Re: [PATCH] static_call,x86: Robustify trampoline patching

From: Peter Zijlstra
Date: Tue Nov 02 2021 - 17:48:49 EST


On Tue, Nov 02, 2021 at 07:18:53PM +0100, Ard Biesheuvel wrote:

> > The range check isn't fundamental to CFI, having a check is the
> > important thing AFAIU.
>
> Agreed. If the call site has a direct branch, it doesn't need the range check.

That, from the earlier email:

| And have the actual indirect callsite look like:
|
| # r11 - &foo
| ALTERNATIVE_2 "cs call __x86_indirect_thunk_r11",
| "cs call __x86_indirect_cfi_deadbeef", X86_FEATURE_CFI
| "cs call __x86_indirect_ibt_deadbeef", X86_FEATURE_IBT

So the callsite has a direct call to the hash-specific and cfi-type
specific thunk, which then does an (indirect) tail-call.

The CFI one does the hash check in the thunk and jumps to the function
proper, the IBT one does it in the landing-pad.

The !CFI one ignores it all and simply does an indirect call (retpoline
aided or otherwise) to the function proper -- in which case we can free
all the thunks.
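As an added illustration (not kernel code, and not from anyone in this thread), the following portable C program models the two call-site behaviours discussed above: a hash-specific CFI thunk that compares the target's type hash before transferring control, and the !CFI alternative that skips the check and performs a plain indirect call. Standard C cannot place a hash in front of a function body the way the real scheme does, so the hash is kept in a small `struct cfi_target` descriptor instead; the descriptor, the hash constants and the thunk names are all constructed for this example.

```c
/* Added example modelling the CFI-thunk vs. plain-indirect-call alternatives.
 * This is a simulation in portable C, not the kernel's implementation. */
#include <stdint.h>
#include <stdio.h>

typedef int (*int_fn)(int);

/* Hypothetical descriptor standing in for "function preceded by its type hash".
 * In the real scheme the hash lives next to the function's entry point. */
struct cfi_target {
    uint32_t type_hash;   /* hash of the function's signature */
    int_fn   fn;          /* the function proper */
};

/* Constructed hash values; a compiler would derive them from the signature. */
#define HASH_INT_INT 0xdeadbeefu   /* models the hash for int (*)(int) */
#define HASH_OTHER   0x0badf00du   /* models some other signature's hash */

static int add_one(int x)   { return x + 1; }
static int times_two(int x) { return x * 2; }

/* Legitimate targets of type int (*)(int). */
const struct cfi_target target_add_one   = { HASH_INT_INT, add_one };
const struct cfi_target target_times_two = { HASH_INT_INT, times_two };
/* A target whose hash does not match: models a wrong-typed or tampered pointer. */
const struct cfi_target target_wrong_type = { HASH_OTHER, times_two };

/* Model of a hash-specific CFI thunk (the "__x86_indirect_cfi_deadbeef"
 * flavour above): the call site reaches it with a direct call, the expected
 * hash is baked into the thunk, and the thunk compares before the indirect
 * tail call. Returns 1 and stores the callee's result on success, 0 on a
 * hash mismatch (control is never transferred in that case). */
static int cfi_thunk_deadbeef(const struct cfi_target *t, int arg, int *result)
{
    if (t->type_hash != HASH_INT_INT)
        return 0;              /* mismatch: refuse the call */
    *result = t->fn(arg);      /* indirect call to the function proper */
    return 1;
}

/* Model of the !CFI alternative: no check at all, plain indirect call. */
static int plain_indirect_call(const struct cfi_target *t, int arg, int *result)
{
    *result = t->fn(arg);
    return 1;
}

/* The feature flag stands in for the ALTERNATIVE_2 selection at the call site. */
static int indirect_call(int cfi_enabled, const struct cfi_target *t,
                         int arg, int *result)
{
    return cfi_enabled ? cfi_thunk_deadbeef(t, arg, result)
                       : plain_indirect_call(t, arg, result);
}

int main(void)
{
    int r = 0;
    printf("CFI  add_one(41):    %s r=%d\n",
           indirect_call(1, &target_add_one, 41, &r) ? "ok" : "REJECTED", r);
    r = 0;
    printf("CFI  wrong_type(21): %s r=%d\n",
           indirect_call(1, &target_wrong_type, 21, &r) ? "ok" : "REJECTED", r);
    r = 0;
    printf("!CFI wrong_type(21): %s r=%d\n",
           indirect_call(0, &target_wrong_type, 21, &r) ? "ok" : "REJECTED", r);
    return 0;
}
```

The point the model makes is the one from the thread: with CFI enabled, the hash comparison happens in the thunk before any indirect transfer, so a target carrying the wrong hash is never entered; with CFI disabled the same call site goes straight through, which is exactly why the thunks become unnecessary in that configuration.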