[v2] x86/asm: Pad assembly functions with INT3 instructions
diff mbox series

Message ID 20180515225845.GB21902@avx2
State New, archived
Headers show
Series
  • [v2] x86/asm: Pad assembly functions with INT3 instructions
Related show

Commit Message

Alexey Dobriyan May 15, 2018, 10:58 p.m. UTC
Use INT3 instead of NOP. All that padding between functions is
an illegal area, no legitimate code should jump into it.

I've checked x86_64 allyesconfig disassembly, all changes looks sane:
INT3 is only used after RET or unconditional JMP.

On i386:
* promote ret_from_exception into ENTRY as it has corresponding END,
* demote "resume_userspace" -- unused,
* delete ALIGN directive in page_fault. It is leftover from x86 assembly
  cleanups.

    commit d211af055d0c12dc3416c2886e6fbdc6eb74a381
    i386: get rid of the use of KPROBE_ENTRY / KPROBE_END

  has ALIGN directive before branch target which makes sense.
  All the code after ALIGN disappeared later.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---

 arch/x86/entry/entry_32.S      |    6 +-----
 arch/x86/include/asm/linkage.h |    2 +-
 2 files changed, 2 insertions(+), 6 deletions(-)

Comments

Linus Torvalds May 15, 2018, 11:28 p.m. UTC | #1
On Tue, May 15, 2018 at 3:58 PM Alexey Dobriyan <adobriyan@gmail.com> wrote:
>          jb      resume_kernel                   # not returning to v8086
or userspace
> -
> -ENTRY(resume_userspace)

I went back in history, and we used to have multiple "jmp resume_userspace"
including even the vm86.c code (in a different file) doing that, so there
*used* to be a reason for this being a global symbol (and yes, we had a
fall-through to that global symbol even in those days).

That said, I also look at "resume_kernel". There's no reason to make that
globally visible afaik. It looks local to entry_32.S, and should look like
restore_all rather than resume_userspace.

So we probably should remove the ENTRY() for that too, and just make it be

          ALIGN
         resume_kernel:

instead?

I guess the reason for removing that other ENTRY() is different from this
case, though..

                Linus
Ingo Molnar May 18, 2018, 7:36 a.m. UTC | #2
* Alexey Dobriyan <adobriyan@gmail.com> wrote:

> Use INT3 instead of NOP. All that padding between functions is
> an illegal area, no legitimate code should jump into it.
> 
> I've checked x86_64 allyesconfig disassembly, all changes looks sane:
> INT3 is only used after RET or unconditional JMP.
> 
> On i386:
> * promote ret_from_exception into ENTRY as it has corresponding END,
> * demote "resume_userspace" -- unused,
> * delete ALIGN directive in page_fault. It is leftover from x86 assembly
>   cleanups.
> 
>     commit d211af055d0c12dc3416c2886e6fbdc6eb74a381
>     i386: get rid of the use of KPROBE_ENTRY / KPROBE_END
> 
>   has ALIGN directive before branch target which makes sense.
>   All the code after ALIGN disappeared later.
> 
> Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
> ---
> 
>  arch/x86/entry/entry_32.S      |    6 +-----
>  arch/x86/include/asm/linkage.h |    2 +-
>  2 files changed, 2 insertions(+), 6 deletions(-)
> 
> --- a/arch/x86/entry/entry_32.S
> +++ b/arch/x86/entry/entry_32.S
> @@ -320,8 +320,7 @@ END(ret_from_fork)
>   */
>  
>  	# userspace resumption stub bypassing syscall exit tracing
> -	ALIGN
> -ret_from_exception:
> +ENTRY(ret_from_exception)
>  	preempt_stop(CLBR_ANY)
>  ret_from_intr:
>  #ifdef CONFIG_VM86
> @@ -337,8 +336,6 @@ ret_from_intr:
>  #endif
>  	cmpl	$USER_RPL, %eax
>  	jb	resume_kernel			# not returning to v8086 or userspace
> -
> -ENTRY(resume_userspace)
>  	DISABLE_INTERRUPTS(CLBR_ANY)
>  	TRACE_IRQS_OFF
>  	movl	%esp, %eax
> @@ -910,7 +907,6 @@ BUILD_INTERRUPT3(hv_stimer0_callback_vector, HYPERV_STIMER0_VECTOR,
>  ENTRY(page_fault)
>  	ASM_CLAC
>  	pushl	$do_page_fault
> -	ALIGN
>  	jmp common_exception
>  END(page_fault)
>  
> --- a/arch/x86/include/asm/linkage.h
> +++ b/arch/x86/include/asm/linkage.h
> @@ -18,7 +18,7 @@
>  	name:
>  
>  #if defined(CONFIG_X86_64) || defined(CONFIG_X86_ALIGNMENT_16)
> -#define __ALIGN		.p2align 4, 0x90
> +#define __ALIGN		.p2align 4, 0xCC
>  #define __ALIGN_STR	__stringify(__ALIGN)
>  #endif

So the question is, without objtool support, how will we find INT3-padding related 
crash bugs on 32-bit kernels?

