linux/tools/objtool/arch/x86/special.c

// SPDX-License-Identifier: GPL-2.0-or-later
#include <string.h>

#include <objtool/special.h>
#include <objtool/builtin.h>

#define X86_FEATURE_POPCNT (4 * 32 + 23)
#define X86_FEATURE_SMAP   (9 * 32 + 20)

void arch_handle_alternative(unsigned short feature, struct special_alt *alt)
{
	switch (feature) {
	case X86_FEATURE_SMAP:
		/*
		 * If UACCESS validation is enabled; force that alternative;
		 * otherwise force it the other way.
		 *
		 * What we want to avoid is having both the original and the
		 * alternative code flow at the same time, in that case we can
		 * find paths that see the STAC but take the NOP instead of
		 * CLAC and the other way around.
		 */
		if (uaccess)
			alt->skip_orig = true;
		else
			alt->skip_alt = true;
		break;
	case X86_FEATURE_POPCNT:
		/*
		 * It has been requested that we don't validate the !POPCNT
		 * feature path which is a "very very small percentage of
		 * machines".
		 */
		alt->skip_orig = true;
		break;
	default:
		break;
	}
}

bool arch_support_alt_relocation(struct special_alt *special_alt,
				 struct instruction *insn,
				 struct reloc *reloc)
{
	/*
	 * The x86 alternatives code adjusts the offsets only when it
	 * encounters a branch instruction at the very beginning of the
	 * replacement group.
	 */
	return insn->offset == special_alt->new_off &&
	       (insn->type == INSN_CALL || is_jump(insn));
}

/*
 * There are 3 basic jump table patterns:
 *
 * 1. jmpq *[rodata addr](,%reg,8)
 *
 *    This is the most common case by far.  It jumps to an address in a simple
 *    jump table which is stored in .rodata.
 *
 * 2. jmpq *[rodata addr](%rip)
 *
 *    This is caused by a rare GCC quirk, currently only seen in three driver
 *    functions in the kernel, only with certain obscure non-distro configs.
 *
 *    As part of an optimization, GCC makes a copy of an existing switch jump
 *    table, modifies it, and then hard-codes the jump (albeit with an indirect
 *    jump) to use a single entry in the table.  The rest of the jump table and
 *    some of its jump targets remain as dead code.
 *
 *    In such a case we can just crudely ignore all unreachable instruction
 *    warnings for the entire object file.  Ideally we would just ignore them
 *    for the function, but that would require redesigning the code quite a
 *    bit.  And honestly that's just not worth doing: unreachable instruction
 *    warnings are of questionable value anyway, and this is such a rare issue.
 *
 * 3. mov [rodata addr],%reg1
 *    ... some instructions ...
 *    jmpq *(%reg1,%reg2,8)
 *
 *    This is a fairly uncommon pattern which is new for GCC 6.  As of this
 *    writing, there are 11 occurrences of it in the allmodconfig kernel.
 *
 *    As of GCC 7 there are quite a few more of these and the 'in between' code
 *    is significant. Esp. with KASAN enabled some of the code between the mov
 *    and jmpq uses .rodata itself, which can confuse things.
 *
 *    TODO: Once we have DWARF CFI and smarter instruction decoding logic,
 *    ensure the same register is used in the mov and jump instructions.
 *
 *    NOTE: RETPOLINE made it harder still to decode dynamic jumps.
 */
struct reloc *arch_find_switch_table(struct objtool_file *file,
				    struct instruction *insn)
{
	struct reloc  *text_reloc, *rodata_reloc;
	struct section *table_sec;
	unsigned long table_offset;

	/* look for a relocation which references .rodata */
	text_reloc = find_reloc_by_dest_range(file->elf, insn->sec,
					      insn->offset, insn->len);
	if (!text_reloc || text_reloc->sym->type != STT_SECTION ||
	    !text_reloc->sym->sec->rodata)
		return NULL;

	table_offset = text_reloc->addend;
	table_sec = text_reloc->sym->sec;

	if (text_reloc->type == R_X86_64_PC32)
		table_offset += 4;

