Message-ID: <20241008-cfi-fix-llvm-gate-v1-1-32d47459eee4@google.com>
Date: Tue, 08 Oct 2024 17:42:33 +0000
From: Alice Ryhl <aliceryhl@...gle.com>
To: Sami Tolvanen <samitolvanen@...gle.com>, Kees Cook <kees@...nel.org>, 
	Nathan Chancellor <nathan@...nel.org>, Miguel Ojeda <ojeda@...nel.org>, 
	Matthew Maurer <mmaurer@...gle.com>
Cc: linux-kernel@...r.kernel.org, llvm@...ts.linux.dev, 
	rust-for-linux@...r.kernel.org, Alice Ryhl <aliceryhl@...gle.com>
Subject: [PATCH] cfi: fix conditions in HAVE_CFI_ICALL_NORMALIZE_INTEGERS

The CFI_ICALL_NORMALIZE_INTEGERS option is incompatible with KASAN
because LLVM will emit some constructors when using KASAN that are
assigned incorrect CFI tags. These constructors are emitted due to use
of -fsanitize=kernel-address or -fsanitize=kernel-hwaddress that are
respectively passed when KASAN_GENERIC or KASAN_SW_TAGS are enabled.
However, the KASAN_HW_TAGS option relies on hardware support for MTE
instead and does not pass either flag. (Note also that KASAN_HW_TAGS
does not `select CONSTRUCTORS`.)

Additionally, the option is configured to have a prompt and gated behind
EXPERT. The previous method for a user override of the option did not
actually work. This is expected to be temporary, as I intend to add a
precise detection check for 6.13 - I did not include that here to avoid
adding a RUSTC_LLVM_VERSION config in a fix.

Fixes: 4c66f8307ac0 ("cfi: encode cfi normalized integers + kasan/gcov bug in Kconfig")
Signed-off-by: Alice Ryhl <aliceryhl@...gle.com>
---
 arch/Kconfig | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/Kconfig b/arch/Kconfig
index 8af374ea1adc..2632de28c05a 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -852,8 +852,9 @@ config CFI_ICALL_NORMALIZE_INTEGERS
 	  This option is necessary for using CFI with Rust. If unsure, say N.
 
 config HAVE_CFI_ICALL_NORMALIZE_INTEGERS
-	def_bool !GCOV_KERNEL && !KASAN
-	depends on CFI_CLANG
+	bool "Are normalized CFI tags for integers available?"
+	default !GCOV_KERNEL && !KASAN_GENERIC && !KASAN_SW_TAGS
+	depends on EXPERT || (!GCOV_KERNEL && !KASAN_GENERIC && !KASAN_SW_TAGS)
 	depends on $(cc-option,-fsanitize=kcfi -fsanitize-cfi-icall-experimental-normalize-integers)
 	help
 	  Is CFI_ICALL_NORMALIZE_INTEGERS supported with the set of compilers
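
Review bot: the new definition of HAVE_CFI_ICALL_NORMALIZE_INTEGERS drops `depends on CFI_CLANG` without a replacement, and the commit message does not say why. Now that the symbol has a prompt, it will be offered whenever the compiler accepts the two -fsanitize flags, even when CFI_CLANG is disabled. Consider keeping `depends on CFI_CLANG`, or state in the message that the removal is intentional. The expression `!GCOV_KERNEL && !KASAN_GENERIC && !KASAN_SW_TAGS` is also repeated on the `default` and `depends on` lines, so the two copies can drift apart in a later edit. Since an EXPERT user can now answer Y with GCOV or those KASAN modes enabled, the help text should say that doing so gives the emitted constructors incorrect CFI tags.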

---
base-commit: 8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b
change-id: 20241008-cfi-fix-llvm-gate-115e48d6acc9

Best regards,
-- 
Alice Ryhl <aliceryhl@...gle.com>

