1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Copyright (C) 2015-2017 Josh Poimboeuf <jpoimboe@redhat.com> 4 */ 5 6 #define _GNU_SOURCE /* memmem() */ 7 #include <fnmatch.h> 8 #include <string.h> 9 #include <stdlib.h> 10 #include <inttypes.h> 11 #include <sys/mman.h> 12 13 #include <objtool/builtin.h> 14 #include <objtool/cfi.h> 15 #include <objtool/arch.h> 16 #include <objtool/disas.h> 17 #include <objtool/check.h> 18 #include <objtool/special.h> 19 #include <objtool/trace.h> 20 #include <objtool/warn.h> 21 #include <objtool/checksum.h> 22 #include <objtool/util.h> 23 24 #include <linux/objtool_types.h> 25 #include <linux/hashtable.h> 26 #include <linux/kernel.h> 27 #include <linux/static_call_types.h> 28 #include <linux/string.h> 29 30 static unsigned long nr_cfi, nr_cfi_reused, nr_cfi_cache; 31 32 static struct cfi_init_state initial_func_cfi; 33 static struct cfi_state init_cfi; 34 static struct cfi_state func_cfi; 35 static struct cfi_state force_undefined_cfi; 36 37 struct disas_context *objtool_disas_ctx; 38 39 size_t sym_name_max_len; 40 41 struct instruction *find_insn(struct objtool_file *file, 42 struct section *sec, unsigned long offset) 43 { 44 struct instruction *insn; 45 46 hash_for_each_possible(file->insn_hash, insn, hash, sec_offset_hash(sec, offset)) { 47 if (insn->sec == sec && insn->offset == offset) 48 return insn; 49 } 50 51 return NULL; 52 } 53 54 struct instruction *next_insn_same_sec(struct objtool_file *file, 55 struct instruction *insn) 56 { 57 if (insn->idx == INSN_CHUNK_MAX) 58 return find_insn(file, insn->sec, insn->offset + insn->len); 59 60 insn++; 61 if (!insn->len) 62 return NULL; 63 64 return insn; 65 } 66 67 static struct instruction *next_insn_same_func(struct objtool_file *file, 68 struct instruction *insn) 69 { 70 struct instruction *next = next_insn_same_sec(file, insn); 71 struct symbol *func = insn_func(insn); 72 73 if (!func) 74 return NULL; 75 76 if (next && insn_func(next) == func) 77 return next; 78 79 /* Check if we're already in the subfunction: */ 80 if (func == func->cfunc) 81 return NULL; 82 83 /* Move to the subfunction: */ 84 return find_insn(file, func->cfunc->sec, func->cfunc->offset); 85 } 86 87 static struct instruction *prev_insn_same_sec(struct objtool_file *file, 88 struct instruction *insn) 89 { 90 if (insn->idx == 0) { 91 if (insn->prev_len) 92 return find_insn(file, insn->sec, insn->offset - insn->prev_len); 93 return NULL; 94 } 95 96 return insn - 1; 97 } 98 99 static struct instruction *prev_insn_same_sym(struct objtool_file *file, 100 struct instruction *insn) 101 { 102 struct instruction *prev = prev_insn_same_sec(file, insn); 103 104 if (prev && insn_func(prev) == insn_func(insn)) 105 return prev; 106 107 return NULL; 108 } 109 110 #define for_each_insn(file, insn) \ 111 for (struct section *__sec, *__fake = (struct section *)1; \ 112 __fake; __fake = NULL) \ 113 for_each_sec(file->elf, __sec) \ 114 sec_for_each_insn(file, __sec, insn) 115 116 #define func_for_each_insn(file, func, insn) \ 117 for (insn = find_insn(file, func->sec, func->offset); \ 118 insn; \ 119 insn = next_insn_same_func(file, insn)) 120 121 #define sym_for_each_insn(file, sym, insn) \ 122 for (insn = find_insn(file, sym->sec, sym->offset); \ 123 insn && insn->offset < sym->offset + sym->len; \ 124 insn = next_insn_same_sec(file, insn)) 125 126 #define sym_for_each_insn_continue_reverse(file, sym, insn) \ 127 for (insn = prev_insn_same_sec(file, insn); \ 128 insn && insn->offset >= sym->offset; \ 129 insn = prev_insn_same_sec(file, insn)) 130 131 #define sec_for_each_insn_from(file, insn) \ 132 for (; insn; insn = next_insn_same_sec(file, insn)) 133 134 #define sec_for_each_insn_continue(file, insn) \ 135 for (insn = next_insn_same_sec(file, insn); insn; \ 136 insn = next_insn_same_sec(file, insn)) 137 138 static inline struct reloc *insn_jump_table(struct instruction *insn) 139 { 140 if (insn->type == INSN_JUMP_DYNAMIC || 141 insn->type == INSN_CALL_DYNAMIC) 142 return insn->_jump_table; 143 144 return NULL; 145 } 146 147 static inline unsigned long insn_jump_table_size(struct instruction *insn) 148 { 149 if (insn->type == INSN_JUMP_DYNAMIC || 150 insn->type == INSN_CALL_DYNAMIC) 151 return insn->_jump_table_size; 152 153 return 0; 154 } 155 156 static bool is_jump_table_jump(struct instruction *insn) 157 { 158 struct alt_group *alt_group = insn->alt_group; 159 160 if (insn_jump_table(insn)) 161 return true; 162 163 /* Retpoline alternative for a jump table? */ 164 return alt_group && alt_group->orig_group && 165 insn_jump_table(alt_group->orig_group->first_insn); 166 } 167 168 static bool is_sibling_call(struct instruction *insn) 169 { 170 /* 171 * Assume only STT_FUNC calls have jump-tables. 172 */ 173 if (insn_func(insn)) { 174 /* An indirect jump is either a sibling call or a jump to a table. */ 175 if (insn->type == INSN_JUMP_DYNAMIC) 176 return !is_jump_table_jump(insn); 177 } 178 179 /* add_jump_destinations() sets insn_call_dest(insn) for sibling calls. */ 180 return (is_static_jump(insn) && insn_call_dest(insn)); 181 } 182 183 /* 184 * Checks if a function is a Rust "noreturn" one. 185 */ 186 static bool is_rust_noreturn(const struct symbol *func) 187 { 188 /* 189 * If it does not start with "_R", then it is not a Rust symbol. 190 */ 191 if (strncmp(func->name, "_R", 2)) 192 return false; 193 194 /* 195 * These are just heuristics -- we do not control the precise symbol 196 * name, due to the crate disambiguators (which depend on the compiler) 197 * as well as changes to the source code itself between versions (since 198 * these come from the Rust standard library). 199 */ 200 return str_ends_with(func->name, "_4core5sliceSp15copy_from_slice17len_mismatch_fail") || 201 str_ends_with(func->name, "_4core6option13expect_failed") || 202 str_ends_with(func->name, "_4core6option13unwrap_failed") || 203 str_ends_with(func->name, "_4core6result13unwrap_failed") || 204 str_ends_with(func->name, "_4core9panicking5panic") || 205 str_ends_with(func->name, "_4core9panicking9panic_fmt") || 206 str_ends_with(func->name, "_4core9panicking14panic_explicit") || 207 str_ends_with(func->name, "_4core9panicking14panic_nounwind") || 208 str_ends_with(func->name, "_4core9panicking18panic_bounds_check") || 209 str_ends_with(func->name, "_4core9panicking18panic_nounwind_fmt") || 210 str_ends_with(func->name, "_4core9panicking19assert_failed_inner") || 211 str_ends_with(func->name, "_4core9panicking30panic_null_pointer_dereference") || 212 str_ends_with(func->name, "_4core9panicking36panic_misaligned_pointer_dereference") || 213 str_ends_with(func->name, "_7___rustc17rust_begin_unwind") || 214 strstr(func->name, "_4core9panicking13assert_failed") || 215 strstr(func->name, "_4core9panicking11panic_const24panic_const_") || 216 (strstr(func->name, "_4core5slice5index") && 217 strstr(func->name, "slice_") && 218 str_ends_with(func->name, "_fail")); 219 } 220 221 /* 222 * This checks to see if the given function is a "noreturn" function. 223 * 224 * For global functions which are outside the scope of this object file, we 225 * have to keep a manual list of them. 226 * 227 * For local functions, we have to detect them manually by simply looking for 228 * the lack of a return instruction. 229 */ 230 static bool __dead_end_function(struct objtool_file *file, struct symbol *func, 231 int recursion) 232 { 233 int i; 234 struct instruction *insn; 235 bool empty = true; 236 237 #define NORETURN(func) __stringify(func), 238 static const char * const global_noreturns[] = { 239 #include "noreturns.h" 240 }; 241 #undef NORETURN 242 243 if (!func) 244 return false; 245 246 if (!is_local_sym(func)) { 247 if (is_rust_noreturn(func)) 248 return true; 249 250 for (i = 0; i < ARRAY_SIZE(global_noreturns); i++) 251 if (!strcmp(func->name, global_noreturns[i])) 252 return true; 253 } 254 255 if (is_weak_sym(func)) 256 return false; 257 258 if (!func->len) 259 return false; 260 261 insn = find_insn(file, func->sec, func->offset); 262 if (!insn || !insn_func(insn)) 263 return false; 264 265 func_for_each_insn(file, func, insn) { 266 empty = false; 267 268 if (insn->type == INSN_RETURN) 269 return false; 270 } 271 272 if (empty) 273 return false; 274 275 /* 276 * A function can have a sibling call instead of a return. In that 277 * case, the function's dead-end status depends on whether the target 278 * of the sibling call returns. 279 */ 280 func_for_each_insn(file, func, insn) { 281 if (is_sibling_call(insn)) { 282 struct instruction *dest = insn->jump_dest; 283 284 if (!dest) 285 /* sibling call to another file */ 286 return false; 287 288 /* local sibling call */ 289 if (recursion == 5) { 290 /* 291 * Infinite recursion: two functions have 292 * sibling calls to each other. This is a very 293 * rare case. It means they aren't dead ends. 294 */ 295 return false; 296 } 297 298 return __dead_end_function(file, insn_func(dest), recursion+1); 299 } 300 } 301 302 return true; 303 } 304 305 static bool dead_end_function(struct objtool_file *file, struct symbol *func) 306 { 307 return __dead_end_function(file, func, 0); 308 } 309 310 static void init_cfi_state(struct cfi_state *cfi) 311 { 312 int i; 313 314 for (i = 0; i < CFI_NUM_REGS; i++) { 315 cfi->regs[i].base = CFI_UNDEFINED; 316 cfi->vals[i].base = CFI_UNDEFINED; 317 } 318 cfi->cfa.base = CFI_UNDEFINED; 319 cfi->drap_reg = CFI_UNDEFINED; 320 cfi->drap_offset = -1; 321 } 322 323 static void init_insn_state(struct objtool_file *file, struct insn_state *state, 324 struct section *sec) 325 { 326 memset(state, 0, sizeof(*state)); 327 init_cfi_state(&state->cfi); 328 329 if (opts.noinstr && sec) 330 state->noinstr = sec->noinstr; 331 } 332 333 static struct cfi_state *cfi_alloc(void) 334 { 335 struct cfi_state *cfi = calloc(1, sizeof(struct cfi_state)); 336 if (!cfi) { 337 ERROR_GLIBC("calloc"); 338 exit(1); 339 } 340 nr_cfi++; 341 return cfi; 342 } 343 344 static int cfi_bits; 345 static struct hlist_head *cfi_hash; 346 347 static inline bool cficmp(struct cfi_state *cfi1, struct cfi_state *cfi2) 348 { 349 return memcmp((void *)cfi1 + sizeof(cfi1->hash), 350 (void *)cfi2 + sizeof(cfi2->hash), 351 sizeof(struct cfi_state) - sizeof(struct hlist_node)); 352 } 353 354 static inline u32 cfi_key(struct cfi_state *cfi) 355 { 356 return jhash((void *)cfi + sizeof(cfi->hash), 357 sizeof(*cfi) - sizeof(cfi->hash), 0); 358 } 359 360 static struct cfi_state *cfi_hash_find_or_add(struct cfi_state *cfi) 361 { 362 struct hlist_head *head = &cfi_hash[hash_min(cfi_key(cfi), cfi_bits)]; 363 struct cfi_state *obj; 364 365 hlist_for_each_entry(obj, head, hash) { 366 if (!cficmp(cfi, obj)) { 367 nr_cfi_cache++; 368 return obj; 369 } 370 } 371 372 obj = cfi_alloc(); 373 *obj = *cfi; 374 hlist_add_head(&obj->hash, head); 375 376 return obj; 377 } 378 379 static void cfi_hash_add(struct cfi_state *cfi) 380 { 381 struct hlist_head *head = &cfi_hash[hash_min(cfi_key(cfi), cfi_bits)]; 382 383 hlist_add_head(&cfi->hash, head); 384 } 385 386 static void *cfi_hash_alloc(unsigned long size) 387 { 388 cfi_bits = max(10, ilog2(size)); 389 cfi_hash = mmap(NULL, sizeof(struct hlist_head) << cfi_bits, 390 PROT_READ|PROT_WRITE, 391 MAP_PRIVATE|MAP_ANON, -1, 0); 392 if (cfi_hash == (void *)-1L) { 393 ERROR_GLIBC("mmap fail cfi_hash"); 394 cfi_hash = NULL; 395 } else if (opts.stats) { 396 printf("cfi_bits: %d\n", cfi_bits); 397 } 398 399 return cfi_hash; 400 } 401 402 static unsigned long nr_insns; 403 static unsigned long nr_insns_visited; 404 405 /* 406 * Call the arch-specific instruction decoder for all the instructions and add 407 * them to the global instruction list. 408 */ 409 static int decode_instructions(struct objtool_file *file) 410 { 411 struct section *sec; 412 struct symbol *func; 413 unsigned long offset; 414 struct instruction *insn; 415 416 for_each_sec(file->elf, sec) { 417 struct instruction *insns = NULL; 418 u8 prev_len = 0; 419 u8 idx = 0; 420 421 if (!is_text_sec(sec)) 422 continue; 423 424 if (strcmp(sec->name, ".altinstr_replacement") && 425 strcmp(sec->name, ".altinstr_aux") && 426 strncmp(sec->name, ".discard.", 9)) 427 sec->text = true; 428 429 if (!strcmp(sec->name, ".noinstr.text") || 430 !strcmp(sec->name, ".entry.text") || 431 !strcmp(sec->name, ".cpuidle.text") || 432 !strncmp(sec->name, ".text..__x86.", 13)) 433 sec->noinstr = true; 434 435 /* 436 * .init.text code is ran before userspace and thus doesn't 437 * strictly need retpolines, except for modules which are 438 * loaded late, they very much do need retpoline in their 439 * .init.text 440 */ 441 if (!strcmp(sec->name, ".init.text") && !opts.module) 442 sec->init = true; 443 444 for (offset = 0; offset < sec_size(sec); offset += insn->len) { 445 if (!insns || idx == INSN_CHUNK_MAX) { 446 insns = calloc(INSN_CHUNK_SIZE, sizeof(*insn)); 447 if (!insns) { 448 ERROR_GLIBC("calloc"); 449 return -1; 450 } 451 idx = 0; 452 } else { 453 idx++; 454 } 455 insn = &insns[idx]; 456 insn->idx = idx; 457 458 INIT_LIST_HEAD(&insn->call_node); 459 insn->sec = sec; 460 insn->offset = offset; 461 insn->prev_len = prev_len; 462 463 if (arch_decode_instruction(file, sec, offset, sec_size(sec) - offset, insn)) 464 return -1; 465 466 prev_len = insn->len; 467 468 /* 469 * By default, "ud2" is a dead end unless otherwise 470 * annotated, because GCC 7 inserts it for certain 471 * divide-by-zero cases. 472 */ 473 if (insn->type == INSN_BUG) 474 insn->dead_end = true; 475 476 hash_add(file->insn_hash, &insn->hash, sec_offset_hash(sec, insn->offset)); 477 nr_insns++; 478 } 479 480 sec_for_each_sym(sec, func) { 481 if (!is_notype_sym(func) && !is_func_sym(func)) 482 continue; 483 484 if (func->offset == sec_size(sec)) { 485 /* Heuristic: likely an "end" symbol */ 486 if (is_notype_sym(func)) 487 continue; 488 ERROR("%s(): STT_FUNC at end of section", func->name); 489 return -1; 490 } 491 492 if (func->embedded_insn || func->alias != func) 493 continue; 494 495 if (!find_insn(file, sec, func->offset)) { 496 ERROR("%s(): can't find starting instruction", func->name); 497 return -1; 498 } 499 500 sym_for_each_insn(file, func, insn) { 501 insn->sym = func; 502 if (is_func_sym(func) && 503 insn->type == INSN_ENDBR && 504 list_empty(&insn->call_node)) { 505 if (insn->offset == func->offset) { 506 list_add_tail(&insn->call_node, &file->endbr_list); 507 file->nr_endbr++; 508 } else { 509 file->nr_endbr_int++; 510 } 511 } 512 } 513 } 514 } 515 516 if (opts.stats) 517 printf("nr_insns: %lu\n", nr_insns); 518 519 return 0; 520 } 521 522 /* 523 * Read the pv_ops[] .data table to find the static initialized values. 524 */ 525 static int add_pv_ops(struct objtool_file *file, const char *symname) 526 { 527 struct symbol *sym, *func; 528 unsigned long off, end; 529 struct reloc *reloc; 530 int idx; 531 532 sym = find_symbol_by_name(file->elf, symname); 533 if (!sym) 534 return 0; 535 536 off = sym->offset; 537 end = off + sym->len; 538 for (;;) { 539 reloc = find_reloc_by_dest_range(file->elf, sym->sec, off, end - off); 540 if (!reloc) 541 break; 542 543 idx = (reloc_offset(reloc) - sym->offset) / sizeof(unsigned long); 544 545 func = reloc->sym; 546 if (is_sec_sym(func)) 547 func = find_symbol_by_offset(reloc->sym->sec, 548 reloc_addend(reloc)); 549 if (!func) { 550 ERROR_FUNC(reloc->sym->sec, reloc_addend(reloc), 551 "can't find func at %s[%d]", symname, idx); 552 return -1; 553 } 554 555 if (objtool_pv_add(file, idx, func)) 556 return -1; 557 558 off = reloc_offset(reloc) + 1; 559 if (off > end) 560 break; 561 } 562 563 return 0; 564 } 565 566 /* 567 * Allocate and initialize file->pv_ops[]. 568 */ 569 static int init_pv_ops(struct objtool_file *file) 570 { 571 static const char *pv_ops_tables[] = { 572 "pv_ops", 573 "xen_cpu_ops", 574 "xen_irq_ops", 575 "xen_mmu_ops", 576 NULL, 577 }; 578 const char *pv_ops; 579 struct symbol *sym; 580 int idx, nr; 581 582 if (!opts.noinstr) 583 return 0; 584 585 file->pv_ops = NULL; 586 587 sym = find_symbol_by_name(file->elf, "pv_ops"); 588 if (!sym) 589 return 0; 590 591 nr = sym->len / sizeof(unsigned long); 592 file->pv_ops = calloc(nr, sizeof(struct pv_state)); 593 if (!file->pv_ops) { 594 ERROR_GLIBC("calloc"); 595 return -1; 596 } 597 598 for (idx = 0; idx < nr; idx++) 599 INIT_LIST_HEAD(&file->pv_ops[idx].targets); 600 601 for (idx = 0; (pv_ops = pv_ops_tables[idx]); idx++) { 602 if (add_pv_ops(file, pv_ops)) 603 return -1; 604 } 605 606 return 0; 607 } 608 609 static bool is_livepatch_module(struct objtool_file *file) 610 { 611 struct section *sec; 612 613 if (!opts.module) 614 return false; 615 616 sec = find_section_by_name(file->elf, ".modinfo"); 617 if (!sec) 618 return false; 619 620 return memmem(sec->data->d_buf, sec_size(sec), "\0livepatch=Y", 12); 621 } 622 623 static int create_static_call_sections(struct objtool_file *file) 624 { 625 struct static_call_site *site; 626 struct section *sec; 627 struct instruction *insn; 628 struct symbol *key_sym; 629 char *key_name, *tmp; 630 int idx; 631 632 sec = find_section_by_name(file->elf, ".static_call_sites"); 633 if (sec) { 634 /* 635 * Livepatch modules may have already extracted the static call 636 * site entries to take advantage of vmlinux static call 637 * privileges. 