[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging-4.15] xen/x86: Livepatch: support patching CET-enhanced functions



commit be9facf323b40b5a18c5e3f70fce5b245818c42f
Author:     Bjoern Doebel <doebel@xxxxxxxxx>
AuthorDate: Thu Mar 10 07:35:36 2022 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Fri Mar 25 17:10:38 2022 +0000

    xen/x86: Livepatch: support patching CET-enhanced functions
    
    Xen enabled CET for supporting architectures. The control flow aspect of
    CET require functions that can be called indirectly (i.e., via function
    pointers) to start with an ENDBR64 instruction. Otherwise a control flow
    exception is raised.
    
    This expectation breaks livepatching flows because we patch functions by
    overwriting their first 5 bytes with a JMP + <offset>, thus breaking the
    ENDBR64. We fix this by checking the start of a patched function for
    being ENDBR64. In the positive case we move the livepatch JMP to start
    behind the ENDBR64 instruction.
    
    To avoid having to guess the ENDBR64 offset again on patch reversal
    (which might race with other mechanisms adding/removing ENDBR
    dynamically), use the livepatch metadata to store the computed offset
    along with the saved bytes of the overwritten function.
    
    Signed-off-by: Bjoern Doebel <doebel@xxxxxxxxx>
    Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
    Reviewed-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
    Tested-by: Jiamei Xie <jiamei.xie@xxxxxxx>
    (cherry picked from commit 6974c75180f1aad44e5428eabf2396b2b50fb0e4)
    
    Note: For backports to 4.14 thru 4.16, there is no endbr-clobbering, hence 
no
          is_endbr64_poison() logic.
---
 xen/arch/x86/livepatch.c    | 39 +++++++++++++++++++++++++++++++++------
 xen/include/public/sysctl.h |  3 ++-
 2 files changed, 35 insertions(+), 7 deletions(-)

diff --git a/xen/arch/x86/livepatch.c b/xen/arch/x86/livepatch.c
index 49f0d902e5..e94ac9b228 100644
--- a/xen/arch/x86/livepatch.c
+++ b/xen/arch/x86/livepatch.c
@@ -14,6 +14,7 @@
 #include <xen/vm_event.h>
 #include <xen/virtual_region.h>
 
+#include <asm/endbr.h>
 #include <asm/fixmap.h>
 #include <asm/nmi.h>
 #include <asm/livepatch.h>
@@ -113,8 +114,20 @@ int arch_livepatch_verify_func(const struct livepatch_func 
*func)
         if ( func->old_size < func->new_size )
             return -EINVAL;
     }
-    else if ( func->old_size < ARCH_PATCH_INSN_SIZE )
-        return -EINVAL;
+    else
+    {
+        /*
+         * Space needed now depends on whether the target function
+         * starts with an ENDBR64 instruction.
+         */
+        uint8_t needed = ARCH_PATCH_INSN_SIZE;
+
+        if ( is_endbr64(func->old_addr) )
+            needed += ENDBR64_LEN;
+
+        if ( func->old_size < needed )
+            return -EINVAL;
+    }
 
     return 0;
 }
@@ -129,12 +142,24 @@ void noinline arch_livepatch_apply(struct livepatch_func 
*func)
     uint8_t insn[sizeof(func->opaque)];
     unsigned int len;
 
+    func->patch_offset = 0;
     old_ptr = func->old_addr;
     len = livepatch_insn_len(func);
     if ( !len )
         return;
 
-    memcpy(func->opaque, old_ptr, len);
+    /*
+     * CET hotpatching support: We may have functions starting with an ENDBR64
+     * instruction that MUST remain the first instruction of the function,
+     * hence we need to move any hotpatch trampoline further into the function.
+     * For that we need to keep track of the patching offset used for any
+     * loaded hotpatch (to avoid racing against other fixups adding/removing
+     * ENDBR64 or similar instructions).
+     */
+    if ( is_endbr64(old_ptr) )
+        func->patch_offset += ENDBR64_LEN;
+
+    memcpy(func->opaque, old_ptr + func->patch_offset, len);
     if ( func->new_addr )
     {
         int32_t val;
@@ -142,14 +167,15 @@ void noinline arch_livepatch_apply(struct livepatch_func 
*func)
         BUILD_BUG_ON(ARCH_PATCH_INSN_SIZE != (1 + sizeof(val)));
 
         insn[0] = 0xe9; /* Relative jump. */
-        val = func->new_addr - func->old_addr - ARCH_PATCH_INSN_SIZE;
+        val = func->new_addr - (func->old_addr + func->patch_offset +
+                                ARCH_PATCH_INSN_SIZE);
 
         memcpy(&insn[1], &val, sizeof(val));
     }
     else
         add_nops(insn, len);
 
-    memcpy(old_ptr, insn, len);
+    memcpy(old_ptr + func->patch_offset, insn, len);
 }
 
 /*
@@ -158,7 +184,8 @@ void noinline arch_livepatch_apply(struct livepatch_func 
*func)
  */
 void noinline arch_livepatch_revert(const struct livepatch_func *func)
 {
-    memcpy(func->old_addr, func->opaque, livepatch_insn_len(func));
+    memcpy(func->old_addr + func->patch_offset, func->opaque,
+           livepatch_insn_len(func));
 }
 
 /*
diff --git a/xen/include/public/sysctl.h b/xen/include/public/sysctl.h
index 039ccf885c..3145aff95b 100644
--- a/xen/include/public/sysctl.h
+++ b/xen/include/public/sysctl.h
@@ -870,7 +870,8 @@ struct livepatch_func {
     uint8_t version;        /* MUST be LIVEPATCH_PAYLOAD_VERSION. */
     uint8_t opaque[LIVEPATCH_OPAQUE_SIZE];
     uint8_t applied;
-    uint8_t _pad[7];
+    uint8_t patch_offset;
+    uint8_t _pad[6];
     livepatch_expectation_t expect;
 };
 typedef struct livepatch_func livepatch_func_t;
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.15



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.