2023-01-12 23:05:31

by Sami Tolvanen

Subject: [PATCH 0/1] Fix CFI hash randomization with KASAN

Peter, Masahiro,

I noticed that KASAN+CFI fails to boot on x86_64 without
cfi=norand. The randomization code is missing a couple of KASAN
constructors in object files that are not part of vmlinux.o. This
happens because we don't run objtool for the files, which means
the type hashes are not included in the .cfi_sites section.

This patch simply disables KASAN for these files, which seems
reasonable to me and fixes the boot issue, but perhaps you have
better ideas?

Sami


Sami Tolvanen (1):
kbuild: Fix CFI hash randomization with KASAN

init/Makefile | 1 +
scripts/Makefile.vmlinux | 1 +
2 files changed, 2 insertions(+)


base-commit: c757fc92a3f73734872c7793b97f06434773d65d
--
2.39.0.314.g84b9a713c41-goog


2023-01-12 23:32:03

by Sami Tolvanen

Subject: [PATCH 1/1] kbuild: Fix CFI hash randomization with KASAN

Clang emits an asan.module_ctor constructor to each object file
when KASAN is enabled, and these functions are indirectly called
in do_ctors. With CONFIG_CFI_CLANG, the compiler also emits a CFI
type hash before each address-taken global function so they can
pass indirect call checks.

However, in commit 0c3e806ec0f9 ("x86/cfi: Add boot time hash
randomization"), x86 implemented boot time hash randomization,
which relies on the .cfi_sites section generated by objtool. As
objtool is run against vmlinux.o instead of individual object
files with X86_KERNEL_IBT (enabled by default), CFI types in
object files that are not part of vmlinux.o end up not being
included in .cfi_sites, and thus won't get randomized and trip
CFI when called.

Only .vmlinux.export.o and init/version-timestamp.o are linked
into vmlinux separately from vmlinux.o. As these files don't
contain any functions, disable KASAN for both of them to avoid
breaking hash randomization.

Link: https://github.com/ClangBuiltLinux/linux/issues/1742
Signed-off-by: Sami Tolvanen <[email protected]>
---
init/Makefile | 1 +
scripts/Makefile.vmlinux | 1 +
2 files changed, 2 insertions(+)

diff --git a/init/Makefile b/init/Makefile
index 8316c23bead2..26de459006c4 100644
--- a/init/Makefile
+++ b/init/Makefile
@@ -59,3 +59,4 @@ include/generated/utsversion.h: FORCE

$(obj)/version-timestamp.o: include/generated/utsversion.h
CFLAGS_version-timestamp.o := -include include/generated/utsversion.h
+KASAN_SANITIZE_version-timestamp.o := n
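Review bot: the reason for `KASAN_SANITIZE_version-timestamp.o := n` lives only in the commit message, so a reader of init/Makefile has no way to know it must not be dropped; add a short comment above the assignment stating that this object is linked into vmlinux outside vmlinux.o, so objtool never records its asan.module_ctor in .cfi_sites and an unrandomized hash would trip CFI at boot. Placing it directly under `CFLAGS_version-timestamp.o := -include include/generated/utsversion.h` keeps the per-object settings together, which is good.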
diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux
index 49946cb96844..10176dec97ea 100644
--- a/scripts/Makefile.vmlinux
+++ b/scripts/Makefile.vmlinux
@@ -18,6 +18,7 @@ quiet_cmd_cc_o_c = CC $@
$(call if_changed_dep,cc_o_c)

ifdef CONFIG_MODULES
+KASAN_SANITIZE_.vmlinux.export.o := n
targets += .vmlinux.export.o
vmlinux: .vmlinux.export.o
endif
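Review bot: `KASAN_SANITIZE_.vmlinux.export.o := n` is easy to misread because of the leading dot in the variable name; a one-line comment noting that the name must match the object name exactly, and why KASAN is off for this file (same objtool/.cfi_sites reasoning as init/version-timestamp.o), would help. Scoping the assignment inside `ifdef CONFIG_MODULES`, next to `targets += .vmlinux.export.o`, is consistent, since the object is only built in that configuration.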
--
2.39.0.314.g84b9a713c41-goog

2023-01-13 09:47:22

by Peter Zijlstra

Subject: Re: [PATCH 1/1] kbuild: Fix CFI hash randomization with KASAN

On Thu, Jan 12, 2023 at 10:49:48PM +0000, Sami Tolvanen wrote:
> Clang emits an asan.module_ctor constructor to each object file
> when KASAN is enabled, and these functions are indirectly called
> in do_ctors. With CONFIG_CFI_CLANG, the compiler also emits a CFI
> type hash before each address-taken global function so they can
> pass indirect call checks.
>
> However, in commit 0c3e806ec0f9 ("x86/cfi: Add boot time hash
> randomization"), x86 implemented boot time hash randomization,
> which relies on the .cfi_sites section generated by objtool. As
> objtool is run against vmlinux.o instead of individual object
> files with X86_KERNEL_IBT (enabled by default), CFI types in
> object files that are not part of vmlinux.o end up not being
> included in .cfi_sites, and thus won't get randomized and trip
> CFI when called.
>
> Only .vmlinux.export.o and init/version-timestamp.o are linked
> into vmlinux separately from vmlinux.o. As these files don't
> contain any functions, disable KASAN for both of them to avoid
> breaking hash randomization.
>
> Link: https://github.com/ClangBuiltLinux/linux/issues/1742
> Signed-off-by: Sami Tolvanen <[email protected]>

Must've been 'fun' to figure out, Thanks!

Acked-by: Peter Zijlstra (Intel) <[email protected]>

2023-01-14 00:01:25

by Kees Cook

Subject: Re: [PATCH 0/1] Fix CFI hash randomization with KASAN

On Thu, 12 Jan 2023 22:49:47 +0000, Sami Tolvanen wrote:
> Peter, Masahiro,
>
> I noticed that KASAN+CFI fails to boot on x86_64 without
> cfi=norand. The randomization code is missing a couple of KASAN
> constructors in object files that are not part of vmlinux.o. This
> happens because we don't run objtool for the files, which means
> the type hashes are not included in the .cfi_sites section.
>
> [...]

Applied to for-linus/hardening, thanks!

[1/1] kbuild: Fix CFI hash randomization with KASAN
https://git.kernel.org/kees/c/a6c5a3491b3f

--
Kees Cook