Re: [PATCH v3 02/17] cfi: add __cficanonical
From: Sami Tolvanen <samitolvanen@google.com>
Date: 2021-03-24 16:40:03
Also in:
bpf, linux-arch, linux-hardening, linux-kbuild, linux-pci, lkml
On Wed, Mar 24, 2021 at 8:31 AM Rasmus Villemoes [off-list ref] wrote:
On 23/03/2021 21.39, Sami Tolvanen wrote:quoted
With CONFIG_CFI_CLANG, the compiler replaces a function address taken in C code with the address of a local jump table entry, which passes runtime indirect call checks. However, the compiler won't replace addresses taken in assembly code, which will result in a CFI failure if we later jump to such an address in instrumented C code. The code generated for the non-canonical jump table looks this: <noncanonical.cfi_jt>: /* In C, &noncanonical points here */ jmp noncanonical ... <noncanonical>: /* function body */ ... This change adds the __cficanonical attribute, which tells the compiler to use a canonical jump table for the function instead. This means the compiler will rename the actual function to <function>.cfi and points the original symbol to the jump table entry instead: <canonical>: /* jump table entry */ jmp canonical.cfi ... <canonical.cfi>: /* function body */ ... As a result, the address taken in assembly, or other non-instrumented code always points to the jump table and therefore, can be used for indirect calls in instrumented code without tripping CFI checks.Random ramblings, I'm trying to understand how this CFI stuff works. First, patch 1 and 2 explain the pros and cons of canonical vs non-canonical jump tables, in either case, there's problems with stuff implemented in assembly. But I don't understand why those pros and cons then end up with using the non-canonical jump tables by default. IIUC, with canonical jump tables, function pointer equality would keep working for functions implemented in C, because &func would always refer to the same stub "function" that lives in the same object file as func.cfi, whereas with the non-canonical version, each TU (or maybe DSO) that takes the address of func ends up with its own func.cfi_jt.
Correct.
There are of course lots of direct calls of assembly functions, but I don't think we take the address of such functions very often. So why can't we instead equip the declarations of those with a __cfi_noncanonical attribute?
Clang doesn't support these attributes in function declarations, unfortunately. If it did, that would certainly help, until someone wants to compare addresses of assembly functions, in which case we would again have a problem. Another way to work around the issue with canonical CFI would be to add C wrappers for all address-taken assembly functions, but that's not quite ideal either. I think most indirect calls to assembly functions happen in the crypto code, which would have required so many changes that we decided to default to non-canonical CFI instead. This resulted in far fewer kernel changes despite the cross-module function address equality issue. Sami _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel