From: Joe Simmons-Talbott <josimmon@redhat.com>
To: Noah Goldstein <goldstein.w.n@gmail.com>
Cc: Florian Weimer <fweimer@redhat.com>,
Noah Goldstein via Libc-alpha <libc-alpha@sourceware.org>
Subject: Re: [PATCH v6 1/3] x86_64: Set the syscall register right before doing the syscall.
Date: Wed, 28 Jun 2023 15:17:05 -0400 [thread overview]
Message-ID: <20230628191705.GQ6392@oak> (raw)
In-Reply-To: <CAFUsyfJPxRK5a5Z6i2u6VioDwZ6wszc10d=NN5Z3mpoC1xm6tA@mail.gmail.com>
On Wed, May 31, 2023 at 01:23:44PM -0500, Noah Goldstein wrote:
> On Tue, May 30, 2023 at 5:13 AM Florian Weimer <fweimer@redhat.com> wrote:
> >
> > * Noah Goldstein:
> >
> > > On Fri, May 26, 2023 at 5:59 AM Joe Simmons-Talbott <josimmon@redhat.com> wrote:
> > >>
> > >> On Fri, May 26, 2023 at 09:04:06AM +0200, Florian Weimer wrote:
> > >> > * Noah Goldstein via Libc-alpha:
> > >> >
> > >> > > I'm minorly opposed to this patch. Even if GLIBC guarantees all
> > >> > > syscalls will set the number the instruction before, that's no guarantee
> > >> > > for the entire program. Furthermore in the event of:
> > >> > > `movl $VAL, %eax; syscall`
> > >> > > It's still not safe to *always* assume that `VAL` correspond to the
> > >> > > syscall number as a jump (direct or indirect) could still go between
> > >> > > the instructions (i.e there is no guarantee in the assembly that the
> > >> > > `mov` dominates the `syscall).
> > >> > > So at the end of the day, we are bloating the library without, AFAICT,
> > >> > > providing any real guarantee. Maybe I'm missing something?
> > >> >
> > >> > Joe, is there a size change to libc.so.6 as the result of this change?
> > >>
> > >> No, the size is the same with and with out this patchset on x86_64.
> > >>
> > > There aren't many syscalls so it's only a minor cost (hence the only
> > > minor opposition), but I don't see the value this provides given that it
> > > still won't be safe to assume the syscall number is always set the
> > > instruction beforehand for any robust purpose. So it still feels like
> > > why take any cost at all?
> >
> > I think there is any run-time cost at all, only the increased source
> > complexity.
> >
> > It's much easier to change glibc than to add full register tracking to a
> > the static analysis tool that discovers system calls in the disassembly.
> >
>
> Is the aim only to verify libc.so or to verify arbitrary binaries? If the
> former then sure I guess we know we only use the syscall wrapper
> so this may help (more on that), but if it's arbitrary binaries there
> is no guarantee they are using the GLIBC syscall wrapper for their
> syscalls.
>
> If it really is just GLIBC then this change seems unnecessary. Even
> if there can be separation between setting rax and the syscall, the
> way we have the wrappers setup we know there will always be a
> dominating write to rax with the syscall number so would rather see
> the case where that isn't trivial to find as a motivator first. Or we could
> just do source code level analysis as we will always have the
> syscall number in macro invocation.
>
Right now we are only concerned with libc.so. Here's an example case
from my installed libc.so.
000000000003ec70 <__GI___arc4random_buf.part.0>:
3ec70: 55 push %rbp
3ec71: 41 b8 3e 01 00 00 mov $0x13e,%r8d
3ec77: 48 89 e5 mov %rsp,%rbp
3ec7a: 41 56 push %r14
3ec7c: 41 55 push %r13
3ec7e: 41 54 push %r12
3ec80: 49 89 fc mov %rdi,%r12
3ec83: 53 push %rbx
3ec84: 48 89 f3 mov %rsi,%rbx
3ec87: 48 83 ec 10 sub $0x10,%rsp
3ec8b: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
3ec92: 00 00
3ec94: 48 89 45 d8 mov %rax,-0x28(%rbp)
3ec98: 31 c0 xor %eax,%eax
3ec9a: 31 d2 xor %edx,%edx
3ec9c: 48 89 de mov %rbx,%rsi
3ec9f: 4c 89 e7 mov %r12,%rdi
3eca2: 44 89 c0 mov %r8d,%eax
3eca5: 0f 05 syscall
And with my patchset:
0000000000039480 <__GI___arc4random_buf.part.0>:
39480: 41 55 push %r13
39482: 41 54 push %r12
39484: 55 push %rbp
39485: 48 89 fd mov %rdi,%rbp
39488: 53 push %rbx
39489: 48 89 f3 mov %rsi,%rbx
3948c: 48 83 ec 18 sub $0x18,%rsp
39490: 31 d2 xor %edx,%edx
39492: 48 89 de mov %rbx,%rsi
39495: 48 89 ef mov %rbp,%rdi
39498: b8 3e 01 00 00 mov $0x13e,%eax
3949d: 0f 05 syscall
Thanks,
Joe
next prev parent reply other threads:[~2023-06-28 19:17 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-24 15:03 [PATCH v6 0/3] x86_64: aarch64: Set call number just before syscall Joe Simmons-Talbott
2023-04-24 15:03 ` [PATCH v6 1/3] x86_64: Set the syscall register right before doing the syscall Joe Simmons-Talbott
2023-05-15 14:15 ` Joe Simmons-Talbott
2023-05-15 16:20 ` H.J. Lu
2023-05-25 18:07 ` Joe Simmons-Talbott
2023-05-25 18:40 ` Noah Goldstein
2023-05-26 7:04 ` Florian Weimer
2023-05-26 12:59 ` Joe Simmons-Talbott
2023-05-26 21:18 ` Noah Goldstein
2023-05-30 10:13 ` Florian Weimer
2023-05-31 18:23 ` Noah Goldstein
2023-06-28 19:17 ` Joe Simmons-Talbott [this message]
2023-04-24 15:03 ` [PATCH v6 2/3] aarch64: " Joe Simmons-Talbott
2023-05-09 7:47 ` Szabolcs Nagy
2023-04-24 15:03 ` [PATCH v6 3/3] nptl: Use direct syscall numbers in setxid Joe Simmons-Talbott
2023-04-24 15:17 ` Xi Ruoyao
2023-04-26 9:46 ` Szabolcs Nagy
2023-04-28 10:52 ` Florian Weimer
2023-04-26 12:39 ` Cristian Rodríguez
2023-04-26 13:24 ` Szabolcs Nagy
2023-05-25 18:07 ` Joe Simmons-Talbott
2023-05-08 14:13 ` [PATCH v6 0/3] x86_64: aarch64: Set call number just before syscall Joe Simmons-Talbott
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230628191705.GQ6392@oak \
--to=josimmon@redhat.com \
--cc=fweimer@redhat.com \
--cc=goldstein.w.n@gmail.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).