[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] x86/cet: Use dedicated NOP4 for cf_clobber


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Tue, 8 Mar 2022 16:03:57 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Bz9yh7zgs1IE033WKO97YRQC8oeZNSDFRXWb+0ig/NM=; b=AkdRV4Hn0fK0NL+cPGYhjmo5urXghRzYBseUo0gWLy0C8hZQAx0rXlqfc1v5P/0hSlMkuPJ9qABWYKZS9665eOPGqyNiliuRwePjLpffChWSrcnYVrQflCFx37vVFmDBPmI+ZLemkg0Tb2RcPQvDBhNKkMQCK6qvb2xZ24HQAFVKzxqn5tT+oLw0ShAt+ISDrO4TEF1prdooBa/hCfFh7W43WiCIsbNgLo+VOb5IF2qbDOgs71q13rdKjJ3faJ5TQK4XQ8ocUmG2NqVyEUBcU4UvOlqx0Iv8UEBVhufGsotFcazcb49CVIPTHQH1eeFGuxgaKfNHRYsroM0KejurgQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BBx2G0jxhSZY28HiQRKCmjmZtEoW/gVWPg1P0BqRE3Pfuh6DcEBIZ6VtG0efVWypdeyk4bPfM61rKg6IGxsxC/7ZdRvnTbXkzc7+iH1SW+Eb9Ad5hLvRONvOo/fC64iDWxAQu0rEKhToXZrlThRwb1ejvhApfonhgiz4ltTSPPYM85O1txqh+EPuUdwJpQiFIgfzFGWAoBxdJOA098aPkGHkkzOmRqELMpWvuyrUS1A48VJx3Qc2L/7yW2VKZw48utLgF19kxMnA5Z70O3ank31o/6agt2XRS7g1vpz0l60SVSt8Z36kw5VPqOkzhn9tNFU/LwpUJiH+8qiwF0tFZw==
  • Authentication-results: esa6.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, "Bjoern Doebel" <doebel@xxxxxxxxx>, Michael Kurth <mku@xxxxxxxxx>, Martin Pohlack <mpohlack@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 08 Mar 2022 16:04:25 +0000
  • Ironport-data: A9a23:kinaWqgjMAqF/0YNlQBNfPXzX161qxAKZh0ujC45NGQN5FlHY01je htvXDiEOvuMNjekKNogadu09EJU6MLWzoJgTAJkrSs2Fiwb9cadCdqndUqhZCn6wu8v7a5EA 2fyTvGacajYm1eF/k/F3oDJ9CU6jefSLlbFILas1hpZHGeIcw98z0M78wIFqtQw24LhWFvd4 YmaT/D3YzdJ5RYlagr41IrbwP9flKyaVOQw5wFWiVhj5TcyplFNZH4tDfjZw0jQG+G4KtWSV efbpIxVy0uCl/sb5nFJpZ6gGqECaua60QFjERO6UYD66vRJjnRaPqrWqJPwwKqY4tmEt4kZ9 TlDiXC/YTcSLJHu29sRaghZKRlGPfF826frfWfq5KR/z2WeG5ft6/BnDUVwNowE4OdnR2pJ8 JT0KhhUMErF3bjvhuvmFK883azPL+GyVG8bklhmwSvUErANRpfbTr+RzdRZwC0xloZFGvO2i 88xN2cxMU6bPUUn1lE/VJt5vr+CtFrGUiBA7wytlfssvk+Kw1kkuFTqGIWMIYHbLSlPpW6dp X/u9mHwEBYcctCSoRKA6nWsgubEngvyXYsAE7v++vMCqE2ewCkfBQMbUXO/oOKlkQiuVtRHM UsW9yEy668o+ySDTNPwQhm5q36spQMHVpxbFOhSwB6J4rrZ5UCeHGdsZjJGZdYrsOc/QDU40 VnPk96BONB0mOTLEzTHrO7S9G7sf3hORYMfWcMaZTs+8eXB474/twPOdO5bEPKPrcXZRS6ll lhmsxMCr7kUiMcK0YCy8lbGny+gq/D1c+Il2unEdjn7t10kPeZJc6TtsAGGtqgYcO51W3Hc5 CBspiSI0AwZ4XhhfgSpSf5FIrym7u3t3Nb00Q82RMlJG9hAFheekWFsDNNWeR8B3iUsI2aBj KrvVeV5vsc70JyCN/MfXm5JI552pZUM7Py8PhwuUvJAY4JqaCiM9zx0aEib0gjFyRZwz/9ga crAKJbxVh727JiLKhLsHI/xNpdxmkgDKZ77H8inn3xLL5LEDJJqdVv1GATXNb1ohE91iA7U7 8xeJ6O3J+Z3C4XDjt3s2ddLdzgidCFjbbiv8pA/XrPTc2JORTB6Y9eMkOxJRmCQt/kM/gs+1 irmAREwJZuWrSCvFDhmnVg/MOO/B8gu9ylnVcHuVH7xs0UejU+UxP53X7M8fKU99fwlyvhxT vIffN6HDOgJQTPCkwnxp7Gh8eSOqDzDadqyAheY
  • Ironport-hdrordr: A9a23:+hCh265K7eYKnG9N5gPXwWiBI+orL9Y04lQ7vn2ZFiY6TiXIra +TdaoguSMc0AxhJE3Jmbi7Sc29qeu1z+863WBjB8bcYOCAghroEGgC1/qs/9SEIUzDH4FmpN 9dmsRFeb/N5B1B/LvHCWqDYpYdKbu8gduVbI7lph8HJ2wLGsJdBkVCe3ym+yVNNVN77PECZf 2hD7981kOdkAMsH6KG7xc+Lo3+juyOsKijTQ8NBhYh5gXLpyiv8qTGHx+R2Qpbey9TwJ85mF K10DDR1+GGibWW2xXc32jc49B9g9360OZOA8SKl4w8NijssAC1f45sMofy/gzd4dvfrWrCou O85CvIDP4DrU85uVvF+CcF7jOQlArGLUWSkWNwz0GT+vARDwhKdfapzbgpAycxrXBQ4e2UmZ g7rF5w/fBsfGP9tTW46N7SWx5wkE2o5XIkjO4IlnRaFZATcblLsOUkjQlo+bo7bWrHAbocYa JT5QDnlYFrWELfa2qcsnhkwdSqUHh2FhCaQlIassjQ1zRNhnh2w0YR2cRaxx47hd4AYogB4/ 6BPrVjlblIQMNTZaVhBP0ZSc/yDmDWWxrDPG+bPFyiHqAaPHDGrYLx/dwOlayXUY1NyIF3lI XKUVteu2J3c0XyCdeW1JkO6RzJSHXVZ0Wl9iif3ekOhlTRfsufDcTYciFdryKJmYRqPvHm
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHYMvUk0XiHSYNleUqdwHU2YHv5TKy1jjMAgAALzQCAAASOAIAAB8IA
  • Thread-topic: [PATCH] x86/cet: Use dedicated NOP4 for cf_clobber

