All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH v2 0/2] Enable -Wincompatible-function-pointer-types-strict under W=1
@ 2023-12-06 16:49 Nathan Chancellor
  2023-12-06 16:49 ` [PATCH v2 1/2] um: net: Fix return type of uml_net_start_xmit() Nathan Chancellor
  2023-12-06 16:49 ` [PATCH v2 2/2] kbuild: Enable -Wincompatible-function-pointer-types-strict in W=1 Nathan Chancellor
  0 siblings, 2 replies; 5+ messages in thread
From: Nathan Chancellor @ 2023-12-06 16:49 UTC (permalink / raw)
  To: masahiroy
  Cc: ndesaulniers, morbo, justinstitt, keescook, samitolvanen,
	nicolas, linux-kbuild, llvm, patches, kernel test robot,
	Anton Ivanov, Nathan Chancellor, richard, johannes, linux-um

-Wincompatible-function-pointer-types-strict is a warning in clang-16
and newer that is designed to catch potential kCFI failures at runtime.
There is one set of warnings in drivers/counter that I have not been
able to figure out a solution for so this cannot be enabled for a
default build but adding the warning under W=1 will allow various CI
systems to catch and report new instances so it will be easier to
enable in a default build in the future.

The kbuild test robot reported one instance in arch/um, which is cleared
up by the first patch and has an ack from an arch/um maintainer, so this
should be able to go in via the kbuild tree.

---
Changes in v2:
- Rebase on latest kbuild tree.
- Pick up Nick's reviewed-by tag.
- Include arch/um patch with Anton's ack to clear up warning reported by
  kbuild test robot on v1.
- Link to v1: https://lore.kernel.org/r/20231002-enable-wincompatible-function-pointer-types-strict-w-1-v1-1-808ab955d42d@kernel.org

---
Nathan Chancellor (2):
      um: net: Fix return type of uml_net_start_xmit()
      kbuild: Enable -Wincompatible-function-pointer-types-strict in W=1

 arch/um/drivers/net_kern.c | 2 +-
 scripts/Makefile.extrawarn | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
---
base-commit: 4b391dcb7cda8d1353d3bd123d0989550d48c0c9
change-id: 20231002-enable-wincompatible-function-pointer-types-strict-w-1-4a56b99b8c6f

Best regards,
-- 
Nathan Chancellor <nathan@kernel.org>


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v2 1/2] um: net: Fix return type of uml_net_start_xmit()
  2023-12-06 16:49 [PATCH v2 0/2] Enable -Wincompatible-function-pointer-types-strict under W=1 Nathan Chancellor
@ 2023-12-06 16:49 ` Nathan Chancellor
  2023-12-06 20:30   ` Kees Cook
  2023-12-06 16:49 ` [PATCH v2 2/2] kbuild: Enable -Wincompatible-function-pointer-types-strict in W=1 Nathan Chancellor
  1 sibling, 1 reply; 5+ messages in thread
From: Nathan Chancellor @ 2023-12-06 16:49 UTC (permalink / raw)
  To: masahiroy
  Cc: ndesaulniers, morbo, justinstitt, keescook, samitolvanen,
	nicolas, linux-kbuild, llvm, patches, kernel test robot,
	Anton Ivanov, Nathan Chancellor, richard, johannes, linux-um

With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
warning in clang aims to catch these at compile time, which reveals:

  arch/um/drivers/net_kern.c:353:21: warning: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Wincompatible-function-pointer-types-strict]
    353 |         .ndo_start_xmit         = uml_net_start_xmit,
        |                                   ^~~~~~~~~~~~~~~~~~
  1 warning generated.

->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of uml_net_start_xmit()
to match the prototype's to resolve the warning. While UML does not
currently implement support for kCFI, it could in the future, which
means this warning becomes a fatal CFI failure at run time.