Thanks,

	Ingo
Josh Poimboeuf May 18, 2018, 1:02 p.m. UTC | #3
On Fri, May 18, 2018 at 09:36:44AM +0200, Ingo Molnar wrote:
> 
> * Alexey Dobriyan <adobriyan@gmail.com> wrote:
> 
> > Use INT3 instead of NOP. All that padding between functions is
> > an illegal area, no legitimate code should jump into it.
> > 
> > I've checked x86_64 allyesconfig disassembly, all changes looks sane:
> > INT3 is only used after RET or unconditional JMP.
> > 
> > On i386:
> > * promote ret_from_exception into ENTRY as it has corresponding END,
> > * demote "resume_userspace" -- unused,
> > * delete ALIGN directive in page_fault. It is leftover from x86 assembly
> >   cleanups.
> > 
> >     commit d211af055d0c12dc3416c2886e6fbdc6eb74a381
> >     i386: get rid of the use of KPROBE_ENTRY / KPROBE_END
> > 
> >   has ALIGN directive before branch target which makes sense.
> >   All the code after ALIGN disappeared later.
> > 
> > Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
> > ---
> > 
> >  arch/x86/entry/entry_32.S      |    6 +-----
> >  arch/x86/include/asm/linkage.h |    2 +-
> >  2 files changed, 2 insertions(+), 6 deletions(-)
> > 
> > --- a/arch/x86/entry/entry_32.S
> > +++ b/arch/x86/entry/entry_32.S
> > @@ -320,8 +320,7 @@ END(ret_from_fork)
> >   */
> >  
> >  	# userspace resumption stub bypassing syscall exit tracing
> > -	ALIGN
> > -ret_from_exception:
> > +ENTRY(ret_from_exception)
> >  	preempt_stop(CLBR_ANY)
> >  ret_from_intr:
> >  #ifdef CONFIG_VM86
> > @@ -337,8 +336,6 @@ ret_from_intr:
> >  #endif
> >  	cmpl	$USER_RPL, %eax
> >  	jb	resume_kernel			# not returning to v8086 or userspace
> > -
> > -ENTRY(resume_userspace)
> >  	DISABLE_INTERRUPTS(CLBR_ANY)
> >  	TRACE_IRQS_OFF
> >  	movl	%esp, %eax
> > @@ -910,7 +907,6 @@ BUILD_INTERRUPT3(hv_stimer0_callback_vector, HYPERV_STIMER0_VECTOR,
> >  ENTRY(page_fault)
> >  	ASM_CLAC
> >  	pushl	$do_page_fault
> > -	ALIGN
> >  	jmp common_exception
> >  END(page_fault)
> >  
> > --- a/arch/x86/include/asm/linkage.h
> > +++ b/arch/x86/include/asm/linkage.h
> > @@ -18,7 +18,7 @@
> >  	name:
> >  
> >  #if defined(CONFIG_X86_64) || defined(CONFIG_X86_ALIGNMENT_16)
> > -#define __ALIGN		.p2align 4, 0x90
> > +#define __ALIGN		.p2align 4, 0xCC
> >  #define __ALIGN_STR	__stringify(__ALIGN)
> >  #endif
> 
> So the question is, without objtool support, how will we find INT3-padding related 
> crash bugs on 32-bit kernels?

Is the INT3 padding really worth it, even on x86-64?  What problem are
we trying to solve?

