/paravirt: Fix callee-saved function ELF sizes Josh Poimboeuf
2019-07-18 19:07 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 02/22] x86/kvm: Fix fastop function ELF metadata Josh Poimboeuf
2019-07-18 19:08 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 03/22] x86/kvm: Replace vmx_vmenter()'s call to kvm_spurious_fault() with UD2 Josh Poimboeuf
2019-07-18 8:17 ` Paolo Bonzini
2019-07-18 19:08 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 04/22] x86/kvm: Don't call kvm_spurious_fault() from .fixup Josh Poimboeuf
2019-07-18 8:22 ` Paolo Bonzini
2019-07-18 13:16 ` Sean Christopherson
2019-07-18 13:18 ` Paolo Bonzini
2019-07-18 14:12 ` Josh Poimboeuf
2019-07-18 14:13 ` Paolo Bonzini
2019-07-18 14:03 ` Josh Poimboeuf
2019-07-18 19:09 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 05/22] x86/entry: Fix thunk function ELF sizes Josh Poimboeuf
2019-07-18 19:10 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 06/22] x86/head/64: Annotate start_cpu0() as non-callable Josh Poimboeuf
2019-07-18 19:11 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 07/22] x86/uaccess: Remove ELF function annotation from copy_user_handle_tail() Josh Poimboeuf
2019-07-18 19:11 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 08/22] x86/uaccess: Don't leak AC flag into fentry from mcsafe_handle_tail() Josh Poimboeuf
2019-07-18 19:12 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 09/22] x86/uaccess: Remove redundant CLACs in getuser/putuser error paths Josh Poimboeuf
2019-07-18 19:13 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 10/22] bpf: Disable GCC -fgcse optimization for ___bpf_prog_run() Josh Poimboeuf
2019-07-18 19:14 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2020-04-29 21:51 ` BPF vs objtool again Josh Poimboeuf
2020-04-29 22:01 ` Arvind Sankar
2020-04-29 23:41 ` Alexei Starovoitov
2020-04-30 0:13 ` Josh Poimboeuf
2020-04-30 2:10 ` Alexei Starovoitov
2020-04-30 3:53 ` Josh Poimboeuf
2020-04-30 4:24 ` Alexei Starovoitov
2020-04-30 4:43 ` Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 11/22] objtool: Add mcsafe_handle_tail() to the uaccess safe list Josh Poimboeuf
2019-07-18 19:14 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 12/22] objtool: Track original function across branches Josh Poimboeuf
2019-07-18 19:15 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 13/22] objtool: Refactor function alias logic Josh Poimboeuf
2019-07-18 19:16 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 14/22] objtool: Warn on zero-length functions Josh Poimboeuf
2019-07-18 19:17 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 15/22] objtool: Change dead_end_function() to return boolean Josh Poimboeuf
2019-07-18 19:17 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 16/22] objtool: Do frame pointer check before dead end check Josh Poimboeuf
2019-07-18 19:18 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 17/22] objtool: Refactor sibling call detection logic Josh Poimboeuf
2019-07-18 19:19 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 18/22] objtool: Refactor jump table code Josh Poimboeuf
2019-07-18 19:20 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 19/22] objtool: Support repeated uses of the same C jump table Josh Poimboeuf
2019-07-18 19:20 ` [tip:core/urgent] " tip-bot for Jann Horn
2019-07-18 1:36 ` [PATCH v2 20/22] objtool: Fix seg fault on bad switch table entry Josh Poimboeuf
2019-07-18 19:21 ` tip-bot for Josh Poimboeuf [this message]
2019-07-18 1:36 ` [PATCH v2 21/22] objtool: convert insn type to enum Josh Poimboeuf
2019-07-18 19:22 ` [tip:core/urgent] objtool: Convert " tip-bot for Josh Poimboeuf
2019-07-18 1:36 ` [PATCH v2 22/22] objtool: Support conditional retpolines Josh Poimboeuf
2019-07-18 19:23 ` [tip:core/urgent] " tip-bot for Josh Poimboeuf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tip-e65050b94d8c518fdbee572ea4ca6d352e1fda37@git.kernel.org \
--to=tipbot@zytor.com \
--cc=arnd@arndb.de \
--cc=hpa@zytor.com \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-tip-commits@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=ndesaulniers@google.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.