| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Oct 2021 19:51:11 -0700
From: "Andy Lutomirski" <luto@...nel.org>
To: "Sami Tolvanen" <samitolvanen@...gle.com>,
"the arch/x86 maintainers" <x86@...nel.org>
Cc: "Kees Cook" <keescook@...omium.org>,
"Josh Poimboeuf" <jpoimboe@...hat.com>,
"Peter Zijlstra (Intel)" <peterz@...radead.org>,
"Nathan Chancellor" <nathan@...nel.org>,
"Nick Desaulniers" <ndesaulniers@...gle.com>,
"Sedat Dilek" <sedat.dilek@...il.com>,
"Steven Rostedt" <rostedt@...dmis.org>,
linux-hardening@...r.kernel.org,
"Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>,
llvm@...ts.linux.dev
Subject: Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C
On Wed, Oct 13, 2021, at 11:16 AM, Sami Tolvanen wrote:
> The kernel has several assembly functions, which are not directly
> callable from C but need to be referred to from C code. This change adds
> the DECLARE_NOT_CALLED_FROM_C macro, which allows us to declare these
> symbols using an opaque type, which makes misuse harder, and avoids the
> need to annotate references to the functions for Clang's Control-Flow
> Integrity (CFI).
>
> Suggested-by: Andy Lutomirski <luto@...capital.net>
> Suggested-by: Steven Rostedt <rostedt@...dmis.org>
> Signed-off-by: Sami Tolvanen <samitolvanen@...gle.com>
> Tested-by: Nick Desaulniers <ndesaulniers@...gle.com>
> Tested-by: Sedat Dilek <sedat.dilek@...il.com>
> ---
> include/linux/linkage.h | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/include/linux/linkage.h b/include/linux/linkage.h
> index dbf8506decca..f982d5f550ac 100644
> --- a/include/linux/linkage.h
> +++ b/include/linux/linkage.h
> @@ -48,6 +48,19 @@
> #define __PAGE_ALIGNED_DATA .section ".data..page_aligned", "aw"
> #define __PAGE_ALIGNED_BSS .section ".bss..page_aligned", "aw"
>
> +/*
> + * Declares a function not callable from C using an opaque type. Defined as
> + * an array to allow the address of the symbol to be taken without '&'.
> + */
I’m not convinced that taking the address without using & is a laudable goal. The magical arrays-are-pointers-too behavior of C is a mistake, not a delightful simplification.
> +#ifndef DECLARE_NOT_CALLED_FROM_C
> +#define DECLARE_NOT_CALLED_FROM_C(sym) \
> + extern const u8 sym[]
> +#endif
The relevant property of these symbols isn’t that they’re not called from C. The relevant thing is that they are just and not objects of a type that the programmer cares to tell the compiler about. (Or that the compiler understands, for that matter. On a system with XO memory or if they’re in a funny section, dereferencing them may fail.)
So I think we should use incomplete structs, which can’t be dereferenced and will therefore be less error prone.
Powered by blists - more mailing lists