From: Linus Walleij <linus.walleij@linaro.org>
To: Russell King <linux@armlinux.org.uk>,
Sami Tolvanen <samitolvanen@google.com>,
Kees Cook <keescook@chromium.org>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Ard Biesheuvel <ardb@kernel.org>, Arnd Bergmann <arnd@arndb.de>
Cc: linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev,
Linus Walleij <linus.walleij@linaro.org>
Subject: [PATCH v2 9/9] ARM: KCFI: Allow permissive CFI mode
Date: Thu, 07 Mar 2024 15:22:08 +0100 [thread overview]
Message-ID: <20240307-arm32-cfi-v2-9-cc74ea0306b3@linaro.org> (raw)
In-Reply-To: <20240307-arm32-cfi-v2-0-cc74ea0306b3@linaro.org>
This registers a breakpoint handler for the new breakpoint type
(0x03) inserted by LLVM CLANG for CFI breakpoints.
If we are in permissive mode, just print a backtrace and continue.
Example with CONFIG_CFI_PERMISSIVE enabled:
root@Vexpress:/ echo CFI_FORWARD_PROTO > /sys/kernel/debug/provoke-crash/DIRECT
lkdtm: Performing direct entry CFI_FORWARD_PROTO
lkdtm: Calling matched prototype ...
lkdtm: Calling mismatched prototype ...
hw-breakpoint: Permissive CFI breakpoint
CPU: 0 PID: 114 Comm: sh Not tainted 6.8.0-rc1+ #111
Hardware name: ARM-Versatile Express
unwind_backtrace from show_stack+0x28/0x30
(...)
lkdtm: FAIL: survived mismatched prototype function call!
lkdtm: Unexpected! This kernel (6.8.0-rc1+ armv7l) was
built with CONFIG_CFI_CLANG=y
As you can see the LKDTM test fails, but I expect that this would be
expected behaviour in the permissive mode.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
---
arch/arm/include/asm/hw_breakpoint.h | 1 +
arch/arm/kernel/hw_breakpoint.c | 10 ++++++++++
2 files changed, 11 insertions(+)
diff --git a/arch/arm/include/asm/hw_breakpoint.h b/arch/arm/include/asm/hw_breakpoint.h
index 62358d3ca0a8..e7f9961c53b2 100644
--- a/arch/arm/include/asm/hw_breakpoint.h
+++ b/arch/arm/include/asm/hw_breakpoint.h
@@ -84,6 +84,7 @@ static inline void decode_ctrl_reg(u32 reg,
#define ARM_DSCR_MOE(x) ((x >> 2) & 0xf)
#define ARM_ENTRY_BREAKPOINT 0x1
#define ARM_ENTRY_ASYNC_WATCHPOINT 0x2
+#define ARM_ENTRY_CFI_BREAKPOINT 0x3
#define ARM_ENTRY_SYNC_WATCHPOINT 0xa
/* DSCR monitor/halting bits. */
diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
index dc0fb7a81371..256146684813 100644
--- a/arch/arm/kernel/hw_breakpoint.c
+++ b/arch/arm/kernel/hw_breakpoint.c
@@ -932,6 +932,16 @@ static int hw_breakpoint_pending(unsigned long addr, unsigned int fsr,
case ARM_ENTRY_SYNC_WATCHPOINT:
watchpoint_handler(addr, fsr, regs);
break;
+ case ARM_ENTRY_CFI_BREAKPOINT:
+ if (IS_ENABLED(CONFIG_CFI_PERMISSIVE)) {
+ pr_err("Permissive CFI breakpoint\n");
+ dump_stack();
+ /* Skip the breaking instruction */
+ instruction_pointer(regs) += 4;
+ } else {
+ die("Oops - CFI", regs, 0);
+ }
+ break;
default:
ret = 1; /* Unhandled fault. */
}
--
2.34.1
WARNING: multiple messages have this Message-ID (diff)
From: Linus Walleij <linus.walleij@linaro.org>
To: Russell King <linux@armlinux.org.uk>,
Sami Tolvanen <samitolvanen@google.com>,
Kees Cook <keescook@chromium.org>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Ard Biesheuvel <ardb@kernel.org>, Arnd Bergmann <arnd@arndb.de>
Cc: linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev,
Linus Walleij <linus.walleij@linaro.org>
Subject: [PATCH v2 9/9] ARM: KCFI: Allow permissive CFI mode
Date: Thu, 07 Mar 2024 15:22:08 +0100 [thread overview]
Message-ID: <20240307-arm32-cfi-v2-9-cc74ea0306b3@linaro.org> (raw)
In-Reply-To: <20240307-arm32-cfi-v2-0-cc74ea0306b3@linaro.org>
This registers a breakpoint handler for the new breakpoint type
(0x03) inserted by LLVM CLANG for CFI breakpoints.
If we are in permissive mode, just print a backtrace and continue.
