* [PATCH] x86/cmdline: Disable instrumentation of cmdline unconditionally @ 2020-09-06 15:46 Arvind Sankar 2020-09-17 9:40 ` Borislav Petkov 0 siblings, 1 reply; 4+ messages in thread From: Arvind Sankar @ 2020-09-06 15:46 UTC (permalink / raw) To: x86; +Cc: linux-kernel On 32-bit, cmdline_find_option_bool() is used before paging is enabled, from check_loader_disabled_bsp() in the early microcode loader. Instrumentation options that insert accesses to global data will likely crash or corrupt memory at this point. cmdline_find_option{,_bool}() are only used during boot, so instrumentation is not that useful anyway. Disable instrumentation unconditionally, and additionally disable: - GCOV - UBSAN - tracing: change -pg -> CC_FLAGS_FTRACE - STACKLEAK_PLUGIN - BRANCH_PROFILING Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu> --- arch/x86/lib/Makefile | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/arch/x86/lib/Makefile b/arch/x86/lib/Makefile index aa067859a70b..0ad4ae9def44 100644 --- a/arch/x86/lib/Makefile +++ b/arch/x86/lib/Makefile @@ -15,17 +15,19 @@ CFLAGS_REMOVE_delay.o = $(CC_FLAGS_FTRACE) endif # Early boot use of cmdline; don't instrument it -ifdef CONFIG_AMD_MEM_ENCRYPT +GCOV_PROFILE_cmdline.o := n KCOV_INSTRUMENT_cmdline.o := n KASAN_SANITIZE_cmdline.o := n +UBSAN_SANITIZE_cmdline.o := n KCSAN_SANITIZE_cmdline.o := n ifdef CONFIG_FUNCTION_TRACER -CFLAGS_REMOVE_cmdline.o = -pg +CFLAGS_REMOVE_cmdline.o = $(CC_FLAGS_FTRACE) endif CFLAGS_cmdline.o := -fno-stack-protector -fno-jump-tables -endif +CFLAGS_cmdline.o += $(DISABLE_STACKLEAK_PLUGIN) +CFLAGS_cmdline.o += -DDISABLE_BRANCH_PROFILING inat_tables_script = $(srctree)/arch/x86/tools/gen-insn-attr-x86.awk inat_tables_maps = $(srctree)/arch/x86/lib/x86-opcode-map.txt -- 2.26.2 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] x86/cmdline: Disable instrumentation of cmdline unconditionally 2020-09-06 15:46 [PATCH] x86/cmdline: Disable instrumentation of cmdline unconditionally Arvind Sankar @ 2020-09-17 9:40 ` Borislav Petkov 2020-09-17 16:05 ` Arvind Sankar 0 siblings, 1 reply; 4+ messages in thread From: Borislav Petkov @ 2020-09-17 9:40 UTC (permalink / raw) To: Arvind Sankar; +Cc: x86, linux-kernel On Sun, Sep 06, 2020 at 11:46:37AM -0400, Arvind Sankar wrote: > On 32-bit, cmdline_find_option_bool() is used before paging is enabled, > from check_loader_disabled_bsp() in the early microcode loader. > Instrumentation options that insert accesses to global data will likely > crash or corrupt memory at this point. What is the use case here, can you trigger an actual crash? -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] x86/cmdline: Disable instrumentation of cmdline unconditionally 2020-09-17 9:40 ` Borislav Petkov @ 2020-09-17 16:05 ` Arvind Sankar 2020-09-17 17:28 ` Borislav Petkov 0 siblings, 1 reply; 4+ messages in thread From: Arvind Sankar @ 2020-09-17 16:05 UTC (permalink / raw) To: Borislav Petkov; +Cc: Arvind Sankar, x86, linux-kernel On Thu, Sep 17, 2020 at 11:40:55AM +0200, Borislav Petkov wrote: > On Sun, Sep 06, 2020 at 11:46:37AM -0400, Arvind Sankar wrote: > > On 32-bit, cmdline_find_option_bool() is used before paging is enabled, > > from check_loader_disabled_bsp() in the early microcode loader. > > Instrumentation options that insert accesses to global data will likely > > crash or corrupt memory at this point. > > What is the use case here, can you trigger an actual crash? > > -- > Regards/Gruss, > Boris. > > https://people.kernel.org/tglx/notes-about-netiquette Hm this is a bit embarassing. I did