From: Nathan Chancellor <nathan@kernel.org>
To: Dan Li <ashimida@linux.alibaba.com>
Cc: catalin.marinas@arm.com, will@kernel.org,
ndesaulniers@google.com, keescook@chromium.org,
masahiroy@kernel.org, tglx@linutronix.de,
akpm@linux-foundation.org, mark.rutland@arm.com,
samitolvanen@google.com, npiggin@gmail.com, linux@roeck-us.net,
mhiramat@kernel.org, ojeda@kernel.org,
luc.vanoostenryck@gmail.com, elver@google.com,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH] [PATCH] AARCH64: Add gcc Shadow Call Stack support
Date: Tue, 22 Feb 2022 09:16:06 -0700 [thread overview]
Message-ID: <YhUMRoLDan7tJRiL@dev-arch.archlinux-ax161> (raw)
In-Reply-To: <20220222095736.24898-1-ashimida@linux.alibaba.com>
On Tue, Feb 22, 2022 at 01:57:36AM -0800, Dan Li wrote:
> Shadow call stack is available in GCC > 11.2.0, this patch makes
> the corresponding kernel configuration available when compiling
> the kernel with gcc.
>
> Note that the implementation in GCC is slightly different from Clang.
> With SCS enabled, functions will only pop x30 once in the epilogue,
> like:
>
> str x30, [x18], #8
> stp x29, x30, [sp, #-16]!
> ......
> - ldp x29, x30, [sp], #16 //clang
> + ldr x29, [sp], #16 //GCC
> ldr x30, [x18, #-8]!
>
> Link: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=ce09ab17ddd21f73ff2caf6eec3b0ee9b0e1a11e
>
> Signed-off-by: Dan Li <ashimida@linux.alibaba.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
A few open-ended comments below.
> ---
> FYI:
> This function can be used to test if the shadow call stack works:
> //noinline void __noscs scs_test(void)
> noinline void scs_test(void)
> {
> register unsigned long *sp asm("sp");
> unsigned long * lr = sp + 1;
>
> asm volatile("":::"x30");
> *lr = 0;
> }
>
> ffff800008012704: d503233f paciasp
> ffff800008012708: f800865e str x30, [x18], #8
> ffff80000801270c: a9bf7bfd stp x29, x30, [sp, #-16]!
> ffff800008012710: 910003fd mov x29, sp
> ffff800008012714: 910003e0 mov x0, sp
> ffff800008012718: f900041f str xzr, [x0, #8]
> ffff80000801271c: f85f8e5e ldr x30, [x18, #-8]!
> ffff800008012720: f84107fd ldr x29, [sp], #16
> ffff800008012724: d50323bf autiasp
> ffff800008012728: d65f03c0 ret
>
> If SCS protection is enabled, this function will return normally.
> If the function has __noscs attribute (scs disabled), it will crash due to 0
> address access.
>
> arch/Kconfig | 6 +++---
> arch/arm64/Kconfig | 2 +-
> include/linux/compiler-gcc.h | 4 ++++
> 3 files changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 678a80713b21..35db7b72bdb0 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -604,11 +604,11 @@ config ARCH_SUPPORTS_SHADOW_CALL_STACK
> switching.
>
> config SHADOW_CALL_STACK
> - bool "Clang Shadow Call Stack"
> - depends on CC_IS_CLANG && ARCH_SUPPORTS_SHADOW_CALL_STACK
> + bool "Shadow Call Stack"
> + depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
> depends on DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
> help
> - This option enables Clang's Shadow Call Stack, which uses a
> + This option enables Clang/GCC's Shadow Call Stack, which uses a
I wonder if we want to just ditch the mention of the compiler if both
support it?
> shadow stack to protect function return addresses from being
> overwritten by an attacker. More information can be found in
> Clang's documentation:
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 09b885cc4db5..a48a604301aa 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -1255,7 +1255,7 @@ config HW_PERF_EVENTS
> config ARCH_HAS_FILTER_PGPROT
> def_bool y
>
> -# Supported by clang >= 7.0
> +# Supported by clang >= 7.0 or GCC > 11.2.0
Same thing here, although eventually there may be a minimum GCC version
bump to something newer than 11.2.0, which would allow us to just drop
CONFIG_CC_HAVE_SHADOW_CALL_STACK altogether. No strong opinion.
