From patchwork Tue Jan 15 19:02:13 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ruslan Nikolaev <nruslan_devel@yahoo.com>
X-Patchwork-Id: 10765005
Return-Path: 
 <kernel-hardening-return-14884-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9FE4A6C5
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
 Tue, 15 Jan 2019 19:09:09 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8F1182C11D
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
 Tue, 15 Jan 2019 19:09:09 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 8D3302CA7B; Tue, 15 Jan 2019 19:09:09 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.3 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by mail.wl.linuxfoundation.org (Postfix) with SMTP id B783B2C11D
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
 Tue, 15 Jan 2019 19:09:08 +0000 (UTC)
Received: (qmail 25816 invoked by uid 550); 15 Jan 2019 19:08:55 -0000
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:kernel-hardening@lists.openwall.com>
List-Help: <mailto:kernel-hardening-help@lists.openwall.com>
List-Unsubscribe: <mailto:kernel-hardening-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:kernel-hardening-subscribe@lists.openwall.com>
List-ID: <kernel-hardening.lists.openwall.com>
Delivered-To: mailing list kernel-hardening@lists.openwall.com
Delivered-To: moderator for kernel-hardening@lists.openwall.com
Received: (qmail 16029 invoked from network); 15 Jan 2019 19:02:30 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1547578938; bh=LWMJMISBialLw3fT+PFwBduDKkMqFuf7giNS+HJXFHo=;
 h=To:Cc:From:Subject:Date:From:Subject;
 b=EWSYU4/96/UipKKXc1NbDM2IgLx8D8kquFV2pNmF7CBLupmAHySpIU30mPmWxho91KV44WwjJ+akVkX2QffRk7iVDjIPlCATDDruj548/TgdGTzMuWICz7r1WxeMI+AEC0vS+2UIk0W6xgZF27iYyDWVkFsPMTOmWBHCXLcaooa/ho0CQnfI0/BeZeqpLtcXvaFq3fz1ZEjVx+QGQwOcQamNVM5VYQAGAX4HO7QXT3LrMTLymF29BhkkcQtSCEsJeUA2RfNkktjDqPi+lLl7xbCL2334KtWN7Xa27FdR07ROEDdP1QFK2j+H4se1SdcHOAD6JBG2hqMk61d04RwVnA==
X-YMail-OSG: 3KRNuEIVM1khl47vJBrv_OYRmHL9emMlt0HrQjpNGd7yK.KTHkbou5pDpL.AeZR
 qS8tRsp6KFVcsnv4fgfbPMyE5TjTQw76no75Kd5rlfS4jEqfPHyqvL30TkkMiuJqnJO2H1_p8Fkk
 AgxR_Shxwj9_y1rp3YHSsZ7s0rNbj0tk.4WnIXycixwReUwfMBGEK_Yio4_ok3pGZs046knVWLTG
 62xNNGU_duRYoNoJGGsTIcXawRKZkWEI63_OC1JsC.cWyPrPjGpx2q899e8sSnRttyjM66UJZtdA
 FcRecXEP57r6sFpJ.vMeQZYLdnihDs7XXvuFX6qiyqPo5VowIdtXzwvCIcHYxOLvDjEn741I7JX2
 kZi56_gdR.h4Ey7K0FN61HRpJMKwTaaCY45q3WNaBYUacmyrnQphg6iK_ThM9Pj4gWWaVBDGkMXW
 RSGews3mVqMECG_j0RgCe9hOdk1vMLfyKLmojbdkjHFQdT2iY8o.H8fkxMC06dxYno09D39a0cQK
 7Mcpzd9pgKhf0zJ8FwdQMnv9VwPX3W.6bYnrXxIxmDSvJGvj9cbKpUjnJVMPqwdLNqRWeEJV6kBN
 8vNvK1I6.5MCqHyVruQ7J_dM7BSSH3TcuBcE2BhIvvmNrjMgQ__Ys3v0MNJxyd2zZKi2_QzxuzrG
 5sNl_fH2A9sQW5Bd2aiRhdw7CzJWYO5oROc1K9Tm8ZxRl_yhjgVMoM0byogUkEKkNBDQc7pVH1JK
 fGAcckxjMw_YIygEjds15zHfk4tY1vW9OsaswR8hLy211wRu6XsBJGNSOx9zpzTFfMFhF5KFz4wi
 GxpmlNzJ755cqpR4wV436_cKLdFI1AooF.PvxJD5XCmxmO6255.MUVX8VIfk9BdUVLvjAH2kANX.
 Ul7Y2xJ9AWTD52a1NcHC0mYQ796212WyDznR0BdcNh8_hOXCYjPG8hmxUl8DCofrx7C5ZYMyRwtF
 wzHxxcrgcowb3MqzS_fUL4Cwqsh6nEcrZusy9eWZeqDZj0.D0oi2x7lqrJIpCqeXgY9Lir7OO4Xw
 36yZaR9V.fQGPDwCx8dkOQzIOgwm8kZ_zV9hcp.fik.r2101DuA8UEbFVmiAn0Cwc8qJ44ac6lbY
 9B39lnJd__SRe
To: kernel-hardening@lists.openwall.com
Cc: thgarnie@google.com, x86@kernel.org, kstewart@linuxfoundation.org,
 gregkh@linuxfoundation.org, keescook@chromium.org
From: Ruslan Nikolaev <nruslan_devel@yahoo.com>
Subject: [PATCH v1 05/06]: Retpoline thunks for PIC modules
Message-ID: <851687ba-39a8-2b97-1b7f-51ab87f4b105@yahoo.com>
Date: Tue, 15 Jan 2019 14:02:13 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.2.1
MIME-Version: 1.0
Content-Language: en-US
X-Virus-Scanned: ClamAV using ClamSMTP