On 08/03/2022 15:36, Jan Beulich wrote:
> On 08.03.2022 16:19, Andrew Cooper wrote:
>> On 08/03/2022 14:37, Jan Beulich wrote:
>>> On 08.03.2022 15:01, Andrew Cooper wrote:
>>>> For livepatching, we need to look at a potentially clobbered function and
>>>> determine whether it used to have an ENDBR64 instruction.
>>>>
>>>> Use a non-default 4-byte P6 long nop, not emitted by toolchains, and 
>>>> introduce
>>>> the was_endbr64() predicate.
>>> Did you consider using ENDBR32 for this purpose?
>> No, and no because that's very short sighted.  Even 4 non-nops would be
>> better than ENDBR32, because they wouldn't create actually-usable
>> codepaths in corner cases we care to exclude.
> Well - I thought of ENDBR32 because elsewhere you said we don't
> need to be worried about any byte sequence resembling that insn,
> since for it to become "usable" an attacker would first need to
> have managed to manufacture a 32-bit ring0 code segment. Now you
> say effectively the opposite.

We've got ~0 risk of having any embedded ENDBR32's because we never
refer to the opcode, and therefore adding 2x 0.7s delay to scan the
binary on build is a waste.  If the check were free, it would be a
different matter.

At any point, if we were to introduce references to ENDBR32, we'd want
to start scanning for embedded sequences.

But at no point do we want to intentionally remove our defence in depth
created by both having no CS32 code segment, and no ENDBR32 instructions.

>
>>> I'm worried that
>>> the pattern you picked is still too close to what might be used
>>> (down the road) by a tool chain.
>> This is what Linux are doing too, but no - I'm not worried.  The
>> encoding isn't the only protection; toolchains also have no reason to
>> put a nop4 at the head of functions; nop5 is the common one to find.
> Well, okay - let's hope for the best then.
>
>>>> Bjoern: For the livepatching code, I think you want:
>>>>
>>>>   if ( is_endbr64(...) || was_endbr64(...) )
>>>>       needed += ENDBR64_LEN;
>>> Looks like I didn't fully understand the problem then from your
>>> initial description. The adjustment here (and the one needed in
>>> Björn's patch) is to compensate for the advancing of the
>>> targets of altcalls past the ENDBR?
>> No.  Consider this scenario:
>>
>> callee:
>>     endbr64
>>     ...
>>
>> altcall:
>>     call *foo(%rip)
>>
>> During boot, we rewrite altcall to be `call callee+4` and turn endbr64
>> into nops, so it now looks like:
>>
>> callee:
>>     nop4
>>     ...
>>
>> altcall:
>>     call callee+4
>>
>> Then we want to livepatch callee to callee_new, so we get
>>
>> callee_new:
>>     endbr64
>>     ...
>>
>> in the livepatch itself.
>>
>> Now, to actually patch, we need to memcpy(callee+4, "jmp callee_new", 5).
>>
>> The livepatch logic calling is_endbr(callee) doesn't work because it's
>> now a nop4, which is why it needs a was_endbr64(callee) too.
> Sounds like exactly what I was thinking of. Perhaps my description
> wasn't sufficiently clear / unambiguous then.

Ah yes - I think I did misinterpret what you wrote.  I hope everything
is clear now.

>
>>>> --- a/xen/arch/x86/include/asm/endbr.h
>>>> +++ b/xen/arch/x86/include/asm/endbr.h
>>>> @@ -52,4 +52,16 @@ static inline void place_endbr64(void *ptr)
>>>>      *(uint32_t *)ptr = gen_endbr64();
>>>>  }
>>>>  
>>>> +/*
>>>> + * After clobbering ENDBR64, we may need to confirm that the site used to
>>>> + * contain an ENDBR64 instruction.  Use an encoding which isn't the 
>>>> default
>>>> + * P6_NOP4.
>>>> + */
>>>> +#define ENDBR64_POISON "\x66\x0f\x1f\x00" /* osp nopl (%rax) */
>>> In case this remains as is - did you mean "opsz" instead of "osp"?
>>> But this really is "nopw (%rax)" anyway.
>> Oh, osp is the nasm name.  I'll switch to nopw.
> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>

Thanks.

~Andrew

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.