638 */ 639 if (!file->klp) 640 WARN("file already has .static_call_sites section, skipping"); 641 642 return 0; 643 } 644 645 if (list_empty(&file->static_call_list)) 646 return 0; 647 648 idx = 0; 649 list_for_each_entry(insn, &file->static_call_list, call_node) 650 idx++; 651 652 sec = elf_create_section_pair(file->elf, ".static_call_sites", 653 sizeof(*site), idx, idx * 2); 654 if (!sec) 655 return -1; 656 657 /* Allow modules to modify the low bits of static_call_site::key */ 658 sec->sh.sh_flags |= SHF_WRITE; 659 660 idx = 0; 661 list_for_each_entry(insn, &file->static_call_list, call_node) { 662 663 /* populate reloc for 'addr' */ 664 if (!elf_init_reloc_text_sym(file->elf, sec, 665 idx * sizeof(*site), idx * 2, 666 insn->sec, insn->offset)) 667 return -1; 668 669 /* find key symbol */ 670 key_name = strdup(insn_call_dest(insn)->name); 671 if (!key_name) { 672 ERROR_GLIBC("strdup"); 673 return -1; 674 } 675 if (strncmp(key_name, STATIC_CALL_TRAMP_PREFIX_STR, 676 STATIC_CALL_TRAMP_PREFIX_LEN)) { 677 ERROR("static_call: trampoline name malformed: %s", key_name); 678 return -1; 679 } 680 tmp = key_name + STATIC_CALL_TRAMP_PREFIX_LEN - STATIC_CALL_KEY_PREFIX_LEN; 681 memcpy(tmp, STATIC_CALL_KEY_PREFIX_STR, STATIC_CALL_KEY_PREFIX_LEN); 682 683 key_sym = find_symbol_by_name(file->elf, tmp); 684 if (!key_sym) { 685 if (!opts.module || file->klp) { 686 ERROR("static_call: can't find static_call_key symbol: %s", tmp); 687 return -1; 688 } 689 690 /* 691 * For modules(), the key might not be exported, which 692 * means the module can make static calls but isn't 693 * allowed to change them. 694 * 695 * In that case we temporarily set the key to be the 696 * trampoline address. This is fixed up in 697 * static_call_add_module(). 698 */ 699 key_sym = insn_call_dest(insn); 700 } 701 702 /* populate reloc for 'key' */ 703 if (!elf_init_reloc_data_sym(file->elf, sec, 704 idx * sizeof(*site) + 4, 705 (idx * 2) + 1, key_sym, 706 is_sibling_call(insn) * STATIC_CALL_SITE_TAIL)) 707 return -1; 708 709 idx++; 710 } 711 712 return 0; 713 } 714 715 static int create_retpoline_sites_sections(struct objtool_file *file) 716 { 717 struct instruction *insn; 718 struct section *sec; 719 int idx; 720 721 sec = find_section_by_name(file->elf, ".retpoline_sites"); 722 if (sec) { 723 WARN("file already has .retpoline_sites, skipping"); 724 return 0; 725 } 726 727 idx = 0; 728 list_for_each_entry(insn, &file->retpoline_call_list, call_node) 729 idx++; 730 731 if (!idx) 732 return 0; 733 734 sec = elf_create_section_pair(file->elf, ".retpoline_sites", 735 sizeof(int), idx, idx); 736 if (!sec) 737 return -1; 738 739 idx = 0; 740 list_for_each_entry(insn, &file->retpoline_call_list, call_node) { 741 742 if (!elf_init_reloc_text_sym(file->elf, sec, 743 idx * sizeof(int), idx, 744 insn->sec, insn->offset)) 745 return -1; 746 747 idx++; 748 } 749 750 return 0; 751 } 752 753 static int create_return_sites_sections(struct objtool_file *file) 754 { 755 struct instruction *insn; 756 struct section *sec; 757 int idx; 758 759 sec = find_section_by_name(file->elf, ".return_sites"); 760 if (sec) { 761 WARN("file already has .return_sites, skipping"); 762 return 0; 763 } 764 765 idx = 0; 766 list_for_each_entry(insn, &file->return_thunk_list, call_node) 767 idx++; 768 769 if (!idx) 770 return 0; 771 772 sec = elf_create_section_pair(file->elf, ".return_sites", 773 sizeof(int), idx, idx); 774 if (!sec) 775 return -1; 776 777 idx = 0; 778 list_for_each_entry(insn, &file->return_thunk_list, call_node) { 779 780 if (!elf_init_reloc_text_sym(file->elf, sec, 781 idx * sizeof(int), idx, 782 insn->sec, insn->offset)) 783 return -1; 784 785 idx++; 786 } 787 788 return 0; 789 } 790 791 static int create_ibt_endbr_seal_sections(struct objtool_file *file) 792 { 793 struct instruction *insn; 794 struct section *sec; 795 int idx; 796 797 sec = find_section_by_name(file->elf, ".ibt_endbr_seal"); 798 if (sec) { 799 WARN("file already has .ibt_endbr_seal, skipping"); 800 return 0; 801 } 802 803 idx = 0; 804 list_for_each_entry(insn, &file->endbr_list, call_node) 805 idx++; 806 807 if (opts.stats) { 808 printf("ibt: ENDBR at function start: %d\n", file->nr_endbr); 809 printf("ibt: ENDBR inside functions: %d\n", file->nr_endbr_int); 810 printf("ibt: superfluous ENDBR: %d\n", idx); 811 } 812 813 if (!idx) 814 return 0; 815 816 sec = elf_create_section_pair(file->elf, ".ibt_endbr_seal", 817 sizeof(int), idx, idx); 818 if (!sec) 819 return -1; 820 821 idx = 0; 822 list_for_each_entry(insn, &file->endbr_list, call_node) { 823 824 int *site = (int *)sec->data->d_buf + idx; 825 struct symbol *sym = insn->sym; 826 *site = 0; 827 828 if (opts.module && sym && is_func_sym(sym) && 829 insn->offset == sym->offset && 830 (!strcmp(sym->name, "init_module") || 831 !strcmp(sym->name, "cleanup_module"))) { 832 ERROR("%s(): Magic init_module() function name is deprecated, use module_init(fn) instead", 833 sym->name); 834 return -1; 835 } 836 837 if (!elf_init_reloc_text_sym(file->elf, sec, 838 idx * sizeof(int), idx, 839 insn->sec, insn->offset)) 840 return -1; 841 842 idx++; 843 } 844 845 return 0; 846 } 847 848 static int create_cfi_sections(struct objtool_file *file) 849 { 850 struct section *sec; 851 struct symbol *sym; 852 int idx; 853 854 sec = find_section_by_name(file->elf, ".cfi_sites"); 855 if (sec) { 856 WARN("file already has .cfi_sites section, skipping"); 857 return 0; 858 } 859 860 idx = 0; 861 for_each_sym(file->elf, sym) { 862 if (!is_func_sym(sym)) 863 continue; 864 865 if (strncmp(sym->name, "__cfi_", 6)) 866 continue; 867 868 idx++; 869 } 870 871 sec = elf_create_section_pair(file->elf, ".cfi_sites", 872 sizeof(unsigned int), idx, idx); 873 if (!sec) 874 return -1; 875 876 idx = 0; 877 for_each_sym(file->elf, sym) { 878 if (!is_func_sym(sym)) 879 continue; 880 881 if (strncmp(sym->name, "__cfi_", 6)) 882 continue; 883 884 if (!elf_init_reloc_text_sym(file->elf, sec, 885 idx * sizeof(unsigned int), idx, 886 sym->sec, sym->offset)) 887 return -1; 888 889 idx++; 890 } 891 892 return 0; 893 } 894 895 static int create_mcount_loc_sections(struct objtool_file *file) 896 { 897 size_t addr_size = elf_addr_size(file->elf); 898 struct instruction *insn; 899 struct section *sec; 900 int idx; 901 902 sec = find_section_by_name(file->elf, "__mcount_loc"); 903 if (sec) { 904 /* 905 * Livepatch modules have already extracted their __mcount_loc 906 * entries to cover the !CONFIG_FTRACE_MCOUNT_USE_OBJTOOL case. 907 */ 908 if (!file->klp) 909 WARN("file already has __mcount_loc section, skipping"); 910 911 return 0; 912 } 913 914 if (list_empty(&file->mcount_loc_list)) 915 return 0; 916 917 idx = 0; 918 list_for_each_entry(insn, &file->mcount_loc_list, call_node) 919 idx++; 920 921 sec = elf_create_section_pair(file->elf, "__mcount_loc", addr_size, 922 idx, idx); 923 if (!sec) 924 return -1; 925 926 sec->sh.sh_addralign = addr_size; 927 928 idx = 0; 929 list_for_each_entry(insn, &file->mcount_loc_list, call_node) { 930 931 struct reloc *reloc; 932 933 reloc = elf_init_reloc_text_sym(file->elf, sec, idx * addr_size, idx, 934 insn->sec, insn->offset); 935 if (!reloc) 936 return -1; 937 938 set_reloc_type(file->elf, reloc, addr_size == 8 ? R_ABS64 : R_ABS32); 939 940 idx++; 941 } 942 943 return 0; 944 } 945 946 static int create_direct_call_sections(struct objtool_file *file) 947 { 948 struct instruction *insn; 949 struct section *sec; 950 int idx; 951 952 sec = find_section_by_name(file->elf, ".call_sites"); 953 if (sec) { 954 WARN("file already has .call_sites section, skipping"); 955 return 0; 956 } 957 958 if (list_empty(&file->call_list)) 959 return 0; 960 961 idx = 0; 962 list_for_each_entry(insn, &file->call_list, call_node) 963 idx++; 964 965 sec = elf_create_section_pair(file->elf, ".call_sites", 966 sizeof(unsigned int), idx, idx); 967 if (!sec) 968 return -1; 969 970 idx = 0; 971 list_for_each_entry(insn, &file->call_list, call_node) { 972 973 if (!elf_init_reloc_text_sym(file->elf, sec, 974 idx * sizeof(unsigned int), idx, 975 insn->sec, insn->offset)) 976 return -1; 977 978 idx++; 979 } 980 981 return 0; 982 } 983 984 #ifdef BUILD_KLP 985 static int create_sym_checksum_section(struct objtool_file *file) 986 { 987 struct section *sec; 988 struct symbol *sym; 989 unsigned int idx = 0; 990 struct sym_checksum *checksum; 991 size_t entsize = sizeof(struct sym_checksum); 992 993 sec = find_section_by_name(file->elf, ".discard.sym_checksum"); 994 if (sec) { 995 if (!opts.dryrun) 996 WARN("file already has .discard.sym_checksum section, skipping"); 997 998 return 0; 999 } 1000 1001 for_each_sym(file->elf, sym) 1002 if (sym->csum.checksum) 1003 idx++; 1004 1005 if (!idx) 1006 return 0; 1007 1008 sec = elf_create_section_pair(file->elf, ".discard.sym_checksum", entsize, 1009 idx, idx); 1010 if (!sec) 1011 return -1; 1012 1013 idx = 0; 1014 for_each_sym(file->elf, sym) { 1015 if (!sym->csum.checksum) 1016 continue; 1017 1018 if (!elf_init_reloc(file->elf, sec->rsec, idx, idx * entsize, 1019 sym, 0, R_TEXT64)) 1020 return -1; 1021 1022 checksum = (struct sym_checksum *)sec->data->d_buf + idx; 1023 checksum->addr = 0; /* reloc */ 1024 checksum->checksum = sym->csum.checksum; 1025 1026 mark_sec_changed(file->elf, sec, true); 1027 1028 idx++; 1029 } 1030 1031 return 0; 1032 } 1033 #else 1034 static int create_sym_checksum_section(struct objtool_file *file) { return -EINVAL; } 1035 #endif 1036 1037 /* 1038 * Warnings shouldn't be reported for ignored functions. 1039 */ 1040 static int add_ignores(struct objtool_file *file) 1041 { 1042 struct section *rsec; 1043 struct symbol *func; 1044 struct reloc *reloc; 1045 1046 rsec = find_section_by_name(file->elf, ".rela.discard.func_stack_frame_non_standard"); 1047 if (!rsec) 1048 return 0; 1049 1050 for_each_reloc(rsec, reloc) { 1051 switch (reloc->sym->type) { 1052 case STT_FUNC: 1053 func = reloc->sym; 1054 break; 1055 1056 case STT_SECTION: 1057 func = find_func_by_offset(reloc->sym->sec, reloc_addend(reloc)); 1058 if (!func) 1059 continue; 1060 break; 1061 1062 default: 1063 ERROR("unexpected relocation symbol type in %s: %d", 1064 rsec->name, reloc->sym->type); 1065 return -1; 1066 } 1067 1068 func->ignore = true; 1069 if (func->cfunc) 1070 func->cfunc->ignore = true; 1071 } 1072 1073 return 0; 1074 } 1075 1076 /* 1077 * This is a whitelist of functions that is allowed to be called with AC set. 1078 * The list is meant to be minimal and only contains compiler instrumentation 1079 * ABI and a few functions used to implement *_{to,from}_user() functions. 1080 * 1081 * These functions must not directly change AC, but may PUSHF/POPF. 1082 */ 1083 static const char *uaccess_safe_builtin[] = { 1084 /* KASAN */ 1085 "kasan_report", 1086 "kasan_check_range", 1087 /* KASAN out-of-line */ 1088 "__asan_loadN_noabort", 1089 "__asan_load1_noabort", 1090 "__asan_load2_noabort", 1091 "__asan_load4_noabort", 1092 "__asan_load8_noabort", 1093 "__asan_load16_noabort", 1094 "__asan_storeN_noabort", 1095 "__asan_store1_noabort", 1096 "__asan_store2_noabort", 1097 "__asan_store4_noabort", 1098 "__asan_store8_noabort", 1099 "__asan_store16_noabort", 1100 "__kasan_check_read", 1101 "__kasan_check_write", 1102 /* KASAN in-line */ 1103 "__asan_report_load_n_noabort", 1104 "__asan_report_load1_noabort", 1105 "__asan_report_load2_noabort", 1106 "__asan_report_load4_noabort", 1107 "__asan_report_load8_noabort", 1108 "__asan_report_load16_noabort", 1109 "__asan_report_store_n_noabort", 1110 "__asan_report_store1_noabort", 1111 "__asan_report_store2_noabort", 1112 "__asan_report_store4_noabort", 1113 "__asan_report_store8_noabort", 1114 "__asan_report_store16_noabort", 1115 /* KCSAN */ 1116 "__kcsan_check_access", 1117 "__kcsan_mb", 1118 "__kcsan_wmb", 1119 "__kcsan_rmb", 1120 "__kcsan_release", 1121 "kcsan_found_watchpoint", 1122 "kcsan_setup_watchpoint", 1123 "kcsan_check_scoped_accesses", 1124 "kcsan_disable_current", 1125 "kcsan_enable_current_nowarn", 1126 /* KCSAN/TSAN */ 1127 "__tsan_func_entry", 1128 "__tsan_func_exit", 1129 "__tsan_read_range", 1130 "__tsan_write_range", 1131 "__tsan_read1", 1132 "__tsan_read2", 1133 "__tsan_read4", 1134 "__tsan_read8", 1135 "__tsan_read16", 1136 "__tsan_write1", 1137 "__tsan_write2", 1138 "__tsan_write4", 1139 "__tsan_write8", 1140 "__tsan_write16", 1141 "__tsan_read_write1", 1142 "__tsan_read_write2", 1143 "__tsan_read_write4", 1144 "__tsan_read_write8", 1145 "__tsan_read_write16", 1146 "__tsan_volatile_read1", 1147 "__tsan_volatile_read2", 1148 "__tsan_volatile_read4", 1149 "__tsan_volatile_read8", 1150 "__tsan_volatile_read16", 1151 "__tsan_volatile_write1", 1152 "__tsan_volatile_write2", 1153 "__tsan_volatile_write4", 1154 "__tsan_volatile_write8", 1155 "__tsan_volatile_write16", 1156 "__tsan_atomic8_load", 1157 "__tsan_atomic16_load", 1158 "__tsan_atomic32_load", 1159 "__tsan_atomic64_load", 1160 "__tsan_atomic8_store", 1161 "__tsan_atomic16_store", 1162 "__tsan_atomic32_store", 1163 "__tsan_atomic64_store", 1164 "__tsan_atomic8_exchange", 1165 "__tsan_atomic16_exchange", 1166 "__tsan_atomic32_exchange", 1167 "__tsan_atomic64_exchange", 1168 "__tsan_atomic8_fetch_add", 1169 "__tsan_atomic16_fetch_add", 1170 "__tsan_atomic32_fetch_add", 1171 "__tsan_atomic64_fetch_add", 1172 "__tsan_atomic8_fetch_sub", 1173 "__tsan_atomic16_fetch_sub", 1174 "__tsan_atomic32_fetch_sub", 1175 "__tsan_atomic64_fetch_sub", 1176 "__tsan_atomic8_fetch_and", 1177 "__tsan_atomic16_fetch_and", 1178 "__tsan_atomic32_fetch_and", 1179 "__tsan_atomic64_fetch_and", 1180 "__tsan_atomic8_fetch_or", 1181 "__tsan_atomic16_fetch_or", 1182 "__tsan_atomic32_fetch_or", 1183 "__tsan_atomic64_fetch_or", 1184 "__tsan_atomic8_fetch_xor", 1185 "__tsan_atomic16_fetch_xor", 1186 "__tsan_atomic32_fetch_xor", 1187 "__tsan_atomic64_fetch_xor", 1188 "__tsan_atomic8_fetch_nand", 1189 "__tsan_atomic16_fetch_nand", 1190 "__tsan_atomic32_fetch_nand", 1191 "__tsan_atomic64_fetch_nand", 1192 "__tsan_atomic8_compare_exchange_strong", 1193 "__tsan_atomic16_compare_exchange_strong", 1194 "__tsan_atomic32_compare_exchange_strong", 1195 "__tsan_atomic64_compare_exchange_strong", 1196 "__tsan_atomic8_compare_exchange_weak", 1197 "__tsan_atomic16_compare_exchange_weak", 1198 "__tsan_atomic32_compare_exchange_weak", 1199 "__tsan_atomic64_compare_exchange_weak", 1200 "__tsan_atomic8_compare_exchange_val", 1201 "__tsan_atomic16_compare_exchange_val", 1202 "__tsan_atomic32_compare_exchange_val", 1203 "__tsan_atomic64_compare_exchange_val", 1204 "__tsan_atomic_thread_fence", 1205 "__tsan_atomic_signal_fence", 1206 "__tsan_unaligned_read16", 1207 "__tsan_unaligned_write16", 1208 /* KCOV */ 1209 "write_comp_data", 1210 "check_kcov_mode", 1211 "__sanitizer_cov_trace_pc", 1212 "__sanitizer_cov_trace_const_cmp1", 1213 "__sanitizer_cov_trace_const_cmp2", 1214 "__sanitizer_cov_trace_const_cmp4", 1215 "__sanitizer_cov_trace_const_cmp8", 1216 "__sanitizer_cov_trace_cmp1", 1217 "__sanitizer_cov_trace_cmp2", 1218 "__sanitizer_cov_trace_cmp4", 1219 "__sanitizer_cov_trace_cmp8", 1220 "__sanitizer_cov_trace_switch", 1221 /* KMSAN */ 1222 "kmsan_copy_to_user", 1223 "kmsan_disable_current", 1224 "kmsan_enable_current", 1225 "kmsan_report", 1226 "kmsan_unpoison_entry_regs", 1227 "kmsan_unpoison_memory", 1228 "__msan_chain_origin", 1229 "__msan_get_context_state", 1230 "__msan_instrument_asm_store", 1231 "__msan_metadata_ptr_for_load_1", 1232 "__msan_metadata_ptr_for_load_2", 1233 "__msan_metadata_ptr_for_load_4", 1234 "__msan_metadata_ptr_for_load_8", 1235 "__msan_metadata_ptr_for_load_n", 1236 "__msan_metadata_ptr_for_store_1", 1237 "__msan_metadata_ptr_for_store_2", 1238 "__msan_metadata_ptr_for_store_4", 1239 "__msan_metadata_ptr_for_store_8", 1240 "__msan_metadata_ptr_for_store_n", 1241 "__msan_poison_alloca", 1242 "__msan_warning", 1243 /* UBSAN */ 1244 "ubsan_type_mismatch_common", 1245 "__ubsan_handle_type_mismatch", 1246 "__ubsan_handle_type_mismatch_v1", 1247 "__ubsan_handle_shift_out_of_bounds", 1248 "__ubsan_handle_load_invalid_value", 1249 /* KSTACK_ERASE */ 1250 "__sanitizer_cov_stack_depth", 1251 /* TRACE_BRANCH_PROFILING */ 1252 "ftrace_likely_update", 1253 /* STACKPROTECTOR */ 1254 "__stack_chk_fail", 1255 /* misc */ 1256 "csum_partial_copy_generic", 1257 "copy_mc_fragile", 1258 "copy_mc_fragile_handle_tail", 1259 "copy_mc_enhanced_fast_string", 1260 "rep_stos_alternative", 1261 "rep_movs_alternative", 1262 "__copy_user_nocache", 1263 NULL 1264 }; 1265 1266 static void add_uaccess_safe(struct objtool_file *file) 1267 { 1268 struct symbol *func; 1269 const char **name; 1270 1271 if (!opts.uaccess) 1272 return; 1273 1274 for (name = uaccess_safe_builtin; *name; name++) { 1275 func = find_symbol_by_name(file->elf, *name); 1276 if (!func) 1277 continue; 1278 1279 func->uaccess_safe = true; 1280 } 1281 } 1282 1283 /* 1284 * Symbols that replace INSN_CALL_DYNAMIC, every (tail) call to such a symbol 1285 * will be added to the .retpoline_sites section. 