1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (C) 2015-2017 Josh Poimboeuf <jpoimboe@redhat.com>
4  */
5 
6 #include <string.h>
7 #include <stdlib.h>
8 
9 #include "builtin.h"
10 #include "check.h"
11 #include "elf.h"
12 #include "special.h"
13 #include "arch.h"
14 #include "warn.h"
15 
16 #include <linux/hashtable.h>
17 #include <linux/kernel.h>
18 
/*
 * Offset stored in the synthetic jump that handle_group_alt() appends to an
 * alternatives group.  It is assigned to an unsigned long, so it reads back
 * as ULONG_MAX; add_jump_destinations() uses it to skip that instruction.
 */
#define FAKE_JUMP_OFFSET -1

/* Section holding compiler-generated C jump tables. */
#define C_JUMP_TABLE_SECTION ".rodata..c_jump_table"

/*
 * One alternate code path hanging off an original instruction (insn->alts).
 * @insn is the first instruction of the alternate path (may be NULL for a
 * jump label that turns into a nop); @skip_orig is copied from the special
 * section entry that produced this alternative.
 */
struct alternative {
	struct list_head list;
	struct instruction *insn;
	bool skip_orig;
};

/* Name of the object file currently being checked. */
const char *objname;
/* CFI state assumed at function entry; filled in outside this file. */
struct cfi_init_state initial_func_cfi;
31 
/*
 * Look up the decoded instruction located at @offset within @sec.
 *
 * Instructions live in file->insn_hash keyed by (section, offset), so only
 * the matching bucket is scanned.  Returns NULL when nothing was decoded at
 * that location.
 */
struct instruction *find_insn(struct objtool_file *file,
			      struct section *sec, unsigned long offset)
{
	struct instruction *candidate, *match = NULL;

	hash_for_each_possible(file->insn_hash, candidate, hash, sec_offset_hash(sec, offset)) {
		if (candidate->sec != sec || candidate->offset != offset)
			continue;

		match = candidate;
		break;
	}

	return match;
}
44 
/*
 * Return the instruction that follows @insn in the global list, or NULL when
 * @insn is the last one or its successor belongs to another section.
 */
static struct instruction *next_insn_same_sec(struct objtool_file *file,
					      struct instruction *insn)
{
	struct instruction *succ = list_next_entry(insn, list);

	if (!succ)
		return NULL;

	/* Wrapped around to the list head: nothing follows. */
	if (&succ->list == &file->insn_list)
		return NULL;

	if (succ->sec != insn->sec)
		return NULL;

	return succ;
}
55 
/*
 * Step to the next instruction belonging to the same function as @insn.
 *
 * When the function's own body is exhausted, continue at the start of its
 * cold subfunction (func->cfunc).  Once already inside the subfunction there
 * is nowhere further to go.  Returns NULL for an instruction without a
 * function or when the function has been fully walked.
 */
static struct instruction *next_insn_same_func(struct objtool_file *file,
					       struct instruction *insn)
{
	struct symbol *owner = insn->func;
	struct instruction *succ;

	if (!owner)
		return NULL;

	succ = list_next_entry(insn, list);
	if (&succ->list != &file->insn_list && succ->func == owner)
		return succ;

	/* Already inside the subfunction: the function is exhausted. */
	if (owner->cfunc == owner)
		return NULL;

	/* Hop over to the first instruction of the subfunction. */
	return find_insn(file, owner->cfunc->sec, owner->cfunc->offset);
}
75 
/*
 * Iterate over every instruction of @func, following into its cold
 * subfunction via next_insn_same_func().
 */
#define func_for_each_insn(file, func, insn)				\
	for (insn = find_insn(file, func->sec, func->offset);		\
	     insn;							\
	     insn = next_insn_same_func(file, insn))

/*
 * Iterate over the instructions covered by symbol @sym's [offset, offset+len)
 * range in its section, without following subfunction links.
 */
#define sym_for_each_insn(file, sym, insn)				\
	for (insn = find_insn(file, sym->sec, sym->offset);		\
	     insn && &insn->list != &file->insn_list &&			\
		insn->sec == sym->sec &&				\
		insn->offset < sym->offset + sym->len;			\
	     insn = list_next_entry(insn, list))

/*
 * Walk backwards from the instruction before @insn while still inside @sym
 * (same section, offset not below the symbol start).
 */
#define sym_for_each_insn_continue_reverse(file, sym, insn)		\
	for (insn = list_prev_entry(insn, list);			\
	     &insn->list != &file->insn_list &&				\
		insn->sec == sym->sec && insn->offset >= sym->offset;	\
	     insn = list_prev_entry(insn, list))

/* Iterate from @insn (inclusive) to the end of its section. */
#define sec_for_each_insn_from(file, insn)				\
	for (; insn; insn = next_insn_same_sec(file, insn))

/* Iterate from the instruction after @insn to the end of its section. */
#define sec_for_each_insn_continue(file, insn)				\
	for (insn = next_insn_same_sec(file, insn); insn;		\
	     insn = next_insn_same_sec(file, insn))
100 
/* True for direct jumps, conditional or not (indirect jumps excluded). */
static bool is_static_jump(struct instruction *insn)
{
	switch (insn->type) {
	case INSN_JUMP_CONDITIONAL:
	case INSN_JUMP_UNCONDITIONAL:
		return true;
	default:
		return false;
	}
}
106 
/*
 * Decide whether @insn is a tail ("sibling") call rather than an ordinary
 * jump.
 */
static bool is_sibling_call(struct instruction *insn)
{
	/*
	 * An indirect jump with no alternatives attached is a sibling call;
	 * one with alternatives is a jump-table dispatch instead.
	 */
	if (insn->type == INSN_JUMP_DYNAMIC)
		return list_empty(&insn->alts);

	/*
	 * For direct jumps, add_jump_destinations() records a call_dest only
	 * when the jump is really a sibling call.
	 */
	return is_static_jump(insn) && insn->call_dest != NULL;
}
119 
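/*
 * This checks to see if the given function is a "noreturn" function.
 *
 * For global functions which are outside the scope of this object file, we
 * have to keep a manual list of them.
 *
 * For local functions, we have to detect them manually by simply looking for
 * the lack of a return instruction.
 *
 * @recursion counts how many sibling-call hops led here; it is capped so that
 * two functions tail-calling each other cannot recurse forever.  Returns true
 * only when @func is shown never to return.
 */
static bool __dead_end_function(struct objtool_file *file, struct symbol *func,
				int recursion)
{
	/* Sibling-call depth at which mutual recursion is assumed. */
	enum { MAX_SIBLING_CALL_DEPTH = 5 };
	int i;
	struct instruction *insn;
	bool empty = true;

	/*
	 * Unfortunately these have to be hard coded because the noreturn
	 * attribute isn't provided in ELF data.
	 */
	static const char * const global_noreturns[] = {
		"__stack_chk_fail",
		"panic",
		"do_exit",
		"do_task_dead",
		"__module_put_and_exit",
		"complete_and_exit",
		"__reiserfs_panic",
		"lbug_with_loc",
		"fortify_panic",
		"usercopy_abort",
		"machine_real_restart",
		"rewind_stack_do_exit",
		"kunit_try_catch_throw",
	};

	if (!func)
		return false;

	/* A weak symbol may be overridden at link time, so never trust it. */
	if (func->bind == STB_WEAK)
		return false;

	if (func->bind == STB_GLOBAL) {
		for (i = 0; i < ARRAY_SIZE(global_noreturns); i++) {
			if (!strcmp(func->name, global_noreturns[i]))
				return true;
		}
	}

	if (!func->len)
		return false;

	/*
	 * find_insn() returns NULL when nothing was decoded at the function's
	 * start (for instance a symbol in a non-executable section); treat
	 * that as "returns" instead of dereferencing the NULL pointer.
	 */
	insn = find_insn(file, func->sec, func->offset);
	if (!insn || !insn->func)
		return false;

	/* Any explicit return means the function is not a dead end. */
	func_for_each_insn(file, func, insn) {
		empty = false;

		if (insn->type == INSN_RETURN)
			return false;
	}

	if (empty)
		return false;

	/*
	 * A function can have a sibling call instead of a return.  In that
	 * case, the function's dead-end status depends on whether the target
	 * of the sibling call returns.
	 */
	func_for_each_insn(file, func, insn) {
		struct instruction *dest;

		if (!is_sibling_call(insn))
			continue;

		dest = insn->jump_dest;
		if (!dest)
			/* sibling call to another file */
			return false;

		/* local sibling call */
		if (recursion >= MAX_SIBLING_CALL_DEPTH) {
			/*
			 * Infinite recursion: two functions have
			 * sibling calls to each other.  This is a very
			 * rare case.  It means they aren't dead ends.
			 */
			return false;
		}

		return __dead_end_function(file, dest->func, recursion + 1);
	}

	return true;
}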
213 
/*
 * Entry point for the noreturn check: start __dead_end_function() at
 * sibling-call depth zero.
 */
static bool dead_end_function(struct objtool_file *file, struct symbol *func)
{
	const int initial_depth = 0;

	return __dead_end_function(file, func, initial_depth);
}
218 
/*
 * Reset a CFI state: every register slot, the CFA and the DRAP register are
 * marked undefined and the DRAP offset is cleared to -1.
 */
static void init_cfi_state(struct cfi_state *cfi)
{
	int reg;

	cfi->cfa.base = CFI_UNDEFINED;
	cfi->drap_reg = CFI_UNDEFINED;
	cfi->drap_offset = -1;

	for (reg = 0; reg < CFI_NUM_REGS; reg++) {
		cfi->regs[reg].base = CFI_UNDEFINED;
		cfi->vals[reg].base = CFI_UNDEFINED;
	}
}
231 
/*
 * Zero an instruction state, reset its CFI, and inherit the noinstr flag of
 * @sec when that information is trustworthy.
 */
static void init_insn_state(struct insn_state *state, struct section *sec)
{
	memset(state, 0, sizeof(*state));
	init_cfi_state(&state->cfi);

	/*
	 * We need the full vmlinux for noinstr validation, otherwise we can
	 * not correctly determine insn->call_dest->sec (external symbols do
	 * not have a section).
	 */
	if (!vmlinux || !sec)
		return;

	state->noinstr = sec->noinstr;
}
245 
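/*
 * Call the arch-specific instruction decoder for all the instructions and add
 * them to the global instruction list.
 *
 * Along the way each executable section is classified (sec->text,
 * sec->noinstr) and every instruction is linked to the canonical STT_FUNC
 * symbol covering it (insn->func).  Returns 0 on success, -1 on allocation
 * or symbol problems, or the decoder's own error code.
 */
static int decode_instructions(struct objtool_file *file)
{
	/* Executable sections with this prefix are not treated as .text. */
	static const char discard_prefix[] = ".discard.";
	struct section *sec;
	struct symbol *func;
	unsigned long offset;
	struct instruction *insn;
	unsigned long nr_insns = 0;
	int ret;

	for_each_sec(file, sec) {

		if (!(sec->sh.sh_flags & SHF_EXECINSTR))
			continue;

		if (strcmp(sec->name, ".altinstr_replacement") &&
		    strcmp(sec->name, ".altinstr_aux") &&
		    strncmp(sec->name, discard_prefix, sizeof(discard_prefix) - 1))
			sec->text = true;

		/* Flag read back by init_insn_state() for noinstr validation. */
		if (!strcmp(sec->name, ".noinstr.text") ||
		    !strcmp(sec->name, ".entry.text"))
			sec->noinstr = true;

		/* Advance by the length the decoder reports for each instruction. */
		for (offset = 0; offset < sec->len; offset += insn->len) {
			/* calloc() zero-fills, replacing malloc()+memset(). */
			insn = calloc(1, sizeof(*insn));
			if (!insn) {
				WARN("malloc failed");
				return -1;
			}
			INIT_LIST_HEAD(&insn->alts);
			INIT_LIST_HEAD(&insn->stack_ops);
			init_cfi_state(&insn->cfi);

			insn->sec = sec;
			insn->offset = offset;

			ret = arch_decode_instruction(file->elf, sec, offset,
						      sec->len - offset,
						      &insn->len, &insn->type,
						      &insn->immediate,
						      &insn->stack_ops);
			if (ret)
				goto err;

			hash_add(file->insn_hash, &insn->hash, sec_offset_hash(sec, insn->offset));
			list_add_tail(&insn->list, &file->insn_list);
			nr_insns++;
		}

		/* Attach the instructions of each function symbol to it. */
		list_for_each_entry(func, &sec->symbol_list, list) {
			/* Only canonical (non-alias) function symbols own code. */
			if (func->type != STT_FUNC || func->alias != func)
				continue;

			if (!find_insn(file, sec, func->offset)) {
				WARN("%s(): can't find starting instruction",
				     func->name);
				return -1;
			}

			sym_for_each_insn(file, func, insn)
				insn->func = func;
		}
	}

	if (stats)
		printf("nr_insns: %lu\n", nr_insns);

	return 0;

err:
	/* The failed instruction was never linked in, so just drop it. */
	free(insn);
	return ret;
}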
324 
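/*
 * Resolve a .discard.{un,}reachable relocation to the instruction it
 * annotates: the one immediately before the relocation target, or the last
 * instruction of the target section when the annotation sits at the section
 * end.  @what names the annotation kind for the warning.  Returns NULL after
 * warning when no such instruction exists.
 *
 * NOTE(review): when the target is the very first instruction in the file,
 * list_prev_entry() yields the list head rather than an instruction; this
 * mirrors the original behaviour and is not guarded here.
 */
static struct instruction *find_annotated_insn(struct objtool_file *file,
					       struct rela *rela,
					       const char *what)
{
	struct instruction *insn;

	insn = find_insn(file, rela->sym->sec, rela->addend);
	if (insn)
		return list_prev_entry(insn, list);

	/* Annotation at the end of the section: use its last instruction. */
	if (rela->addend == rela->sym->sec->len) {
		list_for_each_entry_reverse(insn, &file->insn_list, list) {
			if (insn->sec == rela->sym->sec)
				return insn;
		}
	}

	WARN("can't find %s insn at %s+0x%x", what,
	     rela->sym->sec->name, rela->addend);
	return NULL;
}

/*
 * Apply every annotation in the relocation section @sec_name, setting
 * insn->dead_end to @dead_end on the annotated instruction.  A missing
 * section is not an error.  Returns 0 on success, -1 after a warning.
 */
static int mark_annotated_insns(struct objtool_file *file, const char *sec_name,
				const char *what, bool dead_end)
{
	struct section *sec;
	struct rela *rela;
	struct instruction *insn;

	sec = find_section_by_name(file->elf, sec_name);
	if (!sec)
		return 0;

	list_for_each_entry(rela, &sec->rela_list, list) {
		if (rela->sym->type != STT_SECTION) {
			WARN("unexpected relocation symbol type in %s", sec->name);
			return -1;
		}

		insn = find_annotated_insn(file, rela, what);
		if (!insn)
			return -1;

		insn->dead_end = dead_end;
	}

	return 0;
}

/*
 * Mark "ud2" instructions and manually annotated dead ends.
 *
 * Returns 0 on success, -1 if an annotation cannot be resolved.
 */
static int add_dead_ends(struct objtool_file *file)
{
	struct instruction *insn;
	int ret;

	/*
	 * By default, "ud2" is a dead end unless otherwise annotated, because
	 * GCC 7 inserts it for certain divide-by-zero cases.
	 */
	for_each_insn(file, insn)
		if (insn->type == INSN_BUG)
			insn->dead_end = true;

	/*
	 * Check for manually annotated dead ends.
	 */
	ret = mark_annotated_insns(file, ".rela.discard.unreachable",
				   "unreachable", true);
	if (ret)
		return ret;

	/*
	 * These manually annotated reachable checks are needed for GCC 4.4,
	 * where the Linux unreachable() macro isn't supported.  In that case
	 * GCC doesn't know the "ud2" is fatal, so it generates code as if it's
	 * not a dead end.
	 */
	return mark_annotated_insns(file, ".rela.discard.reachable",
				    "reachable", false);
}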
425 
/*
 * Warnings shouldn't be reported for ignored functions.
 *
 * Each relocation in .rela.discard.func_stack_frame_non_standard names a
 * function, either directly (STT_FUNC) or as section+offset (STT_SECTION);
 * every instruction of that function gets insn->ignore set.
 */
static void add_ignores(struct objtool_file *file)
{
	struct section *sec;
	struct rela *rela;

	sec = find_section_by_name(file->elf, ".rela.discard.func_stack_frame_non_standard");
	if (!sec)
		return;

	list_for_each_entry(rela, &sec->rela_list, list) {
		struct symbol *target = NULL;
		struct instruction *insn;

		if (rela->sym->type == STT_FUNC)
			target = rela->sym;
		else if (rela->sym->type == STT_SECTION)
			target = find_func_by_offset(rela->sym->sec, rela->addend);
		else
			WARN("unexpected relocation symbol type in %s: %d", sec->name, rela->sym->type);

		/* Unknown symbol type, or no function at that offset. */
		if (!target)
			continue;

		func_for_each_insn(file, target, insn)
			insn->ignore = true;
	}
}
461 
/*
 * This is a whitelist of functions that is allowed to be called with AC set.
 * The list is meant to be minimal and only contains compiler instrumentation
 * ABI and a few functions used to implement *_{to,from}_user() functions.
 *
 * These functions must not directly change AC, but may PUSHF/POPF.
 *
 * NULL-terminated; consumed by add_uaccess_safe(), which sets
 * symbol->uaccess_safe on each name found in the object.
 */
static const char *uaccess_safe_builtin[] = {
	/* KASAN */
	"kasan_report",
	"check_memory_region",
	/* KASAN out-of-line */
	"__asan_loadN_noabort",
	"__asan_load1_noabort",
	"__asan_load2_noabort",
	"__asan_load4_noabort",
	"__asan_load8_noabort",
	"__asan_load16_noabort",
	"__asan_storeN_noabort",
	"__asan_store1_noabort",
	"__asan_store2_noabort",
	"__asan_store4_noabort",
	"__asan_store8_noabort",
	"__asan_store16_noabort",
	/* KASAN in-line */
	"__asan_report_load_n_noabort",
	"__asan_report_load1_noabort",
	"__asan_report_load2_noabort",
	"__asan_report_load4_noabort",
	"__asan_report_load8_noabort",
	"__asan_report_load16_noabort",
	"__asan_report_store_n_noabort",
	"__asan_report_store1_noabort",
	"__asan_report_store2_noabort",
	"__asan_report_store4_noabort",
	"__asan_report_store8_noabort",
	"__asan_report_store16_noabort",
	/* KCOV */
	"write_comp_data",
	"__sanitizer_cov_trace_pc",
	"__sanitizer_cov_trace_const_cmp1",
	"__sanitizer_cov_trace_const_cmp2",
	"__sanitizer_cov_trace_const_cmp4",
	"__sanitizer_cov_trace_const_cmp8",
	"__sanitizer_cov_trace_cmp1",
	"__sanitizer_cov_trace_cmp2",
	"__sanitizer_cov_trace_cmp4",
	"__sanitizer_cov_trace_cmp8",
	"__sanitizer_cov_trace_switch",
	/* UBSAN */
	"ubsan_type_mismatch_common",
	"__ubsan_handle_type_mismatch",
	"__ubsan_handle_type_mismatch_v1",
	"__ubsan_handle_shift_out_of_bounds",
	/* misc */
	"csum_partial_copy_generic",
	"__memcpy_mcsafe",
	"mcsafe_handle_tail",
	"ftrace_likely_update", /* CONFIG_TRACE_BRANCH_PROFILING */
	NULL	/* terminator */
};
523 
/*
 * Flag every symbol named in uaccess_safe_builtin[] that exists in this
 * object as safe to call with AC set.  A no-op unless uaccess checking is
 * enabled; names absent from the object are simply skipped.
 */
static void add_uaccess_safe(struct objtool_file *file)
{
	const char **entry = uaccess_safe_builtin;

	if (!uaccess)
		return;

	while (*entry) {
		struct symbol *sym = find_symbol_by_name(file->elf, *entry);

		if (sym)
			sym->uaccess_safe = true;

		entry++;
	}
}
540 
/*
 * FIXME: For now, just ignore any alternatives which add retpolines.  This is
 * a temporary hack, as it doesn't allow ORC to unwind from inside a retpoline.
 * But it at least allows objtool to understand the control flow *around* the
 * retpoline.
 *
 * Each .rela.discard.ignore_alts entry is a section-relative relocation
 * pointing at an instruction whose alternatives should be ignored.  Returns
 * 0 on success (including when the section is absent), -1 after a warning.
 */
static int add_ignore_alternatives(struct objtool_file *file)
{
	struct section *sec = find_section_by_name(file->elf, ".rela.discard.ignore_alts");
	struct rela *rela;

	if (!sec)
		return 0;

	list_for_each_entry(rela, &sec->rela_list, list) {
		struct instruction *target;

		if (rela->sym->type != STT_SECTION) {
			WARN("unexpected relocation symbol type in %s", sec->name);
			return -1;
		}

		target = find_insn(file, rela->sym->sec, rela->addend);
		if (!target) {
			WARN("bad .discard.ignore_alts entry");
			return -1;
		}

		target->ignore_alts = true;
	}

	return 0;
}
574 
/*
 * Find the destination instructions for all jumps.
 *
 * For each direct jump (see is_static_jump()) the target is taken either from
 * the instruction itself (no relocation) or from the relocation covering the
 * jump's bytes, and insn->jump_dest is pointed at the decoded instruction
 * there.  Jumps whose relocation names an "_indirect_thunk_" symbol are
 * re-typed as dynamic jumps; jumps to symbols with section index 0 (not
 * defined in this object) are recorded as external sibling calls through
 * insn->call_dest.  Cross-function jumps additionally establish the
 * parent/cold-subfunction links or mark an internal sibling call.
 *
 * Returns 0 on success, -1 after warning about an unresolvable jump.
 */
static int add_jump_destinations(struct objtool_file *file)
{
	struct instruction *insn;
	struct rela *rela;
	struct section *dest_sec;
	unsigned long dest_off;

	for_each_insn(file, insn) {
		if (!is_static_jump(insn))
			continue;

		/*
		 * Ignored instructions need no destination, and the synthetic
		 * jump appended by handle_group_alt() (FAKE_JUMP_OFFSET) was
		 * given its jump_dest when it was created.
		 */
		if (insn->ignore || insn->offset == FAKE_JUMP_OFFSET)
			continue;

		rela = find_rela_by_dest_range(file->elf, insn->sec,
					       insn->offset, insn->len);
		if (!rela) {
			/* No relocation: the target comes from the instruction. */
			dest_sec = insn->sec;
			dest_off = arch_jump_destination(insn);
		} else if (rela->sym->type == STT_SECTION) {
			/* Section-relative relocation: the addend locates the target. */
			dest_sec = rela->sym->sec;
			dest_off = arch_dest_rela_offset(rela->addend);
		} else if (rela->sym->sec->idx) {
			/* Symbol defined in this object: offset from its value. */
			dest_sec = rela->sym->sec;
			dest_off = rela->sym->sym.st_value +
				   arch_dest_rela_offset(rela->addend);
		} else if (strstr(rela->sym->name, "_indirect_thunk_")) {
			/*
			 * Retpoline jumps are really dynamic jumps in
			 * disguise, so convert them accordingly.
			 */
			if (insn->type == INSN_JUMP_UNCONDITIONAL)
				insn->type = INSN_JUMP_DYNAMIC;
			else
				insn->type = INSN_JUMP_DYNAMIC_CONDITIONAL;

			insn->retpoline_safe = true;
			continue;
		} else {
			/* external sibling call */
			insn->call_dest = rela->sym;
			continue;
		}

		insn->jump_dest = find_insn(file, dest_sec, dest_off);
		if (!insn->jump_dest) {

			/*
			 * This is a special case where an alt instruction
			 * jumps past the end of the section.  These are
			 * handled later in handle_group_alt().
			 */
			if (!strcmp(insn->sec->name, ".altinstr_replacement"))
				continue;

			WARN_FUNC("can't find jump dest instruction at %s+0x%lx",
				  insn->sec, insn->offset, dest_sec->name,
				  dest_off);
			return -1;
		}

		/*
		 * Cross-function jump.
		 */
		if (insn->func && insn->jump_dest->func &&
		    insn->func != insn->jump_dest->func) {

			/*
			 * For GCC 8+, create parent/child links for any cold
			 * subfunctions.  This is _mostly_ redundant with a
			 * similar initialization in read_symbols().
			 *
			 * If a function has aliases, we want the *first* such
			 * function in the symbol table to be the subfunction's
			 * parent.  In that case we overwrite the
			 * initialization done in read_symbols().
			 *
			 * However this code can't completely replace the
			 * read_symbols() code because this doesn't detect the
			 * case where the parent function's only reference to a
			 * subfunction is through a jump table.
			 */
			if (!strstr(insn->func->name, ".cold.") &&
			    strstr(insn->jump_dest->func->name, ".cold.")) {
				insn->func->cfunc = insn->jump_dest->func;
				insn->jump_dest->func->pfunc = insn->func;

			} else if (insn->jump_dest->func->pfunc != insn->func->pfunc &&
				   insn->jump_dest->offset == insn->jump_dest->func->offset) {

				/*
				 * internal sibling call: a jump to the first
				 * instruction of a different parent function.
				 */
				insn->call_dest = insn->jump_dest->func;
			}
		}
	}

	return 0;
}
676 
/*
 * Find the destination instructions for all calls.
 *
 * Sets insn->call_dest (a symbol) for every INSN_CALL.  Without a relocation
 * the target is looked up by offset in the same section, preferring a
 * function symbol and falling back to any symbol; a section relocation is
 * resolved from its addend; otherwise the relocation's symbol is the callee.
 * Returns 0 on success, -1 after warning about an unresolvable or
 * unsupported call.
 */
static int add_call_destinations(struct objtool_file *file)
{
	struct instruction *insn;
	unsigned long dest_off;
	struct rela *rela;

	for_each_insn(file, insn) {
		if (insn->type != INSN_CALL)
			continue;

		rela = find_rela_by_dest_range(file->elf, insn->sec,
					       insn->offset, insn->len);
		if (!rela) {
			/* Intra-section call: target encoded in the instruction. */
			dest_off = arch_jump_destination(insn);
			insn->call_dest = find_func_by_offset(insn->sec, dest_off);
			if (!insn->call_dest)
				insn->call_dest = find_symbol_by_offset(insn->sec, dest_off);

			/* Ignored instructions are resolved but never warned about. */
			if (insn->ignore)
				continue;

			if (!insn->call_dest) {
				WARN_FUNC("unsupported intra-function call",
					  insn->sec, insn->offset);
				if (retpoline)
					WARN("If this is a retpoline, please patch it in with alternatives and annotate it with ANNOTATE_NOSPEC_ALTERNATIVE.");
				return -1;
			}

			/* Only instructions inside a function are held to this. */
			if (insn->func && insn->call_dest->type != STT_FUNC) {
				WARN_FUNC("unsupported call to non-function",
					  insn->sec, insn->offset);
				return -1;
			}

		} else if (rela->sym->type == STT_SECTION) {
			/* Section-relative relocation: addend locates the callee. */
			dest_off = arch_dest_rela_offset(rela->addend);
			insn->call_dest = find_func_by_offset(rela->sym->sec,
							      dest_off);
			if (!insn->call_dest) {
				WARN_FUNC("can't find call dest symbol at %s+0x%lx",
					  insn->sec, insn->offset,
					  rela->sym->sec->name,
					  dest_off);
				return -1;
			}
		} else
			/* Symbol relocation: the symbol itself is the callee. */
			insn->call_dest = rela->sym;
	}

	return 0;
}
732 
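/*
 * The .alternatives section requires some extra special care, over and above
 * what other special sections require:
 *
 * 1. Because alternatives are patched in-place, we need to insert a fake jump
 *    instruction at the end so that validate_branch() skips all the original
 *    replaced instructions when validating the new instruction path.
 *
 * 2. An added wrinkle is that the new instruction length might be zero.  In
 *    that case the old instructions are replaced with noops.  We simulate that
 *    by creating a fake jump as the only new instruction.
 *
 * 3. In some cases, the alternative section includes an instruction which
 *    conditionally jumps to the _end_ of the entry.  We have to modify these
 *    jumps' destinations to point back to .text rather than the end of the
 *    entry in .altinstr_replacement.
 *
 * @orig_insn is the first original instruction of the entry.  *@new_insn is
 * the first replacement instruction on entry; for an empty replacement it is
 * set to the fake jump on return.  Returns 0 on success, -1 after a warning.
 */
static int handle_group_alt(struct objtool_file *file,
			    struct special_alt *special_alt,
			    struct instruction *orig_insn,
			    struct instruction **new_insn)
{
	static unsigned int alt_group_next_index = 1;
	struct instruction *last_orig_insn, *last_new_insn, *insn, *fake_jump = NULL;
	unsigned int alt_group = alt_group_next_index++;
	unsigned long dest_off;

	/* Tag every original instruction of the entry with this group's id. */
	last_orig_insn = NULL;
	insn = orig_insn;
	sec_for_each_insn_from(file, insn) {
		if (insn->offset >= special_alt->orig_off + special_alt->orig_len)
			break;

		insn->alt_group = alt_group;
		last_orig_insn = insn;
	}

	/*
	 * Unless the entry ends its section, synthesize the jump from the end
	 * of the replacement back to the instruction after the entry (point 1
	 * above).  calloc() zero-fills, replacing malloc()+memset().
	 */
	if (next_insn_same_sec(file, last_orig_insn)) {
		fake_jump = calloc(1, sizeof(*fake_jump));
		if (!fake_jump) {
			WARN("malloc failed");
			return -1;
		}
		INIT_LIST_HEAD(&fake_jump->alts);
		INIT_LIST_HEAD(&fake_jump->stack_ops);
		init_cfi_state(&fake_jump->cfi);

		fake_jump->sec = special_alt->new_sec;
		/* -1 stored in an unsigned long; add_jump_destinations() skips it. */
		fake_jump->offset = FAKE_JUMP_OFFSET;
		fake_jump->type = INSN_JUMP_UNCONDITIONAL;
		fake_jump->jump_dest = list_next_entry(last_orig_insn, list);
		fake_jump->func = orig_insn->func;
	}

	/* Point 2 above: the fake jump is the whole replacement. */
	if (!special_alt->new_len) {
		if (!fake_jump) {
			WARN("%s: empty alternative at end of section",
			     special_alt->orig_sec->name);
			return -1;
		}

		/* Ownership of fake_jump passes to the caller. */
		*new_insn = fake_jump;
		return 0;
	}

	/* The replacement instructions form a second group of their own. */
	last_new_insn = NULL;
	alt_group = alt_group_next_index++;
	insn = *new_insn;
	sec_for_each_insn_from(file, insn) {
		if (insn->offset >= special_alt->new_off + special_alt->new_len)
			break;

		last_new_insn = insn;

		insn->ignore = orig_insn->ignore_alts;
		insn->func = orig_insn->func;
		insn->alt_group = alt_group;

		/*
		 * Since alternative replacement code is copy/pasted by the
		 * kernel after applying relocations, generally such code can't
		 * have relative-address relocation references to outside the
		 * .altinstr_replacement section, unless the arch's
		 * alternatives code can adjust the relative offsets
		 * accordingly.
		 *
		 * The x86 alternatives code adjusts the offsets only when it
		 * encounters a branch instruction at the very beginning of the
		 * replacement group.
		 */
		if ((insn->offset != special_alt->new_off ||
		    (insn->type != INSN_CALL && !is_static_jump(insn))) &&
		    find_rela_by_dest_range(file->elf, insn->sec, insn->offset, insn->len)) {

			WARN_FUNC("unsupported relocation in alternatives section",
				  insn->sec, insn->offset);
			return -1;
		}

		if (!is_static_jump(insn))
			continue;

		if (!insn->immediate)
			continue;

		/* Point 3 above: retarget jumps to the entry's end onto the fake jump. */
		dest_off = arch_jump_destination(insn);
		if (dest_off == special_alt->new_off + special_alt->new_len) {
			if (!fake_jump) {
				WARN("%s: alternative jump to end of section",
				     special_alt->orig_sec->name);
				return -1;
			}
			insn->jump_dest = fake_jump;
		}

		if (!insn->jump_dest) {
			WARN_FUNC("can't find alternative jump destination",
				  insn->sec, insn->offset);
			return -1;
		}
	}

	if (!last_new_insn) {
		WARN_FUNC("can't find last new alternative instruction",
			  special_alt->new_sec, special_alt->new_off);
		return -1;
	}

	/* Splice the fake jump in right after the last replacement instruction. */
	if (fake_jump)
		list_add(&fake_jump->list, &last_new_insn->list);

	return 0;
}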
867 
/*
 * A jump table entry can either convert a nop to a jump or a jump to a nop.
 * If the original instruction is a jump, make the alt entry an effective nop
 * by just skipping the original instruction.
 *
 * Returns 0 on success, -1 after a warning for any other instruction type.
 */
static int handle_jump_alt(struct objtool_file *file,
			   struct special_alt *special_alt,
			   struct instruction *orig_insn,
			   struct instruction **new_insn)
{
	switch (orig_insn->type) {
	case INSN_NOP:
		/* nop -> jump: leave *new_insn as the caller resolved it. */
		return 0;

	case INSN_JUMP_UNCONDITIONAL:
		/* jump -> nop: the alternate path continues right after the jump. */
		*new_insn = list_next_entry(orig_insn, list);
		return 0;

	default:
		WARN_FUNC("unsupported instruction at jump label",
			  orig_insn->sec, orig_insn->offset);
		return -1;
	}
}
890 
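/*
 * Read all the special sections which have alternate instructions which can be
 * patched in or redirected to at runtime.  Each instruction having alternate
 * instruction(s) has them added to its insn->alts list, which will be
 * traversed in validate_branch().
 *
 * Every special_alt handed back by special_get_alts() is consumed here: it is
 * wrapped into a struct alternative on orig_insn->alts, dropped as an empty
 * group, or released on the error path.  Returns 0 on success, otherwise a
 * negative value after a warning.
 */
static int add_special_section_alts(struct objtool_file *file)
{
	struct list_head special_alts;
	struct instruction *orig_insn, *new_insn;
	struct special_alt *special_alt, *tmp;
	struct alternative *alt;
	int ret;

	ret = special_get_alts(file->elf, &special_alts);
	if (ret)
		return ret;

	list_for_each_entry_safe(special_alt, tmp, &special_alts, list) {

		orig_insn = find_insn(file, special_alt->orig_sec,
				      special_alt->orig_off);
		if (!orig_insn) {
			WARN_FUNC("special: can't find orig instruction",
				  special_alt->orig_sec, special_alt->orig_off);
			ret = -1;
			goto out;
		}

		/* Only a non-empty group (or a non-group entry) has real new code. */
		new_insn = NULL;
		if (!special_alt->group || special_alt->new_len) {
			new_insn = find_insn(file, special_alt->new_sec,
					     special_alt->new_off);
			if (!new_insn) {
				WARN_FUNC("special: can't find new instruction",
					  special_alt->new_sec,
					  special_alt->new_off);
				ret = -1;
				goto out;
			}
		}

		if (special_alt->group) {
			if (!special_alt->orig_len) {
				WARN_FUNC("empty alternative entry",
					  orig_insn->sec, orig_insn->offset);
				/* Skipped entries are released too; they used to leak. */
				list_del(&special_alt->list);
				free(special_alt);
				continue;
			}

			ret = handle_group_alt(file, special_alt, orig_insn,
					       &new_insn);
			if (ret)
				goto out;
		} else if (special_alt->jump_or_nop) {
			ret = handle_jump_alt(file, special_alt, orig_insn,
					      &new_insn);
			if (ret)
				goto out;
		}

		alt = malloc(sizeof(*alt));
		if (!alt) {
			WARN("malloc failed");
			ret = -1;
			goto out;
		}

		alt->insn = new_insn;
		alt->skip_orig = special_alt->skip_orig;
		orig_insn->ignore_alts |= special_alt->skip_alt;
		list_add_tail(&alt->list, &orig_insn->alts);

		list_del(&special_alt->list);
		free(special_alt);
	}

out:
	/*
	 * On the success path the list is already empty; on failure this
	 * releases whatever special_get_alts() allocated that was not consumed.
	 */
	list_for_each_entry_safe(special_alt, tmp, &special_alts, list) {
		list_del(&special_alt->list);
		free(special_alt);
	}
	return ret;
}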
970 
/*
 * Attach every entry of the switch jump table beginning at @table to @insn as
 * an alternative branch target.
 *
 * Walks the relocations of the table's section starting at @table and stops
 * at the next table start, at a gap between entries, at an entry that points
 * to the parent function itself (a function pointer, not a table slot), at an
 * entry with no decoded instruction, or at an entry outside the parent
 * function.  Returns 0 if at least one entry was consumed, -1 after a warning
 * otherwise.
 */
static int add_jump_table(struct objtool_file *file, struct instruction *insn,
			    struct rela *table)
{
	struct rela *rela = table;
	struct instruction *dest_insn;
	struct alternative *alt;
	struct symbol *pfunc = insn->func->pfunc;
	/*
	 * Offset of the last accepted entry; 0 doubles as "nothing consumed".
	 * NOTE(review): a one-entry table at offset 0 of its section would
	 * therefore be reported as missing — presumably never happens.
	 */
	unsigned int prev_offset = 0;

	/*
	 * Each @rela is a switch table relocation which points to the target
	 * instruction.
	 */
	list_for_each_entry_from(rela, &table->sec->rela_list, list) {

		/* Check for the end of the table: */
		if (rela != table && rela->jump_table_start)
			break;

		/* Make sure the table entries are consecutive (8-byte slots): */
		if (prev_offset && rela->offset != prev_offset + 8)
			break;

		/* Detect function pointers from contiguous objects: */
		if (rela->sym->sec == pfunc->sec &&
		    rela->addend == pfunc->offset)
			break;

		dest_insn = find_insn(file, rela->sym->sec, rela->addend);
		if (!dest_insn)
			break;

		/* Make sure the destination is in the same function: */
		if (!dest_insn->func || dest_insn->func->pfunc != pfunc)
			break;

		alt = malloc(sizeof(*alt));
		if (!alt) {
			WARN("malloc failed");
			return -1;
		}

		/* skip_orig is left unset: a table entry never skips the jump. */
		alt->insn = dest_insn;
		list_add_tail(&alt->list, &insn->alts);
		prev_offset = rela->offset;
	}

	if (!prev_offset) {
		WARN_FUNC("can't find switch jump table",
			  insn->sec, insn->offset);
		return -1;
	}

	return 0;
}
1026 
1027 /*
1028  * find_jump_table() - Given a dynamic jump, find the switch jump table in
1029  * .rodata associated with it.
1030  *
1031  * There are 3 basic patterns:
1032  *
1033  * 1. jmpq *[rodata addr](,%reg,8)
1034  *
1035  *    This is the most common case by far.  It jumps to an address in a simple
1036  *    jump table which is stored in .rodata.
1037  *
1038  * 2. jmpq *[rodata addr](%rip)
1039  *
1040  *    This is caused by a rare GCC quirk, currently only seen in three driver
1041  *    functions in the kernel, only with certain obscure non-distro configs.
1042  *
1043  *    As part of an optimization, GCC makes a copy of an existing switch jump
1044  *    table, modifies it, and then hard-codes the jump (albeit with an indirect
1045  *    jump) to use a single entry in the table.  The rest of the jump table and
1046  *    some of its jump targets remain as dead code.
1047  *
1048  *    In such a case we can just crudely ignore all unreachable instruction
1049  *    warnings for the entire object file.  Ideally we would just ignore them
1050  *    for the function, but that would require redesigning the code quite a
1051  *    bit.  And honestly that's just not worth doing: unreachable instruction
1052  *    warnings are of questionable value anyway, and this is such a rare issue.
1053  *
1054  * 3. mov [rodata addr],%reg1
1055  *    ... some instructions ...
1056  *    jmpq *(%reg1,%reg2,8)
1057  *
1058  *    This is a fairly uncommon pattern which is new for GCC 6.  As of this
1059  *    writing, there are 11 occurrences of it in the allmodconfig kernel.
1060  *
1061  *    As of GCC 7 there are quite a few more of these and the 'in between' code
1062  *    is significant. Esp. with KASAN enabled some of the code between the mov
1063  *    and jmpq uses .rodata itself, which can confuse things.
1064  *
1065  *    TODO: Once we have DWARF CFI and smarter instruction decoding logic,
1066  *    ensure the same register is used in the mov and jump instructions.
1067  *
1068  *    NOTE: RETPOLINE made it harder still to decode dynamic jumps.
1069  */
/*
 * Test whether @insn, visited during the backward search started at the
 * dynamic jump @orig_insn, references the switch jump table of @func.
 *
 * Returns the rela of the table's first entry on success.  Returns NULL
 * otherwise, with *@stop set when @insn marks the end of the search range
 * (a second dynamic jump, or an unconditional jump that leaves the range).
 */
static struct rela *jump_table_rela_at(struct objtool_file *file,
				       struct symbol *func,
				       struct instruction *orig_insn,
				       struct instruction *insn,
				       bool *stop)
{
	struct rela *text_rela, *table_rela;
	struct instruction *dest_insn;
	struct section *table_sec;
	unsigned long table_offset;
	bool rip_relative;

	*stop = false;

	/* another dynamic jump belongs to a different switch */
	if (insn != orig_insn && insn->type == INSN_JUMP_DYNAMIC)
		goto stop;

	/* only small forward jumps that stay within the range are tolerated */
	if (insn->type == INSN_JUMP_UNCONDITIONAL && insn->jump_dest &&
	    (insn->jump_dest->offset <= insn->offset ||
	     insn->jump_dest->offset > orig_insn->offset))
		goto stop;

	/* the candidate must carry a section relocation into .rodata */
	text_rela = find_rela_by_dest_range(file->elf, insn->sec,
					    insn->offset, insn->len);
	if (!text_rela || text_rela->sym->type != STT_SECTION ||
	    !text_rela->sym->sec->rodata)
		return NULL;

	rip_relative = text_rela->type == R_X86_64_PC32;
	table_sec = text_rela->sym->sec;
	table_offset = text_rela->addend;
	if (rip_relative)
		table_offset += 4;

	/*
	 * GCC jump tables are anonymous data, so a symbol covering the
	 * address rules the candidate out -- except for C jump tables, which
	 * share the format, do carry symbols, and are recognised by living
	 * in C_JUMP_TABLE_SECTION.
	 */
	if (find_symbol_containing(table_sec, table_offset) &&
	    strcmp(table_sec->name, C_JUMP_TABLE_SECTION))
		return NULL;

	/*
	 * Every table entry has a rela; the first one must point at text in
	 * the same function as the original instruction.
	 */
	table_rela = find_rela_by_dest(file->elf, table_sec, table_offset);
	if (!table_rela)
		return NULL;

	dest_insn = find_insn(file, table_rela->sym->sec, table_rela->addend);
	if (!dest_insn || !dest_insn->func || dest_insn->func->pfunc != func)
		return NULL;

	/*
	 * A RIP-relative switch jump is the rare GCC quirk (pattern 2 in the
	 * comment above find_jump_table()) which can leave dead code behind,
	 * so unreachable-instruction warnings are muted for this object.
	 */
	if (rip_relative)
		file->ignore_unreachables = true;

	return table_rela;

stop:
	*stop = true;
	return NULL;
}

static struct rela *find_jump_table(struct objtool_file *file,
				      struct symbol *func,
				      struct instruction *insn)
{
	struct instruction *orig_insn = insn;
	struct rela *rela;
	bool stop;

	/*
	 * Walk backwards from the dynamic jump while still inside @func.
	 * Taking the @first_jump_src link when one exists skips most of the
	 * 'in between' code, which keeps the search from being confused by it.
	 */
	while (&insn->list != &file->insn_list && insn->func &&
	       insn->func->pfunc == func) {
		rela = jump_table_rela_at(file, func, orig_insn, insn, &stop);
		if (rela || stop)
			return rela;

		insn = insn->first_jump_src ?: list_prev_entry(insn, list);
	}

	return NULL;
}
1149 
1150 /*
1151  * First pass: Mark the head of each jump table so that in the next pass,
1152  * we know when a given jump table ends and the next one starts.
1153  */
static void mark_func_jump_tables(struct objtool_file *file,
				    struct symbol *func)
{
	struct instruction *insn, *range_end = NULL;

	func_for_each_insn(file, func, insn) {
		struct instruction *dest = insn->jump_dest;
		struct rela *table;

		/* the first instruction seeds the forward-jump range */
		if (!range_end)
			range_end = insn;

		/*
		 * Record a back-pointer on the target of an unconditional
		 * forward jump that starts beyond the current range, so that
		 * find_jump_table() can walk back over the skipped code
		 * instead of through it.  Only the first such source is kept.
		 */
		if (insn->type == INSN_JUMP_UNCONDITIONAL && dest &&
		    insn->offset > range_end->offset &&
		    dest->offset > insn->offset &&
		    !dest->first_jump_src) {
			dest->first_jump_src = insn;
			range_end = dest;
		}

		if (insn->type != INSN_JUMP_DYNAMIC)
			continue;

		/* mark the table head so the next pass knows where it starts */
		table = find_jump_table(file, func, insn);
		if (!table)
			continue;

		table->jump_table_start = true;
		insn->jump_table = table;
	}
}
1188 
/*
 * Second pass over @func: turn every jump table head recorded by
 * mark_func_jump_tables() into alternatives on its dynamic jump.
 * Returns the first non-zero result of add_jump_table(), else 0.
 */
static int add_func_jump_tables(struct objtool_file *file,
				  struct symbol *func)
{
	struct instruction *insn;

	func_for_each_insn(file, func, insn) {
		struct rela *table = insn->jump_table;

		if (table) {
			int ret = add_jump_table(file, insn, table);

			if (ret)
				return ret;
		}
	}

	return 0;
}
1206 
1207 /*
1208  * For some switch statements, gcc generates a jump table in the .rodata
1209  * section which contains a list of addresses within the function to jump to.
1210  * This finds these jump tables and adds them to the insn->alts lists.
1211  */
static int add_jump_table_alts(struct objtool_file *file)
{
	struct section *sec;

	/* mark_rodata() found no section that could hold a table */
	if (!file->rodata)
		return 0;

	for_each_sec(file, sec) {
		struct symbol *func;

		list_for_each_entry(func, &sec->symbol_list, list) {
			int ret;

			if (func->type != STT_FUNC)
				continue;

			/* two passes per function: mark heads, then add alts */
			mark_func_jump_tables(file, func);
			ret = add_func_jump_tables(file, func);
			if (ret)
				return ret;
		}
	}

	return 0;
}
1235 
/*
 * Map an unwind hint's ORC_REG_* stack-pointer base onto the CFI_* register
 * encoding used by insn->cfi.cfa.base.  Sets *@known to false for a register
 * the hint format does not support; the return value is then meaningless.
 */
static int unwind_hint_cfa_base(int sp_reg, bool *known)
{
	*known = true;

	switch (sp_reg) {
	case ORC_REG_UNDEFINED:
		return CFI_UNDEFINED;
	case ORC_REG_SP:
		return CFI_SP;
	case ORC_REG_BP:
		return CFI_BP;
	case ORC_REG_SP_INDIRECT:
		return CFI_SP_INDIRECT;
	case ORC_REG_R10:
		return CFI_R10;
	case ORC_REG_R13:
		return CFI_R13;
	case ORC_REG_DI:
		return CFI_DI;
	case ORC_REG_DX:
		return CFI_DX;
	default:
		*known = false;
		return CFI_UNDEFINED;
	}
}

/*
 * Read the .discard.unwind_hints section and seed the CFI state of each
 * hinted instruction.  Returns 0 when the section is absent or fully
 * consumed, -1 on a malformed section or entry.
 */
static int read_unwind_hints(struct objtool_file *file)
{
	struct section *sec, *relasec;
	struct unwind_hint *hints;
	int i;

	sec = find_section_by_name(file->elf, ".discard.unwind_hints");
	if (!sec)
		return 0;

	relasec = sec->rela;
	if (!relasec) {
		WARN("missing .rela.discard.unwind_hints section");
		return -1;
	}

	/* the section must be an exact array of struct unwind_hint */
	if (sec->len % sizeof(struct unwind_hint)) {
		WARN("struct unwind_hint size mismatch");
		return -1;
	}

	file->hints = true;
	hints = sec->data->d_buf;

	for (i = 0; i < sec->len / sizeof(struct unwind_hint); i++) {
		struct unwind_hint *hint = &hints[i];
		struct instruction *insn;
		struct rela *rela;
		bool known;
		int base;

		/* the rela at this entry's offset names the hinted instruction */
		rela = find_rela_by_dest(file->elf, sec, i * sizeof(*hint));
		if (!rela) {
			WARN("can't find rela for unwind_hints[%d]", i);
			return -1;
		}

		insn = find_insn(file, rela->sym->sec, rela->addend);
		if (!insn) {
			WARN("can't find insn for unwind_hints[%d]", i);
			return -1;
		}

		/* RET_OFFSET hints only adjust the expected return offset */
		if (hint->type == UNWIND_HINT_TYPE_RET_OFFSET) {
			insn->ret_offset = hint->sp_offset;
			continue;
		}

		insn->hint = true;

		base = unwind_hint_cfa_base(hint->sp_reg, &known);
		if (!known) {
			WARN_FUNC("unsupported unwind_hint sp base reg %d",
				  insn->sec, insn->offset, hint->sp_reg);
			return -1;
		}

		insn->cfi.cfa.base = base;
		insn->cfi.cfa.offset = hint->sp_offset;
		insn->cfi.type = hint->type;
		insn->cfi.end = hint->end;
	}

	return 0;
}
1324 
/*
 * Flag every indirect jump/call listed in .discard.retpoline_safe as
 * retpoline_safe.  Returns 0 when the rela section is absent or fully
 * consumed, -1 on an entry that is malformed or not an indirect branch.
 */
static int read_retpoline_hints(struct objtool_file *file)
{
	struct section *sec;
	struct rela *rela;

	sec = find_section_by_name(file->elf, ".rela.discard.retpoline_safe");
	if (!sec)
		return 0;

	list_for_each_entry(rela, &sec->rela_list, list) {
		struct instruction *insn;
		bool indirect;

		if (rela->sym->type != STT_SECTION) {
			WARN("unexpected relocation symbol type in %s", sec->name);
			return -1;
		}

		insn = find_insn(file, rela->sym->sec, rela->addend);
		if (!insn) {
			WARN("bad .discard.retpoline_safe entry");
			return -1;
		}

		/* the annotation is only meaningful on an indirect branch */
		indirect = insn->type == INSN_JUMP_DYNAMIC ||
			   insn->type == INSN_CALL_DYNAMIC;
		if (!indirect) {
			WARN_FUNC("retpoline_safe hint not an indirect jump/call",
				  insn->sec, insn->offset);
			return -1;
		}

		insn->retpoline_safe = true;
	}

	return 0;
}
1359 
/*
 * Apply one .rela.discard.instr_* section @sec: every relocation names an
 * instruction whose instr counter is moved by @delta.  @bad_entry_msg is the
 * warning emitted when an entry does not resolve to an instruction.
 * Returns 0 on success, -1 on a malformed entry.
 */
static int apply_instr_hints(struct objtool_file *file, struct section *sec,
			     const char *bad_entry_msg, int delta)
{
	struct rela *rela;

	list_for_each_entry(rela, &sec->rela_list, list) {
		struct instruction *insn;

		if (rela->sym->type != STT_SECTION) {
			WARN("unexpected relocation symbol type in %s", sec->name);
			return -1;
		}

		insn = find_insn(file, rela->sym->sec, rela->addend);
		if (!insn) {
			WARN("%s", bad_entry_msg);
			return -1;
		}

		insn->instr += delta;
	}

	return 0;
}

/*
 * Read the instrumentation begin/end annotations: instr_end entries
 * decrement an instruction's instr counter, instr_begin entries increment
 * it.  Returns 0 when the sections are absent or fully consumed, -1 on a
 * malformed entry.
 */
static int read_instr_hints(struct objtool_file *file)
{
	struct section *sec;
	int ret;

	/*
	 * NOTE(review): when .rela.discard.instr_end is absent the
	 * instr_begin section is never consulted -- preserved from the
	 * original; confirm the two sections are always emitted together.
	 */
	sec = find_section_by_name(file->elf, ".rela.discard.instr_end");
	if (!sec)
		return 0;

	ret = apply_instr_hints(file, sec, "bad .discard.instr_end entry", -1);
	if (ret)
		return ret;

	sec = find_section_by_name(file->elf, ".rela.discard.instr_begin");
	if (!sec)
		return 0;

	return apply_instr_hints(file, sec, "bad .discard.instr_begin entry", 1);
}
1406 
static void mark_rodata(struct objtool_file *file)
{
	static const char prefix[] = ".rodata";
	struct section *sec;
	bool found = false;

	/*
	 * Flag the rodata sections that can hold jump tables:
	 *
	 * - .rodata: GCC switch tables
	 * - .rodata.<func>: the same, under -fdata-sections
	 * - .rodata..c_jump_table: C annotated jump tables
	 *
	 * .rodata.str1.* string-pool sections never contain jump tables and
	 * are skipped.
	 */
	for_each_sec(file, sec) {
		bool is_rodata = !strncmp(sec->name, prefix, sizeof(prefix) - 1);
		bool is_string_pool = strstr(sec->name, ".str1.") != NULL;

		if (!is_rodata || is_string_pool)
			continue;

		sec->rodata = true;
		found = true;
	}

	/* tells add_jump_table_alts() whether there is anything to scan */
	file->rodata = found;
}
1432 
/*
 * Run the decode passes over @file in dependency order.  Each pass runs only
 * if every earlier one returned 0; the first non-zero result is returned.
 */
static int decode_sections(struct objtool_file *file)
{
	int ret;

	mark_rodata(file);

	ret = decode_instructions(file);
	if (!ret)
		ret = add_dead_ends(file);
	if (ret)
		return ret;

	/* these two cannot fail */
	add_ignores(file);
	add_uaccess_safe(file);

	ret = add_ignore_alternatives(file);
	if (!ret)
		ret = add_jump_destinations(file);
	if (!ret)
		ret = add_special_section_alts(file);
	if (!ret)
		ret = add_call_destinations(file);
	if (!ret)
		ret = add_jump_table_alts(file);
	if (!ret)
		ret = read_unwind_hints(file);
	if (!ret)
		ret = read_retpoline_hints(file);
	if (!ret)
		ret = read_instr_hints(file);

	return ret;
}
1484 
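/*
 * Tell whether @insn is a direct call to the __fentry__ entry hook.
 *
 * The destination is checked for NULL before it is dereferenced: a direct
 * call whose destination was never resolved would otherwise crash here.
 */
static bool is_fentry_call(struct instruction *insn)
{
	if (insn->type != INSN_CALL || !insn->call_dest)
		return false;

	/* the hook symbol is expected to be STT_NOTYPE rather than STT_FUNC */
	return insn->call_dest->type == STT_NOTYPE &&
	       !strcmp(insn->call_dest->name, "__fentry__");
}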
1494 
/*
 * Report whether the CFI state in @state differs from the function-entry
 * state, allowing for the extra return offset a RET_OFFSET hint placed on
 * @insn.
 */
static bool has_modified_stack_frame(struct instruction *insn, struct insn_state *state)
{
	struct cfi_state *cfi = &state->cfi;
	int expected_offset = initial_func_cfi.cfa.offset + insn->ret_offset;
	int i;

	/* a moved CFA base or an active DRAP register is a modified frame */
	if (cfi->cfa.base != initial_func_cfi.cfa.base || cfi->drap)
		return true;

	/* both the CFA offset and the tracked stack size must sit at entry + ret_offset */
	if (cfi->cfa.offset != expected_offset || cfi->stack_size != expected_offset)
		return true;

	/* every register save slot must still be the initial one */
	for (i = 0; i < CFI_NUM_REGS; i++) {
		struct cfi_reg *now = &cfi->regs[i];
		struct cfi_reg *init = &initial_func_cfi.regs[i];

		if (now->base != init->base || now->offset != init->offset)
			return true;
	}

	return false;
}
1518 
/*
 * Report whether @state describes a complete frame-pointer setup: either the
 * classic rbp-based frame or the DRAP variant where rbp tracks itself.
 */
static bool has_valid_stack_frame(struct insn_state *state)
{
	struct cfi_state *cfi = &state->cfi;
	bool classic_frame = cfi->cfa.base == CFI_BP &&
			     cfi->regs[CFI_BP].base == CFI_CFA &&
			     cfi->regs[CFI_BP].offset == -16;
	bool drap_frame = cfi->drap && cfi->regs[CFI_BP].base == CFI_BP;

	return classic_frame || drap_frame;
}
1532 
/*
 * Reduced stack tracking for the ORC_TYPE_REGS / ORC_TYPE_REGS_IRET states:
 * only the CFA offset is followed, and only while the CFA is SP-based.
 * Always returns 0.
 */
static int update_cfi_state_regs(struct instruction *insn,
				  struct cfi_state *cfi,
				  struct stack_op *op)
{
	struct cfi_reg *cfa = &cfi->cfa;
	int dest = op->dest.type, src = op->src.type;

	if (cfa->base != CFI_SP)
		return 0;

	if (dest == OP_DEST_PUSH || dest == OP_DEST_PUSHF)
		cfa->offset += 8;		/* push */

	if (src == OP_SRC_POP || src == OP_SRC_POPF)
		cfa->offset -= 8;		/* pop */

	if (dest == OP_DEST_REG && src == OP_SRC_ADD &&
	    op->dest.reg == CFI_SP && op->src.reg == CFI_SP)
		cfa->offset -= op->src.offset;	/* add imm, %rsp */

	return 0;
}
1557 
/*
 * Record where callee-saved register @reg was saved (@base + @offset).  Only
 * the first save is kept; non callee-saved registers are ignored.
 */
static void save_reg(struct cfi_state *cfi, unsigned char reg, int base, int offset)
{
	struct cfi_reg *slot = &cfi->regs[reg];

	if (!arch_callee_saved_reg(reg) || slot->base != CFI_UNDEFINED)
		return;

	slot->base = base;
	slot->offset = offset;
}
1566 
/* Reset the save slot of @reg to its function-entry state. */
static void restore_reg(struct cfi_state *cfi, unsigned char reg)
{
	const struct cfi_reg *initial = &initial_func_cfi.regs[reg];

	cfi->regs[reg].base = initial->base;
	cfi->regs[reg].offset = initial->offset;
}
1572 
1573 /*
1574  * A note about DRAP stack alignment:
1575  *
1576  * GCC has the concept of a DRAP register, which is used to help keep track of
1577  * the stack pointer when aligning the stack.  r10 or r13 is used as the DRAP
1578  * register.  The typical DRAP pattern is:
1579  *
1580  *   4c 8d 54 24 08		lea    0x8(%rsp),%r10
1581  *   48 83 e4 c0		and    $0xffffffffffffffc0,%rsp
1582  *   41 ff 72 f8		pushq  -0x8(%r10)
1583  *   55				push   %rbp
1584  *   48 89 e5			mov    %rsp,%rbp
1585  *				(more pushes)
1586  *   41 52			push   %r10
1587  *				...
1588  *   41 5a			pop    %r10
1589  *				(more pops)
1590  *   5d				pop    %rbp
1591  *   49 8d 62 f8		lea    -0x8(%r10),%rsp
1592  *   c3				retq
1593  *
1594  * There are some variations in the epilogues, like:
1595  *
1596  *   5b				pop    %rbx
1597  *   41 5a			pop    %r10
1598  *   41 5c			pop    %r12
1599  *   41 5d			pop    %r13
1600  *   41 5e			pop    %r14
1601  *   c9				leaveq
1602  *   49 8d 62 f8		lea    -0x8(%r10),%rsp
1603  *   c3				retq
1604  *
1605  * and:
1606  *
1607  *   4c 8b 55 e8		mov    -0x18(%rbp),%r10
1608  *   48 8b 5d e0		mov    -0x20(%rbp),%rbx
1609  *   4c 8b 65 f0		mov    -0x10(%rbp),%r12
1610  *   4c 8b 6d f8		mov    -0x8(%rbp),%r13
1611  *   c9				leaveq
1612  *   49 8d 62 f8		lea    -0x8(%r10),%rsp
1613  *   c3				retq
1614  *
1615  * Sometimes r13 is used as the DRAP register, in which case it's saved and
1616  * restored beforehand:
1617  *
1618  *   41 55			push   %r13
1619  *   4c 8d 6c 24 10		lea    0x10(%rsp),%r13
1620  *   48 83 e4 f0		and    $0xfffffffffffffff0,%rsp
1621  *				...
1622  *   49 8d 65 f0		lea    -0x10(%r13),%rsp
1623  *   41 5d			pop    %r13
1624  *   c3				retq
1625  */
/*
 * update_cfi_state() - apply one decoded stack operation @op of @insn to the
 * CFI state @cfi.
 *
 * @cfi tracks the CFA (cfa.base/cfa.offset), the current stack_size, the
 * save slots of callee-saved registers (regs[]), scratch copies of the stack
 * pointer (vals[]) and the DRAP bookkeeping (drap, drap_reg, drap_offset)
 * described in the comment above.  The ORC_TYPE_REGS and ORC_TYPE_REGS_IRET
 * states are delegated to update_cfi_state_regs().
 *
 * Returns 0 on success and -1 after a WARN_FUNC() for an operation the
 * tracker cannot model: an undefined CFA inside a function, an unsupported
 * stack register modification or realignment, a leave with a modified frame,
 * or an unknown stack-related instruction.  Outside a function
 * (insn->func == NULL) an undefined CFA is tolerated silently.
 */
static int update_cfi_state(struct instruction *insn, struct cfi_state *cfi,
			     struct stack_op *op)
{
	struct cfi_reg *cfa = &cfi->cfa;
	struct cfi_reg *regs = cfi->regs;

	/* stack operations don't make sense with an undefined CFA */
	if (cfa->base == CFI_UNDEFINED) {
		if (insn->func) {
			WARN_FUNC("undefined stack state", insn->sec, insn->offset);
			return -1;
		}
		return 0;
	}

	/* these frame types use the reduced, SP-only tracking */
	if (cfi->type == ORC_TYPE_REGS || cfi->type == ORC_TYPE_REGS_IRET)
		return update_cfi_state_regs(insn, cfi, op);

	/* dispatch on the destination operand, then on the source operand */
	switch (op->dest.type) {

	case OP_DEST_REG:
		switch (op->src.type) {

		case OP_SRC_REG:
			if (op->src.reg == CFI_SP && op->dest.reg == CFI_BP &&
			    cfa->base == CFI_SP &&
			    regs[CFI_BP].base == CFI_CFA &&
			    regs[CFI_BP].offset == -cfa->offset) {

				/* mov %rsp, %rbp */
				cfa->base = op->dest.reg;
				cfi->bp_scratch = false;
			}

			else if (op->src.reg == CFI_SP &&
				 op->dest.reg == CFI_BP && cfi->drap) {

				/* drap: mov %rsp, %rbp */
				regs[CFI_BP].base = CFI_BP;
				regs[CFI_BP].offset = -cfi->stack_size;
				cfi->bp_scratch = false;
			}

			else if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {

				/*
				 * mov %rsp, %reg
				 *
				 * This is needed for the rare case where GCC
				 * does:
				 *
				 *   mov    %rsp, %rax
				 *   ...
				 *   mov    %rax, %rsp
				 */
				cfi->vals[op->dest.reg].base = CFI_CFA;
				cfi->vals[op->dest.reg].offset = -cfi->stack_size;
			}

			else if (op->src.reg == CFI_BP && op->dest.reg == CFI_SP &&
				 cfa->base == CFI_BP) {

				/*
				 * mov %rbp, %rsp
				 *
				 * Restore the original stack pointer (Clang).
				 */
				cfi->stack_size = -cfi->regs[CFI_BP].offset;
			}

			else if (op->dest.reg == cfa->base) {

				/* mov %reg, %rsp */
				if (cfa->base == CFI_SP &&
				    cfi->vals[op->src.reg].base == CFI_CFA) {

					/*
					 * This is needed for the rare case
					 * where GCC does something dumb like:
					 *
					 *   lea    0x8(%rsp), %rcx
					 *   ...
					 *   mov    %rcx, %rsp
					 */
					cfa->offset = -cfi->vals[op->src.reg].offset;
					cfi->stack_size = cfa->offset;

				} else {
					/* the CFA register was clobbered by an untracked value */
					cfa->base = CFI_UNDEFINED;
					cfa->offset = 0;
				}
			}

			break;

		case OP_SRC_ADD:
			if (op->dest.reg == CFI_SP && op->src.reg == CFI_SP) {

				/* add imm, %rsp */
				cfi->stack_size -= op->src.offset;
				if (cfa->base == CFI_SP)
					cfa->offset -= op->src.offset;
				break;
			}

			if (op->dest.reg == CFI_SP && op->src.reg == CFI_BP) {

				/* lea disp(%rbp), %rsp */
				cfi->stack_size = -(op->src.offset + regs[CFI_BP].offset);
				break;
			}

			if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {

				/* drap: lea disp(%rsp), %drap */
				cfi->drap_reg = op->dest.reg;

				/*
				 * lea disp(%rsp), %reg
				 *
				 * This is needed for the rare case where GCC
				 * does something dumb like:
				 *
				 *   lea    0x8(%rsp), %rcx
				 *   ...
				 *   mov    %rcx, %rsp
				 */
				cfi->vals[op->dest.reg].base = CFI_CFA;
				cfi->vals[op->dest.reg].offset = \
					-cfi->stack_size + op->src.offset;

				break;
			}

			if (cfi->drap && op->dest.reg == CFI_SP &&
			    op->src.reg == cfi->drap_reg) {

				 /* drap: lea disp(%drap), %rsp */
				cfa->base = CFI_SP;
				cfa->offset = cfi->stack_size = -op->src.offset;
				cfi->drap_reg = CFI_UNDEFINED;
				cfi->drap = false;
				break;
			}

			/* any other arithmetic on the CFA register cannot be followed */
			if (op->dest.reg == cfi->cfa.base) {
				WARN_FUNC("unsupported stack register modification",
					  insn->sec, insn->offset);
				return -1;
			}

			break;

		case OP_SRC_AND:
			/*
			 * Realignment is only understood on %rsp, with the CFA
			 * on SP when a DRAP register is pending and on BP
			 * otherwise.
			 */
			if (op->dest.reg != CFI_SP ||
			    (cfi->drap_reg != CFI_UNDEFINED && cfa->base != CFI_SP) ||
			    (cfi->drap_reg == CFI_UNDEFINED && cfa->base != CFI_BP)) {
				WARN_FUNC("unsupported stack pointer realignment",
					  insn->sec, insn->offset);
				return -1;
			}

			if (cfi->drap_reg != CFI_UNDEFINED) {
				/* drap: and imm, %rsp */
				cfa->base = cfi->drap_reg;
				cfa->offset = cfi->stack_size = 0;
				cfi->drap = true;
			}

			/*
			 * Older versions of GCC (4.8ish) realign the stack
			 * without DRAP, with a frame pointer.
			 */

			break;

		case OP_SRC_POP:
		case OP_SRC_POPF:
			if (!cfi->drap && op->dest.reg == cfa->base) {

				/* pop %rbp */
				cfa->base = CFI_SP;
			}

			if (cfi->drap && cfa->base == CFI_BP_INDIRECT &&
			    op->dest.reg == cfi->drap_reg &&
			    cfi->drap_offset == -cfi->stack_size) {

				/* drap: pop %drap */
				cfa->base = cfi->drap_reg;
				cfa->offset = 0;
				cfi->drap_offset = -1;

			} else if (regs[op->dest.reg].offset == -cfi->stack_size) {

				/* pop %reg */
				restore_reg(cfi, op->dest.reg);
			}

			cfi->stack_size -= 8;
			if (cfa->base == CFI_SP)
				cfa->offset -= 8;

			break;

		case OP_SRC_REG_INDIRECT:
			if (cfi->drap && op->src.reg == CFI_BP &&
			    op->src.offset == cfi->drap_offset) {

				/* drap: mov disp(%rbp), %drap */
				cfa->base = cfi->drap_reg;
				cfa->offset = 0;
				cfi->drap_offset = -1;
			}

			if (cfi->drap && op->src.reg == CFI_BP &&
			    op->src.offset == regs[op->dest.reg].offset) {

				/* drap: mov disp(%rbp), %reg */
				restore_reg(cfi, op->dest.reg);

			} else if (op->src.reg == cfa->base &&
			    op->src.offset == regs[op->dest.reg].offset + cfa->offset) {

				/* mov disp(%rbp), %reg */
				/* mov disp(%rsp), %reg */
				restore_reg(cfi, op->dest.reg);
			}

			break;

		default:
			WARN_FUNC("unknown stack-related instruction",
				  insn->sec, insn->offset);
			return -1;
		}

		break;

	case OP_DEST_PUSH:
	case OP_DEST_PUSHF:
		cfi->stack_size += 8;
		if (cfa->base == CFI_SP)
			cfa->offset += 8;

		/* only register pushes affect the save-slot bookkeeping */
		if (op->src.type != OP_SRC_REG)
			break;

		if (cfi->drap) {
			if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) {

				/* drap: push %drap */
				cfa->base = CFI_BP_INDIRECT;
				cfa->offset = -cfi->stack_size;

				/* save drap so we know when to restore it */
				cfi->drap_offset = -cfi->stack_size;

			} else if (op->src.reg == CFI_BP && cfa->base == cfi->drap_reg) {

				/* drap: push %rbp */
				cfi->stack_size = 0;

			} else if (regs[op->src.reg].base == CFI_UNDEFINED) {

				/* drap: push %reg */
				save_reg(cfi, op->src.reg, CFI_BP, -cfi->stack_size);
			}

		} else {

			/* push %reg */
			save_reg(cfi, op->src.reg, CFI_CFA, -cfi->stack_size);
		}

		/* detect when asm code uses rbp as a scratch register */
		if (!no_fp && insn->func && op->src.reg == CFI_BP &&
		    cfa->base != CFI_BP)
			cfi->bp_scratch = true;
		break;

	case OP_DEST_REG_INDIRECT:

		if (cfi->drap) {
			if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) {

				/* drap: mov %drap, disp(%rbp) */
				cfa->base = CFI_BP_INDIRECT;
				cfa->offset = op->dest.offset;

				/* save drap offset so we know when to restore it */
				cfi->drap_offset = op->dest.offset;
			}

			else if (regs[op->src.reg].base == CFI_UNDEFINED) {

				/* drap: mov reg, disp(%rbp) */
				save_reg(cfi, op->src.reg, CFI_BP, op->dest.offset);
			}

		} else if (op->dest.reg == cfa->base) {

			/* mov reg, disp(%rbp) */
			/* mov reg, disp(%rsp) */
			save_reg(cfi, op->src.reg, CFI_CFA,
				 op->dest.offset - cfi->cfa.offset);
		}

		break;

	case OP_DEST_LEAVE:
		if ((!cfi->drap && cfa->base != CFI_BP) ||
		    (cfi->drap && cfa->base != cfi->drap_reg)) {
			WARN_FUNC("leave instruction with modified stack frame",
				  insn->sec, insn->offset);
			return -1;
		}

		/* leave (mov %rbp, %rsp; pop %rbp) */

		cfi->stack_size = -cfi->regs[CFI_BP].offset - 8;
		restore_reg(cfi, CFI_BP);

		/* with DRAP the CFA stays on the DRAP register */
		if (!cfi->drap) {
			cfa->base = CFI_SP;
			cfa->offset -= 8;
		}

		break;

	case OP_DEST_MEM:
		if (op->src.type != OP_SRC_POP && op->src.type != OP_SRC_POPF) {
			WARN_FUNC("unknown stack-related memory operation",
				  insn->sec, insn->offset);
			return -1;
		}

		/* pop mem */
		cfi->stack_size -= 8;
		if (cfa->base == CFI_SP)
			cfa->offset -= 8;

		break;

	default:
		WARN_FUNC("unknown stack-related instruction",
			  insn->sec, insn->offset);
		return -1;
	}

	return 0;
}
1978 
/*
 * Apply every stack operation of @insn to @state: the CFI state through
 * update_cfi_state(), plus the PUSHF/POPF shadow stack that preserves the
 * uaccess flag across flag saves.  Returns 0 on success, the non-zero result
 * of update_cfi_state(), -1 for a stack op inside an alternative, or 1 when
 * the shadow stack overflows.
 */
static int handle_insn_ops(struct instruction *insn, struct insn_state *state)
{
	struct stack_op *op;

	list_for_each_entry(op, &insn->stack_ops, list) {
		int ret;

		/* alternatives are expected to be free of stack ops */
		if (insn->alt_group) {
			WARN_FUNC("alternative modifies stack", insn->sec, insn->offset);
			return -1;
		}

		ret = update_cfi_state(insn, &state->cfi, op);
		if (ret)
			return ret;

		if (op->dest.type == OP_DEST_PUSHF) {
			/*
			 * An empty shadow stack is seeded with a marker bit so
			 * that the last POPF can tell it from a real entry.
			 */
			if (!state->uaccess_stack) {
				state->uaccess_stack = 1;
			} else if (state->uaccess_stack >> 31) {
				WARN_FUNC("PUSHF stack exhausted",
					  insn->sec, insn->offset);
				return 1;
			}
			state->uaccess_stack = (state->uaccess_stack << 1) | state->uaccess;
		}

		if (op->src.type == OP_SRC_POPF && state->uaccess_stack) {
			state->uaccess = state->uaccess_stack & 1;
			state->uaccess_stack >>= 1;
			/* only the marker bit is left: the shadow stack is empty */
			if (state->uaccess_stack == 1)
				state->uaccess_stack = 0;
		}
	}

	return 0;
}
2019 
/*
 * Compare the CFI state recorded on @insn with @cfi2.  The first differing
 * component (CFA, register slots, type, DRAP state) is reported with a
 * WARN_FUNC().  Returns true when the two states agree.
 */
static bool insn_cfi_match(struct instruction *insn, struct cfi_state *cfi2)
{
	struct cfi_state *cfi1 = &insn->cfi;
	int i;

	if (memcmp(&cfi1->cfa, &cfi2->cfa, sizeof(cfi1->cfa))) {
		WARN_FUNC("stack state mismatch: cfa1=%d%+d cfa2=%d%+d",
			  insn->sec, insn->offset,
			  cfi1->cfa.base, cfi1->cfa.offset,
			  cfi2->cfa.base, cfi2->cfa.offset);
		return false;
	}

	if (memcmp(&cfi1->regs, &cfi2->regs, sizeof(cfi1->regs))) {
		/* name only the first register whose slot differs */
		for (i = 0; i < CFI_NUM_REGS; i++) {
			if (memcmp(&cfi1->regs[i], &cfi2->regs[i],
				   sizeof(struct cfi_reg))) {
				WARN_FUNC("stack state mismatch: reg1[%d]=%d%+d reg2[%d]=%d%+d",
					  insn->sec, insn->offset,
					  i, cfi1->regs[i].base, cfi1->regs[i].offset,
					  i, cfi2->regs[i].base, cfi2->regs[i].offset);
				break;
			}
		}
		return false;
	}

	if (cfi1->type != cfi2->type) {
		WARN_FUNC("stack state mismatch: type1=%d type2=%d",
			  insn->sec, insn->offset, cfi1->type, cfi2->type);
		return false;
	}

	/* drap_reg/drap_offset only matter while DRAP is active */
	if (cfi1->drap != cfi2->drap ||
	    (cfi1->drap && cfi1->drap_reg != cfi2->drap_reg) ||
	    (cfi1->drap && cfi1->drap_offset != cfi2->drap_offset)) {
		WARN_FUNC("stack state mismatch: drap1=%d(%d,%d) drap2=%d(%d,%d)",
			  insn->sec, insn->offset,
			  cfi1->drap, cfi1->drap_reg, cfi1->drap_offset,
			  cfi2->drap, cfi2->drap_reg, cfi2->drap_offset);
		return false;
	}

	return true;
}
2064 
/* The uaccess_safe marking of @func; a NULL @func is never safe. */
static inline bool func_uaccess_safe(struct symbol *func)
{
	return func ? func->uaccess_safe : false;
}
2072 
/* Name of the call destination of @insn, or "{dynamic}" when unresolved. */
static inline const char *call_dest_name(struct instruction *insn)
{
	return insn->call_dest ? insn->call_dest->name : "{dynamic}";
}
2080 
/*
 * Check that a call at @insn is legal in @state: it must not leave
 * .noinstr.text while instrumentation is off, must not target a non
 * uaccess_safe function with UACCESS enabled, and must not run with DF set.
 * Returns 1 after a WARN_FUNC() on a violation, else 0.
 */
static int validate_call(struct instruction *insn, struct insn_state *state)
{
	struct symbol *dest = insn->call_dest;

	/* an unresolved destination is treated as leaving the noinstr section */
	if (state->noinstr && state->instr <= 0 && (!dest || !dest->sec->noinstr)) {
		WARN_FUNC("call to %s() leaves .noinstr.text section",
				insn->sec, insn->offset, call_dest_name(insn));
		return 1;
	}

	if (state->uaccess && !func_uaccess_safe(dest)) {
		WARN_FUNC("call to %s() with UACCESS enabled",
				insn->sec, insn->offset, call_dest_name(insn));
		return 1;
	}

	if (state->df) {
		WARN_FUNC("call to %s() with DF set",
				insn->sec, insn->offset, call_dest_name(insn));
		return 1;
	}

	return 0;
}
2104 
/*
 * A sibling call (tail jump to another function) must leave the frame as it
 * was at entry; beyond that it is validated like an ordinary call.
 */
static int validate_sibling_call(struct instruction *insn, struct insn_state *state)
{
	if (!has_modified_stack_frame(insn, state))
		return validate_call(insn, state);

	WARN_FUNC("sibling call from callable instruction with modified stack frame",
			insn->sec, insn->offset);
	return 1;
}
2115 
/*
 * Check the state at a return instruction @insn of @func.  Returns 1 after
 * a WARN_FUNC() on the first violated rule, else 0.
 */
static int validate_return(struct symbol *func, struct instruction *insn, struct insn_state *state)
{
	bool uaccess_safe = func_uaccess_safe(func);

	/* instrumentation must be balanced before leaving noinstr code */
	if (state->noinstr && state->instr > 0) {
		WARN_FUNC("return with instrumentation enabled",
			  insn->sec, insn->offset);
		return 1;
	}

	/*
	 * The UACCESS state at return must match the function's marking:
	 * enabled exactly when the function is uaccess_safe.
	 */
	if (!!state->uaccess != uaccess_safe) {
		if (state->uaccess) {
			WARN_FUNC("return with UACCESS enabled",
				  insn->sec, insn->offset);
		} else {
			WARN_FUNC("return with UACCESS disabled from a UACCESS-safe function",
				  insn->sec, insn->offset);
		}
		return 1;
	}

	if (state->df) {
		WARN_FUNC("return with DF set",
			  insn->sec, insn->offset);
		return 1;
	}

	/* without a function there is no entry frame to compare against */
	if (func && has_modified_stack_frame(insn, state)) {
		WARN_FUNC("return with modified stack frame",
			  insn->sec, insn->offset);
		return 1;
	}

	if (state->cfi.bp_scratch) {
		WARN_FUNC("BP used as a scratch register",
			  insn->sec, insn->offset);
		return 1;
	}

	return 0;
}
2156 
2157 /*
2158  * Alternatives should not contain any ORC entries, this in turn means they
2159  * should not contain any CFI ops, which implies all instructions should have
 2160  * the same CFI state.
2161  *
 2162  * It is possible to construct alternatives that have unreachable holes that go
2163  * unreported (because they're NOPs), such holes would result in CFI_UNDEFINED
2164  * states which then results in ORC entries, which we just said we didn't want.
2165  *
2166  * Avoid them by copying the CFI entry of the first instruction into the whole
2167  * alternative.
2168  */
static void fill_alternative_cfi(struct objtool_file *file, struct instruction *insn)
{
	struct instruction *first = insn;
	int alt_group = first->alt_group;

	/* propagate the first instruction's CFI across the rest of the group */
	sec_for_each_insn_continue(file, insn) {
		if (insn->alt_group != alt_group)
			break;
		insn->cfi = first->cfi;
	}
}
2180 
/*
 * Follow the branch starting at the given instruction, and recursively follow
 * any other branches (jumps).  Meanwhile, track the frame pointer state at
 * each instruction and validate all the rules described in
 * tools/objtool/Documentation/stack-validation.txt.
 *
 * @file:  the object being checked
 * @func:  the function being validated, or NULL when the walk did not start
 *         inside a callable function (several checks are only made with a
 *         non-NULL @func)
 * @insn:  the instruction to start from
 * @state: the instruction state (CFI, UACCESS, DF, noinstr instrumentation
 *         count) at @insn; passed by value, so each branch explored by the
 *         recursive calls works on its own copy
 *
 * Returns 0 on success, non-zero when a rule was violated (in most cases a
 * WARN_FUNC() is issued first).
 */
static int validate_branch(struct objtool_file *file, struct symbol *func,
			   struct instruction *insn, struct insn_state state)
{
	struct alternative *alt;
	struct instruction *next_insn;
	struct section *sec;
	u8 visited;
	int ret;

	sec = insn->sec;

	while (1) {
		next_insn = next_insn_same_sec(file, insn);

		if (file->c_file && func && insn->func && func != insn->func->pfunc) {
			WARN("%s() falls through to next function %s()",
			     func->name, insn->func->name);
			return 1;
		}

		if (func && insn->ignore) {
			WARN_FUNC("BUG: why am I validating an ignored function?",
				  sec, insn->offset);
			return 1;
		}

		/*
		 * Each instruction is walked once per UACCESS state: bit 0 for
		 * UACCESS disabled, bit 1 for enabled.  Reaching an instruction
		 * again in the same state ends this path; reaching it in the
		 * other state re-validates it.  Either way the CFI must agree
		 * with the previous visit unless an unwind hint overrides it.
		 */
		visited = 1 << state.uaccess;
		if (insn->visited) {
			if (!insn->hint && !insn_cfi_match(insn, &state.cfi))
				return 1;

			if (insn->visited & visited)
				return 0;
		}

		if (state.noinstr)
			state.instr += insn->instr;

		/* An unwind hint replaces the tracked CFI; otherwise record ours. */
		if (insn->hint)
			state.cfi = insn->cfi;
		else
			insn->cfi = state.cfi;

		insn->visited |= visited;

		/*
		 * Validate every alternative replacement as a branch of its own
		 * before continuing with the original instruction.  A
		 * replacement flagged skip_orig means the original code is
		 * never executed and so is not validated.
		 */
		if (!insn->ignore_alts && !list_empty(&insn->alts)) {
			bool skip_orig = false;

			list_for_each_entry(alt, &insn->alts, list) {
				if (alt->skip_orig)
					skip_orig = true;

				ret = validate_branch(file, func, alt->insn, state);
				if (ret) {
					if (backtrace)
						BT_FUNC("(alt)", insn);
					return ret;
				}
			}

			if (insn->alt_group)
				fill_alternative_cfi(file, insn);

			if (skip_orig)
				return 0;
		}

		switch (insn->type) {

		case INSN_RETURN:
			return validate_return(func, insn, &state);

		case INSN_CALL:
		case INSN_CALL_DYNAMIC:
			ret = validate_call(insn, &state);
			if (ret)
				return ret;

			if (!no_fp && func && !is_fentry_call(insn) &&
			    !has_valid_stack_frame(&state)) {
				WARN_FUNC("call without frame pointer save/setup",
					  sec, insn->offset);
				return 1;
			}

			/* Calls to functions that never return end this path. */
			if (dead_end_function(file, insn->call_dest))
				return 0;

			break;

		case INSN_JUMP_CONDITIONAL:
		case INSN_JUMP_UNCONDITIONAL:
			if (func && is_sibling_call(insn)) {
				ret = validate_sibling_call(insn, &state);
				if (ret)
					return ret;

			} else if (insn->jump_dest) {
				ret = validate_branch(file, func,
						      insn->jump_dest, state);
				if (ret) {
					if (backtrace)
						BT_FUNC("(branch)", insn);
					return ret;
				}
			}

			/* Only a conditional jump can fall through to next_insn. */
			if (insn->type == INSN_JUMP_UNCONDITIONAL)
				return 0;

			break;

		case INSN_JUMP_DYNAMIC:
		case INSN_JUMP_DYNAMIC_CONDITIONAL:
			if (func && is_sibling_call(insn)) {
				ret = validate_sibling_call(insn, &state);
				if (ret)
					return ret;
			}

			if (insn->type == INSN_JUMP_DYNAMIC)
				return 0;

			break;

		case INSN_EXCEPTION_RETURN:
			if (handle_insn_ops(insn, &state))
				return 1;

			/*
			 * This handles x86's sync_core() case, where we use an
			 * IRET to self. All 'normal' IRET instructions are in
			 * STT_NOTYPE entry symbols.
			 */
			if (func)
				break;

			return 0;

		case INSN_CONTEXT_SWITCH:
			if (func && (!next_insn || !next_insn->hint)) {
				WARN_FUNC("unsupported instruction in callable function",
					  sec, insn->offset);
				return 1;
			}
			return 0;

		case INSN_STACK:
			if (handle_insn_ops(insn, &state))
				return 1;
			break;

		/*
		 * STAC/CLAC bracket the user-access window.  Opening it twice,
		 * closing it in a function without having opened it, and a
		 * UACCESS-safe function closing it (outside a uaccess_stack
		 * context) are all violations.
		 */
		case INSN_STAC:
			if (state.uaccess) {
				WARN_FUNC("recursive UACCESS enable", sec, insn->offset);
				return 1;
			}

			state.uaccess = true;
			break;

		case INSN_CLAC:
			if (!state.uaccess && func) {
				WARN_FUNC("redundant UACCESS disable", sec, insn->offset);
				return 1;
			}

			if (func_uaccess_safe(func) && !state.uaccess_stack) {
				WARN_FUNC("UACCESS-safe disables UACCESS", sec, insn->offset);
				return 1;
			}

			state.uaccess = false;
			break;

		/*
		 * STD/CLD track the direction flag.  Unlike the UACCESS checks
		 * above, an unbalanced STD/CLD only warns and the walk goes on.
		 */
		case INSN_STD:
			if (state.df)
				WARN_FUNC("recursive STD", sec, insn->offset);

			state.df = true;
			break;

		case INSN_CLD:
			if (!state.df && func)
				WARN_FUNC("redundant CLD", sec, insn->offset);

			state.df = false;
			break;

		default:
			break;
		}

		if (insn->dead_end)
			return 0;

		/*
		 * Running off the end of the section is only acceptable when
		 * the CFA is undefined, i.e. no unwind information is expected
		 * for this code.
		 */
		if (!next_insn) {
			if (state.cfi.cfa.base == CFI_UNDEFINED)
				return 0;
			WARN("%s: unexpected end of section", sec->name);
			return 1;
		}

		insn = next_insn;
	}

	return 0;
}
2395 
/*
 * Start a validation walk from every instruction carrying an unwind hint that
 * has not been reached yet.  With @sec set only that section is scanned;
 * with @sec NULL the whole instruction list is.  Nothing is done when the
 * object has no hints at all.
 *
 * Returns the number of walks that reported a problem.
 */
static int validate_unwind_hints(struct objtool_file *file, struct section *sec)
{
	struct instruction *insn;
	struct insn_state state;
	int warnings = 0;

	if (!file->hints)
		return 0;

	init_insn_state(&state, sec);

	if (!sec) {
		insn = list_first_entry(&file->insn_list, typeof(*insn), list);
	} else {
		insn = find_insn(file, sec, 0);
		if (!insn)
			return 0;
	}

	for (; &insn->list != &file->insn_list; insn = list_next_entry(insn, list)) {
		int ret;

		/* Section-scoped scan: stop at the first instruction of another section. */
		if (sec && insn->sec != sec)
			break;

		if (!insn->hint || insn->visited)
			continue;

		ret = validate_branch(file, insn->func, insn, state);
		if (ret && backtrace)
			BT_FUNC("<=== (hint)", insn);
		warnings += ret;
	}

	return warnings;
}
2428 
/*
 * In a RETPOLINE build, report every indirect jump or call that has not been
 * annotated as retpoline-safe.  Returns the number of such instructions.
 */
static int validate_retpoline(struct objtool_file *file)
{
	struct instruction *insn;
	int warnings = 0;

	for_each_insn(file, insn) {
		bool is_jump = insn->type == INSN_JUMP_DYNAMIC;

		if (!is_jump && insn->type != INSN_CALL_DYNAMIC)
			continue;

		if (insn->retpoline_safe)
			continue;

		/*
		 * .init.text code is run before userspace and thus doesn't
		 * strictly need retpolines -- except in modules, which are
		 * loaded late and therefore very much do need retpolines in
		 * their .init.text.
		 */
		if (!module && !strcmp(insn->sec->name, ".init.text"))
			continue;

		WARN_FUNC("indirect %s found in RETPOLINE build",
			  insn->sec, insn->offset, is_jump ? "jump" : "call");
		warnings++;
	}

	return warnings;
}
2460 
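/*
 * Is @insn a call to KASAN's __asan_handle_no_return()?  Used by
 * ignore_unreachable_insn() to tolerate instrumentation-generated code.
 *
 * call_dest is guarded before it is dereferenced: this helper is applied to
 * instructions the caller only looks ahead over, and NOTE(review) call_dest
 * is assumed to be NULL for a CALL whose destination was not resolved --
 * confirm against the decoder.  Such a call is simply not a KASAN call.
 */
static bool is_kasan_insn(struct instruction *insn)
{
	return (insn->type == INSN_CALL && insn->call_dest &&
		!strcmp(insn->call_dest->name, "__asan_handle_no_return"));
}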
2466 
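/*
 * Is @insn a call to UBSAN's __ubsan_handle_builtin_unreachable()?  Used by
 * ignore_unreachable_insn() to tolerate instrumentation-generated code.
 *
 * call_dest is guarded before it is dereferenced: this helper is applied to
 * instructions the caller only looks ahead over, and NOTE(review) call_dest
 * is assumed to be NULL for a CALL whose destination was not resolved --
 * confirm against the decoder.  Such a call is simply not a UBSAN call.
 */
static bool is_ubsan_insn(struct instruction *insn)
{
	return (insn->type == INSN_CALL && insn->call_dest &&
		!strcmp(insn->call_dest->name,
			"__ubsan_handle_builtin_unreachable"));
}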
2473 
/*
 * Decide whether an instruction that was never reached by validation should
 * be excused instead of reported as "unreachable instruction".
 *
 * Excused are: ignored instructions and NOPs; anything in the fixup and
 * alternative-replacement sections; the compiler's duplicate trap after a
 * dead end (CONFIG_UBSAN_TRAP); and code within a few instructions of a
 * KASAN/UBSAN handler call.  Instructions outside any function are never
 * excused by the function-local checks.
 *
 * NOTE(review): the dead-end check reads the list predecessor of @insn,
 * which assumes @insn is not the very first entry of the instruction list
 * (the list head is not an instruction) -- TODO confirm this cannot happen.
 */
static bool ignore_unreachable_insn(struct instruction *insn)
{
	const char *secname;
	struct instruction *prev;
	int hops;

	if (insn->ignore || insn->type == INSN_NOP)
		return true;

	/*
	 * Ignore any unused exceptions.  This can happen when a whitelisted
	 * function has an exception table entry.
	 *
	 * Also ignore alternative replacement instructions.  This can happen
	 * when a whitelisted function uses one of the ALTERNATIVE macros.
	 */
	secname = insn->sec->name;
	if (!strcmp(secname, ".fixup") ||
	    !strcmp(secname, ".altinstr_replacement") ||
	    !strcmp(secname, ".altinstr_aux"))
		return true;

	if (!insn->func)
		return false;

	/*
	 * CONFIG_UBSAN_TRAP inserts a UD2 when it sees
	 * __builtin_unreachable().  The BUG() macro has an unreachable() after
	 * the UD2, which causes GCC's undefined trap logic to emit another UD2
	 * (or occasionally a JMP to UD2).
	 */
	prev = list_prev_entry(insn, list);
	if (prev->dead_end) {
		if (insn->type == INSN_BUG)
			return true;
		if (insn->type == INSN_JUMP_UNCONDITIONAL &&
		    insn->jump_dest && insn->jump_dest->type == INSN_BUG)
			return true;
	}

	/*
	 * Look at this and the following instructions for a KASAN/UBSAN
	 * handler call, following unconditional jumps within the function.
	 * Give up after 5 hops, or when the function's end is reached.
	 */
	for (hops = 0; hops < 5; hops++) {
		if (is_kasan_insn(insn) || is_ubsan_insn(insn))
			return true;

		if (insn->type == INSN_JUMP_UNCONDITIONAL) {
			if (!insn->jump_dest || insn->jump_dest->func != insn->func)
				break;
			insn = insn->jump_dest;
			continue;
		}

		if (insn->offset + insn->len >= insn->func->offset + insn->func->len)
			break;

		insn = list_next_entry(insn, list);
	}

	return false;
}
2537 
/*
 * Validate the code of one function symbol, starting a branch walk at its
 * first instruction with the UACCESS state taken from the symbol's
 * uaccess_safe flag.  Only a parent symbol that is not an alias starts a
 * walk; other symbols, symbols without instructions, and ignored or
 * already-visited code are silently skipped.
 *
 * Note that @state is modified: its uaccess field is overwritten.
 *
 * Returns 1 for a missing size annotation, otherwise validate_branch()'s
 * result.
 */
static int validate_symbol(struct objtool_file *file, struct section *sec,
			   struct symbol *sym, struct insn_state *state)
{
	struct instruction *insn;
	int ret;

	/* Without a size there is no way to tell where the function ends. */
	if (!sym->len) {
		WARN("%s() is missing an ELF size annotation", sym->name);
		return 1;
	}

	if (sym->pfunc != sym)
		return 0;
	if (sym->alias != sym)
		return 0;

	insn = find_insn(file, sec, sym->offset);
	if (!insn)
		return 0;
	if (insn->ignore || insn->visited)
		return 0;

	state->uaccess = sym->uaccess_safe;

	ret = validate_branch(file, insn->func, insn, *state);
	if (ret && backtrace)
		BT_FUNC("<=== (sym)", insn);

	return ret;
}
2563 
/*
 * Seed @state with the architecture's initial CFI state for function entry
 * (CFA, register state and stack size from initial_func_cfi).
 */
static void init_func_insn_state(struct insn_state *state, struct section *sec)
{
	init_insn_state(state, sec);
	state->cfi.cfa = initial_func_cfi.cfa;
	memcpy(&state->cfi.regs, &initial_func_cfi.regs,
	       CFI_NUM_REGS * sizeof(struct cfi_reg));
	state->cfi.stack_size = initial_func_cfi.cfa.offset;
}

/*
 * Validate every STT_FUNC symbol in @sec, each from a fresh function-entry
 * state.  Returns the number of warnings issued.
 */
static int validate_section(struct objtool_file *file, struct section *sec)
{
	struct symbol *sym;
	int warnings = 0;

	list_for_each_entry(sym, &sec->symbol_list, list) {
		struct insn_state state;

		if (sym->type != STT_FUNC)
			continue;

		init_func_insn_state(&state, sec);
		warnings += validate_symbol(file, sec, sym, &state);
	}

	return warnings;
}
2585 
/*
 * vmlinux mode: validate only the .noinstr.text and .entry.text sections
 * (functions and unwind hints), each only if the section exists.
 * Returns the total number of warnings.
 */
static int validate_vmlinux_functions(struct objtool_file *file)
{
	static const char * const secnames[] = { ".noinstr.text", ".entry.text" };
	unsigned int i;
	int warnings = 0;

	for (i = 0; i < sizeof(secnames) / sizeof(secnames[0]); i++) {
		struct section *sec = find_section_by_name(file->elf, secnames[i]);

		if (!sec)
			continue;

		warnings += validate_section(file, sec);
		warnings += validate_unwind_hints(file, sec);
	}

	return warnings;
}
2605 
/*
 * Validate the functions of every executable section in the object.
 * Returns the total number of warnings.
 */
static int validate_functions(struct objtool_file *file)
{
	struct section *sec;
	int warnings = 0;

	for_each_sec(file, sec) {
		if (sec->sh.sh_flags & SHF_EXECINSTR)
			warnings += validate_section(file, sec);
	}

	return warnings;
}
2620 
/*
 * Report the first instruction that validation never reached and that is
 * not excused by ignore_unreachable_insn().  Skipped entirely when the
 * file's unreachables are to be ignored.  Returns 1 on a report, else 0.
 */
static int validate_reachable_instructions(struct objtool_file *file)
{
	struct instruction *insn;

	if (file->ignore_unreachables)
		return 0;

	for_each_insn(file, insn) {
		if (insn->visited)
			continue;
		if (ignore_unreachable_insn(insn))
			continue;

		WARN_FUNC("unreachable instruction", insn->sec, insn->offset);
		return 1;
	}

	return 0;
}
2638 
/* The object file under analysis; set up by check() and passed to every pass. */
static struct objtool_file file;
2640 
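/*
 * check - run objtool's decode and validation passes over one object file
 * @_objname: path of the object file to check
 * @orc:      when true, also generate ORC unwind data and write it back into
 *            the object, which is therefore opened read/write
 *
 * The passes run in order (decode, then either the vmlinux-mode subset or
 * retpoline/function/hint validation, then the reachability check when
 * nothing else warned), accumulating warnings.
 *
 * Returns 1 if the object could not be opened, a negative value on a fatal
 * error from one of the passes (the object is corrupt or objtool itself is
 * broken, so the kernel build is failed), and 0 otherwise -- warnings alone
 * do not fail the build.
 */
int check(const char *_objname, bool orc)
{
	int ret, warnings = 0;

	objname = _objname;

	/* ORC generation rewrites the object in place. */
	file.elf = elf_open_read(objname, orc ? O_RDWR : O_RDONLY);
	if (!file.elf)
		return 1;

	INIT_LIST_HEAD(&file.insn_list);
	hash_init(file.insn_hash);
	/* c_file is set when a .comment section exists; see validate_branch(). */
	file.c_file = find_section_by_name(file.elf, ".comment");
	file.ignore_unreachables = no_unreachable;
	file.hints = false;

	arch_initial_func_cfi_state(&initial_func_cfi);

	ret = decode_sections(&file);
	if (ret < 0)
		goto out;
	warnings += ret;

	/* Nothing to validate. */
	if (list_empty(&file.insn_list))
		goto out;

	if (vmlinux && !validate_dup) {
		ret = validate_vmlinux_functions(&file);
		if (ret < 0)
			goto out;

		warnings += ret;
		goto out;
	}

	if (retpoline) {
		ret = validate_retpoline(&file);
		/* Take the same fatal-error exit as every other pass. */
		if (ret < 0)
			goto out;
		warnings += ret;
	}

	ret = validate_functions(&file);
	if (ret < 0)
		goto out;
	warnings += ret;

	ret = validate_unwind_hints(&file, NULL);
	if (ret < 0)
		goto out;
	warnings += ret;

	/* Reachability is only meaningful when the walks themselves were clean. */
	if (!warnings) {
		ret = validate_reachable_instructions(&file);
		if (ret < 0)
			goto out;
		warnings += ret;
	}

	if (orc) {
		ret = create_orc(&file);
		if (ret < 0)
			goto out;

		ret = create_orc_sections(&file);
		if (ret < 0)
			goto out;

		ret = elf_write(file.elf);
		if (ret < 0)
			goto out;
	}

out:
	if (ret < 0) {
		/*
		 *  Fatal error.  The binary is corrupt or otherwise broken in
		 *  some way, or objtool itself is broken.  Fail the kernel
		 *  build.
		 */
		return ret;
	}

	return 0;
}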
2726