| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250414111140.586315004@infradead.org> Date: Mon, 14 Apr 2025 13:11:40 +0200 From: Peter Zijlstra <peterz@...radead.org> To: x86@...nel.org Cc: kys@...rosoft.com, haiyangz@...rosoft.com, wei.liu@...nel.org, decui@...rosoft.com, tglx@...utronix.de, mingo@...hat.com, bp@...en8.de, dave.hansen@...ux.intel.com, hpa@...or.com, peterz@...radead.org, jpoimboe@...nel.org, pawan.kumar.gupta@...ux.intel.com, seanjc@...gle.com, pbonzini@...hat.com, ardb@...nel.org, kees@...nel.org, Arnd Bergmann <arnd@...db.de>, gregkh@...uxfoundation.org, linux-hyperv@...r.kernel.org, linux-kernel@...r.kernel.org, kvm@...r.kernel.org, linux-efi@...r.kernel.org, samitolvanen@...gle.com, ojeda@...nel.org Subject: [PATCH 0/6] objtool: Detect and warn about indirect calls in __nocfi functions Hi! On kCFI (CONFIG_CFI_CLANG=y) builds all indirect calls should have the CFI check on (with very few exceptions). Not having the CFI checks undermines the protection provided by CFI and will make these sites candidates for people wanting to steal your cookies. Specifically the ABI changes are so that doing indirect calls without the CFI magic, to a CFI adorned function is not compatible (although it happens to work for some setups, it very much does not for FineIBT). Rust people tripped over this the other day, since their 'core' happened to have some no_sanitize(kcfi) bits in, which promptly exploded when ran with FineIBT on. Since this is very much not a supported model -- on purpose, have objtool detect and warn about such constructs. This effort [1] found all existins [2] non-cfi indirect calls in the kernel. Notably the KVM fastop emulation stuff -- which reminded me I still had pending patches there. Included here since they reduce the amount of fastop call sites, and the final patch includes an annotation for that. Although ideally we should look at means of doing fastops differently. KVM has another; the interrupt injection stuff calls the IDT handler directly. Is there an alternative? Can we keep a table of Linux functions slighly higher up the call stack (asm_\cfunc ?) and add CFI to those? HyperV hypercall page stuff, which I've previously suggested use direct calls, and which I've now converted (after getting properly annoyed with that code). [1] https://lkml.kernel.org/r/20250410154556.GB9003@noisy.programming.kicks-ass.net [2] https://lkml.kernel.org/r/20250410194334.GA3248459@google.com
Powered by blists - more mailing lists