	/*
	 * Make sure the .rodata address isn't associated with a
	 * symbol.  GCC jump tables are anonymous data.
	 *
	 * Also support C jump tables which are in the same format as
	 * switch jump tables.  For objtool to recognize them, they
	 * need to be placed in the C_JUMP_TABLE_SECTION section.  They
	 * have symbols associated with them.
	 */
	if (find_symbol_containing(table_sec, table_offset) &&
	    strcmp(table_sec->name, C_JUMP_TABLE_SECTION))
		return NULL;

	/*
	 * Each table entry has a rela associated with it.  The rela
	 * should reference text in the same function as the original
	 * instruction.
	 */
	rodata_reloc = find_reloc_by_dest(file->elf, table_sec, table_offset);
	if (!rodata_reloc)
		return NULL;

	/*
	 * Use of RIP-relative switch jumps is quite rare, and
	 * indicates a rare GCC quirk/bug which can leave dead
	 * code behind.
	 */
	if (text_reloc->type == R_X86_64_PC32)
		file->ignore_unreachables = true;

	return rodata_reloc;
}
objtool: Abstract alternative special case handling Some alternatives associated with a specific feature need to be treated in a special way. Since the features and how to treat them vary from one architecture to another, move the special case handling to arch specific code. Reviewed-by: Miroslav Benes <mbenes@suse.cz> Signed-off-by: Julien Thierry <jthierry@redhat.com> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> 2020-09-04 16:30:22 +01:00			`// SPDX-License-Identifier: GPL-2.0-or-later`
objtool: Refactor jump table code to support other architectures The way to identify jump tables and retrieve all the data necessary to handle the different execution branches is not the same on all architectures. In order to be able to add other architecture support, define an arch-dependent function to process jump-tables. Reviewed-by: Miroslav Benes <mbenes@suse.cz> Signed-off-by: Raphael Gault <raphael.gault@arm.com> [J.T.: Move arm64 bits out of this patch, Have only one function to find the start of the jump table, for now assume that the jump table format will be the same as x86] Signed-off-by: Julien Thierry <jthierry@redhat.com> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> 2020-09-04 16:30:24 +01:00			`#include <string.h>`

objtool: Rework header include paths Currently objtool headers are being included either by their base name or included via ../ from a parent directory. In case of a base name usage: #include "warn.h" #include "arch_elf.h" it does not make it apparent from which directory the file comes from. To make it slightly better, and actually to avoid name clashes some arch specific files have "arch_" suffix. And files from an arch folder have to revert to including via ../ e.g: #include "../../elf.h" With additional architectures support and the code base growth there is a need for clearer headers naming scheme for multiple reasons: 1. to make it instantly obvious where these files come from (objtool itself / objtool arch\|generic folders / some other external files), 2. to avoid name clashes of objtool arch specific headers, potential obtool arch generic headers and the system header files (there is /usr/include/elf.h already), 3. to avoid ../ includes and improve code readability. 4. to give a warm fuzzy feeling to developers who are mostly kernel developers and are accustomed to linux kernel headers arranging scheme. Doesn't this make it instantly obvious where are these files come from? #include <objtool/warn.h> #include <arch/elf.h> And doesn't it look nicer to avoid ugly ../ includes? Which also guarantees this is elf.h from the objtool and not /usr/include/elf.h. #include <objtool/elf.h> This patch defines and implements new objtool headers arranging scheme. Which is: - all generic headers go to include/objtool (similar to include/linux) - all arch headers go to arch/$(SRCARCH)/include/arch (to get arch prefix). This is similar to linux arch specific "asm/*" headers but we are not abusing "asm" name and calling it what it is. This also helps to prevent name clashes (arch is not used in system headers or kernel exports). To bring objtool to this state the following things are done: 1. current top level tools/objtool/ headers are moved into include/objtool/ subdirectory, 2. arch specific headers, currently only arch/x86/include/ are moved into arch/x86/include/arch/ and were stripped of "arch_" suffix, 3. new -I$(srctree)/tools/objtool/include include path to make includes like <objtool/warn.h> possible, 4. rewriting file includes, 5. make git not to ignore include/objtool/ subdirectory. Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> Acked-by: Masami Hiramatsu <mhiramat@kernel.org> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> 2020-11-13 00:03:32 +01:00			`#include <objtool/special.h>`
			`#include <objtool/builtin.h>`
objtool: Abstract alternative special case handling Some alternatives associated with a specific feature need to be treated in a special way. Since the features and how to treat them vary from one architecture to another, move the special case handling to arch specific code. Reviewed-by: Miroslav Benes <mbenes@suse.cz> Signed-off-by: Julien Thierry <jthierry@redhat.com> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> 2020-09-04 16:30:22 +01:00
			`#define X86_FEATURE_POPCNT (4 * 32 + 23)`
			`#define X86_FEATURE_SMAP (9 * 32 + 20)`