> config CC_HAVE_SHADOW_CALL_STACK
> def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
>
> diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
> index ccbbd31b3aae..deff5b308470 100644
> --- a/include/linux/compiler-gcc.h
> +++ b/include/linux/compiler-gcc.h
> @@ -97,6 +97,10 @@
> #define KASAN_ABI_VERSION 4
> #endif
>
> +#ifdef CONFIG_SHADOW_CALL_STACK
> +#define __noscs __attribute__((__no_sanitize__("shadow-call-stack")))
> +#endif
> +
> #if __has_attribute(__no_sanitize_address__)
> #define __no_sanitize_address __attribute__((no_sanitize_address))
> #else
> --
> 2.17.1
>
WARNING: multiple messages have this Message-ID (diff)
From: Nathan Chancellor <nathan@kernel.org>
To: Dan Li <ashimida@linux.alibaba.com>
Cc: catalin.marinas@arm.com, will@kernel.org,
ndesaulniers@google.com, keescook@chromium.org,
masahiroy@kernel.org, tglx@linutronix.de,
akpm@linux-foundation.org, mark.rutland@arm.com,
samitolvanen@google.com, npiggin@gmail.com, linux@roeck-us.net,
mhiramat@kernel.org, ojeda@kernel.org,
luc.vanoostenryck@gmail.com, elver@google.com,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH] [PATCH] AARCH64: Add gcc Shadow Call Stack support
Date: Tue, 22 Feb 2022 09:16:06 -0700 [thread overview]
Message-ID: <YhUMRoLDan7tJRiL@dev-arch.archlinux-ax161> (raw)
In-Reply-To: <20220222095736.24898-1-ashimida@linux.alibaba.com>
On Tue, Feb 22, 2022 at 01:57:36AM -0800, Dan Li wrote:
> Shadow call stack is available in GCC > 11.2.0, this patch makes
> the corresponding kernel configuration available when compiling
> the kernel with gcc.
>
> Note that the implementation in GCC is slightly different from Clang.
> With SCS enabled, functions will only pop x30 once in the epilogue,
> like:
>
> str x30, [x18], #8
> stp x29, x30, [sp, #-16]!
> ......
> - ldp x29, x30, [sp], #16 //clang
> + ldr x29, [sp], #16 //GCC
> ldr x30, [x18, #-8]!
>
> Link: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=ce09ab17ddd21f73ff2caf6eec3b0ee9b0e1a11e
>
> Signed-off-by: Dan Li <ashimida@linux.alibaba.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
A few open-ended comments below.
> ---
> FYI:
> This function can be used to test if the shadow call stack works:
> //noinline void __noscs scs_test(void)
> noinline void scs_test(void)
> {
> register unsigned long *sp asm("sp");
> unsigned long * lr = sp + 1;
>
> asm volatile("":::"x30");
> *lr = 0;
> }
>
> ffff800008012704: d503233f paciasp
> ffff800008012708: f800865e str x30, [x18], #8
> ffff80000801270c: a9bf7bfd stp x29, x30, [sp, #-16]!
> ffff800008012710: 910003fd mov x29, sp
> ffff800008012714: 910003e0 mov x0, sp
> ffff800008012718: f900041f str xzr, [x0, #8]
> ffff80000801271c: f85f8e5e ldr x30, [x18, #-8]!
> ffff800008012720: f84107fd ldr x29, [sp], #16
> ffff800008012724: d50323bf autiasp
> ffff800008012728: d65f03c0 ret
>
> If SCS protection is enabled, this function will return normally.
> If the function has __noscs attribute (scs disabled), it will crash due to 0
> address access.
