Message-ID: <20260107093639.GC3707891@noisy.programming.kicks-ass.net>
Date: Wed, 7 Jan 2026 10:36:39 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: Rustam Kovhaev <rkovhaev@...il.com>
Cc: Sami Tolvanen <samitolvanen@...gle.com>,
	Alexei Starovoitov <ast@...nel.org>, linux-kernel@...r.kernel.org,
	bpf@...r.kernel.org
Subject: Re: kernel crashes in BPF JIT code with kCFI and clang on x86

On Mon, Dec 22, 2025 at 07:43:32PM -0800, Rustam Kovhaev wrote:

> Here is the patch that fixed it for me:
> 
> diff --git a/arch/x86/include/asm/cfi.h b/arch/x86/include/asm/cfi.h
> index c40b9ebc1fb4..48f232d4b9d6 100644
> --- a/arch/x86/include/asm/cfi.h
> +++ b/arch/x86/include/asm/cfi.h
> @@ -121,6 +121,8 @@ static inline int cfi_get_offset(void)
>         case CFI_FINEIBT:
>                 return 16;
>         case CFI_KCFI:
> +               if (IS_ENABLED(CONFIG_CC_IS_CLANG) && IS_ENABLED(CONFIG_CALL_PADDING))
> +                       return CONFIG_FUNCTION_PADDING_CFI + 5;
>                 if (IS_ENABLED(CONFIG_CALL_PADDING))
>                         return 16;
>                 return 5;
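Review bot: the new clang-only branch makes the `if (IS_ENABLED(CONFIG_CALL_PADDING)) return 16;` right below it unreachable on clang builds, and the compiler guard looks incidental: the existing 16 is already CONFIG_FUNCTION_PADDING_CFI + 5 for the default 11-byte padding (11 NOPs plus the 5-byte `movl $hash, %eax` emitted by EMIT1_off32), so `return CONFIG_FUNCTION_PADDING_CFI + 5;` could simply replace the hardcoded 16 whenever CONFIG_CALL_PADDING is set, covering the reporter's 59-byte padding (offset 64) without a CC_IS_CLANG special case. The CFI_FINEIBT case above still returns a fixed 16 while the quoted .config has CONFIG_FINEIBT=y, so it is worth checking whether that path has the same alignment dependence.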
> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> index b0bac2a66eff..f8706d5b155f 100644
> --- a/arch/x86/net/bpf_jit_comp.c
> +++ b/arch/x86/net/bpf_jit_comp.c
> @@ -435,20 +435,16 @@ static void emit_fineibt(u8 **pprog, u8 *ip, u32 hash, int arity)
>  static void emit_kcfi(u8 **pprog, u32 hash)
>  {
>         u8 *prog = *pprog;
> +       size_t nop_len = 11;
> +       if (IS_ENABLED(CONFIG_CC_IS_CLANG) && IS_ENABLED(CONFIG_CALL_PADDING))
> +               nop_len = 55;
>  
>         EMIT1_off32(0xb8, hash);                        /* movl $hash, %eax     */
>  #ifdef CONFIG_CALL_PADDING
> -       EMIT1(0x90);
> -       EMIT1(0x90);
> -       EMIT1(0x90);
> -       EMIT1(0x90);
> -       EMIT1(0x90);
> -       EMIT1(0x90);
> -       EMIT1(0x90);
> -       EMIT1(0x90);
> -       EMIT1(0x90);
> -       EMIT1(0x90);
> -       EMIT1(0x90);
> +       while( nop_len > 0) {
> +               EMIT1(0x90);
> +               nop_len--;
> +       }
>  #endif
>         EMIT_ENDBR();
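Review bot: `nop_len = 55` breaks the invariant the existing code keeps between emit_kcfi() and cfi_get_offset(): today the prefix is 5 bytes of `movl` plus 11 NOPs, exactly the 16 that cfi_get_offset() returns, whereas with this change the prefix is 5 + 55 = 60 bytes before EMIT_ENDBR() while the cfi.h hunk makes cfi_get_offset() return 59 + 5 = 64 for the quoted config, leaving a 4-byte discrepancy between where the ENDBR is emitted and the entry offset the rest of the JIT computes. Since 11 equals CONFIG_FUNCTION_PADDING_CFI in the default configuration, the loop count should be `CONFIG_FUNCTION_PADDING_CFI` rather than a literal, so the two places stay in lockstep for any alignment, and the CC_IS_CLANG condition can then go away here too. Style-wise, `while( nop_len > 0)` should read `while (nop_len > 0)`, the variable would conventionally be an `int`, and a blank line belongs after the declarations.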
> 
> After switching to clang, kbuild always generates these huge paddings in my kernel config:
> rusty@...10:~/code/kbuild_rust$ grep -e IBT -e PADDING .config
> CONFIG_CC_HAS_IBT=y
> CONFIG_X86_KERNEL_IBT=y
> CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
> CONFIG_CC_HAS_ENTRY_PADDING=y
> CONFIG_FUNCTION_PADDING_CFI=59
> CONFIG_FUNCTION_PADDING_BYTES=59
> CONFIG_CALL_PADDING=y
> CONFIG_FINEIBT=y

Oh gawd, you have FUNCTION_ALIGNMENT_64B. Yeah, I suppose that wasn't
tested very well.

Let me go check all that code.
