Re: [PATCH v6 1/3] x86_64: Set the syscall register right before doing the syscall.

public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed

From: Joe Simmons-Talbott <josimmon@redhat.com>
To: Noah Goldstein <goldstein.w.n@gmail.com>
Cc: Florian Weimer <fweimer@redhat.com>,
	Noah Goldstein via Libc-alpha <libc-alpha@sourceware.org>
Subject: Re: [PATCH v6 1/3] x86_64: Set the syscall register right before doing the syscall.
Date: Wed, 28 Jun 2023 15:17:05 -0400	[thread overview]
Message-ID: <20230628191705.GQ6392@oak> (raw)
In-Reply-To: <CAFUsyfJPxRK5a5Z6i2u6VioDwZ6wszc10d=NN5Z3mpoC1xm6tA@mail.gmail.com>

On Wed, May 31, 2023 at 01:23:44PM -0500, Noah Goldstein wrote:
> On Tue, May 30, 2023 at 5:13 AM Florian Weimer <fweimer@redhat.com> wrote:
> >
> > * Noah Goldstein:
> >
> > > On Fri, May 26, 2023 at 5:59 AM Joe Simmons-Talbott <josimmon@redhat.com> wrote:
> > >>
> > >> On Fri, May 26, 2023 at 09:04:06AM +0200, Florian Weimer wrote:
> > >> > * Noah Goldstein via Libc-alpha:
> > >> >
> > >> > > I'm minorly opposed to this patch. Even if GLIBC guarantees all
> > >> > > syscalls will set the number the instruction before, that's no guarantee
> > >> > > for the entire program. Furthermore in the event of:
> > >> > >    `movl $VAL, %eax; syscall`
> > >> > > It's still not safe to *always* assume that `VAL` correspond to the
> > >> > > syscall number as a jump (direct or indirect) could still go between
> > >> > > the instructions (i.e there is no guarantee in the assembly that the
> > >> > > `mov` dominates the `syscall).
> > >> > > So at the end of the day, we are bloating the library without, AFAICT,
> > >> > > providing any real guarantee. Maybe I'm missing something?
> > >> >
> > >> > Joe, is there a size change to libc.so.6 as the result of this change?
> > >>
> > >> No, the size is the same with and with out this patchset on x86_64.
> > >>
> > > There aren't many syscalls so it's only a minor cost (hence the only
> > > minor opposition), but I don't see the value this provides given that it
> > > still won't be safe to assume the syscall number is always set the
> > > instruction beforehand for any robust purpose. So it still feels like
> > > why take any cost at all?
> >
> > I think there is any run-time cost at all, only the increased source
> > complexity.
> >
> > It's much easier to change glibc than to add full register tracking to a
> > the static analysis tool that discovers system calls in the disassembly.
> >
> 
> Is the aim only to verify libc.so or to verify arbitrary binaries? If the
> former then sure I guess we know we only use the syscall wrapper
> so this may help (more on that), but if it's arbitrary binaries there
> is no guarantee they are using the GLIBC syscall wrapper for their
> syscalls.
> 
> If it really is just GLIBC then this change seems unnecessary. Even
> if there can be separation between setting rax and the syscall, the
> way we have the wrappers setup we know there will always be a
> dominating write to rax with the syscall number so would rather see
> the case where that isn't trivial to find as a motivator first. Or we could
> just do source code level analysis as we will always have the
> syscall number in macro invocation.
> 

Right now we are only concerned with libc.so.  Here's an example case
from my installed libc.so.

000000000003ec70 <__GI___arc4random_buf.part.0>:
   3ec70:       55                      push   %rbp
   3ec71:       41 b8 3e 01 00 00       mov    $0x13e,%r8d
   3ec77:       48 89 e5                mov    %rsp,%rbp
   3ec7a:       41 56                   push   %r14
   3ec7c:       41 55                   push   %r13
   3ec7e:       41 54                   push   %r12
   3ec80:       49 89 fc                mov    %rdi,%r12
   3ec83:       53                      push   %rbx
   3ec84:       48 89 f3                mov    %rsi,%rbx
   3ec87:       48 83 ec 10             sub    $0x10,%rsp
   3ec8b:       64 48 8b 04 25 28 00    mov    %fs:0x28,%rax
   3ec92:       00 00 
   3ec94:       48 89 45 d8             mov    %rax,-0x28(%rbp)
   3ec98:       31 c0                   xor    %eax,%eax
   3ec9a:       31 d2                   xor    %edx,%edx
   3ec9c:       48 89 de                mov    %rbx,%rsi
   3ec9f:       4c 89 e7                mov    %r12,%rdi
   3eca2:       44 89 c0                mov    %r8d,%eax
   3eca5:       0f 05                   syscall

And with my patchset:

0000000000039480 <__GI___arc4random_buf.part.0>:
   39480:       41 55                   push   %r13
   39482:       41 54                   push   %r12
   39484:       55                      push   %rbp
   39485:       48 89 fd                mov    %rdi,%rbp
   39488:       53                      push   %rbx
   39489:       48 89 f3                mov    %rsi,%rbx
   3948c:       48 83 ec 18             sub    $0x18,%rsp
   39490:       31 d2                   xor    %edx,%edx
   39492:       48 89 de                mov    %rbx,%rsi
   39495:       48 89 ef                mov    %rbp,%rdi
   39498:       b8 3e 01 00 00          mov    $0x13e,%eax
   3949d:       0f 05                   syscall 


Thanks,
Joe

next prev parent reply	other threads:[~2023-06-28 19:17 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-04-24 15:03 [PATCH v6 0/3] x86_64: aarch64: Set call number just before syscall Joe Simmons-Talbott
2023-04-24 15:03 ` [PATCH v6 1/3] x86_64: Set the syscall register right before doing the syscall Joe Simmons-Talbott
2023-05-15 14:15   ` Joe Simmons-Talbott
2023-05-15 16:20     ` H.J. Lu
2023-05-25 18:07   ` Joe Simmons-Talbott
2023-05-25 18:40     ` Noah Goldstein
2023-05-26  7:04       ` Florian Weimer
2023-05-26 12:59         ` Joe Simmons-Talbott
2023-05-26 21:18           ` Noah Goldstein
2023-05-30 10:13             ` Florian Weimer
2023-05-31 18:23               ` Noah Goldstein
2023-06-28 19:17                 ` Joe Simmons-Talbott [this message]
2023-04-24 15:03 ` [PATCH v6 2/3] aarch64: " Joe Simmons-Talbott
2023-05-09  7:47   ` Szabolcs Nagy
2023-04-24 15:03 ` [PATCH v6 3/3] nptl: Use direct syscall numbers in setxid Joe Simmons-Talbott
2023-04-24 15:17   ` Xi Ruoyao
2023-04-26  9:46     ` Szabolcs Nagy
2023-04-28 10:52       ` Florian Weimer
2023-04-26 12:39     ` Cristian Rodríguez
2023-04-26 13:24       ` Szabolcs Nagy
2023-05-25 18:07   ` Joe Simmons-Talbott
2023-05-08 14:13 ` [PATCH v6 0/3] x86_64: aarch64: Set call number just before syscall Joe Simmons-Talbott

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230628191705.GQ6392@oak \
    --to=josimmon@redhat.com \
    --cc=fweimer@redhat.com \
    --cc=goldstein.w.n@gmail.com \
    --cc=libc-alpha@sourceware.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).