Example with CONFIG_CFI_PERMISSIVE enabled:
root@Vexpress:/ echo CFI_FORWARD_PROTO > /sys/kernel/debug/provoke-crash/DIRECT
lkdtm: Performing direct entry CFI_FORWARD_PROTO
lkdtm: Calling matched prototype ...
lkdtm: Calling mismatched prototype ...
hw-breakpoint: Permissive CFI breakpoint
CPU: 0 PID: 114 Comm: sh Not tainted 6.8.0-rc1+ #111
Hardware name: ARM-Versatile Express
unwind_backtrace from show_stack+0x28/0x30
(...)
lkdtm: FAIL: survived mismatched prototype function call!
lkdtm: Unexpected! This kernel (6.8.0-rc1+ armv7l) was
built with CONFIG_CFI_CLANG=y
As you can see the LKDTM test fails, but I expect that this would be
expected behaviour in the permissive mode.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
---
arch/arm/include/asm/hw_breakpoint.h | 1 +
arch/arm/kernel/hw_breakpoint.c | 10 ++++++++++
2 files changed, 11 insertions(+)
diff --git a/arch/arm/include/asm/hw_breakpoint.h b/arch/arm/include/asm/hw_breakpoint.h
index 62358d3ca0a8..e7f9961c53b2 100644
--- a/arch/arm/include/asm/hw_breakpoint.h
+++ b/arch/arm/include/asm/hw_breakpoint.h
@@ -84,6 +84,7 @@ static inline void decode_ctrl_reg(u32 reg,
#define ARM_DSCR_MOE(x) ((x >> 2) & 0xf)
#define ARM_ENTRY_BREAKPOINT 0x1
#define ARM_ENTRY_ASYNC_WATCHPOINT 0x2
+#define ARM_ENTRY_CFI_BREAKPOINT 0x3
#define ARM_ENTRY_SYNC_WATCHPOINT 0xa
/* DSCR monitor/halting bits. */
diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
index dc0fb7a81371..256146684813 100644
--- a/arch/arm/kernel/hw_breakpoint.c
+++ b/arch/arm/kernel/hw_breakpoint.c
@@ -932,6 +932,16 @@ static int hw_breakpoint_pending(unsigned long addr, unsigned int fsr,
case ARM_ENTRY_SYNC_WATCHPOINT:
watchpoint_handler(addr, fsr, regs);
break;
+ case ARM_ENTRY_CFI_BREAKPOINT:
+ if (IS_ENABLED(CONFIG_CFI_PERMISSIVE)) {
+ pr_err("Permissive CFI breakpoint\n");
+ dump_stack();
+ /* Skip the breaking instruction */
+ instruction_pointer(regs) += 4;
+ } else {
+ die("Oops - CFI", regs, 0);
+ }
+ break;
default:
ret = 1; /* Unhandled fault. */
}
--
2.34.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2024-03-07 14:22 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-07 14:21 [PATCH v2 0/9] CFI for ARM32 using LLVM Linus Walleij
2024-03-07 14:21 ` Linus Walleij
2024-03-07 14:22 ` [PATCH v2 1/9] ARM: Support CLANG CFI Linus Walleij
2024-03-07 14:22 ` Linus Walleij
2024-03-07 14:22 ` [PATCH v2 2/9] ARM: tlbflush: Make TLB flushes into static inlines Linus Walleij
2024-03-07 14:22 ` Linus Walleij
2024-03-07 14:22 ` [PATCH v2 3/9] ARM: bugs: Check in the vtable instead of defined aliases Linus Walleij
2024-03-07 14:22 ` Linus Walleij
2024-03-07 14:22 ` [PATCH v2 4/9] ARM: proc: Use inlines instead of defines Linus Walleij
2024-03-07 14:22 ` Linus Walleij
2024-03-07 14:22 ` [PATCH v2 5/9] ARM: delay: Turn delay functions into static inlines Linus Walleij
2024-03-07 14:22 ` Linus Walleij
2024-03-07 14:22 ` [PATCH v2 6/9] ARM: turn CPU cache flush " Linus Walleij
2024-03-07 14:22 ` Linus Walleij
2024-03-07 14:22 ` [PATCH v2 7/9] ARM: page: Turn highpage accesses " Linus Walleij
2024-03-07 14:22 ` Linus Walleij
2024-03-07 14:22 ` [PATCH v2 8/9] ARM: ftrace: Define ftrace_stub_graph Linus Walleij
2024-03-07 14:22 ` Linus Walleij
2024-03-07 14:22 ` Linus Walleij [this message]
2024-03-07 14:22 ` [PATCH v2 9/9] ARM: KCFI: Allow permissive CFI mode Linus Walleij
2024-03-07 18:58 ` Kees Cook
2024-03-07 18:58 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240307-arm32-cfi-v2-9-cc74ea0306b3@linaro.org \
--to=linus.walleij@linaro.org \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=keescook@chromium.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux@armlinux.org.uk \
--cc=llvm@lists.linux.dev \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=samitolvanen@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.