From: Linus Walleij <linus.walleij@linaro.org>
To: Russell King <linux@armlinux.org.uk>,
Sami Tolvanen <samitolvanen@google.com>,
Kees Cook <keescook@chromium.org>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Ard Biesheuvel <ardb@kernel.org>, Arnd Bergmann <arnd@arndb.de>
Cc: linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev,
Linus Walleij <linus.walleij@linaro.org>
Subject: [PATCH v3 9/9] ARM: KCFI: Allow permissive CFI mode
Date: Mon, 11 Mar 2024 10:15:46 +0100 [thread overview]
Message-ID: <20240311-arm32-cfi-v3-9-224a0f0a45c2@linaro.org> (raw)
In-Reply-To: <20240311-arm32-cfi-v3-0-224a0f0a45c2@linaro.org>
This registers a breakpoint handler for the new breakpoint type
(0x03) inserted by LLVM CLANG for CFI breakpoints.
If we are in permissive mode, just print a backtrace and continue.
Example with CONFIG_CFI_PERMISSIVE enabled:
> echo CFI_FORWARD_PROTO > /sys/kernel/debug/provoke-crash/DIRECT
lkdtm: Performing direct entry CFI_FORWARD_PROTO
lkdtm: Calling matched prototype ...
lkdtm: Calling mismatched prototype ...
CFI failure at lkdtm_indirect_call+0x40/0x4c (target: 0x0; expected type: 0x00000000)
WARNING: CPU: 1 PID: 112 at lkdtm_indirect_call+0x40/0x4c
CPU: 1 PID: 112 Comm: sh Not tainted 6.8.0-rc1+ #150
Hardware name: ARM-Versatile Express
(...)
lkdtm: FAIL: survived mismatched prototype function call!
lkdtm: Unexpected! This kernel (6.8.0-rc1+ armv7l) was built with CONFIG_CFI_CLANG=y
As you can see the LKDTM test fails, but I expect that this would be
expected behaviour in the permissive mode.
We are currently not implementing target and type for the CFI
breakpoint as this requires additional operand bundling compiler
extensions.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
---
arch/arm/include/asm/hw_breakpoint.h | 1 +
arch/arm/kernel/hw_breakpoint.c | 30 ++++++++++++++++++++++++++++++
2 files changed, 31 insertions(+)
diff --git a/arch/arm/include/asm/hw_breakpoint.h b/arch/arm/include/asm/hw_breakpoint.h
index 62358d3ca0a8..e7f9961c53b2 100644
--- a/arch/arm/include/asm/hw_breakpoint.h
+++ b/arch/arm/include/asm/hw_breakpoint.h
@@ -84,6 +84,7 @@ static inline void decode_ctrl_reg(u32 reg,
#define ARM_DSCR_MOE(x) ((x >> 2) & 0xf)
#define ARM_ENTRY_BREAKPOINT 0x1
#define ARM_ENTRY_ASYNC_WATCHPOINT 0x2
+#define ARM_ENTRY_CFI_BREAKPOINT 0x3
#define ARM_ENTRY_SYNC_WATCHPOINT 0xa
/* DSCR monitor/halting bits. */
diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
index dc0fb7a81371..61a984b83bfe 100644
--- a/arch/arm/kernel/hw_breakpoint.c
+++ b/arch/arm/kernel/hw_breakpoint.c
@@ -17,6 +17,7 @@
#include <linux/perf_event.h>
#include <linux/hw_breakpoint.h>
#include <linux/smp.h>
+#include <linux/cfi.h>
#include <linux/cpu_pm.h>
#include <linux/coresight.h>
@@ -903,6 +904,32 @@ static void breakpoint_handler(unsigned long unknown, struct pt_regs *regs)
watchpoint_single_step_handler(addr);
}
+#ifdef CONFIG_CFI_CLANG
+static void hw_breakpoint_cfi_handler(struct pt_regs *regs)
+{
+ /* TODO: implementing target and type requires compiler work */
+ unsigned long target = 0;
+ u32 type = 0;
+
+ switch (report_cfi_failure(regs, instruction_pointer(regs), &target, type)) {
+ case BUG_TRAP_TYPE_BUG:
+ die("Oops - CFI", regs, 0);
+ break;
+ case BUG_TRAP_TYPE_WARN:
+ /* Skip the breaking instruction */
+ instruction_pointer(regs) += 4;
+ break;
+ default:
+ pr_crit("Unknown CFI error\n");
+ break;
+ }
+}
+#else
+static void hw_breakpoint_cfi_handler(struct pt_regs *regs)
+{
+}
+#endif
+
/*
* Called from either the Data Abort Handler [watchpoint] or the
* Prefetch Abort Handler [breakpoint] with interrupts disabled.
