* [tip: objtool/core] objtool: Fix segfault on unknown alternatives
@ 2025-12-01 9:52 tip-bot2 for Ingo Molnar
2025-12-01 20:05 ` Josh Poimboeuf
0 siblings, 1 reply; 4+ messages in thread
From: tip-bot2 for Ingo Molnar @ 2025-12-01 9:52 UTC (permalink / raw)
To: linux-tip-commits
Cc: Alexandre Chartre, Peter Zijlstra (Intel), Josh Poimboeuf,
linux-kernel, Ingo Molnar, x86
The following commit has been merged into the objtool/core branch of tip:
Commit-ID: 6ec33db1aaf06a76fb063610e668f8e12f32ebbf
Gitweb: https://git.kernel.org/tip/6ec33db1aaf06a76fb063610e668f8e12f32ebbf
Author: Ingo Molnar <mingo@kernel.org>
AuthorDate: Mon, 01 Dec 2025 10:42:27 +01:00
Committer: Ingo Molnar <mingo@kernel.org>
CommitterDate: Mon, 01 Dec 2025 10:42:27 +01:00
objtool: Fix segfault on unknown alternatives
So 'objtool --link -d vmlinux.o' gets surprised by this endbr64+endbr64 pattern
in ___bpf_prog_run():
___bpf_prog_run:
1e7680: ___bpf_prog_run+0x0 push %r12
1e7682: ___bpf_prog_run+0x2 mov %rdi,%r12
1e7685: ___bpf_prog_run+0x5 push %rbp
1e7686: ___bpf_prog_run+0x6 xor %ebp,%ebp
1e7688: ___bpf_prog_run+0x8 push %rbx
1e7689: ___bpf_prog_run+0x9 mov %rsi,%rbx
1e768c: ___bpf_prog_run+0xc movzbl (%rbx),%esi
1e768f: ___bpf_prog_run+0xf movzbl %sil,%edx
1e7693: ___bpf_prog_run+0x13 mov %esi,%eax
1e7695: ___bpf_prog_run+0x15 mov 0x0(,%rdx,8),%rdx
1e769d: ___bpf_prog_run+0x1d jmp 0x1e76a2 <__x86_indirect_thunk_rdx>
1e76a2: ___bpf_prog_run+0x22 endbr64
1e76a6: ___bpf_prog_run+0x26 endbr64
1e76aa: ___bpf_prog_run+0x2a mov 0x4(%rbx),%edx
And crashes due to blindly dereferencing alt->insn->alt_group.
Bail out on NULL ->alt_group, which produces this warning and continues
with the disassembly, instead of a segfault:
.git/O/vmlinux.o: warning: objtool: <alternative.1e769d>: failed to disassemble alternative
Cc: Alexandre Chartre <alexandre.chartre@oracle.com>
Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
tools/objtool/disas.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/objtool/disas.c b/tools/objtool/disas.c
index 441b930..2b5059f 100644
--- a/tools/objtool/disas.c
+++ b/tools/objtool/disas.c
@@ -684,6 +684,9 @@ char *disas_alt_name(struct alternative *alt)
* '?' unknown flag
*/
+ if (!alt->insn->alt_group)
+ return NULL;
+
feature = alt->insn->alt_group->feature;
num = alt_feature(feature);
flags = alt_flags(feature);
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [tip: objtool/core] objtool: Fix segfault on unknown alternatives
2025-12-01 9:52 [tip: objtool/core] objtool: Fix segfault on unknown alternatives tip-bot2 for Ingo Molnar
@ 2025-12-01 20:05 ` Josh Poimboeuf
2025-12-01 20:44 ` Alexandre Chartre
0 siblings, 1 reply; 4+ messages in thread
From: Josh Poimboeuf @ 2025-12-01 20:05 UTC (permalink / raw)
To: tip-bot2 for Ingo Molnar
Cc: linux-tip-commits, Alexandre Chartre, Peter Zijlstra (Intel),
linux-kernel, Ingo Molnar, x86
On Mon, Dec 01, 2025 at 09:52:51AM +0000, tip-bot2 for Ingo Molnar wrote:
> The following commit has been merged into the objtool/core branch of tip:
>
> Commit-ID: 6ec33db1aaf06a76fb063610e668f8e12f32ebbf
> Gitweb: https://git.kernel.org/tip/6ec33db1aaf06a76fb063610e668f8e12f32ebbf
> Author: Ingo Molnar <mingo@kernel.org>
> AuthorDate: Mon, 01 Dec 2025 10:42:27 +01:00
> Committer: Ingo Molnar <mingo@kernel.org>
> CommitterDate: Mon, 01 Dec 2025 10:42:27 +01:00
>
> objtool: Fix segfault on unknown alternatives
>
> So 'objtool --link -d vmlinux.o' gets surprised by this endbr64+endbr64 pattern
> in ___bpf_prog_run():
>
> ___bpf_prog_run:
> 1e7680: ___bpf_prog_run+0x0 push %r12
> 1e7682: ___bpf_prog_run+0x2 mov %rdi,%r12
> 1e7685: ___bpf_prog_run+0x5 push %rbp
> 1e7686: ___bpf_prog_run+0x6 xor %ebp,%ebp
> 1e7688: ___bpf_prog_run+0x8 push %rbx
> 1e7689: ___bpf_prog_run+0x9 mov %rsi,%rbx
> 1e768c: ___bpf_prog_run+0xc movzbl (%rbx),%esi
> 1e768f: ___bpf_prog_run+0xf movzbl %sil,%edx
> 1e7693: ___bpf_prog_run+0x13 mov %esi,%eax
> 1e7695: ___bpf_prog_run+0x15 mov 0x0(,%rdx,8),%rdx
> 1e769d: ___bpf_prog_run+0x1d jmp 0x1e76a2 <__x86_indirect_thunk_rdx>
The problem is actually that indirect jump. That's a jump table (not to
be confused with a jump *label*) which is an objtool "alt" type which
the disas code doesn't seem to know about yet.
