lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Jul 2022 16:18:15 +0100 From: Mark Rutland <mark.rutland@....com> To: linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org, Kees Cook <keescook@...omium.org> Cc: broonie@...nel.org, mark.rutland@....com, peterz@...radead.org Subject: [PATCH] lkdtm: cfi: add test for HW landing pad CFI Some architectures have coarse-grained HW CFI schemes where indirect branches must target a "landing pad" instruction (e.g. BTI on arm64, ENDBR on x86). These prevent gadgetization of arbitrary portions of functions. Add a test which checks these work as expected. For example, on arm64 HW with BTI this should result in a BTI exception being taken: | # echo CFI_FORWARD_LANDING_PAD > /sys/kernel/debug/provoke-crash/DIRECT | lkdtm: Performing direct entry CFI_FORWARD_LANDING_PAD | lkdtm: Calling gadget address ... | Unhandled 64-bit el1h sync exception on CPU0, ESR 0x0000000034000002 -- BTI | CPU: 0 PID: 152 Comm: bash Not tainted 5.19.0-rc6-00001-g1f3acfdc1799 #3 | Hardware name: linux,dummy-virt (DT) | pstate: 60400809 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=-c) | pc : lkdtm_increment_void+0x4/0x20 | lr : lkdtm_CFI_FORWARD_LANDING_PAD+0x30/0x48 | sp : ffff80000a763cf0 | x29: ffff80000a763cf0 x28: ffff0000042c1d80 x27: 0000000000000000 | x26: 0000000000000000 x25: 0000000000000000 x24: 0000000031a6fb80 | x23: ffff000002c2a0c0 x22: ffff80000a763df0 x21: 0000000000000018 | x20: ffff80000a231498 x19: ffff000004075000 x18: 0000000000000006 | x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720 | x14: 0720072007200720 x13: ffff800009f82ca8 x12: 0000000000000429 | x11: 0000000000000163 x10: ffff800009fdaca8 x9 : ffff800009f82ca8 | x8 : 00000000ffffefff x7 : ffff800009fdaca8 x6 : 80000000fffff000 | x5 : ffff00007fbcca08 x4 : 0000000000000000 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : ffff8000088a9c94 x0 : ffff80000a334b70 | Kernel panic - not syncing: Unhandled exception | CPU: 0 PID: 152 Comm: bash Not tainted 5.19.0-rc6-00001-g1f3acfdc1799 #3 | Hardware name: linux,dummy-virt (DT) | Call trace: | dump_backtrace.part.0+0xcc/0xe0 | show_stack+0x18/0x6c | dump_stack_lvl+0x64/0x80 | dump_stack+0x18/0x34 | panic+0x170/0x328 | arm64_exit_nmi.isra.0+0x0/0x80 | el1h_64_sync_handler+0x64/0xd0 | el1h_64_sync+0x64/0x68 | lkdtm_increment_void+0x4/0x20 | lkdtm_do_action+0x24/0x30 | direct_entry+0x160/0x174 | full_proxy_write+0x60/0xbc | vfs_write+0xc4/0x2a0 | ksys_write+0x70/0x104 | __arm64_sys_write+0x20/0x2c | invoke_syscall+0x48/0x114 | el0_svc_common.constprop.0+0xcc/0xec | do_el0_svc+0xa0/0xc0 | el0_svc+0x2c/0x84 | el0t_64_sync_handler+0x11c/0x150 | el0t_64_sync+0x18c/0x190 | Kernel Offset: disabled | CPU features: 0x000,0003a817,69a418cf | Memory Limit: none Signed-off-by: Mark Rutland <mark.rutland@....com> Cc: Kees Cook <keescook@...omium.org> Cc: Mark Brown <broonie@...nel.org> Cc: Peter Zijlstra <peterz@...radead.org> --- drivers/misc/lkdtm/cfi.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/drivers/misc/lkdtm/cfi.c b/drivers/misc/lkdtm/cfi.c index 666a7f4bc137..7cfdda73f561 100644 --- a/drivers/misc/lkdtm/cfi.c +++ b/drivers/misc/lkdtm/cfi.c @@ -43,6 +43,23 @@ static void lkdtm_CFI_FORWARD_PROTO(void) pr_expected_config(CONFIG_CFI_CLANG); } +/* + * This tries to call an indirect function with an address which is not a + * function entry point. This should be caught by architectures with "landing + * pad" instructions (e.g. BTI on arm64, or ENDBR on x86). + */ +static void lkdtm_CFI_FORWARD_LANDING_PAD(void) +{ + void (*func)(int *); + + func = (void *)((unsigned long)lkdtm_increment_void + 4); + + pr_info("Calling gadget address ...\n"); + func(&called_count); + + pr_err("FAIL: survived gadget function call!\n"); +} + /* * This can stay local to LKDTM, as there should not be a production reason * to disable PAC && SCS. @@ -177,6 +194,7 @@ static void lkdtm_CFI_BACKWARD(void) static struct crashtype crashtypes[] = { CRASHTYPE(CFI_FORWARD_PROTO), + CRASHTYPE(CFI_FORWARD_LANDING_PAD), CRASHTYPE(CFI_BACKWARD), }; -- 2.30.2
Powered by blists - more mailing lists