Retpoline thunks for PIC modules

The patch is by Hassan Nadeem and Ruslan Nikolaev. This extends
the prior PIE kernel patch (by Thomas Garnier) to also support
position-independent modules that can be placed anywhere in the
48/64-bit address space (for better KASLR).

Signed-off-by: Ruslan Nikolaev <nruslan_devel@yahoo.com>
---
  Makefile    |    3 +++
  retpoline.S |   47 +++++++++++++++++++++++++++++++++++++++++++++++
  2 files changed, 50 insertions(+)

diff -uprN a/arch/x86/module-lib/Makefile b/arch/x86/module-lib/Makefile
--- a/arch/x86/module-lib/Makefile	1969-12-31 19:00:00.000000000 -0500
+++ b/arch/x86/module-lib/Makefile	2019-01-15 11:32:46.721911879 -0500
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: GPL-2.0
+
+obj-$(CONFIG_RETPOLINE) += retpoline.o
\ No newline at end of file
diff -uprN a/arch/x86/module-lib/retpoline.S 
b/arch/x86/module-lib/retpoline.S
--- a/arch/x86/module-lib/retpoline.S	1969-12-31 19:00:00.000000000 -0500
+++ b/arch/x86/module-lib/retpoline.S	2019-01-15 11:32:46.721911879 -0500
@@ -0,0 +1,47 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+#include <linux/stringify.h>
+#include <linux/linkage.h>
+#include <asm/dwarf2.h>
+#include <asm/cpufeatures.h>
+#include <asm/alternative-asm.h>
+#include <asm/export.h>
+#include <asm/nospec-branch.h>
+
+.macro THUNK reg
+	.section .text.__x86.indirect_thunk
+
+ENTRY(__x86_indirect_thunk_\reg)
+	CFI_STARTPROC
+	JMP_NOSPEC %\reg
+	CFI_ENDPROC
+ENDPROC(__x86_indirect_thunk_\reg)
+.endm
+
+/*
+ * Despite being an assembler file we can't just use .irp here
+ * because __KSYM_DEPS__ only uses the C preprocessor and would
+ * only see one instance of "__x86_indirect_thunk_\reg" rather
+ * than one per register with the correct names. So we do it
+ * the simple and nasty way...
+ */
+#define GENERATE_THUNK(reg) THUNK reg
+
+GENERATE_THUNK(_ASM_AX)
+GENERATE_THUNK(_ASM_BX)
+GENERATE_THUNK(_ASM_CX)
+GENERATE_THUNK(_ASM_DX)
+GENERATE_THUNK(_ASM_SI)
+GENERATE_THUNK(_ASM_DI)
+GENERATE_THUNK(_ASM_BP)
+#ifdef CONFIG_64BIT
+GENERATE_THUNK(r8)
+GENERATE_THUNK(r9)
+GENERATE_THUNK(r10)
+GENERATE_THUNK(r11)
+GENERATE_THUNK(r12)
+GENERATE_THUNK(r13)
+GENERATE_THUNK(r14)
+GENERATE_THUNK(r15)
+#endif
+