From: Kees Cook <keescook@chromium.org>
To: Sami Tolvanen <samitolvanen@google.com>
Cc: x86@kernel.org, Josh Poimboeuf <jpoimboe@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Sedat Dilek <sedat.dilek@gmail.com>,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
clang-built-linux@googlegroups.com
Subject: Re: [PATCH v3 10/16] x86/extable: Mark handlers __cficanonical
Date: Tue, 14 Sep 2021 12:37:40 -0700 [thread overview]
Message-ID: <202109141235.BE65491A4@keescook> (raw)
In-Reply-To: <20210914191045.2234020-11-samitolvanen@google.com>
On Tue, Sep 14, 2021 at 12:10:39PM -0700, Sami Tolvanen wrote:
> Exception tables are populated in assembly code, but the handlers are
> called in fixup_exception, which trips indirect call checking with
> CONFIG_CFI_CLANG. Mark the handlers __cficanonical to allow addresses
> taken in assembly to pass CFI checking.
>
> Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
> ---
> arch/x86/mm/extable.c | 64 ++++++++++++++++++++++++-------------------
> 1 file changed, 36 insertions(+), 28 deletions(-)
>
> diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
> index e1664e9f969c..d16912dcbb4e 100644
> --- a/arch/x86/mm/extable.c
> +++ b/arch/x86/mm/extable.c
> @@ -24,16 +24,18 @@ ex_fixup_handler(const struct exception_table_entry *x)
> return (ex_handler_t)((unsigned long)&x->handler + x->handler);
> }
>
> -__visible bool ex_handler_default(const struct exception_table_entry *fixup,
> - struct pt_regs *regs, int trapnr,
> - unsigned long error_code,
> - unsigned long fault_addr)
> +__visible __cficanonical
> +bool ex_handler_default(const struct exception_table_entry *fixup,
> + struct pt_regs *regs, int trapnr,
> + unsigned long error_code,
> + unsigned long fault_addr)
> {
> regs->ip = ex_fixup_addr(fixup);
> return true;
> }
> EXPORT_SYMBOL(ex_handler_default);
>
> +__visible __cficanonical
> __visible bool ex_handler_fault(const struct exception_table_entry *fixup,
Double __visible here, but with that fixed:
Reviewed-by: Kees Cook <keescook@chromium.org>
I would note that given Linus's recent comments on attribute locations,
it does seem that __cficanonical is more a function behavior attribute
than a storage class... I'm not really sure:
https://lore.kernel.org/mm-commits/CAHk-=wiOCLRny5aifWNhr621kYrJwhfURsa0vFPeUEm8mF0ufg@mail.gmail.com
-Kees
> struct pt_regs *regs, int trapnr,
> unsigned long error_code,
> @@ -55,10 +57,11 @@ EXPORT_SYMBOL_GPL(ex_handler_fault);
> * of vulnerability by restoring from the initial state (essentially, zeroing
> * out all the FPU registers) if we can't restore from the task's FPU state.
> */
> -__visible bool ex_handler_fprestore(const struct exception_table_entry *fixup,
> - struct pt_regs *regs, int trapnr,
> - unsigned long error_code,
> - unsigned long fault_addr)
> +__visible __cficanonical
> +bool ex_handler_fprestore(const struct exception_table_entry *fixup,
> + struct pt_regs *regs, int trapnr,
> + unsigned long error_code,
> + unsigned long fault_addr)
> {
> regs->ip = ex_fixup_addr(fixup);
>
> @@ -70,10 +73,11 @@ __visible bool ex_handler_fprestore(const struct exception_table_entry *fixup,
> }
> EXPORT_SYMBOL_GPL(ex_handler_fprestore);
>
> -__visible bool ex_handler_uaccess(const struct exception_table_entry *fixup,
> - struct pt_regs *regs, int trapnr,
> - unsigned long error_code,
> - unsigned long fault_addr)
> +__visible __cficanonical
> +bool ex_handler_uaccess(const struct exception_table_entry *fixup,
> + struct pt_regs *regs, int trapnr,
> + unsigned long error_code,
> + unsigned long fault_addr)
> {
> WARN_ONCE(trapnr == X86_TRAP_GP, "General protection fault in user access. Non-canonical address?");
> regs->ip = ex_fixup_addr(fixup);
> @@ -81,10 +85,11 @@ __visible bool ex_handler_uaccess(const struct exception_table_entry *fixup,
> }
> EXPORT_SYMBOL(ex_handler_uaccess);
>
> -__visible bool ex_handler_copy(const struct exception_table_entry *fixup,
> - struct pt_regs *regs, int trapnr,
> - unsigned long error_code,
> - unsigned long fault_addr)
> +__visible __cficanonical
> +bool ex_handler_copy(const struct exception_table_entry *fixup,
> + struct pt_regs *regs, int trapnr,
> + unsigned long error_code,
> + unsigned long fault_addr)
> {
> WARN_ONCE(trapnr == X86_TRAP_GP, "General protection fault in user access. Non-canonical address?");
> regs->ip = ex_fixup_addr(fixup);
> @@ -93,10 +98,11 @@ __visible bool ex_handler_copy(const struct exception_table_entry *fixup,
> }
> EXPORT_SYMBOL(ex_handler_copy);
>