They're used for C indirect goto (___bpf_prog_run) and switch
statements. The latter are currently disabled in most x86 configs via
-fno-jump-tables.
They're indirect jumps with a known set of jump targets. It should be
possible to graphically display the possible targets with lines and
arrows, something similar to "objdump -d --visualize-jumps".
If the code isn't expecting that "alt" type, it might explode in other
ways. So at least for now, those alts need to at least be recognized
and ignored.
--
Josh
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [tip: objtool/core] objtool: Fix segfault on unknown alternatives
2025-12-01 20:05 ` Josh Poimboeuf
@ 2025-12-01 20:44 ` Alexandre Chartre
2025-12-01 20:49 ` Ingo Molnar
0 siblings, 1 reply; 4+ messages in thread
From: Alexandre Chartre @ 2025-12-01 20:44 UTC (permalink / raw)
To: Josh Poimboeuf, tip-bot2 for Ingo Molnar
Cc: alexandre.chartre, linux-tip-commits, Peter Zijlstra (Intel),
linux-kernel, Ingo Molnar, x86
On 12/1/25 21:05, Josh Poimboeuf wrote:
> On Mon, Dec 01, 2025 at 09:52:51AM +0000, tip-bot2 for Ingo Molnar wrote:
>> The following commit has been merged into the objtool/core branch of tip:
>>
>> Commit-ID: 6ec33db1aaf06a76fb063610e668f8e12f32ebbf
>> Gitweb: https://git.kernel.org/tip/6ec33db1aaf06a76fb063610e668f8e12f32ebbf
>> Author: Ingo Molnar <mingo@kernel.org>
>> AuthorDate: Mon, 01 Dec 2025 10:42:27 +01:00
>> Committer: Ingo Molnar <mingo@kernel.org>
>> CommitterDate: Mon, 01 Dec 2025 10:42:27 +01:00
>>
>> objtool: Fix segfault on unknown alternatives
>>
>> So 'objtool --link -d vmlinux.o' gets surprised by this endbr64+endbr64 pattern
>> in ___bpf_prog_run():
>>
>> ___bpf_prog_run:
>> 1e7680: ___bpf_prog_run+0x0 push %r12
>> 1e7682: ___bpf_prog_run+0x2 mov %rdi,%r12
>> 1e7685: ___bpf_prog_run+0x5 push %rbp
>> 1e7686: ___bpf_prog_run+0x6 xor %ebp,%ebp
>> 1e7688: ___bpf_prog_run+0x8 push %rbx
>> 1e7689: ___bpf_prog_run+0x9 mov %rsi,%rbx
>> 1e768c: ___bpf_prog_run+0xc movzbl (%rbx),%esi
>> 1e768f: ___bpf_prog_run+0xf movzbl %sil,%edx
>> 1e7693: ___bpf_prog_run+0x13 mov %esi,%eax
>> 1e7695: ___bpf_prog_run+0x15 mov 0x0(,%rdx,8),%rdx
>> 1e769d: ___bpf_prog_run+0x1d jmp 0x1e76a2 <__x86_indirect_thunk_rdx>
>
> The problem is actually that indirect jump. That's a jump table (not to
> be confused with a jump *label*) which is an objtool "alt" type which
> the disas code doesn't seem to know about yet.
>
> They're used for C indirect goto (___bpf_prog_run) and switch
> statements. The latter are currently disabled in most x86 configs via
> -fno-jump-tables.
>
> They're indirect jumps with a known set of jump targets. It should be
> possible to graphically display the possible targets with lines and
> arrows, something similar to "objdump -d --visualize-jumps".
