From patchwork Tue Jul 18 22:33:19 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Thomas Garnier <thgarnie@google.com>
X-Patchwork-Id: 9850033
Return-Path: 
 <kernel-hardening-return-9007-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	1EB8060392 for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Tue, 18 Jul 2017 22:35:52 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 09FDD285B7
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Tue, 18 Jul 2017 22:35:52 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id F1B7B285CD; Tue, 18 Jul 2017 22:35:51 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, RCVD_IN_DNSWL_MED,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by mail.wl.linuxfoundation.org (Postfix) with SMTP id D720F285B7
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Tue, 18 Jul 2017 22:35:50 +0000 (UTC)
Received: (qmail 26485 invoked by uid 550); 18 Jul 2017 22:34:36 -0000
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:kernel-hardening@lists.openwall.com>
List-Help: <mailto:kernel-hardening-help@lists.openwall.com>
List-Unsubscribe: <mailto:kernel-hardening-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:kernel-hardening-subscribe@lists.openwall.com>
List-ID: <kernel-hardening.lists.openwall.com>
Delivered-To: mailing list kernel-hardening@lists.openwall.com
Received: (qmail 26337 invoked from network); 18 Jul 2017 22:34:34 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=UpMEsq8AofDPyhtX1fiCHZciKW2pc/cVSIecBulyr4E=;
	b=tpGdBZj3ljXYWl34a0u6CUYSUCfU+WY62K0NvYIm0R7zpG1AOKm5mwUUd/QU2kxQ8L
	xVMdCL/VLBLcLv+9Oqj44M1/6iF78xj5KFL+k+PeDAFTYRnzLY8wKVG05z1XpADsH8rF
	bR+j4KeNjB7z5pysXesrm8W9NiykCW02TCiQlkjoW/H3k3kwi2KA2+J4JUn9ss66kPmW
	mrzLnCOFKqjUiOY6FoGSu7ey/6hdfpV9GVPqtc60B13oOcMmvd28OXPboGKRs27aA0Iq
	DanVrKGN4Z2b983gWB3jpX8mcFFI+2/8jurPtoCsNaY2d5gJy3w9LKC2CmwPLLEDkPOb
	pixA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=UpMEsq8AofDPyhtX1fiCHZciKW2pc/cVSIecBulyr4E=;
	b=snEq2yE5Ql3dal2QFdYuz6ix34KubLLwvkJ7fQ5Z9lPETusCPkdc/nXSOuHl0xnjwG
	o5UeUGmAHJSIkXeaUZPWRp/VQ8rxhOQQuvrC7PmZ6yTC8dwaXL6pcbgBGBOvF2M2cQFO
	RuvAFFuP/7VrJv5u9ha8sfQ+bCXuqwfVsHVhUGVKZRoaE4Gigw4LoynlABrWuX6RiOv9
	KJq8eH9KzPzYQWoOfj+IuAcoFz/ZQWofGmFwm6B/20OpTkwH3cxWe2NrKltGwzrjKg9S
	u/C4jrcEbdxiF6kE8iUxT0J3SPqd+GhlJUTVSQDHVlPsWjRo9R7XcrXbDbdeRRycb/Gz
	3rsw==
X-Gm-Message-State: AIVw112hAnoq9buD6UaWVMgkbxgXnH7A1YOF5lycZZCXroafdIRmY59V
	DTmVXVc72YZSPNAj
X-Received: by 10.98.198.87 with SMTP id m84mr3970271pfg.122.1500417262244;
	Tue, 18 Jul 2017 15:34:22 -0700 (PDT)
From: Thomas Garnier <thgarnie@google.com>
To: Herbert Xu <herbert@gondor.apana.org.au>,
	"David S . Miller" <davem@davemloft.net>,
	Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>,
	"H . Peter Anvin" <hpa@zytor.com>, Peter Zijlstra <peterz@infradead.org>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	Thomas Garnier <thgarnie@google.com>, Arnd Bergmann <arnd@arndb.de>,
	Matthias Kaehlcke <mka@chromium.org>,
	Boris Ostrovsky <boris.ostrovsky@oracle.com>,
	Juergen Gross <jgross@suse.com>, Paolo Bonzini <pbonzini@redhat.com>,
	=?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>,
	Joerg Roedel <joro@8bytes.org>, Andy Lutomirski <luto@kernel.org>,
	Borislav Petkov <bp@alien8.de>,
	"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
	Brian Gerst <brgerst@gmail.com>, Borislav Petkov <bp@suse.de>,
	Christian Borntraeger <borntraeger@de.ibm.com>,
	"Rafael J . Wysocki" <rjw@rjwysocki.net>,
	Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>,
	Tejun Heo <tj@kernel.org>, Christoph Lameter <cl@linux.com>,
	Kees Cook <keescook@chromium.org>,
	Paul Gortmaker <paul.gortmaker@windriver.com>,
	Chris Metcalf <cmetcalf@mellanox.com>,
	"Paul E . McKenney" <paulmck@linux.vnet.ibm.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Christopher Li <sparse@chrisli.org>,
	Dou Liyang <douly.fnst@cn.fujitsu.com>,
	Masahiro Yamada <yamada.masahiro@socionext.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Markus Trippelsdorf <markus@trippelsdorf.de>,
	Peter Foley <pefoley2@pefoley.com>, Steven Rostedt <rostedt@goodmis.org>,
	Tim Chen <tim.c.chen@linux.intel.com>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Matthew Wilcox <mawilcox@microsoft.com>, Michal Hocko <mhocko@suse.com>,
	Rob Landley <rob@landley.net>, Jiri Kosina <jkosina@suse.cz>,
	"H . J . Lu" <hjl.tools@gmail.com>, Paul Bolle <pebolle@tiscali.nl>,
	Baoquan He <bhe@redhat.com>, Daniel Micay <danielmicay@gmail.com>
Cc: x86@kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org,
	kvm@vger.kernel.org, linux-pm@vger.kernel.org,
	linux-arch@vger.kernel.org, linux-sparse@vger.kernel.org,
	kernel-hardening@lists.openwall.com
Date: Tue, 18 Jul 2017 15:33:19 -0700
Message-Id: <20170718223333.110371-9-thgarnie@google.com>
X-Mailer: git-send-email 2.13.2.932.g7449e964c-goog
In-Reply-To: <20170718223333.110371-1-thgarnie@google.com>
References: <20170718223333.110371-1-thgarnie@google.com>
Subject: [kernel-hardening] [RFC 08/22] x86/entry/64: Adapt assembly for PIE
	support
X-Virus-Scanned: ClamAV using ClamSMTP

