Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp524718pxf; Wed, 24 Mar 2021 09:42:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzRr2ecNDgDlV3xf+w/K0XdMPEiL9+oyLHvBab9rWnBI7px03PXpWaWDL50TmJD92uZ00zs X-Received: by 2002:a17:906:d797:: with SMTP id pj23mr4714595ejb.367.1616604136328; Wed, 24 Mar 2021 09:42:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616604136; cv=none; d=google.com; s=arc-20160816; b=DW/JgqF7WuZJx+4OF2fby5boFBnH1uGx1ARXHqpdsjQwaSQSWoJXlfAUjFUkcrKj1b DhbrBeXf3oEqYTL7TtLKzR8+SUK4bynprPMin6I7xCpwwjUoKVfxBRYyMiS1zcyPgwZX z33ab5D4vcS9f0D55yKDy1CT1pW9A4AZlQhRP4iFiKe2RtrpslvdEx5vTcKAMPB4a94G cV/CJqQpLBv7HjWsDr0uMWMX3AQ2O8QKSKFIaVE283VUOGVtJK+rvchLOxepOsUD/YIL p5S5kayUb9isMQIRgQ7eVMLccMSuWF+af1UXhRa6HpNSPElYh2m+vJ9k9RBzL2C3i8SL 5DUg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=wNHiEG33VxCvMonOriWGNjj3ArhqwshcClwSjyhBeSM=; b=b2tVThzT+l3pJm/3pavHEEZNUvy05Ygc9zPVCaMvtmX2GTFsW/yBeHpKckicJhDxt+ K+mdwOnCV2ITQezuxPiar9T2YVm1QZdAhS63sgiRbFgVldEgM24UqVktY++dq0RzUrTG amo8KCh6SrNFHR8b3/b5Auihco0btR00YUmSHo5uqVD9s2NCnoEMHn3/9R2jJ7ISFvGM /Qjd+us0A8hKc4Rzi+vL9OdprqBmN62fkVwRjthvxteNOyK//pKLtJKF9HQ5Qbixt5RW pnLhP6v28foyAJUdi56GQUe2PEECeE8WBVmY4zqMCQlUUH0bKw5CbLZSTtAqJOn/nxKh zDTg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=aIdOLKog; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e15si2170293edz.11.2021.03.24.09.41.53; Wed, 24 Mar 2021 09:42:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=aIdOLKog; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236560AbhCXQja (ORCPT + 99 others); Wed, 24 Mar 2021 12:39:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49942 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236419AbhCXQi6 (ORCPT ); Wed, 24 Mar 2021 12:38:58 -0400 Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DA43DC0613E2 for ; Wed, 24 Mar 2021 09:38:57 -0700 (PDT) Received: by mail-vs1-xe32.google.com with SMTP id 124so11673552vsg.12 for ; Wed, 24 Mar 2021 09:38:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wNHiEG33VxCvMonOriWGNjj3ArhqwshcClwSjyhBeSM=; b=aIdOLKogREItDPzd5A+jRjsMTc+xmHWs2f8DXYi4nKG1WB6O5apxTb0kST6RgOkHem ghgvEZWjF8nRr4dbvSOuwWbwjFPuV/vbaRD3Z7CGoVZawIxEFV5mJsE5ZtJNXdRjxRPM /pgQmlNT52f7FhktYcLYtuo6wxnQ3p+E5JGCLX8DI9PAwVPuYWrmoFrgkcQEOH3bWko1 yeUR3ZGC2yXuGY5z4MB6db/ziAwUVV0vGN+TjSPkoDw6IcyU8wT+LKtbwhYggLzRtOkn QaW82SDYSI17mjm1c8GXof1fEQ8QDILZ6717zNSQ+sv7WNZgh0LtIzkVfeFDKEGTQ5cn qx9w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wNHiEG33VxCvMonOriWGNjj3ArhqwshcClwSjyhBeSM=; b=XT5n92Sypxgh33TM49xEVc17OEy5FZj1dN8i5Z7nI6joExDlmUTJF/EY+6Ra+j8YWx uhgITJL6DtfEPifhWY5F6A2xZZVcBfV/HwDelgFiUzAtwqakjOFCvEwsysLL9/lqacAo dQjmApbc9FVqPqXIiAFNt5Dl/8LBNO/aPfq+OGY0RAW+W0h0+bz0FHJrouWZQ3UxvcJd OpcjzcGkOv+5il4TPtsmKgygtY4TZarKU9QOjZHbyFsxU7CgftSZI3lJFEKyBEFetKkp jr6mpYLU8njw+Nsm3ws3VB+vDpf0W/PlJaQsZAt8a4mCOoFBVi20RdUzLygt+mPx5CzO cgsg== X-Gm-Message-State: AOAM532LHC9MPi5443MKUJEbfYAv9XVBrj206eU3k+CW/f2xA65MrJdL QOsWVgip2ntV0RTrGwgTFkCiDFnWEn2OLICTpNlOrg== X-Received: by 2002:a67:2803:: with SMTP id o3mr2580346vso.36.1616603936571; Wed, 24 Mar 2021 09:38:56 -0700 (PDT) MIME-Version: 1.0 References: <20210323203946.2159693-1-samitolvanen@google.com> <20210323203946.2159693-3-samitolvanen@google.com> <92afcbea-1415-2df1-5e78-4e9a7a4d364b@rasmusvillemoes.dk> In-Reply-To: <92afcbea-1415-2df1-5e78-4e9a7a4d364b@rasmusvillemoes.dk> From: Sami Tolvanen Date: Wed, 24 Mar 2021 09:38:45 -0700 Message-ID: Subject: Re: [PATCH v3 02/17] cfi: add __cficanonical To: Rasmus Villemoes Cc: Kees Cook , Nathan Chancellor , Nick Desaulniers , Masahiro Yamada , Will Deacon , Jessica Yu , Arnd Bergmann , Tejun Heo , "Paul E. McKenney" , Christoph Hellwig , Peter Zijlstra , bpf , linux-hardening@vger.kernel.org, linux-arch , linux-arm-kernel , linux-kbuild , PCI , LKML Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 24, 2021 at 8:31 AM Rasmus Villemoes wrote: > > On 23/03/2021 21.39, Sami Tolvanen wrote: > > With CONFIG_CFI_CLANG, the compiler replaces a function address taken > > in C code with the address of a local jump table entry, which passes > > runtime indirect call checks. However, the compiler won't replace > > addresses taken in assembly code, which will result in a CFI failure > > if we later jump to such an address in instrumented C code. The code > > generated for the non-canonical jump table looks this: > > > > : /* In C, &noncanonical points here */ > > jmp noncanonical > > ... > > : /* function body */ > > ... > > > > This change adds the __cficanonical attribute, which tells the > > compiler to use a canonical jump table for the function instead. This > > means the compiler will rename the actual function to .cfi > > and points the original symbol to the jump table entry instead: > > > > : /* jump table entry */ > > jmp canonical.cfi > > ... > > : /* function body */ > > ... > > > > As a result, the address taken in assembly, or other non-instrumented > > code always points to the jump table and therefore, can be used for > > indirect calls in instrumented code without tripping CFI checks. > > Random ramblings, I'm trying to understand how this CFI stuff works. > > First, patch 1 and 2 explain the pros and cons of canonical vs > non-canonical jump tables, in either case, there's problems with stuff > implemented in assembly. But I don't understand why those pros and cons > then end up with using the non-canonical jump tables by default. IIUC, > with canonical jump tables, function pointer equality would keep working > for functions implemented in C, because &func would always refer to the > same stub "function" that lives in the same object file as func.cfi, > whereas with the non-canonical version, each TU (or maybe DSO) that > takes the address of func ends up with its own func.cfi_jt. Correct. > There are of course lots of direct calls of assembly functions, but > I don't think we take the address of such functions very often. So why > can't we instead equip the declarations of those with a > __cfi_noncanonical attribute? Clang doesn't support these attributes in function declarations, unfortunately. If it did, that would certainly help, until someone wants to compare addresses of assembly functions, in which case we would again have a problem. Another way to work around the issue with canonical CFI would be to add C wrappers for all address-taken assembly functions, but that's not quite ideal either. I think most indirect calls to assembly functions happen in the crypto code, which would have required so many changes that we decided to default to non-canonical CFI instead. This resulted in far fewer kernel changes despite the cross-module function address equality issue. Sami