Message-Id: <20250913231256.make.519-kees@kernel.org>
Date: Sat, 13 Sep 2025 16:23:56 -0700
From: Kees Cook <kees@...nel.org>
To: Qing Zhao <qing.zhao@...cle.com>
Cc: Kees Cook <kees@...nel.org>,
Andrew Pinski <pinskia@...il.com>,
Jakub Jelinek <jakub@...hat.com>,
Martin Uecker <uecker@...raz.at>,
Richard Biener <rguenther@...e.de>,
Joseph Myers <josmyers@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Jan Hubicka <hubicka@....cz>,
Richard Earnshaw <richard.earnshaw@....com>,
Richard Sandiford <richard.sandiford@....com>,
Marcus Shawcroft <marcus.shawcroft@....com>,
Kyrylo Tkachov <kyrylo.tkachov@....com>,
Kito Cheng <kito.cheng@...il.com>,
Palmer Dabbelt <palmer@...belt.com>,
Andrew Waterman <andrew@...ive.com>,
Jim Wilson <jim.wilson.gcc@...il.com>,
Dan Li <ashimida.1990@...il.com>,
Sami Tolvanen <samitolvanen@...gle.com>,
Ramon de C Valle <rcvalle@...gle.com>,
Joao Moreira <joao@...rdrivepizza.com>,
Nathan Chancellor <nathan@...nel.org>,
Bill Wendling <morbo@...gle.com>,
gcc-patches@....gnu.org,
linux-hardening@...r.kernel.org
Subject: [PATCH v3 0/7] Introduce Kernel Control Flow Integrity ABI [PR107048]
Hi!

Here is v3, which has continued to evolve a lot from v2[1].

This series implements[2][3] the Linux Kernel Control Flow Integrity
ABI, which provides function-prototype-based forward-edge control flow
integrity protection by instrumenting every indirect call to check for
a hash value before the target function address. If the hash at the call
site and the hash at the target do not match, execution will trap.

Changes since v2:
- Refactored mangling to provide actual builtins, making it SO much
  easier to test. This is good not just for KCFI but also for coming
  type-aware allocators that need to have a stable value (32-bit
  hash) to represent C types.
- Consolidated DECL vs TYPE attributes for KCFI type_id, allowing
  for the removal of all the GIMPLE type wrapping and the GIMPLE
  passes entirely.
- Tightened testsuite to be much more target and option aware.
- Support nocf_check to disable preamble generation.
- Passes contrib/check_GNU_style.py (with some clear exceptions).
- Added more documentation.
- General cleanups and comment clarifications.

Thanks!

-Kees

[1] https://lore.kernel.org/linux-hardening/20250905001157.it.269-kees@kernel.org/
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107048
[3] https://github.com/KSPP/linux/issues/369
Kees Cook (7):
typeinfo: Introduce KCFI typeinfo mangling API
kcfi: Add core Kernel Control Flow Integrity infrastructure
x86: Add x86_64 Kernel Control Flow Integrity implementation
aarch64: Add AArch64 Kernel Control Flow Integrity implementation
arm: Add ARM 32-bit Kernel Control Flow Integrity implementation
riscv: Add RISC-V Kernel Control Flow Integrity implementation
kcfi: Add regression test suite
gcc/kcfi.h | 52 ++
gcc/kcfi.cc | 601 ++++++++++++++++++
gcc/Makefile.in | 2 +
gcc/c-family/c-common.h | 1 +
gcc/config/aarch64/aarch64-protos.h | 5 +
gcc/config/arm/arm-protos.h | 4 +
gcc/config/i386/i386-protos.h | 1 +
gcc/config/i386/i386.h | 3 +-
gcc/config/riscv/riscv-protos.h | 3 +
gcc/flag-types.h | 2 +
gcc/gimple.h | 22 +
gcc/kcfi-typeinfo.h | 32 +
gcc/tree-pass.h | 1 +
.../gcc.dg/builtin-typeinfo-errors.c | 28 +
gcc/testsuite/gcc.dg/builtin-typeinfo.c | 350 ++++++++++
gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c | 72 +++
gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c | 108 ++++
gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c | 84 +++
.../gcc.dg/kcfi/kcfi-cold-partition.c | 136 ++++
.../gcc.dg/kcfi/kcfi-complex-addressing.c | 135 ++++
.../gcc.dg/kcfi/kcfi-ipa-robustness.c | 54 ++
.../gcc.dg/kcfi/kcfi-move-preservation.c | 55 ++
.../gcc.dg/kcfi/kcfi-no-sanitize-inline.c | 100 +++
gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c | 39 ++
.../gcc.dg/kcfi/kcfi-offset-validation.c | 48 ++
.../gcc.dg/kcfi/kcfi-patchable-basic.c | 70 ++
.../gcc.dg/kcfi/kcfi-patchable-entry-only.c | 62 ++
.../gcc.dg/kcfi/kcfi-patchable-large.c | 51 ++
.../gcc.dg/kcfi/kcfi-patchable-medium.c | 60 ++
.../gcc.dg/kcfi/kcfi-patchable-prefix-only.c | 60 ++
.../gcc.dg/kcfi/kcfi-pic-addressing.c | 104 +++
.../gcc.dg/kcfi/kcfi-retpoline-r11.c | 50 ++
gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c | 151 +++++
gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c | 142 +++++
.../gcc.dg/kcfi/kcfi-trap-encoding.c | 54 ++
gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c | 41 ++
gcc/c-family/c-attribs.cc | 17 +-
gcc/c-family/c-common.cc | 2 +
gcc/c/c-parser.cc | 72 +++
gcc/config/aarch64/aarch64.cc | 116 ++++
gcc/config/aarch64/aarch64.md | 64 +-
gcc/config/arm/arm.cc | 146 +++++
gcc/config/arm/arm.md | 62 ++
gcc/config/i386/i386-expand.cc | 22 +-
gcc/config/i386/i386.cc | 130 ++++
gcc/config/i386/i386.md | 62 +-
gcc/config/riscv/riscv.cc | 159 +++++
gcc/config/riscv/riscv.md | 76 ++-
gcc/df-scan.cc | 7 +
gcc/doc/extend.texi | 132 ++++
gcc/doc/invoke.texi | 100 +++
gcc/doc/tm.texi | 31 +
gcc/doc/tm.texi.in | 12 +
gcc/final.cc | 3 +
gcc/kcfi-typeinfo.cc | 475 ++++++++++++++
gcc/opts.cc | 1 +
gcc/passes.cc | 1 +
gcc/passes.def | 1 +
gcc/rtl.def | 6 +
gcc/rtlanal.cc | 5 +
gcc/target.def | 38 ++
gcc/testsuite/gcc.dg/kcfi/kcfi.exp | 64 ++
gcc/toplev.cc | 10 +
gcc/tree-inline.cc | 10 +
gcc/varasm.cc | 37 +-
65 files changed, 4611 insertions(+), 33 deletions(-)
create mode 100644 gcc/kcfi.h
create mode 100644 gcc/kcfi.cc
create mode 100644 gcc/kcfi-typeinfo.h
create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo-errors.c
create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-cold-partition.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-ipa-robustness.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-move-preservation.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize-inline.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-offset-validation.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-basic.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-entry-only.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-large.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-medium.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-prefix-only.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-pic-addressing.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-retpoline-r11.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-encoding.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c
create mode 100644 gcc/kcfi-typeinfo.cc
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi.exp
--
2.34.1
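The check the cover letter describes (a 32-bit type hash emitted in a preamble before each function, compared at every instrumented indirect call site, with a trap on mismatch) can be modelled in plain C without compiler support. The following is an added illustration, not code from Kees's series or from GCC: the FNV-1a hash over a placeholder prototype string stands in for the real typeinfo mangling, the `kcfi_func` struct carries the type id beside the pointer instead of in the bytes before the entry point, and `kcfi_indirect_call` reports `KCFI_TRAP` where the real instrumentation would execute a trap instruction. A `type_id` of 0 models a callee built without a preamble (as with `nocf_check`); all names are assumptions of this model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the compiler's KCFI type id: 32-bit FNV-1a over a
 * placeholder prototype string. The real ABI derives the value from the
 * function type through its typeinfo mangling; the strings used below are
 * not the real encoding. */
static uint32_t kcfi_type_hash(const char *mangled_prototype)
{
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)mangled_prototype; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h;
}

/* Model of a function with a KCFI preamble. In the real ABI the 32-bit id
 * sits immediately before the entry point; here it travels next to the
 * pointer. type_id == 0 models a callee compiled without a preamble. */
struct kcfi_func {
    uint32_t type_id;
    int (*entry)(int);
};

enum kcfi_result { KCFI_CALLED = 0, KCFI_TRAP = 1 };

/* Model of an instrumented indirect call site: the hash the call site expects
 * for its prototype is compared with the hash found at the target before
 * control transfers. On mismatch the real code traps; this model returns
 * KCFI_TRAP and never invokes the target. */
static enum kcfi_result kcfi_indirect_call(uint32_t expected_type_id,
                                           const struct kcfi_func *target,
                                           int arg, int *ret)
{
    if (target->type_id != expected_type_id)
        return KCFI_TRAP;
    *ret = target->entry(arg);
    return KCFI_CALLED;
}

static int add_one(int x) { return x + 1; }        /* prototype int (int) */
static long scale(long x) { return x * 2; }         /* prototype long (long) */
static int no_preamble(int x) { return -x; }        /* int (int), but no preamble */

/* Call add_one through an int(int) call site: hashes match, so it runs. */
static int checked_add_one(int x)
{
    struct kcfi_func target = { kcfi_type_hash("int(int)"), add_one };
    int ret = 0;
    if (kcfi_indirect_call(kcfi_type_hash("int(int)"), &target, x, &ret) == KCFI_TRAP)
        return -1;  /* not reached: the prototypes agree */
    return ret;
}

/* Drive three targets through one int(int) call site and count the traps.
 * Entry 1 models a pointer swapped to a function of another type (the cast
 * is never exercised because the check fires first); entry 2 models a callee
 * without a preamble. Returns 2 for this table. */
static int count_traps(void)
{
    uint32_t site_id = kcfi_type_hash("int(int)");
    struct kcfi_func targets[3] = {
        { kcfi_type_hash("int(int)"),   add_one },
        { kcfi_type_hash("long(long)"), (int (*)(int))scale },
        { 0,                            no_preamble },
    };
    int traps = 0, ret = 0;
    for (size_t i = 0; i < 3; i++)
        if (kcfi_indirect_call(site_id, &targets[i], 41, &ret) == KCFI_TRAP)
            traps++;
    return traps;
}

int main(void)
{
    printf("add_one(41) via checked call = %d\n", checked_add_one(41));
    printf("trapped calls in table = %d\n", count_traps());
    return 0;
}
```

The model captures the property the series relies on: a corrupted or wrongly typed function pointer is rejected before any instruction of the callee runs, and a callee whose preamble was not generated can only be reached through a call site that is itself not instrumented. The real hash width (32 bits) and the placement of the id before the entry point are per the cover letter; the hash function and the prototype strings are this example's own.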