Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp543409pxb;
        Wed, 25 Aug 2021 09:05:36 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyt83rljJEs5t7l3kMtkbh+nC66QWpZnS/lC5a63XF4xwKU7Cev8eFdXJLa+f+CpauGOOGb
X-Received: by 2002:a17:907:9602:: with SMTP id gb2mr47957040ejc.354.1629907536240;
        Wed, 25 Aug 2021 09:05:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1629907536; cv=none;
        d=google.com; s=arc-20160816;
        b=YuoS+e+bKwooHpdBoWHxPWSHYsznVwdew6KJpab5noeGfh0NekikxFFbDaZY8NGKya
         AexKvj+GPQIT4JMrWKI3NwJh7hdV3yVIz8jtmebi4nhHwv8vqInv8VfJtgOJLwBGwB+5
         W6VZgNno1TrmWKtvNxB25ilHLpHzniZRAbmYtEUFE/Wme9M5R0KBcQcgylcfG9u4d7A0
         tXfvXUof64ofNOAaLFoS3xW9aaagablhCtfEys5X3DUsGYfEE5AyVszF/skG9HN7YW9p
         8x1Lt3N0pJB78W5NSOhL2p47kzyPVCzPGnkeHeCksNFP+nMBGIcqoUgbGUyXi7VacTQG
         qePQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=CmSiaPcuPj0OC9Van/3kI9pixgS7KKx7iRvuRFfLqzs=;
        b=iKlPTiIBElvdy566YqKOkXC/5AA1MrOs5LWGo4YbecYSRgM+nX6NIusHicqY6FuVDj
         F0Ep9Hdv3YFRSv0s+6TEoWFZZ06t6smC6wmwfbk95pY190J6gFuoPzLiQosmVG2+4TMI
         LwyEPQMul59xL5pppctf9OXIXeb/SQehrSC3UU9neYcjQBP7lzOKuiBhSx2T5PVN4eGS
         dzQqaiwWqqSoujaaus3RBfoPmqIV01syHFyGdysvAKLpYendfz2rrqwHtKgLt4Ky08S4
         E3nDxNOjrjKfW43TzaURXuqA+9vHR3mOAfRgPW5QUVt6XDYQXv6PEovH4XqvniFUbX+Y
         zo6g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b="Peytc/M3";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id bl4si256791ejb.283.2021.08.25.09.05.09;
        Wed, 25 Aug 2021 09:05:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b="Peytc/M3";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S241254AbhHYPug (ORCPT <rfc822;liukuiyu0707@gmail.com>
        + 99 others); Wed, 25 Aug 2021 11:50:36 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60072 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S241145AbhHYPug (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 25 Aug 2021 11:50:36 -0400
Received: from mail-qk1-x729.google.com (mail-qk1-x729.google.com [IPv6:2607:f8b0:4864:20::729])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3CF62C061757
        for <linux-kernel@vger.kernel.org>; Wed, 25 Aug 2021 08:49:50 -0700 (PDT)
Received: by mail-qk1-x729.google.com with SMTP id a10so18948922qka.12
        for <linux-kernel@vger.kernel.org>; Wed, 25 Aug 2021 08:49:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=CmSiaPcuPj0OC9Van/3kI9pixgS7KKx7iRvuRFfLqzs=;
        b=Peytc/M3TMIW68kU/Omye5ggz9Bylqxo7fyeD68yNutz2S+6ay5EYPu7yQ3JqOPsct
         v6PHrI6gnq21/DRdmRK1EjWGe2EAgpMQDgl0fZVcf2k6MZ3f26Td9rW8hylsGfYla+x3
         RaolUpZ7wE+vDOTZioGMJiqLlp28toWmx51FXkQKFUuIpXe9eJTWO/+V32MNvR8NyTDV
         z0vCxHETT8GlVOrFL9ktJCpnAT0e+yofwCKuBWy8VbK8BnUVegAH+xwYVbERlOeHjV8H
         Tc75arrREfM3h8vYwUt88DhQkgKezV2KMf9+UGBpezev0Zt8HP7Bs0nQSFDzAkqJQyuc
         sgXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=CmSiaPcuPj0OC9Van/3kI9pixgS7KKx7iRvuRFfLqzs=;
        b=QOtILWlJNGnCJPE6hTZhHpWr4e4VrGrWaBRn8cymiHIPYSgfRWm7DjWaL4b34uLUF6
         Z7jNKq0CeaonoqeYC0ZQvgRPcvh7caqtgVcE+ySmD3FboqnUTcxGfAGXyNxSR6pxbWRH
         WJF4JuGkUKg9w8zrSWlFMeHMLbkp1OfmMIjxgn6BwcCzZZAPvC0Mb6uksOYTTYscl0yG
         4aAkpHg2gGvko+cYEt/EQ2BYzso368nfdh7XVS410ziA7Mn4uOIgKtcIiy4p1J/dkV7q
