Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp838958pxb; Thu, 26 Aug 2021 16:25:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzrfA3gaccMwHVYtuyC//+bw+SZdpObDb/Di+lloM2LgABUgK/Oc7ol49aoLAEWbr5dAt5W X-Received: by 2002:a05:6402:424c:: with SMTP id g12mr6841434edb.121.1630020355473; Thu, 26 Aug 2021 16:25:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1630020355; cv=none; d=google.com; s=arc-20160816; b=GsOw0tcVhvHJanfcDk8HdzZOVsHZJjExz9hWf2XyC8MzuwJ/pzfx6ykYuNRkrQ2yWc zH267q4or484hUxRkaBEsRwdDRXw79wbDR90T5Y7y77ucSHWC2yqkal1jGwbg28LyH9S GppysT8y+Sp47HLoYxKqJ9CRYYHzngVWKs9rQuTCeshRVjsIhvd8dLN8MdOJakoY0gQU B/2rz9RdTZGtkLCZZOBkGCk+nYVLw5BdqhVf01X/w/RPX3kG8KurJfnSUTDtV+tnJMxQ 5ZwScNeh8f9n+w4lelltZlT77ldbnuxr4v6a5DmH28lV6Qd5yzdNlA4uxDfRrUneySVA r+7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:subject:cc:to:from:date:references:in-reply-to :message-id:mime-version:user-agent:dkim-signature; bh=zrA2B1n2smMEgrYkLuAqwpAzZh+CE9+rD1ToKSBzNGI=; b=Wse68i/iK9cWh1wVrcj6BvpGsXI6cPinID+El7f0PRlVYT8Ddg+K9aPjKavqEj8Xpd BEgrw83QrtXbbVvG9joFowLO6wSZYBJK+itb0awrgmB7TYzCvK47cINYtHEYom0VjYPM 3KFskgtMcrtBFYpHjn2KR7P7++Gi9FLMYmsqr9CBJCa2C3RIzit62vtl+76f4d+5YBGu Ia/vBRRy399YEaVULgvyYBSpOktJyfIcHnJYfYQ8OmkW+q2xAS4CnL1bB619l77wQAmM Z1sTqEoU3OIyjkgL5fGdlQg9Z5MxoX/BEfMpq3LeBtKVdohClQ8W+/xrtGUeH/8hH1m5 hIYw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=iDNj0Dtc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n15si4034891ejl.353.2021.08.26.16.25.31; Thu, 26 Aug 2021 16:25:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=iDNj0Dtc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231477AbhHZXZC (ORCPT + 99 others); Thu, 26 Aug 2021 19:25:02 -0400 Received: from mail.kernel.org ([198.145.29.99]:38450 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231251AbhHZXZB (ORCPT ); Thu, 26 Aug 2021 19:25:01 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id D476260E8B; Thu, 26 Aug 2021 23:24:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1630020253; bh=vLbg/rOKXJxRQLaFHT5woV57pEypVhgBxoCpcb5Lzlg=; h=In-Reply-To:References:Date:From:To:Cc:Subject:From; b=iDNj0DtcrqzTaSOsN1GRUllGceWEce5c1JYSKuhVipTHim6rubdMz5jqna0S6yEIf bm4bkYgpIuC/J4WXROCavLX4kJZf4ftpom6bw6OG8JwAmGBl+yKBV3oQZt70yhZPpe 80UpAULCFoLRzEMYy/4GdfZAcQaUUpp9ZsBsJ82sSobJAgIUKFKDRcDybMxU0/1Sj7 XV5SHZJUFIKviKS0xGeAsMDoNfIAxtVWyC7HvNIThCDQlRe1OTBzZJTPJTHwuUiUIj 8+BIjmLUsTh+oRYjiJOlk+gO1DUC3rmvoEm3e0VttTjVN5RaAHvd82pNR4ialjRYs1 SUe67zRjeSz0w== Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailauth.nyi.internal (Postfix) with ESMTP id F279027C0054; Thu, 26 Aug 2021 19:24:11 -0400 (EDT) Received: from imap2 ([10.202.2.52]) by compute6.internal (MEProxy); Thu, 26 Aug 2021 19:24:11 -0400 X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrudduvddgvdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvffutgesthdtredtreerjeenucfhrhhomhepfdetnhgu hicunfhuthhomhhirhhskhhifdcuoehluhhtoheskhgvrhhnvghlrdhorhhgqeenucggtf frrghtthgvrhhnpeegjefghfdtledvfeegfeelvedtgfevkeeugfekffdvveeffeetieeh ueetveekfeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhroh hmpegrnhguhidomhgvshhmthhprghuthhhphgvrhhsohhnrghlihhthidqudduiedukeeh ieefvddqvdeifeduieeitdekqdhluhhtoheppehkvghrnhgvlhdrohhrgheslhhinhhugi drlhhuthhordhush X-ME-Proxy: Received: by mailuser.nyi.internal (Postfix, from userid 501) id E7336A0378F; Thu, 26 Aug 2021 19:24:10 -0400 (EDT) X-Mailer: MessagingEngine.com Webmail Interface User-Agent: Cyrus-JMAP/3.5.0-alpha0-1125-g685cec594c-fm-20210825.001-g685cec59 Mime-Version: 1.0 Message-Id: <959b3e65-97c9-4e00-87c5-f4a31c6739de@www.fastmail.com> In-Reply-To: References: <20210823171318.2801096-1-samitolvanen@google.com> <20210823171318.2801096-8-samitolvanen@google.com> Date: Thu, 26 Aug 2021 16:23:50 -0700 From: "Andy Lutomirski" To: "Sami Tolvanen" Cc: "the arch/x86 maintainers" , "Kees Cook" , "Josh Poimboeuf" , "Peter Zijlstra (Intel)" , "Nathan Chancellor" , "Nick Desaulniers" , "Sedat Dilek" , linux-hardening@vger.kernel.org, "Linux Kernel Mailing List" , clang-built-linux Subject: =?UTF-8?Q?Re:_[PATCH_v2_07/14]_x86:_Use_an_opaque_type_for_functions_not?= =?UTF-8?Q?_callable_from_C?= Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 26, 2021, at 3:11 PM, Sami Tolvanen wrote: > On Thu, Aug 26, 2021 at 9:54 AM Andy Lutomirski wrote: > > > > On 8/23/21 10:13 AM, Sami Tolvanen wrote: > > > The kernel has several assembly functions that are not directly callable > > > from C. Use an opaque type for these function prototypes to make misuse > > > harder, and to avoid the need to annotate references to these functions > > > for Clang's Control-Flow Integrity (CFI). > > > > You have: > > > > typedef const u8 *asm_func_t; > > > > This is IMO a bit confusing. asm_func_t like this is an *address* of a > > function, not a function. > > > > To be fair, C is obnoxious, but I think this will lead to more confusion > > than is idea. For example: > > > > > -extern void __fentry__(void); > > > +DECLARE_ASM_FUNC_SYMBOL(__fentry__); > > > > Okay, __fentry__ is the name of a symbol, and the expression __fentry__ > > is a pointer (or an array that decays to a pointer, thanks C), which is > > at least somewhat sensible. But: > > > > > -extern void (*paravirt_iret)(void); > > > +extern asm_func_t paravirt_iret; > > > > Now paravirt_iret is a global variable that points to an asm func. I > > bet people will read this wrong and, worse, type it wrong. > > > > I think that there a couple ways to change this that would be a bit nicer. > > > > 1. typedef const u8 asm_func_t[]; > > > > This is almost nice, but asm_func_t will still be accepted as a function > > argument, and the automatic decay rules will probably be confusing. > > > > 2. Rename asm_func_t to asm_func_ptr. Then it's at least a bit more clear. > > > > 3. Use an incomplete struct: > > > > struct asm_func; > > > > typedef struct asm_func asm_func; > > > > extern asm_func some_func; > > > > void *get_ptr(void) > > { > > return &some_func; > > } > > > > No macros required, and I think it's quite hard to misuse this by > > accident. asm_func can't be passed as an argument or used as a variable > > because it has incomplete type, and there are no arrays so the decay > > rules aren't in effect. > > I considered using an incomplete struct, but that would require an > explicit '&' when we take the address of these symbols, which I > thought would be unnecessary churn. Unless you strongly prefer this > one, I'll go with option 2 and rename asm_func_t to asm_func_ptr in > v3. > Do you have a sense for how many occurrences there are that would need an &? > Sami >