Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp3133956rwb; Fri, 9 Dec 2022 10:20:28 -0800 (PST) X-Google-Smtp-Source: AA0mqf6yf7w3KEWPDjhZS4H4UbsRyrqHVXT2xn6Cp91Z7kO5LK93IIY8nUKmDpxWZAa7sefiCzu0 X-Received: by 2002:a05:6402:4493:b0:46d:9471:8d9f with SMTP id er19-20020a056402449300b0046d94718d9fmr5801092edb.5.1670610028682; Fri, 09 Dec 2022 10:20:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1670610028; cv=none; d=google.com; s=arc-20160816; b=hpv0Nw7XdSdCEbHeC+anYJAdLu4IM8ZvlkvKRFACzk0UkokNcsDD2I/wS4ZBlMU8oS oJnYUWrzhH5giBnniOdbpSqOdXXkl2hzpKmxNv0apEKDsPcknzaLII4p930Zl1Re6H5R bwDRmnCH1tMx6kKCYxZIfRzDxNVd0y2UGmaSAGdqsMZYXQ8hEIGhwtmuW0T4ID7XpKVC ArPIH/Wx+drOkFpGv79FQRMuHPYVLOe5ZrsfmY0eAA54ax/EdrRRPUVfJQjcpALw6MTk vbtUNR86tUSGCuwqm0E2Et0zHg5G98So2vTvVzO7Bo5fPYEZQ9B36s7KYG2MURkDipyE vIow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=HJB2Kkp7wS1gf4qsobTzo0lO1cFmbK7o4VUFr3XmJjQ=; b=hugQGDzT7oZyny30zZILjqNwB8xPaGfGmJJPRi6IKD+I3lblBhdBNzGCDXEp303g8c TOO9+1jE2mz0MGEo0Akh+Hf/jTN64NkzKsV7D3ex/iF0c1kCT+mSiPa3mwXvnJi4RHMY +iAVMhvSQ/CmIZh4IzxNAc8Zmckih3uWlG9sdDCtnoCOJiXsanusCSiUH7jp/aWna6st Shf7LvfY0Q9c6CDkm4sA/HkFj+MRD+3a0Pzix/mWSMOkM5RFqGdYe5ZnwugxQHfArX+0 kQQQ34lXvgOJXvjzlz4Ax5b4ByXBeltiZ9kvGBIygJZys9S6nD2r7MObPNZEKn/ioe0I kPvA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x15-20020a05640226cf00b0046d76f75bd9si2211684edd.138.2022.12.09.10.20.11; Fri, 09 Dec 2022 10:20:28 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229955AbiLIRfE (ORCPT + 74 others); Fri, 9 Dec 2022 12:35:04 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51998 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229498AbiLIRfD (ORCPT ); Fri, 9 Dec 2022 12:35:03 -0500 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id A7D446BC83; Fri, 9 Dec 2022 09:35:01 -0800 (PST) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id F1B1623A; Fri, 9 Dec 2022 09:35:07 -0800 (PST) Received: from [10.57.7.11] (unknown [10.57.7.11]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id C25993F73D; Fri, 9 Dec 2022 09:34:59 -0800 (PST) Message-ID: Date: Fri, 9 Dec 2022 17:34:41 +0000 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2 Subject: Re: [PATCH v2] lkdtm: Add CFI_BACKWARD to test ROP mitigations Content-Language: en-US To: Kees Cook , =?UTF-8?Q?Daniel_D=c3=adaz?= Cc: Dan Li , Arnd Bergmann , Greg Kroah-Hartman , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org References: <20220416001103.1524653-1-keescook@chromium.org> <202212072221.A9FCC905CF@keescook> From: Kristina Martsenko In-Reply-To: <202212072221.A9FCC905CF@keescook> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-4.5 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 08/12/2022 06:22, Kees Cook wrote: > On Tue, Dec 06, 2022 at 06:28:53PM -0600, Daniel D�az wrote: >> Hello! >> >> On Sat, 16 Apr 2022 at 00:30, Kees Cook wrote: >>> In order to test various backward-edge control flow integrity methods, >>> add a test that manipulates the return address on the stack. Currently >>> only arm64 Pointer Authentication and Shadow Call Stack is supported. >>> >>> $ echo CFI_BACKWARD | cat >/sys/kernel/debug/provoke-crash/DIRECT >>> >>> Under SCS, successful test of the mitigation is reported as: >>> >>> lkdtm: Performing direct entry CFI_BACKWARD >>> lkdtm: Attempting unchecked stack return address redirection ... >>> lkdtm: ok: redirected stack return address. >>> lkdtm: Attempting checked stack return address redirection ... >>> lkdtm: ok: control flow unchanged. >>> >>> Under PAC, successful test of the mitigation is reported by the PAC >>> exception handler: >>> >>> lkdtm: Performing direct entry CFI_BACKWARD >>> lkdtm: Attempting unchecked stack return address redirection ... >>> lkdtm: ok: redirected stack return address. >>> lkdtm: Attempting checked stack return address redirection ... >>> Unable to handle kernel paging request at virtual address bfffffc0088d0514 >>> Mem abort info: >>> ESR = 0x86000004 >>> EC = 0x21: IABT (current EL), IL = 32 bits >>> SET = 0, FnV = 0 >>> EA = 0, S1PTW = 0 >>> FSC = 0x04: level 0 translation fault >>> [bfffffc0088d0514] address between user and kernel address ranges >>> ... >>> >>> If the CONFIGs are missing (or the mitigation isn't