@@ -932,6 +959,9 @@ static int hw_breakpoint_pending(unsigned long addr, unsigned int fsr,
case ARM_ENTRY_SYNC_WATCHPOINT:
watchpoint_handler(addr, fsr, regs);
break;
+ case ARM_ENTRY_CFI_BREAKPOINT:
+ hw_breakpoint_cfi_handler(regs);
+ break;
default:
ret = 1; /* Unhandled fault. */
}
--
2.34.1
WARNING: multiple messages have this Message-ID (diff)
From: Linus Walleij <linus.walleij@linaro.org>
To: Russell King <linux@armlinux.org.uk>,
Sami Tolvanen <samitolvanen@google.com>,
Kees Cook <keescook@chromium.org>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Ard Biesheuvel <ardb@kernel.org>, Arnd Bergmann <arnd@arndb.de>
Cc: linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev,
Linus Walleij <linus.walleij@linaro.org>
Subject: [PATCH v3 9/9] ARM: KCFI: Allow permissive CFI mode
Date: Mon, 11 Mar 2024 10:15:46 +0100 [thread overview]
Message-ID: <20240311-arm32-cfi-v3-9-224a0f0a45c2@linaro.org> (raw)
In-Reply-To: <20240311-arm32-cfi-v3-0-224a0f0a45c2@linaro.org>
This registers a breakpoint handler for the new breakpoint type
(0x03) inserted by LLVM CLANG for CFI breakpoints.
If we are in permissive mode, just print a backtrace and continue.
Example with CONFIG_CFI_PERMISSIVE enabled:
> echo CFI_FORWARD_PROTO > /sys/kernel/debug/provoke-crash/DIRECT
lkdtm: Performing direct entry CFI_FORWARD_PROTO
lkdtm: Calling matched prototype ...
lkdtm: Calling mismatched prototype ...
CFI failure at lkdtm_indirect_call+0x40/0x4c (target: 0x0; expected type: 0x00000000)
WARNING: CPU: 1 PID: 112 at lkdtm_indirect_call+0x40/0x4c
CPU: 1 PID: 112 Comm: sh Not tainted 6.8.0-rc1+ #150
Hardware name: ARM-Versatile Express
(...)
lkdtm: FAIL: survived mismatched prototype function call!
lkdtm: Unexpected! This kernel (6.8.0-rc1+ armv7l) was built with CONFIG_CFI_CLANG=y
As you can see the LKDTM test fails, but I expect that this would be
expected behaviour in the permissive mode.
We are currently not implementing target and type for the CFI
breakpoint as this requires additional operand bundling compiler
extensions.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
---
arch/arm/include/asm/hw_breakpoint.h | 1 +
arch/arm/kernel/hw_breakpoint.c | 30 ++++++++++++++++++++++++++++++
2 files changed, 31 insertions(+)
diff --git a/arch/arm/include/asm/hw_breakpoint.h b/arch/arm/include/asm/hw_breakpoint.h
index 62358d3ca0a8..e7f9961c53b2 100644
--- a/arch/arm/include/asm/hw_breakpoint.h
+++ b/arch/arm/include/asm/hw_breakpoint.h
@@ -84,6 +84,7 @@ static inline void decode_ctrl_reg(u32 reg,
#define ARM_DSCR_MOE(x) ((x >> 2) & 0xf)
#define ARM_ENTRY_BREAKPOINT 0x1
#define ARM_ENTRY_ASYNC_WATCHPOINT 0x2
+#define ARM_ENTRY_CFI_BREAKPOINT 0x3
#define ARM_ENTRY_SYNC_WATCHPOINT 0xa
/* DSCR monitor/halting bits. */
diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
index dc0fb7a81371..61a984b83bfe 100644
--- a/arch/arm/kernel/hw_breakpoint.c
+++ b/arch/arm/kernel/hw_breakpoint.c
@@ -17,6 +17,7 @@
#include <linux/perf_event.h>
#include <linux/hw_breakpoint.h>
#include <linux/smp.h>
+#include <linux/cfi.h>
#include <linux/cpu_pm.h>
#include <linux/coresight.h>
@@ -903,6 +904,32 @@ static void breakpoint_handler(unsigned long unknown, struct pt_regs *regs)
watchpoint_single_step_handler(addr);
}
+#ifdef CONFIG_CFI_CLANG
+static void hw_breakpoint_cfi_handler(struct pt_regs *regs)
+{
+ /* TODO: implementing target and type requires compiler work */
+ unsigned long target = 0;
+ u32 type = 0;
+
+ switch (report_cfi_failure(regs, instruction_pointer(regs), &target, type)) {
+ case BUG_TRAP_TYPE_BUG:
+ die("Oops - CFI", regs, 0);
+ break;
+ case BUG_TRAP_TYPE_WARN:
+ /* Skip the breaking instruction */
+ instruction_pointer(regs) += 4;
+ break;
+ default:
+ pr_crit("Unknown CFI error\n");
+ break;
+ }
+}
+#else
+static void hw_breakpoint_cfi_handler(struct pt_regs *regs)
+{
+}
+#endif
+
/*
* Called from either the Data Abort Handler [watchpoint] or the
* Prefetch Abort Handler [breakpoint] with interrupts disabled.
