Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp4540890pxb; Tue, 2 Nov 2021 11:23:51 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyFJwxIW0CgeJJ9a4zU6IrbOHiHCKgeUf+R0X0NfKVaaEsMQreXsSRGWBxPFwzZShlUx64X X-Received: by 2002:a17:906:6b0c:: with SMTP id q12mr48875740ejr.0.1635877431128; Tue, 02 Nov 2021 11:23:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635877431; cv=none; d=google.com; s=arc-20160816; b=rpEmyzS7q0bBBVKKCCMKOp8T1BMgcKVTNEIll5VV2xGMuiEG8boH8m+QthVCSg29s/ 72sHcT7mznWNjXa9vsGhty74qrilF7lNYyUUx6of46GOT5uDXwDPEmSI1F9JmIcJ08wy ouwpPyUjCqyXTR4pfPx1L8TMFU+QAA0yS7w/Yp8eO1VqbLjsKbHsUCuTrUTTrRrD7TmP jq0fJ5mRwP+K86GDKp/vgUlopVa4J2jaZcUb25DkXmE5TDK8JT6GN6iCnooJVQQQIYKY 19Bp2fN+lcDrs1Ob1KyHxp6dppjZ09Qs6Q58lKN1h1s3ntcN2bOkfhlD52x0p6Swyfgv ZHpA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=K0rz7LT+kgomD5KRNtzJy6G/J+BhWbgnVLi0ic650I0=; b=Ta4Zb+R2KbW5Q4VMeQo4jdHcFGUsAPAz1ymyZJSKAZoOeI5XAs1y8tAErzOaKq5DTT nhjs8JWp3LZvTAK4DOQVMPNfXtb1MsQxf1aH1F3fTSnmfafmS2/XkweWmUCp3A7eD6Tv RcS18xLppZQ7me7CVNQ6AGiTzqDH9tiCQ6FnlyTbEOpB8O52RrfYs6XIxTGRx5F+Ujuo UEIFSvLUA5dFyQ1iubfQ9OFHbVE7bmiuL4KxwQxh/LzVnugf6ofhpkAOosZbW4okgooA MulDhvqG0/FdhvBmtuF1pPPKQauDruzVPc9l8SIcLmF2Cx3qlcvpPaKtJGozVIkFy3Da /hbQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=dJ9VibV9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e20si1193663ejx.696.2021.11.02.11.23.25; Tue, 02 Nov 2021 11:23:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=dJ9VibV9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235030AbhKBSYF (ORCPT + 99 others); Tue, 2 Nov 2021 14:24:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38914 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232211AbhKBSYE (ORCPT ); Tue, 2 Nov 2021 14:24:04 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6E6C0C061714; Tue, 2 Nov 2021 11:21:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=K0rz7LT+kgomD5KRNtzJy6G/J+BhWbgnVLi0ic650I0=; b=dJ9VibV9ZrIwDjTaMbTXmZwZJX bQdjfemLebGdpEQOacA+0IGSYwxaZ2EEsxlDJoBA/7WGVPPvXM28251CmPRdMYAXDntAQNHhHO0qV v/AZ3mS1k2WDG6fuSg4lrISg4c/IUw87Hr9DHet8l6dnXtycetIdmRuQ3dbe7aG2MIJsAKg8Ln/wf Du1BBQbjLlOkUWucCwT04KkXyBGzzx/FlqeOdprJT4oNWi1klCNgmOcCmpXjuv6DpERZKM5fcoUJt 3oWDqrb1qRK9nZQLnZGbk05TaWcsdWVfoTW1vBCysM9Zo3gH79uPwio2TEtFo2kUGosnxE9/JPTiS k3is7y+Q==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=noisy.programming.kicks-ass.net) by casper.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1mhyKF-004g3M-IV; Tue, 02 Nov 2021 18:16:10 +0000 Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (Client did not present a certificate) by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id C7A2630022C; Tue, 2 Nov 2021 19:15:58 +0100 (CET) Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id B704E2D53269D; Tue, 2 Nov 2021 19:15:58 +0100 (CET) Date: Tue, 2 Nov 2021 19:15:58 +0100 From: Peter Zijlstra To: Kees Cook Cc: Sami Tolvanen , Ard Biesheuvel , Mark Rutland , X86 ML , Josh Poimboeuf , Nathan Chancellor , Nick Desaulniers , Sedat Dilek , Steven Rostedt , linux-hardening@vger.kernel.org, Linux Kernel Mailing List , llvm@lists.linux.dev, joao@overdrivepizza.com Subject: Re: [PATCH] static_call,x86: Robustify trampoline patching Message-ID: References: <20211027124852.GK174703@worktop.programming.kicks-ass.net> <20211029200324.GR174703@worktop.programming.kicks-ass.net> <20211030074758.GT174703@worktop.programming.kicks-ass.net> <20211030081631.GF174730@worktop.programming.kicks-ass.net> <202111021029.79D81E590@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <202111021029.79D81E590@keescook> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 02, 2021 at 10:35:30AM -0700, Kees Cook wrote: > On Sat, Oct 30, 2021 at 10:16:31AM +0200, Peter Zijlstra wrote: > > foo.cfi: > > endbr > > xorl $0xdeadbeef, %r10d > > jz foo > > ud2 > > nop # make it an even 16 bytes > > foo: > > # actual function text > > > > > > Then have the address of foo, be the address of foo, like any normal > > sane person would expect. Have direct calls to foo, go to foo, again, as > > expected. > > > > When doing an indirect call (to r11, as clang does), then, and only > > then, do: > > > > movl $0xdeadbeef, %r10d > > subq $0x10, %r11 > > call *%r11 > > > > # if the r11 lives, add: > > addq $0x10, %r11 > > > > > > Then only when caller and callee agree 0xdeadbeef is the password, does > > the indirect call go through. > > > > Why isn't this a suitable CFI scheme even without IBT? > > The trouble is that the callee is doing the verification. There's no > protection against calling into a callee that doesn't perform a check > (e.g. BPF JIT, or otherwise constructed executable memory, etc). The > caller needs to do the verification that what they're calling into is > safe before it makes the call. Right, Ard said the same, see new crackpot scheme here: https://lkml.kernel.org/r/YYE1yPClPMHvyvIt@hirez.programming.kicks-ass.net