lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <e48391c54a4ba27795919099f8ea25c29d868000.camel@infradead.org>
Date: Tue, 18 Mar 2025 21:06:58 +0000
From: David Woodhouse <dwmw2@...radead.org>
To: Josh Poimboeuf <jpoimboe@...nel.org>
Cc: kexec@...ts.infradead.org, Thomas Gleixner <tglx@...utronix.de>, Ingo
 Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen
 <dave.hansen@...ux.intel.com>, x86@...nel.org, "H . Peter Anvin"
 <hpa@...or.com>,  "Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
 Kai Huang <kai.huang@...el.com>, Nikolay Borisov <nik.borisov@...e.com>, 
 linux-kernel@...r.kernel.org, Simon Horman <horms@...nel.org>, Dave Young
 <dyoung@...hat.com>, Peter Zijlstra <peterz@...radead.org>, bsz@...zon.de
Subject: Re: [PATCH v7 8/8] [DO NOT MERGE] x86/kexec: Add CFI type
 information to relocate_kernel()

On Tue, 2025-03-18 at 10:14 -0700, Josh Poimboeuf wrote:
> On Tue, Mar 18, 2025 at 03:56:36PM +0000, David Woodhouse wrote:
> > But on the whole, I'm not sure the CFI check is worth it.
> > 
> > CFI checks that the caller and callee agree about the prototype of the
> > function being called. There are two main benefits of this:
> > 
> >  • to protect against attacks where function pointers are substituted
> >    for gadgets.
> > 
> >  • to protect against genuine bugs, where the caller and the callee
> >    disagree about the function arguments.
> 
> AFAIK the first one is the main point of CFI.

In the general case yes. I just don't think it matters much for
relocate_kernel().

> > For the relocate_kernel() case I don't think we care much about the
> > first. Without a CFI prologue, no *other* code can be tricked into
> > calling relocate_kernel()
> 
> But for FineIBT the hash is checked on the callee side.  So it loses
> FineIBT protection.

Right now the relocate_kernel() code doesn't even have an endbr, does
it? So it isn't a useful gadget?

> > — and besides, it's in the kernel's data
> > section and isn't executable anyway until the kexec code copies it to a
> > page that *is*.
> 
> Does the code get copied immediately before getting called, or can it be
> initialized earlier during boot when kdump does its initial setup?

It's initialized earlier, in machine_kexec_prepare(), and then the page
is set ROX.


Download attachment "smime.p7s" of type "application/pkcs7-signature" (5069 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