lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Y7fVWulL0/yq7KaO@sol.localdomain>
Date:   Fri, 6 Jan 2023 00:01:30 -0800
From:   Eric Biggers <ebiggers@...nel.org>
To:     Kees Cook <keescook@...omium.org>
Cc:     Theodore Ts'o <tytso@....edu>, stable@...r.kernel.org,
        "Gustavo A . R . Silva" <gustavoars@...nel.org>,
        Nathan Chancellor <nathan@...nel.org>,
        Andreas Dilger <adilger.kernel@...ger.ca>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Tom Rix <trix@...hat.com>,
        Riccardo Schirone <sirmy15@...il.com>,
        linux-kernel@...r.kernel.org, linux-ext4@...r.kernel.org,
        llvm@...ts.linux.dev, linux-hardening@...r.kernel.org
Subject: Re: [PATCH v2] ext4: Fix function prototype mismatch for
 ext4_feat_ktype

On Wed, Jan 04, 2023 at 01:09:12PM -0800, Kees Cook wrote:
> With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
> indirect call targets are validated against the expected function
> pointer prototype to make sure the call target is valid to help mitigate
> ROP attacks. If they are not identical, there is a failure at run time,
> which manifests as either a kernel panic or thread getting killed.
> 
> ext4_feat_ktype was setting the "release" handler to "kfree", which
> doesn't have a matching function prototype. Add a simple wrapper
> with the correct prototype.
> 
> This was found as a result of Clang's new -Wcast-function-type-strict
> flag, which is more sensitive than the simpler -Wcast-function-type,
> which only checks for type width mismatches.
> 
> Note that this code is only reached when ext4 is a loadable module and
> it is being unloaded:
> 
>  CFI failure at kobject_put+0xbb/0x1b0 (target: kfree+0x0/0x180; expected type: 0x7c4aa698)
>  ...
>  RIP: 0010:kobject_put+0xbb/0x1b0
>  ...
>  Call Trace:
>   <TASK>
>   ext4_exit_sysfs+0x14/0x60 [ext4]
>   cleanup_module+0x67/0xedb [ext4]
> 
> Fixes: b99fee58a20a ("ext4: create ext4_feat kobject dynamically")
> Cc: Theodore Ts'o <tytso@....edu>
> Cc: Eric Biggers <ebiggers@...nel.org>
> Cc: stable@...r.kernel.org
> Build-tested-by: Gustavo A. R. Silva <gustavoars@...nel.org>
> Reviewed-by: Gustavo A. R. Silva <gustavoars@...nel.org>
> Reviewed-by: Nathan Chancellor <nathan@...nel.org>
> Link: https://lore.kernel.org/r/20230103234616.never.915-kees@kernel.org
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> v2: rename callback, improve commit log (ebiggers)
> v1: https://lore.kernel.org/lkml/20230103234616.never.915-kees@kernel.org
> ---
>  fs/ext4/sysfs.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 

Reviewed-by: Eric Biggers <ebiggers@...gle.com>

- Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