| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Jul 2023 22:37:22 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: x86@...nel.org, linux-kernel@...r.kernel.org
Subject: [GIT PULL] x86/urgent for v6.5-rc2
Hi Linus,
please pull a bunch of CFI fixes for 6.5-rc2.
Thanks!
(also yeah, sometimes I can't type -- I only now noticed :/)
---
The following changes since commit 06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5:
Linux 6.5-rc1 (2023-07-09 13:53:13 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git tags/x86_urgent_for_6.5_rc2
for you to fetch changes up to 535d0ae39185a266536a1e97ff9a8956d7fbb9df:
x86/cfi: Only define poison_cfi() if CONFIG_X86_KERNEL_IBT=y (2023-07-11 10:17:55 +0200)
----------------------------------------------------------------
Fix kCFI/FineIBT weaknesses
The primary bug Alyssa noticed was that with FineIBT enabled function
prologues have a spurious ENDBR instruction:
__cfi_foo:
endbr64
subl $hash, %r10d
jz 1f
ud2
nop
1:
foo:
endbr64 <--- *sadface*
This means that any indirect call that fails to target the __cfi symbol
and instead targets (the regular old) foo+0, will succeed due to that
second ENDBR.
Fixing this lead to the discovery of a single indirect call that was
still doing this: ret_from_fork(), since that's an assembly stub the
compmiler would not generate the proper kCFI indirect call magic and it
would not get patched.
Brian came up with the most comprehensive fix -- convert the thing to C
with only a very thin asm wrapper. This ensures the kernel thread
boostrap is a proper kCFI call.
While discussing all this, Kees noted that kCFI hashes could/should be
poisoned to seal all functions whose address is never taken, further
limiting the valid kCFI targets -- much like we already do for IBT.
So what was a 'simple' observation and fix cascaded into a bunch of
inter-related CFI infrastructure fixes.
----------------------------------------------------------------
Brian Gerst (2):
x86/32: Remove schedule_tail_wrapper()
x86: Rewrite ret_from_fork() in C
Ingo Molnar (1):
x86/cfi: Only define poison_cfi() if CONFIG_X86_KERNEL_IBT=y
Peter Zijlstra (4):
x86/cfi: Extend {JMP,CAKK}_NOSPEC comment
x86/alternative: Rename apply_ibt_endbr()
x86/cfi: Extend ENDBR sealing to kCFI
x86/fineibt: Poison ENDBR at +0
arch/um/kernel/um_arch.c | 2 +-
arch/x86/entry/entry_32.S | 53 +++++++--------------------
arch/x86/entry/entry_64.S | 33 ++++-------------
arch/x86/include/asm/alternative.h | 2 +-
arch/x86/include/asm/ibt.h | 2 +-
arch/x86/include/asm/nospec-branch.h | 4 ++
arch/x86/include/asm/switch_to.h | 4 +-
arch/x86/kernel/alternative.c | 71 ++++++++++++++++++++++++++++++++++--
arch/x86/kernel/module.c | 2 +-
arch/x86/kernel/process.c | 22 ++++++++++-
10 files changed, 120 insertions(+), 75 deletions(-)
Powered by blists - more mailing lists