tools/objtool/disas.c | 3 +++ 1 file changed, 3 insertions(+)
The following commit has been merged into the objtool/core branch of tip:
Commit-ID: 6ec33db1aaf06a76fb063610e668f8e12f32ebbf
Gitweb: https://git.kernel.org/tip/6ec33db1aaf06a76fb063610e668f8e12f32ebbf
Author: Ingo Molnar <mingo@kernel.org>
AuthorDate: Mon, 01 Dec 2025 10:42:27 +01:00
Committer: Ingo Molnar <mingo@kernel.org>
CommitterDate: Mon, 01 Dec 2025 10:42:27 +01:00
objtool: Fix segfault on unknown alternatives
So 'objtool --link -d vmlinux.o' gets surprised by this endbr64+endbr64 pattern
in ___bpf_prog_run():
___bpf_prog_run:
1e7680: ___bpf_prog_run+0x0 push %r12
1e7682: ___bpf_prog_run+0x2 mov %rdi,%r12
1e7685: ___bpf_prog_run+0x5 push %rbp
1e7686: ___bpf_prog_run+0x6 xor %ebp,%ebp
1e7688: ___bpf_prog_run+0x8 push %rbx
1e7689: ___bpf_prog_run+0x9 mov %rsi,%rbx
1e768c: ___bpf_prog_run+0xc movzbl (%rbx),%esi
1e768f: ___bpf_prog_run+0xf movzbl %sil,%edx
1e7693: ___bpf_prog_run+0x13 mov %esi,%eax
1e7695: ___bpf_prog_run+0x15 mov 0x0(,%rdx,8),%rdx
1e769d: ___bpf_prog_run+0x1d jmp 0x1e76a2 <__x86_indirect_thunk_rdx>
1e76a2: ___bpf_prog_run+0x22 endbr64
1e76a6: ___bpf_prog_run+0x26 endbr64
1e76aa: ___bpf_prog_run+0x2a mov 0x4(%rbx),%edx
And crashes due to blindly dereferencing alt->insn->alt_group.
Bail out on NULL ->alt_group, which produces this warning and continues
with the disassembly, instead of a segfault:
.git/O/vmlinux.o: warning: objtool: <alternative.1e769d>: failed to disassemble alternative
Cc: Alexandre Chartre <alexandre.chartre@oracle.com>
Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
tools/objtool/disas.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/objtool/disas.c b/tools/objtool/disas.c
index 441b930..2b5059f 100644
--- a/tools/objtool/disas.c
+++ b/tools/objtool/disas.c
@@ -684,6 +684,9 @@ char *disas_alt_name(struct alternative *alt)
* '?' unknown flag
*/
+ if (!alt->insn->alt_group)
+ return NULL;
+
feature = alt->insn->alt_group->feature;
num = alt_feature(feature);
flags = alt_flags(feature);On Mon, Dec 01, 2025 at 09:52:51AM +0000, tip-bot2 for Ingo Molnar wrote: > The following commit has been merged into the objtool/core branch of tip: > > Commit-ID: 6ec33db1aaf06a76fb063610e668f8e12f32ebbf > Gitweb: https://git.kernel.org/tip/6ec33db1aaf06a76fb063610e668f8e12f32ebbf > Author: Ingo Molnar <mingo@kernel.org> > AuthorDate: Mon, 01 Dec 2025 10:42:27 +01:00 > Committer: Ingo Molnar <mingo@kernel.org> > CommitterDate: Mon, 01 Dec 2025 10:42:27 +01:00 > > objtool: Fix segfault on unknown alternatives > > So 'objtool --link -d vmlinux.o' gets surprised by this endbr64+endbr64 pattern > in ___bpf_prog_run(): > > ___bpf_prog_run: > 1e7680: ___bpf_prog_run+0x0 push %r12 > 1e7682: ___bpf_prog_run+0x2 mov %rdi,%r12 > 1e7685: ___bpf_prog_run+0x5 push %rbp > 1e7686: ___bpf_prog_run+0x6 xor %ebp,%ebp > 1e7688: ___bpf_prog_run+0x8 push %rbx > 1e7689: ___bpf_prog_run+0x9 mov %rsi,%rbx > 1e768c: ___bpf_prog_run+0xc movzbl (%rbx),%esi > 1e768f: ___bpf_prog_run+0xf movzbl %sil,%edx > 1e7693: ___bpf_prog_run+0x13 mov %esi,%eax > 1e7695: ___bpf_prog_run+0x15 mov 0x0(,%rdx,8),%rdx > 1e769d: ___bpf_prog_run+0x1d jmp 0x1e76a2 <__x86_indirect_thunk_rdx> The problem is actually that indirect jump. That's a jump table (not to be confused with a jump *label*) which is an objtool "alt" type which the disas code doesn't seem to know about yet. They're used for C indirect goto (___bpf_prog_run) and switch statements. The latter are currently disabled in most x86 configs via -fno-jump-tables. They're indirect jumps with a known set of jump targets. It should be possible to graphically display the possible targets with lines and arrows, something similar to "objdump -d --visualize-jumps". If the code isn't expecting that "alt" type, it might explode in other ways. So at least for now, those alts need to at least be recognized and ignored. -- Josh