Change the assembly code to use only relative references of symbols for the
kernel to be PIE compatible.

Position Independent Executable (PIE) support will allow to extended the
KASLR randomization range below the -2G memory limit.

Signed-off-by: Thomas Garnier <thgarnie@google.com>
---
 arch/x86/entry/entry_64.S | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index a9a8027a6c0e..691c4755269b 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -195,12 +195,15 @@ entry_SYSCALL_64_fastpath:
 	ja	1f				/* return -ENOSYS (already in pt_regs->ax) */
 	movq	%r10, %rcx
 
+	/* Ensures the call is position independent */
+	leaq	sys_call_table(%rip), %r11
+
 	/*
 	 * This call instruction is handled specially in stub_ptregs_64.
 	 * It might end up jumping to the slow path.  If it jumps, RAX
 	 * and all argument registers are clobbered.
 	 */
-	call	*sys_call_table(, %rax, 8)
+	call	*(%r11, %rax, 8)
 .Lentry_SYSCALL_64_after_fastpath_call:
 
 	movq	%rax, RAX(%rsp)
@@ -333,7 +336,8 @@ ENTRY(stub_ptregs_64)
 	 * RAX stores a pointer to the C function implementing the syscall.
 	 * IRQs are on.
 	 */
-	cmpq	$.Lentry_SYSCALL_64_after_fastpath_call, (%rsp)
+	leaq	.Lentry_SYSCALL_64_after_fastpath_call(%rip), %r11
+	cmpq	%r11, (%rsp)
 	jne	1f
 
 	/*
@@ -1109,7 +1113,8 @@ ENTRY(error_entry)
 	movl	%ecx, %eax			/* zero extend */
 	cmpq	%rax, RIP+8(%rsp)
 	je	.Lbstep_iret
-	cmpq	$.Lgs_change, RIP+8(%rsp)
+	leaq	.Lgs_change(%rip), %rcx
+	cmpq	%rcx, RIP+8(%rsp)
 	jne	.Lerror_entry_done
 
 	/*
@@ -1324,10 +1329,10 @@ ENTRY(nmi)
 	 * resume the outer NMI.
 	 */
 
-	movq	$repeat_nmi, %rdx
+	leaq	repeat_nmi(%rip), %rdx
 	cmpq	8(%rsp), %rdx
 	ja	1f
-	movq	$end_repeat_nmi, %rdx
+	leaq	end_repeat_nmi(%rip), %rdx
 	cmpq	8(%rsp), %rdx
 	ja	nested_nmi_out
 1:
@@ -1381,7 +1386,8 @@ nested_nmi:
 	pushq	%rdx
 	pushfq
 	pushq	$__KERNEL_CS
-	pushq	$repeat_nmi
+	leaq	repeat_nmi(%rip), %rdx
+	pushq	%rdx
 
 	/* Put stack back */
 	addq	$(6*8), %rsp
@@ -1419,7 +1425,9 @@ first_nmi:
 	addq	$8, (%rsp)	/* Fix up RSP */
 	pushfq			/* RFLAGS */
 	pushq	$__KERNEL_CS	/* CS */
-	pushq	$1f		/* RIP */
+	pushq	%rax		/* Support Position Independent Code */
+	leaq	1f(%rip), %rax	/* RIP */
+	xchgq	%rax, (%rsp)	/* Restore RAX, put 1f */
 	INTERRUPT_RETURN	/* continues at repeat_nmi below */
 1:
 #endif