lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YoecUo+D1XaphlA/@casper.infradead.org>
Date:   Fri, 20 May 2022 14:49:06 +0100
From:   Matthew Wilcox <willy@...radead.org>
To:     Peter Zijlstra <peterz@...radead.org>
Cc:     Sami Tolvanen <samitolvanen@...gle.com>,
        linux-kernel@...r.kernel.org, Kees Cook <keescook@...omium.org>,
        Josh Poimboeuf <jpoimboe@...hat.com>, x86@...nel.org,
        Catalin Marinas <catalin.marinas@....com>,
        Will Deacon <will@...nel.org>,
        Mark Rutland <mark.rutland@....com>,
        Nathan Chancellor <nathan@...nel.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Joao Moreira <joao@...rdrivepizza.com>,
        Sedat Dilek <sedat.dilek@...il.com>,
        Steven Rostedt <rostedt@...dmis.org>,
        linux-hardening@...r.kernel.org,
        linux-arm-kernel@...ts.infradead.org, llvm@...ts.linux.dev
Subject: Re: [RFC PATCH v2 20/21] x86: Add support for CONFIG_CFI_CLANG

On Mon, May 16, 2022 at 02:58:44PM +0200, Peter Zijlstra wrote:
> @willy, how horribly broken is this xarray usage?

The xarray doesn't work very well as a hash ;-(  It has pretty much
pessimal memory usage if you have a good hash.  You'll end up allocating
essentially the entire 4 billion * ptr_size address space of the hash.
Can you use an rhashtable instead?

> ---
>  arch/x86/include/asm/traps.h            |   1 +
>  arch/x86/kernel/alternative.c           | 316 ++++++++++++++++++++++++++++++++
>  arch/x86/kernel/cpu/common.c            |   5 +
>  arch/x86/kernel/vmlinux.lds.S           |   9 +
>  tools/objtool/check.c                   |  67 ++++++-
>  tools/objtool/include/objtool/objtool.h |   1 +
>  tools/objtool/objtool.c                 |   1 +
>  7 files changed, 399 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h
> index 35317c5c551d..a423343cffbc 100644
> --- a/arch/x86/include/asm/traps.h
> +++ b/arch/x86/include/asm/traps.h
> @@ -19,6 +19,7 @@ asmlinkage __visible noinstr struct pt_regs *vc_switch_off_ist(struct pt_regs *e
>  #endif
>  
>  extern bool ibt_selftest(void);
> +extern bool ibt_broken;
>  
>  #ifdef CONFIG_X86_F00F_BUG
>  /* For handling the FOOF bug */
> diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
> index d374cb3cf024..abce4e78a1e0 100644
> --- a/arch/x86/kernel/alternative.c
> +++ b/arch/x86/kernel/alternative.c
> @@ -18,6 +18,9 @@
>  #include <linux/mmu_context.h>
>  #include <linux/bsearch.h>
>  #include <linux/sync_core.h>
> +#include <linux/moduleloader.h>
> +#include <linux/xarray.h>
> +#include <linux/set_memory.h>
>  #include <asm/text-patching.h>
>  #include <asm/alternative.h>
>  #include <asm/sections.h>
> @@ -115,6 +118,7 @@ static void __init_or_module add_nops(void *insns, unsigned int len)
>  }
>  
>  extern s32 __retpoline_sites[], __retpoline_sites_end[];
> +extern s32 __cfi_sites[], __cfi_sites_end[];
>  extern s32 __ibt_endbr_seal[], __ibt_endbr_seal_end[];
>  extern struct alt_instr __alt_instructions[], __alt_instructions_end[];
>  extern s32 __smp_locks[], __smp_locks_end[];
> @@ -549,6 +553,315 @@ void __init_or_module noinline apply_ibt_endbr(s32 *start, s32 *end) { }
>  
>  #endif /* CONFIG_X86_KERNEL_IBT */
>  
> +#ifdef CONFIG_CFI_CLANG
> +/*
> + *  FineIBT                                         kCFI
> + *
> + *  __fineibt_\hash:
> + *    xor     \hash, %r10     # 7
> + *    jz      1f              # 2
> + *    ud2                     # 2
> + *  1:ret                     # 1
> + *    int3                    # 1
> + *
> + *
> + *  __cfi_\sym:                                     __cfi_\sym:
> + *                                                    int3; int3                              # 2
> + *    endbr                   # 4                     mov     \hash, %eax                     # 5
> + *    call    __fineibt_\hash # 5                     int3; int3                              # 2
> + *  \sym:                                           \sym:
> + *  ...                                             ...
