Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp3066813pxb; Mon, 1 Nov 2021 07:16:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzKBAEGyoFSJlXm0W9wBdLTRpk8F2eDGZGzIH7oC+Ax/TfMvU4J9bw3mVrhXTxYWcx6mnOq X-Received: by 2002:a02:b10e:: with SMTP id r14mr9289860jah.81.1635776166289; Mon, 01 Nov 2021 07:16:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635776166; cv=none; d=google.com; s=arc-20160816; b=bpBZtG+ElmB37mxLV5SdWsP28RY6GovyBf0yqIIbonsWw9wuNVO4oi4orp/cXz3MeC torhxEdUYYCPka+ajdTUGkROFnfKxV1Rgj+D4adiGMp6HrTM6t4KB3ui4qdsRJDrzLmm OSqXeTy7WTydz3A3tOxn65RBR4OzrdR7FpmM1DmL/uNGiFi+FrQEG5ekR+8qD0E/pzjE QNbXCzjEwjFsM9eQjIzJ2JXhRyPnmpPjsQSTPmUns/w6ShyrPYu0Wdgi+AAk1swrA8+S K5GSHwRF5f40BOkx9hvtfxQg7GqAY9n09P4x/N5HYi9fLb1QPimkZB16im8tNVqb5kr0 OP1Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=i69vRlYEfIEqtrl+56kW0o4fiFskwEwT/Wm556pV/oM=; b=jxalRn7k4tpZwmkL+0z7tAkIpEolNlmbsnb4HOU3n0BZUPeYlVnR+Xf6DSDv/+cteY dHCISm4ammYm6YS2gS0EfmuMrT43Wyf6whQnqrYu6SRhaocWhTop0yyI2HkKP4YNI6p0 sWIxAhlEa0A8wOY1GY2Uk9im5cfEFn0yPX8Zog/7HmXPBEfve7zjxUZgxzDpnxR5Q5ej VnvFTn/uYx77fNgh3W8cwQSHOeqL7jtjvqr4QokhhHvxYZZfuj3CoQnbAnnbUlY29pX4 cTfGTs8SO1E5in6apdqL0SiLRRwh5zqncNljJkWRHmxZ1IMPmVLACYUPCtVJaSaHkeGV CHLQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=KY+EWlyJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t20si26198702iov.32.2021.11.01.07.15.52; Mon, 01 Nov 2021 07:16:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=KY+EWlyJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231959AbhKAOR2 (ORCPT + 99 others); Mon, 1 Nov 2021 10:17:28 -0400 Received: from mail.kernel.org ([198.145.29.99]:39246 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229826AbhKAOR2 (ORCPT ); Mon, 1 Nov 2021 10:17:28 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id E288E610E5; Mon, 1 Nov 2021 14:14:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1635776094; bh=i69vRlYEfIEqtrl+56kW0o4fiFskwEwT/Wm556pV/oM=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=KY+EWlyJv/vVXqDNhN/kO3kGeR0AIHeiX0GgJa/ZlHHgoYYGtepeC0na+9ZWluf6P terwAgaFzocp1oDEiKvAA9xLMrUHfCBlrl2InIh/Jle8eqd0IF63ZQb3fIQF2phyxJ KVTQ3145KyJedZjHA/+GJix4sIiKh+2VYuuc9jL4Fi4738JHF/AKsBjIlsYW40C52e L0/jrZvTiBo7tU/vzZlacMjQ93EdJCliG9Hab2Ch/5JZIBangOsx5nAmTFHAKfcXVj FKtGApiEzUn3lB3w3aBgAxcaSlxwP82c+9r9LZSbvnnkqRDlI5yJaPRBMtmg5t3cVC ibWpldhmUc1qA== Received: by mail-oi1-f172.google.com with SMTP id q124so25079821oig.3; Mon, 01 Nov 2021 07:14:54 -0700 (PDT) X-Gm-Message-State: AOAM532hIdljLIkUptXxKvtXFRYv04do8cQ2L6EqJ6waSEFcRvopK/MY dkSGsvyvWMKqXvmbEcZH/feg7TezRn4hpWWqmAs= X-Received: by 2002:a05:6808:4d9:: with SMTP id a25mr19986405oie.33.1635776094081; Mon, 01 Nov 2021 07:14:54 -0700 (PDT) MIME-Version: 1.0 References: <20211030180249.GU174703@worktop.programming.kicks-ass.net> <20211031163920.GV174703@worktop.programming.kicks-ass.net> <20211101090155.GW174703@worktop.programming.kicks-ass.net> In-Reply-To: <20211101090155.GW174703@worktop.programming.kicks-ass.net> From: Ard Biesheuvel Date: Mon, 1 Nov 2021 15:14:41 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] static_call,x86: Robustify trampoline patching To: Peter Zijlstra Cc: Sami Tolvanen , Mark Rutland , X86 ML , Kees Cook , Josh Poimboeuf , Nathan Chancellor , Nick Desaulniers , Sedat Dilek , Steven Rostedt , linux-hardening@vger.kernel.org, Linux Kernel Mailing List , llvm@lists.linux.dev Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 1 Nov 2021 at 10:05, Peter Zijlstra wrote: > > On Mon, Nov 01, 2021 at 12:36:18AM +0100, Ard Biesheuvel wrote: > > On Sun, 31 Oct 2021 at 21:45, Peter Zijlstra wrote: > > > > > > On Sun, Oct 31, 2021 at 09:21:56PM +0100, Ard Biesheuvel wrote: > > > > > > > That means we can support static calls on arm64 now without breaking > > > > Clang CFI, and work on a solution for the redundant jumps on a more > > > > relaxed schedule. > > > > > > Yes, arm64 has a 'problem' with having already merged the clang-cfi > > > stuff :/ > > > > > > I'm hoping the x86 solution can be an alternative CFI scheme, I'm > > > starting to really hate this one. And I'm not at all convinced the > > > proposed scheme is the best possible scheme given the constraints of > > > kernel code. AFAICT it's a compromise made in userspace. > > > > Your scheme only works with IBT: the value of %r11 is under the > > adversary's control so it could just point it at 'foo+0x10' if it > > wants to call foo indirectly, and circumvent the check. So without IBT > > (or BTI), I think the check fundamentally belongs in the caller, not > > in the callee. > > How is that not true for the jump table approach? Like I showed earlier, > it is *trivial* to reconstruct the actual function pointer from a > jump-table entry pointer. > That is not the point. The point is that Clang instruments every indirect call that it emits, to check whether the type of the jump table entry it is about to call matches the type of the caller. IOW, the indirect calls can only branch into jump tables, and all jump table entries in a table each branch to the start of some function of the same type. So the only thing you could achieve by adding or subtracting a constant value from the indirect call address is either calling another function of the same type (if you are hitting another entry in the same table), or failing the CFI type check. Instrumenting the callee only needs something like BTI, and a consistent use of the landing pads to ensure that you cannot trivially omit the check by landing right after it. > In any case, I really want the discussion to start at square one, and > show/explain why any chosen CFI scheme is actually good for the kernel. > Just because clang happened to have implemented it, doesn't make it the > most suitable scheme for the kernel. Not disagreeing with that for x86, but again, we're already past that for arm64.