			`void arch_handle_alternative(unsigned short feature, struct special_alt *alt)`
			`{`
			`switch (feature) {`
			`case X86_FEATURE_SMAP:`
			`/*`
			`* If UACCESS validation is enabled; force that alternative;`
			`* otherwise force it the other way.`
			`*`
			`* What we want to avoid is having both the original and the`
			`* alternative code flow at the same time, in that case we can`
			`* find paths that see the STAC but take the NOP instead of`
			`* CLAC and the other way around.`
			`*/`
			`if (uaccess)`
			`alt->skip_orig = true;`
			`else`
			`alt->skip_alt = true;`
			`break;`
			`case X86_FEATURE_POPCNT:`
			`/*`
			`* It has been requested that we don't validate the !POPCNT`
			`* feature path which is a "very very small percentage of`
			`* machines".`
			`*/`
			`alt->skip_orig = true;`
			`break;`
			`default:`
			`break;`
			`}`
			`}`
objtool: Make relocation in alternative handling arch dependent As pointed out by the comment in handle_group_alt(), support of relocation for instructions in an alternative group depends on whether arch specific kernel code handles it. So, let objtool arch specific code decide whether a relocation for the alternative section should be accepted. Reviewed-by: Miroslav Benes <mbenes@suse.cz> Signed-off-by: Julien Thierry <jthierry@redhat.com> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> 2020-09-04 16:30:23 +01:00
			`bool arch_support_alt_relocation(struct special_alt *special_alt,`
			`struct instruction *insn,`
			`struct reloc *reloc)`
			`{`
			`/*`
			`* The x86 alternatives code adjusts the offsets only when it`
			`* encounters a branch instruction at the very beginning of the`
			`* replacement group.`
			`*/`
			`return insn->offset == special_alt->new_off &&`
objtool: Fix retpoline detection in asm code The JMP_NOSPEC macro branches to __x86_retpoline_() rather than the __x86_indirect_thunk_() wrappers used by C code. Detect jumps to __x86_retpoline_*() as retpoline dynamic jumps. Presumably this doesn't trigger a user-visible bug. I only found it when testing vmlinux.o validation. Fixes: 39b735332cb8 ("objtool: Detect jumps to retpoline thunks") Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> Link: https://lore.kernel.org/r/31f5833e2e4f01e3d755889ac77e3661e906c09f.1611263461.git.jpoimboe@redhat.com 2021-01-21 15:29:18 -06:00			`(insn->type == INSN_CALL \|\| is_jump(insn));`
objtool: Make relocation in alternative handling arch dependent As pointed out by the comment in handle_group_alt(), support of relocation for instructions in an alternative group depends on whether arch specific kernel code handles it. So, let objtool arch specific code decide whether a relocation for the alternative section should be accepted. Reviewed-by: Miroslav Benes <mbenes@suse.cz> Signed-off-by: Julien Thierry <jthierry@redhat.com> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> 2020-09-04 16:30:23 +01:00			`}`
objtool: Refactor jump table code to support other architectures The way to identify jump tables and retrieve all the data necessary to handle the different execution branches is not the same on all architectures. In order to be able to add other architecture support, define an arch-dependent function to process jump-tables. Reviewed-by: Miroslav Benes <mbenes@suse.cz> Signed-off-by: Raphael Gault <raphael.gault@arm.com> [J.T.: Move arm64 bits out of this patch, Have only one function to find the start of the jump table, for now assume that the jump table format will be the same as x86] Signed-off-by: Julien Thierry <jthierry@redhat.com> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> 2020-09-04 16:30:24 +01:00
			`/*`
			`* There are 3 basic jump table patterns:`
			`*`
			`* 1. jmpq *[rodata addr](,%reg,8)`
			`*`
			`* This is the most common case by far. It jumps to an address in a simple`
			`* jump table which is stored in .rodata.`
			`*`
			`* 2. jmpq *[rodata addr](%rip)`
			`*`
			`* This is caused by a rare GCC quirk, currently only seen in three driver`
			`* functions in the kernel, only with certain obscure non-distro configs.`
			`*`
			`* As part of an optimization, GCC makes a copy of an existing switch jump`
			`* table, modifies it, and then hard-codes the jump (albeit with an indirect`
			`* jump) to use a single entry in the table. The rest of the jump table and`
			`* some of its jump targets remain as dead code.`
			`*`
			`* In such a case we can just crudely ignore all unreachable instruction`
			`* warnings for the entire object file. Ideally we would just ignore them`
			`* for the function, but that would require redesigning the code quite a`
			`* bit. And honestly that's just not worth doing: unreachable instruction`
			`* warnings are of questionable value anyway, and this is such a rare issue.`
			`*`
			`* 3. mov [rodata addr],%reg1`
			`* ... some instructions ...`
			`* jmpq *(%reg1,%reg2,8)`
			`*`
			`* This is a fairly uncommon pattern which is new for GCC 6. As of this`
			`* writing, there are 11 occurrences of it in the allmodconfig kernel.`
			`*`
			`* As of GCC 7 there are quite a few more of these and the 'in between' code`
			`* is significant. Esp. with KASAN enabled some of the code between the mov`
			`* and jmpq uses .rodata itself, which can confuse things.`
			`*`
			`* TODO: Once we have DWARF CFI and smarter instruction decoding logic,`
			`* ensure the same register is used in the mov and jump instructions.`
			`*`
			`* NOTE: RETPOLINE made it harder still to decode dynamic jumps.`
			`*/`
			`struct reloc arch_find_switch_table(struct objtool_file file,`
			`struct instruction *insn)`
			`{`
			`struct reloc text_reloc, rodata_reloc;`
			`struct section *table_sec;`
			`unsigned long table_offset;`

