References: <20220416001103.1524653-1-keescook@chromium.org>
In-Reply-To: <20220416001103.1524653-1-keescook@chromium.org>
From: Daniel Díaz
Date: Tue, 6 Dec 2022 18:28:53 -0600
Subject: Re: [PATCH v2] lkdtm: Add CFI_BACKWARD to test ROP mitigations
To: Kees Cook
Cc: Dan Li, Arnd Bergmann, Greg Kroah-Hartman, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
List-ID: linux-kernel@vger.kernel.org

Hello!

On Sat, 16 Apr 2022 at 00:30, Kees Cook wrote:
> In order to test various backward-edge control flow integrity methods,
> add a test that manipulates the return address on the stack. Currently
> only arm64 Pointer Authentication and Shadow Call Stack is supported.
>
>   $ echo CFI_BACKWARD | cat >/sys/kernel/debug/provoke-crash/DIRECT
>
> Under SCS, successful test of the mitigation is reported as:
>
>   lkdtm: Performing direct entry CFI_BACKWARD
>   lkdtm: Attempting unchecked stack return address redirection ...
>   lkdtm: ok: redirected stack return address.
>   lkdtm: Attempting checked stack return address redirection ...
>   lkdtm: ok: control flow unchanged.
>
> Under PAC, successful test of the mitigation is reported by the PAC
> exception handler:
>
>   lkdtm: Performing direct entry CFI_BACKWARD
>   lkdtm: Attempting unchecked stack return address redirection ...
>   lkdtm: ok: redirected stack return address.
>   lkdtm: Attempting checked stack return address redirection ...
>   Unable to handle kernel paging request at virtual address bfffffc0088d0514
>   Mem abort info:
>     ESR = 0x86000004
>     EC = 0x21: IABT (current EL), IL = 32 bits
>     SET = 0, FnV = 0
>     EA = 0, S1PTW = 0
>     FSC = 0x04: level 0 translation fault
>   [bfffffc0088d0514] address between user and kernel address ranges
>   ...
>
> If the CONFIGs are missing (or the mitigation isn't working), failure
> is reported as:
>
>   lkdtm: Performing direct entry CFI_BACKWARD
>   lkdtm: Attempting unchecked stack return address redirection ...
>   lkdtm: ok: redirected stack return address.
>   lkdtm: Attempting checked stack return address redirection ...
>   lkdtm: FAIL: stack return address was redirected!
>   lkdtm: This is probably expected, since this kernel was built *without* CONFIG_ARM64_PTR_AUTH_KERNEL=y nor CONFIG_SHADOW_CALL_STACK=y
>
> Co-developed-by: Dan Li
> Signed-off-by: Dan Li
> Cc: Arnd Bergmann
> Cc: Greg Kroah-Hartman
> Signed-off-by: Kees Cook
> ---
> v1: https://lore.kernel.org/lkml/20220413213917.711770-1-keescook@chromium.org
> v2:
> - add PAGE_OFFSET setting for PAC bits (Dan Li)
> ---
>  drivers/misc/lkdtm/cfi.c                | 134 ++++++++++++++++++++++++
>  tools/testing/selftests/lkdtm/tests.txt |   1 +
>  2 files changed, 135 insertions(+)
>
> diff --git a/drivers/misc/lkdtm/cfi.c b/drivers/misc/lkdtm/cfi.c
> index e88f778be0d5..804965a480b7 100644
> --- a/drivers/misc/lkdtm/cfi.c
> +++ b/drivers/misc/lkdtm/cfi.c
> @@ -3,6 +3,7 @@
>   * This is for all the tests relating directly to Control Flow Integrity.
>   */
>  #include "lkdtm.h"
> +#include
>
>  static int called_count;
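Review bot: the header name on the added `+#include` line is not visible in this copy of the patch, so it is not possible to tell from the hunk what it pulls in; the only symbol the following hunk uses that cfi.c does not already show is `__noscs`, so the include should be the header that provides that attribute, and naming the reason for the include in the commit message would save the next reader the same question.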
>
> @@ -42,8 +43,141 @@ static void lkdtm_CFI_FORWARD_PROTO(void)
>  	pr_expected_config(CONFIG_CFI_CLANG);
>  }
>
> +/*
> + * This can stay local to LKDTM, as there should not be a production reason
> + * to disable PAC && SCS.
> + */
> +#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL
> +# ifdef CONFIG_ARM64_BTI_KERNEL
> +# define __no_pac "branch-protection=bti"
> +# else
> +# define __no_pac "branch-protection=none"
> +# endif
> +# define __no_ret_protection __noscs __attribute__((__target__(__no_pac)))
> +#else
> +# define __no_ret_protection __noscs
> +#endif

We're seeing this problem with allmodconfig on arm64 and GCC 8 (this one
observed on 6.0.12-rc3):

-----8<----------8<----------8<-----
make --silent --keep-going --jobs=8 O=/home/tuxbuild/.cache/tuxmake/builds/2/build CROSS_COMPILE_COMPAT=arm-linux-gnueabihf- ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- 'CC=sccache aarch64-linux-gnu-gcc' 'HOSTCC=sccache gcc'
/builds/linux/drivers/misc/lkdtm/cfi.c:67:1: error: pragma or attribute 'target("branch-protection=none")' is not valid
 {
 ^
make[4]: *** [/builds/linux/scripts/Makefile.build:249: drivers/misc/lkdtm/cfi.o] Error 1
make[4]: Target '__build' not remade because of errors.
make[3]: *** [/builds/linux/scripts/Makefile.build:465: drivers/misc/lkdtm] Error 2
make[3]: Target '__build' not remade because of errors.
make[2]: *** [/builds/linux/scripts/Makefile.build:465: drivers/misc] Error 2
make[2]: Target '__build' not remade because of errors.
make[1]: *** [/builds/linux/Makefile:1852: drivers] Error 2
----->8---------->8---------->8-----

Reproducer:
  `tuxmake --runtime podman --target-arch arm64 --toolchain gcc-8 --kconfig allmodconfig CROSS_COMPILE_COMPAT=arm-linux-gnueabihf-`

Is this a legit problem?

Greetings!

Daniel Díaz
daniel.diaz@linaro.org
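Review bot: the `#else` branch of the `__no_pac` selection hard-codes `"branch-protection=none"` and the whole block is keyed on `CONFIG_ARM64_PTR_AUTH_KERNEL`, but that option only says the kernel is built with return-address signing, not that the compiler accepts `branch-protection=` as a per-function `__target__` string; the GCC 8 build log in the reply shows exactly that attribute being rejected (`pragma or attribute 'target("branch-protection=none")' is not valid`). The string should be chosen on compiler capability rather than on the PAC Kconfig option: the arm64 Kconfig already records whether the compiler took `-mbranch-protection=` (`CONFIG_CC_HAS_BRANCH_PROT_PAC_RET`) or only the older `-msign-return-address=` form that GCC 7 and 8 provide, so something like `# ifdef CONFIG_CC_HAS_BRANCH_PROT_PAC_RET` / `#  define __no_pac "branch-protection=none"` / `# else` / `#  define __no_pac "sign-return-address=none"` keeps the test building on toolchains that only know the older option. The `bti` branch has the same exposure if BTI can ever be enabled without the newer option, so it is worth a comment stating which compilers each string is expected to work with.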
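The two phases the quoted commit message describes (an unchecked return that follows a rewritten return-address slot, then a checked return that SCS or PAC keeps on course) can be modelled in ordinary user-space C. The block below is an added example for this thread, not LKDTM code and not the patch under discussion: the `struct frame`, the software shadow stack and the keyed `pac_compute()` mix are constructed stand-ins for the real stack, the register-backed shadow call stack and the PAC instructions, and `pac_key` plus the mixing function are assumptions of the model rather than the hardware algorithm.

```c
#include <stdint.h>
#include <stdio.h>

typedef void (*retaddr_t)(void);

/* Landing sites: which one runs tells us where control flow actually went. */
static int hits_intended, hits_redirected;
static void intended_site(void)   { hits_intended++; }
static void redirected_site(void) { hits_redirected++; }

/* Modelled call frame (constructed for this example). The return-address slot
 * is ordinary writable memory, which is what an overflow or arbitrary write hits. */
struct frame {
    retaddr_t ret;   /* saved return address */
    uint64_t  pac;   /* PAC model: signature over ret (unused by the SCS model) */
};

/* The attacker step shared by every phase: rewrite the saved return address. */
static void corrupt_return_slot(struct frame *f, retaddr_t target) { f->ret = target; }

/* Phase 1: an unchecked return trusts whatever is in the slot. */
static void ret_unchecked(const struct frame *f) { f->ret(); }

int unchecked_return_is_redirected(void)
{
    struct frame f = { intended_site, 0 };
    hits_intended = hits_redirected = 0;
    corrupt_return_slot(&f, redirected_site);
    ret_unchecked(&f);
    return hits_redirected == 1 && hits_intended == 0;   /* "ok: redirected" */
}

/* Phase 2a, shadow call stack model: the return address actually used lives in
 * separate storage that the frame corruption never touches. */
#define SCS_DEPTH 64
static retaddr_t scs[SCS_DEPTH];
static int scs_top;
static void scs_push(retaddr_t ra) { scs[scs_top++] = ra; }
static retaddr_t scs_pop(void)     { return scs[--scs_top]; }
static void ret_scs(void)          { retaddr_t ra = scs_pop(); ra(); }

int scs_return_unchanged(void)
{
    struct frame f = { intended_site, 0 };
    hits_intended = hits_redirected = 0;
    scs_push(f.ret);                          /* prologue: copy to shadow stack */
    corrupt_return_slot(&f, redirected_site);
    ret_scs();                                /* epilogue: return via the copy */
    return hits_intended == 1 && hits_redirected == 0;   /* "control flow unchanged" */
}

/* Phase 2b, pointer authentication model. The key and mixing function are
 * assumptions of this model, not the hardware algorithm; the key is not
 * reachable through the frame, so the attacker cannot re-sign a new target. */
static const uint64_t pac_key = 0x9e3779b97f4a7c15ULL;

static uint64_t pac_compute(retaddr_t ra, uintptr_t modifier)
{
    uint64_t h = (uint64_t)(uintptr_t)ra ^ pac_key;
    h ^= (uint64_t)modifier;
    h *= 0xff51afd7ed558ccdULL; h ^= h >> 33;
    h *= 0xc4ceb9fe1a85ec53ULL; h ^= h >> 33;
    return h;
}

/* Sign with the frame address as modifier (real PAC uses the stack pointer). */
static void pac_sign(struct frame *f) { f->pac = pac_compute(f->ret, (uintptr_t)f); }

/* Authenticate before returning. A mismatch is the modelled PAC failure: the
 * target is never called and 1 is returned. Real hardware instead leaves a
 * corrupted pointer behind and the following RET takes a fault. */
static int ret_pac(struct frame *f)
{
    if (pac_compute(f->ret, (uintptr_t)f) != f->pac)
        return 1;
    f->ret();
    return 0;
}

int pac_return_faults_on_tamper(void)
{
    struct frame f = { intended_site, 0 };
    hits_intended = hits_redirected = 0;
    pac_sign(&f);                             /* prologue: PACIASP equivalent */
    corrupt_return_slot(&f, redirected_site);
    int faulted = ret_pac(&f);                /* epilogue: AUTIASP + RET equivalent */
    return faulted && hits_intended == 0 && hits_redirected == 0;
}

int pac_return_intact_when_untouched(void)
{
    struct frame f = { intended_site, 0 };
    hits_intended = hits_redirected = 0;
    pac_sign(&f);
    return ret_pac(&f) == 0 && hits_intended == 1;
}

int main(void)
{
    printf("unchecked: %s\n", unchecked_return_is_redirected() ? "ok: redirected stack return address" : "FAIL");
    printf("SCS:       %s\n", scs_return_unchanged() ? "ok: control flow unchanged" : "FAIL");
    printf("PAC:       %s\n", pac_return_faults_on_tamper() ? "ok: authentication failed, no return taken" : "FAIL");
    return 0;
}
```

The point of the split is the same one the LKDTM test makes: SCS never consults the corrupted slot at all, so control flow is simply unchanged, while PAC does consult it and detects the mismatch. In the kernel the PAC case shows up as the paging-request splat quoted above rather than a clean return code, because the failed authentication leaves a poisoned address that the real RET then jumps to.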