1286 */ 1287 __weak bool arch_is_retpoline(struct symbol *sym) 1288 { 1289 return false; 1290 } 1291 1292 /* 1293 * Symbols that replace INSN_RETURN, every (tail) call to such a symbol 1294 * will be added to the .return_sites section. 1295 */ 1296 __weak bool arch_is_rethunk(struct symbol *sym) 1297 { 1298 return false; 1299 } 1300 1301 /* 1302 * Symbols that are embedded inside other instructions, because sometimes crazy 1303 * code exists. These are mostly ignored for validation purposes. 1304 */ 1305 __weak bool arch_is_embedded_insn(struct symbol *sym) 1306 { 1307 return false; 1308 } 1309 1310 static struct reloc *insn_reloc(struct objtool_file *file, struct instruction *insn) 1311 { 1312 struct reloc *reloc; 1313 1314 if (insn->no_reloc) 1315 return NULL; 1316 1317 if (!file) 1318 return NULL; 1319 1320 reloc = find_reloc_by_dest_range(file->elf, insn->sec, 1321 insn->offset, insn->len); 1322 if (!reloc) { 1323 insn->no_reloc = 1; 1324 return NULL; 1325 } 1326 1327 return reloc; 1328 } 1329 1330 static void remove_insn_ops(struct instruction *insn) 1331 { 1332 struct stack_op *op, *next; 1333 1334 for (op = insn->stack_ops; op; op = next) { 1335 next = op->next; 1336 free(op); 1337 } 1338 insn->stack_ops = NULL; 1339 } 1340 1341 static int annotate_call_site(struct objtool_file *file, 1342 struct instruction *insn, bool sibling) 1343 { 1344 struct reloc *reloc = insn_reloc(file, insn); 1345 struct symbol *sym = insn_call_dest(insn); 1346 1347 if (!sym) 1348 sym = reloc->sym; 1349 1350 if (sym->static_call_tramp) { 1351 list_add_tail(&insn->call_node, &file->static_call_list); 1352 return 0; 1353 } 1354 1355 if (sym->retpoline_thunk) { 1356 list_add_tail(&insn->call_node, &file->retpoline_call_list); 1357 return 0; 1358 } 1359 1360 /* 1361 * Many compilers cannot disable KCOV or sanitizer calls with a function 1362 * attribute so they need a little help, NOP out any such calls from 1363 * noinstr text. 1364 */ 1365 if (opts.hack_noinstr && insn->sec->noinstr && sym->profiling_func) { 1366 if (reloc) 1367 set_reloc_type(file->elf, reloc, R_NONE); 1368 1369 if (elf_write_insn(file->elf, insn->sec, 1370 insn->offset, insn->len, 1371 sibling ? arch_ret_insn(insn->len) 1372 : arch_nop_insn(insn->len))) { 1373 return -1; 1374 } 1375 1376 insn->type = sibling ? INSN_RETURN : INSN_NOP; 1377 1378 if (sibling) { 1379 /* 1380 * We've replaced the tail-call JMP insn by two new 1381 * insn: RET; INT3, except we only have a single struct 1382 * insn here. Mark it retpoline_safe to avoid the SLS 1383 * warning, instead of adding another insn. 1384 */ 1385 insn->retpoline_safe = true; 1386 } 1387 1388 return 0; 1389 } 1390 1391 if (opts.mcount && sym->fentry) { 1392 if (sibling) 1393 WARN_INSN(insn, "tail call to __fentry__ !?!?"); 1394 if (opts.mnop) { 1395 if (reloc) 1396 set_reloc_type(file->elf, reloc, R_NONE); 1397 1398 if (elf_write_insn(file->elf, insn->sec, 1399 insn->offset, insn->len, 1400 arch_nop_insn(insn->len))) { 1401 return -1; 1402 } 1403 1404 insn->type = INSN_NOP; 1405 } 1406 1407 list_add_tail(&insn->call_node, &file->mcount_loc_list); 1408 return 0; 1409 } 1410 1411 if (insn->type == INSN_CALL && !insn->sec->init && 1412 !insn->_call_dest->embedded_insn) 1413 list_add_tail(&insn->call_node, &file->call_list); 1414 1415 if (!sibling && dead_end_function(file, sym)) 1416 insn->dead_end = true; 1417 1418 return 0; 1419 } 1420 1421 static int add_call_dest(struct objtool_file *file, struct instruction *insn, 1422 struct symbol *dest, bool sibling) 1423 { 1424 insn->_call_dest = dest; 1425 if (!dest) 1426 return 0; 1427 1428 /* 1429 * Whatever stack impact regular CALLs have, should be undone 1430 * by the RETURN of the called function. 1431 * 1432 * Annotated intra-function calls retain the stack_ops but 1433 * are converted to JUMP, see read_intra_function_calls(). 1434 */ 1435 remove_insn_ops(insn); 1436 1437 return annotate_call_site(file, insn, sibling); 1438 } 1439 1440 static int add_retpoline_call(struct objtool_file *file, struct instruction *insn) 1441 { 1442 /* 1443 * Retpoline calls/jumps are really dynamic calls/jumps in disguise, 1444 * so convert them accordingly. 1445 */ 1446 switch (insn->type) { 1447 case INSN_CALL: 1448 insn->type = INSN_CALL_DYNAMIC; 1449 break; 1450 case INSN_JUMP_UNCONDITIONAL: 1451 insn->type = INSN_JUMP_DYNAMIC; 1452 break; 1453 case INSN_JUMP_CONDITIONAL: 1454 insn->type = INSN_JUMP_DYNAMIC_CONDITIONAL; 1455 break; 1456 default: 1457 return 0; 1458 } 1459 1460 insn->retpoline_safe = true; 1461 1462 /* 1463 * Whatever stack impact regular CALLs have, should be undone 1464 * by the RETURN of the called function. 1465 * 1466 * Annotated intra-function calls retain the stack_ops but 1467 * are converted to JUMP, see read_intra_function_calls(). 1468 */ 1469 remove_insn_ops(insn); 1470 1471 return annotate_call_site(file, insn, false); 1472 } 1473 1474 static void add_return_call(struct objtool_file *file, struct instruction *insn, bool add) 1475 { 1476 /* 1477 * Return thunk tail calls are really just returns in disguise, 1478 * so convert them accordingly. 1479 */ 1480 insn->type = INSN_RETURN; 1481 insn->retpoline_safe = true; 1482 1483 if (add) 1484 list_add_tail(&insn->call_node, &file->return_thunk_list); 1485 } 1486 1487 static bool is_first_func_insn(struct objtool_file *file, 1488 struct instruction *insn) 1489 { 1490 struct symbol *func = insn_func(insn); 1491 1492 if (!func) 1493 return false; 1494 1495 if (insn->offset == func->offset) 1496 return true; 1497 1498 /* Allow direct CALL/JMP past ENDBR */ 1499 if (opts.ibt) { 1500 struct instruction *prev = prev_insn_same_sym(file, insn); 1501 1502 if (prev && prev->type == INSN_ENDBR && 1503 insn->offset == func->offset + prev->len) 1504 return true; 1505 } 1506 1507 return false; 1508 } 1509 1510 /* 1511 * Find the destination instructions for all jumps. 1512 */ 1513 static int add_jump_destinations(struct objtool_file *file) 1514 { 1515 struct instruction *insn; 1516 struct reloc *reloc; 1517 1518 for_each_insn(file, insn) { 1519 struct symbol *func = insn_func(insn); 1520 struct instruction *dest_insn; 1521 struct section *dest_sec; 1522 struct symbol *dest_sym; 1523 unsigned long dest_off; 1524 1525 if (!is_static_jump(insn)) 1526 continue; 1527 1528 if (insn->jump_dest) { 1529 /* 1530 * handle_group_alt() may have previously set 1531 * 'jump_dest' for some alternatives. 1532 */ 1533 continue; 1534 } 1535 1536 reloc = insn_reloc(file, insn); 1537 if (!reloc) { 1538 dest_sec = insn->sec; 1539 dest_off = arch_jump_destination(insn); 1540 dest_sym = dest_sec->sym; 1541 } else { 1542 dest_sym = reloc->sym; 1543 if (is_undef_sym(dest_sym)) { 1544 if (dest_sym->retpoline_thunk) { 1545 if (add_retpoline_call(file, insn)) 1546 return -1; 1547 continue; 1548 } 1549 1550 if (dest_sym->return_thunk) { 1551 add_return_call(file, insn, true); 1552 continue; 1553 } 1554 1555 /* External symbol */ 1556 if (func) { 1557 /* External sibling call */ 1558 if (add_call_dest(file, insn, dest_sym, true)) 1559 return -1; 1560 continue; 1561 } 1562 1563 /* Non-func asm code jumping to external symbol */ 1564 continue; 1565 } 1566 1567 dest_sec = dest_sym->sec; 1568 dest_off = dest_sym->offset + arch_insn_adjusted_addend(insn, reloc); 1569 } 1570 1571 dest_insn = find_insn(file, dest_sec, dest_off); 1572 if (!dest_insn) { 1573 struct symbol *sym = find_symbol_by_offset(dest_sec, dest_off); 1574 1575 /* 1576 * retbleed_untrain_ret() jumps to 1577 * __x86_return_thunk(), but objtool can't find 1578 * the thunk's starting RET instruction, 1579 * because the RET is also in the middle of 1580 * another instruction. Objtool only knows 1581 * about the outer instruction. 1582 */ 1583 if (sym && sym->embedded_insn) { 1584 add_return_call(file, insn, false); 1585 continue; 1586 } 1587 1588 /* 1589 * GCOV/KCOV dead code can jump to the end of 1590 * the function/section. 1591 */ 1592 if (file->ignore_unreachables && func && 1593 dest_sec == insn->sec && 1594 dest_off == func->offset + func->len) 1595 continue; 1596 1597 ERROR_INSN(insn, "can't find jump dest instruction at %s", 1598 offstr(dest_sec, dest_off)); 1599 return -1; 1600 } 1601 1602 if (!dest_sym || is_sec_sym(dest_sym)) { 1603 dest_sym = dest_insn->sym; 1604 if (!dest_sym) 1605 goto set_jump_dest; 1606 } 1607 1608 if (dest_sym->retpoline_thunk && dest_insn->offset == dest_sym->offset) { 1609 if (add_retpoline_call(file, insn)) 1610 return -1; 1611 continue; 1612 } 1613 1614 if (dest_sym->return_thunk && dest_insn->offset == dest_sym->offset) { 1615 add_return_call(file, insn, true); 1616 continue; 1617 } 1618 1619 if (!insn->sym || insn->sym->pfunc == dest_sym->pfunc) 1620 goto set_jump_dest; 1621 1622 /* 1623 * Internal cross-function jump. 1624 */ 1625 1626 if (is_first_func_insn(file, dest_insn)) { 1627 /* Internal sibling call */ 1628 if (add_call_dest(file, insn, dest_sym, true)) 1629 return -1; 1630 continue; 1631 } 1632 1633 set_jump_dest: 1634 insn->jump_dest = dest_insn; 1635 } 1636 1637 return 0; 1638 } 1639 1640 static struct symbol *find_call_destination(struct section *sec, unsigned long offset) 1641 { 1642 struct symbol *call_dest; 1643 1644 call_dest = find_func_by_offset(sec, offset); 1645 if (!call_dest) 1646 call_dest = find_symbol_by_offset(sec, offset); 1647 1648 return call_dest; 1649 } 1650 1651 /* 1652 * Find the destination instructions for all calls. 1653 */ 1654 static int add_call_destinations(struct objtool_file *file) 1655 { 1656 struct instruction *insn; 1657 unsigned long dest_off; 1658 struct symbol *dest; 1659 struct reloc *reloc; 1660 1661 for_each_insn(file, insn) { 1662 struct symbol *func = insn_func(insn); 1663 if (insn->type != INSN_CALL) 1664 continue; 1665 1666 reloc = insn_reloc(file, insn); 1667 if (!reloc) { 1668 dest_off = arch_jump_destination(insn); 1669 dest = find_call_destination(insn->sec, dest_off); 1670 1671 if (add_call_dest(file, insn, dest, false)) 1672 return -1; 1673 1674 if (func && func->ignore) 1675 continue; 1676 1677 if (!insn_call_dest(insn)) { 1678 ERROR_INSN(insn, "unannotated intra-function call"); 1679 return -1; 1680 } 1681 1682 if (func && !is_func_sym(insn_call_dest(insn))) { 1683 ERROR_INSN(insn, "unsupported call to non-function"); 1684 return -1; 1685 } 1686 1687 } else if (is_sec_sym(reloc->sym)) { 1688 dest_off = arch_insn_adjusted_addend(insn, reloc); 1689 dest = find_call_destination(reloc->sym->sec, dest_off); 1690 if (!dest) { 1691 ERROR_INSN(insn, "can't find call dest symbol at %s+0x%lx", 1692 reloc->sym->sec->name, dest_off); 1693 return -1; 1694 } 1695 1696 if (add_call_dest(file, insn, dest, false)) 1697 return -1; 1698 1699 } else if (reloc->sym->retpoline_thunk) { 1700 if (add_retpoline_call(file, insn)) 1701 return -1; 1702 1703 } else { 1704 if (add_call_dest(file, insn, reloc->sym, false)) 1705 return -1; 1706 } 1707 } 1708 1709 return 0; 1710 } 1711 1712 /* 1713 * The .alternatives section requires some extra special care over and above 1714 * other special sections because alternatives are patched in place. 1715 */ 1716 static int handle_group_alt(struct objtool_file *file, 1717 struct special_alt *special_alt, 1718 struct instruction *orig_insn, 1719 struct instruction **new_insn) 1720 { 1721 struct instruction *last_new_insn = NULL, *insn, *nop = NULL; 1722 struct alt_group *orig_alt_group, *new_alt_group; 1723 unsigned long dest_off; 1724 1725 orig_alt_group = orig_insn->alt_group; 1726 if (!orig_alt_group) { 1727 struct instruction *last_orig_insn = NULL; 1728 1729 orig_alt_group = calloc(1, sizeof(*orig_alt_group)); 1730 if (!orig_alt_group) { 1731 ERROR_GLIBC("calloc"); 1732 return -1; 1733 } 1734 orig_alt_group->cfi = calloc(special_alt->orig_len, 1735 sizeof(struct cfi_state *)); 1736 if (!orig_alt_group->cfi) { 1737 ERROR_GLIBC("calloc"); 1738 return -1; 1739 } 1740 1741 insn = orig_insn; 1742 sec_for_each_insn_from(file, insn) { 1743 if (insn->offset >= special_alt->orig_off + special_alt->orig_len) 1744 break; 1745 1746 insn->alt_group = orig_alt_group; 1747 last_orig_insn = insn; 1748 } 1749 orig_alt_group->orig_group = NULL; 1750 orig_alt_group->first_insn = orig_insn; 1751 orig_alt_group->last_insn = last_orig_insn; 1752 orig_alt_group->nop = NULL; 1753 orig_alt_group->ignore = orig_insn->ignore_alts; 1754 orig_alt_group->feature = 0; 1755 } else { 1756 if (orig_alt_group->last_insn->offset + orig_alt_group->last_insn->len - 1757 orig_alt_group->first_insn->offset != special_alt->orig_len) { 1758 ERROR_INSN(orig_insn, "weirdly overlapping alternative! %ld != %d", 1759 orig_alt_group->last_insn->offset + 1760 orig_alt_group->last_insn->len - 1761 orig_alt_group->first_insn->offset, 1762 special_alt->orig_len); 1763 return -1; 1764 } 1765 } 1766 1767 new_alt_group = calloc(1, sizeof(*new_alt_group)); 1768 if (!new_alt_group) { 1769 ERROR_GLIBC("calloc"); 1770 return -1; 1771 } 1772 1773 if (special_alt->new_len < special_alt->orig_len) { 1774 /* 1775 * Insert a fake nop at the end to make the replacement 1776 * alt_group the same size as the original. This is needed to 1777 * allow propagate_alt_cfi() to do its magic. When the last 1778 * instruction affects the stack, the instruction after it (the 1779 * nop) will propagate the new state to the shared CFI array. 1780 */ 1781 nop = calloc(1, sizeof(*nop)); 1782 if (!nop) { 1783 ERROR_GLIBC("calloc"); 1784 return -1; 1785 } 1786 memset(nop, 0, sizeof(*nop)); 1787 1788 nop->sec = special_alt->new_sec; 1789 nop->offset = special_alt->new_off + special_alt->new_len; 1790 nop->len = special_alt->orig_len - special_alt->new_len; 1791 nop->type = INSN_NOP; 1792 nop->sym = orig_insn->sym; 1793 nop->alt_group = new_alt_group; 1794 nop->fake = 1; 1795 } 1796 1797 if (!special_alt->new_len) { 1798 *new_insn = nop; 1799 goto end; 1800 } 1801 1802 insn = *new_insn; 1803 sec_for_each_insn_from(file, insn) { 1804 struct reloc *alt_reloc; 1805 1806 if (insn->offset >= special_alt->new_off + special_alt->new_len) 1807 break; 1808 1809 last_new_insn = insn; 1810 1811 insn->sym = orig_insn->sym; 1812 insn->alt_group = new_alt_group; 1813 1814 /* 1815 * Since alternative replacement code is copy/pasted by the 1816 * kernel after applying relocations, generally such code can't 1817 * have relative-address relocation references to outside the 1818 * .altinstr_replacement section, unless the arch's 1819 * alternatives code can adjust the relative offsets 1820 * accordingly. 1821 */ 1822 alt_reloc = insn_reloc(file, insn); 1823 if (alt_reloc && arch_pc_relative_reloc(alt_reloc) && 1824 !arch_support_alt_relocation(special_alt, insn, alt_reloc)) { 1825 1826 ERROR_INSN(insn, "unsupported relocation in alternatives section"); 1827 return -1; 1828 } 1829 1830 if (!is_static_jump(insn)) 1831 continue; 1832 1833 if (!insn->immediate) 1834 continue; 1835 1836 dest_off = arch_jump_destination(insn); 1837 if (dest_off == special_alt->new_off + special_alt->new_len) { 1838 insn->jump_dest = next_insn_same_sec(file, orig_alt_group->last_insn); 1839 if (!insn->jump_dest) { 1840 ERROR_INSN(insn, "can't find alternative jump destination"); 1841 return -1; 1842 } 1843 } 1844 } 1845 1846 if (!last_new_insn) { 1847 ERROR_FUNC(special_alt->new_sec, special_alt->new_off, 1848 "can't find last new alternative instruction"); 1849 return -1; 1850 } 1851 1852 end: 1853 new_alt_group->orig_group = orig_alt_group; 1854 new_alt_group->first_insn = *new_insn; 1855 new_alt_group->last_insn = last_new_insn; 1856 new_alt_group->nop = nop; 1857 new_alt_group->ignore = (*new_insn)->ignore_alts; 1858 new_alt_group->cfi = orig_alt_group->cfi; 1859 new_alt_group->feature = special_alt->feature; 1860 return 0; 1861 } 1862 1863 /* 1864 * A jump table entry can either convert a nop to a jump or a jump to a nop. 1865 * If the original instruction is a jump, make the alt entry an effective nop 1866 * by just skipping the original instruction. 