			`/* look for a relocation which references .rodata */`
			`text_reloc = find_reloc_by_dest_range(file->elf, insn->sec,`
			`insn->offset, insn->len);`
			`if (!text_reloc \|\| text_reloc->sym->type != STT_SECTION \|\|`
			`!text_reloc->sym->sec->rodata)`
			`return NULL;`

			`table_offset = text_reloc->addend;`
			`table_sec = text_reloc->sym->sec;`

			`if (text_reloc->type == R_X86_64_PC32)`
			`table_offset += 4;`

			`/*`
			`* Make sure the .rodata address isn't associated with a`
			`* symbol. GCC jump tables are anonymous data.`
			`*`
			`* Also support C jump tables which are in the same format as`
			`* switch jump tables. For objtool to recognize them, they`
			`* need to be placed in the C_JUMP_TABLE_SECTION section. They`
			`* have symbols associated with them.`
			`*/`
			`if (find_symbol_containing(table_sec, table_offset) &&`
			`strcmp(table_sec->name, C_JUMP_TABLE_SECTION))`
			`return NULL;`

			`/*`
			`* Each table entry has a rela associated with it. The rela`
			`* should reference text in the same function as the original`
			`* instruction.`
			`*/`
			`rodata_reloc = find_reloc_by_dest(file->elf, table_sec, table_offset);`
			`if (!rodata_reloc)`
			`return NULL;`

			`/*`
			`* Use of RIP-relative switch jumps is quite rare, and`
			`* indicates a rare GCC quirk/bug which can leave dead`
			`* code behind.`
			`*/`
			`if (text_reloc->type == R_X86_64_PC32)`
			`file->ignore_unreachables = true;`

			`return rodata_reloc;`
			`}`