1. Patchew
  2. linux
  3. View series

[PATCH V2 RESEND] objtool/x86: objtool can confuse memory and stack access

Alexandre Chartre posted 1 patch 1 year, 5 months ago 
tools/objtool/arch/x86/decode.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
[PATCH V2 RESEND] objtool/x86: objtool can confuse memory and stack access
Posted by Alexandre Chartre 1 year, 5 months ago 
The encoding of an x86 instruction can include a ModR/M and a SIB
(Scale-Index-Base) byte to describe the addressing mode of the
instruction.

objtool processes all addressing mode with a SIB base of 5 as having
%rbp as the base register. However, a SIB base of 5 means that the
effective address has either no base (if ModR/M mod is zero) or %rbp
as the base (if ModR/M mod is 1 or 2). This can cause objtool to confuse
an absolute address access with a stack operation.

For example, objtool will see the following instruction:

 4c 8b 24 25 e0 ff ff    mov    0xffffffffffffffe0,%r12

as a stack operation (i.e. similar to: mov -0x20(%rbp), %r12).

[Note that this kind of weird absolute address access is added by the
 compiler when using KASAN.]

If this perceived stack operation happens to reference the location
where %r12 was pushed on the stack then the objtool validation will
think that %r12 is being restored and this can cause a stack state
mismatch.

This kind behavior was seen on xfs code, after a minor change (convert
kmem_alloc() to kmalloc()):

>> fs/xfs/xfs.o: warning: objtool: xfs_da_grow_inode_int+0x6c1: stack state mismatch: reg1[12]=-2-48 reg2[12]=-1+0

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202402220435.MGN0EV6l-lkp@intel.com/
Signed-off-by: Alexandre Chartre <alexandre.chartre@oracle.com>
---
 tools/objtool/arch/x86/decode.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tools/objtool/arch/x86/decode.c b/tools/objtool/arch/x86/decode.c
index 3a1d80a7878d3..5872818b8930c 100644
--- a/tools/objtool/arch/x86/decode.c
+++ b/tools/objtool/arch/x86/decode.c
@@ -125,8 +125,14 @@ bool arch_pc_relative_reloc(struct reloc *reloc)
 #define is_RIP()   ((modrm_rm & 7) == CFI_BP && modrm_mod == 0)
 #define have_SIB() ((modrm_rm & 7) == CFI_SP && mod_is_mem())
 
+/*
+ * Check the ModRM register. If there is a SIB byte then check with
+ * the SIB base register. But if the SIB base is 5 (i.e. CFI_BP) and
+ * ModRM mod is 0 then there is no base register.
+ */
 #define rm_is(reg) (have_SIB() ? \
-		    sib_base == (reg) && sib_index == CFI_SP : \
+		    sib_base == (reg) && sib_index == CFI_SP && \
+		    (sib_base != CFI_BP || modrm_mod != 0):	\
 		    modrm_rm == (reg))
 
 #define rm_is_mem(reg)	(mod_is_mem() && !is_RIP() && rm_is(reg))
-- 
2.39.3
Re: [PATCH V2 RESEND] objtool/x86: objtool can confuse memory and stack access
Posted by Josh Poimboeuf 1 year, 5 months ago 
On Thu, Jun 20, 2024 at 04:47:47PM +0200, Alexandre Chartre wrote:
> The encoding of an x86 instruction can include a ModR/M and a SIB
> (Scale-Index-Base) byte to describe the addressing mode of the
> instruction.
> 
> objtool processes all addressing mode with a SIB base of 5 as having
> %rbp as the base register. However, a SIB base of 5 means that the
> effective address has either no base (if ModR/M mod is zero) or %rbp
> as the base (if ModR/M mod is 1 or 2). This can cause objtool to confuse
> an absolute address access with a stack operation.
> 
> For example, objtool will see the following instruction:
> 
>  4c 8b 24 25 e0 ff ff    mov    0xffffffffffffffe0,%r12
> 
> as a stack operation (i.e. similar to: mov -0x20(%rbp), %r12).
> 
> [Note that this kind of weird absolute address access is added by the
>  compiler when using KASAN.]
> 
> If this perceived stack operation happens to reference the location
> where %r12 was pushed on the stack then the objtool validation will
> think that %r12 is being restored and this can cause a stack state
> mismatch.
> 
> This kind behavior was seen on xfs code, after a minor change (convert
> kmem_alloc() to kmalloc()):
> 
> >> fs/xfs/xfs.o: warning: objtool: xfs_da_grow_inode_int+0x6c1: stack state mismatch: reg1[12]=-2-48 reg2[12]=-1+0
> 
> Reported-by: kernel test robot <lkp@intel.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202402220435.MGN0EV6l-lkp@intel.com/
> Signed-off-by: Alexandre Chartre <alexandre.chartre@oracle.com>

Thanks, queueing...