On 12/1/25 21:05, Josh Poimboeuf wrote: > On Mon, Dec 01, 2025 at 09:52:51AM +0000, tip-bot2 for Ingo Molnar wrote: >> The following commit has been merged into the objtool/core branch of tip: >> >> Commit-ID: 6ec33db1aaf06a76fb063610e668f8e12f32ebbf >> Gitweb: https://git.kernel.org/tip/6ec33db1aaf06a76fb063610e668f8e12f32ebbf >> Author: Ingo Molnar <mingo@kernel.org> >> AuthorDate: Mon, 01 Dec 2025 10:42:27 +01:00 >> Committer: Ingo Molnar <mingo@kernel.org> >> CommitterDate: Mon, 01 Dec 2025 10:42:27 +01:00 >> >> objtool: Fix segfault on unknown alternatives >> >> So 'objtool --link -d vmlinux.o' gets surprised by this endbr64+endbr64 pattern >> in ___bpf_prog_run(): >> >> ___bpf_prog_run: >> 1e7680: ___bpf_prog_run+0x0 push %r12 >> 1e7682: ___bpf_prog_run+0x2 mov %rdi,%r12 >> 1e7685: ___bpf_prog_run+0x5 push %rbp >> 1e7686: ___bpf_prog_run+0x6 xor %ebp,%ebp >> 1e7688: ___bpf_prog_run+0x8 push %rbx >> 1e7689: ___bpf_prog_run+0x9 mov %rsi,%rbx >> 1e768c: ___bpf_prog_run+0xc movzbl (%rbx),%esi >> 1e768f: ___bpf_prog_run+0xf movzbl %sil,%edx >> 1e7693: ___bpf_prog_run+0x13 mov %esi,%eax >> 1e7695: ___bpf_prog_run+0x15 mov 0x0(,%rdx,8),%rdx >> 1e769d: ___bpf_prog_run+0x1d jmp 0x1e76a2 <__x86_indirect_thunk_rdx> > > The problem is actually that indirect jump. That's a jump table (not to > be confused with a jump *label*) which is an objtool "alt" type which > the disas code doesn't seem to know about yet. > > They're used for C indirect goto (___bpf_prog_run) and switch > statements. The latter are currently disabled in most x86 configs via > -fno-jump-tables. > > They're indirect jumps with a known set of jump targets. It should be > possible to graphically display the possible targets with lines and > arrows, something similar to "objdump -d --visualize-jumps". > > If the code isn't expecting that "alt" type, it might explode in other > ways. So at least for now, those alts need to at least be recognized > and ignored. I think the problem is with add_jump_table() which creates a struct alternative but doesn't set the type. So it defaults to 0 which is ALT_TYPE_INSTRUCTIONS and then it fails because an alt_group is expected with this type. A quick fix is probably to define a new alt_type ALT_TYPE_UNKNOWN = 0 and have disas ignore this type of alternative. I will work on a fix. Thanks, alex.
* Alexandre Chartre <alexandre.chartre@oracle.com> wrote: > On 12/1/25 21:05, Josh Poimboeuf wrote: > > On Mon, Dec 01, 2025 at 09:52:51AM +0000, tip-bot2 for Ingo Molnar wrote: > > > The following commit has been merged into the objtool/core branch of tip: > > > > > > Commit-ID: 6ec33db1aaf06a76fb063610e668f8e12f32ebbf > > > Gitweb: https://git.kernel.org/tip/6ec33db1aaf06a76fb063610e668f8e12f32ebbf > > > Author: Ingo Molnar <mingo@kernel.org> > > > AuthorDate: Mon, 01 Dec 2025 10:42:27 +01:00 > > > Committer: Ingo Molnar <mingo@kernel.org> > > > CommitterDate: Mon, 01 Dec 2025 10:42:27 +01:00 > > > > > > objtool: Fix segfault on unknown alternatives > > > > > > So 'objtool --link -d vmlinux.o' gets surprised by this endbr64+endbr64 pattern > > > in ___bpf_prog_run(): > > > > > > ___bpf_prog_run: > > > 1e7680: ___bpf_prog_run+0x0 push %r12 > > > 1e7682: ___bpf_prog_run+0x2 mov %rdi,%r12 > > > 1e7685: ___bpf_prog_run+0x5 push %rbp > > > 1e7686: ___bpf_prog_run+0x6 xor %ebp,%ebp > > > 1e7688: ___bpf_prog_run+0x8 push %rbx > > > 1e7689: ___bpf_prog_run+0x9 mov %rsi,%rbx > > > 1e768c: ___bpf_prog_run+0xc movzbl (%rbx),%esi > > > 1e768f: ___bpf_prog_run+0xf movzbl %sil,%edx > > > 1e7693: ___bpf_prog_run+0x13 mov %esi,%eax > > > 1e7695: ___bpf_prog_run+0x15 mov 0x0(,%rdx,8),%rdx > > > 1e769d: ___bpf_prog_run+0x1d jmp 0x1e76a2 <__x86_indirect_thunk_rdx> > > > > The problem is actually that indirect jump. That's a jump table (not to > > be confused with a jump *label*) which is an objtool "alt" type which > > the disas code doesn't seem to know about yet. > > > > They're used for C indirect goto (___bpf_prog_run) and switch > > statements. The latter are currently disabled in most x86 configs via > > -fno-jump-tables. > > > > They're indirect jumps with a known set of jump targets. It should be > > possible to graphically display the possible targets with lines and > > arrows, something similar to "objdump -d --visualize-jumps". > > > > If the code isn't expecting that "alt" type, it might explode in other > > ways. So at least for now, those alts need to at least be recognized > > and ignored. > > I think the problem is with add_jump_table() which > creates a struct alternative but doesn't set the > type. So it defaults to 0 which is > ALT_TYPE_INSTRUCTIONS and then it fails because an > alt_group is expected with this type. > > A quick fix is probably to define a new alt_type > ALT_TYPE_UNKNOWN = 0 and have disas ignore this type > of alternative. I will work on a fix. Note that we still want the NULL dereference protection as well as a fallback, because objtool should always be robust against arbitrarily random and faulty input data. Thanks, Ingo
© 2016 - 2025 Red Hat, Inc.