From: Kees Cook <kees@kernel.org>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
jannh@google.com, jmill@asu.edu, joao@overdrivepizza.com,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
luto@kernel.org, samitolvanen@google.com,
scott.d.constable@intel.com, x86@kernel.org
Subject: Re: [RFC] Circumventing FineIBT Via Entrypoints
Date: Sun, 16 Feb 2025 15:51:27 -0800 [thread overview]
Message-ID: <202502161547.B05817003F@keescook> (raw)
In-Reply-To: <20250215210729.GA25168@noisy.programming.kicks-ass.net>
On Sat, Feb 15, 2025 at 10:07:29PM +0100, Peter Zijlstra wrote:
> On Fri, Feb 14, 2025 at 10:57:51AM +0100, Peter Zijlstra wrote:
> > On Thu, Feb 13, 2025 at 12:53:28PM -0800, Kees Cook wrote:
> >
> > > Right, the "if they can control a function pointer" is the part I'm
> > > focusing on. This attack depends on making an indirect call with a
> > > controlled pointer. Non-FineIBT CFI will protect against that step,
> > > so I think this is only an issue for IBT-only and FineIBT, but not CFI
> > > nor CFI+IBT.
> >
> > Yes, the whole caller side validation should stop this.
>
> And I think we can retro-fit that in FineIBT. Notably the current call
> sites look like:
>
> 0000000000000060 <fineibt_caller>:
> 60: 41 ba 78 56 34 12 mov $0x12345678,%r10d
> 66: 49 83 eb 10 sub $0x10,%r11
> 6a: 0f 1f 40 00 nopl 0x0(%rax)
> 6e: 41 ff d3 call *%r11
> 71: 0f 1f 00 nopl (%rax)
>
> Of which the last 6 bytes are the retpoline site (starting at 0x6e). It
> is trivially possible to re-arrange things to have both nops next to one
> another, giving us 7 bytes to muck about with.
>
> And I think we can just about manage to do a caller side hash validation
> in them bytes like:
>
> 0000000000000080 <fineibt_paranoid>:
> 80: 41 ba 78 56 34 12 mov $0x12345678,%r10d
> 86: 49 83 eb 10 sub $0x10,%r11
> 8a: 45 3b 53 07 cmp 0x7(%r11),%r10d
> 8e: 74 01 je 91 <fineibt_paranoid+0x11>
> 90: ea (bad)
> 91: 41 ff d3 call *%r11
Ah nice! Yes, that would be great and removes all my concerns about
FineIBT. :) (And you went with EA just to distinguish it more easily?
Can't we still use the UD2 bug tables to find this like normal?)
> And while this is somewhat daft, it would close the hole vs this entry
> point swizzle afaict, no?
>
> Patch against tip/x86/core (which includes the latest ibt bits as per
> this morning).
>
> Boots and builds the next kernel on my ADL.
Lovely! Based on the patch, I assume you were testing CFI crash location
reporting too?
I'll try to get this spun up for testing here too.
--
Kees Cook
next prev parent reply other threads:[~2025-02-16 23:51 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-12 21:08 [RFC] Circumventing FineIBT Via Entrypoints Jennifer Miller
2025-02-12 22:29 ` Jann Horn
2025-02-13 1:31 ` Andrew Cooper
2025-02-13 2:09 ` Jann Horn
2025-02-13 2:42 ` Andrew Cooper
2025-02-22 20:43 ` Rudolf Marek
2025-02-25 18:10 ` Andrew Cooper
2025-02-25 20:06 ` Rudolf Marek
2025-02-25 21:14 ` Andrew Cooper
2025-02-26 2:55 ` Kees Cook
2025-02-26 22:48 ` Rudolf Marek
2025-02-27 0:41 ` Andrew Cooper
2025-03-01 22:48 ` Rudolf Marek
2025-03-02 19:16 ` Rudolf Marek
2025-03-02 22:31 ` Andrew Cooper
2025-02-28 12:13 ` Florian Weimer
2025-02-13 20:28 ` Kees Cook
2025-02-13 20:41 ` Andrew Cooper
2025-02-13 20:53 ` Kees Cook
2025-02-13 20:57 ` Jann Horn
2025-02-16 23:42 ` Kees Cook
2025-02-14 9:57 ` Peter Zijlstra
2025-02-15 21:07 ` Peter Zijlstra
2025-02-16 23:51 ` Kees Cook [this message]
2025-02-17 10:39 ` Peter Zijlstra
2025-02-17 13:06 ` David Laight
2025-02-17 13:13 ` Peter Zijlstra
2025-02-17 18:38 ` David Laight
2025-02-17 18:54 ` Peter Zijlstra
2025-02-14 10:05 ` Peter Zijlstra
2025-02-14 9:54 ` Peter Zijlstra
2025-02-13 6:15 ` Jennifer Miller
2025-02-13 19:23 ` Jann Horn
2025-02-13 21:24 ` Andrew Cooper
2025-02-13 23:24 ` Jennifer Miller
2025-02-13 23:43 ` Jann Horn
2025-02-14 23:06 ` Andrew Cooper
2025-02-15 0:07 ` Jennifer Miller
2025-02-15 0:11 ` Andrew Cooper
2025-02-15 0:19 ` Jennifer Miller
2025-02-14 22:25 ` Josh Poimboeuf
2025-02-18 19:18 ` Joao Moreira
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202502161547.B05817003F@keescook \
--to=kees@kernel.org \
--cc=andrew.cooper3@citrix.com \
--cc=jannh@google.com \
--cc=jmill@asu.edu \
--cc=joao@overdrivepizza.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=peterz@infradead.org \
--cc=samitolvanen@google.com \
--cc=scott.d.constable@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.