have a crash and this patch fixed it, but it seems it was on a branch where I was making changes to cmdline.c, which triggered clang to use a jump table for cmdline_find_option_bool(). That was the cause of the crash, and the reason this patch fixed it was because it enabled -fno-jump-tables, rather than because it disabled instrumentation. The instrumentation code does write data to random addresses, but apparently that doesn't necessarily crash the system. This patch would also be insufficient to fix it, since load_ucode_bsp() itself can have instrumentation code in it. Eg with GCOV_PROFILE_ALL enabled, the start of the function is: c2a7706a <load_ucode_bsp>: c2a7706a: 55 push %ebp c2a7706b: 83 05 c0 4d ba c2 01 addl $0x1,0xc2ba4dc0 c2a77072: 83 15 c4 4d ba c2 00 adcl $0x0,0xc2ba4dc4 c2a77079: 89 e5 mov %esp,%ebp but when it's called from arch/x86/kernel/head_32.S, paging is disabled and the code is executing out of physical addresses, so it's going to read/write data from garbage addresses. Anyway, please ignore this patch and sorry for the noise. Thanks. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] x86/cmdline: Disable instrumentation of cmdline unconditionally 2020-09-17 16:05 ` Arvind Sankar @ 2020-09-17 17:28 ` Borislav Petkov 0 siblings, 0 replies; 4+ messages in thread From: Borislav Petkov @ 2020-09-17 17:28 UTC (permalink / raw) To: Arvind Sankar; +Cc: x86, linux-kernel On Thu, Sep 17, 2020 at 12:05:48PM -0400, Arvind Sankar wrote: > I did have a crash and this patch fixed it, but it seems it was on a > branch where I was making changes to cmdline.c, which triggered clang to > use a jump table for cmdline_find_option_bool(). That was the cause of > the crash, and the reason this patch fixed it was because it enabled > -fno-jump-tables, rather than because it disabled instrumentation. I see. > The instrumentation code does write data to random addresses, but > apparently that doesn't necessarily crash the system. This patch would > also be insufficient to fix it, since load_ucode_bsp() itself can have > instrumentation code in it. Yeah, it better not have any. > Eg with GCOV_PROFILE_ALL enabled, the start of the function is: > > c2a7706a <load_ucode_bsp>: > c2a7706a: 55 push %ebp > c2a7706b: 83 05 c0 4d ba c2 01 addl $0x1,0xc2ba4dc0 > c2a77072: 83 15 c4 4d ba c2 00 adcl $0x0,0xc2ba4dc4 > c2a77079: 89 e5 mov %esp,%ebp > > but when it's called from arch/x86/kernel/head_32.S, paging is disabled > and the code is executing out of physical addresses, so it's going to > read/write data from garbage addresses. Right, so I'm sceptical to all this instrumentation nonsense - it is fine and good if you have it but not everywhere. And certainly not when the thing is loading microcode. microcode/core.c contains all the code, early and late so it might make some little sense to have instrumentation there for whatever reasons, say KASANing (yah, I made a verb :)) the thing for leaks or whatnot, but meh, I can't find it in me to care. So at some point, if it starts getting in the way, we might remove all instrumentation from that thing altogether. > Anyway, please ignore this patch and sorry for the noise. No worries. Thx. -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-09-17 18:07 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-09-06 15:46 [PATCH] x86/cmdline: Disable instrumentation of cmdline unconditionally Arvind Sankar 2020-09-17 9:40 ` Borislav Petkov 2020-09-17 16:05 ` Arvind Sankar 2020-09-17 17:28 ` Borislav Petkov
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).