working), failure >>> is reported as: >>> >>> lkdtm: Performing direct entry CFI_BACKWARD >>> lkdtm: Attempting unchecked stack return address redirection ... >>> lkdtm: ok: redirected stack return address. >>> lkdtm: Attempting checked stack return address redirection ... >>> lkdtm: FAIL: stack return address was redirected! >>> lkdtm: This is probably expected, since this kernel was built *without* CONFIG_ARM64_PTR_AUTH_KERNEL=y nor CONFIG_SHADOW_CALL_STACK=y >>> >>> Co-developed-by: Dan Li >>> Signed-off-by: Dan Li >>> Cc: Arnd Bergmann >>> Cc: Greg Kroah-Hartman >>> Signed-off-by: Kees Cook >>> --- >>> v1: https://lore.kernel.org/lkml/20220413213917.711770-1-keescook@chromium.org >>> v2: >>> - add PAGE_OFFSET setting for PAC bits (Dan Li) >>> --- >>> drivers/misc/lkdtm/cfi.c | 134 ++++++++++++++++++++++++ >>> tools/testing/selftests/lkdtm/tests.txt | 1 + >>> 2 files changed, 135 insertions(+) >>> >>> diff --git a/drivers/misc/lkdtm/cfi.c b/drivers/misc/lkdtm/cfi.c >>> index e88f778be0d5..804965a480b7 100644 >>> --- a/drivers/misc/lkdtm/cfi.c >>> +++ b/drivers/misc/lkdtm/cfi.c >>> @@ -3,6 +3,7 @@ >>> * This is for all the tests relating directly to Control Flow Integrity. >>> */ >>> #include "lkdtm.h" >>> +#include >>> >>> static int called_count; >>> >>> @@ -42,8 +43,141 @@ static void lkdtm_CFI_FORWARD_PROTO(void) >>> pr_expected_config(CONFIG_CFI_CLANG); >>> } >>> >>> +/* >>> + * This can stay local to LKDTM, as there should not be a production reason >>> + * to disable PAC && SCS. >>> + */ >>> +#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL >>> +# ifdef CONFIG_ARM64_BTI_KERNEL >>> +# define __no_pac "branch-protection=bti" >>> +# else >>> +# define __no_pac "branch-protection=none" >>> +# endif >>> +# define __no_ret_protection __noscs __attribute__((__target__(__no_pac))) >>> +#else >>> +# define __no_ret_protection __noscs >>> +#endif >> >> We're seeing this problem with allmodconfig on arm64 and GCC 8 (this >> one observed on 6.0.12-rc3): >> >> -----8<----------8<----------8<----- >> make --silent --keep-going --jobs=8 >> O=/home/tuxbuild/.cache/tuxmake/builds/2/build >> CROSS_COMPILE_COMPAT=arm-linux-gnueabihf- ARCH=arm64 >> CROSS_COMPILE=aarch64-linux-gnu- 'CC=sccache aarch64-linux-gnu-gcc' >> 'HOSTCC=sccache gcc' >> /builds/linux/drivers/misc/lkdtm/cfi.c:67:1: error: pragma or >> attribute 'target("branch-protection=none")' is not valid >> { >> ^ > > Uuuh... how is CONFIG_ARM64_PTR_AUTH_KERNEL getting set if the compiler > can't support the 'target("branch-protection=none")' attribute? > Older GCC versions supported the (now deprecated) -msign-return-address option instead of the newer -mbranch-protection option, and the kernel checks for that too when setting CONFIG_ARM64_PTR_AUTH_KERNEL. I guess the test has never compiled with older GCC versions. The following patch should fix it. -- 8< -- Subject: [PATCH] lkdtm: cfi: Make PAC test work with GCC 7 and 8 The CFI test uses the branch-protection=none compiler attribute to disable PAC return address protection on a function. While newer GCC versions support this attribute, older versions (GCC 7 and 8) instead supported the sign-return-address=none attribute, leading to a build failure when the test is built with older compilers. Fix it by checking which attribute is supported and using the correct one. Fixes: 2e53b877dc12 ("lkdtm: Add CFI_BACKWARD to test ROP mitigations") Reported-by: Daniel Díaz Signed-off-by: Kristina Martsenko Link: https://lore.kernel.org/all/CAEUSe78kDPxQmQqCWW-_9LCgJDFhAeMoVBFnX9QLx18Z4uT4VQ@mail.gmail.com/ --- drivers/misc/lkdtm/cfi.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/misc/lkdtm/cfi.c b/drivers/misc/lkdtm/cfi.c index 5245cf6013c9..d4bb8e31a2fe 100644 --- a/drivers/misc/lkdtm/cfi.c +++ b/drivers/misc/lkdtm/cfi.c @@ -54,7 +54,11 @@ static void lkdtm_CFI_FORWARD_PROTO(void) # ifdef CONFIG_ARM64_BTI_KERNEL # define __no_pac "branch-protection=bti" # else -# define __no_pac "branch-protection=none" +# ifdef CONFIG_CC_HAS_BRANCH_PROT_PAC_RET +# define __no_pac "branch-protection=none" +# else +# define __no_pac "sign-return-address=none" +# endif # endif # define __no_ret_protection __noscs __attribute__((__target__(__no_pac))) #else