         92MXl3QHr6W2QUlHMjv1pkDBPJO3EhNa+5FJAuCMlnPNza21JRXQU/0LxVZS/HvXaRfL
         yT8Q==
X-Gm-Message-State: AOAM5320dag+AzFCiqGRi/jABDTksDXV7EtB46L6dKsLAO88PtUutzer
        LHfVFtcQbG/2WtdiKA1VO1j1FvPtNWNWmc2kq6c68Q==
X-Received: by 2002:a25:1c06:: with SMTP id c6mr10632452ybc.498.1629906587436;
 Wed, 25 Aug 2021 08:49:47 -0700 (PDT)
MIME-Version: 1.0
References: <20210823171318.2801096-1-samitolvanen@google.com> <20210824194652.GB17784@worktop.programming.kicks-ass.net>
In-Reply-To: <20210824194652.GB17784@worktop.programming.kicks-ass.net>
From:   Sami Tolvanen <samitolvanen@google.com>
Date:   Wed, 25 Aug 2021 08:49:36 -0700
Message-ID: <CABCJKud6JBk0QP0aSqM3ptRqbZLfKpfsHNF0RcTq4L-rbc7+uw@mail.gmail.com>
Subject: Re: [PATCH v2 00/14] x86: Add support for Clang CFI
To:     Peter Zijlstra <peterz@infradead.org>
Cc:     X86 ML <x86@kernel.org>, Kees Cook <keescook@chromium.org>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        Nathan Chancellor <nathan@kernel.org>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Sedat Dilek <sedat.dilek@gmail.com>,
        linux-hardening@vger.kernel.org,
        LKML <linux-kernel@vger.kernel.org>,
        clang-built-linux <clang-built-linux@googlegroups.com>,
        Steven Rostedt <rostedt@goodmis.org>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Aug 24, 2021 at 12:47 PM Peter Zijlstra <peterz@infradead.org> wrote:
>
> On Mon, Aug 23, 2021 at 10:13:04AM -0700, Sami Tolvanen wrote:
> > This series adds support for Clang's Control-Flow Integrity (CFI)
> > checking to x86_64. With CFI, the compiler injects a runtime
> > check before each indirect function call to ensure the target is
> > a valid function with the correct static type. This restricts
> > possible call targets and makes it more difficult for an attacker
> > to exploit bugs that allow the modification of stored function
> > pointers. For more details, see:
>
> If I understand this right; tp_stub_func() in kernel/tracepoint.c
> violates this (as would much of the HAVE_STATIC_CALL=n code, luckily
> that is not a valid x86_64 configuration).
>
> Specifically, we assign &tp_stub_func to tracepoint_func::func, but that
> function pointer is only ever indirectly called when cast to the
> tracepoint prototype:
>
>   ((void(*)(void *, proto))(it_func))(__data, args);
>
> (see DEFINE_TRACE_FN() in linux/tracepoint.h)
>
> This means the indirect function type and the target function type
> mismatch, resulting in that runtime check you added to trigger.

Thanks for pointing this out. Yes, that would clearly trip CFI.

Any concerns about just writing a magic value to the slot instead of
pointing it to a stub function, and checking for it before the call?

> Hitting tp_stub_func() at runtime is exceedingly rare, but possible.
>
> I realize this is strictly UB per C, but realistically any CDECL ABI
> requires that any function with arbitrary signature:
>
>   void foo(...)
>   {
>   }
>
> translates to the exact same code. Specifically on x86-64, the super
> impressive:
>
> foo:
>         RET
>
> And as such this works just fine. Except now you wrecked it.

Sure. Another option is to disable CFI for the functions that perform
the call, but I would rather avoid that whenever possible.

Sami