[PATCH openEuler-5.10-LTS 077/137] x86,objtool: Create .return_sites

14 Sep 2022

From: Peter Zijlstra peterz@infradead.org
stable inclusion
from stable-v5.10.133
commit 8bdb25f7aee312450e9c9ac21ae209d9cf0602e5
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5PTAS
CVE: CVE-2022-29900,CVE-2022-23816,CVE-2022-29901
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit d9e9d2300681d68a775c28de6aa6e5290ae17796 upstream.
Find all the return-thunk sites and record them in a .return_sites
section such that the kernel can undo this.
Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org
Signed-off-by: Borislav Petkov bp@suse.de
Reviewed-by: Josh Poimboeuf jpoimboe@kernel.org
Signed-off-by: Borislav Petkov bp@suse.de
[cascardo: conflict fixup because of functions added to support IBT]
Signed-off-by: Thadeu Lima de Souza Cascardo cascardo@canonical.com
[bwh: Backported to 5.10: adjust context]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Lin Yujun linyujun809@huawei.com
[Backport] objtool: skip non-text sections when adding return-thunk sites
stable inclusion
from stable-v5.10.133
commit 446eb6f08936e6f87bea9f35be05556a7211df9b
category: bugfix
bugzilla: 187378
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
The .discard.text section is added in order to reserve BRK, with a
temporary function just so it can give it a size. This adds a relocation to
the return thunk, which objtool will add to the .return_sites section.
Linking will then fail as there are references to the .discard.text
section.
Do not add instructions from non-text sections to the list of return thunk
calls, avoiding the reference to .discard.text.
Signed-off-by: Thadeu Lima de Souza Cascardo cascardo@canonical.com
Acked-by: Josh Poimboeuf jpoimboe@kernel.org
Signed-off-by: Ben Hutchings ben@decadent.org.uk
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Lin Yujun linyujun809@huawei.com
Reviewed-by: Zhang Jianhua chris.zjh@huawei.com
---
 tools/objtool/arch.h            |  1 +
 tools/objtool/arch/x86/decode.c |  5 +++
 tools/objtool/check.c           | 77 +++++++++++++++++++++++++++++++++
 tools/objtool/elf.h             |  1 +
 tools/objtool/objtool.c         |  1 +
 tools/objtool/objtool.h         |  1 +
 6 files changed, 86 insertions(+)

