Date: Sat, 14 May 2022 15:02:56 -0700
From: Kees Cook
To: Sami Tolvanen
Cc: linux-kernel@vger.kernel.org, Josh Poimboeuf, Peter Zijlstra, x86@kernel.org, Catalin Marinas, Will Deacon, Mark Rutland, Nathan Chancellor, Nick Desaulniers, Joao Moreira, Sedat Dilek, Steven Rostedt, linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev
Subject: Re: [RFC PATCH v2 20/21] x86: Add support for CONFIG_CFI_CLANG
Message-ID: <202205141501.92A22264B4@keescook>
References: <20220513202159.1550547-1-samitolvanen@google.com> <20220513202159.1550547-21-samitolvanen@google.com>
In-Reply-To: <20220513202159.1550547-21-samitolvanen@google.com>

On Fri, May 13, 2022 at 01:21:58PM -0700, Sami Tolvanen wrote:
> With CONFIG_CFI_CLANG, the compiler injects a type preamble
> immediately before each function and a check to validate the target
> function type before indirect calls:
>
>   ; type preamble
>   __cfi_function:
>     int3
>     int3
>     mov , %eax
>     int3
>     int3
>   function:
>     ...
>   ; indirect call check
>     cmpl    , -6(%r11)
>     je .Ltmp1
>     ud2
>   .Ltmp1:
>     call __x86_indirect_thunk_r11
>
> Define the __CFI_TYPE helper macro for manual type annotations in
> assembly code, add error handling for the CFI ud2 traps, and allow
> CONFIG_CFI_CLANG to be selected on x86_64.
>
> Signed-off-by: Sami Tolvanen
> ---
>  arch/x86/Kconfig               |  2 ++
>  arch/x86/include/asm/linkage.h | 12 +++++++
>  arch/x86/kernel/traps.c        | 60 +++++++++++++++++++++++++++++++++-
>  3 files changed, 73 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 4bed3abf444d..2e73d0792d48 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -108,6 +108,8 @@ config X86
> select ARCH_SUPPORTS_PAGE_TABLE_CHECK if X86_64
> select ARCH_SUPPORTS_NUMA_BALANCING if X86_64
> select ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP if NR_CPUS <= 4096
> + select ARCH_SUPPORTS_CFI_CLANG if X86_64
> + select ARCH_USES_CFI_TRAPS if X86_64 && CFI_CLANG
> select ARCH_SUPPORTS_LTO_CLANG
> select ARCH_SUPPORTS_LTO_CLANG_THIN
> select ARCH_USE_BUILTIN_BSWAP
> diff --git a/arch/x86/include/asm/linkage.h b/arch/x86/include/asm/linkage.h
> index 85865f1645bd..0ee4a0af3974 100644
> --- a/arch/x86/include/asm/linkage.h
> +++ b/arch/x86/include/asm/linkage.h
> @@ -25,6 +25,18 @@
> #define RET ret
> #endif
>
> +#ifdef CONFIG_CFI_CLANG
> +#define __CFI_TYPE(name) \
> + .fill 7, 1, 0xCC ASM_NL \
> + SYM_START(__cfi_##name, SYM_L_LOCAL, SYM_A_NONE) \
> + int3 ASM_NL \
> + int3 ASM_NL \
> + mov __kcfi_typeid_##name, %eax ASM_NL \
> + int3 ASM_NL \
> + int3 ASM_NL \
> + SYM_FUNC_END(__cfi_##name)
> +#endif
> +
> #else /* __ASSEMBLY__ */
>
> #ifdef CONFIG_SLS
> diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
> index 1563fb995005..320e257eb4be 100644
> --- a/arch/x86/kernel/traps.c
> +++ b/arch/x86/kernel/traps.c
> @@ -40,6 +40,7 @@
> #include
> #include
> #include
> +#include
>
> #include
> #include
> @@ -295,6 +296,62 @@ static inline void handle_invalid_op(struct pt_regs *regs)
> ILL_ILLOPN, error_get_trap_addr(regs));
> }
>
> +#ifdef CONFIG_CFI_CLANG
> +static void decode_cfi_insn(struct pt_regs *regs, unsigned long *target,
> + unsigned long *type)
> +{
> + char buffer[MAX_INSN_SIZE];
> + struct insn insn;
> + int offset;
> +
> + *target = *type = 0;

Should report_cfi_failure() have some additional hinting for the case
where target/type are zero? Like, "hey, got an inexplicable CFI failure
here, but preamble decode failed. Yikes!"

Reviewed-by: Kees Cook

-- 
Kees Cook
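Review bot: in the arch/x86/Kconfig hunk, `select ARCH_USES_CFI_TRAPS if X86_64 && CFI_CLANG` repeats the `X86_64` condition that the preceding `select ARCH_SUPPORTS_CFI_CLANG if X86_64` already imposes (assuming CFI_CLANG depends on ARCH_SUPPORTS_CFI_CLANG, as the generic option does); `if CFI_CLANG` says the same thing with one less condition to keep in sync. The hunk and the commit message also give no reason for restricting the feature to x86_64; a short note on why 32-bit is excluded would help whoever later tries to lift that restriction.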
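Review bot: in the arch/x86/include/asm/linkage.h hunk, `mov __kcfi_typeid_##name, %eax` has no `$`, so in AT&T syntax it is a load from the memory address `__kcfi_typeid_name` rather than the `mov $imm32, %eax` immediate form the commit message's preamble shows; the assembled instruction is then a different length, which the `.fill 7, 1, 0xCC` padding (7 + 9 = 16 bytes for the two-int3, five-byte mov, two-int3 preamble) does not account for. Unless the assembler is expected to treat this symbol specially, the line should read `mov $__kcfi_typeid_##name, %eax ASM_NL \`. Nothing aligns the `.fill` itself either, so the 16-byte total only puts `name` on a 16-byte boundary if the macro is invoked at one; a `.balign` in the macro, or a comment stating that requirement, would make the intent explicit.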
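Review bot: in the arch/x86/kernel/traps.c hunk adding decode_cfi_insn(), the function is `static void` and reports a failed decode only through the `*target = *type = 0;` initialisation, so a caller cannot tell "the bytes at the trap address did not decode as the expected check sequence" apart from a decoded type id of 0 or a NULL target. Returning bool (false when decoding fails) and having the reporting path print an explicit "decode failed" in that case would make the failure unambiguous, which is also what the question in this reply about hinting for a zero target/type amounts to.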
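The preamble-and-check scheme quoted in the commit message above, as an added user-space model that is not code from the patch or from the kernel: it emits the nine-byte preamble `int3 int3; mov $type, %eax; int3 int3` in front of a fake function, encodes the caller-side `cmpl $type, -6(%reg)`, and shows how a trap handler could recover the expected type and the target register from the bytes at the trap site, reporting an undecodable site as such rather than as a zero type. The helper names (`emit_cfi_preamble`, `emit_cfi_check`, `decode_cfi_check`, `cfi_dispatch`, `cfi_demo`), the sample type ids and the 16-entry register array are assumptions made for the demo; the kernel decodes with its general x86 instruction decoder, which this model does not attempt to reproduce.

```c
/* Added user-space model of the x86 KCFI layout quoted in the commit message
 * (not the patch's or the kernel's code). Helper names, the sample type ids
 * and the 16-entry "register file" are assumptions made for this demo. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define CFI_PREAMBLE_LEN 9	/* int3 int3 ; mov $imm32,%eax ; int3 int3 */
#define CFI_TYPE_OFFSET  6	/* so the imm32 sits at function - 6 */

/* Callee side: write the type preamble, return the offset of function:. */
static size_t emit_cfi_preamble(uint8_t *buf, uint32_t type)
{
	buf[0] = 0xCC; buf[1] = 0xCC;		/* int3 int3 */
	buf[2] = 0xB8;				/* mov $imm32, %eax */
	memcpy(&buf[3], &type, 4);		/* imm32, little-endian */
	buf[7] = 0xCC; buf[8] = 0xCC;		/* int3 int3 */
	return CFI_PREAMBLE_LEN;
}

/* Caller side: encode `cmpl $type, -6(%reg)` for reg 0..15 (r11 == 11). */
static size_t emit_cfi_check(uint8_t *buf, uint32_t type, unsigned reg)
{
	size_t n = 0;

	if (reg >= 8)
		buf[n++] = 0x41;		/* REX.B: base is r8..r15 */
	buf[n++] = 0x81;			/* group 1 with imm32; /7 = cmp */
	buf[n++] = 0x40 | (7 << 3) | (reg & 7);	/* mod=01 (disp8), /7, rm */
	if ((reg & 7) == 4)
		buf[n++] = 0x24;		/* rsp/r12 as base needs a SIB */
	buf[n++] = (uint8_t)-CFI_TYPE_OFFSET;	/* disp8 = -6 */
	memcpy(&buf[n], &type, 4);
	return n + 4;
}

/* Trap-handler side: parse the check in front of the ud2. Accepts only the
 * exact `cmpl $imm32, -6(%reg)` shape and reports failure explicitly rather
 * than handing back a zero type and register. */
static bool decode_cfi_check(const uint8_t *p, size_t len,
			     uint32_t *type, unsigned *reg)
{
	size_t i = 0;
	unsigned rex_b = 0, rm;

	if (len < 7)				/* shortest form: 81 /7 disp8 imm32 */
		return false;
	if ((p[i] & 0xF8) == 0x40)		/* optional REX with W clear */
		rex_b = p[i++] & 1;
	if (p[i++] != 0x81 || (p[i] & 0xF8) != 0x78)	/* 81 /7, mod=01 */
		return false;
	rm = p[i++] & 7;			/* base register, low 3 bits */
	if (rm == 4 && p[i++] != 0x24)		/* SIB for an rsp/r12 base */
		return false;
	if ((int8_t)p[i++] != -CFI_TYPE_OFFSET || i + 4 > len)
		return false;
	memcpy(type, &p[i], 4);
	*reg = rm | (rex_b << 3);
	return true;
}

/* Call-site model: 1 = call proceeds, 0 = ud2 would trap, -1 = undecodable. */
static int cfi_dispatch(const uint8_t *site, size_t len,
			const uint8_t *const regs[16])
{
	uint32_t want, have;
	unsigned reg;

	if (!decode_cfi_check(site, len, &want, &reg) || !regs[reg])
		return -1;
	memcpy(&have, regs[reg] - CFI_TYPE_OFFSET, 4);	/* what the cmpl reads */
	return have == want;
}

/* End-to-end demo; returns 1 when every scenario behaves as expected. */
static int cfi_demo(void)
{
	static uint8_t good_img[16], bad_img[16], site[16];
	const uint8_t *regs[16] = { 0 };
	const uint8_t *good = good_img + emit_cfi_preamble(good_img, 0x12345678u);
	const uint8_t *bad = bad_img + emit_cfi_preamble(bad_img, 0x0BADF00Du);
	size_t n = emit_cfi_check(site, 0x12345678u, 11);	/* cmpl $.., -6(%r11) */

	if (n != 8 || memcmp(site, "\x41\x81\x7b\xfa\x78\x56\x34\x12", 8))
		return 0;				/* bytes of cmpl $.., -6(%r11) */
	regs[11] = good;				/* matching preamble: proceeds */
	if (cfi_dispatch(site, n, regs) != 1)
		return 0;
	regs[11] = bad;					/* wrong type id: ud2 trap */
	if (cfi_dispatch(site, n, regs) != 0)
		return 0;
	/* ud2 followed by zeros is not a check: report it, do not fake a type */
	return cfi_dispatch((const uint8_t[8]){ 0x0F, 0x0B }, 8, regs) == -1;
}

int main(void)
{
	return cfi_demo() ? 0 : 1;	/* exit status 0 means all scenarios passed */
}
```

Build with any C99 compiler and run it; the exit status is 0 when the matching target passes, the mismatched target would reach the `ud2`, and undecodable bytes come back as "not a check" instead of a zero type. The decoder recognises exactly one instruction shape on purpose, so it stays small enough to reason about; the point it makes about the patch is that a decoder should return whether it succeeded rather than leave zeros behind.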