From: David Laight
To: 'Mark Rutland', Peter Zijlstra
CC: Sami Tolvanen, "x86@kernel.org", Kees Cook, Josh Poimboeuf, Nathan Chancellor, "Nick Desaulniers", Sedat Dilek, Steven Rostedt, "linux-hardening@vger.kernel.org", "linux-kernel@vger.kernel.org", "llvm@lists.linux.dev", "ardb@kernel.org"
Subject: RE: [PATCH v5 00/15] x86: Add support for Clang CFI
Date: Wed, 27 Oct 2021 12:55:17 +0000
Message-ID: <456321a9fc5245408fc0d2798e497fe0@AcuMS.aculab.com>
References: <20211013181658.1020262-1-samitolvanen@google.com> <20211026201622.GG174703@worktop.programming.kicks-ass.net> <20211027120515.GC54628@C02TD0UTHF1T.local>
In-Reply-To: <20211027120515.GC54628@C02TD0UTHF1T.local>

From: Mark Rutland
> Sent: 27 October 2021 13:05
...
> Taking a step back, it'd be nicer if we didn't have the jump-table shim
> at all, and had some SW landing pad (e.g. a NOP with some magic bytes)
> in the callees that the caller could check for. Then function pointers
> would remain callable in call cases, and we could explicitly add landing
> pads to asm to protect those. I *think* that's what the grsecurity folk
> do, but I could be mistaken.

It doesn't need to be a 'landing pad'.
The 'magic value' could be at 'label - 8'.

Provided you can generate the required value it could be added to asm functions.
(Or you could patch it at startup by stealing the value from a C function.)

Depending on the threat model, you may even want the called function to do some sanity checks on the caller.

I suspect that anything you do is easy to subvert by anything that can actually write asm.
So if the real threat is overwritten function tables then something relatively simple is adequate.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
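The 'magic value at label - 8' check described in the reply above, as an added user-space model (not code from the thread, the patch series or the kernel). A struct stands in for a function's text so that the tag sits 8 bytes below the entry address; `tagged_entry`, `checked_call` and the tag constants are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef int (*handler_fn)(int);

/* Model of a function's text: the tag occupies the 8 bytes directly below
 * the entry address ("label"), as in the 'label - 8' suggestion. */
struct tagged_entry {
    uint64_t   tag;    /* lives at label - 8 */
    handler_fn entry;  /* stands in for the first instruction at label */
};
_Static_assert(offsetof(struct tagged_entry, entry) == 8, "tag must be at label - 8");

/* Constructed tag values; a real scheme would derive one per prototype. */
#define TAG_INT_INT 0x5f696e745f696e74ULL
#define TAG_OTHER   0x5f6f746865725f5fULL

static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }

static struct tagged_entry text_double = { TAG_INT_INT, double_it };
static struct tagged_entry text_negate = { TAG_OTHER,   negate };  /* wrong type */
static struct tagged_entry text_stray  = { 0,           negate };  /* no tag at all */

/* Caller-side check: read the 8 bytes below the target and compare before
 * transferring control. Returns 0 on success, -1 where a kernel would trap. */
static int checked_call(const void *label, uint64_t want, int arg, int *out)
{
    uint64_t got;
    handler_fn fn;

    memcpy(&got, (const unsigned char *)label - sizeof got, sizeof got);
    if (got != want)
        return -1;
    memcpy(&fn, label, sizeof fn);
    *out = fn(arg);
    return 0;
}

int main(void)
{
    /* Function table whose slots may have been overwritten. */
    const void *table[] = { &text_double.entry, &text_negate.entry, &text_stray.entry };
    int out = 0, rejected = 0;

    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        rejected += checked_call(table[i], TAG_INT_INT, 21, &out) != 0;
    return (out == 42 && rejected == 2) ? 0 : 1;
}
```

The model covers only the overwritten-function-table case the reply names: a slot redirected to a target without the expected tag is refused, while anything able to place a matching tag below its own code passes the check.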