Re: [PATCH 08/15] x86/alternatives: Teach text_poke_bp() to emulate instructions
From: Peter Zijlstra
Date: Mon Jun 17 2019 - 15:31:57 EST
On Mon, Jun 17, 2019 at 10:25:27AM -0700, Andy Lutomirski wrote:
> On Mon, Jun 17, 2019 at 7:42 AM Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
> > On Wed, Jun 12, 2019 at 07:44:12PM +0000, Nadav Amit wrote:
> > > I have run into similar problems before.
> > >
> > > I had two problematic scenarios. In the first case, I had a "call" in the
> > > middle of the patched code-block, but this call was always followed by a
> > > "jump" to the end of the potentially patched code-block, so I did not have
> > > the problem.
> > >
> > > In the second case, I had an indirect call (which is shorter than a direct
> > Longer, 6 bytes vs 5 if I'm not mistaken.
> > > call) being patched into a direct call. In this case, I preceded the
> > > indirect call with NOPs so indeed the indirect call was at the end of the
> > > patched block.
> > >
> > > In certain cases, if a shorter instruction should be potentially patched
> > > into a longer one, the shorter one can be preceded by some prefixes. If
> > > there are multiple REX prefixes, for instance, the CPU only uses the last
> > > one, IIRC. This can allow one to avoid synchronize_sched() when patching a
> > > single instruction into another instruction with a different length.
> > >
> > > Not sure how helpful this information is, but sharing - just in case.
> > I think we can patch multiple instructions provided:
> > - all but one instruction are a NOP,
> > - there are no branch targets inside the range.
> > By poking INT3 at every instruction in the range and then doing the
> > machine wide IPI+SYNC, we'll trap every CPU that is inside the range.
> How do you know you'll trap them? You need to IPI, serialize, and get
> them to execute an instruction. If the CPU is in an interrupt and RIP
> just happens to be pointed to the INT3, you need them to execute a
> whole lot more than just one instruction.
Argh, yes, I'm an idiot.