From: Sami Tolvanen <samitolvanen@google.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: X86 ML <x86@kernel.org>, Kees Cook <keescook@chromium.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Sedat Dilek <sedat.dilek@gmail.com>,
linux-hardening@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
clang-built-linux <clang-built-linux@googlegroups.com>
Subject: Re: [PATCH v2 08/14] x86/extable: Do not mark exception callback as CFI
Date: Mon, 30 Aug 2021 12:57:43 -0700 [thread overview]
Message-ID: <CABCJKufsdcfdSQ4JMx1dw1HXgqk4rtqGRoHMUdK6r5cxzrEg3Q@mail.gmail.com> (raw)
In-Reply-To: <e33bdfc8-6de9-0e91-eec6-39e6aca61758@kernel.org>
On Thu, Aug 26, 2021 at 9:56 AM Andy Lutomirski <luto@kernel.org> wrote:
>
> On 8/23/21 10:13 AM, Sami Tolvanen wrote:
> > From: Kees Cook <keescook@chromium.org>
> >
> > The exception table entries are constructed out of a relative offset
> > and point to the actual function, not the CFI table entry. For now,
> > just mark the caller as not checking CFI
>
> Does this *mark* the caller as not checking CFI or does it actually make
> the caller stop checking CFI? What are the semantics of a __nocfi function?
__nocfi disables CFI checking in the function, so in this case,
fixup_exception can make an indirect call anywhere.
> > The failure is most visible
> > at boot with CONFIG_DEBUG_RODATA_TEST=y.
>
> What's the failure?
>
> >
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
> > ---
> > arch/x86/mm/extable.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
> > index e1664e9f969c..d150d4d12d53 100644
> > --- a/arch/x86/mm/extable.c
> > +++ b/arch/x86/mm/extable.c
> > @@ -155,6 +155,7 @@ enum handler_type ex_get_fault_handler_type(unsigned long ip)
> > return EX_HANDLER_OTHER;
> > }
> >
> > +__nocfi
> > int fixup_exception(struct pt_regs *regs, int trapnr, unsigned long error_code,
> > unsigned long fault_addr)
> > {
> >
>
>
> This at least needs a comment explaining what's going on. But maybe it
> could be fixed better by either having the extable entry resolve to the
> magic CFI table entry (can this be done?) or by marking the actual
> indirect call or the type of the variable through which the call is done
> as being a non-CFI call.
We can avoid the __nocfi here by marking the handlers __cficanonical.
This attribute tells the compiler to rename the function and point the
original name to the CFI jump table, which allows addresses taken in
assembly code to also pass CFI checking. I'll change this in v3.
Sami
next prev parent reply other threads:[~2021-08-30 19:57 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-23 17:13 [PATCH v2 00/14] x86: Add support for Clang CFI Sami Tolvanen
2021-08-23 17:13 ` [PATCH v2 01/14] objtool: Add CONFIG_CFI_CLANG support Sami Tolvanen
2021-08-23 17:13 ` [PATCH v2 02/14] objtool: Add ASM_STACK_FRAME_NON_STANDARD Sami Tolvanen
2021-08-23 17:13 ` [PATCH v2 03/14] linkage: Add DECLARE_ASM_FUNC_SYMBOL Sami Tolvanen
2021-08-23 17:13 ` [PATCH v2 04/14] ftrace: Use an opaque type for functions not callable from C Sami Tolvanen
2021-08-23 17:13 ` [PATCH v2 05/14] lkdtm: Disable UNSET_SMEP with CFI Sami Tolvanen
2021-08-23 17:13 ` [PATCH v2 06/14] lkdtm: Use an opaque type for lkdtm_rodata_do_nothing Sami Tolvanen
2021-08-23 17:13 ` [PATCH v2 07/14] x86: Use an opaque type for functions not callable from C Sami Tolvanen
2021-08-26 16:54 ` Andy Lutomirski
2021-08-26 22:11 ` Sami Tolvanen
2021-08-26 23:23 ` Andy Lutomirski
2021-08-26 23:45 ` Sami Tolvanen
2021-08-23 17:13 ` [PATCH v2 08/14] x86/extable: Do not mark exception callback as CFI Sami Tolvanen
2021-08-26 16:56 ` Andy Lutomirski
2021-08-30 19:57 ` Sami Tolvanen [this message]
2021-08-23 17:13 ` [PATCH v2 09/14] x86/purgatory: Disable CFI Sami Tolvanen
2021-08-23 17:13 ` [PATCH v2 10/14] x86, relocs: Ignore __typeid__ relocations Sami Tolvanen
2021-08-23 17:13 ` [PATCH v2 11/14] x86, module: " Sami Tolvanen
2021-08-23 17:13 ` [PATCH v2 12/14] x86, cpu: Use LTO for cpu.c with CFI Sami Tolvanen
2021-08-23 17:13 ` [PATCH v2 13/14] x86, kprobes: Fix optprobe_template_func type mismatch Sami Tolvanen
2021-08-23 17:13 ` [PATCH v2 14/14] x86, build: Allow CONFIG_CFI_CLANG to be selected Sami Tolvanen
2021-08-23 17:16 ` [PATCH v2 00/14] x86: Add support for Clang CFI Tom Stellard
2021-08-23 17:20 ` Sami Tolvanen
2021-08-24 17:26 ` Tom Stellard
2021-08-24 17:30 ` Sami Tolvanen
2021-08-24 19:46 ` Peter Zijlstra
2021-08-25 15:49 ` Sami Tolvanen
2021-08-26 11:43 ` Peter Zijlstra
2021-08-26 21:52 ` Sami Tolvanen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABCJKufsdcfdSQ4JMx1dw1HXgqk4rtqGRoHMUdK6r5cxzrEg3Q@mail.gmail.com \
--to=samitolvanen@google.com \
--cc=clang-built-linux@googlegroups.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=peterz@infradead.org \
--cc=sedat.dilek@gmail.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).