I've seen cases with GCC functions falling through, but with asm code,
falling through could just be working as designed.
Alexey Dobriyan May 18, 2018, 5:34 p.m. UTC | #4
On Fri, May 18, 2018 at 08:02:24AM -0500, Josh Poimboeuf wrote:
> On Fri, May 18, 2018 at 09:36:44AM +0200, Ingo Molnar wrote:
> > 
> > * Alexey Dobriyan <adobriyan@gmail.com> wrote:
> > 
> > > Use INT3 instead of NOP. All that padding between functions is
> > > an illegal area, no legitimate code should jump into it.
> > > 
> > > I've checked x86_64 allyesconfig disassembly, all changes looks sane:
> > > INT3 is only used after RET or unconditional JMP.
> > > 
> > > On i386:
> > > * promote ret_from_exception into ENTRY as it has corresponding END,
> > > * demote "resume_userspace" -- unused,
> > > * delete ALIGN directive in page_fault. It is leftover from x86 assembly
> > >   cleanups.
> > > 
> > >     commit d211af055d0c12dc3416c2886e6fbdc6eb74a381
> > >     i386: get rid of the use of KPROBE_ENTRY / KPROBE_END
> > > 
> > >   has ALIGN directive before branch target which makes sense.
> > >   All the code after ALIGN disappeared later.
> > > 
> > > Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
> > > ---
> > > 
> > >  arch/x86/entry/entry_32.S      |    6 +-----
> > >  arch/x86/include/asm/linkage.h |    2 +-
> > >  2 files changed, 2 insertions(+), 6 deletions(-)
> > > 
> > > --- a/arch/x86/entry/entry_32.S
> > > +++ b/arch/x86/entry/entry_32.S
> > > @@ -320,8 +320,7 @@ END(ret_from_fork)
> > >   */
> > >  
> > >  	# userspace resumption stub bypassing syscall exit tracing
> > > -	ALIGN
> > > -ret_from_exception:
> > > +ENTRY(ret_from_exception)
> > >  	preempt_stop(CLBR_ANY)
> > >  ret_from_intr:
> > >  #ifdef CONFIG_VM86
> > > @@ -337,8 +336,6 @@ ret_from_intr:
> > >  #endif
> > >  	cmpl	$USER_RPL, %eax
> > >  	jb	resume_kernel			# not returning to v8086 or userspace
> > > -
> > > -ENTRY(resume_userspace)
> > >  	DISABLE_INTERRUPTS(CLBR_ANY)
> > >  	TRACE_IRQS_OFF
> > >  	movl	%esp, %eax
> > > @@ -910,7 +907,6 @@ BUILD_INTERRUPT3(hv_stimer0_callback_vector, HYPERV_STIMER0_VECTOR,
> > >  ENTRY(page_fault)
> > >  	ASM_CLAC
> > >  	pushl	$do_page_fault
> > > -	ALIGN
> > >  	jmp common_exception
> > >  END(page_fault)
> > >  
> > > --- a/arch/x86/include/asm/linkage.h
> > > +++ b/arch/x86/include/asm/linkage.h
> > > @@ -18,7 +18,7 @@
> > >  	name:
> > >  
> > >  #if defined(CONFIG_X86_64) || defined(CONFIG_X86_ALIGNMENT_16)
> > > -#define __ALIGN		.p2align 4, 0x90
> > > +#define __ALIGN		.p2align 4, 0xCC
> > >  #define __ALIGN_STR	__stringify(__ALIGN)
> > >  #endif
> > 
> > So the question is, without objtool support, how will we find INT3-padding related 
> > crash bugs on 32-bit kernels?
> 
> Is the INT3 padding really worth it, even on x86-64?  What problem are
> we trying to solve?

It is a start: manual padding, then compiler inserted padding, then
kernel CFI (in the future).

The only ways processor can end up in the padding are memory corruption,
exploit, some kind of miscompilation or CPU bug. In every case it is better
to crash immediately.

> I've seen cases with GCC functions falling through, but with asm code,
> falling through could just be working as designed.

Manual NOP align still can be inserted, fallthough is not the common case.

Patch
diff mbox series

--- a/arch/x86/entry/entry_32.S
+++ b/arch/x86/entry/entry_32.S
@@ -320,8 +320,7 @@  END(ret_from_fork)
  */
 
 	# userspace resumption stub bypassing syscall exit tracing
-	ALIGN
-ret_from_exception:
+ENTRY(ret_from_exception)
 	preempt_stop(CLBR_ANY)
 ret_from_intr:
 #ifdef CONFIG_VM86
@@ -337,8 +336,6 @@  ret_from_intr:
 #endif
 	cmpl	$USER_RPL, %eax
 	jb	resume_kernel			# not returning to v8086 or userspace
-
-ENTRY(resume_userspace)
 	DISABLE_INTERRUPTS(CLBR_ANY)
 	TRACE_IRQS_OFF
 	movl	%esp, %eax
@@ -910,7 +907,6 @@  BUILD_INTERRUPT3(hv_stimer0_callback_vector, HYPERV_STIMER0_VECTOR,
 ENTRY(page_fault)
 	ASM_CLAC
 	pushl	$do_page_fault
-	ALIGN
 	jmp common_exception
 END(page_fault)
 
--- a/arch/x86/include/asm/linkage.h
+++ b/arch/x86/include/asm/linkage.h
@@ -18,7 +18,7 @@ 
 	name:
 
 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_ALIGNMENT_16)
-#define __ALIGN		.p2align 4, 0x90
+#define __ALIGN		.p2align 4, 0xCC
 #define __ALIGN_STR	__stringify(__ALIGN)
 #endif