1867 */ 1868 static int handle_jump_alt(struct objtool_file *file, 1869 struct special_alt *special_alt, 1870 struct instruction *orig_insn, 1871 struct instruction **new_insn) 1872 { 1873 if (orig_insn->type != INSN_JUMP_UNCONDITIONAL && 1874 orig_insn->type != INSN_NOP) { 1875 1876 ERROR_INSN(orig_insn, "unsupported instruction at jump label"); 1877 return -1; 1878 } 1879 1880 if (opts.hack_jump_label && special_alt->key_addend & 2) { 1881 struct reloc *reloc = insn_reloc(file, orig_insn); 1882 1883 if (reloc) 1884 set_reloc_type(file->elf, reloc, R_NONE); 1885 1886 if (elf_write_insn(file->elf, orig_insn->sec, 1887 orig_insn->offset, orig_insn->len, 1888 arch_nop_insn(orig_insn->len))) { 1889 return -1; 1890 } 1891 1892 orig_insn->type = INSN_NOP; 1893 } 1894 1895 if (orig_insn->type == INSN_NOP) { 1896 if (orig_insn->len == 2) 1897 file->jl_nop_short++; 1898 else 1899 file->jl_nop_long++; 1900 1901 return 0; 1902 } 1903 1904 if (orig_insn->len == 2) 1905 file->jl_short++; 1906 else 1907 file->jl_long++; 1908 1909 *new_insn = next_insn_same_sec(file, orig_insn); 1910 return 0; 1911 } 1912 1913 /* 1914 * Read all the special sections which have alternate instructions which can be 1915 * patched in or redirected to at runtime. Each instruction having alternate 1916 * instruction(s) has them added to its insn->alts list, which will be 1917 * traversed in validate_branch(). 1918 */ 1919 static int add_special_section_alts(struct objtool_file *file) 1920 { 1921 struct list_head special_alts; 1922 struct instruction *orig_insn, *new_insn; 1923 struct special_alt *special_alt, *tmp; 1924 enum alternative_type alt_type; 1925 struct alternative *alt; 1926 struct alternative *a; 1927 1928 if (special_get_alts(file->elf, &special_alts)) 1929 return -1; 1930 1931 list_for_each_entry_safe(special_alt, tmp, &special_alts, list) { 1932 1933 orig_insn = find_insn(file, special_alt->orig_sec, 1934 special_alt->orig_off); 1935 if (!orig_insn) { 1936 ERROR_FUNC(special_alt->orig_sec, special_alt->orig_off, 1937 "special: can't find orig instruction"); 1938 return -1; 1939 } 1940 1941 new_insn = NULL; 1942 if (!special_alt->group || special_alt->new_len) { 1943 new_insn = find_insn(file, special_alt->new_sec, 1944 special_alt->new_off); 1945 if (!new_insn) { 1946 ERROR_FUNC(special_alt->new_sec, special_alt->new_off, 1947 "special: can't find new instruction"); 1948 return -1; 1949 } 1950 } 1951 1952 if (special_alt->group) { 1953 if (!special_alt->orig_len) { 1954 ERROR_INSN(orig_insn, "empty alternative entry"); 1955 continue; 1956 } 1957 1958 if (handle_group_alt(file, special_alt, orig_insn, &new_insn)) 1959 return -1; 1960 1961 alt_type = ALT_TYPE_INSTRUCTIONS; 1962 1963 } else if (special_alt->jump_or_nop) { 1964 if (handle_jump_alt(file, special_alt, orig_insn, &new_insn)) 1965 return -1; 1966 1967 alt_type = ALT_TYPE_JUMP_TABLE; 1968 } else { 1969 alt_type = ALT_TYPE_EX_TABLE; 1970 } 1971 1972 alt = calloc(1, sizeof(*alt)); 1973 if (!alt) { 1974 ERROR_GLIBC("calloc"); 1975 return -1; 1976 } 1977 1978 alt->insn = new_insn; 1979 alt->type = alt_type; 1980 alt->next = NULL; 1981 1982 /* 1983 * Store alternatives in the same order they have been 1984 * defined. 1985 */ 1986 if (!orig_insn->alts) { 1987 orig_insn->alts = alt; 1988 } else { 1989 for (a = orig_insn->alts; a->next; a = a->next) 1990 ; 1991 a->next = alt; 1992 } 1993 1994 list_del(&special_alt->list); 1995 free(special_alt); 1996 } 1997 1998 if (opts.stats) { 1999 printf("jl\\\tNOP\tJMP\n"); 2000 printf("short:\t%ld\t%ld\n", file->jl_nop_short, file->jl_short); 2001 printf("long:\t%ld\t%ld\n", file->jl_nop_long, file->jl_long); 2002 } 2003 2004 return 0; 2005 } 2006 2007 __weak unsigned long arch_jump_table_sym_offset(struct reloc *reloc, struct reloc *table) 2008 { 2009 return reloc->sym->offset + reloc_addend(reloc); 2010 } 2011 2012 static int add_jump_table(struct objtool_file *file, struct instruction *insn) 2013 { 2014 unsigned long table_size = insn_jump_table_size(insn); 2015 struct symbol *pfunc = insn_func(insn)->pfunc; 2016 struct reloc *table = insn_jump_table(insn); 2017 struct instruction *dest_insn; 2018 unsigned int prev_offset = 0; 2019 struct reloc *reloc = table; 2020 struct alternative *alt; 2021 unsigned long sym_offset; 2022 2023 /* 2024 * Each @reloc is a switch table relocation which points to the target 2025 * instruction. 2026 */ 2027 for_each_reloc_from(table->sec, reloc) { 2028 2029 /* Check for the end of the table: */ 2030 if (table_size && reloc_offset(reloc) - reloc_offset(table) >= table_size) 2031 break; 2032 if (reloc != table && is_jump_table(reloc)) 2033 break; 2034 2035 /* Make sure the table entries are consecutive: */ 2036 if (prev_offset && reloc_offset(reloc) != prev_offset + arch_reloc_size(reloc)) 2037 break; 2038 2039 sym_offset = arch_jump_table_sym_offset(reloc, table); 2040 2041 /* Detect function pointers from contiguous objects: */ 2042 if (reloc->sym->sec == pfunc->sec && sym_offset == pfunc->offset) 2043 break; 2044 2045 /* 2046 * Clang sometimes leaves dangling unused jump table entries 2047 * which point to the end of the function. Ignore them. 2048 */ 2049 if (reloc->sym->sec == pfunc->sec && 2050 sym_offset == pfunc->offset + pfunc->len) 2051 goto next; 2052 2053 dest_insn = find_insn(file, reloc->sym->sec, sym_offset); 2054 if (!dest_insn) 2055 break; 2056 2057 /* Make sure the destination is in the same function: */ 2058 if (!insn_func(dest_insn) || insn_func(dest_insn)->pfunc != pfunc) 2059 break; 2060 2061 alt = calloc(1, sizeof(*alt)); 2062 if (!alt) { 2063 ERROR_GLIBC("calloc"); 2064 return -1; 2065 } 2066 2067 alt->insn = dest_insn; 2068 alt->next = insn->alts; 2069 insn->alts = alt; 2070 next: 2071 prev_offset = reloc_offset(reloc); 2072 } 2073 2074 if (!prev_offset) { 2075 ERROR_INSN(insn, "can't find switch jump table"); 2076 return -1; 2077 } 2078 2079 return 0; 2080 } 2081 2082 /* 2083 * find_jump_table() - Given a dynamic jump, find the switch jump table 2084 * associated with it. 2085 */ 2086 static void find_jump_table(struct objtool_file *file, struct symbol *func, 2087 struct instruction *insn) 2088 { 2089 struct reloc *table_reloc; 2090 struct instruction *dest_insn, *orig_insn = insn; 2091 unsigned long table_size; 2092 unsigned long sym_offset; 2093 2094 /* 2095 * Backward search using the @first_jump_src links, these help avoid 2096 * much of the 'in between' code. Which avoids us getting confused by 2097 * it. 2098 */ 2099 for (; 2100 insn && insn_func(insn) && insn_func(insn)->pfunc == func; 2101 insn = insn->first_jump_src ?: prev_insn_same_sym(file, insn)) { 2102 2103 if (insn != orig_insn && insn->type == INSN_JUMP_DYNAMIC) 2104 break; 2105 2106 /* allow small jumps within the range */ 2107 if (insn->type == INSN_JUMP_UNCONDITIONAL && 2108 insn->jump_dest && 2109 (insn->jump_dest->offset <= insn->offset || 2110 insn->jump_dest->offset > orig_insn->offset)) 2111 break; 2112 2113 table_reloc = arch_find_switch_table(file, insn, &table_size); 2114 if (!table_reloc) 2115 continue; 2116 2117 sym_offset = table_reloc->sym->offset + reloc_addend(table_reloc); 2118 2119 dest_insn = find_insn(file, table_reloc->sym->sec, sym_offset); 2120 if (!dest_insn || !insn_func(dest_insn) || insn_func(dest_insn)->pfunc != func) 2121 continue; 2122 2123 set_jump_table(table_reloc); 2124 orig_insn->_jump_table = table_reloc; 2125 orig_insn->_jump_table_size = table_size; 2126 2127 break; 2128 } 2129 } 2130 2131 /* 2132 * First pass: Mark the head of each jump table so that in the next pass, 2133 * we know when a given jump table ends and the next one starts. 2134 */ 2135 static void mark_func_jump_tables(struct objtool_file *file, 2136 struct symbol *func) 2137 { 2138 struct instruction *insn, *last = NULL; 2139 2140 func_for_each_insn(file, func, insn) { 2141 if (!last) 2142 last = insn; 2143 2144 /* 2145 * Store back-pointers for unconditional forward jumps such 2146 * that find_jump_table() can back-track using those and 2147 * avoid some potentially confusing code. 2148 */ 2149 if (insn->type == INSN_JUMP_UNCONDITIONAL && insn->jump_dest && 2150 insn->offset > last->offset && 2151 insn->jump_dest->offset > insn->offset && 2152 !insn->jump_dest->first_jump_src) { 2153 2154 insn->jump_dest->first_jump_src = insn; 2155 last = insn->jump_dest; 2156 } 2157 2158 if (insn->type != INSN_JUMP_DYNAMIC) 2159 continue; 2160 2161 find_jump_table(file, func, insn); 2162 } 2163 } 2164 2165 static int add_func_jump_tables(struct objtool_file *file, 2166 struct symbol *func) 2167 { 2168 struct instruction *insn; 2169 2170 func_for_each_insn(file, func, insn) { 2171 if (!insn_jump_table(insn)) 2172 continue; 2173 2174 if (add_jump_table(file, insn)) 2175 return -1; 2176 } 2177 2178 return 0; 2179 } 2180 2181 /* 2182 * For some switch statements, gcc generates a jump table in the .rodata 2183 * section which contains a list of addresses within the function to jump to. 2184 * This finds these jump tables and adds them to the insn->alts lists. 2185 */ 2186 static int add_jump_table_alts(struct objtool_file *file) 2187 { 2188 struct symbol *func; 2189 2190 if (!file->rodata) 2191 return 0; 2192 2193 for_each_sym(file->elf, func) { 2194 if (!is_func_sym(func) || func->alias != func) 2195 continue; 2196 2197 mark_func_jump_tables(file, func); 2198 if (add_func_jump_tables(file, func)) 2199 return -1; 2200 } 2201 2202 return 0; 2203 } 2204 2205 static void set_func_state(struct cfi_state *state) 2206 { 2207 state->cfa = initial_func_cfi.cfa; 2208 memcpy(&state->regs, &initial_func_cfi.regs, 2209 CFI_NUM_REGS * sizeof(struct cfi_reg)); 2210 state->stack_size = initial_func_cfi.cfa.offset; 2211 state->type = UNWIND_HINT_TYPE_CALL; 2212 } 2213 2214 static int read_unwind_hints(struct objtool_file *file) 2215 { 2216 struct cfi_state cfi = init_cfi; 2217 struct section *sec; 2218 struct unwind_hint *hint; 2219 struct instruction *insn; 2220 struct reloc *reloc; 2221 unsigned long offset; 2222 int i; 2223 2224 sec = find_section_by_name(file->elf, ".discard.unwind_hints"); 2225 if (!sec) 2226 return 0; 2227 2228 if (!sec->rsec) { 2229 ERROR("missing .rela.discard.unwind_hints section"); 2230 return -1; 2231 } 2232 2233 if (sec_size(sec) % sizeof(struct unwind_hint)) { 2234 ERROR("struct unwind_hint size mismatch"); 2235 return -1; 2236 } 2237 2238 file->hints = true; 2239 2240 for (i = 0; i < sec_size(sec) / sizeof(struct unwind_hint); i++) { 2241 hint = (struct unwind_hint *)sec->data->d_buf + i; 2242 2243 reloc = find_reloc_by_dest(file->elf, sec, i * sizeof(*hint)); 2244 if (!reloc) { 2245 ERROR("can't find reloc for unwind_hints[%d]", i); 2246 return -1; 2247 } 2248 2249 offset = reloc->sym->offset + reloc_addend(reloc); 2250 2251 insn = find_insn(file, reloc->sym->sec, offset); 2252 if (!insn) { 2253 ERROR("can't find insn for unwind_hints[%d]", i); 2254 return -1; 2255 } 2256 2257 insn->hint = true; 2258 2259 if (hint->type == UNWIND_HINT_TYPE_UNDEFINED) { 2260 insn->cfi = &force_undefined_cfi; 2261 continue; 2262 } 2263 2264 if (hint->type == UNWIND_HINT_TYPE_SAVE) { 2265 insn->hint = false; 2266 insn->save = true; 2267 continue; 2268 } 2269 2270 if (hint->type == UNWIND_HINT_TYPE_RESTORE) { 2271 insn->restore = true; 2272 continue; 2273 } 2274 2275 if (hint->type == UNWIND_HINT_TYPE_REGS_PARTIAL) { 2276 struct symbol *sym = find_symbol_by_offset(insn->sec, insn->offset); 2277 2278 if (sym && is_global_sym(sym)) { 2279 if (opts.ibt && insn->type != INSN_ENDBR && !insn->noendbr) { 2280 ERROR_INSN(insn, "UNWIND_HINT_IRET_REGS without ENDBR"); 2281 return -1; 2282 } 2283 } 2284 } 2285 2286 if (hint->type == UNWIND_HINT_TYPE_FUNC) { 2287 insn->cfi = &func_cfi; 2288 continue; 2289 } 2290 2291 if (insn->cfi) 2292 cfi = *(insn->cfi); 2293 2294 if (arch_decode_hint_reg(hint->sp_reg, &cfi.cfa.base)) { 2295 ERROR_INSN(insn, "unsupported unwind_hint sp base reg %d", hint->sp_reg); 2296 return -1; 2297 } 2298 2299 cfi.cfa.offset = bswap_if_needed(file->elf, hint->sp_offset); 2300 cfi.type = hint->type; 2301 cfi.signal = hint->signal; 2302 2303 insn->cfi = cfi_hash_find_or_add(&cfi); 2304 } 2305 2306 return 0; 2307 } 2308 2309 static int read_annotate(struct objtool_file *file, 2310 int (*func)(struct objtool_file *file, int type, struct instruction *insn)) 2311 { 2312 struct section *sec; 2313 struct instruction *insn; 2314 struct reloc *reloc; 2315 uint64_t offset; 2316 int type; 2317 2318 sec = find_section_by_name(file->elf, ".discard.annotate_insn"); 2319 if (!sec) 2320 return 0; 2321 2322 if (!sec->rsec) 2323 return 0; 2324 2325 if (sec->sh.sh_entsize != 8) { 2326 static bool warned = false; 2327 if (!warned && opts.verbose) { 2328 WARN("%s: dodgy linker, sh_entsize != 8", sec->name); 2329 warned = true; 2330 } 2331 sec->sh.sh_entsize = 8; 2332 } 2333 2334 if (sec_num_entries(sec) != sec_num_entries(sec->rsec)) { 2335 ERROR("bad .discard.annotate_insn section: missing relocs"); 2336 return -1; 2337 } 2338 2339 for_each_reloc(sec->rsec, reloc) { 2340 type = annotype(file->elf, sec, reloc); 2341 offset = reloc->sym->offset + reloc_addend(reloc); 2342 insn = find_insn(file, reloc->sym->sec, offset); 2343 2344 if (!insn) { 2345 ERROR("bad .discard.annotate_insn entry: %d of type %d", reloc_idx(reloc), type); 2346 return -1; 2347 } 2348 2349 if (func(file, type, insn)) 2350 return -1; 2351 } 2352 2353 return 0; 2354 } 2355 2356 static int __annotate_early(struct objtool_file *file, int type, struct instruction *insn) 2357 { 2358 switch (type) { 2359 2360 /* Must be before add_special_section_alts() */ 2361 case ANNOTYPE_IGNORE_ALTS: 2362 insn->ignore_alts = true; 2363 break; 2364 2365 /* 2366 * Must be before read_unwind_hints() since that needs insn->noendbr. 2367 */ 2368 case ANNOTYPE_NOENDBR: 2369 insn->noendbr = 1; 2370 break; 2371 2372 default: 2373 break; 2374 } 2375 2376 return 0; 2377 } 2378 2379 static int __annotate_ifc(struct objtool_file *file, int type, struct instruction *insn) 2380 { 2381 unsigned long dest_off; 2382 2383 if (type != ANNOTYPE_INTRA_FUNCTION_CALL) 2384 return 0; 2385 2386 if (insn->type != INSN_CALL) { 2387 ERROR_INSN(insn, "intra_function_call not a direct call"); 2388 return -1; 2389 } 2390 2391 /* 2392 * Treat intra-function CALLs as JMPs, but with a stack_op. 2393 * See add_call_destinations(), which strips stack_ops from 2394 * normal CALLs. 2395 */ 2396 insn->type = INSN_JUMP_UNCONDITIONAL; 2397 2398 dest_off = arch_jump_destination(insn); 2399 insn->jump_dest = find_insn(file, insn->sec, dest_off); 2400 if (!insn->jump_dest) { 2401 ERROR_INSN(insn, "can't find call dest at %s+0x%lx", 2402 insn->sec->name, dest_off); 2403 return -1; 2404 } 2405 2406 return 0; 2407 } 2408 2409 static int __annotate_late(struct objtool_file *file, int type, struct instruction *insn) 2410 { 2411 struct symbol *sym; 2412 2413 switch (type) { 2414 case ANNOTYPE_NOENDBR: 2415 /* early */ 2416 break; 2417 2418 case ANNOTYPE_RETPOLINE_SAFE: 2419 if (insn->type != INSN_JUMP_DYNAMIC && 2420 insn->type != INSN_CALL_DYNAMIC && 2421 insn->type != INSN_RETURN && 2422 insn->type != INSN_NOP) { 2423 ERROR_INSN(insn, "retpoline_safe hint not an indirect jump/call/ret/nop"); 2424 return -1; 2425 } 2426 2427 insn->retpoline_safe = true; 2428 break; 2429 2430 case ANNOTYPE_INSTR_BEGIN: 2431 insn->instr++; 2432 break; 2433 2434 case ANNOTYPE_INSTR_END: 2435 insn->instr--; 2436 break; 2437 2438 case ANNOTYPE_UNRET_BEGIN: 2439 insn->unret = 1; 2440 break; 2441 2442 case ANNOTYPE_IGNORE_ALTS: 2443 /* early */ 2444 break; 2445 2446 case ANNOTYPE_INTRA_FUNCTION_CALL: 2447 /* ifc */ 2448 break; 2449 2450 case ANNOTYPE_REACHABLE: 2451 insn->dead_end = false; 2452 break; 2453 2454 case ANNOTYPE_NOCFI: 2455 sym = insn->sym; 2456 if (!sym) { 2457 ERROR_INSN(insn, "dodgy NOCFI annotation"); 2458 return -1; 2459 } 2460 insn->sym->nocfi = 1; 2461 break; 2462 2463 default: 2464 ERROR_INSN(insn, "Unknown annotation type: %d", type); 2465 return -1; 2466 } 2467 2468 return 0; 2469 } 2470 2471 /* 2472 * Return true if name matches an instrumentation function, where calls to that 2473 * function from noinstr code can safely be removed, but compilers won't do so. 2474 */ 2475 static bool is_profiling_func(const char *name) 2476 { 2477 /* 2478 * Many compilers cannot disable KCOV with a function attribute. 2479 */ 2480 if (!strncmp(name, "__sanitizer_cov_", 16)) 2481 return true; 2482 2483 return false; 2484 } 2485 2486 static int classify_symbols(struct objtool_file *file) 2487 { 2488 struct symbol *func; 2489 size_t len; 2490 2491 for_each_sym(file->elf, func) { 2492 if (is_notype_sym(func) && strstarts(func->name, ".L")) 2493 func->local_label = true; 2494 2495 if (!is_global_sym(func)) 2496 continue; 2497 2498 if (!strncmp(func->name, STATIC_CALL_TRAMP_PREFIX_STR, 2499 strlen(STATIC_CALL_TRAMP_PREFIX_STR))) 2500 func->static_call_tramp = true; 2501 2502 if (arch_is_retpoline(func)) 2503 func->retpoline_thunk = true; 2504 2505 if (arch_is_rethunk(func)) 2506 func->return_thunk = true; 2507 2508 if (arch_is_embedded_insn(func)) 2509 func->embedded_insn = true; 2510 2511 if (arch_ftrace_match(func->name)) 2512 func->fentry = true; 2513 2514 if (is_profiling_func(func->name)) 2515 func->profiling_func = true; 2516 2517 len = strlen(func->name); 2518 if (len > sym_name_max_len) 2519 sym_name_max_len = len; 2520 } 2521 2522 return 0; 2523 } 2524 2525 static void mark_rodata(struct objtool_file *file) 2526 { 2527 struct section *sec; 2528 bool found = false; 2529 2530 /* 2531 * Search for the following rodata sections, each of which can 2532 * potentially contain jump tables: 2533 * 2534 * - .rodata: can contain GCC switch tables 2535 * - .rodata.<func>: same, if -fdata-sections is being used 2536 * - .data.rel.ro.c_jump_table: contains C annotated jump tables 2537 * 2538 * .rodata.str1.* sections are ignored; they don't contain jump tables. 2539 */ 2540 for_each_sec(file->elf, sec) { 2541 if ((!strncmp(sec->name, ".rodata", 7) && 2542 !strstr(sec->name, ".str1.")) || 2543 !strncmp(sec->name, ".data.rel.ro", 12)) { 2544 sec->rodata = true; 2545 found = true; 2546 } 2547 } 2548 2549 file->rodata = found; 2550 } 2551 2552 static void mark_holes(struct objtool_file *file) 2553 { 2554 struct instruction *insn; 2555 bool in_hole = false; 2556 2557 if (!opts.link) 2558 return; 2559 2560 /* 2561 * Whole archive runs might encounter dead code from weak symbols. 2562 * This is where the linker will have dropped the weak symbol in 2563 * favour of a regular symbol, but leaves the code in place. 2564 */ 2565 for_each_insn(file, insn) { 2566 if (insn->sym || !find_symbol_hole_containing(insn->sec, insn->offset)) { 2567 in_hole = false; 2568 continue; 2569 } 2570 2571 /* Skip function padding and pfx code */ 2572 if (!in_hole && insn->type == INSN_NOP) 2573 continue; 2574 2575 in_hole = true; 2576 insn->hole = 1; 2577 2578 /* 2579 * If this hole jumps to a .cold function, mark it ignore. 2580 */ 2581 if (insn->jump_dest) { 2582 struct symbol *dest_func = insn_func(insn->jump_dest); 2583 2584 if (dest_func && dest_func->cold) 2585 dest_func->ignore = true; 2586 } 2587 } 2588 } 2589 2590 static bool validate_branch_enabled(void) 2591 { 2592 return opts.stackval || 2593 opts.orc || 2594 opts.uaccess || 2595 opts.checksum; 2596 } 2597 2598 static int decode_sections(struct objtool_file *file) 2599 { 2600 file->klp = is_livepatch_module(file); 2601 2602 mark_rodata(file); 2603 2604 if (init_pv_ops(file)) 2605 return -1; 2606 2607 /* 2608 * Must be before add_{jump_call}_destination. 2609 */ 2610 if (classify_symbols(file)) 2611 return -1; 2612 2613 if (decode_instructions(file)) 2614 return -1; 2615 2616 if (add_ignores(file)) 2617 return -1; 2618 2619 add_uaccess_safe(file); 2620 2621 if (read_annotate(file, __annotate_early)) 2622 return -1; 2623 2624 /* 2625 * Must be before add_jump_destinations(), which depends on 'func' 2626 * being set for alternatives, to enable proper sibling call detection. 2627 */ 2628 if (validate_branch_enabled() || opts.noinstr || opts.hack_jump_label || opts.disas) { 2629 if (add_special_section_alts(file)) 2630 return -1; 2631 } 2632 2633 if (add_jump_destinations(file)) 2634 return -1; 2635 2636 /* 2637 * Must be before add_call_destination(); it changes INSN_CALL to 2638 * INSN_JUMP. 2639 */ 2640 if (read_annotate(file, __annotate_ifc)) 2641 return -1; 2642 2643 if (add_call_destinations(file)) 2644 return -1; 2645 2646 if (add_jump_table_alts(file)) 2647 return -1; 2648 2649 if (read_unwind_hints(file)) 2650 return -1; 2651 2652 /* Must be after add_jump_destinations() */ 2653 mark_holes(file); 2654 2655 /* 2656 * Must be after add_call_destinations() such that it can override 2657 * dead_end_function() marks. 2658 */ 2659 if (read_annotate(file, __annotate_late)) 2660 return -1; 2661 2662 return 0; 2663 } 2664 2665 static bool is_special_call(struct instruction *insn) 2666 { 2667 if (insn->type == INSN_CALL) { 2668 struct symbol *dest = insn_call_dest(insn); 2669 2670 if (!dest) 2671 return false; 2672 2673 if (dest->fentry || dest->embedded_insn) 2674 return true; 2675 } 2676 2677 return false; 2678 } 2679 2680 static bool has_modified_stack_frame(struct instruction *insn, struct insn_state *state) 2681 { 2682 struct cfi_state *cfi = &state->cfi; 2683 int i; 2684 2685 if (cfi->cfa.base != initial_func_cfi.cfa.base || cfi->drap) 2686 return true; 2687 2688 if (cfi->cfa.offset != initial_func_cfi.cfa.offset) 2689 return true; 2690 2691 if (cfi->stack_size != initial_func_cfi.cfa.offset) 2692 return true; 2693 2694 for (i = 0; i < CFI_NUM_REGS; i++) { 2695 if (cfi->regs[i].base != initial_func_cfi.regs[i].base || 2696 cfi->regs[i].offset != initial_func_cfi.regs[i].offset) 2697 return true; 2698 } 2699 2700 return false; 2701 } 2702 2703 static bool check_reg_frame_pos(const struct cfi_reg *reg, 2704 int expected_offset) 2705 { 2706 return reg->base == CFI_CFA && 2707 reg->offset == expected_offset; 2708 } 2709 2710 static bool has_valid_stack_frame(struct insn_state *state) 2711 { 2712 struct cfi_state *cfi = &state->cfi; 2713 2714 if (cfi->cfa.base == CFI_BP && 2715 check_reg_frame_pos(&cfi->regs[CFI_BP], -cfi->cfa.offset) && 2716 check_reg_frame_pos(&cfi->regs[CFI_RA], -cfi->cfa.offset + 8)) 2717 return true; 2718 2719 if (cfi->drap && cfi->regs[CFI_BP].base == CFI_BP) 2720 return true; 2721 2722 return false; 2723 } 2724 2725 static int update_cfi_state_regs(struct instruction *insn, 2726 struct cfi_state *cfi, 2727 struct stack_op *op) 2728 { 2729 struct cfi_reg *cfa = &cfi->cfa; 2730 2731 if (cfa->base != CFI_SP && cfa->base != CFI_SP_INDIRECT) 2732 return 0; 2733 2734 /* push */ 2735 if (op->dest.type == OP_DEST_PUSH || op->dest.type == OP_DEST_PUSHF) 2736 cfa->offset += 8; 2737 2738 /* pop */ 2739 if (op->src.type == OP_SRC_POP || op->src.type == OP_SRC_POPF) 2740 cfa->offset -= 8; 2741 2742 /* add immediate to sp */ 2743 if (op->dest.type == OP_DEST_REG && op->src.type == OP_SRC_ADD && 2744 op->dest.reg == CFI_SP && op->src.reg == CFI_SP) 2745 cfa->offset -= op->src.offset; 2746 2747 return 0; 2748 } 2749 2750 static void save_reg(struct cfi_state *cfi, unsigned char reg, int base, int offset) 2751 { 2752 if (arch_callee_saved_reg(reg) && 2753 cfi->regs[reg].base == CFI_UNDEFINED) { 2754 cfi->regs[reg].base = base; 2755 cfi->regs[reg].offset = offset; 2756 } 2757 } 2758 2759 static void restore_reg(struct cfi_state *cfi, unsigned char reg) 2760 { 2761 cfi->regs[reg].base = initial_func_cfi.regs[reg].base; 2762 cfi->regs[reg].offset = initial_func_cfi.regs[reg].offset; 2763 } 2764 2765 /* 2766 * A note about DRAP stack alignment: 2767 * 2768 * GCC has the concept of a DRAP register, which is used to help keep track of 2769 * the stack pointer when aligning the stack. r10 or r13 is used as the DRAP 2770 * register. The typical DRAP pattern is: 2771 * 2772 * 4c 8d 54 24 08 lea 0x8(%rsp),%r10 2773 * 48 83 e4 c0 and $0xffffffffffffffc0,%rsp 2774 * 41 ff 72 f8 pushq -0x8(%r10) 2775 * 55 push %rbp 2776 * 48 89 e5 mov %rsp,%rbp 2777 * (more pushes) 2778 * 41 52 push %r10 2779 * ... 2780 * 41 5a pop %r10 2781 * (more pops) 2782 * 5d pop %rbp 2783 * 49 8d 62 f8 lea -0x8(%r10),%rsp 2784 * c3 retq 2785 * 2786 * There are some variations in the epilogues, like: 2787 * 2788 * 5b pop %rbx 2789 * 41 5a pop %r10 2790 * 41 5c pop %r12 2791 * 41 5d pop %r13 2792 * 41 5e pop %r14 2793 * c9 leaveq 2794 * 49 8d 62 f8 lea -0x8(%r10),%rsp 2795 * c3 retq 2796 * 2797 * and: 2798 * 2799 * 4c 8b 55 e8 mov -0x18(%rbp),%r10 2800 * 48 8b 5d e0 mov -0x20(%rbp),%rbx 2801 * 4c 8b 65 f0 mov -0x10(%rbp),%r12 2802 * 4c 8b 6d f8 mov -0x8(%rbp),%r13 2803 * c9 leaveq 2804 * 49 8d 62 f8 lea -0x8(%r10),%rsp 2805 * c3 retq 2806 * 2807 * Sometimes r13 is used as the DRAP register, in which case it's saved and 2808 * restored beforehand: 2809 * 2810 * 41 55 push %r13 2811 * 4c 8d 6c 24 10 lea 0x10(%rsp),%r13 2812 * 48 83 e4 f0 and $0xfffffffffffffff0,%rsp 2813 * ... 2814 * 49 8d 65 f0 lea -0x10(%r13),%rsp 2815 * 41 5d pop %r13 2816 * c3 retq 2817 */ 2818 static int update_cfi_state(struct instruction *insn, 2819 struct instruction *next_insn, 2820 struct cfi_state *cfi, struct stack_op *op) 2821 { 2822 struct cfi_reg *cfa = &cfi->cfa; 2823 struct cfi_reg *regs = cfi->regs; 2824 2825 /* ignore UNWIND_HINT_UNDEFINED regions */ 2826 if (cfi->force_undefined) 2827 return 0; 2828 2829 /* stack operations don't make sense with an undefined CFA */ 2830 if (cfa->base == CFI_UNDEFINED) { 2831 if (insn_func(insn)) { 2832 WARN_INSN(insn, "undefined stack state"); 2833 return 1; 2834 } 2835 return 0; 2836 } 2837 2838 if (cfi->type == UNWIND_HINT_TYPE_REGS || 2839 cfi->type == UNWIND_HINT_TYPE_REGS_PARTIAL) 2840 return update_cfi_state_regs(insn, cfi, op); 2841 2842 switch (op->dest.type) { 2843 2844 case OP_DEST_REG: 2845 switch (op->src.type) { 2846 2847 case OP_SRC_REG: 2848 if (op->src.reg == CFI_SP && op->dest.reg == CFI_BP && 2849 cfa->base == CFI_SP && 2850 check_reg_frame_pos(®s[CFI_BP], -cfa->offset)) { 2851 2852 /* mov %rsp, %rbp */ 2853 cfa->base = op->dest.reg; 2854 cfi->bp_scratch = false; 2855 } 2856 2857 else if (op->src.reg == CFI_SP && 2858 op->dest.reg == CFI_BP && cfi->drap) { 2859 2860 /* drap: mov %rsp, %rbp */ 2861 regs[CFI_BP].base = CFI_BP; 2862 regs[CFI_BP].offset = -cfi->stack_size; 2863 cfi->bp_scratch = false; 2864 } 2865 2866 else if (op->src.reg == CFI_SP && cfa->base == CFI_SP) { 2867 2868 /* 2869 * mov %rsp, %reg 2870 * 2871 * This is needed for the rare case where GCC 2872 * does: 2873 * 2874 * mov %rsp, %rax 2875 * ... 2876 * mov %rax, %rsp 2877 */ 2878 cfi->vals[op->dest.reg].base = CFI_CFA; 2879 cfi->vals[op->dest.reg].offset = -cfi->stack_size; 2880 } 2881 2882 else if (op->src.reg == CFI_BP && op->dest.reg == CFI_SP && 2883 (cfa->base == CFI_BP || cfa->base == cfi->drap_reg)) { 2884 2885 /* 2886 * mov %rbp, %rsp 2887 * 2888 * Restore the original stack pointer (Clang). 2889 */ 2890 cfi->stack_size = -cfi->regs[CFI_BP].offset; 2891 } 2892 2893 else if (op->dest.reg == cfa->base) { 2894 2895 /* mov %reg, %rsp */ 2896 if (cfa->base == CFI_SP && 2897 cfi->vals[op->src.reg].base == CFI_CFA) { 2898 2899 /* 2900 * This is needed for the rare case 2901 * where GCC does something dumb like: 2902 * 2903 * lea 0x8(%rsp), %rcx 2904 * ... 2905 * mov %rcx, %rsp 2906 */ 2907 cfa->offset = -cfi->vals[op->src.reg].offset; 2908 cfi->stack_size = cfa->offset; 2909 2910 } else if (cfa->base == CFI_SP && 2911 cfi->vals[op->src.reg].base == CFI_SP_INDIRECT && 2912 cfi->vals[op->src.reg].offset == cfa->offset) { 2913 2914 /* 2915 * Stack swizzle: 2916 * 2917 * 1: mov %rsp, (%[tos]) 2918 * 2: mov %[tos], %rsp 2919 * ... 2920 * 3: pop %rsp 2921 * 2922 * Where: 2923 * 2924 * 1 - places a pointer to the previous 2925 * stack at the Top-of-Stack of the 2926 * new stack. 2927 * 2928 * 2 - switches to the new stack. 2929 * 2930 * 3 - pops the Top-of-Stack to restore 2931 * the original stack. 2932 * 2933 * Note: we set base to SP_INDIRECT 2934 * here and preserve offset. Therefore 2935 * when the unwinder reaches ToS it 2936 * will dereference SP and then add the 2937 * offset to find the next frame, IOW: 2938 * (%rsp) + offset. 2939 */ 2940 cfa->base = CFI_SP_INDIRECT; 2941 2942 } else { 2943 cfa->base = CFI_UNDEFINED; 2944 cfa->offset = 0; 2945 } 2946 } 2947 2948 else if (op->dest.reg == CFI_SP && 2949 cfi->vals[op->src.reg].base == CFI_SP_INDIRECT && 2950 cfi->vals[op->src.reg].offset == cfa->offset) { 2951 2952 /* 2953 * The same stack swizzle case 2) as above. But 2954 * because we can't change cfa->base, case 3) 2955 * will become a regular POP. Pretend we're a 2956 * PUSH so things don't go unbalanced. 2957 */ 2958 cfi->stack_size += 8; 2959 } 2960 2961 2962 break; 2963 2964 case OP_SRC_ADD: 2965 if (op->dest.reg == CFI_SP && op->src.reg == CFI_SP) { 2966 2967 /* add imm, %rsp */ 2968 cfi->stack_size -= op->src.offset; 2969 if (cfa->base == CFI_SP) 2970 cfa->offset -= op->src.offset; 2971 break; 2972 } 2973 2974 if (op->dest.reg == CFI_BP && op->src.reg == CFI_SP && 2975 insn->sym->frame_pointer) { 2976 /* addi.d fp,sp,imm on LoongArch */ 2977 if (cfa->base == CFI_SP && cfa->offset == op->src.offset) { 2978 cfa->base = CFI_BP; 2979 cfa->offset = 0; 2980 } 2981 break; 2982 } 2983 2984 if (op->dest.reg == CFI_SP && op->src.reg == CFI_BP) { 2985 /* addi.d sp,fp,imm on LoongArch */ 2986 if (cfa->base == CFI_BP && cfa->offset == 0) { 2987 if (insn->sym->frame_pointer) { 2988 cfa->base = CFI_SP; 2989 cfa->offset = -op->src.offset; 2990 } 2991 } else { 2992 /* lea disp(%rbp), %rsp */ 2993 cfi->stack_size = -(op->src.offset + regs[CFI_BP].offset); 2994 } 2995 break; 2996 } 2997 2998 if (op->src.reg == CFI_SP && cfa->base == CFI_SP) { 2999 3000 /* drap: lea disp(%rsp), %drap */ 3001 cfi->drap_reg = op->dest.reg; 3002 3003 /* 3004 * lea disp(%rsp), %reg 3005 * 3006 * This is needed for the rare case where GCC 3007 * does something dumb like: 3008 * 3009 * lea 0x8(%rsp), %rcx 3010 * ... 3011 * mov %rcx, %rsp 3012 */ 3013 cfi->vals[op->dest.reg].base = CFI_CFA; 3014 cfi->vals[op->dest.reg].offset = \ 3015 -cfi->stack_size + op->src.offset; 3016 3017 break; 3018 } 3019 3020 if (cfi->drap && op->dest.reg == CFI_SP && 3021 op->src.reg == cfi->drap_reg) { 3022 3023 /* drap: lea disp(%drap), %rsp */ 3024 cfa->base = CFI_SP; 3025 cfa->offset = cfi->stack_size = -op->src.offset; 3026 cfi->drap_reg = CFI_UNDEFINED; 3027 cfi->drap = false; 3028 break; 3029 } 3030 3031 if (op->dest.reg == cfi->cfa.base && !(next_insn && next_insn->hint)) { 3032 WARN_INSN(insn, "unsupported stack register modification"); 3033 return -1; 3034 } 3035 3036 break; 3037 3038 case OP_SRC_AND: 3039 if (op->dest.reg != CFI_SP || 3040 (cfi->drap_reg != CFI_UNDEFINED && cfa->base != CFI_SP) || 3041 (cfi->drap_reg == CFI_UNDEFINED && cfa->base != CFI_BP)) { 3042 WARN_INSN(insn, "unsupported stack pointer realignment"); 3043 return -1; 3044 } 3045 3046 if (cfi->drap_reg != CFI_UNDEFINED) { 3047 /* drap: and imm, %rsp */ 3048 cfa->base = cfi->drap_reg; 3049 cfa->offset = cfi->stack_size = 0; 3050 cfi->drap = true; 3051 } 3052 3053 /* 3054 * Older versions of GCC (4.8ish) realign the stack 3055 * without DRAP, with a frame pointer. 3056 */ 3057 3058 break; 3059 3060 case OP_SRC_POP: 3061 case OP_SRC_POPF: 3062 if (op->dest.reg == CFI_SP && cfa->base == CFI_SP_INDIRECT) { 3063 3064 /* pop %rsp; # restore from a stack swizzle */ 3065 cfa->base = CFI_SP; 3066 break; 3067 } 3068 3069 if (!cfi->drap && op->dest.reg == cfa->base) { 3070 3071 /* pop %rbp */ 3072 cfa->base = CFI_SP; 3073 } 3074 3075 if (cfi->drap && cfa->base == CFI_BP_INDIRECT && 3076 op->dest.reg == cfi->drap_reg && 3077 cfi->drap_offset == -cfi->stack_size) { 3078 3079 /* drap: pop %drap */ 3080 cfa->base = cfi->drap_reg; 3081 cfa->offset = 0; 3082 cfi->drap_offset = -1; 3083 3084 } else if (cfi->stack_size == -regs[op->dest.reg].offset) { 3085 3086 /* pop %reg */ 3087 restore_reg(cfi, op->dest.reg); 3088 } 3089 3090 cfi->stack_size -= 8; 3091 if (cfa->base == CFI_SP) 3092 cfa->offset -= 8; 3093 3094 break; 3095 3096 case OP_SRC_REG_INDIRECT: 3097 if (!cfi->drap && op->dest.reg == cfa->base && 3098 op->dest.reg == CFI_BP) { 3099 3100 /* mov disp(%rsp), %rbp */ 3101 cfa->base = CFI_SP; 3102 cfa->offset = cfi->stack_size; 3103 } 3104 3105 if (cfi->drap && op->src.reg == CFI_BP && 3106 op->src.offset == cfi->drap_offset) { 3107 3108 /* drap: mov disp(%rbp), %drap */ 3109 cfa->base = cfi->drap_reg; 3110 cfa->offset = 0; 3111 cfi->drap_offset = -1; 3112 } 3113 3114 if (cfi->drap && op->src.reg == CFI_BP && 3115 op->src.offset == regs[op->dest.reg].offset) { 3116 3117 /* drap: mov disp(%rbp), %reg */ 3118 restore_reg(cfi, op->dest.reg); 3119 3120 } else if (op->src.reg == cfa->base && 3121 op->src.offset == regs[op->dest.reg].offset + cfa->offset) { 3122 3123 /* mov disp(%rbp), %reg */ 3124 /* mov disp(%rsp), %reg */ 3125 restore_reg(cfi, op->dest.reg); 3126 3127 } else if (op->src.reg == CFI_SP && 3128 op->src.offset == regs[op->dest.reg].offset + cfi->stack_size) { 3129 3130 /* mov disp(%rsp), %reg */ 3131 restore_reg(cfi, op->dest.reg); 3132 } 3133 3134 break; 3135 3136 default: 3137 WARN_INSN(insn, "unknown stack-related instruction"); 3138 return -1; 3139 } 3140 3141 break; 3142 3143 case OP_DEST_PUSH: 3144 case OP_DEST_PUSHF: 3145 cfi->stack_size += 8; 3146 if (cfa->base == CFI_SP) 3147 cfa->offset += 8; 3148 3149 if (op->src.type != OP_SRC_REG) 3150 break; 3151 3152 if (cfi->drap) { 3153 if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) { 3154 3155 /* drap: push %drap */ 3156 cfa->base = CFI_BP_INDIRECT; 3157 cfa->offset = -cfi->stack_size; 3158 3159 /* save drap so we know when to restore it */ 3160 cfi->drap_offset = -cfi->stack_size; 3161 3162 } else if (op->src.reg == CFI_BP && cfa->base == cfi->drap_reg) { 3163 3164 /* drap: push %rbp */ 3165 cfi->stack_size = 0; 3166 3167 } else { 3168 3169 /* drap: push %reg */ 3170 save_reg(cfi, op->src.reg, CFI_BP, -cfi->stack_size); 3171 } 3172 3173 } else { 3174 3175 /* push %reg */ 3176 save_reg(cfi, op->src.reg, CFI_CFA, -cfi->stack_size); 3177 } 3178 3179 /* detect when asm code uses rbp as a scratch register */ 3180 if (opts.stackval && insn_func(insn) && op->src.reg == CFI_BP && 3181 cfa->base != CFI_BP) 3182 cfi->bp_scratch = true; 3183 break; 3184 3185 case OP_DEST_REG_INDIRECT: 3186 3187 if (cfi->drap) { 3188 if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) { 3189 3190 /* drap: mov %drap, disp(%rbp) */ 3191 cfa->base = CFI_BP_INDIRECT; 3192 cfa->offset = op->dest.offset; 3193 3194 /* save drap offset so we know when to restore it */ 3195 cfi->drap_offset = op->dest.offset; 3196 } else { 3197 3198 /* drap: mov reg, disp(%rbp) */ 3199 save_reg(cfi, op->src.reg, CFI_BP, op->dest.offset); 3200 } 3201 3202 } else if (op->dest.reg == cfa->base) { 3203 3204 /* mov reg, disp(%rbp) */ 3205 /* mov reg, disp(%rsp) */ 3206 save_reg(cfi, op->src.reg, CFI_CFA, 3207 op->dest.offset - cfi->cfa.offset); 3208 3209 } else if (op->dest.reg == CFI_SP) { 3210 3211 /* mov reg, disp(%rsp) */ 3212 save_reg(cfi, op->src.reg, CFI_CFA, 3213 op->dest.offset - cfi->stack_size); 3214 3215 } else if (op->src.reg == CFI_SP && op->dest.offset == 0) { 3216 3217 /* mov %rsp, (%reg); # setup a stack swizzle. */ 3218 cfi->vals[op->dest.reg].base = CFI_SP_INDIRECT; 3219 cfi->vals[op->dest.reg].offset = cfa->offset; 3220 } 3221 3222 break; 3223 3224 case OP_DEST_MEM: 3225 if (op->src.type != OP_SRC_POP && op->src.type != OP_SRC_POPF) { 3226 WARN_INSN(insn, "unknown stack-related memory operation"); 3227 return -1; 3228 } 3229 3230 /* pop mem */ 3231 cfi->stack_size -= 8; 3232 if (cfa->base == CFI_SP) 3233 cfa->offset -= 8; 3234 3235 break; 3236 3237 default: 3238 WARN_INSN(insn, "unknown stack-related instruction"); 3239 return -1; 3240 } 3241 3242 return 0; 3243 } 3244 3245 /* 3246 * The stack layouts of alternatives instructions can sometimes diverge when 3247 * they have stack modifications. That's fine as long as the potential stack 3248 * layouts don't conflict at any given potential instruction boundary. 3249 * 3250 * Flatten the CFIs of the different alternative code streams (both original 3251 * and replacement) into a single shared CFI array which can be used to detect 3252 * conflicts and nicely feed a linear array of ORC entries to the unwinder. 3253 */ 3254 static int propagate_alt_cfi(struct objtool_file *file, struct instruction *insn) 3255 { 3256 struct cfi_state **alt_cfi; 3257 int group_off; 3258 3259 if (!insn->alt_group) 3260 return 0; 3261 3262 if (!insn->cfi) { 3263 WARN("CFI missing"); 3264 return -1; 3265 } 3266 3267 alt_cfi = insn->alt_group->cfi; 3268 group_off = insn->offset - insn->alt_group->first_insn->offset; 3269 3270 if (!alt_cfi[group_off]) { 3271 alt_cfi[group_off] = insn->cfi; 3272 } else { 3273 if (cficmp(alt_cfi[group_off], insn->cfi)) { 3274 struct alt_group *orig_group = insn->alt_group->orig_group ?: insn->alt_group; 3275 struct instruction *orig = orig_group->first_insn; 3276 WARN_INSN(orig, "stack layout conflict in alternatives: %s", 3277 offstr(insn->sec, insn->offset)); 3278 return -1; 3279 } 3280 } 3281 3282 return 0; 3283 } 3284 3285 static int handle_insn_ops(struct instruction *insn, 3286 struct instruction *next_insn, 3287 struct insn_state *state) 3288 { 3289 struct stack_op *op; 3290 int ret; 3291 3292 for (op = insn->stack_ops; op; op = op->next) { 3293 3294 ret = update_cfi_state(insn, next_insn, &state->cfi, op); 3295 if (ret) 3296 return ret; 3297 3298 if (!opts.uaccess || !insn->alt_group) 3299 continue; 3300 3301 if (op->dest.type == OP_DEST_PUSHF) { 3302 if (!state->uaccess_stack) { 3303 state->uaccess_stack = 1; 3304 } else if (state->uaccess_stack >> 31) { 3305 WARN_INSN(insn, "PUSHF stack exhausted"); 3306 return 1; 3307 } 3308 state->uaccess_stack <<= 1; 3309 state->uaccess_stack |= state->uaccess; 3310 } 3311 3312 if (op->src.type == OP_SRC_POPF) { 3313 if (state->uaccess_stack) { 3314 state->uaccess = state->uaccess_stack & 1; 3315 state->uaccess_stack >>= 1; 3316 if (state->uaccess_stack == 1) 3317 state->uaccess_stack = 0; 3318 } 3319 } 3320 } 3321 3322 return 0; 3323 } 3324 3325 static bool insn_cfi_match(struct instruction *insn, struct cfi_state *cfi2) 3326 { 3327 struct cfi_state *cfi1 = insn->cfi; 3328 int i; 3329 3330 if (!cfi1) { 3331 WARN("CFI missing"); 3332 return false; 3333 } 3334 3335 if (memcmp(&cfi1->cfa, &cfi2->cfa, sizeof(cfi1->cfa))) { 3336 3337 WARN_INSN(insn, "stack state mismatch: cfa1=%d%+d cfa2=%d%+d", 3338 cfi1->cfa.base, cfi1->cfa.offset, 3339 cfi2->cfa.base, cfi2->cfa.offset); 3340 return false; 3341 3342 } 3343 3344 if (memcmp(&cfi1->regs, &cfi2->regs, sizeof(cfi1->regs))) { 3345 for (i = 0; i < CFI_NUM_REGS; i++) { 3346 3347 if (!memcmp(&cfi1->regs[i], &cfi2->regs[i], sizeof(struct cfi_reg))) 3348 continue; 3349 3350 WARN_INSN(insn, "stack state mismatch: reg1[%d]=%d%+d reg2[%d]=%d%+d", 3351 i, cfi1->regs[i].base, cfi1->regs[i].offset, 3352 i, cfi2->regs[i].base, cfi2->regs[i].offset); 3353 } 3354 return false; 3355 } 3356 3357 if (cfi1->type != cfi2->type) { 3358 3359 WARN_INSN(insn, "stack state mismatch: type1=%d type2=%d", 3360 cfi1->type, cfi2->type); 3361 return false; 3362 } 3363 3364 if (cfi1->drap != cfi2->drap || 3365 (cfi1->drap && cfi1->drap_reg != cfi2->drap_reg) || 3366 (cfi1->drap && cfi1->drap_offset != cfi2->drap_offset)) { 3367 3368 WARN_INSN(insn, "stack state mismatch: drap1=%d(%d,%d) drap2=%d(%d,%d)", 3369 cfi1->drap, cfi1->drap_reg, cfi1->drap_offset, 3370 cfi2->drap, cfi2->drap_reg, cfi2->drap_offset); 3371 return false; 3372 } 3373 3374 return true; 3375 } 3376 3377 static inline bool func_uaccess_safe(struct symbol *func) 3378 { 3379 if (func) 3380 return func->uaccess_safe; 3381 3382 return false; 3383 } 3384 3385 static inline const char *call_dest_name(struct instruction *insn) 3386 { 3387 static char pvname[19]; 3388 struct reloc *reloc; 3389 int idx; 3390 3391 if (insn_call_dest(insn)) 3392 return insn_call_dest(insn)->name; 3393 3394 reloc = insn_reloc(NULL, insn); 3395 if (reloc && !strcmp(reloc->sym->name, "pv_ops")) { 3396 idx = (reloc_addend(reloc) / sizeof(void *)); 3397 snprintf(pvname, sizeof(pvname), "pv_ops[%d]", idx); 3398 return pvname; 3399 } 3400 3401 return "{dynamic}"; 3402 } 3403 3404 static bool pv_call_dest(struct objtool_file *file, struct instruction *insn) 3405 { 3406 struct symbol *target; 3407 struct reloc *reloc; 3408 int idx; 3409 3410 reloc = insn_reloc(file, insn); 3411 if (!reloc || strcmp(reloc->sym->name, "pv_ops")) 3412 return false; 3413 3414 idx = arch_insn_adjusted_addend(insn, reloc) / sizeof(void *); 3415 3416 if (file->pv_ops[idx].clean) 3417 return true; 3418 3419 file->pv_ops[idx].clean = true; 3420 3421 list_for_each_entry(target, &file->pv_ops[idx].targets, pv_target) { 3422 if (!target->sec->noinstr) { 3423 WARN("pv_ops[%d]: %s", idx, target->name); 3424 file->pv_ops[idx].clean = false; 3425 } 3426 } 3427 3428 return file->pv_ops[idx].clean; 3429 } 3430 3431 static inline bool noinstr_call_dest(struct objtool_file *file, 3432 struct instruction *insn, 3433 struct symbol *func) 3434 { 3435 /* 3436 * We can't deal with indirect function calls at present; 3437 * assume they're instrumented. 3438 */ 3439 if (!func) { 3440 if (file->pv_ops) 3441 return pv_call_dest(file, insn); 3442 3443 return false; 3444 } 3445 3446 /* 3447 * If the symbol is from a noinstr section; we good. 3448 */ 3449 if (func->sec->noinstr) 3450 return true; 3451 3452 /* 3453 * If the symbol is a static_call trampoline, we can't tell. 3454 */ 3455 if (func->static_call_tramp) 3456 return true; 3457 3458 /* 3459 * The __ubsan_handle_*() calls are like WARN(), they only happen when 3460 * something 'BAD' happened. At the risk of taking the machine down, 3461 * let them proceed to get the message out. 3462 */ 3463 if (!strncmp(func->name, "__ubsan_handle_", 15)) 3464 return true; 3465 3466 return false; 3467 } 3468 3469 static int validate_call(struct objtool_file *file, 3470 struct instruction *insn, 3471 struct insn_state *state) 3472 { 3473 if (state->noinstr && state->instr <= 0 && 3474 !noinstr_call_dest(file, insn, insn_call_dest(insn))) { 3475 WARN_INSN(insn, "call to %s() leaves .noinstr.text section", call_dest_name(insn)); 3476 return 1; 3477 } 3478 3479 if (state->uaccess && !func_uaccess_safe(insn_call_dest(insn))) { 3480 WARN_INSN(insn, "call to %s() with UACCESS enabled", call_dest_name(insn)); 3481 return 1; 3482 } 3483 3484 if (state->df) { 3485 WARN_INSN(insn, "call to %s() with DF set", call_dest_name(insn)); 3486 return 1; 3487 } 3488 3489 return 0; 3490 } 3491 3492 static int validate_sibling_call(struct objtool_file *file, 3493 struct instruction *insn, 3494 struct insn_state *state) 3495 { 3496 if (insn_func(insn) && has_modified_stack_frame(insn, state)) { 3497 WARN_INSN(insn, "sibling call from callable instruction with modified stack frame"); 3498 return 1; 3499 } 3500 3501 return validate_call(file, insn, state); 3502 } 3503 3504 static int validate_return(struct symbol *func, struct instruction *insn, struct insn_state *state) 3505 { 3506 if (state->noinstr && state->instr > 0) { 3507 WARN_INSN(insn, "return with instrumentation enabled"); 3508 return 1; 3509 } 3510 3511 if (state->uaccess && !func_uaccess_safe(func)) { 3512 WARN_INSN(insn, "return with UACCESS enabled"); 3513 return 1; 3514 } 3515 3516 if (!state->uaccess && func_uaccess_safe(func)) { 3517 WARN_INSN(insn, "return with UACCESS disabled from a UACCESS-safe function"); 3518 return 1; 3519 } 3520 3521 if (state->df) { 3522 WARN_INSN(insn, "return with DF set"); 3523 return 1; 3524 } 3525 3526 if (func && has_modified_stack_frame(insn, state)) { 3527 WARN_INSN(insn, "return with modified stack frame"); 3528 return 1; 3529 } 3530 3531 if (state->cfi.bp_scratch) { 3532 WARN_INSN(insn, "BP used as a scratch register"); 3533 return 1; 3534 } 3535 3536 return 0; 3537 } 3538 3539 static struct instruction *next_insn_to_validate(struct objtool_file *file, 3540 struct instruction *insn) 3541 { 3542 struct alt_group *alt_group = insn->alt_group; 3543 3544 /* 3545 * Simulate the fact that alternatives are patched in-place. When the 3546 * end of a replacement alt_group is reached, redirect objtool flow to 3547 * the end of the original alt_group. 3548 * 3549 * insn->alts->insn -> alt_group->first_insn 3550 * ... 3551 * alt_group->last_insn 3552 * [alt_group->nop] -> next(orig_group->last_insn) 3553 */ 3554 if (alt_group) { 3555 if (alt_group->nop) { 3556 /* ->nop implies ->orig_group */ 3557 if (insn == alt_group->last_insn) 3558 return alt_group->nop; 3559 if (insn == alt_group->nop) 3560 goto next_orig; 3561 } 3562 if (insn == alt_group->last_insn && alt_group->orig_group) 3563 goto next_orig; 3564 } 3565 3566 return next_insn_same_sec(file, insn); 3567 3568 next_orig: 3569 return next_insn_same_sec(file, alt_group->orig_group->last_insn); 3570 } 3571 3572 static bool skip_alt_group(struct instruction *insn) 3573 { 3574 struct instruction *alt_insn = insn->alts ? insn->alts->insn : NULL; 3575 3576 if (!insn->alt_group) 3577 return false; 3578 3579 /* ANNOTATE_IGNORE_ALTERNATIVE */ 3580 if (insn->alt_group->ignore) { 3581 TRACE_ALT(insn, "alt group ignored"); 3582 return true; 3583 } 3584 3585 /* 3586 * For NOP patched with CLAC/STAC, only follow the latter to avoid 3587 * impossible code paths combining patched CLAC with unpatched STAC 3588 * or vice versa. 3589 * 3590 * ANNOTATE_IGNORE_ALTERNATIVE could have been used here, but Linus 3591 * requested not to do that to avoid hurting .s file readability 3592 * around CLAC/STAC alternative sites. 3593 */ 3594 3595 if (!alt_insn) 3596 return false; 3597 3598 /* Don't override ASM_{CLAC,STAC}_UNSAFE */ 3599 if (alt_insn->alt_group && alt_insn->alt_group->ignore) 3600 return false; 3601 3602 return alt_insn->type == INSN_CLAC || alt_insn->type == INSN_STAC; 3603 } 3604 3605 static int checksum_debug_init(struct objtool_file *file) 3606 { 3607 char *dup, *s; 3608 3609 if (!opts.debug_checksum) 3610 return 0; 3611 3612 dup = strdup(opts.debug_checksum); 3613 if (!dup) { 3614 ERROR_GLIBC("strdup"); 3615 return -1; 3616 } 3617 3618 s = dup; 3619 while (*s) { 3620 struct symbol *func; 3621 char *comma; 3622 3623 comma = strchr(s, ','); 3624 if (comma) 3625 *comma = '\0'; 3626 3627 func = find_symbol_by_name(file->elf, s); 3628 if (!func || !is_func_sym(func)) 3629 WARN("--debug-checksum: can't find '%s'", s); 3630 else 3631 func->debug_checksum = 1; 3632 3633 if (!comma) 3634 break; 3635 3636 s = comma + 1; 3637 } 3638 3639 free(dup); 3640 return 0; 3641 } 3642 3643 static void checksum_update_insn(struct objtool_file *file, struct symbol *func, 3644 struct instruction *insn) 3645 { 3646 struct reloc *reloc = insn_reloc(file, insn); 3647 unsigned long offset; 3648 struct symbol *sym; 3649 3650 if (insn->fake) 3651 return; 3652 3653 checksum_update(func, insn, insn->sec->data->d_buf + insn->offset, insn->len); 3654 3655 if (!reloc) { 3656 struct symbol *call_dest = insn_call_dest(insn); 3657 3658 if (call_dest) 3659 checksum_update(func, insn, call_dest->demangled_name, 3660 strlen(call_dest->demangled_name)); 3661 return; 3662 } 3663 3664 sym = reloc->sym; 3665 offset = arch_insn_adjusted_addend(insn, reloc); 3666 3667 if (is_string_sec(sym->sec)) { 3668 char *str; 3669 3670 str = sym->sec->data->d_buf + sym->offset + offset; 3671 checksum_update(func, insn, str, strlen(str)); 3672 return; 3673 } 3674 3675 if (is_sec_sym(sym)) { 3676 sym = find_symbol_containing(reloc->sym->sec, offset); 3677 if (!sym) 3678 return; 3679 3680 offset -= sym->offset; 3681 } 3682 3683 checksum_update(func, insn, sym->demangled_name, strlen(sym->demangled_name)); 3684 checksum_update(func, insn, &offset, sizeof(offset)); 3685 } 3686 3687 static int validate_branch(struct objtool_file *file, struct symbol *func, 3688 struct instruction *insn, struct insn_state state); 3689 static int do_validate_branch(struct objtool_file *file, struct symbol *func, 3690 struct instruction *insn, struct insn_state state); 3691 3692 static int validate_insn(struct objtool_file *file, struct symbol *func, 3693 struct instruction *insn, struct insn_state *statep, 3694 struct instruction *prev_insn, struct instruction *next_insn, 3695 bool *dead_end) 3696 { 3697 /* prev_state and alt_name are not used if there is no disassembly support */ 3698 struct insn_state prev_state __maybe_unused; 3699 char *alt_name __maybe_unused = NULL; 3700 struct alternative *alt; 3701 u8 visited; 3702 int ret; 3703 3704 /* 3705 * Any returns before the end of this function are effectively dead 3706 * ends, i.e. validate_branch() has reached the end of the branch. 3707 */ 3708 *dead_end = true; 3709 3710 visited = VISITED_BRANCH << statep->uaccess; 3711 if (insn->visited & VISITED_BRANCH_MASK) { 3712 if (!insn->hint && !insn_cfi_match(insn, &statep->cfi)) 3713 return 1; 3714 3715 if (insn->visited & visited) { 3716 TRACE_INSN(insn, "already visited"); 3717 return 0; 3718 } 3719 } else { 3720 nr_insns_visited++; 3721 } 3722 3723 if (statep->noinstr) 3724 statep->instr += insn->instr; 3725 3726 if (insn->hint) { 3727 if (insn->restore) { 3728 struct instruction *save_insn, *i; 3729 3730 i = insn; 3731 save_insn = NULL; 3732 3733 sym_for_each_insn_continue_reverse(file, func, i) { 3734 if (i->save) { 3735 save_insn = i; 3736 break; 3737 } 3738 } 3739 3740 if (!save_insn) { 3741 WARN_INSN(insn, "no corresponding CFI save for CFI restore"); 3742 return 1; 3743 } 3744 3745 if (!save_insn->visited) { 3746 /* 3747 * If the restore hint insn is at the 3748 * beginning of a basic block and was 3749 * branched to from elsewhere, and the 3750 * save insn hasn't been visited yet, 3751 * defer following this branch for now. 3752 * It will be seen later via the 3753 * straight-line path. 3754 */ 3755 if (!prev_insn) { 3756 TRACE_INSN(insn, "defer restore"); 3757 return 0; 3758 } 3759 3760 WARN_INSN(insn, "objtool isn't smart enough to handle this CFI save/restore combo"); 3761 return 1; 3762 } 3763 3764 insn->cfi = save_insn->cfi; 3765 nr_cfi_reused++; 3766 } 3767 3768 statep->cfi = *insn->cfi; 3769 } else { 3770 /* XXX track if we actually changed statep->cfi */ 3771 3772 if (prev_insn && !cficmp(prev_insn->cfi, &statep->cfi)) { 3773 insn->cfi = prev_insn->cfi; 3774 nr_cfi_reused++; 3775 } else { 3776 insn->cfi = cfi_hash_find_or_add(&statep->cfi); 3777 } 3778 } 3779 3780 insn->visited |= visited; 3781 3782 if (propagate_alt_cfi(file, insn)) 3783 return 1; 3784 3785 if (insn->alts) { 3786 for (alt = insn->alts; alt; alt = alt->next) { 3787 TRACE_ALT_BEGIN(insn, alt, alt_name); 3788 ret = validate_branch(file, func, alt->insn, *statep); 3789 TRACE_ALT_END(insn, alt, alt_name); 3790 if (ret) { 3791 BT_INSN(insn, "(alt)"); 3792 return ret; 3793 } 3794 } 3795 TRACE_ALT_INFO_NOADDR(insn, "/ ", "DEFAULT"); 3796 } 3797 3798 if (skip_alt_group(insn)) 3799 return 0; 3800 3801 prev_state = *statep; 3802 ret = handle_insn_ops(insn, next_insn, statep); 3803 TRACE_INSN_STATE(insn, &prev_state, statep); 3804 3805 if (ret) 3806 return 1; 3807 3808 switch (insn->type) { 3809 3810 case INSN_RETURN: 3811 TRACE_INSN(insn, "return"); 3812 return validate_return(func, insn, statep); 3813 3814 case INSN_CALL: 3815 case INSN_CALL_DYNAMIC: 3816 if (insn->type == INSN_CALL) 3817 TRACE_INSN(insn, "call"); 3818 else 3819 TRACE_INSN(insn, "indirect call"); 3820 3821 ret = validate_call(file, insn, statep); 3822 if (ret) 3823 return ret; 3824 3825 if (opts.stackval && func && !is_special_call(insn) && 3826 !has_valid_stack_frame(statep)) { 3827 WARN_INSN(insn, "call without frame pointer save/setup"); 3828 return 1; 3829 } 3830 3831 break; 3832 3833 case INSN_JUMP_CONDITIONAL: 3834 case INSN_JUMP_UNCONDITIONAL: 3835 if (is_sibling_call(insn)) { 3836 TRACE_INSN(insn, "sibling call"); 3837 ret = validate_sibling_call(file, insn, statep); 3838 if (ret) 3839 return ret; 3840 3841 } else if (insn->jump_dest) { 3842 if (insn->type == INSN_JUMP_UNCONDITIONAL) 3843 TRACE_INSN(insn, "unconditional jump"); 3844 else 3845 TRACE_INSN(insn, "jump taken"); 3846 3847 ret = validate_branch(file, func, insn->jump_dest, *statep); 3848 if (ret) { 3849 BT_INSN(insn, "(branch)"); 3850 return ret; 3851 } 3852 } 3853 3854 if (insn->type == INSN_JUMP_UNCONDITIONAL) 3855 return 0; 3856 3857 TRACE_INSN(insn, "jump not taken"); 3858 break; 3859 3860 case INSN_JUMP_DYNAMIC: 3861 case INSN_JUMP_DYNAMIC_CONDITIONAL: 3862 TRACE_INSN(insn, "indirect jump"); 3863 if (is_sibling_call(insn)) { 3864 ret = validate_sibling_call(file, insn, statep); 3865 if (ret) 3866 return ret; 3867 } 3868 3869 if (insn->type == INSN_JUMP_DYNAMIC) 3870 return 0; 3871 3872 break; 3873 3874 case INSN_SYSCALL: 3875 TRACE_INSN(insn, "syscall"); 3876 if (func && (!next_insn || !next_insn->hint)) { 3877 WARN_INSN(insn, "unsupported instruction in callable function"); 3878 return 1; 3879 } 3880 3881 break; 3882 3883 case INSN_SYSRET: 3884 TRACE_INSN(insn, "sysret"); 3885 if (func && (!next_insn || !next_insn->hint)) { 3886 WARN_INSN(insn, "unsupported instruction in callable function"); 3887 return 1; 3888 } 3889 3890 return 0; 3891 3892 case INSN_STAC: 3893 TRACE_INSN(insn, "stac"); 3894 if (!opts.uaccess) 3895 break; 3896 3897 if (statep->uaccess) { 3898 WARN_INSN(insn, "recursive UACCESS enable"); 3899 return 1; 3900 } 3901 3902 statep->uaccess = true; 3903 break; 3904 3905 case INSN_CLAC: 3906 TRACE_INSN(insn, "clac"); 3907 if (!opts.uaccess) 3908 break; 3909 3910 if (!statep->uaccess && func) { 3911 WARN_INSN(insn, "redundant UACCESS disable"); 3912 return 1; 3913 } 3914 3915 if (func_uaccess_safe(func) && !statep->uaccess_stack) { 3916 WARN_INSN(insn, "UACCESS-safe disables UACCESS"); 3917 return 1; 3918 } 3919 3920 statep->uaccess = false; 3921 break; 3922 3923 case INSN_STD: 3924 TRACE_INSN(insn, "std"); 3925 if (statep->df) { 3926 WARN_INSN(insn, "recursive STD"); 3927 return 1; 3928 } 3929 3930 statep->df = true; 3931 break; 3932 3933 case INSN_CLD: 3934 TRACE_INSN(insn, "cld"); 3935 if (!statep->df && func) { 3936 WARN_INSN(insn, "redundant CLD"); 3937 return 1; 3938 } 3939 3940 statep->df = false; 3941 break; 3942 3943 default: 3944 break; 3945 } 3946 3947 if (insn->dead_end) 3948 TRACE_INSN(insn, "dead end"); 3949 3950 *dead_end = insn->dead_end; 3951 return 0; 3952 } 3953 3954 /* 3955 * Follow the branch starting at the given instruction, and recursively follow 3956 * any other branches (jumps). Meanwhile, track the frame pointer state at 3957 * each instruction and validate all the rules described in 3958 * tools/objtool/Documentation/objtool.txt. 3959 */ 3960 static int do_validate_branch(struct objtool_file *file, struct symbol *func, 3961 struct instruction *insn, struct insn_state state) 3962 { 3963 struct instruction *next_insn, *prev_insn = NULL; 3964 bool dead_end; 3965 int ret; 3966 3967 if (func && func->ignore) 3968 return 0; 3969 3970 do { 3971 insn->trace = 0; 3972 next_insn = next_insn_to_validate(file, insn); 3973 3974 if (opts.checksum && func && insn->sec) 3975 checksum_update_insn(file, func, insn); 3976 3977 if (func && insn_func(insn) && func != insn_func(insn)->pfunc) { 3978 /* Ignore KCFI type preambles, which always fall through */ 3979 if (is_prefix_func(func)) 3980 return 0; 3981 3982 if (file->ignore_unreachables) 3983 return 0; 3984 3985 WARN("%s() falls through to next function %s()", 3986 func->name, insn_func(insn)->name); 3987 func->warned = 1; 3988 3989 return 1; 3990 } 3991 3992 ret = validate_insn(file, func, insn, &state, prev_insn, next_insn, 3993 &dead_end); 3994 3995 if (!insn->trace) { 3996 if (ret) 3997 TRACE_INSN(insn, "warning (%d)", ret); 3998 else 3999 TRACE_INSN(insn, NULL); 4000 } 4001 4002 if (!dead_end && !next_insn) { 4003 if (state.cfi.cfa.base == CFI_UNDEFINED) 4004 return 0; 4005 if (file->ignore_unreachables) 4006 return 0; 4007 4008 WARN("%s%sunexpected end of section %s", 4009 func ? func->name : "", func ? "(): " : "", 4010 insn->sec->name); 4011 return 1; 4012 } 4013 4014 prev_insn = insn; 4015 insn = next_insn; 4016 4017 } while (!dead_end); 4018 4019 return ret; 4020 } 4021 4022 static int validate_branch(struct objtool_file *file, struct symbol *func, 4023 struct instruction *insn, struct insn_state state) 4024 { 4025 int ret; 4026 4027 trace_depth_inc(); 4028 ret = do_validate_branch(file, func, insn, state); 4029 trace_depth_dec(); 4030 4031 return ret; 4032 } 4033 4034 static int validate_unwind_hint(struct objtool_file *file, 4035 struct instruction *insn, 4036 struct insn_state *state) 4037 { 4038 if (insn->hint && !insn->visited) { 4039 struct symbol *func = insn_func(insn); 4040 int ret; 4041 4042 if (opts.checksum) 4043 checksum_init(func); 4044 4045 ret = validate_branch(file, func, insn, *state); 4046 if (ret) 4047 BT_INSN(insn, "<=== (hint)"); 4048 return ret; 4049 } 4050 4051 return 0; 4052 } 4053 4054 static int validate_unwind_hints(struct objtool_file *file, struct section *sec) 4055 { 4056 struct instruction *insn; 4057 struct insn_state state; 4058 int warnings = 0; 4059 4060 if (!file->hints) 4061 return 0; 4062 4063 init_insn_state(file, &state, sec); 4064 4065 if (sec) { 4066 sec_for_each_insn(file, sec, insn) 4067 warnings += validate_unwind_hint(file, insn, &state); 4068 } else { 4069 for_each_insn(file, insn) 4070 warnings += validate_unwind_hint(file, insn, &state); 4071 } 4072 4073 return warnings; 4074 } 4075 4076 /* 4077 * Validate rethunk entry constraint: must untrain RET before the first RET. 4078 * 4079 * Follow every branch (intra-function) and ensure VALIDATE_UNRET_END comes 4080 * before an actual RET instruction. 4081 */ 4082 static int validate_unret(struct objtool_file *file, struct instruction *insn) 4083 { 4084 struct instruction *next, *dest; 4085 int ret; 4086 4087 for (;;) { 4088 next = next_insn_to_validate(file, insn); 4089 4090 if (insn->visited & VISITED_UNRET) 4091 return 0; 4092 4093 insn->visited |= VISITED_UNRET; 4094 4095 if (insn->alts) { 4096 struct alternative *alt; 4097 for (alt = insn->alts; alt; alt = alt->next) { 4098 ret = validate_unret(file, alt->insn); 4099 if (ret) { 4100 BT_INSN(insn, "(alt)"); 4101 return ret; 4102 } 4103 } 4104 } 4105 4106 switch (insn->type) { 4107 4108 case INSN_CALL_DYNAMIC: 4109 case INSN_JUMP_DYNAMIC: 4110 case INSN_JUMP_DYNAMIC_CONDITIONAL: 4111 WARN_INSN(insn, "early indirect call"); 4112 return 1; 4113 4114 case INSN_JUMP_UNCONDITIONAL: 4115 case INSN_JUMP_CONDITIONAL: 4116 if (!is_sibling_call(insn)) { 4117 if (!insn->jump_dest) { 4118 WARN_INSN(insn, "unresolved jump target after linking?!?"); 4119 return 1; 4120 } 4121 ret = validate_unret(file, insn->jump_dest); 4122 if (ret) { 4123 BT_INSN(insn, "(branch%s)", 4124 insn->type == INSN_JUMP_CONDITIONAL ? "-cond" : ""); 4125 return ret; 4126 } 4127 4128 if (insn->type == INSN_JUMP_UNCONDITIONAL) 4129 return 0; 4130 4131 break; 4132 } 4133 4134 /* fallthrough */ 4135 case INSN_CALL: 4136 dest = find_insn(file, insn_call_dest(insn)->sec, 4137 insn_call_dest(insn)->offset); 4138 if (!dest) { 4139 WARN("Unresolved function after linking!?: %s", 4140 insn_call_dest(insn)->name); 4141 return 1; 4142 } 4143 4144 ret = validate_unret(file, dest); 4145 if (ret) { 4146 BT_INSN(insn, "(call)"); 4147 return ret; 4148 } 4149 /* 4150 * If a call returns without error, it must have seen UNTRAIN_RET. 4151 * Therefore any non-error return is a success. 4152 */ 4153 return 0; 4154 4155 case INSN_RETURN: 4156 WARN_INSN(insn, "RET before UNTRAIN"); 4157 return 1; 4158 4159 case INSN_SYSCALL: 4160 break; 4161 4162 case INSN_SYSRET: 4163 return 0; 4164 4165 case INSN_NOP: 4166 if (insn->retpoline_safe) 4167 return 0; 4168 break; 4169 4170 default: 4171 break; 4172 } 4173 4174 if (insn->dead_end) 4175 return 0; 4176 4177 if (!next) { 4178 WARN_INSN(insn, "teh end!"); 4179 return 1; 4180 } 4181 insn = next; 4182 } 4183 4184 return 0; 4185 } 4186 4187 /* 4188 * Validate that all branches starting at VALIDATE_UNRET_BEGIN encounter 4189 * VALIDATE_UNRET_END before RET. 4190 */ 4191 static int validate_unrets(struct objtool_file *file) 4192 { 4193 struct instruction *insn; 4194 int warnings = 0; 4195 4196 for_each_insn(file, insn) { 4197 if (!insn->unret) 4198 continue; 4199 4200 warnings += validate_unret(file, insn); 4201 } 4202 4203 return warnings; 4204 } 4205 4206 static int validate_retpoline(struct objtool_file *file) 4207 { 4208 struct instruction *insn; 4209 int warnings = 0; 4210 4211 for_each_insn(file, insn) { 4212 if (insn->type != INSN_JUMP_DYNAMIC && 4213 insn->type != INSN_CALL_DYNAMIC && 4214 insn->type != INSN_RETURN) 4215 continue; 4216 4217 if (insn->retpoline_safe) 4218 continue; 4219 4220 if (insn->sec->init) 4221 continue; 4222 4223 if (insn->type == INSN_RETURN) { 4224 if (opts.rethunk) { 4225 WARN_INSN(insn, "'naked' return found in MITIGATION_RETHUNK build"); 4226 warnings++; 4227 } 4228 continue; 4229 } 4230 4231 WARN_INSN(insn, "indirect %s found in MITIGATION_RETPOLINE build", 4232 insn->type == INSN_JUMP_DYNAMIC ? "jump" : "call"); 4233 warnings++; 4234 } 4235 4236 if (!opts.cfi) 4237 return warnings; 4238 4239 /* 4240 * kCFI call sites look like: 4241 * 4242 * movl $(-0x12345678), %r10d 4243 * addl -4(%r11), %r10d 4244 * jz 1f 4245 * ud2 4246 * 1: cs call __x86_indirect_thunk_r11 4247 * 4248 * Verify all indirect calls are kCFI adorned by checking for the 4249 * UD2. Notably, doing __nocfi calls to regular (cfi) functions is 4250 * broken. 4251 */ 4252 list_for_each_entry(insn, &file->retpoline_call_list, call_node) { 4253 struct symbol *sym = insn->sym; 4254 4255 if (sym && (sym->type == STT_NOTYPE || 4256 sym->type == STT_FUNC) && !sym->nocfi) { 4257 struct instruction *prev = 4258 prev_insn_same_sym(file, insn); 4259 4260 if (!prev || prev->type != INSN_BUG) { 4261 WARN_INSN(insn, "no-cfi indirect call!"); 4262 warnings++; 4263 } 4264 } 4265 } 4266 4267 return warnings; 4268 } 4269 4270 static bool is_kasan_insn(struct instruction *insn) 4271 { 4272 return (insn->type == INSN_CALL && 4273 !strcmp(insn_call_dest(insn)->name, "__asan_handle_no_return")); 4274 } 4275 4276 static bool is_ubsan_insn(struct instruction *insn) 4277 { 4278 return (insn->type == INSN_CALL && 4279 !strcmp(insn_call_dest(insn)->name, 4280 "__ubsan_handle_builtin_unreachable")); 4281 } 4282 4283 static bool ignore_unreachable_insn(struct objtool_file *file, struct instruction *insn) 4284 { 4285 struct symbol *func = insn_func(insn); 4286 struct instruction *prev_insn; 4287 int i; 4288 4289 if (insn->type == INSN_NOP || insn->type == INSN_TRAP || 4290 insn->hole || (func && func->ignore)) 4291 return true; 4292 4293 /* 4294 * Ignore alternative replacement instructions. This can happen 4295 * when a whitelisted function uses one of the ALTERNATIVE macros. 4296 */ 4297 if (!strcmp(insn->sec->name, ".altinstr_replacement") || 4298 !strcmp(insn->sec->name, ".altinstr_aux")) 4299 return true; 4300 4301 if (!func) 4302 return false; 4303 4304 if (func->static_call_tramp) 4305 return true; 4306 4307 /* 4308 * CONFIG_UBSAN_TRAP inserts a UD2 when it sees 4309 * __builtin_unreachable(). The BUG() macro has an unreachable() after 4310 * the UD2, which causes GCC's undefined trap logic to emit another UD2 4311 * (or occasionally a JMP to UD2). 4312 * 4313 * It may also insert a UD2 after calling a __noreturn function. 4314 */ 4315 prev_insn = prev_insn_same_sec(file, insn); 4316 if (prev_insn && prev_insn->dead_end && 4317 (insn->type == INSN_BUG || 4318 (insn->type == INSN_JUMP_UNCONDITIONAL && 4319 insn->jump_dest && insn->jump_dest->type == INSN_BUG))) 4320 return true; 4321 4322 /* 4323 * Check if this (or a subsequent) instruction is related to 4324 * CONFIG_UBSAN or CONFIG_KASAN. 4325 * 4326 * End the search at 5 instructions to avoid going into the weeds. 4327 */ 4328 for (i = 0; i < 5; i++) { 4329 4330 if (is_kasan_insn(insn) || is_ubsan_insn(insn)) 4331 return true; 4332 4333 if (insn->type == INSN_JUMP_UNCONDITIONAL) { 4334 if (insn->jump_dest && 4335 insn_func(insn->jump_dest) == func) { 4336 insn = insn->jump_dest; 4337 continue; 4338 } 4339 4340 break; 4341 } 4342 4343 if (insn->offset + insn->len >= func->offset + func->len) 4344 break; 4345 4346 insn = next_insn_same_sec(file, insn); 4347 } 4348 4349 return false; 4350 } 4351 4352 /* 4353 * For FineIBT or kCFI, a certain number of bytes preceding the function may be 4354 * NOPs. Those NOPs may be rewritten at runtime and executed, so give them a 4355 * proper function name: __pfx_<func>. 4356 * 4357 * The NOPs may not exist for the following cases: 4358 * 4359 * - compiler cloned functions (*.cold, *.part0, etc) 4360 * - asm functions created with inline asm or without SYM_FUNC_START() 4361 * 4362 * Also, the function may already have a prefix from a previous objtool run 4363 * (livepatch extracted functions, or manually running objtool multiple times). 4364 * 4365 * So return 0 if the NOPs are missing or the function already has a prefix 4366 * symbol. 4367 */ 4368 static int create_prefix_symbol(struct objtool_file *file, struct symbol *func) 4369 { 4370 struct instruction *insn, *prev; 4371 char name[SYM_NAME_LEN]; 4372 struct cfi_state *cfi; 4373 4374 if (!is_func_sym(func) || is_prefix_func(func) || 4375 func->cold || func->static_call_tramp) 4376 return 0; 4377 4378 if ((strlen(func->name) + sizeof("__pfx_") > SYM_NAME_LEN)) { 4379 WARN("%s: symbol name too long, can't create __pfx_ symbol", 4380 func->name); 4381 return 0; 4382 } 4383 4384 if (snprintf_check(name, SYM_NAME_LEN, "__pfx_%s", func->name)) 4385 return -1; 4386 4387 if (file->klp) { 4388 struct symbol *pfx; 4389 4390 pfx = find_symbol_by_offset(func->sec, func->offset - opts.prefix); 4391 if (pfx && is_prefix_func(pfx) && !strcmp(pfx->name, name)) 4392 return 0; 4393 } 4394 4395 insn = find_insn(file, func->sec, func->offset); 4396 if (!insn) { 4397 WARN("%s: can't find starting instruction", func->name); 4398 return -1; 4399 } 4400 4401 for (prev = prev_insn_same_sec(file, insn); 4402 prev; 4403 prev = prev_insn_same_sec(file, prev)) { 4404 u64 offset; 4405 4406 if (prev->type != INSN_NOP) 4407 return 0; 4408 4409 offset = func->offset - prev->offset; 4410 4411 if (offset > opts.prefix) 4412 return 0; 4413 4414 if (offset < opts.prefix) 4415 continue; 4416 4417 if (!elf_create_symbol(file->elf, name, func->sec, 4418 GELF_ST_BIND(func->sym.st_info), 4419 GELF_ST_TYPE(func->sym.st_info), 4420 prev->offset, opts.prefix)) 4421 return -1; 4422 4423 break; 4424 } 4425 4426 if (!prev) 4427 return 0; 4428 4429 if (!insn->cfi) { 4430 /* 4431 * This can happen if stack validation isn't enabled or the 4432 * function is annotated with STACK_FRAME_NON_STANDARD. 