lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <7377e6b9-7130-4c20-a0c8-16de4620c995@www.fastmail.com>
Date:   Thu, 14 Oct 2021 19:51:11 -0700
From:   "Andy Lutomirski" <luto@...nel.org>
To:     "Sami Tolvanen" <samitolvanen@...gle.com>,
        "the arch/x86 maintainers" <x86@...nel.org>
Cc:     "Kees Cook" <keescook@...omium.org>,
        "Josh Poimboeuf" <jpoimboe@...hat.com>,
        "Peter Zijlstra (Intel)" <peterz@...radead.org>,
        "Nathan Chancellor" <nathan@...nel.org>,
        "Nick Desaulniers" <ndesaulniers@...gle.com>,
        "Sedat Dilek" <sedat.dilek@...il.com>,
        "Steven Rostedt" <rostedt@...dmis.org>,
        linux-hardening@...r.kernel.org,
        "Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>,
        llvm@...ts.linux.dev
Subject: Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C



On Wed, Oct 13, 2021, at 11:16 AM, Sami Tolvanen wrote:
> The kernel has several assembly functions, which are not directly
> callable from C but need to be referred to from C code. This change adds
> the DECLARE_NOT_CALLED_FROM_C macro, which allows us to declare these
> symbols using an opaque type, which makes misuse harder, and avoids the
> need to annotate references to the functions for Clang's Control-Flow
> Integrity (CFI).
>
> Suggested-by: Andy Lutomirski <luto@...capital.net>
> Suggested-by: Steven Rostedt <rostedt@...dmis.org>
> Signed-off-by: Sami Tolvanen <samitolvanen@...gle.com>
> Tested-by: Nick Desaulniers <ndesaulniers@...gle.com>
> Tested-by: Sedat Dilek <sedat.dilek@...il.com>
> ---
>  include/linux/linkage.h | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
>
> diff --git a/include/linux/linkage.h b/include/linux/linkage.h
> index dbf8506decca..f982d5f550ac 100644
> --- a/include/linux/linkage.h
> +++ b/include/linux/linkage.h
> @@ -48,6 +48,19 @@
>  #define __PAGE_ALIGNED_DATA	.section ".data..page_aligned", "aw"
>  #define __PAGE_ALIGNED_BSS	.section ".bss..page_aligned", "aw"
> 
> +/*
> + * Declares a function not callable from C using an opaque type. Defined as
> + * an array to allow the address of the symbol to be taken without '&'.
> + */

I’m not convinced that taking the address without using & is a laudable goal.  The magical arrays-are-pointers-too behavior of C is a mistake, not a delightful simplification.

> +#ifndef DECLARE_NOT_CALLED_FROM_C
> +#define DECLARE_NOT_CALLED_FROM_C(sym) \
> +	extern const u8 sym[]
> +#endif

The relevant property of these symbols isn’t that they’re not called from C.  The relevant thing is that they are just and not objects of a type that the programmer cares to tell the compiler about. (Or that the compiler understands, for that matter. On a system with XO memory or if they’re in a funny section, dereferencing them may fail.)

So I think we should use incomplete structs, which can’t be dereferenced and will therefore be less error prone.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