----- On Apr 9, 2019, at 9:57 PM, Andy Lutomirski l...@kernel.org wrote: > On Tue, Apr 9, 2019 at 5:51 PM Zack Weinberg <za...@panix.com> wrote: >> >> On Tue, Apr 9, 2019 at 4:43 PM Mathieu Desnoyers >> <mathieu.desnoy...@efficios.com> wrote: >> > ----- On Apr 9, 2019, at 3:32 PM, Mathieu Desnoyers >> > mathieu.desnoy...@efficios.com wrote: >> > > >> > > We are about to include the code signature required prior to restartable >> > > sequences abort handlers into glibc, which will make this ABI choice >> > > final. >> > > We need architecture maintainer input on that signature value. >> > > >> > > That code signature is placed before each abort handler, so the kernel >> > > can >> > > validate that it is indeed jumping to an abort handler (and not some >> > > arbitrary attacker-chosen code). The signature is never executed. >> > > >> > > Currently, tools/testing/selftests/rseq/rseq-x86.h defines RSEQ_SIG >> > > as 0x53053053, and uses it as an immediate operand to the following >> > > instruction opcodes (as suggested by Andy Lutomirski): >> > > >> > > x86-32: >> > > - .byte 0x0f, 0x1f, 0x05: nopl <sig> >> > > >> > > x86-64: >> > > - .byte 0x0f, 0x1f, 0x05: nopl <sig>(%rip) >> > > >> > > The current discussion thread on the glibc mailing list leads us towards >> > > using a trap with uncommon immediate operand, which simplifies >> > > integration >> > > with disassemblers, emulators, makes it easier to debug if the control >> > > flow gets redirected there by mistake, and is nicer for some >> > > architecture's >> > > speculative execution. >> ... >> > Peter Zijlstra suggested to use "invlpg" in user-space, which should >> > generate >> > a trap. The only concern would be emulators, but ideally they would not >> > try to >> > decode an instruction that is never executed. This would lead to the >> > following >> > patch. Any objections/ack ? >> ... >> > +/* >> > + * RSEQ_SIG is used with the following privileged instructions, which >> > trap in >> > user-space: >> > + * x86-32: 0f 01 3d 53 30 05 53 invlpg 0x53053053 >> > + * x86-64: 0f 01 3d 53 30 05 53 invlpg 0x53053053(%rip) >> > + */ >> > #define RSEQ_SIG 0x53053053 >> >> On x86, you have to worry about what happens if control flow gets >> redirected to an arbitrary byte address. The proposed sequence `0f 01 >> 3d 53 30 05 53` is a trap instruction if control lands seven bytes >> before the beginning of the abort handler, but if it lands anywhere >> _else_ within the marker sequence, you get one of these instruction >> sequences, none of which trap, all but one of which will corrupt the >> process state, and three of which will consume three bytes from the >> beginning of the abort handler's code, continuing execution with a >> misaligned PC: >> >> 01 3d 53 30 05 53 add %edi,0x53053053(%rip) >> 3d 53 30 05 53 cmp $0x53053053,%eax >> 53 30 05 53 XX XX XX push %rbx; xor %al,0xXXXXXX78(%rip) >> 30 05 53 XX XX XX xor %al,0xXXXXXX78(%rip) >> 05 53 XX XX XX add $0xXXXXXX53,%eax >> 53 push %rbx >> >> So I'm going to suggest instead the four-byte sequence CD CF CD CF. >> That's INT $0xCF if control lands either two or four bytes before the >> beginning of the abort handler, and IRET if it lands one or three >> bytes before. I believe both of these possibilities are currently >> also forbidden in user mode. It doesn't need to be longer, does it? >> > > IRET works in user mode just fine. Why are you concerned about > landing in the middle of the signature? A misaligned jump into code > is screwy pretty much no matter what. It does seem genuinely useful > to trap if you accidentally fall through to the beginning of the > signature, but I don't see the point of worrying about jumping to the > middle. > > There's some argument that, for consistency with CET, the last couple > bytes of the signature should match ENDBR. > > Mathieu, how many bytes do we have for the signature?
The signature is 4 bytes. Those 4 bytes need to be uncommon. You can have a longer instruction than that, but then the additional bytes at the beginning of the instruction will not be part of the signature per se. Thanks, Mathieu -- Mathieu Desnoyers EfficiOS Inc. http://www.efficios.com