> + *
> + *
> + *  caller:                                         caller:
> + *    movl    \hash, %r10d    # 6                     cmpl    \hash, -6(%r11)                 # 8
> + *    sub     $9, %r11        # 4                     je      1f                              # 2
> + *    nop2                    # 2                     ud2                                     # 2
> + *
> + *    call    *%r11           # 3                     call    __x86_indirect_thunk_r11        # 5
> + *    nop2                    # 2
> + */
> +
> +static DEFINE_XARRAY(cfi_hashes);
> +static int nr_cfi_hashes;
> +
> +static u32 decode_cfi_preamble(void *addr)
> +{
> +	u8 *p = addr;
> +
> +	if (p[0] == 0xcc && p[1] == 0xcc &&
> +	    p[2] == 0xb8 &&
> +	    p[7] == 0xcc && p[8] == 0xcc)
> +		return *(u32 *)(addr + 3);
> +
> +	return 0; /* invalid hash value */
> +}
> +
> +static u32 decode_cfi_caller(void *addr)
> +{
> +	u8 *p = addr;
> +
> +	if (((p[0] == 0x41 && p[1] == 0x81) ||
> +	     (p[0] == 0xeb && p[1] == 0x0a)) && p[2] == 0x7b &&
> +	    p[8] == 0x74 && p[9] == 0x02 &&
> +	    p[10] == 0x0f && p[11] == 0x0b)
> +		return *(u32 *)(addr + 4);
> +
> +	return 0; /* invalid hash value */
> +}
> +
> +// .cfi_sites
> +static int cfi_index_hashes(s32 *start, s32 *end)
> +{
> +	s32 *s;
> +
> +	for (s = start; s < end; s++) {
> +		void *addr = (void *)s + *s;
> +		void *xa;
> +		u32 hash;
> +
> +		hash = decode_cfi_preamble(addr);
> +		if (!hash) {
> +			//WARN();
> +			return -EINVAL;
> +		}
> +
> +		xa = xa_store(&cfi_hashes, hash, NULL, GFP_KERNEL);
> +		if (xa_is_err(xa)) {
> +			//WARN();
> +			return xa_err(xa);
> +		}
> +		nr_cfi_hashes++;
> +	}
> +
> +	return 0;
> +}
> +
> +asm (	".pushsection .rodata\n"
> +	"fineibt_template_start:\n"
> +	"	xorl	$0x12345678, %r10d\n"	// 7
> +	"	je	1f\n"			// 2
> +	"	ud2\n"				// 2
> +	"1:	ret\n"				// 1
> +	"	int3\n"
> +	"	int3\n"
> +	"	int3\n"
> +	"	int3\n"				// 4
> +	"fineibt_template_end:\n"
> +	".popsection\n"
> +    );
> +
> +extern u8 fineibt_template_start[];
> +extern u8 fineibt_template_end[];
> +
> +static int cfi_create_fineibt_stubs(void)
> +{
> +	size_t size = 16 * nr_cfi_hashes;
> +	int pages = 1 + ((size - 1) >> PAGE_SHIFT);
> +	void *text, *entry, *xa;
> +	unsigned long hash;
> +	int err = -ENOMEM;
> +
> +	text = module_alloc(size);
> +	if (!text)
> +		return err;
> +
> +	entry = text;
> +	xa_for_each(&cfi_hashes, hash, xa) {
> +
> +		memcpy(entry, fineibt_template_start, 16);
> +		*(u32 *)(entry + 3) = hash;
> +
> +		xa = xa_store(&cfi_hashes, hash, entry, GFP_KERNEL);
> +		if (xa_is_err(xa)) {
> +			err = xa_err(xa);
> +			goto err_alloc;
> +		}
> +		if (xa) {
> +			err = -EINVAL;
> +			goto err_alloc;
> +		}
> +
> +		entry += 16;
> +	}
> +
> +	set_memory_ro((unsigned long)text, pages);
> +	set_memory_x((unsigned long)text, pages);
> +
> +	return 0;
> +
> +err_alloc:
> +	module_memfree(text);
> +	return -EINVAL;
> +}
> +
> +// .retpoline_sites
> +static int cfi_disable_callers(s32 *start, s32 *end)
> +{
> +	/*
> +	 * Disable CFI by patching in a 2 byte JMP, this leaves the hash in
> +	 * tact for later usage. Also see decode_cfi_caller() and
> +	 * cfu_rewrite_callers().
