lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Oct 2021 19:42:54 -0700 From: Josh Poimboeuf <jpoimboe@...hat.com> To: Sami Tolvanen <samitolvanen@...gle.com> Cc: X86 ML <x86@...nel.org>, Kees Cook <keescook@...omium.org>, Peter Zijlstra <peterz@...radead.org>, Nathan Chancellor <nathan@...nel.org>, Nick Desaulniers <ndesaulniers@...gle.com>, Sedat Dilek <sedat.dilek@...il.com>, linux-hardening@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>, llvm@...ts.linux.dev Subject: Re: [PATCH v4 00/15] x86: Add support for Clang CFI On Tue, Oct 05, 2021 at 02:52:46PM -0700, Sami Tolvanen wrote: > On Tue, Oct 5, 2021 at 1:37 PM Josh Poimboeuf <jpoimboe@...hat.com> wrote: > > > > On Thu, Sep 30, 2021 at 11:05:16AM -0700, Sami Tolvanen wrote: > > > This series adds support for Clang's Control-Flow Integrity (CFI) > > > checking to x86_64. With CFI, the compiler injects a runtime > > > check before each indirect function call to ensure the target is > > > a valid function with the correct static type. This restricts > > > possible call targets and makes it more difficult for an attacker > > > to exploit bugs that allow the modification of stored function > > > pointers. For more details, see: > > > > > > https://clang.llvm.org/docs/ControlFlowIntegrity.html > > > > > > Note that v4 is based on tip/master. The first two patches contain > > > objtool support for CFI, the remaining patches change function > > > declarations to use opaque types, fix type mismatch issues that > > > confuse the compiler, and disable CFI where it can't be used. > > > > > > You can also pull this series from > > > > > > https://github.com/samitolvanen/linux.git x86-cfi-v4 > > > > Does this work for indirect calls made from alternatives? > > It works in the sense that indirect calls made from alternatives won't > trip CFI. The compiler doesn't instrument inline assembly. > > > I'm also wondering whether this works on CONFIG_RETPOLINE systems which > > disable retpolines at runtime, combined with Peter's patch to use > > objtool to replace retpoline thunk calls with indirect branches: > > > > 9bc0bb50727c ("objtool/x86: Rewrite retpoline thunk calls") > > > > Since presumably objtool runs after the CFI stuff is inserted. > > The indirect call checking is before the retpoline thunk call, so > replacing the call with an indirect call isn't a problem. Ah right. I managed to forget how this worked and was thinking this intercepted the indirect call rather than the function pointer. -- Josh
Powered by blists - more mailing lists