From: Kees Cook <keescook@chromium.org>
To: "Daniel Díaz" <daniel.diaz@linaro.org>
Cc: Dan Li <ashimida@linux.alibaba.com>,
	Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2] lkdtm: Add CFI_BACKWARD to test ROP mitigations
Date: Wed, 7 Dec 2022 22:22:36 -0800	[thread overview]
Message-ID: <202212072221.A9FCC905CF@keescook> (raw)
In-Reply-To: <CAEUSe78kDPxQmQqCWW-_9LCgJDFhAeMoVBFnX9QLx18Z4uT4VQ@mail.gmail.com>

On Tue, Dec 06, 2022 at 06:28:53PM -0600, Daniel Díaz wrote:
> Hello!
> 
> On Sat, 16 Apr 2022 at 00:30, Kees Cook <keescook@chromium.org> wrote:
> > In order to test various backward-edge control flow integrity methods,
> > add a test that manipulates the return address on the stack. Currently
> > only arm64 Pointer Authentication and Shadow Call Stack are supported.
> >
> >  $ echo CFI_BACKWARD | cat >/sys/kernel/debug/provoke-crash/DIRECT
> >
> > Under SCS, successful test of the mitigation is reported as:
> >
> >  lkdtm: Performing direct entry CFI_BACKWARD
> >  lkdtm: Attempting unchecked stack return address redirection ...
> >  lkdtm: ok: redirected stack return address.
> >  lkdtm: Attempting checked stack return address redirection ...
> >  lkdtm: ok: control flow unchanged.
> >
> > Under PAC, successful test of the mitigation is reported by the PAC
> > exception handler:
> >
> >  lkdtm: Performing direct entry CFI_BACKWARD
> >  lkdtm: Attempting unchecked stack return address redirection ...
> >  lkdtm: ok: redirected stack return address.
> >  lkdtm: Attempting checked stack return address redirection ...
> >  Unable to handle kernel paging request at virtual address bfffffc0088d0514
> >  Mem abort info:
> >    ESR = 0x86000004
> >    EC = 0x21: IABT (current EL), IL = 32 bits
> >    SET = 0, FnV = 0
> >    EA = 0, S1PTW = 0
> >    FSC = 0x04: level 0 translation fault
> >  [bfffffc0088d0514] address between user and kernel address ranges
> >  ...
> >
> > If the CONFIGs are missing (or the mitigation isn't working), failure
> > is reported as:
> >
> >  lkdtm: Performing direct entry CFI_BACKWARD
> >  lkdtm: Attempting unchecked stack return address redirection ...
> >  lkdtm: ok: redirected stack return address.
> >  lkdtm: Attempting checked stack return address redirection ...
> >  lkdtm: FAIL: stack return address was redirected!
> >  lkdtm: This is probably expected, since this kernel was built *without* CONFIG_ARM64_PTR_AUTH_KERNEL=y nor CONFIG_SHADOW_CALL_STACK=y
> >
> > Co-developed-by: Dan Li <ashimida@linux.alibaba.com>
> > Signed-off-by: Dan Li <ashimida@linux.alibaba.com>
> > Cc: Arnd Bergmann <arnd@arndb.de>
> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > v1: https://lore.kernel.org/lkml/20220413213917.711770-1-keescook@chromium.org
> > v2:
> >  - add PAGE_OFFSET setting for PAC bits (Dan Li)
> > ---
> >  drivers/misc/lkdtm/cfi.c                | 134 ++++++++++++++++++++++++
> >  tools/testing/selftests/lkdtm/tests.txt |   1 +
> >  2 files changed, 135 insertions(+)
> >
> > diff --git a/drivers/misc/lkdtm/cfi.c b/drivers/misc/lkdtm/cfi.c
> > index e88f778be0d5..804965a480b7 100644
> > --- a/drivers/misc/lkdtm/cfi.c
> > +++ b/drivers/misc/lkdtm/cfi.c
> > @@ -3,6 +3,7 @@
> >   * This is for all the tests relating directly to Control Flow Integrity.
> >   */
> >  #include "lkdtm.h"
> > +#include <asm/page.h>
> >
> >  static int called_count;
> >
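Review bot: the new `#include <asm/page.h>` has no visible user in this hunk; going by the v2 changelog ("add PAGE_OFFSET setting for PAC bits") it is there for PAGE_OFFSET, so a one-line comment on the include, or placing it beside the code that uses it, would tell readers why an arch header is being pulled into an otherwise generic lkdtm file.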
> > @@ -42,8 +43,141 @@ static void lkdtm_CFI_FORWARD_PROTO(void)
> >         pr_expected_config(CONFIG_CFI_CLANG);
> >  }
> >
> > +/*
> > + * This can stay local to LKDTM, as there should not be a production reason
> > + * to disable PAC && SCS.
> > + */
> > +#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL
> > +# ifdef CONFIG_ARM64_BTI_KERNEL
> > +#  define __no_pac             "branch-protection=bti"
> > +# else
> > +#  define __no_pac             "branch-protection=none"
> > +# endif
> > +# define __no_ret_protection   __noscs __attribute__((__target__(__no_pac)))
> > +#else
> > +# define __no_ret_protection   __noscs
> > +#endif
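Review bot: `__no_ret_protection` applies `__attribute__((__target__(__no_pac)))` whenever CONFIG_ARM64_PTR_AUTH_KERNEL is set, but the config symbol being enabled does not guarantee the compiler accepts a `target("branch-protection=...")` function attribute; the build report later in this thread shows GCC 8 rejecting exactly that attribute on an allmodconfig build. Suggest gating the attribute form on a compiler-capability check rather than on the Kconfig symbol alone, and falling back to plain `__noscs` (with the test reporting the missing support) when the attribute is unavailable, so the file keeps compiling on older toolchains.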
> 
> We're seeing this problem with allmodconfig on arm64 and GCC 8 (this
> one observed on 6.0.12-rc3):
> 
> -----8<----------8<----------8<-----
> make --silent --keep-going --jobs=8
> O=/home/tuxbuild/.cache/tuxmake/builds/2/build
> CROSS_COMPILE_COMPAT=arm-linux-gnueabihf- ARCH=arm64
> CROSS_COMPILE=aarch64-linux-gnu- 'CC=sccache aarch64-linux-gnu-gcc'
> 'HOSTCC=sccache gcc'
> /builds/linux/drivers/misc/lkdtm/cfi.c:67:1: error: pragma or
> attribute 'target("branch-protection=none")' is not valid
>  {
>  ^

Uuuh... how is CONFIG_ARM64_PTR_AUTH_KERNEL getting set if the compiler
can't support the 'target("branch-protection=none")' attribute?

-- 
Kees Cook
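The patch description above documents three distinct dmesg outcomes for CFI_BACKWARD (SCS pass, PAC trap, missing config). As an added example that is not part of this thread or of lkdtm's own selftest harness, here is a small classifier for those outcomes, run over constructed log excerpts that reproduce the lines quoted in the patch description:

```python
import re

# Constructed dmesg excerpts mirroring the three outcomes in the patch description.
SCS_PASS = """\
lkdtm: Performing direct entry CFI_BACKWARD
lkdtm: Attempting unchecked stack return address redirection ...
lkdtm: ok: redirected stack return address.
lkdtm: Attempting checked stack return address redirection ...
lkdtm: ok: control flow unchanged.
"""
PAC_TRAP = """\
lkdtm: Performing direct entry CFI_BACKWARD
lkdtm: Attempting unchecked stack return address redirection ...
lkdtm: ok: redirected stack return address.
lkdtm: Attempting checked stack return address redirection ...
Unable to handle kernel paging request at virtual address bfffffc0088d0514
Mem abort info:
"""
NO_MITIGATION = """\
lkdtm: Performing direct entry CFI_BACKWARD
lkdtm: Attempting unchecked stack return address redirection ...
lkdtm: ok: redirected stack return address.
lkdtm: Attempting checked stack return address redirection ...
lkdtm: FAIL: stack return address was redirected!
lkdtm: This is probably expected, since this kernel was built *without* CONFIG_ARM64_PTR_AUTH_KERNEL=y nor CONFIG_SHADOW_CALL_STACK=y
"""

def classify_cfi_backward(dmesg: str) -> tuple:
    """Return (verdict, detail) for one CFI_BACKWARD run.

    pass    - SCS restored the return address ("control flow unchanged")
    trapped - PAC authentication failed and the kernel faulted (mitigation working)
    xfail   - redirection succeeded and lkdtm itself reports the configs are absent
    fail    - redirection succeeded although the mitigation was supposed to be on
    unknown - test never ran, or the log is truncated before a result line
    """
    lines = dmesg.splitlines()
    if not any("Performing direct entry CFI_BACKWARD" in l for l in lines):
        return "unknown", "no CFI_BACKWARD entry in log"
    # The unchecked redirection must succeed first, or the test itself is broken.
    if not any("ok: redirected stack return address" in l for l in lines):
        return "unknown", "unchecked redirection did not report ok"
    checked = [i for i, l in enumerate(lines) if "Attempting checked stack return" in l]
    if not checked:
        return "unknown", "checked attempt never logged"
    tail = lines[checked[0] + 1:]          # only what happens after the checked attempt
    for l in tail:
        if "ok: control flow unchanged" in l:
            return "pass", l
        if "Unable to handle kernel paging request" in l:
            return "trapped", l
        if "FAIL: stack return address was redirected" in l:
            hint = " ".join(t for t in tail if "probably expected" in t and "*without*" in t)
            missing = re.findall(r"CONFIG_[A-Z0-9_]+", hint)
            return ("xfail", "missing: " + ", ".join(missing)) if missing else ("fail", l)
    return "unknown", "checked attempt logged but no result line"
```

A harness that only greps for "ok:" would misreport the PAC case, since under PAC the successful result is the fault rather than an lkdtm "ok:" line.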
