[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CABCJKufsdcfdSQ4JMx1dw1HXgqk4rtqGRoHMUdK6r5cxzrEg3Q@mail.gmail.com>
Date: Mon, 30 Aug 2021 12:57:43 -0700
From: Sami Tolvanen <samitolvanen@...gle.com>
To: Andy Lutomirski <luto@...nel.org>
Cc: X86 ML <x86@...nel.org>, Kees Cook <keescook@...omium.org>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Nathan Chancellor <nathan@...nel.org>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Sedat Dilek <sedat.dilek@...il.com>,
linux-hardening@...r.kernel.org,
LKML <linux-kernel@...r.kernel.org>,
clang-built-linux <clang-built-linux@...glegroups.com>
Subject: Re: [PATCH v2 08/14] x86/extable: Do not mark exception callback as CFI
On Thu, Aug 26, 2021 at 9:56 AM Andy Lutomirski <luto@...nel.org> wrote:
>
> On 8/23/21 10:13 AM, Sami Tolvanen wrote:
> > From: Kees Cook <keescook@...omium.org>
> >
> > The exception table entries are constructed out of a relative offset
> > and point to the actual function, not the CFI table entry. For now,
> > just mark the caller as not checking CFI
>
> Does this *mark* the caller as not checking CFI or does it actually make
> the caller stop checking CFI? What are the semantics of a __nocfi function?
__nocfi disables CFI checking in the function, so in this case,
fixup_exception can make an indirect call anywhere.
> > The failure is most visible
> > at boot with CONFIG_DEBUG_RODATA_TEST=y.
>
> What's the failure?
>
> >
> > Signed-off-by: Kees Cook <keescook@...omium.org>
> > Signed-off-by: Sami Tolvanen <samitolvanen@...gle.com>
> > ---
> > arch/x86/mm/extable.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
> > index e1664e9f969c..d150d4d12d53 100644
> > --- a/arch/x86/mm/extable.c
> > +++ b/arch/x86/mm/extable.c
> > @@ -155,6 +155,7 @@ enum handler_type ex_get_fault_handler_type(unsigned long ip)
> > return EX_HANDLER_OTHER;
> > }
> >
> > +__nocfi
> > int fixup_exception(struct pt_regs *regs, int trapnr, unsigned long error_code,
> > unsigned long fault_addr)
> > {
> >
>
>
> This at least needs a comment explaining what's going on. But maybe it
> could be fixed better by either having the extable entry resolve to the
> magic CFI table entry (can this be done?) or by marking the actual
> indirect call or the type of the variable through which the call is done
> as being a non-CFI call.
We can avoid the __nocfi here by marking the handlers __cficanonical.
This attribute tells the compiler to rename the function and point the
original name to the CFI jump table, which allows addresses taken in
assembly code to also pass CFI checking. I'll change this in v3.
Sami
Powered by blists - more mailing lists