lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YYuoawC2CpornRSG@FVFF77S0Q05N>
Date:   Wed, 10 Nov 2021 11:09:40 +0000
From:   Mark Rutland <mark.rutland@....com>
To:     Quentin Perret <qperret@...gle.com>
Cc:     Ard Biesheuvel <ardb@...nel.org>,
        Linux ARM <linux-arm-kernel@...ts.infradead.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Catalin Marinas <catalin.marinas@....com>,
        James Morse <james.morse@....com>,
        Will Deacon <will@...nel.org>,
        Frederic Weisbecker <frederic@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Kees Cook <keescook@...omium.org>,
        Sami Tolvanen <samitolvanen@...gle.com>,
        Andy Lutomirski <luto@...nel.org>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Steven Rostedt <rostedt@...dmis.org>
Subject: Re: [PATCH v6 2/2] arm64: implement support for static call
 trampolines

Hi,

On Tue, Nov 09, 2021 at 07:02:21PM +0000, Quentin Perret wrote:
> On Tuesday 09 Nov 2021 at 19:09:21 (+0100), Ard Biesheuvel wrote:
> > Android relies heavily on tracepoints for vendor hooks, and given the
> > performance impact of CFI on indirect calls, there has been interest
> > in enabling static calls to replace them.

Hhmm.... what exactly is a "vendor hook" in this context, and what is it doing
with a tracepoint? From an upstream perspective that sounds somewhat fishy
usage.

> > Quentin, anything to add here?
> 
> Yes, Android should definitely benefit from static calls.
> 
> Modules attaching to tracepoints cause a measurable overhead w/ CFI as
> the jump target is a bit harder to verify if it is not in-kernel.

Where does that additional overhead come from when the target is not in-kernel?

I hope that I am wrong in understanding that __cfi_slowpath_diag() means we're
always doing an out-of-line check when calling into a module?

If that were the case, that would seem to be a much more general problem with
the current clang CFI scheme, and my fear here is that we're adding fragility
and complexity in specific plces to work around general problems with the CFI
scheme.

Thanks,
Mark.

> But sadly that's a common pattern for GKI. The current 'workaround' in
> Android has been to just plain disable CFI around all tracepoints in the
> kernel, which is a bit sad from a security PoV. But there was really no other
> option at the time, and we needed the performance back. Static calls would be
> a far superior solution as they would avoid much of the CFI overhead, and are
> not vulnerable in the CFI sense (that is, the branch target can't be easily
> overridden with a random OOB write from a dodgy driver). So yes, we'd really
> like to have those please :)
> 
> Thanks,
> Quentin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