| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Ymx1JcO36h7YqLa0@hirez.programming.kicks-ass.net>
Date: Sat, 30 Apr 2022 01:30:45 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Sami Tolvanen <samitolvanen@...gle.com>
Cc: linux-kernel@...r.kernel.org, Kees Cook <keescook@...omium.org>,
Josh Poimboeuf <jpoimboe@...hat.com>, x86@...nel.org,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>,
Mark Rutland <mark.rutland@....com>,
Nathan Chancellor <nathan@...nel.org>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Joao Moreira <joao@...rdrivepizza.com>,
Sedat Dilek <sedat.dilek@...il.com>,
Steven Rostedt <rostedt@...dmis.org>,
linux-hardening@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org, llvm@...ts.linux.dev
Subject: Re: [RFC PATCH 16/21] objtool: Add support for CONFIG_CFI_CLANG
On Fri, Apr 29, 2022 at 01:36:39PM -0700, Sami Tolvanen wrote:
> +static void *kcfi_alloc_hash(unsigned long size)
> +{
> + kcfi_bits = max(10, ilog2(size));
> + kcfi_hash = mmap(NULL, sizeof(struct hlist_head) << kcfi_bits,
> + PROT_READ|PROT_WRITE,
> + MAP_PRIVATE|MAP_ANON, -1, 0);
> + if (kcfi_hash == (void *)-1L) {
> + WARN("mmap fail kcfi_hash");
> + kcfi_hash = NULL;
> + } else if (stats) {
> + printf("kcfi_bits: %d\n", kcfi_bits);
> + }
> +
> + return kcfi_hash;
> +}
> +
> +static void add_kcfi_type(struct kcfi_type *type)
> +{
> + hlist_add_head(&type->hash,
> + &kcfi_hash[hash_min(
> + sec_offset_hash(type->sec, type->offset),
> + kcfi_bits)]);
:se cino=(0:0
Also, I'm thinking you can unwrap some lines at least.
> +}
> +
> +static bool is_kcfi_typeid(struct elf *elf, struct instruction *insn)
> +{
> + struct hlist_head *head;
> + struct kcfi_type *type;
> + struct reloc *reloc;
> +
> + if (!kcfi)
> + return false;
> +
> + /* Compiler-generated annotation in .kcfi_types. */
> + head = &kcfi_hash[hash_min(sec_offset_hash(insn->sec, insn->offset), kcfi_bits)];
> +
> + hlist_for_each_entry(type, head, hash)
> + if (type->sec == insn->sec && type->offset == insn->offset)
> + return true;
missing { }
> +
> + /* Manual annotation (in assembly code). */
> + reloc = find_reloc_by_dest(elf, insn->sec, insn->offset);
> +
> + if (reloc && !strncmp(reloc->sym->name, "__kcfi_typeid_", 14))
> + return true;
> +
> + return false;
> +}
> +
> /*
> * This checks to see if the given function is a "noreturn" function.
> *
> @@ -388,13 +487,18 @@ static int decode_instructions(struct objtool_file *file)
> insn->sec = sec;
> insn->offset = offset;
>
> - ret = arch_decode_instruction(file, sec, offset,
> - sec->sh.sh_size - offset,
> - &insn->len, &insn->type,
> - &insn->immediate,
> - &insn->stack_ops);
> - if (ret)
> - goto err;
> + if (is_kcfi_typeid(file->elf, insn)) {
> + insn->type = INSN_KCFI_TYPEID;
> + insn->len = KCFI_TYPEID_LEN;
Urgh, what does this do for decode speed? This is a hash-lookup for
every single instruction.
Is that kcfi location array sorted by the compiler? Because then you can
keep a running iterator and replace the whole lookup with a simple
equality comparison.
> + } else {
> + ret = arch_decode_instruction(file, sec, offset,
> + sec->sh.sh_size - offset,
> + &insn->len, &insn->type,
> + &insn->immediate,
> + &insn->stack_ops);
> + if (ret)
> + goto err;
> + }
>
> /*
> * By default, "ud2" is a dead end unless otherwise
Powered by blists - more mailing lists