>
> arch/Kconfig | 6 +++---
> arch/arm64/Kconfig | 2 +-
> include/linux/compiler-gcc.h | 4 ++++
> 3 files changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 678a80713b21..35db7b72bdb0 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -604,11 +604,11 @@ config ARCH_SUPPORTS_SHADOW_CALL_STACK
> switching.
>
> config SHADOW_CALL_STACK
> - bool "Clang Shadow Call Stack"
> - depends on CC_IS_CLANG && ARCH_SUPPORTS_SHADOW_CALL_STACK
> + bool "Shadow Call Stack"
> + depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
> depends on DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
> help
> - This option enables Clang's Shadow Call Stack, which uses a
> + This option enables Clang/GCC's Shadow Call Stack, which uses a
I wonder if we want to just ditch the mention of the compiler if both
support it?
> shadow stack to protect function return addresses from being
> overwritten by an attacker. More information can be found in
> Clang's documentation:
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 09b885cc4db5..a48a604301aa 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -1255,7 +1255,7 @@ config HW_PERF_EVENTS
> config ARCH_HAS_FILTER_PGPROT
> def_bool y
>
> -# Supported by clang >= 7.0
> +# Supported by clang >= 7.0 or GCC > 11.2.0
Same thing here, although eventually there may be a minimum GCC version
bump to something newer than 11.2.0, which would allow us to just drop
CONFIG_CC_HAVE_SHADOW_CALL_STACK altogether. No strong opinion.
> config CC_HAVE_SHADOW_CALL_STACK
> def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
>
> diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
> index ccbbd31b3aae..deff5b308470 100644
> --- a/include/linux/compiler-gcc.h
> +++ b/include/linux/compiler-gcc.h
> @@ -97,6 +97,10 @@
> #define KASAN_ABI_VERSION 4
> #endif
>
> +#ifdef CONFIG_SHADOW_CALL_STACK
> +#define __noscs __attribute__((__no_sanitize__("shadow-call-stack")))
> +#endif
> +
> #if __has_attribute(__no_sanitize_address__)
> #define __no_sanitize_address __attribute__((no_sanitize_address))
> #else
> --
> 2.17.1
>
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2022-02-22 16:16 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-22 9:57 [PATCH] [PATCH] AARCH64: Add gcc Shadow Call Stack support Dan Li
2022-02-22 9:57 ` Dan Li
2022-02-22 16:16 ` Nathan Chancellor [this message]
2022-02-22 16:16 ` Nathan Chancellor
2022-02-22 16:47 ` Guenter Roeck
2022-02-22 16:47 ` Guenter Roeck
2022-02-22 16:59 ` Miguel Ojeda
2022-02-22 16:59 ` Miguel Ojeda
2022-02-23 8:58 ` Dan Li
2022-02-23 8:58 ` Dan Li
2022-02-23 8:55 ` Dan Li
2022-02-23 8:55 ` Dan Li
2022-02-23 8:50 ` Dan Li
2022-02-23 8:50 ` Dan Li
2022-02-23 17:39 ` Nathan Chancellor
2022-02-23 17:39 ` Nathan Chancellor
2022-02-25 0:34 ` Dan Li
2022-02-25 0:34 ` Dan Li
2022-02-22 18:47 ` Mark Rutland
2022-02-22 18:47 ` Mark Rutland
2022-02-23 9:06 ` Dan Li
2022-02-23 9:06 ` Dan Li
2022-02-23 11:48 ` Ard Biesheuvel
2022-02-23 11:48 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YhUMRoLDan7tJRiL@dev-arch.archlinux-ax161 \
--to=nathan@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=ashimida@linux.alibaba.com \
--cc=catalin.marinas@arm.com \
--cc=elver@google.com \
--cc=keescook@chromium.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=llvm@lists.linux.dev \
--cc=luc.vanoostenryck@gmail.com \
--cc=mark.rutland@arm.com \
--cc=masahiroy@kernel.org \
--cc=mhiramat@kernel.org \
--cc=ndesaulniers@google.com \
--cc=npiggin@gmail.com \
--cc=ojeda@kernel.org \
--cc=samitolvanen@google.com \
--cc=tglx@linutronix.de \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.