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202310031340.v1vPh207-lkp@intel.com/
Acked-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
---
Cc: richard@nod.at
Cc: johannes@sipsolutions.net
Cc: linux-um@lists.infradead.org
---
 arch/um/drivers/net_kern.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/um/drivers/net_kern.c b/arch/um/drivers/net_kern.c
index 3d7836c46507..cabcc501b448 100644
--- a/arch/um/drivers/net_kern.c
+++ b/arch/um/drivers/net_kern.c
@@ -204,7 +204,7 @@ static int uml_net_close(struct net_device *dev)
 	return 0;
 }
 
-static int uml_net_start_xmit(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t uml_net_start_xmit(struct sk_buff *skb, struct net_device *dev)
 {
 	struct uml_net_private *lp = netdev_priv(dev);
 	unsigned long flags;

-- 
2.43.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH v2 2/2] kbuild: Enable -Wincompatible-function-pointer-types-strict in W=1
  2023-12-06 16:49 [PATCH v2 0/2] Enable -Wincompatible-function-pointer-types-strict under W=1 Nathan Chancellor
  2023-12-06 16:49 ` [PATCH v2 1/2] um: net: Fix return type of uml_net_start_xmit() Nathan Chancellor
@ 2023-12-06 16:49 ` Nathan Chancellor
  2023-12-06 20:31   ` Kees Cook
  1 sibling, 1 reply; 5+ messages in thread
From: Nathan Chancellor @ 2023-12-06 16:49 UTC (permalink / raw)
  To: masahiroy
  Cc: ndesaulniers, morbo, justinstitt, keescook, samitolvanen,
	nicolas, linux-kbuild, llvm, patches, Nathan Chancellor

-Wincompatible-function-pointer-types-strict aims to catch clang kernel
Control Flow Integrity (kCFI) violations at build time (rather than run
time) by validating function pointer assignments against the expected
prototype, similar to the existing -Wincompatible-function-pointer-types
that is considered a hard error in the kernel. The -strict variant
requires the types to match exactly, as opposed to just matching in
terms of ABI compatibility. This is primarily visible with int/unsigned
int in lieu of enum types or vice versa.

The tree is not completely clean, so this warning cannot currently be
enabled unconditionally. However, there are only warnings in one
subsystem ('drivers/counter'), so it is really close. In order to
benefit from CI infrastructure that tests with W=1, enable this warning
at that level, so that new instances have a chance of being caught and
fixed during development.

This should eventually be a hard error in a similar manner as
Wincompatible-function-pointer-types but some subsystems test
with W=1 + CONFIG_WERROR=n, so it would be rude to break their builds
when they do not care about warnings outside of their subsystem.

Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
---
 scripts/Makefile.extrawarn | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/Makefile.extrawarn b/scripts/Makefile.extrawarn
index 3f94915fab37..1452dd874a07 100644
--- a/scripts/Makefile.extrawarn
+++ b/scripts/Makefile.extrawarn
@@ -99,6 +99,7 @@ KBUILD_CFLAGS += $(call cc-option, -Wformat-overflow)
 KBUILD_CFLAGS += $(call cc-option, -Wformat-truncation)
 KBUILD_CFLAGS += $(call cc-option, -Wstringop-overflow)
 KBUILD_CFLAGS += $(call cc-option, -Wstringop-truncation)
+KBUILD_CFLAGS += $(call cc-option, -Wincompatible-function-pointer-types-strict)
 
 KBUILD_CPPFLAGS += -Wundef
 KBUILD_CPPFLAGS += -DKBUILD_EXTRA_WARN1

-- 
2.43.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH v2 1/2] um: net: Fix return type of uml_net_start_xmit()
  2023-12-06 16:49 ` [PATCH v2 1/2] um: net: Fix return type of uml_net_start_xmit() Nathan Chancellor
@ 2023-12-06 20:30   ` Kees Cook
  0 siblings, 0 replies; 5+ messages in thread
From: Kees Cook @ 2023-12-06 20:30 UTC (permalink / raw)
  To: Nathan Chancellor
  Cc: masahiroy, ndesaulniers, morbo, justinstitt, samitolvanen,
	nicolas, linux-kbuild, llvm, patches, kernel test robot,
	Anton Ivanov, richard, johannes, linux-um

