From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F2870258CFD; Mon, 7 Apr 2025 18:12:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1744049538; cv=none; b=o6Cj5hv0OSrVQIeY6d1fSWWKLGem5/CsoNHnCGm6TfmuOAaQIPcG+s0LsFKbRlZamRQyBRB4kK4gUfCRyKV66DFXUKPpw5kg9IirxhVZ+Xy1QsOL5X6eoxsQzWdQmpzOtbZNNcX1MIWstXJGl1coBdiCzgauVHLVqHwZMRZYBvw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1744049538; c=relaxed/simple; bh=HUUon//Jhnm++nSXg4SODznjq7cHjuBfxI2rWh8ozpI=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=ex+F0OYza5hehbg7bxCuFCsl0TSoUl09GeA99PmFUxvTvKFy5DtK8/M9I67+JBadPj1Ko81vO3BKN3NKfA3MzTQbNw1QClqCdinnuiLcIivEiczOwE0hR/6mN4WWzoQR5xIlA0jRKqSFO0qOiCMberg5jFjj04OmXnWmwVgKArQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=tUkrHooI; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="tUkrHooI" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5AAE8C4CEDD; Mon, 7 Apr 2025 18:12:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1744049537; bh=HUUon//Jhnm++nSXg4SODznjq7cHjuBfxI2rWh8ozpI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tUkrHooI+zsYP1fjxxfSQ29Pv0wxKhre11dgeF6k/sHy91+j8NUJiFwp0G1dND80p 4IMFcT14tnfoHM0h4wx+N9tpHgp6RgQT/XRhzY/aAsOH65ncL9bteWZ7oH3pifgnK4 TMZ1YBUaTQ5bC+avzAkWeZk94CQhtPLDfMmdGNFms8Ntl+DKvL/DFS1XTmjFJbjq55 VkwNeLMgy6BdNHUFACCbJMwxEvHvci0FiiNPb7WRNhlB+ILFgrsEUVY++lQYZWPBkU ChmuZRUEm8OHIUGOKE1woj+5uu9oIXHHHFGEXUJUMl2KCOHAUpahELsXpWc3eW+U2m jw6Plp1brDE2g== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Josh Poimboeuf , kernel test robot , Ingo Molnar , Kees Cook , Arnd Bergmann , Greg Kroah-Hartman , Linus Torvalds , Sasha Levin Subject: [PATCH AUTOSEL 6.14 31/31] objtool, lkdtm: Obfuscate the do_nothing() pointer Date: Mon, 7 Apr 2025 14:10:47 -0400 Message-Id: <20250407181054.3177479-31-sashal@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250407181054.3177479-1-sashal@kernel.org> References: <20250407181054.3177479-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.14.1 Content-Transfer-Encoding: 8bit From: Josh Poimboeuf [ Upstream commit 05026ea01e95ffdeb0e5ac8fb7fb1b551e3a8726 ] If execute_location()'s memcpy of do_nothing() gets inlined and unrolled by the compiler, it copies one word at a time: mov 0x0(%rip),%rax R_X86_64_PC32 .text+0x1374 mov %rax,0x38(%rbx) mov 0x0(%rip),%rax R_X86_64_PC32 .text+0x136c mov %rax,0x30(%rbx) ... Those .text references point to the middle of the function, causing objtool to complain about their lack of ENDBR. Prevent that by resolving the function pointer at runtime rather than build time. This fixes the following warning: drivers/misc/lkdtm/lkdtm.o: warning: objtool: execute_location+0x23: relocation to !ENDBR: .text+0x1378 Reported-by: kernel test robot Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Reviewed-by: Kees Cook Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Cc: Linus Torvalds Link: https://lore.kernel.org/r/30b9abffbddeb43c4f6320b1270fa9b4d74c54ed.1742852847.git.jpoimboe@kernel.org Closes: https://lore.kernel.org/oe-kbuild-all/202503191453.uFfxQy5R-lkp@intel.com/ Signed-off-by: Sasha Levin --- drivers/misc/lkdtm/perms.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c index 5b861dbff27e9..6c24426104ba6 100644 --- a/drivers/misc/lkdtm/perms.c +++ b/drivers/misc/lkdtm/perms.c @@ -28,6 +28,13 @@ static const unsigned long rodata = 0xAA55AA55; /* This is marked __ro_after_init, so it should ultimately be .rodata. */ static unsigned long ro_after_init __ro_after_init = 0x55AA5500; +/* + * This is a pointer to do_nothing() which is initialized at runtime rather + * than build time to avoid objtool IBT validation warnings caused by an + * inlined unrolled memcpy() in execute_location(). + */ +static void __ro_after_init *do_nothing_ptr; + /* * This just returns to the caller. It is designed to be copied into * non-executable memory regions. @@ -65,13 +72,12 @@ static noinline __nocfi void execute_location(void *dst, bool write) { void (*func)(void); func_desc_t fdesc; - void *do_nothing_text = dereference_function_descriptor(do_nothing); - pr_info("attempting ok execution at %px\n", do_nothing_text); + pr_info("attempting ok execution at %px\n", do_nothing_ptr); do_nothing(); if (write == CODE_WRITE) { - memcpy(dst, do_nothing_text, EXEC_SIZE); + memcpy(dst, do_nothing_ptr, EXEC_SIZE); flush_icache_range((unsigned long)dst, (unsigned long)dst + EXEC_SIZE); } @@ -267,6 +273,8 @@ static void lkdtm_ACCESS_NULL(void) void __init lkdtm_perms_init(void) { + do_nothing_ptr = dereference_function_descriptor(do_nothing); + /* Make sure we can write to __ro_after_init values during __init */ ro_after_init |= 0xAA; } -- 2.39.5