| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202511201606.079192C85@keescook>
Date: Thu, 20 Nov 2025 16:18:33 -0800
From: Kees Cook <kees@...nel.org>
To: Andrew Pinski <andrew.pinski@....qualcomm.com>
Cc: Qing Zhao <qing.zhao@...cle.com>, Uros Bizjak <ubizjak@...il.com>,
Joseph Myers <josmyers@...hat.com>,
Richard Biener <rguenther@...e.de>,
Jeff Law <jeffreyalaw@...il.com>, Andrew Pinski <pinskia@...il.com>,
Jakub Jelinek <jakub@...hat.com>, Martin Uecker <uecker@...raz.at>,
Peter Zijlstra <peterz@...radead.org>,
Ard Biesheuvel <ardb@...nel.org>, Jan Hubicka <hubicka@....cz>,
Richard Earnshaw <richard.earnshaw@....com>,
Richard Sandiford <richard.sandiford@....com>,
Marcus Shawcroft <marcus.shawcroft@....com>,
Kyrylo Tkachov <kyrylo.tkachov@....com>,
Kito Cheng <kito.cheng@...il.com>,
Palmer Dabbelt <palmer@...belt.com>,
Andrew Waterman <andrew@...ive.com>,
Jim Wilson <jim.wilson.gcc@...il.com>,
Dan Li <ashimida.1990@...il.com>,
Sami Tolvanen <samitolvanen@...gle.com>,
Ramon de C Valle <rcvalle@...gle.com>,
Joao Moreira <joao@...rdrivepizza.com>,
Nathan Chancellor <nathan@...nel.org>,
Bill Wendling <morbo@...gle.com>,
"Osterlund, Sebastian" <sebastian.osterlund@...el.com>,
"Constable, Scott D" <scott.d.constable@...el.com>,
gcc-patches@....gnu.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH v8 5/7] aarch64: Add AArch64 Kernel Control Flow
Integrity implementation
On Thu, Nov 20, 2025 at 03:10:41PM -0800, Andrew Pinski wrote:
> On Thu, Nov 20, 2025 at 2:57 PM Andrew Pinski
> <andrew.pinski@....qualcomm.com> wrote:
> > Also I am still trying to figure out and understand the interaction
> > between x16 and x17 in some cases.
> > Because I thought indirect calls/jumps will be using x16/x17 for those
> > to support BTI.
>
> Oh yes:
> (define_register_constraint "Ucr"
> "aarch64_harden_sls_blr_p () ? STUB_REGS : GENERAL_REGS"
> "@internal Registers to be used for an indirect call.
> This is usually the general registers, but when we are hardening against
> Straight Line Speculation we disallow x16, x17, and x30 so we can use
> indirection stubs. These indirection stubs cannot use the above registers
> since they will be reached by a BL that may have to go through a linker
> veneer.")
>
> But you don't change Ucr so in theory x16/x17 could be used for call_value_insn.
> (I can't get that one using x16/x17 right now).
>
> Oh and sibcall_insn uses Ucs which is defined as:
> (define_register_constraint "Ucs" "TAILCALL_ADDR_REGS"
> "@internal Registers suitable for an indirect tail call")
> TAILCALL_ADDR_REGS is a register class which just contains x16/x17.
Hm, I will need to study this more closely. I wonder if both kcfi and sls
hardening end up being self-contained users of the scratch registers? I'll
double check that my kernel test builds have SLS hardening enabled. (And
I'll likely need to add some aarch64-specific sibcall tests with/without
SLS hardening to see the resulting asm.)
> I don't see a testcase for indirect sibcall either.
>
> ```
> typedef void (*fptr)(void);
> void f(fptr a)
> {
> a();
> }
> ```
> Is a testcase for the indirect sibcall case.
I did include basic tests for a variety of sibcalls in the patch that
added the general tests; see gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c
(though I named it "tail calls"), and the fptr test includes an argument
(the comment is x86-specific, but it should be a valid test for all archs):
+/* Indirect call through function pointer parameter. */
+int test_param_indirect_call(func_ptr_t handler, int x) {
+ /* This is an indirect call that should be converted to tail call:
+ Without -fno-optimize-sibling-calls should become "jmp *%rdi"
+ With -fno-optimize-sibling-calls should be "call *%rdi" */
+ return handler(x);
+}
-Kees
--
Kees Cook
Powered by blists - more mailing lists