| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YesPesOhftSzp2ft@sol.localdomain>
Date: Fri, 21 Jan 2022 11:54:34 -0800
From: Eric Biggers <ebiggers@...nel.org>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: Miles Chen <miles.chen@...iatek.com>,
Ard Biesheuvel <ardb@...nel.org>,
Linux ARM <linux-arm-kernel@...ts.infradead.org>,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
linux-mediatek@...ts.infradead.org,
Nick Desaulniers <ndesaulniers@...gle.com>,
Sami Tolvanen <samitolvanen@...gle.com>
Subject: Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression
function for Clang CFI
On Wed, Jan 19, 2022 at 02:54:50PM +0100, Jason A. Donenfeld wrote:
> blake2s_compress_generic is weakly aliased to blake2s_generic. The
> current harness for function selection uses a function pointer, which is
> ordinarily inlined and resolved at compile time. But when Clang's CFI is
> enabled, CFI still triggers when making an indirect call via a weak
> symbol. This seems like a bug in Clang's CFI, as though it's bucketing
> weak symbols and strong symbols differently. It also only seems to
> trigger when "full LTO" mode is used, rather than "thin LTO".
>
> [ 0.000000][ T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
> [ 0.000000][ T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
> [ 0.000000][ T0] Hardware name: MT6873 (DT)
> [ 0.000000][ T0] Call trace:
> [ 0.000000][ T0] dump_backtrace+0xfc/0x1dc
> [ 0.000000][ T0] dump_stack_lvl+0xa8/0x11c
> [ 0.000000][ T0] panic+0x194/0x464
> [ 0.000000][ T0] __cfi_check_fail+0x54/0x58
> [ 0.000000][ T0] __cfi_slowpath_diag+0x354/0x4b0
> [ 0.000000][ T0] blake2s_update+0x14c/0x178
> [ 0.000000][ T0] _extract_entropy+0xf4/0x29c
> [ 0.000000][ T0] crng_initialize_primary+0x24/0x94
> [ 0.000000][ T0] rand_initialize+0x2c/0x6c
> [ 0.000000][ T0] start_kernel+0x2f8/0x65c
> [ 0.000000][ T0] __primary_switched+0xc4/0x7be4
> [ 0.000000][ T0] Rebooting in 5 seconds..
>
> Nonetheless, the function pointer method isn't so terrific anyway, so
> this patch replaces it with a simple boolean, which also gets inlined
> away. This successfully works around the Clang bug.
>
> In general, I'm not too keen on all of the indirection involved here; it
> clearly does more harm than good. Hopefully the whole thing can get
> cleaned up down the road when lib/crypto is overhauled more
> comprehensively. But for now, we go with a simple bandaid.
>
> Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
> Reported-by: Miles Chen <miles.chen@...iatek.com>
> Cc: Nick Desaulniers <ndesaulniers@...gle.com>
> Cc: Sami Tolvanen <samitolvanen@...gle.com>
> Cc: Ard Biesheuvel <ardb@...nel.org>
> Signed-off-by: Jason A. Donenfeld <Jason@...c4.com>
> ---
> arch/arm/crypto/blake2s-shash.c | 4 ++--
> arch/x86/crypto/blake2s-shash.c | 4 ++--
> crypto/blake2s_generic.c | 4 ++--
> include/crypto/internal/blake2s.h | 36 ++++++++++++++++++-------------
> lib/crypto/blake2s.c | 4 ++--
> 5 files changed, 29 insertions(+), 23 deletions(-)
There are some lines over 80 columns in this patch.
Otherwise this looks fine. It would be really nice to fix this in clang,
though.
- Eric
Powered by blists - more mailing lists