> -__visible bool ex_handler_rdmsr_unsafe(const struct exception_table_entry *fixup,
> - struct pt_regs *regs, int trapnr,
> - unsigned long error_code,
> - unsigned long fault_addr)
> +__visible __cficanonical
> +bool ex_handler_rdmsr_unsafe(const struct exception_table_entry *fixup,
> + struct pt_regs *regs, int trapnr,
> + unsigned long error_code,
> + unsigned long fault_addr)
> {
> if (pr_warn_once("unchecked MSR access error: RDMSR from 0x%x at rIP: 0x%lx (%pS)\n",
> (unsigned int)regs->cx, regs->ip, (void *)regs->ip))
> @@ -110,10 +116,11 @@ __visible bool ex_handler_rdmsr_unsafe(const struct exception_table_entry *fixup
> }
> EXPORT_SYMBOL(ex_handler_rdmsr_unsafe);
>
> -__visible bool ex_handler_wrmsr_unsafe(const struct exception_table_entry *fixup,
> - struct pt_regs *regs, int trapnr,
> - unsigned long error_code,
> - unsigned long fault_addr)
> +__visible __cficanonical
> +bool ex_handler_wrmsr_unsafe(const struct exception_table_entry *fixup,
> + struct pt_regs *regs, int trapnr,
> + unsigned long error_code,
> + unsigned long fault_addr)
> {
> if (pr_warn_once("unchecked MSR access error: WRMSR to 0x%x (tried to write 0x%08x%08x) at rIP: 0x%lx (%pS)\n",
> (unsigned int)regs->cx, (unsigned int)regs->dx,
> @@ -126,10 +133,11 @@ __visible bool ex_handler_wrmsr_unsafe(const struct exception_table_entry *fixup
> }
> EXPORT_SYMBOL(ex_handler_wrmsr_unsafe);
>
> -__visible bool ex_handler_clear_fs(const struct exception_table_entry *fixup,
> - struct pt_regs *regs, int trapnr,
> - unsigned long error_code,
> - unsigned long fault_addr)
> +__visible __cficanonical
> +bool ex_handler_clear_fs(const struct exception_table_entry *fixup,
> + struct pt_regs *regs, int trapnr,
> + unsigned long error_code,
> + unsigned long fault_addr)
> {
> if (static_cpu_has(X86_BUG_NULL_SEG))
> asm volatile ("mov %0, %%fs" : : "rm" (__USER_DS));
> --
> 2.33.0.309.g3052b89438-goog
>
--
Kees Cook
next prev parent reply other threads:[~2021-09-14 19:37 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-14 19:10 [PATCH v3 00/16] x86: Add support for Clang CFI Sami Tolvanen
2021-09-14 19:10 ` [PATCH v3 01/16] objtool: Add CONFIG_CFI_CLANG support Sami Tolvanen
2021-09-14 19:29 ` Nick Desaulniers
2021-09-14 21:01 ` Sami Tolvanen
2021-09-14 19:10 ` [PATCH v3 02/16] objtool: Add ASM_STACK_FRAME_NON_STANDARD Sami Tolvanen
2021-09-14 19:10 ` [PATCH v3 03/16] linkage: Add DECLARE_ASM_FUNC_SYMBOL Sami Tolvanen
2021-09-14 19:10 ` [PATCH v3 04/16] cfi: Add DEFINE_CFI_IMMEDIATE_RETURN_STUB Sami Tolvanen
2021-09-14 19:36 ` Nick Desaulniers
2021-09-14 20:32 ` Sami Tolvanen
2021-09-14 19:10 ` [PATCH v3 05/16] tracepoint: Exclude tp_stub_func from CFI checking Sami Tolvanen
2021-09-14 19:39 ` Nick Desaulniers
2021-09-14 19:10 ` [PATCH v3 06/16] ftrace: Use an opaque type for functions not callable from C Sami Tolvanen
2021-09-14 19:10 ` [PATCH v3 07/16] lkdtm: Disable UNSET_SMEP with CFI Sami Tolvanen
2021-09-14 19:30 ` Kees Cook
2021-09-14 19:10 ` [PATCH v3 08/16] lkdtm: Use an opaque type for lkdtm_rodata_do_nothing Sami Tolvanen
2021-09-14 19:32 ` Kees Cook
2021-09-14 19:10 ` [PATCH v3 09/16] x86: Use an opaque type for functions not callable from C Sami Tolvanen
2021-09-14 19:33 ` Kees Cook
2021-09-14 19:10 ` [PATCH v3 10/16] x86/extable: Mark handlers __cficanonical Sami Tolvanen
2021-09-14 19:37 ` Kees Cook [this message]
2021-09-14 20:38 ` Sami Tolvanen
2021-09-14 19:10 ` [PATCH v3 11/16] x86/purgatory: Disable CFI Sami Tolvanen
2021-09-14 20:02 ` Nick Desaulniers
2021-09-14 20:30 ` Sami Tolvanen
2021-09-14 22:31 ` Nick Desaulniers
2021-09-15 6:24 ` Kees Cook
2021-09-14 19:10 ` [PATCH v3 12/16] x86, relocs: Ignore __typeid__ relocations Sami Tolvanen
2021-09-14 19:10 ` [PATCH v3 13/16] x86, module: " Sami Tolvanen
2021-09-14 19:10 ` [PATCH v3 14/16] x86, cpu: Use LTO for cpu.c with CFI Sami Tolvanen
2021-09-14 19:44 ` Kees Cook
2021-09-14 19:46 ` Nick Desaulniers
2021-09-14 19:10 ` [PATCH v3 15/16] x86, kprobes: Fix optprobe_template_func type mismatch Sami Tolvanen
2021-09-14 19:40 ` Kees Cook
2021-09-14 19:10 ` [PATCH v3 16/16] x86, build: Allow CONFIG_CFI_CLANG to be selected Sami Tolvanen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202109141235.BE65491A4@keescook \
--to=keescook@chromium.org \
--cc=clang-built-linux@googlegroups.com \
--cc=jpoimboe@redhat.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=peterz@infradead.org \
--cc=samitolvanen@google.com \
--cc=sedat.dilek@gmail.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.