* [PATCH 0/1] Fix CFI hash randomization with KASAN
From: Sami Tolvanen @ 2023-01-12 22:49 UTC
  To: Peter Zijlstra (Intel), Masahiro Yamada
  Cc: Nathan Chancellor, Nick Desaulniers, Kees Cook, linux-kbuild,
	llvm, linux-kernel, Sami Tolvanen

Peter, Masahiro,

I noticed that KASAN+CFI fails to boot on x86_64 without
cfi=norand. The randomization code is missing a couple of KASAN
constructors in object files that are not part of vmlinux.o. This
happens because we don't run objtool for the files, which means
the type hashes are not included in the .cfi_sites section.

This patch simply disables KASAN for these files, which seems
reasonable to me and fixes the boot issue, but perhaps you have
better ideas?

Sami


Sami Tolvanen (1):
  kbuild: Fix CFI hash randomization with KASAN

 init/Makefile            | 1 +
 scripts/Makefile.vmlinux | 1 +
 2 files changed, 2 insertions(+)


base-commit: c757fc92a3f73734872c7793b97f06434773d65d
-- 
2.39.0.314.g84b9a713c41-goog



* [PATCH 1/1] kbuild: Fix CFI hash randomization with KASAN
From: Sami Tolvanen @ 2023-01-12 22:49 UTC
  To: Peter Zijlstra (Intel), Masahiro Yamada
  Cc: Nathan Chancellor, Nick Desaulniers, Kees Cook, linux-kbuild,
	llvm, linux-kernel, Sami Tolvanen

Clang emits an asan.module_ctor constructor to each object file
when KASAN is enabled, and these functions are indirectly called
in do_ctors. With CONFIG_CFI_CLANG, the compiler also emits a CFI
type hash before each address-taken global function so they can
pass indirect call checks.

However, in commit 0c3e806ec0f9 ("x86/cfi: Add boot time hash
randomization"), x86 implemented boot time hash randomization,
which relies on the .cfi_sites section generated by objtool. As
objtool is run against vmlinux.o instead of individual object
files with X86_KERNEL_IBT (enabled by default), CFI types in
object files that are not part of vmlinux.o end up not being
included in .cfi_sites, and thus won't get randomized and trip
CFI when called.

Only .vmlinux.export.o and init/version-timestamp.o are linked
into vmlinux separately from vmlinux.o. As these files don't
contain any functions, disable KASAN for both of them to avoid
breaking hash randomization.

Link: https://github.com/ClangBuiltLinux/linux/issues/1742
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
 init/Makefile            | 1 +
 scripts/Makefile.vmlinux | 1 +
 2 files changed, 2 insertions(+)

diff --git a/init/Makefile b/init/Makefile
index 8316c23bead2..26de459006c4 100644
--- a/init/Makefile
+++ b/init/Makefile
@@ -59,3 +59,4 @@ include/generated/utsversion.h: FORCE
 
 $(obj)/version-timestamp.o: include/generated/utsversion.h
 CFLAGS_version-timestamp.o := -include include/generated/utsversion.h
+KASAN_SANITIZE_version-timestamp.o := n
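Review bot: the new `KASAN_SANITIZE_version-timestamp.o := n` line has no comment, and the reason for it (objtool never processes this object, so the CFI hash of its asan.module_ctor is absent from .cfi_sites and is left unrandomized) lives only in the commit message; a one-line Makefile comment beside it would stop someone from re-enabling KASAN here when the file is next touched. That comment should also state the assumption the commit message relies on, namely that version-timestamp.o contains only data and no functions, since the moment a function is added here the same boot failure comes back in a different form.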
diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux
index 49946cb96844..10176dec97ea 100644
--- a/scripts/Makefile.vmlinux
+++ b/scripts/Makefile.vmlinux
@@ -18,6 +18,7 @@ quiet_cmd_cc_o_c = CC      $@
 	$(call if_changed_dep,cc_o_c)
 
 ifdef CONFIG_MODULES
+KASAN_SANITIZE_.vmlinux.export.o := n
 targets += .vmlinux.export.o
 vmlinux: .vmlinux.export.o
 endif
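Review bot: same missing-comment point for `KASAN_SANITIZE_.vmlinux.export.o := n`, and one thing to confirm in the commit message or a comment: scripts/Makefile.vmlinux compiles this object through its own `cmd_cc_o_c` rule (the `quiet_cmd_cc_o_c = CC      $@` context at the top of the hunk) rather than a regular directory Makefile, so it should be stated that the flags used by that rule honour per-object `KASAN_SANITIZE_<obj>`; if they did not, the line would be a silent no-op and the boot failure would remain. Placing it inside `ifdef CONFIG_MODULES` matches where `.vmlinux.export.o` is built, so that part looks right.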
-- 
2.39.0.314.g84b9a713c41-goog
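To make the failure mode in the commit message concrete, the following is a constructed toy model in C, added here and not code from the kernel or from this patch: type hashes in function preambles, a seeded boot-time pass that rewrites only the preambles objtool recorded in .cfi_sites, and the indirect-call check that do_ctors would trip. The struct and function names, the seed value and the 0x3a7f1c22 hash are assumptions made up for the model.

```c
/* Constructed toy model of x86 kCFI hash randomization; not kernel code. */
#include <stddef.h>
#include <stdint.h>

struct cfi_func {
    const char *name;
    uint32_t hash;     /* type hash in the function's __cfi_ preamble */
    int in_cfi_sites;  /* 1 if objtool recorded this preamble in .cfi_sites */
};

struct cfi_callsite {
    uint32_t expected; /* hash of the prototype the indirect call expects */
};

/* Boot-time randomization: add the seed to every preamble listed in
 * .cfi_sites and to every call site. Preambles objtool never saw are
 * left untouched, which is exactly the mismatch the patch works around. */
void cfi_randomize(struct cfi_func *funcs, size_t nfuncs,
                   struct cfi_callsite *site, uint32_t seed)
{
    for (size_t i = 0; i < nfuncs; i++)
        if (funcs[i].in_cfi_sites)
            funcs[i].hash += seed;
    site->expected += seed;
}

/* Indirect-call check: 0 when the hashes agree, -1 when CFI would trap. */
int cfi_check(const struct cfi_callsite *site, const struct cfi_func *fn)
{
    return site->expected == fn->hash ? 0 : -1;
}

/* Model do_ctors() calling each asan.module_ctor. ctor_recorded says whether
 * the constructor in the object outside vmlinux.o made it into .cfi_sites;
 * seed == 0 corresponds to booting with cfi=norand. Returns the trap count. */
int simulate_boot(uint32_t seed, int ctor_recorded)
{
    const uint32_t ctor_type = 0x3a7f1c22u; /* made-up hash of void (*)(void) */
    struct cfi_func funcs[2] = {
        { "asan.module_ctor in vmlinux.o",           ctor_type, 1 },
        { "asan.module_ctor in version-timestamp.o", ctor_type, ctor_recorded },
    };
    struct cfi_callsite do_ctors = { ctor_type };
    int traps = 0;
    cfi_randomize(funcs, 2, &do_ctors, seed);
    for (size_t i = 0; i < 2; i++)
        if (cfi_check(&do_ctors, &funcs[i]) != 0)
            traps++;
    return traps;
}
```

With a non-zero seed and the out-of-tree constructor missing from .cfi_sites the model traps once; with seed 0 (cfi=norand) or with the constructor recorded, or absent entirely because KASAN is off for that file, it boots cleanly.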



* Re: [PATCH 1/1] kbuild: Fix CFI hash randomization with KASAN
From: Kees Cook @ 2023-01-12 22:52 UTC
  To: Sami Tolvanen
  Cc: Peter Zijlstra (Intel),
	Masahiro Yamada, Nathan Chancellor, Nick Desaulniers,
	linux-kbuild, llvm, linux-kernel

On Thu, Jan 12, 2023 at 10:49:48PM +0000, Sami Tolvanen wrote:
> Clang emits an asan.module_ctor constructor to each object file
> when KASAN is enabled, and these functions are indirectly called
> in do_ctors. With CONFIG_CFI_CLANG, the compiler also emits a CFI
> type hash before each address-taken global function so they can
> pass indirect call checks.
> 
> However, in commit 0c3e806ec0f9 ("x86/cfi: Add boot time hash
> randomization"), x86 implemented boot time hash randomization,
> which relies on the .cfi_sites section generated by objtool. As
> objtool is run against vmlinux.o instead of individual object
> files with X86_KERNEL_IBT (enabled by default), CFI types in
> object files that are not part of vmlinux.o end up not being
> included in .cfi_sites, and thus won't get randomized and trip
> CFI when called.
> 
> Only .vmlinux.export.o and init/version-timestamp.o are linked
> into vmlinux separately from vmlinux.o. As these files don't
> contain any functions, disable KASAN for both of them to avoid
> breaking hash randomization.
> 
> Link: https://github.com/ClangBuiltLinux/linux/issues/1742
> Signed-off-by: Sami Tolvanen <samitolvanen@google.com>

Reviewed-by: Kees Cook <keescook@chromium.org>

-- 
Kees Cook


* Re: [PATCH 1/1] kbuild: Fix CFI hash randomization with KASAN
From: Peter Zijlstra @ 2023-01-13  9:27 UTC
  To: Sami Tolvanen
  Cc: Masahiro Yamada, Nathan Chancellor, Nick Desaulniers, Kees Cook,
	linux-kbuild, llvm, linux-kernel

On Thu, Jan 12, 2023 at 10:49:48PM +0000, Sami Tolvanen wrote:
> Clang emits an asan.module_ctor constructor to each object file
> when KASAN is enabled, and these functions are indirectly called
> in do_ctors. With CONFIG_CFI_CLANG, the compiler also emits a CFI
> type hash before each address-taken global function so they can
> pass indirect call checks.
> 
> However, in commit 0c3e806ec0f9 ("x86/cfi: Add boot time hash
> randomization"), x86 implemented boot time hash randomization,
> which relies on the .cfi_sites section generated by objtool. As
> objtool is run against vmlinux.o instead of individual object
> files with X86_KERNEL_IBT (enabled by default), CFI types in
> object files that are not part of vmlinux.o end up not being
> included in .cfi_sites, and thus won't get randomized and trip
> CFI when called.
> 
> Only .vmlinux.export.o and init/version-timestamp.o are linked
> into vmlinux separately from vmlinux.o. As these files don't
> contain any functions, disable KASAN for both of them to avoid
> breaking hash randomization.
> 
> Link: https://github.com/ClangBuiltLinux/linux/issues/1742
> Signed-off-by: Sami Tolvanen <samitolvanen@google.com>

Must've been 'fun' to figure out, Thanks!

Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>


* Re: [PATCH 0/1] Fix CFI hash randomization with KASAN
From: Kees Cook @ 2023-01-13 23:15 UTC
  To: masahiroy, peterz, samitolvanen
  Cc: Kees Cook, linux-kernel, llvm, linux-kbuild, nathan, ndesaulniers

On Thu, 12 Jan 2023 22:49:47 +0000, Sami Tolvanen wrote:
> Peter, Masahiro,
> 
> I noticed that KASAN+CFI fails to boot on x86_64 without
> cfi=norand. The randomization code is missing a couple of KASAN
> constructors in object files that are not part of vmlinux.o. This
> happens because we don't run objtool for the files, which means
> the type hashes are not included in the .cfi_sites section.
> 
> [...]

Applied to for-linus/hardening, thanks!

[1/1] kbuild: Fix CFI hash randomization with KASAN
      https://git.kernel.org/kees/c/a6c5a3491b3f

-- 
Kees Cook