>
> If the code isn't expecting that "alt" type, it might explode in other
> ways. So at least for now, those alts need to at least be recognized
> and ignored.
I think the problem is with add_jump_table() which creates a struct alternative
but doesn't set the type. So it defaults to 0 which is ALT_TYPE_INSTRUCTIONS and
then it fails because an alt_group is expected with this type.
A quick fix is probably to define a new alt_type ALT_TYPE_UNKNOWN = 0 and have
disas ignore this type of alternative. I will work on a fix.
Thanks,
alex.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [tip: objtool/core] objtool: Fix segfault on unknown alternatives
2025-12-01 20:44 ` Alexandre Chartre
@ 2025-12-01 20:49 ` Ingo Molnar
0 siblings, 0 replies; 4+ messages in thread
From: Ingo Molnar @ 2025-12-01 20:49 UTC (permalink / raw)
To: Alexandre Chartre
Cc: Josh Poimboeuf, tip-bot2 for Ingo Molnar, linux-tip-commits,
Peter Zijlstra (Intel), linux-kernel, x86
* Alexandre Chartre <alexandre.chartre@oracle.com> wrote:
> On 12/1/25 21:05, Josh Poimboeuf wrote:
> > On Mon, Dec 01, 2025 at 09:52:51AM +0000, tip-bot2 for Ingo Molnar wrote:
> > > The following commit has been merged into the objtool/core branch of tip:
> > >
> > > Commit-ID: 6ec33db1aaf06a76fb063610e668f8e12f32ebbf
> > > Gitweb: https://git.kernel.org/tip/6ec33db1aaf06a76fb063610e668f8e12f32ebbf
> > > Author: Ingo Molnar <mingo@kernel.org>
> > > AuthorDate: Mon, 01 Dec 2025 10:42:27 +01:00
> > > Committer: Ingo Molnar <mingo@kernel.org>
> > > CommitterDate: Mon, 01 Dec 2025 10:42:27 +01:00
> > >
> > > objtool: Fix segfault on unknown alternatives
> > >
> > > So 'objtool --link -d vmlinux.o' gets surprised by this endbr64+endbr64 pattern
> > > in ___bpf_prog_run():
> > >
> > > ___bpf_prog_run:
> > > 1e7680: ___bpf_prog_run+0x0 push %r12
> > > 1e7682: ___bpf_prog_run+0x2 mov %rdi,%r12
> > > 1e7685: ___bpf_prog_run+0x5 push %rbp
> > > 1e7686: ___bpf_prog_run+0x6 xor %ebp,%ebp
> > > 1e7688: ___bpf_prog_run+0x8 push %rbx
> > > 1e7689: ___bpf_prog_run+0x9 mov %rsi,%rbx
> > > 1e768c: ___bpf_prog_run+0xc movzbl (%rbx),%esi
> > > 1e768f: ___bpf_prog_run+0xf movzbl %sil,%edx
> > > 1e7693: ___bpf_prog_run+0x13 mov %esi,%eax
> > > 1e7695: ___bpf_prog_run+0x15 mov 0x0(,%rdx,8),%rdx
> > > 1e769d: ___bpf_prog_run+0x1d jmp 0x1e76a2 <__x86_indirect_thunk_rdx>
> >
> > The problem is actually that indirect jump. That's a jump table (not to
> > be confused with a jump *label*) which is an objtool "alt" type which
> > the disas code doesn't seem to know about yet.
> >
> > They're used for C indirect goto (___bpf_prog_run) and switch
> > statements. The latter are currently disabled in most x86 configs via
> > -fno-jump-tables.
> >
> > They're indirect jumps with a known set of jump targets. It should be
> > possible to graphically display the possible targets with lines and
> > arrows, something similar to "objdump -d --visualize-jumps".
> >
> > If the code isn't expecting that "alt" type, it might explode in other
> > ways. So at least for now, those alts need to at least be recognized
> > and ignored.
>
> I think the problem is with add_jump_table() which
> creates a struct alternative but doesn't set the
> type. So it defaults to 0 which is
> ALT_TYPE_INSTRUCTIONS and then it fails because an
> alt_group is expected with this type.
>
> A quick fix is probably to define a new alt_type
> ALT_TYPE_UNKNOWN = 0 and have disas ignore this type
> of alternative. I will work on a fix.
Note that we still want the NULL dereference protection
as well as a fallback, because objtool should always be
robust against arbitrarily random and faulty input
data.
Thanks,
Ingo
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-12-01 20:49 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-12-01 9:52 [tip: objtool/core] objtool: Fix segfault on unknown alternatives tip-bot2 for Ingo Molnar
2025-12-01 20:05 ` Josh Poimboeuf
2025-12-01 20:44 ` Alexandre Chartre
2025-12-01 20:49 ` Ingo Molnar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox