/*
 * Copyright (C) 2015-2017 Josh Poimboeuf <jpoimboe@redhat.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 */

#include <string.h>
#include <stdlib.h>

#include "builtin.h"
#include "check.h"
#include "elf.h"
#include "special.h"
#include "arch.h"
#include "warn.h"

#include <linux/hashtable.h>
#include <linux/kernel.h>

/*
 * One alternate successor of an instruction, queued on insn->alts.  ->insn is
 * the first instruction of the alternate path (or a synthetic jump created by
 * handle_group_alt()).
 */
struct alternative {
	struct list_head list;
	struct instruction *insn;
};

/* Name of the object file under analysis. */
const char *objname;
/*
 * Reference CFI state a function is expected to start with; compared against
 * in has_modified_stack_frame().
 */
struct cfi_state initial_func_cfi;

/*
 * Look up the instruction decoded at @offset within @sec.
 *
 * file->insn_hash is keyed on the offset alone, so instructions from several
 * sections can share a bucket; the section pointer disambiguates them.
 * Returns NULL when nothing was decoded at that address.
 */
struct instruction *find_insn(struct objtool_file *file,
			      struct section *sec, unsigned long offset)
{
	struct instruction *candidate;

	hash_for_each_possible(file->insn_hash, candidate, hash, offset) {
		if (candidate->sec != sec)
			continue;
		if (candidate->offset == offset)
			return candidate;
	}

	return NULL;
}

/*
 * Step to the instruction following @insn, staying inside @insn's section.
 *
 * Returns NULL when @insn is the last entry of file->insn_list or when the
 * next entry belongs to a different section.
 */
static struct instruction *next_insn_same_sec(struct objtool_file *file,
					      struct instruction *insn)
{
	struct instruction *following = list_next_entry(insn, list);

	if (!following)
		return NULL;
	if (&following->list == &file->insn_list)
		return NULL;
	if (following->sec != insn->sec)
		return NULL;

	return following;
}

/*
 * Step to the instruction following @insn within the same function, crossing
 * from a parent function into its subfunction (insn->func->cfunc, the ".cold."
 * part linked up in add_jump_destinations()) once the parent's instructions
 * run out.
 *
 * Returns NULL when @insn has no owning function, when the walk is already in
 * the subfunction (a func whose cfunc points at itself) and it ends, or when
 * the subfunction's first instruction cannot be found.
 */
static struct instruction *next_insn_same_func(struct objtool_file *file,
					       struct instruction *insn)
{
	struct symbol *owner = insn->func;
	struct instruction *following;

	if (!owner)
		return NULL;

	following = list_next_entry(insn, list);
	if (&following->list != &file->insn_list && following->func == owner)
		return following;

	/* Already walking the subfunction: nothing more to visit. */
	if (owner == owner->cfunc)
		return NULL;

	/* Parent exhausted: continue at the start of its subfunction. */
	return find_insn(file, owner->cfunc->sec, owner->cfunc->offset);
}

/* Walk every instruction of @func, including its subfunction. */
#define func_for_each_insn_all(file, func, insn)			\
	for (insn = find_insn(file, func->sec, func->offset);		\
	     insn;							\
	     insn = next_insn_same_func(file, insn))

/* Walk the instructions inside @func's own [offset, offset+len) range only. */
#define func_for_each_insn(file, func, insn)				\
	for (insn = find_insn(file, func->sec, func->offset);		\
	     insn && &insn->list != &file->insn_list &&			\
		insn->sec == func->sec &&				\
		insn->offset < func->offset + func->len;		\
	     insn = list_next_entry(insn, list))

/* Walk backwards from the entry before @insn while still inside @func. */
#define func_for_each_insn_continue_reverse(file, func, insn)		\
	for (insn = list_prev_entry(insn, list);			\
	     &insn->list != &file->insn_list &&				\
		insn->sec == func->sec && insn->offset >= func->offset;	\
	     insn = list_prev_entry(insn, list))

/* Walk from @insn (inclusive) to the end of its section. */
#define sec_for_each_insn_from(file, insn)				\
	for (; insn; insn = next_insn_same_sec(file, insn))

/* Walk from the entry after @insn to the end of its section. */
#define sec_for_each_insn_continue(file, insn)				\
	for (insn = next_insn_same_sec(file, insn); insn;		\
	     insn = next_insn_same_sec(file, insn))

/*
 * Check if the function has been manually whitelisted with the
 * STACK_FRAME_NON_STANDARD macro, or if it should be automatically whitelisted
 * due to its use of a context switching instruction.
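 */
static bool ignore_func(struct objtool_file *file, struct symbol *func)
{
	struct rela *rela;

	/*
	 * check for STACK_FRAME_NON_STANDARD: the whitelist section's
	 * relocations point either at the function's section+offset or
	 * directly at the function symbol.
	 */
	if (file->whitelist && file->whitelist->rela) {
		list_for_each_entry(rela, &file->whitelist->rela->rela_list, list) {
			if (rela->sym->type == STT_SECTION &&
			    rela->sym->sec == func->sec &&
			    rela->addend == func->offset)
				return true;
			if (rela->sym->type == STT_FUNC && rela->sym == func)
				return true;
		}
	}

	return false;
}

/*
 * This checks to see if the given function is a "noreturn" function.
 *
 * For global functions which are outside the scope of this object file, we
 * have to keep a manual list of them.
 *
 * For local functions, we have to detect them manually by simply looking for
 * the lack of a return instruction.
 *
 * @recursion counts sibling-call hops; it is capped at 5 to stop two functions
 * that tail-call each other from recursing forever.
 *
 * Returns:
 *  -1: error (documented by the original; no path in this function currently
 *      produces it)
 *   0: no dead end
 *   1: dead end
 *
 * (The double-underscore name is reserved by ISO C; it is kept because
 * dead_end_function() and the recursive call depend on it.)
 */
static int __dead_end_function(struct objtool_file *file, struct symbol *func,
			       int recursion)
{
	int i;
	struct instruction *insn;
	bool empty = true;

	/*
	 * Unfortunately these have to be hard coded because the noreturn
	 * attribute isn't provided in ELF data.
	 */
	static const char * const global_noreturns[] = {
		"__stack_chk_fail",
		"panic",
		"do_exit",
		"do_task_dead",
		"__module_put_and_exit",
		"complete_and_exit",
		"kvm_spurious_fault",
		"__reiserfs_panic",
		"lbug_with_loc",
		"fortify_panic",
		"usercopy_abort",
		"machine_real_restart",
		"rewind_stack_do_exit",
	};

	if (func->bind == STB_WEAK)
		return 0;

	if (func->bind == STB_GLOBAL)
		for (i = 0; i < ARRAY_SIZE(global_noreturns); i++)
			if (!strcmp(func->name, global_noreturns[i]))
				return 1;

	if (!func->len)
		return 0;

	/*
	 * find_insn() returns NULL when nothing was decoded at the symbol's
	 * offset; treat that like an instruction without an owning function
	 * instead of dereferencing it.
	 */
	insn = find_insn(file, func->sec, func->offset);
	if (!insn || !insn->func)
		return 0;

	func_for_each_insn_all(file, func, insn) {
		empty = false;

		if (insn->type == INSN_RETURN)
			return 0;
	}

	if (empty)
		return 0;

	/*
	 * A function can have a sibling call instead of a return.  In that
	 * case, the function's dead-end status depends on whether the target
	 * of the sibling call returns.
	 */
	func_for_each_insn_all(file, func, insn) {
		if (insn->type == INSN_JUMP_UNCONDITIONAL) {
			struct instruction *dest = insn->jump_dest;

			if (!dest)
				/* sibling call to another file */
				return 0;

			if (dest->func && dest->func->pfunc != insn->func->pfunc) {

				/* local sibling call */
				if (recursion == 5) {
					/*
					 * Infinite recursion: two functions
					 * have sibling calls to each other.
					 * This is a very rare case.  It means
					 * they aren't dead ends.
					 */
					return 0;
				}

				return __dead_end_function(file, dest->func,
							   recursion + 1);
			}
		}

		/* An indirect jump with no known alternatives is a sibling call. */
		if (insn->type == INSN_JUMP_DYNAMIC && list_empty(&insn->alts))
			return 0;
	}

	return 1;
}

/* Public-facing wrapper: start the sibling-call recursion at depth 0. */
static int dead_end_function(struct objtool_file *file, struct symbol *func)
{
	return __dead_end_function(file, func, 0);
}

/*
 * Reset @state to "nothing known": CFA, every register and value slot, and the
 * DRAP register are CFI_UNDEFINED, the DRAP offset is -1, everything else 0.
 */
static void clear_insn_state(struct insn_state *state)
{
	int i;

	memset(state, 0, sizeof(*state));
	state->cfa.base = CFI_UNDEFINED;
	for (i = 0; i < CFI_NUM_REGS; i++) {
		state->regs[i].base = CFI_UNDEFINED;
		state->vals[i].base = CFI_UNDEFINED;
	}
	state->drap_reg = CFI_UNDEFINED;
	state->drap_offset = -1;
}

/*
 * Call the arch-specific instruction decoder for all the instructions and add
 * them to the global instruction list.
 *
 * Every executable section is decoded linearly from offset 0; sections other
 * than .altinstr_replacement, .altinstr_aux and .discard.* are flagged as
 * ->text.  Afterwards each STT_FUNC symbol claims the instructions in its
 * range via insn->func (first claimant wins).  Returns 0 on success, -1 (or
 * the decoder's error) on failure; the instruction being decoded is freed on
 * the error path, earlier ones stay on the list.
 */
static int decode_instructions(struct objtool_file *file)
{
	struct section *sec;
	struct symbol *func;
	unsigned long offset;
	struct instruction *insn;
	int ret;

	for_each_sec(file, sec) {

		if (!(sec->sh.sh_flags & SHF_EXECINSTR))
			continue;

		if (strcmp(sec->name, ".altinstr_replacement") &&
		    strcmp(sec->name, ".altinstr_aux") &&
		    strncmp(sec->name, ".discard.", 9))
			sec->text = true;

		for (offset = 0; offset < sec->len; offset += insn->len) {
			/* calloc() gives the zeroed instruction in one step. */
			insn = calloc(1, sizeof(*insn));
			if (!insn) {
				WARN("malloc failed");
				return -1;
			}
			INIT_LIST_HEAD(&insn->alts);
			clear_insn_state(&insn->state);

			insn->sec = sec;
			insn->offset = offset;

			ret = arch_decode_instruction(file->elf, sec, offset,
						      sec->len - offset,
						      &insn->len, &insn->type,
						      &insn->immediate,
						      &insn->stack_op);
			if (ret)
				goto err;

			/* The decoder is trusted for ->len, but not for ->type. */
			if (!insn->type || insn->type > INSN_LAST) {
				WARN_FUNC("invalid instruction type %d",
					  insn->sec, insn->offset, insn->type);
				ret = -1;
				goto err;
			}

			hash_add(file->insn_hash, &insn->hash, insn->offset);
			list_add_tail(&insn->list, &file->insn_list);
		}

		list_for_each_entry(func, &sec->symbol_list, list) {
			if (func->type != STT_FUNC)
				continue;

			if (!find_insn(file, sec, func->offset)) {
				WARN("%s(): can't find starting instruction",
				     func->name);
				return -1;
			}

			func_for_each_insn(file, func, insn)
				if (!insn->func)
					insn->func = func;
		}
	}

	return 0;

err:
	free(insn);
	return ret;
}

/*
 * Resolve one .discard.{unreachable,reachable} annotation to the instruction
 * it refers to.
 *
 * The annotation's address is one past the instruction of interest, so the
 * list predecessor of the instruction at that address is returned.  An address
 * equal to the section length means "the last instruction of the section",
 * which is found by walking the global list backwards.  @what names the
 * annotation kind in the warning.  Returns NULL after warning when no
 * instruction matches.
 */
static struct instruction *find_annotated_insn(struct objtool_file *file,
					       struct rela *rela,
					       const char *what)
{
	struct instruction *insn;

	insn = find_insn(file, rela->sym->sec, rela->addend);
	if (insn)
		return list_prev_entry(insn, list);

	if (rela->addend == rela->sym->sec->len) {
		list_for_each_entry_reverse(insn, &file->insn_list, list) {
			if (insn->sec == rela->sym->sec)
				return insn;
		}
	}

	WARN("can't find %s insn at %s+0x%x",
	     what, rela->sym->sec->name, rela->addend);
	return NULL;
}

/*
 * Mark "ud2" instructions and manually annotated dead ends.
 *
 * Order matters: ud2 defaults first, then .discard.unreachable marks dead ends,
 * then .discard.reachable clears them.  Returns 0 on success, -1 after a
 * warning on a malformed annotation.
 */
static int add_dead_ends(struct objtool_file *file)
{
	struct section *sec;
	struct rela *rela;
	struct instruction *insn;

	/*
	 * By default, "ud2" is a dead end unless otherwise annotated, because
	 * GCC 7 inserts it for certain divide-by-zero cases.
	 */
	for_each_insn(file, insn)
		if (insn->type == INSN_BUG)
			insn->dead_end = true;

	/*
	 * Check for manually annotated dead ends.
	 */
	sec = find_section_by_name(file->elf, ".rela.discard.unreachable");
	if (sec) {
		list_for_each_entry(rela, &sec->rela_list, list) {
			if (rela->sym->type != STT_SECTION) {
				WARN("unexpected relocation symbol type in %s", sec->name);
				return -1;
			}

			insn = find_annotated_insn(file, rela, "unreachable");
			if (!insn)
				return -1;

			insn->dead_end = true;
		}
	}

	/*
	 * These manually annotated reachable checks are needed for GCC 4.4,
	 * where the Linux unreachable() macro isn't supported.  In that case
	 * GCC doesn't know the "ud2" is fatal, so it generates code as if it's
	 * not a dead end.
	 */
	sec = find_section_by_name(file->elf, ".rela.discard.reachable");
	if (!sec)
		return 0;

	list_for_each_entry(rela, &sec->rela_list, list) {
		if (rela->sym->type != STT_SECTION) {
			WARN("unexpected relocation symbol type in %s", sec->name);
			return -1;
		}

		insn = find_annotated_insn(file, rela, "reachable");
		if (!insn)
			return -1;

		insn->dead_end = false;
	}

	return 0;
}

/*
 * Warnings shouldn't be reported for ignored functions.
 *
 * Sets insn->ignore on every instruction (including the subfunction's) of each
 * function that ignore_func() whitelists.
 */
static void add_ignores(struct objtool_file *file)
{
	struct instruction *insn;
	struct section *sec;
	struct symbol *func;

	for_each_sec(file, sec) {
		list_for_each_entry(func, &sec->symbol_list, list) {
			if (func->type != STT_FUNC)
				continue;

			if (!ignore_func(file, func))
				continue;

			func_for_each_insn_all(file, func, insn)
				insn->ignore = true;
		}
	}
}

/*
 * FIXME: For now, just ignore any alternatives which add retpolines.  This is
 * a temporary hack, as it doesn't allow ORC to unwind from inside a retpoline.
 * But it at least allows objtool to understand the control flow *around* the
 * retpoline.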
 */
/*
 * Flag every instruction referenced from .rela.discard.nospec with
 * ->ignore_alts; handle_group_alt() later copies that flag onto the
 * instructions of the alternative so they are not validated.
 *
 * Returns 0 when the section is absent or fully processed, -1 after a warning
 * on an entry that is not section-relative or points at no instruction.
 */
static int add_nospec_ignores(struct objtool_file *file)
{
	struct section *sec;
	struct rela *rela;
	struct instruction *insn;

	sec = find_section_by_name(file->elf, ".rela.discard.nospec");
	if (!sec)
		return 0;

	list_for_each_entry(rela, &sec->rela_list, list) {
		if (rela->sym->type != STT_SECTION) {
			WARN("unexpected relocation symbol type in %s", sec->name);
			return -1;
		}

		insn = find_insn(file, rela->sym->sec, rela->addend);
		if (!insn) {
			WARN("bad .discard.nospec entry");
			return -1;
		}

		insn->ignore_alts = true;
	}

	return 0;
}

/*
 * Find the destination instructions for all jumps.
 *
 * For every conditional/unconditional jump that is not ignored, work out the
 * target section and offset (from the immediate, or from the relocation
 * covering the instruction) and store the target in insn->jump_dest.  Jumps to
 * retpoline thunks are rewritten into dynamic jumps; jumps to undefined
 * symbols are sibling calls and get a NULL jump_dest.  As a side effect,
 * parent/child links for GCC 8 ".cold." subfunctions are created.
 *
 * Returns 0 on success, -1 after a warning when a target cannot be found.
 */
static int add_jump_destinations(struct objtool_file *file)
{
	struct instruction *insn;
	struct rela *rela;
	struct section *dest_sec;
	unsigned long dest_off;

	for_each_insn(file, insn) {
		if (insn->type != INSN_JUMP_CONDITIONAL &&
		    insn->type != INSN_JUMP_UNCONDITIONAL)
			continue;

		if (insn->ignore)
			continue;

		rela = find_rela_by_dest_range(insn->sec, insn->offset,
					       insn->len);
		if (!rela) {
			/* No relocation: target is relative to the next insn. */
			dest_sec = insn->sec;
			dest_off = insn->offset + insn->len + insn->immediate;
		} else if (rela->sym->type == STT_SECTION) {
			/*
			 * Section-relative relocation.  The +4 compensates for
			 * the rel32 addend being taken from the end of the
			 * 4-byte displacement (x86 convention).
			 */
			dest_sec = rela->sym->sec;
			dest_off = rela->addend + 4;
		} else if (rela->sym->sec->idx) {
			/* Symbol defined in a real section of this object. */
			dest_sec = rela->sym->sec;
			dest_off = rela->sym->sym.st_value + rela->addend + 4;
		} else if (strstr(rela->sym->name, "_indirect_thunk_")) {
			/*
			 * Retpoline jumps are really dynamic jumps in
			 * disguise, so convert them accordingly.
			 */
			insn->type = INSN_JUMP_DYNAMIC;
			insn->retpoline_safe = true;
			continue;
		} else {
			/* sibling call (undefined symbol, section index 0) */
			insn->jump_dest = 0;
			continue;
		}

		insn->jump_dest = find_insn(file, dest_sec, dest_off);
		if (!insn->jump_dest) {

			/*
			 * This is a special case where an alt instruction
			 * jumps past the end of the section.  These are
			 * handled later in handle_group_alt().
			 */
			if (!strcmp(insn->sec->name, ".altinstr_replacement"))
				continue;

			WARN_FUNC("can't find jump dest instruction at %s+0x%lx",
				  insn->sec, insn->offset, dest_sec->name,
				  dest_off);
			return -1;
		}

		/*
		 * For GCC 8+, create parent/child links for any cold
		 * subfunctions.  This is _mostly_ redundant with a similar
		 * initialization in read_symbols().
		 *
		 * If a function has aliases, we want the *first* such function
		 * in the symbol table to be the subfunction's parent.  In that
		 * case we overwrite the initialization done in read_symbols().
		 *
		 * However this code can't completely replace the
		 * read_symbols() code because this doesn't detect the case
		 * where the parent function's only reference to a subfunction
		 * is through a switch table.
		 */
		if (insn->func && insn->jump_dest->func &&
		    insn->func != insn->jump_dest->func &&
		    !strstr(insn->func->name, ".cold.") &&
		    strstr(insn->jump_dest->func->name, ".cold.")) {
			insn->func->cfunc = insn->jump_dest->func;
			insn->jump_dest->func->pfunc = insn->func;
		}
	}

	return 0;
}

/*
 * Find the destination instructions for all calls.
 *
 * For every direct call, resolve the callee symbol into insn->call_dest:
 * either from the immediate (PC-relative call inside the same section), from
 * a section-relative relocation (+4 for the rel32 displacement), or directly
 * from the relocation's symbol.  An unresolved intra-function call is only
 * tolerated on ignored instructions.  Returns 0 on success, -1 after a warning.
 */
static int add_call_destinations(struct objtool_file *file)
{
	struct instruction *insn;
	unsigned long dest_off;
	struct rela *rela;

	for_each_insn(file, insn) {
		if (insn->type != INSN_CALL)
			continue;

		rela = find_rela_by_dest_range(insn->sec, insn->offset,
					       insn->len);

		/* Relocation against the callee's own symbol: use it as-is. */
		if (rela && rela->sym->type != STT_SECTION) {
			insn->call_dest = rela->sym;
			continue;
		}

		/* Section-relative relocation: find the function at the target. */
		if (rela) {
			insn->call_dest = find_symbol_by_offset(rela->sym->sec,
								rela->addend+4);
			if (!insn->call_dest ||
			    insn->call_dest->type != STT_FUNC) {
				WARN_FUNC("can't find call dest symbol at %s+0x%x",
					  insn->sec, insn->offset,
					  rela->sym->sec->name,
					  rela->addend + 4);
				return -1;
			}
			continue;
		}

		/* No relocation: PC-relative call within this section. */
		dest_off = insn->offset + insn->len + insn->immediate;
		insn->call_dest = find_symbol_by_offset(insn->sec, dest_off);

		if (!insn->call_dest && !insn->ignore) {
			WARN_FUNC("unsupported intra-function call",
				  insn->sec, insn->offset);
			if (retpoline)
				WARN("If this is a retpoline, please patch it in with alternatives and annotate it with ANNOTATE_NOSPEC_ALTERNATIVE.");
			return -1;
		}
	}

	return 0;
}

/*
 * The .alternatives section requires some extra special care, over and above
 * what other special sections require:
 *
 * 1. Because alternatives are patched in-place, we need to insert a fake jump
 *    instruction at the end so that validate_branch() skips all the original
 *    replaced instructions when validating the new instruction path.
 *
 * 2. An added wrinkle is that the new instruction length might be zero.  In
 *    that case the old instructions are replaced with noops.  We simulate that
 *    by creating a fake jump as the only new instruction.
 *
 * 3. In some cases, the alternative section includes an instruction which
 *    conditionally jumps to the _end_ of the entry.
 *    We have to modify these
 *    jumps' destinations to point back to .text rather than the end of the
 *    entry in .altinstr_replacement.
 *
 * 4. It has been requested that we don't validate the !POPCNT feature path
 *    which is a "very very small percentage of machines".
 */
/*
 * Set up one alternatives group.
 *
 * @orig_insn is the first original instruction; all originals in
 * [orig_off, orig_off+orig_len) are marked ->alt_group (and turned into NOPs
 * when ->skip_orig is set).  A synthetic unconditional jump (offset -1,
 * ->ignore set) back to the instruction after the originals is created when
 * there is one.  For a zero-length replacement that jump *is* the
 * alternative; otherwise *@new_insn stays the first replacement instruction,
 * the replacements inherit @orig_insn->ignore_alts, and jumps that would land
 * on the end of the entry are redirected to the fake jump, which is then
 * linked into the list after the last replacement instruction.
 *
 * Returns 0 on success, -1 after a warning (allocation failure, an empty
 * alternative or a jump to the end of the section with nowhere to return to,
 * an unresolved jump, or no replacement instruction found).
 */
static int handle_group_alt(struct objtool_file *file,
			    struct special_alt *special_alt,
			    struct instruction *orig_insn,
			    struct instruction **new_insn)
{
	struct instruction *last_orig_insn, *last_new_insn, *insn, *fake_jump = NULL;
	unsigned long dest_off;

	last_orig_insn = NULL;
	insn = orig_insn;
	sec_for_each_insn_from(file, insn) {
		if (insn->offset >= special_alt->orig_off + special_alt->orig_len)
			break;

		if (special_alt->skip_orig)
			insn->type = INSN_NOP;

		insn->alt_group = true;
		last_orig_insn = insn;
	}

	/* NOTE(review): last_orig_insn is NULL if the loop above never ran. */
	if (next_insn_same_sec(file, last_orig_insn)) {
		fake_jump = malloc(sizeof(*fake_jump));
		if (!fake_jump) {
			WARN("malloc failed");
			return -1;
		}
		memset(fake_jump, 0, sizeof(*fake_jump));
		INIT_LIST_HEAD(&fake_jump->alts);
		clear_insn_state(&fake_jump->state);

		/* offset -1 marks the instruction as synthetic. */
		fake_jump->sec = special_alt->new_sec;
		fake_jump->offset = -1;
		fake_jump->type = INSN_JUMP_UNCONDITIONAL;
		fake_jump->jump_dest = list_next_entry(last_orig_insn, list);
		fake_jump->ignore = true;
	}

	if (!special_alt->new_len) {
		if (!fake_jump) {
			WARN("%s: empty alternative at end of section",
			     special_alt->orig_sec->name);
			return -1;
		}

		*new_insn = fake_jump;
		return 0;
	}

	last_new_insn = NULL;
	insn = *new_insn;
	sec_for_each_insn_from(file, insn) {
		if (insn->offset >= special_alt->new_off + special_alt->new_len)
			break;

		last_new_insn = insn;

		insn->ignore = orig_insn->ignore_alts;

		if (insn->type != INSN_JUMP_CONDITIONAL &&
		    insn->type != INSN_JUMP_UNCONDITIONAL)
			continue;

		/* Relocation-based jumps were resolved in add_jump_destinations(). */
		if (!insn->immediate)
			continue;

		dest_off = insn->offset + insn->len + insn->immediate;
		if (dest_off == special_alt->new_off + special_alt->new_len) {
			if (!fake_jump) {
				WARN("%s: alternative jump to end of section",
				     special_alt->orig_sec->name);
				return -1;
			}
			insn->jump_dest = fake_jump;
		}

		if (!insn->jump_dest) {
			WARN_FUNC("can't find alternative jump destination",
				  insn->sec, insn->offset);
			return -1;
		}
	}

	if (!last_new_insn) {
		WARN_FUNC("can't find last new alternative instruction",
			  special_alt->new_sec, special_alt->new_off);
		return -1;
	}

	if (fake_jump)
		list_add(&fake_jump->list, &last_new_insn->list);

	return 0;
}

/*
 * A jump table entry can either convert a nop to a jump or a jump to a nop.
 * If the original instruction is a jump, make the alt entry an effective nop
 * by just skipping the original instruction.
 *
 * Returns 0 on success (a NOP original leaves *@new_insn untouched), -1 after
 * a warning when the original is neither a NOP nor an unconditional jump.
 */
static int handle_jump_alt(struct objtool_file *file,
			   struct special_alt *special_alt,
			   struct instruction *orig_insn,
			   struct instruction **new_insn)
{
	if (orig_insn->type == INSN_NOP)
		return 0;

	if (orig_insn->type != INSN_JUMP_UNCONDITIONAL) {
		WARN_FUNC("unsupported instruction at jump label",
			  orig_insn->sec, orig_insn->offset);
		return -1;
	}

	*new_insn = list_next_entry(orig_insn, list);
	return 0;
}

/*
 * Read all the special sections which have alternate instructions which can be
 * patched in or redirected to at runtime.  Each instruction having alternate
 * instruction(s) has them added to its insn->alts list, which will be
 * traversed in validate_branch().
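 *
 * Each entry returned by special_get_alts() is resolved to its original
 * instruction and (unless it is a zero-length group alternative) its new
 * instruction, refined by handle_group_alt()/handle_jump_alt(), and queued as
 * a struct alternative on orig_insn->alts.  Consumed entries are freed as the
 * loop goes; on failure the remaining ones are released before returning.
 *
 * Returns 0 on success, otherwise the error from special_get_alts() or -1
 * after a warning.
 */
static int add_special_section_alts(struct objtool_file *file)
{
	struct list_head special_alts;
	struct instruction *orig_insn, *new_insn;
	struct special_alt *special_alt, *tmp;
	struct alternative *alt;
	int ret;

	ret = special_get_alts(file->elf, &special_alts);
	if (ret)
		return ret;

	list_for_each_entry_safe(special_alt, tmp, &special_alts, list) {

		orig_insn = find_insn(file, special_alt->orig_sec,
				      special_alt->orig_off);
		if (!orig_insn) {
			WARN_FUNC("special: can't find orig instruction",
				  special_alt->orig_sec, special_alt->orig_off);
			ret = -1;
			goto out;
		}

		/* A zero-length group alternative has no new instruction yet. */
		new_insn = NULL;
		if (!special_alt->group || special_alt->new_len) {
			new_insn = find_insn(file, special_alt->new_sec,
					     special_alt->new_off);
			if (!new_insn) {
				WARN_FUNC("special: can't find new instruction",
					  special_alt->new_sec,
					  special_alt->new_off);
				ret = -1;
				goto out;
			}
		}

		if (special_alt->group) {
			ret = handle_group_alt(file, special_alt, orig_insn,
					       &new_insn);
			if (ret)
				goto out;
		} else if (special_alt->jump_or_nop) {
			ret = handle_jump_alt(file, special_alt, orig_insn,
					      &new_insn);
			if (ret)
				goto out;
		}

		alt = malloc(sizeof(*alt));
		if (!alt) {
			WARN("malloc failed");
			ret = -1;
			goto out;
		}

		alt->insn = new_insn;
		list_add_tail(&alt->list, &orig_insn->alts);

		list_del(&special_alt->list);
		free(special_alt);
	}

out:
	/*
	 * On success the loop consumed every entry; on an early exit the
	 * current and remaining entries are still queued, so free them here
	 * instead of leaking them.
	 */
	list_for_each_entry_safe(special_alt, tmp, &special_alts, list) {
		list_del(&special_alt->list);
		free(special_alt);
	}
	return ret;
}

/*
 * Add the entries of one switch jump table as alternatives of @insn.
 *
 * @table is the first relocation of the table in .rodata; the walk continues
 * through the relocation list and stops at @next_table (the start of the next
 * table in the same function, or NULL), at a gap in the 8-byte entry stride,
 * at an entry that points back at the parent function (a function pointer in
 * an adjacent object), at an entry that resolves to no instruction, or at an
 * entry that leaves the function/subfunction.
 *
 * Returns 0 on success, -1 after a warning on allocation failure or when not
 * a single entry was accepted.
 */
static int add_switch_table(struct objtool_file *file, struct instruction *insn,
			    struct rela *table, struct rela *next_table)
{
	struct rela *rela = table;
	struct instruction *alt_insn;
	struct alternative *alt;
	struct symbol *pfunc = insn->func->pfunc;
	unsigned int prev_offset = 0;

	list_for_each_entry_from(rela, &table->rela_sec->rela_list, list) {
		if (rela == next_table)
			break;

		/* Make sure the switch table entries are consecutive: */
		if (prev_offset && rela->offset != prev_offset + 8)
			break;

		/* Detect function pointers from contiguous objects: */
		if (rela->sym->sec == pfunc->sec &&
		    rela->addend == pfunc->offset)
			break;

		alt_insn = find_insn(file, rela->sym->sec, rela->addend);
		if (!alt_insn)
			break;

		/*
		 * Make sure the jmp dest is in the function or subfunction.
		 * An instruction outside any function (->func NULL) cannot be
		 * part of this switch either, so stop there instead of
		 * dereferencing it.
		 */
		if (!alt_insn->func || alt_insn->func->pfunc != pfunc)
			break;

		alt = malloc(sizeof(*alt));
		if (!alt) {
			WARN("malloc failed");
			return -1;
		}

		alt->insn = alt_insn;
		list_add_tail(&alt->list, &insn->alts);
		prev_offset = rela->offset;
	}

	if (!prev_offset) {
		WARN_FUNC("can't find switch jump table",
			  insn->sec, insn->offset);
		return -1;
	}

	return 0;
}

/*
 * find_switch_table() - Given a dynamic jump, find the switch jump table in
 * .rodata associated with it.
 *
 * There are 3 basic patterns:
 *
 * 1. jmpq *[rodata addr](,%reg,8)
 *
 *    This is the most common case by far.  It jumps to an address in a simple
 *    jump table which is stored in .rodata.
 *
 * 2. jmpq *[rodata addr](%rip)
 *
 *    This is caused by a rare GCC quirk, currently only seen in three driver
 *    functions in the kernel, only with certain obscure non-distro configs.
 *
 *    As part of an optimization, GCC makes a copy of an existing switch jump
 *    table, modifies it, and then hard-codes the jump (albeit with an indirect
 *    jump) to use a single entry in the table.  The rest of the jump table and
 *    some of its jump targets remain as dead code.
 *
 *    In such a case we can just crudely ignore all unreachable instruction
 *    warnings for the entire object file.  Ideally we would just ignore them
 *    for the function, but that would require redesigning the code quite a
 *    bit.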
 *    And honestly that's just not worth doing: unreachable instruction
 *    warnings are of questionable value anyway, and this is such a rare issue.
 *
 * 3. mov [rodata addr],%reg1
 *    ... some instructions ...
 *    jmpq *(%reg1,%reg2,8)
 *
 *    This is a fairly uncommon pattern which is new for GCC 6.  As of this
 *    writing, there are 11 occurrences of it in the allmodconfig kernel.
 *
 *    As of GCC 7 there are quite a few more of these and the 'in between' code
 *    is significant.  Esp. with KASAN enabled some of the code between the mov
 *    and jmpq uses .rodata itself, which can confuse things.
 *
 *    TODO: Once we have DWARF CFI and smarter instruction decoding logic,
 *    ensure the same register is used in the mov and jump instructions.
 *
 *    NOTE: RETPOLINE made it harder still to decode dynamic jumps.
 *
 * Walks backwards from @insn (the dynamic jump) within @func looking for an
 * instruction whose relocation points into a .rodata section at an address
 * that is not covered by any symbol and that itself carries a relocation.
 * Returns that .rodata relocation (the first table entry), or NULL when the
 * walk leaves the function, hits another dynamic jump, or crosses an
 * unconditional jump that leaves the [insn, orig_insn] range.
 */
static struct rela *find_switch_table(struct objtool_file *file,
				      struct symbol *func,
				      struct instruction *insn)
{
	struct rela *text_rela, *rodata_rela;
	struct instruction *orig_insn = insn;
	struct section *rodata_sec;
	unsigned long table_offset;

	/*
	 * Backward search using the @first_jump_src links, these help avoid
	 * much of the 'in between' code.  Which avoids us getting confused by
	 * it.
	 */
	for (;
	     &insn->list != &file->insn_list &&
	     insn->sec == func->sec &&
	     insn->offset >= func->offset;

	     /* Prefer the jump that first reached this insn, else the list predecessor. */
	     insn = insn->first_jump_src ?: list_prev_entry(insn, list)) {

		if (insn != orig_insn && insn->type == INSN_JUMP_DYNAMIC)
			break;

		/* allow small jumps within the range */
		if (insn->type == INSN_JUMP_UNCONDITIONAL &&
		    insn->jump_dest &&
		    (insn->jump_dest->offset <= insn->offset ||
		     insn->jump_dest->offset > orig_insn->offset))
			break;

		/* look for a relocation which references .rodata */
		text_rela = find_rela_by_dest_range(insn->sec, insn->offset,
						    insn->len);
		if (!text_rela || text_rela->sym->type != STT_SECTION ||
		    !text_rela->sym->sec->rodata)
			continue;

		table_offset = text_rela->addend;
		rodata_sec = text_rela->sym->sec;

		/* PC-relative addend is taken from the end of the 4-byte field. */
		if (text_rela->type == R_X86_64_PC32)
			table_offset += 4;

		/*
		 * Make sure the .rodata address isn't associated with a
		 * symbol.  gcc jump tables are anonymous data.
		 */
		if (find_symbol_containing(rodata_sec, table_offset))
			continue;

		rodata_rela = find_rela_by_dest(rodata_sec, table_offset);
		if (rodata_rela) {
			/*
			 * Use of RIP-relative switch jumps is quite rare, and
			 * indicates a rare GCC quirk/bug which can leave dead
			 * code behind.
			 */
			if (text_rela->type == R_X86_64_PC32)
				file->ignore_unreachables = true;

			return rodata_rela;
		}
	}

	return NULL;
}


/*
 * Find every switch jump table used by @func and attach its entries as
 * alternatives of the corresponding dynamic jump.
 *
 * Since a table's size is not known when it is found, each table is only added
 * (via add_switch_table()) once the next table in the function, or the end of
 * the function, is reached.  Along the way ->first_jump_src back-pointers are
 * recorded for forward unconditional jumps so find_switch_table() can skip the
 * code in between.  Returns 0 on success or add_switch_table()'s error.
 */
static int add_func_switch_tables(struct objtool_file *file,
				  struct symbol *func)
{
	struct instruction *insn, *last = NULL, *prev_jump = NULL;
	struct rela *rela, *prev_rela = NULL;
	int ret;

	func_for_each_insn_all(file, func, insn) {
		if (!last)
			last = insn;

		/*
		 * Store back-pointers for unconditional forward jumps such
		 * that find_switch_table() can back-track using those and
		 * avoid some potentially confusing code.
		 */
		if (insn->type == INSN_JUMP_UNCONDITIONAL && insn->jump_dest &&
		    insn->offset > last->offset &&
		    insn->jump_dest->offset > insn->offset &&
		    !insn->jump_dest->first_jump_src) {

			insn->jump_dest->first_jump_src = insn;
			last = insn->jump_dest;
		}

		if (insn->type != INSN_JUMP_DYNAMIC)
			continue;

		rela = find_switch_table(file, func, insn);
		if (!rela)
			continue;

		/*
		 * We found a switch table, but we don't know yet how big it
		 * is.  Don't add it until we reach the end of the function or
		 * the beginning of another switch table in the same function.
		 */
		if (prev_jump) {
			ret = add_switch_table(file, prev_jump, prev_rela, rela);
			if (ret)
				return ret;
		}

		prev_jump = insn;
		prev_rela = rela;
	}

	if (prev_jump) {
		ret = add_switch_table(file, prev_jump, prev_rela, NULL);
		if (ret)
			return ret;
	}

	return 0;
}

/*
 * For some switch statements, gcc generates a jump table in the .rodata
 * section which contains a list of addresses within the function to jump to.
 * This finds these jump tables and adds them to the insn->alts lists.
1053 */ 1054 static int add_switch_table_alts(struct objtool_file *file) 1055 { 1056 struct section *sec; 1057 struct symbol *func; 1058 int ret; 1059 1060 if (!file->rodata) 1061 return 0; 1062 1063 for_each_sec(file, sec) { 1064 list_for_each_entry(func, &sec->symbol_list, list) { 1065 if (func->type != STT_FUNC) 1066 continue; 1067 1068 ret = add_func_switch_tables(file, func); 1069 if (ret) 1070 return ret; 1071 } 1072 } 1073 1074 return 0; 1075 } 1076 1077 static int read_unwind_hints(struct objtool_file *file) 1078 { 1079 struct section *sec, *relasec; 1080 struct rela *rela; 1081 struct unwind_hint *hint; 1082 struct instruction *insn; 1083 struct cfi_reg *cfa; 1084 int i; 1085 1086 sec = find_section_by_name(file->elf, ".discard.unwind_hints"); 1087 if (!sec) 1088 return 0; 1089 1090 relasec = sec->rela; 1091 if (!relasec) { 1092 WARN("missing .rela.discard.unwind_hints section"); 1093 return -1; 1094 } 1095 1096 if (sec->len % sizeof(struct unwind_hint)) { 1097 WARN("struct unwind_hint size mismatch"); 1098 return -1; 1099 } 1100 1101 file->hints = true; 1102 1103 for (i = 0; i < sec->len / sizeof(struct unwind_hint); i++) { 1104 hint = (struct unwind_hint *)sec->data->d_buf + i; 1105 1106 rela = find_rela_by_dest(sec, i * sizeof(*hint)); 1107 if (!rela) { 1108 WARN("can't find rela for unwind_hints[%d]", i); 1109 return -1; 1110 } 1111 1112 insn = find_insn(file, rela->sym->sec, rela->addend); 1113 if (!insn) { 1114 WARN("can't find insn for unwind_hints[%d]", i); 1115 return -1; 1116 } 1117 1118 cfa = &insn->state.cfa; 1119 1120 if (hint->type == UNWIND_HINT_TYPE_SAVE) { 1121 insn->save = true; 1122 continue; 1123 1124 } else if (hint->type == UNWIND_HINT_TYPE_RESTORE) { 1125 insn->restore = true; 1126 insn->hint = true; 1127 continue; 1128 } 1129 1130 insn->hint = true; 1131 1132 switch (hint->sp_reg) { 1133 case ORC_REG_UNDEFINED: 1134 cfa->base = CFI_UNDEFINED; 1135 break; 1136 case ORC_REG_SP: 1137 cfa->base = CFI_SP; 1138 break; 1139 case 
ORC_REG_BP: 1140 cfa->base = CFI_BP; 1141 break; 1142 case ORC_REG_SP_INDIRECT: 1143 cfa->base = CFI_SP_INDIRECT; 1144 break; 1145 case ORC_REG_R10: 1146 cfa->base = CFI_R10; 1147 break; 1148 case ORC_REG_R13: 1149 cfa->base = CFI_R13; 1150 break; 1151 case ORC_REG_DI: 1152 cfa->base = CFI_DI; 1153 break; 1154 case ORC_REG_DX: 1155 cfa->base = CFI_DX; 1156 break; 1157 default: 1158 WARN_FUNC("unsupported unwind_hint sp base reg %d", 1159 insn->sec, insn->offset, hint->sp_reg); 1160 return -1; 1161 } 1162 1163 cfa->offset = hint->sp_offset; 1164 insn->state.type = hint->type; 1165 insn->state.end = hint->end; 1166 } 1167 1168 return 0; 1169 } 1170 1171 static int read_retpoline_hints(struct objtool_file *file) 1172 { 1173 struct section *sec; 1174 struct instruction *insn; 1175 struct rela *rela; 1176 1177 sec = find_section_by_name(file->elf, ".rela.discard.retpoline_safe"); 1178 if (!sec) 1179 return 0; 1180 1181 list_for_each_entry(rela, &sec->rela_list, list) { 1182 if (rela->sym->type != STT_SECTION) { 1183 WARN("unexpected relocation symbol type in %s", sec->name); 1184 return -1; 1185 } 1186 1187 insn = find_insn(file, rela->sym->sec, rela->addend); 1188 if (!insn) { 1189 WARN("bad .discard.retpoline_safe entry"); 1190 return -1; 1191 } 1192 1193 if (insn->type != INSN_JUMP_DYNAMIC && 1194 insn->type != INSN_CALL_DYNAMIC) { 1195 WARN_FUNC("retpoline_safe hint not an indirect jump/call", 1196 insn->sec, insn->offset); 1197 return -1; 1198 } 1199 1200 insn->retpoline_safe = true; 1201 } 1202 1203 return 0; 1204 } 1205 1206 static void mark_rodata(struct objtool_file *file) 1207 { 1208 struct section *sec; 1209 bool found = false; 1210 1211 /* 1212 * This searches for the .rodata section or multiple .rodata.func_name 1213 * sections if -fdata-sections is being used. The .str.1.1 and .str.1.8 1214 * rodata sections are ignored as they don't contain jump tables. 
*/
	for_each_sec(file, sec) {
		if (!strncmp(sec->name, ".rodata", 7) &&
		    !strstr(sec->name, ".str1.")) {
			sec->rodata = true;
			found = true;
		}
	}

	file->rodata = found;
}

/*
 * Run the whole decode pipeline over the object file, in dependency order:
 * rodata marking, instruction decoding, dead ends, ignores, nospec ignores,
 * jump and call destinations, special-section and switch-table alternatives,
 * and finally the unwind and retpoline hints.
 *
 * Returns 0 on success, or the first non-zero status from a stage (the
 * remaining stages are not run).  add_ignores() has no status to check.
 */
static int decode_sections(struct objtool_file *file)
{
	int ret;

	mark_rodata(file);

	ret = decode_instructions(file);
	if (ret)
		return ret;

	ret = add_dead_ends(file);
	if (ret)
		return ret;

	add_ignores(file);

	ret = add_nospec_ignores(file);
	if (ret)
		return ret;

	ret = add_jump_destinations(file);
	if (ret)
		return ret;

	ret = add_special_section_alts(file);
	if (ret)
		return ret;

	ret = add_call_destinations(file);
	if (ret)
		return ret;

	ret = add_switch_table_alts(file);
	if (ret)
		return ret;

	ret = read_unwind_hints(file);
	if (ret)
		return ret;

	ret = read_retpoline_hints(file);
	if (ret)
		return ret;

	return 0;
}

/*
 * True when insn is a direct call to the untyped symbol "__fentry__" (the
 * ftrace entry hook), which validate_branch() exempts from the frame pointer
 * check.
 *
 * NOTE(review): dereferences insn->call_dest without a NULL check; relies on
 * add_call_destinations() having resolved it for every INSN_CALL — confirm.
 */
static bool is_fentry_call(struct instruction *insn)
{
	if (insn->type == INSN_CALL &&
	    insn->call_dest->type == STT_NOTYPE &&
	    !strcmp(insn->call_dest->name, "__fentry__"))
		return true;

	return false;
}

/*
 * True when the tracked state differs from the function-entry state in
 * initial_func_cfi: CFA base or offset, stack size, DRAP in use, or any
 * callee-saved register save slot.  Used to reject returns and sibling calls
 * made with a frame still in place.
 */
static bool has_modified_stack_frame(struct insn_state *state)
{
	int i;

	if (state->cfa.base != initial_func_cfi.cfa.base ||
	    state->cfa.offset != initial_func_cfi.cfa.offset ||
	    state->stack_size != initial_func_cfi.cfa.offset ||
	    state->drap)
		return true;

	for (i = 0; i < CFI_NUM_REGS; i++)
		if (state->regs[i].base != initial_func_cfi.regs[i].base ||
		    state->regs[i].offset != initial_func_cfi.regs[i].offset)
			return true;

	return false;
}

/*
 * True when a frame pointer has been set up: either the CFA is rbp-based
 * with the caller's rbp saved at CFA-16 (the "push %rbp; mov %rsp,%rbp"
 * pattern), or DRAP is in use and rbp has been saved relative to itself.
 */
static bool has_valid_stack_frame(struct insn_state *state)
{
	if (state->cfa.base == CFI_BP && state->regs[CFI_BP].base == CFI_CFA &&
state->regs[CFI_BP].offset == -16)
		return true;

	if (state->drap && state->regs[CFI_BP].base == CFI_BP)
		return true;

	return false;
}

/*
 * Reduced stack tracking used while state->type is ORC_TYPE_REGS or
 * ORC_TYPE_REGS_IRET (entry code operating on a pt_regs frame).  Only the
 * CFA offset is maintained, and only while the CFA is rsp-based: push and
 * pop move it by 8, "add $imm, %rsp" moves it by the immediate.  Register
 * save slots and DRAP are not tracked here.
 *
 * Always returns 0.
 */
static int update_insn_state_regs(struct instruction *insn, struct insn_state *state)
{
	struct cfi_reg *cfa = &state->cfa;
	struct stack_op *op = &insn->stack_op;

	if (cfa->base != CFI_SP)
		return 0;

	/* push */
	if (op->dest.type == OP_DEST_PUSH)
		cfa->offset += 8;

	/* pop */
	if (op->src.type == OP_SRC_POP)
		cfa->offset -= 8;

	/* add immediate to sp */
	if (op->dest.type == OP_DEST_REG && op->src.type == OP_SRC_ADD &&
	    op->dest.reg == CFI_SP && op->src.reg == CFI_SP)
		cfa->offset -= op->src.offset;

	return 0;
}

/*
 * Record where a callee-saved register was saved (base register + offset).
 * Only the first save of a register is recorded: a later save of an already
 * saved register is ignored, and caller-saved registers are never tracked.
 */
static void save_reg(struct insn_state *state, unsigned char reg, int base,
		     int offset)
{
	if (arch_callee_saved_reg(reg) &&
	    state->regs[reg].base == CFI_UNDEFINED) {
		state->regs[reg].base = base;
		state->regs[reg].offset = offset;
	}
}

/* Forget the save slot of a register (it has been restored). */
static void restore_reg(struct insn_state *state, unsigned char reg)
{
	state->regs[reg].base = CFI_UNDEFINED;
	state->regs[reg].offset = 0;
}

/*
 * A note about DRAP stack alignment:
 *
 * GCC has the concept of a DRAP register, which is used to help keep track of
 * the stack pointer when aligning the stack.  r10 or r13 is used as the DRAP
 * register.  The typical DRAP pattern is:
 *
 *   4c 8d 54 24 08		lea    0x8(%rsp),%r10
 *   48 83 e4 c0		and    $0xffffffffffffffc0,%rsp
 *   41 ff 72 f8		pushq  -0x8(%r10)
 *   55				push   %rbp
 *   48 89 e5			mov    %rsp,%rbp
 *				(more pushes)
 *   41 52			push   %r10
 *				...
*   41 5a			pop    %r10
 *				(more pops)
 *   5d				pop    %rbp
 *   49 8d 62 f8		lea    -0x8(%r10),%rsp
 *   c3				retq
 *
 * There are some variations in the epilogues, like:
 *
 *   5b				pop    %rbx
 *   41 5a			pop    %r10
 *   41 5c			pop    %r12
 *   41 5d			pop    %r13
 *   41 5e			pop    %r14
 *   c9				leaveq
 *   49 8d 62 f8		lea    -0x8(%r10),%rsp
 *   c3				retq
 *
 * and:
 *
 *   4c 8b 55 e8		mov    -0x18(%rbp),%r10
 *   48 8b 5d e0		mov    -0x20(%rbp),%rbx
 *   4c 8b 65 f0		mov    -0x10(%rbp),%r12
 *   4c 8b 6d f8		mov    -0x8(%rbp),%r13
 *   c9				leaveq
 *   49 8d 62 f8		lea    -0x8(%r10),%rsp
 *   c3				retq
 *
 * Sometimes r13 is used as the DRAP register, in which case it's saved and
 * restored beforehand:
 *
 *   41 55			push   %r13
 *   4c 8d 6c 24 10		lea    0x10(%rsp),%r13
 *   48 83 e4 f0		and    $0xfffffffffffffff0,%rsp
 *				...
 *   49 8d 65 f0		lea    -0x10(%r13),%rsp
 *   41 5d			pop    %r13
 *   c3				retq
 */

/*
 * Apply the stack operation decoded into insn->stack_op to the tracked
 * state: stack_size, the CFA (base register + offset), the save slots of the
 * callee-saved registers, the rbp-as-scratch flag, and the DRAP bookkeeping
 * described above.
 *
 * Returns 0 on success.  Returns -1 after a WARN_FUNC when the CFA is
 * undefined inside a function, or when the operation is one the tracker does
 * not model (unknown stack instruction, unsupported realignment, "leave"
 * with a modified frame, ...).  When state->type is ORC_TYPE_REGS or
 * ORC_TYPE_REGS_IRET only the reduced update_insn_state_regs() runs.
 */
static int update_insn_state(struct instruction *insn, struct insn_state *state)
{
	struct stack_op *op = &insn->stack_op;
	struct cfi_reg *cfa = &state->cfa;
	struct cfi_reg *regs = state->regs;

	/* stack operations don't make sense with an undefined CFA */
	if (cfa->base == CFI_UNDEFINED) {
		if (insn->func) {
			WARN_FUNC("undefined stack state", insn->sec, insn->offset);
			return -1;
		}
		return 0;
	}

	if (state->type == ORC_TYPE_REGS || state->type == ORC_TYPE_REGS_IRET)
		return update_insn_state_regs(insn, state);

	switch (op->dest.type) {

	case OP_DEST_REG:
		switch (op->src.type) {

		case OP_SRC_REG:
			/*
			 * Frame pointer setup is only recognised when rbp was
			 * pushed at exactly the current stack depth, so a
			 * "mov %rsp,%rbp" after further pushes is not taken
			 * as a frame setup.
			 */
			if (op->src.reg == CFI_SP && op->dest.reg == CFI_BP &&
			    cfa->base == CFI_SP &&
			    regs[CFI_BP].base == CFI_CFA &&
			    regs[CFI_BP].offset == -cfa->offset) {

				/* mov %rsp, %rbp */
				cfa->base = op->dest.reg;
				state->bp_scratch = false;
			}

			else if (op->src.reg == CFI_SP &&
				 op->dest.reg ==
CFI_BP && state->drap) {

				/* drap: mov %rsp, %rbp */
				regs[CFI_BP].base = CFI_BP;
				regs[CFI_BP].offset = -state->stack_size;
				state->bp_scratch = false;
			}

			else if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {

				/*
				 * mov %rsp, %reg
				 *
				 * This is needed for the rare case where GCC
				 * does:
				 *
				 *   mov    %rsp, %rax
				 *   ...
				 *   mov    %rax, %rsp
				 *
				 * Remember, in state->vals, that %reg holds a
				 * CFA-relative copy of the stack pointer so the
				 * later "mov %reg, %rsp" can be resolved.
				 */
				state->vals[op->dest.reg].base = CFI_CFA;
				state->vals[op->dest.reg].offset = -state->stack_size;
			}

			else if (op->src.reg == CFI_BP && op->dest.reg == CFI_SP &&
				 cfa->base == CFI_BP) {

				/*
				 * mov %rbp, %rsp
				 *
				 * Restore the original stack pointer (Clang).
				 */
				state->stack_size = -state->regs[CFI_BP].offset;
			}

			else if (op->dest.reg == cfa->base) {

				/* mov %reg, %rsp */
				if (cfa->base == CFI_SP &&
				    state->vals[op->src.reg].base == CFI_CFA) {

					/*
					 * This is needed for the rare case
					 * where GCC does something dumb like:
					 *
					 *   lea    0x8(%rsp), %rcx
					 *   ...
*   mov    %rcx, %rsp
					 */
					cfa->offset = -state->vals[op->src.reg].offset;
					state->stack_size = cfa->offset;

				} else {
					/*
					 * The CFA register was overwritten
					 * from a register with no known
					 * relation to the CFA: the stack
					 * state is lost from here on.
					 */
					cfa->base = CFI_UNDEFINED;
					cfa->offset = 0;
				}
			}

			break;

		case OP_SRC_ADD:
			if (op->dest.reg == CFI_SP && op->src.reg == CFI_SP) {

				/* add imm, %rsp */
				state->stack_size -= op->src.offset;
				if (cfa->base == CFI_SP)
					cfa->offset -= op->src.offset;
				break;
			}

			if (op->dest.reg == CFI_SP && op->src.reg == CFI_BP) {

				/* lea disp(%rbp), %rsp */
				state->stack_size = -(op->src.offset + regs[CFI_BP].offset);
				break;
			}

			if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {

				/*
				 * drap: lea disp(%rsp), %drap
				 *
				 * Any lea from %rsp is provisionally taken as
				 * the DRAP setup; it only becomes a real DRAP
				 * if the following "and" realigns %rsp.
				 */
				state->drap_reg = op->dest.reg;

				/*
				 * lea disp(%rsp), %reg
				 *
				 * This is needed for the rare case where GCC
				 * does something dumb like:
				 *
				 *   lea    0x8(%rsp), %rcx
				 *   ...
				 *   mov    %rcx, %rsp
				 */
				state->vals[op->dest.reg].base = CFI_CFA;
				state->vals[op->dest.reg].offset = \
					-state->stack_size + op->src.offset;

				break;
			}

			if (state->drap && op->dest.reg == CFI_SP &&
			    op->src.reg == state->drap_reg) {

				/* drap: lea disp(%drap), %rsp */
				cfa->base = CFI_SP;
				cfa->offset = state->stack_size = -op->src.offset;
				state->drap_reg = CFI_UNDEFINED;
				state->drap = false;
				break;
			}

			if (op->dest.reg == state->cfa.base) {
				WARN_FUNC("unsupported stack register modification",
					  insn->sec, insn->offset);
				return -1;
			}

			break;

		case OP_SRC_AND:
			/*
			 * Only "and $imm, %rsp" is accepted, and only in one of
			 * the two known realignment shapes: with a DRAP
			 * register while the CFA is still %rsp-based, or
			 * without DRAP once a frame pointer is set up.
			 */
			if (op->dest.reg != CFI_SP ||
			    (state->drap_reg != CFI_UNDEFINED && cfa->base != CFI_SP) ||
			    (state->drap_reg == CFI_UNDEFINED && cfa->base != CFI_BP)) {
				WARN_FUNC("unsupported stack pointer realignment",
					  insn->sec, insn->offset);
				return -1;
			}

			if (state->drap_reg != CFI_UNDEFINED) {
/* drap: and imm, %rsp */
				cfa->base = state->drap_reg;
				cfa->offset = state->stack_size = 0;
				state->drap = true;
			}

			/*
			 * Older versions of GCC (4.8ish) realign the stack
			 * without DRAP, with a frame pointer.
			 */

			break;

		case OP_SRC_POP:
			if (!state->drap && op->dest.type == OP_DEST_REG &&
			    op->dest.reg == cfa->base) {

				/* pop %rbp */
				cfa->base = CFI_SP;
			}

			/*
			 * Popping the DRAP register back while the CFA is
			 * indirect through its save slot (and the pop is at
			 * the depth the slot was pushed at) re-establishes
			 * the DRAP-based CFA.
			 */
			if (state->drap && cfa->base == CFI_BP_INDIRECT &&
			    op->dest.type == OP_DEST_REG &&
			    op->dest.reg == state->drap_reg &&
			    state->drap_offset == -state->stack_size) {

				/* drap: pop %drap */
				cfa->base = state->drap_reg;
				cfa->offset = 0;
				state->drap_offset = -1;

			} else if (regs[op->dest.reg].offset == -state->stack_size) {

				/* pop %reg */
				restore_reg(state, op->dest.reg);
			}

			state->stack_size -= 8;
			if (cfa->base == CFI_SP)
				cfa->offset -= 8;

			break;

		case OP_SRC_REG_INDIRECT:
			if (state->drap && op->src.reg == CFI_BP &&
			    op->src.offset == state->drap_offset) {

				/* drap: mov disp(%rbp), %drap */
				cfa->base = state->drap_reg;
				cfa->offset = 0;
				state->drap_offset = -1;
			}

			if (state->drap && op->src.reg == CFI_BP &&
			    op->src.offset == regs[op->dest.reg].offset) {

				/* drap: mov disp(%rbp), %reg */
				restore_reg(state, op->dest.reg);

			} else if (op->src.reg == cfa->base &&
				   op->src.offset == regs[op->dest.reg].offset + cfa->offset) {

				/* mov disp(%rbp), %reg */
				/* mov disp(%rsp), %reg */
				restore_reg(state, op->dest.reg);
			}

			break;

		default:
			WARN_FUNC("unknown stack-related instruction",
				  insn->sec, insn->offset);
			return -1;
		}

		break;

	case OP_DEST_PUSH:
		state->stack_size += 8;
		if (cfa->base == CFI_SP)
			cfa->offset += 8;

		/* only a pushed register can be a save; "push mem"/"push imm" just grow the stack */
		if (op->src.type != OP_SRC_REG)
break;

		if (state->drap) {
			if (op->src.reg == cfa->base && op->src.reg == state->drap_reg) {

				/* drap: push %drap */
				cfa->base = CFI_BP_INDIRECT;
				cfa->offset = -state->stack_size;

				/* save drap so we know when to restore it */
				state->drap_offset = -state->stack_size;

			} else if (op->src.reg == CFI_BP && cfa->base == state->drap_reg) {

				/* drap: push %rbp */
				state->stack_size = 0;

			} else if (regs[op->src.reg].base == CFI_UNDEFINED) {

				/* drap: push %reg */
				save_reg(state, op->src.reg, CFI_BP, -state->stack_size);
			}

		} else {

			/* push %reg */
			save_reg(state, op->src.reg, CFI_CFA, -state->stack_size);
		}

		/*
		 * detect when asm code uses rbp as a scratch register
		 *
		 * Pushing %rbp from a function whose CFA is not rbp-based is
		 * taken as rbp being clobbered rather than a frame setup; the
		 * flag is cleared again by a recognised "mov %rsp,%rbp" and
		 * reported at the function's return.
		 */
		if (!no_fp && insn->func && op->src.reg == CFI_BP &&
		    cfa->base != CFI_BP)
			state->bp_scratch = true;
		break;

	case OP_DEST_REG_INDIRECT:

		if (state->drap) {
			if (op->src.reg == cfa->base && op->src.reg == state->drap_reg) {

				/* drap: mov %drap, disp(%rbp) */
				cfa->base = CFI_BP_INDIRECT;
				cfa->offset = op->dest.offset;

				/* save drap offset so we know when to restore it */
				state->drap_offset = op->dest.offset;
			}

			else if (regs[op->src.reg].base == CFI_UNDEFINED) {

				/* drap: mov reg, disp(%rbp) */
				save_reg(state, op->src.reg, CFI_BP, op->dest.offset);
			}

		} else if (op->dest.reg == cfa->base) {

			/* mov reg, disp(%rbp) */
			/* mov reg, disp(%rsp) */
			save_reg(state, op->src.reg, CFI_CFA,
				 op->dest.offset - state->cfa.offset);
		}

		break;

	case OP_DEST_LEAVE:
		/*
		 * "leave" is only valid on top of a frame whose CFA is the
		 * frame pointer (or the DRAP register when DRAP is in use).
		 */
		if ((!state->drap && cfa->base != CFI_BP) ||
		    (state->drap && cfa->base != state->drap_reg)) {
			WARN_FUNC("leave instruction with modified stack frame",
				  insn->sec, insn->offset);
			return -1;
		}

		/* leave (mov %rbp, %rsp; pop %rbp) */

state->stack_size = -state->regs[CFI_BP].offset - 8;
		restore_reg(state, CFI_BP);

		if (!state->drap) {
			cfa->base = CFI_SP;
			cfa->offset -= 8;
		}

		break;

	case OP_DEST_MEM:
		/* the only memory-destination stack op modelled is "pop mem" */
		if (op->src.type != OP_SRC_POP) {
			WARN_FUNC("unknown stack-related memory operation",
				  insn->sec, insn->offset);
			return -1;
		}

		/* pop mem */
		state->stack_size -= 8;
		if (cfa->base == CFI_SP)
			cfa->offset -= 8;

		break;

	default:
		WARN_FUNC("unknown stack-related instruction",
			  insn->sec, insn->offset);
		return -1;
	}

	return 0;
}

/*
 * Compare the state recorded at an already-visited instruction with the
 * state arriving along another branch.  The CFA, the register save slots,
 * the ORC type and the DRAP bookkeeping must all agree; the first difference
 * found is reported with WARN_FUNC and makes the function return false.
 *
 * Returns true when the two states match.
 *
 * NOTE(review): the cfa and regs comparisons are memcmp() over structs, so
 * they also compare any padding bytes — fine as long as struct cfi_reg has
 * none; confirm against its definition.
 */
static bool insn_state_match(struct instruction *insn, struct insn_state *state)
{
	struct insn_state *state1 = &insn->state, *state2 = state;
	int i;

	if (memcmp(&state1->cfa, &state2->cfa, sizeof(state1->cfa))) {
		WARN_FUNC("stack state mismatch: cfa1=%d%+d cfa2=%d%+d",
			  insn->sec, insn->offset,
			  state1->cfa.base, state1->cfa.offset,
			  state2->cfa.base, state2->cfa.offset);

	} else if (memcmp(&state1->regs, &state2->regs, sizeof(state1->regs))) {
		/* report only the first register that differs */
		for (i = 0; i < CFI_NUM_REGS; i++) {
			if (!memcmp(&state1->regs[i], &state2->regs[i],
				    sizeof(struct cfi_reg)))
				continue;

			WARN_FUNC("stack state mismatch: reg1[%d]=%d%+d reg2[%d]=%d%+d",
				  insn->sec, insn->offset,
				  i, state1->regs[i].base, state1->regs[i].offset,
				  i, state2->regs[i].base, state2->regs[i].offset);
			break;
		}

	} else if (state1->type != state2->type) {
		WARN_FUNC("stack state mismatch: type1=%d type2=%d",
			  insn->sec, insn->offset, state1->type, state2->type);

	} else if (state1->drap != state2->drap ||
		 (state1->drap && state1->drap_reg != state2->drap_reg) ||
		 (state1->drap && state1->drap_offset != state2->drap_offset)) {
		WARN_FUNC("stack state mismatch: drap1=%d(%d,%d) drap2=%d(%d,%d)",
			  insn->sec, insn->offset,
state1->drap, state1->drap_reg, state1->drap_offset,
			  state2->drap, state2->drap_reg, state2->drap_offset);

	} else
		return true;

	return false;
}

/*
 * Follow the branch starting at the given instruction, and recursively follow
 * any other branches (jumps).  Meanwhile, track the frame pointer state at
 * each instruction and validate all the rules described in
 * tools/objtool/Documentation/stack-validation.txt.
 *
 * @state is taken by value: every recursive call (alternatives, jump
 * targets) works on its own copy, so a branch cannot leak its stack state
 * back into the fall-through path.  Each instruction is visited once; a
 * revisit only checks that the arriving state matches the recorded one
 * (hinted instructions are exempt from that check).
 *
 * Returns 0 when the walk completes cleanly, 1 when a warning was emitted.
 */
static int validate_branch(struct objtool_file *file, struct instruction *first,
			   struct insn_state state)
{
	struct alternative *alt;
	struct instruction *insn, *next_insn;
	struct section *sec;
	struct symbol *func = NULL;
	int ret;

	insn = first;
	sec = insn->sec;

	if (insn->alt_group && list_empty(&insn->alts)) {
		WARN_FUNC("don't know how to handle branch to middle of alternative instruction group",
			  sec, insn->offset);
		return 1;
	}

	while (1) {
		next_insn = next_insn_same_sec(file, insn);

		/*
		 * Only enforced for objects built from C (those have a
		 * .comment section); hand-written asm is allowed to fall
		 * through between symbols.
		 */
		if (file->c_file && func && insn->func && func != insn->func->pfunc) {
			WARN("%s() falls through to next function %s()",
			     func->name, insn->func->name);
			return 1;
		}

		/* func is the parent function; .cold subfunctions map to their parent */
		func = insn->func ?
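insn->func->pfunc : NULL;

		if (func && insn->ignore) {
			WARN_FUNC("BUG: why am I validating an ignored function?",
				  sec, insn->offset);
			return 1;
		}

		/* Already walked: only verify the states agree, don't walk again. */
		if (insn->visited) {
			if (!insn->hint && !insn_state_match(insn, &state))
				return 1;

			return 0;
		}

		if (insn->hint) {
			if (insn->restore) {
				struct instruction *save_insn, *i;

				/*
				 * Walk backwards through the function for the
				 * matching UNWIND_HINT_SAVE and copy its state.
				 * NOTE(review): func_for_each_insn_continue_reverse()
				 * dereferences insn->func; a RESTORE hint outside
				 * any function would need a guard — confirm.
				 */
				i = insn;
				save_insn = NULL;
				func_for_each_insn_continue_reverse(file, insn->func, i) {
					if (i->save) {
						save_insn = i;
						break;
					}
				}

				if (!save_insn) {
					WARN_FUNC("no corresponding CFI save for CFI restore",
						  sec, insn->offset);
					return 1;
				}

				if (!save_insn->visited) {
					/*
					 * Oops, no state to copy yet.
					 * Hopefully we can reach this
					 * instruction from another branch
					 * after the save insn has been
					 * visited.
					 */
					if (insn == first)
						return 0;

					WARN_FUNC("objtool isn't smart enough to handle this CFI save/restore combo",
						  sec, insn->offset);
					return 1;
				}

				insn->state = save_insn->state;
			}

			/* a hint overrides whatever state the branch arrived with */
			state = insn->state;

		} else
			insn->state = state;

		insn->visited = true;

		/* every alternative replacement must validate from the same state */
		if (!insn->ignore_alts) {
			list_for_each_entry(alt, &insn->alts, list) {
				ret = validate_branch(file, alt->insn, state);
				if (ret)
					return 1;
			}
		}

		switch (insn->type) {

		case INSN_RETURN:
			if (func && has_modified_stack_frame(&state)) {
				WARN_FUNC("return with modified stack frame",
					  sec, insn->offset);
				return 1;
			}

			/*
			 * bp_scratch is set by update_insn_state() at a push
			 * inside some function, but the walk may have left
			 * that function by the time the return is reached, so
			 * insn->func can be NULL here; fall back to the
			 * section name rather than dereferencing it.
			 */
			if (state.bp_scratch) {
				WARN("%s uses BP as a scratch register",
				     insn->func ? insn->func->name : sec->name);
				return 1;
			}

			return 0;

		case INSN_CALL:
			if (is_fentry_call(insn))
				break;

			/* a call to a noreturn function ends this path; -1 means dead_end_function() warned */
			ret = dead_end_function(file, insn->call_dest);
			if (ret == 1)
				return 0;
			if (ret == -1)
				return 1;

			/*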
fallthrough */
		case INSN_CALL_DYNAMIC:
			/* with frame pointers enabled, every call from a function needs the frame set up first */
			if (!no_fp && func && !has_valid_stack_frame(&state)) {
				WARN_FUNC("call without frame pointer save/setup",
					  sec, insn->offset);
				return 1;
			}
			break;

		case INSN_JUMP_CONDITIONAL:
		case INSN_JUMP_UNCONDITIONAL:
			/*
			 * A jump inside the same (parent) function, or from
			 * outside any function, is followed; any other jump is
			 * a sibling call and must leave the frame untouched.
			 */
			if (insn->jump_dest &&
			    (!func || !insn->jump_dest->func ||
			     insn->jump_dest->func->pfunc == func)) {
				ret = validate_branch(file, insn->jump_dest,
						      state);
				if (ret)
					return 1;

			} else if (func && has_modified_stack_frame(&state)) {
				WARN_FUNC("sibling call from callable instruction with modified stack frame",
					  sec, insn->offset);
				return 1;
			}

			if (insn->type == INSN_JUMP_UNCONDITIONAL)
				return 0;

			break;

		case INSN_JUMP_DYNAMIC:
			/* an indirect jump with alternatives (e.g. a switch table) is not a sibling call */
			if (func && list_empty(&insn->alts) &&
			    has_modified_stack_frame(&state)) {
				WARN_FUNC("sibling call from callable instruction with modified stack frame",
					  sec, insn->offset);
				return 1;
			}

			return 0;

		case INSN_CONTEXT_SWITCH:
			/* only allowed in a function when an unwind hint follows, which resets the state */
			if (func && (!next_insn || !next_insn->hint)) {
				WARN_FUNC("unsupported instruction in callable function",
					  sec, insn->offset);
				return 1;
			}
			return 0;

		case INSN_STACK:
			if (update_insn_state(insn, &state))
				return 1;

			break;

		default:
			break;
		}

		if (insn->dead_end)
			return 0;

		if (!next_insn) {
			if (state.cfa.base == CFI_UNDEFINED)
				return 0;
			WARN("%s: unexpected end of section", sec->name);
			return 1;
		}

		insn = next_insn;
	}

	return 0;
}

/*
 * Start a validate_branch() walk, with a cleared state, at every hinted
 * instruction that no earlier walk has reached.  Covers code that is not
 * entered through a function symbol (entry code, interrupt paths) and is
 * therefore missed by validate_functions().
 *
 * Returns the number of walks that emitted a warning; 0 when the file has
 * no unwind hints.
 */
static int validate_unwind_hints(struct objtool_file *file)
{
	struct instruction *insn;
	int ret, warnings = 0;
	struct insn_state state;

	if (!file->hints)
		return 0;

	clear_insn_state(&state);

	for_each_insn(file, insn) {
		if (insn->hint && !insn->visited) {
ret = validate_branch(file, insn, state);
			warnings += ret;
		}
	}

	return warnings;
}

/*
 * Spectre v2 check for RETPOLINE builds: every indirect jump or call must
 * either carry an ANNOTATE_RETPOLINE_SAFE hint (insn->retpoline_safe, set by
 * read_retpoline_hints()) or live in the non-module .init.text section.
 * Anything else is reported with WARN_FUNC and counted.
 *
 * Returns the number of unprotected indirect branches found.  The count is
 * only a warning count; see check() for how it affects the exit status.
 */
static int validate_retpoline(struct objtool_file *file)
{
	struct instruction *insn;
	int warnings = 0;

	for_each_insn(file, insn) {
		if (insn->type != INSN_JUMP_DYNAMIC &&
		    insn->type != INSN_CALL_DYNAMIC)
			continue;

		if (insn->retpoline_safe)
			continue;

		/*
		 * .init.text code is run before userspace and thus doesn't
		 * strictly need retpolines, except for modules which are
		 * loaded late, they very much do need retpoline in their
		 * .init.text
		 */
		if (!strcmp(insn->sec->name, ".init.text") && !module)
			continue;

		WARN_FUNC("indirect %s found in RETPOLINE build",
			  insn->sec, insn->offset,
			  insn->type == INSN_JUMP_DYNAMIC ? "jump" : "call");

		warnings++;
	}

	return warnings;
}

/*
 * True when insn is a direct call to the KASAN noreturn handler.
 * NOTE(review): dereferences insn->call_dest unconditionally for INSN_CALL.
 */
static bool is_kasan_insn(struct instruction *insn)
{
	return (insn->type == INSN_CALL &&
		!strcmp(insn->call_dest->name, "__asan_handle_no_return"));
}

/*
 * True when insn is a direct call to the UBSAN unreachable handler.
 * NOTE(review): dereferences insn->call_dest unconditionally for INSN_CALL.
 */
static bool is_ubsan_insn(struct instruction *insn)
{
	return (insn->type == INSN_CALL &&
		!strcmp(insn->call_dest->name,
			"__ubsan_handle_builtin_unreachable"));
}

/*
 * Decide whether an instruction that no validate_branch() walk reached may
 * be left unreported: explicitly ignored instructions and NOPs, code in the
 * .fixup and alternative-replacement sections, and instrumentation paths
 * that end in a KASAN/UBSAN noreturn call within the next few instructions.
 *
 * Returns true when the instruction should be ignored.
 */
static bool ignore_unreachable_insn(struct instruction *insn)
{
	int i;

	if (insn->ignore || insn->type == INSN_NOP)
		return true;

	/*
	 * Ignore any unused exceptions. This can happen when a whitelisted
	 * function has an exception table entry.
	 *
	 * Also ignore alternative replacement instructions. This can happen
	 * when a whitelisted function uses one of the ALTERNATIVE macros.
*/
	if (!strcmp(insn->sec->name, ".fixup") ||
	    !strcmp(insn->sec->name, ".altinstr_replacement") ||
	    !strcmp(insn->sec->name, ".altinstr_aux"))
		return true;

	/*
	 * Check if this (or a subsequent) instruction is related to
	 * CONFIG_UBSAN or CONFIG_KASAN.
	 *
	 * End the search at 5 instructions to avoid going into the weeds.
	 */
	if (!insn->func)
		return false;
	for (i = 0; i < 5; i++) {

		if (is_kasan_insn(insn) || is_ubsan_insn(insn))
			return true;

		/* follow an intra-function jump, stop at any other jump */
		if (insn->type == INSN_JUMP_UNCONDITIONAL) {
			if (insn->jump_dest &&
			    insn->jump_dest->func == insn->func) {
				insn = insn->jump_dest;
				continue;
			}

			break;
		}

		/* never step past the end of the function */
		if (insn->offset + insn->len >= insn->func->offset + insn->func->len)
			break;

		insn = list_next_entry(insn, list);
	}

	return false;
}

/*
 * Walk every parent function (STT_FUNC symbols whose pfunc is themselves;
 * .cold subfunctions are reached from their parent) with the architecture's
 * function-entry stack state, skipping functions whose first instruction is
 * ignored (whitelisted).
 *
 * Returns the number of functions whose walk emitted a warning.
 */
static int validate_functions(struct objtool_file *file)
{
	struct section *sec;
	struct symbol *func;
	struct instruction *insn;
	struct insn_state state;
	int ret, warnings = 0;

	clear_insn_state(&state);

	/* start from the ABI-defined state at function entry (see arch_initial_func_cfi_state()) */
	state.cfa = initial_func_cfi.cfa;
	memcpy(&state.regs, &initial_func_cfi.regs,
	       CFI_NUM_REGS * sizeof(struct cfi_reg));
	state.stack_size = initial_func_cfi.cfa.offset;

	for_each_sec(file, sec) {
		list_for_each_entry(func, &sec->symbol_list, list) {
			if (func->type != STT_FUNC || func->pfunc != func)
				continue;

			insn = find_insn(file, sec, func->offset);
			if (!insn || insn->ignore)
				continue;

			ret = validate_branch(file, insn, state);
			warnings += ret;
		}
	}

	return warnings;
}

/*
 * Report the first instruction that no walk visited and that
 * ignore_unreachable_insn() does not excuse.  Skipped entirely when
 * file->ignore_unreachables is set.
 *
 * Returns 1 after reporting one instruction (the scan stops there), else 0.
 */
static int validate_reachable_instructions(struct objtool_file *file)
{
	struct instruction *insn;

	if (file->ignore_unreachables)
		return 0;

	for_each_insn(file, insn) {
		if (insn->visited ||
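ignore_unreachable_insn(insn))
			continue;

		WARN_FUNC("unreachable instruction", insn->sec, insn->offset);
		return 1;
	}

	return 0;
}

/*
 * Release everything decode_sections() built: every alternative hanging off
 * every instruction, the instructions themselves (unlinked from both the
 * list and the hash), and finally the ELF handle.
 */
static void cleanup(struct objtool_file *file)
{
	struct instruction *insn, *tmpinsn;
	struct alternative *alt, *tmpalt;

	list_for_each_entry_safe(insn, tmpinsn, &file->insn_list, list) {
		list_for_each_entry_safe(alt, tmpalt, &insn->alts, list) {
			list_del(&alt->list);
			free(alt);
		}
		list_del(&insn->list);
		hash_del(&insn->hash);
		free(insn);
	}
	elf_close(file->elf);
}

/* single file-scope instance: check() is not reentrant */
static struct objtool_file file;

/*
 * Entry point: decode and validate one object file, and when @orc is set
 * also generate and write its ORC unwind tables (the file is then opened
 * read-write).
 *
 * Every validation stage's non-negative result is accumulated into
 * @warnings; a negative result aborts the run.  All exits after elf_open()
 * succeeds go through the "out" label so cleanup() always runs.
 *
 * Returns 1 when the object cannot be opened; otherwise 0 (see the note at
 * the end of the function about warnings not affecting the exit status).
 */
int check(const char *_objname, bool orc)
{
	int ret, warnings = 0;

	objname = _objname;

	file.elf = elf_open(objname, orc ? O_RDWR : O_RDONLY);
	if (!file.elf)
		return 1;

	INIT_LIST_HEAD(&file.insn_list);
	hash_init(file.insn_hash);
	file.whitelist = find_section_by_name(file.elf, ".discard.func_stack_frame_non_standard");
	/* a .comment section marks a compiler-generated object (stricter checks apply) */
	file.c_file = find_section_by_name(file.elf, ".comment");
	file.ignore_unreachables = no_unreachable;
	file.hints = false;

	arch_initial_func_cfi_state(&initial_func_cfi);

	ret = decode_sections(&file);
	if (ret < 0)
		goto out;
	warnings += ret;

	if (list_empty(&file.insn_list))
		goto out;

	if (retpoline) {
		ret = validate_retpoline(&file);
		/*
		 * Same error path as every other stage: a bare "return ret"
		 * here would skip cleanup() and leak the ELF handle.
		 */
		if (ret < 0)
			goto out;
		warnings += ret;
	}

	ret = validate_functions(&file);
	if (ret < 0)
		goto out;
	warnings += ret;

	ret = validate_unwind_hints(&file);
	if (ret < 0)
		goto out;
	warnings += ret;

	/* reachability is only meaningful when every walk completed without warnings */
	if (!warnings) {
		ret = validate_reachable_instructions(&file);
		if (ret < 0)
			goto out;
		warnings += ret;
	}

	if (orc) {
		ret = create_orc(&file);
		if (ret < 0)
			goto out;

		ret = create_orc_sections(&file);
		if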
(ret < 0)
			goto out;

		ret = elf_write(file.elf);
		if (ret < 0)
			goto out;
	}

out:
	cleanup(&file);

	/*
	 * ignore warnings for now until we get all the code cleaned up
	 *
	 * Both branches return 0, so neither a stage error nor any warning
	 * (including the retpoline ones) fails the build; objtool output in
	 * the build log is the only signal and must be read as such.
	 */
	if (ret || warnings)
		return 0;
	return 0;
}