From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from casper.infradead.org (casper.infradead.org [90.155.50.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F168568 for ; Tue, 2 Nov 2021 18:20:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=K0rz7LT+kgomD5KRNtzJy6G/J+BhWbgnVLi0ic650I0=; b=dJ9VibV9ZrIwDjTaMbTXmZwZJX bQdjfemLebGdpEQOacA+0IGSYwxaZ2EEsxlDJoBA/7WGVPPvXM28251CmPRdMYAXDntAQNHhHO0qV v/AZ3mS1k2WDG6fuSg4lrISg4c/IUw87Hr9DHet8l6dnXtycetIdmRuQ3dbe7aG2MIJsAKg8Ln/wf Du1BBQbjLlOkUWucCwT04KkXyBGzzx/FlqeOdprJT4oNWi1klCNgmOcCmpXjuv6DpERZKM5fcoUJt 3oWDqrb1qRK9nZQLnZGbk05TaWcsdWVfoTW1vBCysM9Zo3gH79uPwio2TEtFo2kUGosnxE9/JPTiS k3is7y+Q==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=noisy.programming.kicks-ass.net) by casper.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1mhyKF-004g3M-IV; Tue, 02 Nov 2021 18:16:10 +0000 Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (Client did not present a certificate) by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id C7A2630022C; Tue, 2 Nov 2021 19:15:58 +0100 (CET) Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id B704E2D53269D; Tue, 2 Nov 2021 19:15:58 +0100 (CET) Date: Tue, 2 Nov 2021 19:15:58 +0100 From: Peter Zijlstra To: Kees Cook Cc: Sami Tolvanen , Ard Biesheuvel , Mark Rutland , X86 ML , Josh Poimboeuf , Nathan Chancellor , Nick Desaulniers , Sedat Dilek , Steven Rostedt , linux-hardening@vger.kernel.org, Linux Kernel Mailing List , llvm@lists.linux.dev, joao@overdrivepizza.com Subject: Re: [PATCH] static_call,x86: Robustify trampoline patching Message-ID: References: <20211027124852.GK174703@worktop.programming.kicks-ass.net> <20211029200324.GR174703@worktop.programming.kicks-ass.net> <20211030074758.GT174703@worktop.programming.kicks-ass.net> <20211030081631.GF174730@worktop.programming.kicks-ass.net> <202111021029.79D81E590@keescook> Precedence: bulk X-Mailing-List: llvm@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <202111021029.79D81E590@keescook> On Tue, Nov 02, 2021 at 10:35:30AM -0700, Kees Cook wrote: > On Sat, Oct 30, 2021 at 10:16:31AM +0200, Peter Zijlstra wrote: > > foo.cfi: > > endbr > > xorl $0xdeadbeef, %r10d > > jz foo > > ud2 > > nop # make it an even 16 bytes > > foo: > > # actual function text > > > > > > Then have the address of foo, be the address of foo, like any normal > > sane person would expect. Have direct calls to foo, go to foo, again, as > > expected. > > > > When doing an indirect call (to r11, as clang does), then, and only > > then, do: > > > > movl $0xdeadbeef, %r10d > > subq $0x10, %r11 > > call *%r11 > > > > # if the r11 lives, add: > > addq $0x10, %r11 > > > > > > Then only when caller and callee agree 0xdeadbeef is the password, does > > the indirect call go through. > > > > Why isn't this a suitable CFI scheme even without IBT? > > The trouble is that the callee is doing the verification. There's no > protection against calling into a callee that doesn't perform a check > (e.g. BPF JIT, or otherwise constructed executable memory, etc). The > caller needs to do the verification that what they're calling into is > safe before it makes the call. Right, Ard said the same, see new crackpot scheme here: https://lkml.kernel.org/r/YYE1yPClPMHvyvIt@hirez.programming.kicks-ass.net