Re: [PATCH] static_call,x86: Robustify trampoline patching

From: Ard Biesheuvel
Date: Tue Nov 02 2021 - 14:19:17 EST


On Tue, 2 Nov 2021 at 19:14, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
>
> On Tue, Nov 02, 2021 at 06:44:56PM +0100, Ard Biesheuvel wrote:
> > On Tue, 2 Nov 2021 at 16:15, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
> > >
> > > On Tue, Nov 02, 2021 at 01:57:44PM +0100, Peter Zijlstra wrote:
> > >
> > > > So how insane is something like this, have each function:
> > > >
> > > > foo.cfi:
> > > > endbr64
> > > > xorl $0xdeadbeef, %r10d
> > > > jz foo
> > > > ud2
> > > > nop # make it 16 bytes
> > > > foo:
> > > > # actual function text goes here
> > > >
> > > >
> > > > And for each hash have two thunks:
> > > >
> > > >
> > > > # arg: r11
> > > > # clobbers: r10, r11
> > > > __x86_indirect_cfi_deadbeef:
> > > > movl -9(%r11), %r10 # immediate in foo.cfi
> > > > xorl $0xdeadbeef, %r10 # our immediate
> > > > jz 1f
> > > > ud2
> > > > 1: ALTERNATIVE_2 "jmp *%r11",
> > > > "jmp __x86_indirect_thunk_r11", X86_FEATURE_RETPOLINE
> > > > "lfence; jmp *%r11", X86_FEATURE_RETPOLINE_AMD
> > > >
> >
> > So are these supposed to go into the jump tables? If so, there still
> > needs to be a check against the boundary of the table at the call
> > site, to ensure that we are not calling something that we shouldn't.
> >
> > If they are not going into the jump tables, I don't see the point of
> > having them, as only happy flow/uncomprised code would bother to use
> > them.
>
> I don't understand. If you can scribble your own code, you can
> circumvent pretty much any range check anyway.

A function pointer is data not code.

> But if you can't scribble
> your own code, you get to use the branch here and that checks the
> callsite and callee signature.
>

OK, so the call site has a direct branch to this trampoline then? That
wasn't clear to me.

> The range check isn't fundamental to CFI, having a check is the
> important thing AFAIU.

Agreed. If the call site has a direct branch, it doesn't need the range check.