-- 
Josh
[tip: objtool/core] objtool/x86: objtool can confuse memory and stack access
Posted by tip-bot2 for Alexandre Chartre 1 year, 5 months ago 
The following commit has been merged into the objtool/core branch of tip:

Commit-ID:     8e366d83edce3065ff3372bedc281c5e217c0550
Gitweb:        https://git.kernel.org/tip/8e366d83edce3065ff3372bedc281c5e217c0550
Author:        Alexandre Chartre <alexandre.chartre@oracle.com>
AuthorDate:    Thu, 20 Jun 2024 16:47:47 +02:00
Committer:     Josh Poimboeuf <jpoimboe@kernel.org>
CommitterDate: Tue, 02 Jul 2024 23:40:54 -07:00

objtool/x86: objtool can confuse memory and stack access

The encoding of an x86 instruction can include a ModR/M and a SIB
(Scale-Index-Base) byte to describe the addressing mode of the
instruction.

objtool processes all addressing mode with a SIB base of 5 as having
%rbp as the base register. However, a SIB base of 5 means that the
effective address has either no base (if ModR/M mod is zero) or %rbp
as the base (if ModR/M mod is 1 or 2). This can cause objtool to confuse
an absolute address access with a stack operation.

For example, objtool will see the following instruction:

 4c 8b 24 25 e0 ff ff    mov    0xffffffffffffffe0,%r12

as a stack operation (i.e. similar to: mov -0x20(%rbp), %r12).

[Note that this kind of weird absolute address access is added by the
 compiler when using KASAN.]

If this perceived stack operation happens to reference the location
where %r12 was pushed on the stack then the objtool validation will
think that %r12 is being restored and this can cause a stack state
mismatch.

This kind behavior was seen on xfs code, after a minor change (convert
kmem_alloc() to kmalloc()):

>> fs/xfs/xfs.o: warning: objtool: xfs_da_grow_inode_int+0x6c1: stack state mismatch: reg1[12]=-2-48 reg2[12]=-1+0

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202402220435.MGN0EV6l-lkp@intel.com/
Signed-off-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Link: https://lore.kernel.org/r/20240620144747.2524805-1-alexandre.chartre@oracle.com
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
---
 tools/objtool/arch/x86/decode.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tools/objtool/arch/x86/decode.c b/tools/objtool/arch/x86/decode.c
index 3a1d80a..ed6bff0 100644
--- a/tools/objtool/arch/x86/decode.c
+++ b/tools/objtool/arch/x86/decode.c
@@ -125,8 +125,14 @@ bool arch_pc_relative_reloc(struct reloc *reloc)
 #define is_RIP()   ((modrm_rm & 7) == CFI_BP && modrm_mod == 0)
 #define have_SIB() ((modrm_rm & 7) == CFI_SP && mod_is_mem())
 
+/*
+ * Check the ModRM register. If there is a SIB byte then check with
+ * the SIB base register. But if the SIB base is 5 (i.e. CFI_BP) and
+ * ModRM mod is 0 then there is no base register.
+ */
 #define rm_is(reg) (have_SIB() ? \
-		    sib_base == (reg) && sib_index == CFI_SP : \
+		    sib_base == (reg) && sib_index == CFI_SP && \
+		    (sib_base != CFI_BP || modrm_mod != 0) :	\
 		    modrm_rm == (reg))
 
 #define rm_is_mem(reg)	(mod_is_mem() && !is_RIP() && rm_is(reg))
Re: [tip: objtool/core] objtool/x86: objtool can confuse memory and stack access
Posted by Borislav Petkov 1 year, 5 months ago 
On Mon, Jul 08, 2024 at 11:49:24AM -0000, tip-bot2 for Alexandre Chartre wrote:
>  4c 8b 24 25 e0 ff ff    mov    0xffffffffffffffe0,%r12

Right, this is missing a "ff" which is the 4th byte of a disp32.

I.e., ModRM=0, SIB=5 simply means that what follows is a disp32 field:

 REX:                   0x4c { 4 [w]: 1 [r]: 1 [x]: 0 [b]: 0 }
Opcode:                 0x8b
ModRM:                  0x24  [mod:0b][.R:1b,reg:1100b][.B:0b,r/m:100b]
                        register-indirect mode, offset 0
SIB:                    0x25 [.B:0b,base:101b][.X:0b,idx:100b][scale: 0]

 MOV Gv,Ev; MOV reg{16,32,64} reg/mem{16,32,64}
               0:       4c 8b 24 25 e0 ff ff    mov 0xffffffffffffffe0,%r12
               7:       ff
-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
Re: [tip: objtool/core] objtool/x86: objtool can confuse memory and stack access
Posted by Alexandre Chartre 1 year, 5 months ago 

On 7/8/24 18:48, Borislav Petkov wrote:
> On Mon, Jul 08, 2024 at 11:49:24AM -0000, tip-bot2 for Alexandre Chartre wrote:
>>   4c 8b 24 25 e0 ff ff    mov    0xffffffffffffffe0,%r12
> 
> Right, this is missing a "ff" which is the 4th byte of a disp32.
> 
> I.e., ModRM=0, SIB=5 simply means that what follows is a disp32 field:
> 
>   REX:                   0x4c { 4 [w]: 1 [r]: 1 [x]: 0 [b]: 0 }
> Opcode:                 0x8b
> ModRM:                  0x24  [mod:0b][.R:1b,reg:1100b][.B:0b,r/m:100b]
>                          register-indirect mode, offset 0
> SIB:                    0x25 [.B:0b,base:101b][.X:0b,idx:100b][scale: 0]
> 
>   MOV Gv,Ev; MOV reg{16,32,64} reg/mem{16,32,64}
>                 0:       4c 8b 24 25 e0 ff ff    mov 0xffffffffffffffe0,%r12
>                 7:       ff

Ah! Right. I regularly got tricked when the opcode is output on two lines :-(

Sorry.

alex.

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.