Re: [PATCH] [PATCH V4]ARM64: SCS: Add gcc plugin to support Shadow Call Stack
From: Nick Desaulniers <hidden>
Date: 2021-10-15 19:13:55
Also in:
linux-hardening, linux-kbuild, lkml
On Fri, Oct 15, 2021 at 11:29 AM Dan Li [off-list ref] wrote:
On 10/15/21 2:44 AM, Nick Desaulniers wrote:quoted
On Wed, Oct 13, 2021 at 4:28 PM Dan Li [off-list ref] wrote:quoted
--- a/include/linux/compiler-gcc.h +++ b/include/linux/compiler-gcc.h@@ -50,6 +50,10 @@ #define __latent_entropy __attribute__((latent_entropy)) #endif +#if defined(SHADOW_CALL_STACK_PLUGIN) && !defined(__CHECKER__) +#define __noscs __attribute__((no_shadow_call_stack)) +#endifCool this is a nice addition, and something I don't think that clang has. For any new feature, having a function attribute to disable it at the function granularity is nice, and plays better with LTO than -f group flags. Though that begs the question: what happens if a __noscs callee is inlined into a non-__noscs caller, or vice versa?Thanks Nick, According to my understanding, all inline optimizations in gcc should happen before inserting scs insns (scs and paciasp/autiasp use the same insertion point). Therefore, the check for the __noscs attribute will also occur after all inlining is completed. As in the following example: - Since __noscs attribute is specified, scs_test1 does not insert scs insns - Since normal functions scs_test2/3 uses x30, it needs to insert scs insns - Since __noscs attribute is specified, scs_test4 after inlining does not need to insert scs insns __always_inline __noscs void scs_test1(void) { asm volatile("mov x1, x1\n\t":::"x30"); } //scs insns inserted after function inline void scs_test2(void) { scs_test1(); }
That may be surprising to developers. Perhaps __always_inline on scs_test1 is distracting this test case, but I suspect it may not make a difference. This particular issue comes up time and again with stack protectors; ie. the callee is marked no stack protector, then gets inlined into a caller and suddenly gets a stack protector.
__always_inline void scs_test3(void) { asm volatile("mov x3, x3\n\t":::"x30"); } //no scs insns inserted __noscs void scs_test4(void) { scs_test3(); } ffff800010012900 <scs_test1>: ffff800010012900: a9bf7bfd stp x29, x30, [sp, #-16]! ffff800010012904: 910003fd mov x29, sp ffff800010012908: aa0103e1 mov x1, x1 ffff80001001290c: a8c17bfd ldp x29, x30, [sp], #16 ffff800010012910: d65f03c0 ret ffff800010012914 <scs_test2>: ffff800010012914: f800865e str x30, [x18], #8 ffff800010012918: a9bf7bfd stp x29, x30, [sp, #-16]! ffff80001001291c: 910003fd mov x29, sp ffff800010012920: aa0103e1 mov x1, x1 ffff800010012924: a8c17bfd ldp x29, x30, [sp], #16 ffff800010012928: f85f8e5e ldr x30, [x18, #-8]! ffff80001001292c: d65f03c0 ret ffff800010012930 <scs_test3>: ffff800010012930: f800865e str x30, [x18], #8 ffff800010012934: a9bf7bfd stp x29, x30, [sp, #-16]! ffff800010012938: 910003fd mov x29, sp ffff80001001293c: aa0303e3 mov x3, x3 ffff800010012940: a8c17bfd ldp x29, x30, [sp], #16 ffff800010012944: f85f8e5e ldr x30, [x18, #-8]! ffff800010012948: d65f03c0 ret ffff80001001294c: d503201f nop ffff800010012950 <scs_test4>: ffff800010012950: a9bf7bfd stp x29, x30, [sp, #-16]! ffff800010012954: 910003fd mov x29, sp ffff800010012958: aa0303e3 mov x3, x3 ffff80001001295c: a8c17bfd ldp x29, x30, [sp], #16 ffff800010012960: d65f03c0 retquoted
I noticed that __noscs isn't actually applied anywhere in the kernel, yet, at least in this series. Were there any places necessary that you've found thus far?At present, I have not found a function that must use the __noscs attribute in the kernel. I have only used this attribute in test cases.
-- Thanks, ~Nick Desaulniers _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel