| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 19 Dec 2022 11:40:19 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: Dan Li <ashimida.1990@...il.com>
Cc: Masahiro Yamada <masahiroy@...nel.org>,
Michal Marek <michal.lkml@...kovi.net>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>,
Sami Tolvanen <samitolvanen@...gle.com>,
Kees Cook <keescook@...omium.org>,
Nathan Chancellor <nathan@...nel.org>,
Tom Rix <trix@...hat.com>,
"Paul E. McKenney" <paulmck@...nel.org>,
Mark Rutland <mark.rutland@....com>,
Josh Poimboeuf <jpoimboe@...nel.org>,
Frederic Weisbecker <frederic@...nel.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Marco Elver <elver@...gle.com>,
Christophe Leroy <christophe.leroy@...roup.eu>,
Song Liu <song@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Uros Bizjak <ubizjak@...il.com>,
Kumar Kartikeya Dwivedi <memxor@...il.com>,
Juergen Gross <jgross@...e.com>,
Luis Chamberlain <mcgrof@...nel.org>,
Borislav Petkov <bp@...e.de>,
Masami Hiramatsu <mhiramat@...nel.org>,
Dmitry Torokhov <dmitry.torokhov@...il.com>,
Aaron Tomlin <atomlin@...hat.com>,
Kalesh Singh <kaleshsingh@...gle.com>,
Yuntao Wang <ytcoode@...il.com>,
Changbin Du <changbin.du@...el.com>,
linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org, llvm@...ts.linux.dev
Subject: Re: [RFC/RFT] CFI: Add support for gcc CFI in aarch64
On Sun, Dec 18, 2022 at 10:17:58PM -0800, Dan Li wrote:
> In the compiler part[4], there are some differences from Sami's
> implementation[3], mainly including:
>
> 1. When a typeid mismatch is detected, the cfi_check_failed function
> will be called instead of the brk instruction. This function needs
> to be implemented by the compiler user.
> If there are user mode programs or other systems that want to use
> this feature, it may be more convenient to use a callback (so this
> compilation option is set to -fsanitize=cfi instead of kcfi).
This is not going to be acceptible for x86_64.
> 2. A reserved typeid (such as 0x0U on the aarch64 platform) is always
> inserted in front of functions that should not be called indirectly.
> Functions that can be called indirectly will not use this hash value,
> which prevents instructions/data before the function from being used
> as a typeid by an attacker.
>
> 3. Some bits are ignored in the typeid to avoid conflicts between the
> typeid and the instruction set of a specific platform, thereby
> preventing an attacker from bypassing the CFI check by using the
> instruction as a typeid, such as on the aarch64 platform:
> * If the following instruction sequence exists:
> 400620: a9be7bfd stp x29, x30, [sp, #-32]!
> 400624: 910003fd mov x29, sp
> 400628: f9000bf3 str x19, [sp, #16]
> * If the expected typeid of the indirect call is exactly 0x910003fd,
> the attacker can jump to the next instruction position of any
> "mov x29,sp" instruction (such as 0x400628 here).
>
> 4. Insert a symbol __cfi_<function> before each function's typeid,
> which may be helpful for fine-grained KASLR implementations (or not?).
>
> 5. The current implementation of gcc only supports the aarch64 platform.
What, if any, are the plans for x86_64 support?
Powered by blists - more mailing lists