@@ -932,6 +959,9 @@ static int hw_breakpoint_pending(unsigned long addr, unsigned int fsr,
case ARM_ENTRY_SYNC_WATCHPOINT:
watchpoint_handler(addr, fsr, regs);
break;
+ case ARM_ENTRY_CFI_BREAKPOINT:
+ hw_breakpoint_cfi_handler(regs);
+ break;
default:
ret = 1; /* Unhandled fault. */
}
--
2.34.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2024-03-11 9:15 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-11 9:15 [PATCH v3 0/9] CFI for ARM32 using LLVM Linus Walleij
2024-03-11 9:15 ` Linus Walleij
2024-03-11 9:15 ` [PATCH v3 1/9] ARM: Support CLANG CFI Linus Walleij
2024-03-11 9:15 ` Linus Walleij
2024-03-11 10:24 ` Ard Biesheuvel
2024-03-11 10:24 ` Ard Biesheuvel
2024-03-11 9:15 ` [PATCH v3 2/9] ARM: tlbflush: Make TLB flushes into static inlines Linus Walleij
2024-03-11 9:15 ` Linus Walleij
2024-03-11 9:39 ` Russell King (Oracle)
2024-03-11 9:39 ` Russell King (Oracle)
2024-03-11 10:03 ` Ard Biesheuvel
2024-03-11 10:03 ` Ard Biesheuvel
2024-03-11 15:34 ` Sami Tolvanen
2024-03-11 15:34 ` Sami Tolvanen
2024-03-11 19:50 ` Linus Walleij
2024-03-11 19:50 ` Linus Walleij
2024-03-11 21:36 ` Sami Tolvanen
2024-03-11 21:36 ` Sami Tolvanen
2024-03-11 22:17 ` Linus Walleij
2024-03-11 22:17 ` Linus Walleij
2024-03-11 22:28 ` Sami Tolvanen
2024-03-11 22:28 ` Sami Tolvanen
2024-03-11 23:56 ` Linus Walleij
2024-03-11 23:56 ` Linus Walleij
2024-03-12 7:24 ` Ard Biesheuvel
2024-03-12 7:24 ` Ard Biesheuvel
2024-03-12 8:14 ` Linus Walleij
2024-03-12 8:14 ` Linus Walleij
2024-03-11 9:15 ` [PATCH v3 3/9] ARM: bugs: Check in the vtable instead of defined aliases Linus Walleij
2024-03-11 9:15 ` Linus Walleij
2024-03-11 9:15 ` [PATCH v3 4/9] ARM: proc: Use inlines instead of defines Linus Walleij
2024-03-11 9:15 ` Linus Walleij
2024-03-11 9:15 ` [PATCH v3 5/9] ARM: delay: Turn delay functions into static inlines Linus Walleij
2024-03-11 9:15 ` Linus Walleij
2024-03-11 12:26 ` Ard Biesheuvel
2024-03-11 12:26 ` Ard Biesheuvel
2024-03-11 9:15 ` [PATCH v3 6/9] ARM: turn CPU cache flush " Linus Walleij
2024-03-11 9:15 ` Linus Walleij
2024-03-11 9:15 ` [PATCH v3 7/9] ARM: page: Turn highpage accesses " Linus Walleij
2024-03-11 9:15 ` Linus Walleij
2024-03-11 12:15 ` Ard Biesheuvel
2024-03-11 12:15 ` Ard Biesheuvel
2024-03-28 8:18 ` Linus Walleij
2024-03-28 8:18 ` Linus Walleij
2024-03-11 9:15 ` [PATCH v3 8/9] ARM: ftrace: Define ftrace_stub_graph Linus Walleij
2024-03-11 9:15 ` Linus Walleij
2024-03-11 9:15 ` Linus Walleij [this message]
2024-03-11 9:15 ` [PATCH v3 9/9] ARM: KCFI: Allow permissive CFI mode Linus Walleij
2024-03-11 22:03 ` Kees Cook
2024-03-11 22:03 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240311-arm32-cfi-v3-9-224a0f0a45c2@linaro.org \
--to=linus.walleij@linaro.org \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=keescook@chromium.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux@armlinux.org.uk \
--cc=llvm@lists.linux.dev \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=samitolvanen@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.