[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3] x86/cet: Use dedicated NOP4 for cf_clobber


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 17 Mar 2022 15:21:53 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ZtsCjFJy3SAf5+62VquVWL7CN9CufFRJlebFQ8TFX1I=; b=Wp1MMxsUqWShtqv00QL0wpCIHodBxTlis+frJdDxtJS0bzaoHDp9T3K6Qasyi4Wd5P8UWyIyOvBx7IM9IIij8XMn1DRWhQwZBghyH/U5CaoCSODIfiKtq2onGRNOZLddurrur9yu1tYOOC7MMAA/9Z4i/2X4RqQKd5Z41p1WLZVTtvGHDH216hzBKyImHqzBiUNTEQqk3QDZC1exi3NBHC40d+P7babRSVMG7yjhXb8O4OrQCRr3X8+lHqZ269kBBdBz8gvLY6pH3yRHUj8H8vICenpL/kIJKhrKjpSgqSEWy0WFldD7XUPnThNDQUWO3ZpdSKB/Lv/MTxf5uS/kfA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=drPH2deXTHslqJEWFKk+1UnXZ5JeC2pgMiIoe78M/83run3ae7yhpEA8bibjqKpQLtDMik2k0r1xEoqH/5e4vBAP8cwLsLCHCCU7A0S/z8qAAdIGqCY0rPoaXgNZODWh1KegoUKbVWDpAtrsnmUNngAjc3DgGSlLAHAXHcvDqBPgCpQQJdsApvUUUiMeLI7HOuse0X3WuqZI/6f3EoA+NuO+oodcRbuPvg9Z4q3kR9GePcup3gbIokINR+J8oS92oA2X3kMJKoYC+PkP0tp5f100IRHGTB3R1FC+LxT3R4Iso7+JTcotpeGDeoVXktph6EveNCbQlKCM/dzIyzICiQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Bjoern Doebel <doebel@xxxxxxxxx>, Michael Kurth <mku@xxxxxxxxx>, Martin Pohlack <mpohlack@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 17 Mar 2022 14:22:03 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 17.03.2022 15:06, Andrew Cooper wrote:
> For livepatching, we need to look at a potentially clobbered function and
> determine whether it used to have an ENDBR64 instruction.
> 
> Use a non-default 4-byte P6 long nop, not emitted by toolchains, and extend
> check-endbr.sh to look for it.  The same logic can check for the absence of
> any endbr32 instructions, so include a check for those too.
> 
> The choice of nop has some complicated consequences.  nopw (%rax) has a ModRM
> byte of 0, which the Bourne compatible shells unconditionally strip from
> parameters, meaning that we can't pass it to `grep -aob`.
> 
> Therefore, use nopw (%rcx) so the ModRM byte becomes 1.
> 
> This then demonstrates another bug.  Under perl regexes, \1 thru \9 are
> subpattern matches, and not octal escapes, while the behaviour of \10 and
> higher depend on the number of capture groups.  Switch the `grep -P` runes to
> use hex escapes instead, which are unambiguous
> 
> The build time check then requires that the endbr64 poison have the same
> treatment as endbr64 to avoid placing the byte pattern in immediate operands.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
with one nit (which likely I should have spotted before):

> @@ -45,13 +45,15 @@ echo "X" | grep -aobP "\130" -q 2>/dev/null || 
> perl_re=false
>  ${OBJDUMP} -j .text $1 -d -w | grep '        endbr64 *$' | cut -f 1 -d ':' > 
> $VALID &
>  
>  #
> -# Second, look for any endbr64 byte sequence
> +# Second, look for all endbr64, endbr32 and nop poison byte sequences
>  # This has a couple of complications:
>  #
>  # 1) Grep binary search isn't VMA aware.  Copy .text out as binary, causing
>  #    the grep offset to be from the start of .text.
>  #
>  # 2) dash's printf doesn't understand hex escapes, hence the use of octal.
> +#    `grep -P` on the other hand can has various ambiguities with octal-like
> +#    escapes, so use hex escapes instead which are unambiguous.

There looks to be a stray "can" in here.

Jan




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.