> +	 */
> +	const u8 jmp12[] = { 0xeb, 0x0a };
> +	s32 *s;
> +
> +	for (s = start; s < end; s++) {
> +		void *addr = (void *)s + *s;
> +		u32 hash;
> +
> +		hash = decode_cfi_caller(addr - 12);
> +		if (!hash) {
> +			// WARN();
> +			return -EINVAL;
> +		}
> +
> +		text_poke_early(addr - 12, jmp12, 2);
> +	}
> +
> +	return 0;
> +}
> +
> +asm (	".pushsection .rodata\n"
> +	"fineibt_cfi_start:\n"
> +	"	endbr64\n"
> +	"	call fineibt_caller_start\n"
> +	"fineibt_cfi_end:"
> +	".popsection\n"
> +    );
> +
> +extern u8 fineibt_cfi_start[];
> +extern u8 fineibt_cfi_end[];
> +
> +// .cfi_sites
> +static int cfi_rewrite_cfi(s32 *start, s32 *end)
> +{
> +	s32 *s;
> +
> +	for (s = start; s < end; s++) {
> +		void *dest, *addr = (void *)s + *s;
> +		unsigned long index;
> +		u32 hash;
> +
> +		index = hash = decode_cfi_preamble(addr);
> +		dest = xa_find(&cfi_hashes, &index, hash, XA_PRESENT);
> +
> +		if (WARN_ON_ONCE(index != hash || !dest))
> +			return -EINVAL;
> +
> +		text_poke_early(addr, fineibt_cfi_start,
> +				(fineibt_cfi_end - fineibt_cfi_start));
> +
> +		__text_gen_insn(addr + 4,
> +				CALL_INSN_OPCODE, addr + 4,
> +				dest, CALL_INSN_SIZE);
> +	}
> +
> +	return 0;
> +}
> +
> +asm (	".pushsection .rodata\n"
> +	"fineibt_caller_start:\n"
> +	"	movl	$0x12345678, %r10d\n"
> +	"	sub	$9, %r11\n"
> +	"	.nops	2\n"
> +	"fineibt_caller_end:"
> +	".popsection\n"
> +    );
> +
> +extern u8 fineibt_caller_start[];
> +extern u8 fineibt_caller_end[];
> +
> +// .retpoline_sites
> +static int cfi_rewrite_callers(s32 *start, s32 *end)
> +{
> +	s32 *s;
> +
> +	for (s = start; s < end; s++) {
> +		void *addr = (void *)s + *s;
> +		u32 hash;
> +
> +		hash = decode_cfi_caller(addr - 12);
> +
> +		if (WARN_ON_ONCE(!hash))
> +			return -EINVAL;
> +
> +		text_poke_early(addr - 12, fineibt_caller_start,
> +				(fineibt_caller_end - fineibt_caller_end));
> +
> +		*(u32 *)(addr - 12 + 2) = hash;
> +
> +		/* rely on apply_retpolines() to rewrite the actual call */
> +	}
> +
> +	return 0;
> +}
> +
> +bool __ro_after_init ibt_broken = false;
> +
> +static void apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
> +			  s32 *start_cfi, s32 *end_cfi)
> +{
> +	int ret;
> +
> +	/* If IBT, use FineIBT */
> +	if (!HAS_KERNEL_IBT || !cpu_feature_enabled(X86_FEATURE_IBT))
> +		return;
> +
> +	/*
> +	 * Find and count all unique hash values.
> +	 */
> +	ret = cfi_index_hashes(start_cfi, end_cfi);
> +	if (ret)
> +		goto err;
> +
> +	/*
> +	 * Allocate module memory and write FineIBT stubs.
> +	 */
> +	ret = cfi_create_fineibt_stubs();
> +	if (ret)
> +		goto err;
> +
> +	/*
> +	 * Rewrite the callers to not use the __cfi_ stubs, such that we might
> +	 * rewrite them. Disables all CFI. If this succeeds but any of the
> +	 * later stages fails, we're CFI-less.
> +	 */
> +	ret = cfi_disable_callers(start_retpoline, end_retpoline);
> +	if (ret)
> +		goto err;
> +
> +	/*
> +	 * Rewrite the __cfi_ stubs from kCFI to FineIBT.
> +	 */
> +	ret = cfi_rewrite_cfi(start_cfi, end_cfi);
> +	if (ret)
> +		goto err;
> +
> +	/*
> +	 * Now that everything is in place; rewrite the callers to FineIBT.
> +	 */
> +	ret = cfi_rewrite_callers(start_retpoline, end_retpoline);
> +	if (ret)
> +		goto err;
> +
> +	return;
> +
> +err:
> +	pr_err("Something went horribly wrong trying to rewrite the CFI implementation.\n");
> +	/* must *NOT* enable IBT */
> +	ibt_broken = true;
> +}
> +
> +#else
> +
> +static void apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
> +			  s32 *start_cfi, s32 *end_cfi)
> +{
> +}
> +
> +#endif
> +
>  #ifdef CONFIG_SMP
>  static void alternatives_smp_lock(const s32 *start, const s32 *end,
>  				  u8 *text, u8 *text_end)
> @@ -855,6 +1168,9 @@ void __init alternative_instructions(void)
>  	 */
>  	apply_paravirt(__parainstructions, __parainstructions_end);
>  
> +	apply_fineibt(__retpoline_sites, __retpoline_sites_end,
> +		      __cfi_sites, __cfi_sites_end);
> +
>  	/*
>  	 * Rewrite the retpolines, must be done before alternatives since
>  	 * those can rewrite the retpoline thunks.
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index e342ae4db3c4..e4377256b952 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -630,6 +630,11 @@ static __always_inline void setup_cet(struct cpuinfo_x86 *c)
>  	    !cpu_feature_enabled(X86_FEATURE_IBT))
>  		return;
>  
> +#ifdef CONFIG_CFI_CLANG
> +	if (ibt_broken)
> +		return;
> +#endif
> +
>  	wrmsrl(MSR_IA32_S_CET, msr);
>  	cr4_set_bits(X86_CR4_CET);
>  
> diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
> index 7fda7f27e762..72ffc91ddd20 100644
> --- a/arch/x86/kernel/vmlinux.lds.S
> +++ b/arch/x86/kernel/vmlinux.lds.S
> @@ -294,6 +294,15 @@ SECTIONS
>  	}
>  #endif
>  
> +#if defined(CONFIG_CFI_CLANG) && defined(CONFIG_RETPOLINE) && defined(CONFIG_X86_KERNEL_IBT)
> +	. = ALIGN(8);
> +	.cfi_sites : AT(ADDR(.cfi_sites) - LOAD_OFFSET) {
> +		__cfi_sites = .;
> +		*(.cfi_sites)
> +		__cfi_sites_end = .;
> +	}
> +#endif
> +
>  	/*
>  	 * struct alt_inst entries. From the header (alternative.h):
>  	 * "Alternative instructions for different CPU types or capabilities"
> diff --git a/tools/objtool/check.c b/tools/objtool/check.c
> index 88f005ae6dcc..edc8aecf229c 100644
> --- a/tools/objtool/check.c
> +++ b/tools/objtool/check.c
> @@ -797,6 +797,52 @@ static int create_ibt_endbr_seal_sections(struct objtool_file *file)
>  	return 0;
>  }
>  
> +static int create_cfi_sections(struct objtool_file *file)
> +{
> +	struct instruction *insn;
> +	struct section *sec;
> +	int idx;
> +
> +	sec = find_section_by_name(file->elf, ".cfi_sites");
> +	if (sec) {
> +		WARN("file already has .cfi_sites, skipping");
> +		return 0;
> +	}
> +
> +	idx = 0;
> +	list_for_each_entry(insn, &file->cfi_list, call_node)
> +		idx++;
> +
> +	if (!idx)
> +		return 0;
> +
> +	sec = elf_create_section(file->elf, ".cfi_sites", 0,
> +				 sizeof(int), idx);
> +	if (!sec) {
> +		WARN("elf_create_section: .cfi_sites");
> +		return -1;
> +	}
> +
> +	idx = 0;
> +	list_for_each_entry(insn, &file->cfi_list, call_node) {
> +
> +		int *site = (int *)sec->data->d_buf + idx;
> +		*site = 0;
> +
> +		if (elf_add_reloc_to_insn(file->elf, sec,
> +					  idx * sizeof(int),
> +					  R_X86_64_PC32,
> +					  insn->sec, insn->offset)) {
> +			WARN("elf_add_reloc_to_insn: .cfi_sites");
> +			return -1;
> +		}
> +
> +		idx++;
> +	}
> +
> +	return 0;
> +}
> +
>  static int create_mcount_loc_sections(struct objtool_file *file)
>  {
>  	struct section *sec;
> @@ -3301,6 +3347,7 @@ static int validate_branch(struct objtool_file *file, struct symbol *func,
>  {
>  	struct alternative *alt;
>  	struct instruction *next_insn, *prev_insn = NULL;
> +	struct instruction *first_insn = insn;
>  	struct section *sec;
>  	u8 visited;
>  	int ret;
> @@ -3312,8 +3359,19 @@ static int validate_branch(struct objtool_file *file, struct symbol *func,
>  
>  		if (func && insn->func && func != insn->func->pfunc) {
>  			/* Ignore KCFI type preambles, which always fall through */
> -			if (!strncmp(func->name, "__cfi_", 6))
> +			if (!strncmp(func->name, "__cfi_", 6)) {
> +				/*
> +				 * If the function has a __cfi_ preamble, the endbr
> +				 * will live in there.
> +				 */
> +				insn->noendbr = true;
> +				/*
> +				 * The preamble starts with INSN_TRAP,
> +				 * call_node cannot be used.
> +				 */
> +				list_add_tail(&first_insn->call_node, &file->cfi_list);
>  				return 0;
> +			}
>  
>  			WARN("%s() falls through to next function %s()",
>  			     func->name, insn->func->name);
> @@ -3953,6 +4011,13 @@ int check(struct objtool_file *file)
>  		warnings += ret;
>  	}
>  
> +	if (ibt && retpoline) {
> +		ret = create_cfi_sections(file);
> +		if (ret < 0)
> +			goto out;
> +		warnings += ret;
> +	}
> +
>  	if (stats) {
>  		printf("nr_insns_visited: %ld\n", nr_insns_visited);
>  		printf("nr_cfi: %ld\n", nr_cfi);
> diff --git a/tools/objtool/include/objtool/objtool.h b/tools/objtool/include/objtool/objtool.h
> index a6e72d916807..93f52e275fa6 100644
> --- a/tools/objtool/include/objtool/objtool.h
> +++ b/tools/objtool/include/objtool/objtool.h
> @@ -27,6 +27,7 @@ struct objtool_file {
>  	struct list_head static_call_list;
>  	struct list_head mcount_loc_list;
>  	struct list_head endbr_list;
> +	struct list_head cfi_list;
>  	bool ignore_unreachables, hints, rodata;
>  
>  	unsigned int nr_endbr;
> diff --git a/tools/objtool/objtool.c b/tools/objtool/objtool.c
> index 843ff3c2f28e..16ed3613b0e2 100644
> --- a/tools/objtool/objtool.c
> +++ b/tools/objtool/objtool.c
> @@ -129,6 +129,7 @@ struct objtool_file *objtool_open_read(const char *_objname)
>  	INIT_LIST_HEAD(&file.static_call_list);
>  	INIT_LIST_HEAD(&file.mcount_loc_list);
>  	INIT_LIST_HEAD(&file.endbr_list);
> +	INIT_LIST_HEAD(&file.cfi_list);
>  	file.ignore_unreachables = no_unreachable;
>  	file.hints = false;
>  

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