Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp2814254pxb; Mon, 19 Apr 2021 14:54:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx/SsRWoVew/2Es+XfBo8nvenmV0BxsB95utpVCGqHsRgyvNxhTxKNt4HglkiNBpyWUyF7B X-Received: by 2002:a63:4848:: with SMTP id x8mr13374392pgk.362.1618869275765; Mon, 19 Apr 2021 14:54:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618869275; cv=none; d=google.com; s=arc-20160816; b=yDLIZIysa2Ek4v5wq4Mie34hzX5hcUWYW1iGRUMs/t8NFHh9uapPOQkg1pOojfYeoS rlHbYPbCnfF2nUFF1ODQpfbNFnJ3EuUHmGmhCpKAqZOpUNtHs8SgsSvQiJXa6rSeFTiY l0RMOUH3lX+c8dabIA4CwY3XXx5vj8hj6eqMqoXbAcNgrTC07GJnZnTzHsOaCKl2XqYq 9dVZexoNLfojp3PaFkDoRcX7P7RwHf3jfluF3e9eOcB83f9H9jcqr5gyrCacy9pUcijn 2P7EnKU0SlZUhRDiJqIDhf4N7wKb8E1Ndn3xeiOFAjbrcq6koY4e5a0GApM1Ht6Jfti3 oG5A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :mime-version:accept-language:in-reply-to:references:message-id:date :thread-index:thread-topic:subject:cc:to:from; bh=vVqfPtV1Hs+upT8dc8pZ8bvveaKFUZ3tKWMyfGbmvCQ=; b=kVx2ZFMLPZtFejqWSQTnWt+2vMRiRYlVMInObww1fKyeBKZUFSpp5V5en2OrqVZIvS +xiLJ/1DbbGDGEXI09b7mSnTM3cDchH0wdnJ9ACgQDQ20HWdz2mcR+qZXlb+fnGfA1XN cL53xupIkq6mcb9BU4EHsKstyqAffM5EekglNWl1Qi0IhDA/xBKG2n/eNIh80InutE54 2EDKGt/Abm33bjigE790f9I9cfxiucwPhMHIFoyeeoaAT9sxIHUNpcEwvUm7yXvHy1Uk 2su28Sd3epS/W+OXxVq6fvY3BjAjSkEG5np+gDfS8dg7ozWK6+vYU2dEe7xvmA+TedJH aYQQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j9si18235320plj.86.2021.04.19.14.54.23; Mon, 19 Apr 2021 14:54:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232746AbhDSVxX convert rfc822-to-8bit (ORCPT + 99 others); Mon, 19 Apr 2021 17:53:23 -0400 Received: from eu-smtp-delivery-151.mimecast.com ([185.58.85.151]:32074 "EHLO eu-smtp-delivery-151.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232468AbhDSVxW (ORCPT ); Mon, 19 Apr 2021 17:53:22 -0400 Received: from AcuMS.aculab.com (156.67.243.121 [156.67.243.121]) (Using TLS) by relay.mimecast.com with ESMTP id uk-mta-122-5PwNCrjSNRSPg_lGIzvSdg-1; Mon, 19 Apr 2021 22:52:49 +0100 X-MC-Unique: 5PwNCrjSNRSPg_lGIzvSdg-1 Received: from AcuMS.Aculab.com (fd9f:af1c:a25b:0:994c:f5c2:35d6:9b65) by AcuMS.aculab.com (fd9f:af1c:a25b:0:994c:f5c2:35d6:9b65) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 19 Apr 2021 22:52:49 +0100 Received: from AcuMS.Aculab.com ([fe80::994c:f5c2:35d6:9b65]) by AcuMS.aculab.com ([fe80::994c:f5c2:35d6:9b65%12]) with mapi id 15.00.1497.015; Mon, 19 Apr 2021 22:52:49 +0100 From: David Laight To: 'Rasmus Villemoes' , Kees Cook , Andy Lutomirski CC: Borislav Petkov , Sami Tolvanen , X86 ML , Josh Poimboeuf , Peter Zijlstra , Nathan Chancellor , "Nick Desaulniers" , Sedat Dilek , "linux-hardening@vger.kernel.org" , LKML , clang-built-linux Subject: RE: [PATCH 05/15] x86: Implement function_nocfi Thread-Topic: [PATCH 05/15] x86: Implement function_nocfi Thread-Index: AQHXNPeauSsNstP2FUia6sIzu9nmdKq8X6yA Date: Mon, 19 Apr 2021 21:52:48 +0000 Message-ID: References: <20210416203844.3803177-1-samitolvanen@google.com> <20210416203844.3803177-6-samitolvanen@google.com> <20210416211855.GD22348@zn.tnic> <20210416220251.GE22348@zn.tnic> <202104161519.1D37B6D26@keescook> <2812c98b-3b5a-7be5-9fd9-2a6260406a45@rasmusvillemoes.dk> In-Reply-To: <2812c98b-3b5a-7be5-9fd9-2a6260406a45@rasmusvillemoes.dk> Accept-Language: en-GB, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.202.205.107] MIME-Version: 1.0 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=C51A453 smtp.mailfrom=david.laight@aculab.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: aculab.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Rasmus Villemoes > Sent: 19 April 2021 09:40 > > On 17/04/2021 00.28, Kees Cook wrote: > > On Fri, Apr 16, 2021 at 03:06:17PM -0700, Andy Lutomirski wrote: > > >> The > >> foo symbol would point to whatever magic is needed. > > > > No, the symbol points to the jump table entry. Direct calls get minimal > > overhead and indirect calls can add the "is this function in the right > > table" checking. > > > > > > But note that this shouldn't turn into a discussion of "maybe Clang could > > do CFI differently"; this is what Clang has. > > Why not? In particular, I'd really like somebody to answer the question > "why not just store a cookie before each address-taken or > external-linkage function?". > > (1) direct calls get _no_ overhead, not just "minimal". > (2) address comparison, intra- or inter-module, Just Works, no need to > disable one sanity check to get others. > (3) The overhead and implementation of the signature check is the same > for inter- and intra- module calls. > (4) passing (unsigned long)sym into asm code or stashing it in a table > Just Works. > > How much code would be needed on the clang side to provide a > --cfi-mode=inline ? > > The only issue, AFAICT, which is also a problem being handled in the > current proposal, is indirect calls to asm code from C. They either have > to be instrumented to not do any checking (which requires callers to > know that the pointer they have might point to an asm-implementation), > or the asm code could be taught to emit those cookies as well - which > would provide even better coverage. Something like > > CFI_COOKIE(foo) > foo: > ... > > with CFI_COOKIE expanding to nothing when !CONFIG_CFI, and otherwise to > (something like) ".quad cfi_cookie__foo" ; with some appropriate Kbuild > and compiler magic to generate a table of cfi_cookie__* defines from a > header file with the prototypes. I'm wondering what 'threat models' CFI is trying to protect from. Adding code to code doing 'call indirect' can only protect against calls to 'inappropriate' functions. You may also be worried about whether functions are being called from the right place - someone might manage to 'plant' an indirect jump somewhere - probably more likely than overwriting an address. But a truly malicious caller will be able to subvert most checks. And non-malicious errors can be largely eliminated by strengthening normal compiler type checking. A simple run-time check would be adding an extra 'hidden' function parameter that is a hash of the prototype. Especially if the hash is based on a build-id - so differs between kernel builds. Having the caller scan a list of valid targets seems just broken. You might as well replace the function pointer with an index into the array of valid targets. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)