4433 */ 4434 return 0; 4435 } 4436 4437 /* Propagate insn->cfi to the prefix code */ 4438 cfi = cfi_hash_find_or_add(insn->cfi); 4439 for (; prev != insn; prev = next_insn_same_sec(file, prev)) 4440 prev->cfi = cfi; 4441 4442 return 0; 4443 } 4444 4445 static int create_prefix_symbols(struct objtool_file *file) 4446 { 4447 struct section *sec; 4448 struct symbol *func; 4449 4450 for_each_sec(file->elf, sec) { 4451 if (!is_text_sec(sec)) 4452 continue; 4453 4454 sec_for_each_sym(sec, func) { 4455 if (create_prefix_symbol(file, func)) 4456 return -1; 4457 } 4458 } 4459 4460 return 0; 4461 } 4462 4463 static int validate_symbol(struct objtool_file *file, struct section *sec, 4464 struct symbol *sym, struct insn_state *state) 4465 { 4466 struct instruction *insn; 4467 struct symbol *func; 4468 int ret; 4469 4470 if (!sym->len) { 4471 WARN("%s() is missing an ELF size annotation", sym->name); 4472 return 1; 4473 } 4474 4475 if (sym->pfunc != sym || sym->alias != sym) 4476 return 0; 4477 4478 insn = find_insn(file, sec, sym->offset); 4479 if (!insn || insn->visited) 4480 return 0; 4481 4482 if (opts.uaccess) 4483 state->uaccess = sym->uaccess_safe; 4484 4485 func = insn_func(insn); 4486 4487 if (opts.checksum) 4488 checksum_init(func); 4489 4490 if (opts.trace && !fnmatch(opts.trace, sym->name, 0)) { 4491 trace_enable(); 4492 TRACE("%s: validation begin\n", sym->name); 4493 } 4494 4495 ret = validate_branch(file, func, insn, *state); 4496 if (ret) 4497 BT_INSN(insn, "<=== (sym)"); 4498 4499 TRACE("%s: validation %s\n\n", sym->name, ret ? "failed" : "end"); 4500 trace_disable(); 4501 4502 if (opts.checksum) 4503 checksum_finish(func); 4504 4505 return ret; 4506 } 4507 4508 static int validate_section(struct objtool_file *file, struct section *sec) 4509 { 4510 struct insn_state state; 4511 struct symbol *func; 4512 int warnings = 0; 4513 4514 sec_for_each_sym(sec, func) { 4515 if (!is_func_sym(func)) 4516 continue; 4517 4518 init_insn_state(file, &state, sec); 4519 set_func_state(&state.cfi); 4520 4521 warnings += validate_symbol(file, sec, func, &state); 4522 } 4523 4524 return warnings; 4525 } 4526 4527 static int validate_noinstr_sections(struct objtool_file *file) 4528 { 4529 struct section *sec; 4530 int warnings = 0; 4531 4532 sec = find_section_by_name(file->elf, ".noinstr.text"); 4533 if (sec) { 4534 warnings += validate_section(file, sec); 4535 warnings += validate_unwind_hints(file, sec); 4536 } 4537 4538 sec = find_section_by_name(file->elf, ".entry.text"); 4539 if (sec) { 4540 warnings += validate_section(file, sec); 4541 warnings += validate_unwind_hints(file, sec); 4542 } 4543 4544 sec = find_section_by_name(file->elf, ".cpuidle.text"); 4545 if (sec) { 4546 warnings += validate_section(file, sec); 4547 warnings += validate_unwind_hints(file, sec); 4548 } 4549 4550 return warnings; 4551 } 4552 4553 static int validate_functions(struct objtool_file *file) 4554 { 4555 struct section *sec; 4556 int warnings = 0; 4557 4558 for_each_sec(file->elf, sec) { 4559 if (!is_text_sec(sec)) 4560 continue; 4561 4562 warnings += validate_section(file, sec); 4563 } 4564 4565 return warnings; 4566 } 4567 4568 static void mark_endbr_used(struct instruction *insn) 4569 { 4570 if (!list_empty(&insn->call_node)) 4571 list_del_init(&insn->call_node); 4572 } 4573 4574 static bool noendbr_range(struct objtool_file *file, struct instruction *insn) 4575 { 4576 struct symbol *sym = find_symbol_containing(insn->sec, insn->offset-1); 4577 struct instruction *first; 4578 4579 if (!sym) 4580 return false; 4581 4582 first = find_insn(file, sym->sec, sym->offset); 4583 if (!first) 4584 return false; 4585 4586 if (first->type != INSN_ENDBR && !first->noendbr) 4587 return false; 4588 4589 return insn->offset == sym->offset + sym->len; 4590 } 4591 4592 static int __validate_ibt_insn(struct objtool_file *file, struct instruction *insn, 4593 struct instruction *dest) 4594 { 4595 if (dest->type == INSN_ENDBR) { 4596 mark_endbr_used(dest); 4597 return 0; 4598 } 4599 4600 if (insn_func(dest) && insn_func(insn) && 4601 insn_func(dest)->pfunc == insn_func(insn)->pfunc) { 4602 /* 4603 * Anything from->to self is either _THIS_IP_ or 4604 * IRET-to-self. 4605 * 4606 * There is no sane way to annotate _THIS_IP_ since the 4607 * compiler treats the relocation as a constant and is 4608 * happy to fold in offsets, skewing any annotation we 4609 * do, leading to vast amounts of false-positives. 4610 * 4611 * There's also compiler generated _THIS_IP_ through 4612 * KCOV and such which we have no hope of annotating. 4613 * 4614 * As such, blanket accept self-references without 4615 * issue. 4616 */ 4617 return 0; 4618 } 4619 4620 /* 4621 * Accept anything ANNOTATE_NOENDBR. 4622 */ 4623 if (dest->noendbr) 4624 return 0; 4625 4626 /* 4627 * Accept if this is the instruction after a symbol 4628 * that is (no)endbr -- typical code-range usage. 4629 */ 4630 if (noendbr_range(file, dest)) 4631 return 0; 4632 4633 WARN_INSN(insn, "relocation to !ENDBR: %s", offstr(dest->sec, dest->offset)); 4634 return 1; 4635 } 4636 4637 static int validate_ibt_insn(struct objtool_file *file, struct instruction *insn) 4638 { 4639 struct instruction *dest; 4640 struct reloc *reloc; 4641 unsigned long off; 4642 int warnings = 0; 4643 4644 /* 4645 * Looking for function pointer load relocations. Ignore 4646 * direct/indirect branches: 4647 */ 4648 switch (insn->type) { 4649 4650 case INSN_CALL: 4651 case INSN_CALL_DYNAMIC: 4652 case INSN_JUMP_CONDITIONAL: 4653 case INSN_JUMP_UNCONDITIONAL: 4654 case INSN_JUMP_DYNAMIC: 4655 case INSN_JUMP_DYNAMIC_CONDITIONAL: 4656 case INSN_RETURN: 4657 case INSN_NOP: 4658 return 0; 4659 4660 case INSN_LEA_RIP: 4661 if (!insn_reloc(file, insn)) { 4662 /* local function pointer reference without reloc */ 4663 4664 off = arch_jump_destination(insn); 4665 4666 dest = find_insn(file, insn->sec, off); 4667 if (!dest) { 4668 WARN_INSN(insn, "corrupt function pointer reference"); 4669 return 1; 4670 } 4671 4672 return __validate_ibt_insn(file, insn, dest); 4673 } 4674 break; 4675 4676 default: 4677 break; 4678 } 4679 4680 for (reloc = insn_reloc(file, insn); 4681 reloc; 4682 reloc = find_reloc_by_dest_range(file->elf, insn->sec, 4683 reloc_offset(reloc) + 1, 4684 (insn->offset + insn->len) - (reloc_offset(reloc) + 1))) { 4685 4686 off = reloc->sym->offset + arch_insn_adjusted_addend(insn, reloc); 4687 4688 dest = find_insn(file, reloc->sym->sec, off); 4689 if (!dest) 4690 continue; 4691 4692 warnings += __validate_ibt_insn(file, insn, dest); 4693 } 4694 4695 return warnings; 4696 } 4697 4698 static int validate_ibt_data_reloc(struct objtool_file *file, 4699 struct reloc *reloc) 4700 { 4701 struct instruction *dest; 4702 4703 dest = find_insn(file, reloc->sym->sec, 4704 reloc->sym->offset + reloc_addend(reloc)); 4705 if (!dest) 4706 return 0; 4707 4708 if (dest->type == INSN_ENDBR) { 4709 mark_endbr_used(dest); 4710 return 0; 4711 } 4712 4713 if (dest->noendbr) 4714 return 0; 4715 4716 WARN_FUNC(reloc->sec->base, reloc_offset(reloc), 4717 "data relocation to !ENDBR: %s", offstr(dest->sec, dest->offset)); 4718 4719 return 1; 4720 } 4721 4722 /* 4723 * Validate IBT rules and remove used ENDBR instructions from the seal list. 4724 * Unused ENDBR instructions will be annotated for sealing (i.e., replaced with 4725 * NOPs) later, in create_ibt_endbr_seal_sections(). 4726 */ 4727 static int validate_ibt(struct objtool_file *file) 4728 { 4729 struct section *sec; 4730 struct reloc *reloc; 4731 struct instruction *insn; 4732 int warnings = 0; 4733 4734 for_each_insn(file, insn) 4735 warnings += validate_ibt_insn(file, insn); 4736 4737 for_each_sec(file->elf, sec) { 4738 4739 /* Already done by validate_ibt_insn() */ 4740 if (is_text_sec(sec)) 4741 continue; 4742 4743 if (!sec->rsec) 4744 continue; 4745 4746 /* 4747 * These sections can reference text addresses, but not with 4748 * the intent to indirect branch to them. 4749 */ 4750 if ((!strncmp(sec->name, ".discard", 8) && 4751 strcmp(sec->name, ".discard.ibt_endbr_noseal")) || 4752 !strncmp(sec->name, ".debug", 6) || 4753 !strcmp(sec->name, ".altinstructions") || 4754 !strcmp(sec->name, ".ibt_endbr_seal") || 4755 !strcmp(sec->name, ".kcfi_traps") || 4756 !strcmp(sec->name, ".orc_unwind_ip") || 4757 !strcmp(sec->name, ".retpoline_sites") || 4758 !strcmp(sec->name, ".smp_locks") || 4759 !strcmp(sec->name, ".static_call_sites") || 4760 !strcmp(sec->name, "_error_injection_whitelist") || 4761 !strcmp(sec->name, "_kprobe_blacklist") || 4762 !strcmp(sec->name, "__bug_table") || 4763 !strcmp(sec->name, "__ex_table") || 4764 !strcmp(sec->name, "__jump_table") || 4765 !strcmp(sec->name, "__klp_funcs") || 4766 !strcmp(sec->name, "__mcount_loc") || 4767 !strcmp(sec->name, ".llvm.call-graph-profile") || 4768 !strcmp(sec->name, ".llvm_bb_addr_map") || 4769 !strcmp(sec->name, "__tracepoints") || 4770 !strcmp(sec->name, ".return_sites") || 4771 !strcmp(sec->name, ".call_sites") || 4772 !strcmp(sec->name, "__patchable_function_entries")) 4773 continue; 4774 4775 for_each_reloc(sec->rsec, reloc) 4776 warnings += validate_ibt_data_reloc(file, reloc); 4777 } 4778 4779 return warnings; 4780 } 4781 4782 static int validate_sls(struct objtool_file *file) 4783 { 4784 struct instruction *insn, *next_insn; 4785 int warnings = 0; 4786 4787 for_each_insn(file, insn) { 4788 next_insn = next_insn_same_sec(file, insn); 4789 4790 if (insn->retpoline_safe) 4791 continue; 4792 4793 switch (insn->type) { 4794 case INSN_RETURN: 4795 if (!next_insn || next_insn->type != INSN_TRAP) { 4796 WARN_INSN(insn, "missing int3 after ret"); 4797 warnings++; 4798 } 4799 4800 break; 4801 case INSN_JUMP_DYNAMIC: 4802 if (!next_insn || next_insn->type != INSN_TRAP) { 4803 WARN_INSN(insn, "missing int3 after indirect jump"); 4804 warnings++; 4805 } 4806 break; 4807 default: 4808 break; 4809 } 4810 } 4811 4812 return warnings; 4813 } 4814 4815 static int validate_reachable_instructions(struct objtool_file *file) 4816 { 4817 struct instruction *insn, *prev_insn; 4818 struct symbol *call_dest; 4819 int warnings = 0; 4820 4821 if (file->ignore_unreachables) 4822 return 0; 4823 4824 for_each_insn(file, insn) { 4825 if (insn->visited || ignore_unreachable_insn(file, insn)) 4826 continue; 4827 4828 prev_insn = prev_insn_same_sec(file, insn); 4829 if (prev_insn && prev_insn->dead_end) { 4830 call_dest = insn_call_dest(prev_insn); 4831 if (call_dest) { 4832 WARN_INSN(insn, "%s() missing __noreturn in .c/.h or NORETURN() in noreturns.h", 4833 call_dest->name); 4834 warnings++; 4835 continue; 4836 } 4837 } 4838 4839 WARN_INSN(insn, "unreachable instruction"); 4840 warnings++; 4841 } 4842 4843 return warnings; 4844 } 4845 4846 __weak bool arch_absolute_reloc(struct elf *elf, struct reloc *reloc) 4847 { 4848 unsigned int type = reloc_type(reloc); 4849 size_t sz = elf_addr_size(elf); 4850 4851 return (sz == 8) ? (type == R_ABS64) : (type == R_ABS32); 4852 } 4853 4854 static int check_abs_references(struct objtool_file *file) 4855 { 4856 struct section *sec; 4857 struct reloc *reloc; 4858 int ret = 0; 4859 4860 for_each_sec(file->elf, sec) { 4861 /* absolute references in non-loadable sections are fine */ 4862 if (!(sec->sh.sh_flags & SHF_ALLOC)) 4863 continue; 4864 4865 /* section must have an associated .rela section */ 4866 if (!sec->rsec) 4867 continue; 4868 4869 /* 4870 * Special case for compiler generated metadata that is not 4871 * consumed until after boot. 4872 */ 4873 if (!strcmp(sec->name, "__patchable_function_entries")) 4874 continue; 4875 4876 for_each_reloc(sec->rsec, reloc) { 4877 if (arch_absolute_reloc(file->elf, reloc)) { 4878 WARN("section %s has absolute relocation at offset 0x%llx", 4879 sec->name, (unsigned long long)reloc_offset(reloc)); 4880 ret++; 4881 } 4882 } 4883 } 4884 return ret; 4885 } 4886 4887 struct insn_chunk { 4888 void *addr; 4889 struct insn_chunk *next; 4890 }; 4891 4892 /* 4893 * Reduce peak RSS usage by freeing insns memory before writing the ELF file, 4894 * which can trigger more allocations for .debug_* sections whose data hasn't 4895 * been read yet. 4896 */ 4897 static void free_insns(struct objtool_file *file) 4898 { 4899 struct instruction *insn; 4900 struct insn_chunk *chunks = NULL, *chunk; 4901 4902 for_each_insn(file, insn) { 4903 if (!insn->idx) { 4904 chunk = malloc(sizeof(*chunk)); 4905 chunk->addr = insn; 4906 chunk->next = chunks; 4907 chunks = chunk; 4908 } 4909 } 4910 4911 for (chunk = chunks; chunk; chunk = chunk->next) 4912 free(chunk->addr); 4913 } 4914 4915 const char *objtool_disas_insn(struct instruction *insn) 4916 { 4917 struct disas_context *dctx = objtool_disas_ctx; 4918 4919 if (!dctx) 4920 return ""; 4921 4922 disas_insn(dctx, insn); 4923 return disas_result(dctx); 4924 } 4925 4926 int check(struct objtool_file *file) 4927 { 4928 struct disas_context *disas_ctx = NULL; 4929 int ret = 0, warnings = 0; 4930 4931 /* 4932 * Create a disassembly context if we might disassemble any 4933 * instruction or function. 4934 */ 4935 if (opts.verbose || opts.backtrace || opts.trace || opts.disas) { 4936 disas_ctx = disas_context_create(file); 4937 if (!disas_ctx) { 4938 opts.disas = false; 4939 opts.trace = false; 4940 } 4941 objtool_disas_ctx = disas_ctx; 4942 } 4943 4944 arch_initial_func_cfi_state(&initial_func_cfi); 4945 init_cfi_state(&init_cfi); 4946 init_cfi_state(&func_cfi); 4947 set_func_state(&func_cfi); 4948 init_cfi_state(&force_undefined_cfi); 4949 force_undefined_cfi.force_undefined = true; 4950 4951 if (!cfi_hash_alloc(1UL << (file->elf->symbol_bits - 3))) { 4952 ret = -1; 4953 goto out; 4954 } 4955 4956 cfi_hash_add(&init_cfi); 4957 cfi_hash_add(&func_cfi); 4958 4959 ret = checksum_debug_init(file); 4960 if (ret) 4961 goto out; 4962 4963 ret = decode_sections(file); 4964 if (ret) 4965 goto out; 4966 4967 if (!nr_insns) 4968 goto out; 4969 4970 if (opts.retpoline) 4971 warnings += validate_retpoline(file); 4972 4973 if (validate_branch_enabled()) { 4974 int w = 0; 4975 4976 w += validate_functions(file); 4977 w += validate_unwind_hints(file, NULL); 4978 if (!w) 4979 w += validate_reachable_instructions(file); 4980 4981 warnings += w; 4982 4983 } else if (opts.noinstr) { 4984 warnings += validate_noinstr_sections(file); 4985 } 4986 4987 if (opts.unret) { 4988 /* 4989 * Must be after validate_branch() and friends, it plays 4990 * further games with insn->visited. 4991 */ 4992 warnings += validate_unrets(file); 4993 } 4994 4995 if (opts.ibt) 4996 warnings += validate_ibt(file); 4997 4998 if (opts.sls) 4999 warnings += validate_sls(file); 5000 5001 if (opts.static_call) { 5002 ret = create_static_call_sections(file); 5003 if (ret) 5004 goto out; 5005 } 5006 5007 if (opts.retpoline) { 5008 ret = create_retpoline_sites_sections(file); 5009 if (ret) 5010 goto out; 5011 } 5012 5013 if (opts.cfi) { 5014 ret = create_cfi_sections(file); 5015 if (ret) 5016 goto out; 5017 } 5018 5019 if (opts.rethunk) { 5020 ret = create_return_sites_sections(file); 5021 if (ret) 5022 goto out; 5023 5024 if (opts.hack_skylake) { 5025 ret = create_direct_call_sections(file); 5026 if (ret) 5027 goto out; 5028 } 5029 } 5030 5031 if (opts.mcount) { 5032 ret = create_mcount_loc_sections(file); 5033 if (ret) 5034 goto out; 5035 } 5036 5037 if (opts.prefix) { 5038 ret = create_prefix_symbols(file); 5039 if (ret) 5040 goto out; 5041 } 5042 5043 if (opts.ibt) { 5044 ret = create_ibt_endbr_seal_sections(file); 5045 if (ret) 5046 goto out; 5047 } 5048 5049 if (opts.noabs) 5050 warnings += check_abs_references(file); 5051 5052 if (opts.checksum) { 5053 ret = create_sym_checksum_section(file); 5054 if (ret) 5055 goto out; 5056 } 5057 5058 if (opts.orc && nr_insns) { 5059 ret = orc_create(file); 5060 if (ret) 5061 goto out; 5062 } 5063 5064 if (opts.stats) { 5065 printf("nr_insns_visited: %ld\n", nr_insns_visited); 5066 printf("nr_cfi: %ld\n", nr_cfi); 5067 printf("nr_cfi_reused: %ld\n", nr_cfi_reused); 5068 printf("nr_cfi_cache: %ld\n", nr_cfi_cache); 5069 } 5070 5071 out: 5072 if (ret || warnings) { 5073 if (opts.werror && warnings) 5074 ret = 1; 5075 5076 if (opts.verbose) { 5077 if (opts.werror && warnings) 5078 WARN("%d warning(s) upgraded to errors", warnings); 5079 disas_warned_funcs(disas_ctx); 5080 } 5081 } 5082 5083 if (opts.disas) 5084 disas_funcs(disas_ctx); 5085 5086 if (disas_ctx) { 5087 disas_context_destroy(disas_ctx); 5088 objtool_disas_ctx = NULL; 5089 } 5090 5091 free_insns(file); 5092 5093 if (!ret && !warnings) 5094 return 0; 5095 5096 if (opts.backup && make_backup()) 5097 return 1; 5098 5099 return ret; 5100 } 5101