diff --git a/tools/objtool/arch.h b/tools/objtool/arch.h
index e15f6e932b4f..580ce1857585 100644
--- a/tools/objtool/arch.h
+++ b/tools/objtool/arch.h
@@ -89,6 +89,7 @@ const char *arch_ret_insn(int len);
 int arch_decode_hint_reg(u8 sp_reg, int *base);
bool arch_is_retpoline(struct symbol *sym);
+bool arch_is_rethunk(struct symbol *sym);
int arch_rewrite_retpolines(struct objtool_file *file);
diff --git a/tools/objtool/arch/x86/decode.c b/tools/objtool/arch/x86/decode.c
index f7154241a2a5..d8f47704fd85 100644
--- a/tools/objtool/arch/x86/decode.c
+++ b/tools/objtool/arch/x86/decode.c
@@ -649,3 +649,8 @@ bool arch_is_retpoline(struct symbol *sym)
 {
    return !strncmp(sym->name, "__x86_indirect_", 15);
 }
+
+bool arch_is_rethunk(struct symbol *sym)
+{
+	return !strcmp(sym->name, "__x86_return_thunk");
+}
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index 0ca4a3c2d86b..4d9057e50b1b 100644
--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -652,6 +652,52 @@ static int create_retpoline_sites_sections(struct objtool_file *file)
    return 0;
 }
+static int create_return_sites_sections(struct objtool_file *file)
+{
+	struct instruction *insn;
+	struct section *sec;
+	int idx;
+
+	sec = find_section_by_name(file->elf, ".return_sites");
+	if (sec) {
+		WARN("file already has .return_sites, skipping");
+		return 0;
+	}
+
+	idx = 0;
+	list_for_each_entry(insn, &file->return_thunk_list, call_node)
+		idx++;
+
+	if (!idx)
+		return 0;
+
+	sec = elf_create_section(file->elf, ".return_sites", 0,
+				 sizeof(int), idx);
+	if (!sec) {
+		WARN("elf_create_section: .return_sites");
+		return -1;
+	}
+
+	idx = 0;
+	list_for_each_entry(insn, &file->return_thunk_list, call_node) {
+
+		int *site = (int *)sec->data->d_buf + idx;
+		*site = 0;
+
+		if (elf_add_reloc_to_insn(file->elf, sec,
+					  idx * sizeof(int),
+					  R_X86_64_PC32,
+					  insn->sec, insn->offset)) {
+			WARN("elf_add_reloc_to_insn: .return_sites");
+			return -1;
+		}
+
+		idx++;
+	}
+
+	return 0;
+}
+
 /*
  * Warnings shouldn't be reported for ignored functions.
  */
@@ -887,6 +933,11 @@ __weak bool arch_is_retpoline(struct symbol *sym)
    return false;
 }
+__weak bool arch_is_rethunk(struct symbol *sym)
+{
+	return false;
+}
+
 #define NEGATIVE_RELOC	((void *)-1L)
static struct reloc *insn_reloc(struct objtool_file *file, struct instruction *insn)
@@ -1028,6 +1079,21 @@ static void add_retpoline_call(struct objtool_file *file, struct instruction *in
annotate_call_site(file, insn, false);
 }
+
+static void add_return_call(struct objtool_file *file, struct instruction *insn)
+{
+	/*
+	 * Return thunk tail calls are really just returns in disguise,
+	 * so convert them accordingly.
+	 */
+	insn->type = INSN_RETURN;
+	insn->retpoline_safe = true;
+
+	/* Skip the non-text sections, specially .discard ones */
+	if (insn->sec->text)
+		list_add_tail(&insn->call_node, &file->return_thunk_list);
+}
+
 /*
  * Find the destination instructions for all jumps.
  */
@@ -1052,6 +1118,9 @@ static int add_jump_destinations(struct objtool_file *file)
    	} else if (reloc->sym->retpoline_thunk) {
    		add_retpoline_call(file, insn);
    		continue;
+		} else if (reloc->sym->return_thunk) {
+			add_return_call(file, insn);
+			continue;
    	} else if (insn->func) {
    		/* internal or external sibling call (with reloc) */
    		add_call_dest(file, insn, reloc->sym, true);
@@ -1841,6 +1910,9 @@ static int classify_symbols(struct objtool_file *file)
    		if (arch_is_retpoline(func))
    			func->retpoline_thunk = true;
+			if (arch_is_rethunk(func))
+				func->return_thunk = true;
+
    		if (!strcmp(func->name, "__fentry__"))
    			func->fentry = true;
@@ -3234,6 +3306,11 @@ int check(struct objtool_file *file)
    	if (ret < 0)
    		goto out;
    	warnings += ret;
+
+		ret = create_return_sites_sections(file);
+		if (ret < 0)
+			goto out;
+		warnings += ret;
    }
if (stats) {
diff --git a/tools/objtool/elf.h b/tools/objtool/elf.h
index de00cac9aede..c68f11b71562 100644
--- a/tools/objtool/elf.h
+++ b/tools/objtool/elf.h
@@ -58,6 +58,7 @@ struct symbol {
    u8 uaccess_safe      : 1;
    u8 static_call_tramp : 1;
    u8 retpoline_thunk   : 1;
+	u8 return_thunk      : 1;
    u8 fentry            : 1;
    u8 kcov              : 1;
 };
diff --git a/tools/objtool/objtool.c b/tools/objtool/objtool.c
index c0b1f5a99df9..cb2c6acd9667 100644
--- a/tools/objtool/objtool.c
+++ b/tools/objtool/objtool.c
@@ -62,6 +62,7 @@ struct objtool_file *objtool_open_read(const char *_objname)
    INIT_LIST_HEAD(&file.insn_list);
    hash_init(file.insn_hash);
    INIT_LIST_HEAD(&file.retpoline_call_list);
+	INIT_LIST_HEAD(&file.return_thunk_list);
    INIT_LIST_HEAD(&file.static_call_list);
    file.c_file = !vmlinux && find_section_by_name(file.elf, ".comment");
    file.ignore_unreachables = no_unreachable;
diff --git a/tools/objtool/objtool.h b/tools/objtool/objtool.h
index 0b57150ea0fe..bf64946e749b 100644
--- a/tools/objtool/objtool.h
+++ b/tools/objtool/objtool.h
@@ -19,6 +19,7 @@ struct objtool_file {
    struct list_head insn_list;
    DECLARE_HASHTABLE(insn_hash, 20);
    struct list_head retpoline_call_list;
+	struct list_head return_thunk_list;
    struct list_head static_call_list;
    bool ignore_unreachables, c_file, hints, rodata;
 };
-- 
2.20.1

    

2024

2023

2022

2021

2020

2019

[PATCH openEuler-5.10-LTS 077/137] x86,objtool: Create .return_sites