On Wed, Dec 06, 2023 at 09:49:46AM -0700, Nathan Chancellor wrote:
> With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
> indirect call targets are validated against the expected function
> pointer prototype to make sure the call target is valid to help mitigate
> ROP attacks. If they are not identical, there is a failure at run time,
> which manifests as either a kernel panic or thread getting killed. A
> warning in clang aims to catch these at compile time, which reveals:
> 
>   arch/um/drivers/net_kern.c:353:21: warning: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Wincompatible-function-pointer-types-strict]
>     353 |         .ndo_start_xmit         = uml_net_start_xmit,
>         |                                   ^~~~~~~~~~~~~~~~~~
>   1 warning generated.
> 
> ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
> 'netdev_tx_t', not 'int'. Adjust the return type of uml_net_start_xmit()
> to match the prototype's to resolve the warning. While UML does not
> currently implement support for kCFI, it could in the future, which
> means this warning becomes a fatal CFI failure at run time.
> 
> Reported-by: kernel test robot <lkp@intel.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202310031340.v1vPh207-lkp@intel.com/
> Acked-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
> Signed-off-by: Nathan Chancellor <nathan@kernel.org>

Yes please. :)

Reviewed-by: Kees Cook <keescook@chromium.org>

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2 2/2] kbuild: Enable -Wincompatible-function-pointer-types-strict in W=1
  2023-12-06 16:49 ` [PATCH v2 2/2] kbuild: Enable -Wincompatible-function-pointer-types-strict in W=1 Nathan Chancellor
@ 2023-12-06 20:31   ` Kees Cook
  0 siblings, 0 replies; 5+ messages in thread
From: Kees Cook @ 2023-12-06 20:31 UTC (permalink / raw)
  To: Nathan Chancellor
  Cc: masahiroy, ndesaulniers, morbo, justinstitt, samitolvanen,
	nicolas, linux-kbuild, llvm, patches

On Wed, Dec 06, 2023 at 09:49:47AM -0700, Nathan Chancellor wrote:
> -Wincompatible-function-pointer-types-strict aims to catch clang kernel
> Control Flow Integrity (kCFI) violations at build time (rather than run
> time) by validating function pointer assignments against the expected
> prototype, similar to the existing -Wincompatible-function-pointer-types
> that is considered a hard error in the kernel. The -strict variant
> requires the types to match exactly, as opposed to just matching in
> terms of ABI compatibility. This is primarily visible with int/unsigned
> int in lieu of enum types or vice versa.
> 
> The tree is not completely clean, so this warning cannot currently be
> enabled unconditionally. However, there are only warnings in one
> subsystem ('drivers/counter'), so it is really close. In order to
> benefit from CI infrastructure that tests with W=1, enable this warning
> at that level, so that new instances have a chance of being caught and
> fixed during development.
> 
> This should eventually be a hard error in a similar manner as
> Wincompatible-function-pointer-types but some subsystems test
> with W=1 + CONFIG_WERROR=n, so it would be rude to break their builds
> when they do not care about warnings outside of their subsystem.
> 
> Link: https://github.com/ClangBuiltLinux/linux/issues/1750
> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
> Signed-off-by: Nathan Chancellor <nathan@kernel.org>

Keeping these from leaking in is always good. Thanks!

Reviewed-by: Kees Cook <keescook@chromium.org>

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2023-12-06 20:31 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-12-06 16:49 [PATCH v2 0/2] Enable -Wincompatible-function-pointer-types-strict under W=1 Nathan Chancellor
2023-12-06 16:49 ` [PATCH v2 1/2] um: net: Fix return type of uml_net_start_xmit() Nathan Chancellor
2023-12-06 20:30   ` Kees Cook
2023-12-06 16:49 ` [PATCH v2 2/2] kbuild: Enable -Wincompatible-function-pointer-types-strict in W=1 Nathan Chancellor
2023-12-06 20:31   ` Kees Cook

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.