All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Yo'av Moshe" <linux@yoavmoshe.com>
Cc: Frank.Li@kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH v2] ARM: imx: Fix suspend/resume crash with Clang CFI
Date: Sat, 18 Jul 2026 09:33:28 +0000	[thread overview]
Message-ID: <20260718093329.12DB11F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260718091917.81738-1-linux@yoavmoshe.com>

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

New issues:
- [High] Applying `__nocfi` to `imx6q_suspend_finish` unintentionally disables KCFI checks for other indirect branches.
- [High] The CFI bypass mitigation is incomplete: `suspend_ocram_base` remains writable, enabling a Write-What-Where (Data-Oriented Programming) exploit.

Pre-existing issues:
- [High] The kCFI panic with `fncpy` relocated code affects multiple platforms, but is only fixed for i.MX6.
- [High] The `ccm_base` global variable is written only during initialization but lacks `__ro_after_init` protection, exposing it to manipulation for Read-Modify-Write (RMW) gadgets.
--

--- Patch [1]: [PATCH v2] ARM: imx: Fix suspend/resume crash with Clang CFI ---
commit 66327a9e81a0b45dd7493d089dd60f3a912e1240
Author: Yo'av Moshe <linux@yoavmoshe.com>

ARM: imx: Fix suspend/resume crash with Clang CFI

Relocated suspend code in OCRAM lacks compiler-generated CFI type
signatures. This patch annotates imx6q_suspend_finish with __nocfi to
bypass CFI checking for the indirect call, and marks the function pointer
as __ro_after_init.

> diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
> index a671ca498f887..b425a47019896 100644
> --- a/arch/arm/mach-imx/pm-imx6.c
> +++ b/arch/arm/mach-imx/pm-imx6.c
> @@ -63,7 +63,7 @@
>  
>  static void __iomem *ccm_base;

[Severity: High]
This is a pre-existing issue, but does ccm_base also need __ro_after_init
protection?

Since ccm_base is assigned once in imx6_pm_common_init() and then
repeatedly dereferenced in power management functions like imx6_set_lpm(),
could an attacker overwrite it to misdirect read/write operations?

For example, readl_relaxed(ccm_base + CLPCR) could be redirected to
arbitrary kernel addresses. Adding __ro_after_init here might prevent
trivial data-oriented programming exploitation of power management paths.

>  static void __iomem *suspend_ocram_base;

[Severity: High]
Since suspend_ocram_base is passed as the first argument to the __nocfi
function imx6_suspend_in_ocram_fn, does leaving it mutable in the .bss
section defeat the intent of the __ro_after_init protection?

The target assembly routine imx6_suspend trusts this pointer (passed in
r0), using it to derive target addresses for memory writes:

arch/arm/mach-imx/suspend-imx6.S:imx6_suspend()
    ldr r11, [r0, #PM_INFO_MX6Q_SRC_V_OFFSET]
    /* store physical resume addr and pm_info address. */
    str r9, [r11, #MX6Q_SRC_GPR1]

Could an attacker with arbitrary memory write capabilities overwrite
suspend_ocram_base to point to a crafted payload, yielding a
write-what-where primitive during suspend that completely bypasses CFI?

> -static void (*imx6_suspend_in_ocram_fn)(void __iomem *ocram_vbase);
> +static void (*imx6_suspend_in_ocram_fn)(void __iomem *ocram_vbase) __ro_after_init;
>  
>  /*
>   * suspend ocram space layout:

[ ... ]

> @@ -360,7 +360,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode mode)
>  	return 0;
>  }
>  
> -static int imx6q_suspend_finish(unsigned long val)
> +static int __nocfi imx6q_suspend_finish(unsigned long val)

[Severity: High]
By applying __nocfi to the entire imx6q_suspend_finish() function, are we
unintentionally disabling CFI checks for other indirect branches?

Within this function, cpu_do_idle() and flush_cache_all() expand to
indirect calls (cpu_vtable[smp_processor_id()]->_do_idle() and
cpu_cache.flush_kern_all()).

Could an attacker with arbitrary memory write capabilities overwrite these
architecture-level function pointers and bypass kCFI entirely when a
suspend is triggered?

Would it be safer to restrict the __nocfi annotation to a minimal inline
or noinline wrapper function that only executes the single unverified
indirect call to imx6_suspend_in_ocram_fn?

>  {
>  	if (!imx6_suspend_in_ocram_fn) {
>  		cpu_do_idle();
>  	} else {
>  		/*
>  		 * call low level suspend function in ocram,
>  		 * as we need to float DDR IO.
>  		 */
>  		local_flush_tlb_all();
>  		/* check if need to flush internal L2 cache */
>  		if (!((struct imx6_cpu_pm_info *)
>  			suspend_ocram_base)->l2_base.vbase)
>  			flush_cache_all();
>  		imx6_suspend_in_ocram_fn(suspend_ocram_base);

[Severity: High]
This is a pre-existing issue, but does fixing this kCFI panic only for
i.MX6 leave other 32-bit ARM platforms broken?

The kCFI panic with fncpy() relocated code appears to affect multiple
platforms since fncpy() copies only the instruction body and omits the
compiler-generated SYM_TYPED_FUNC_START header.

For example, mx5_suspend_enter() in arch/arm/mach-imx/pm-imx5.c invokes
imx5_suspend_in_ocram_fn(suspend_ocram_base), and at91_suspend_finish()
in arch/arm/mach-at91/pm.c invokes at91_suspend_sram_fn(&soc_pm.data).

Since neither seem to have a __nocfi bypass, would they suffer
deterministic kernel panics on suspend when CONFIG_CFI_CLANG is active?

>  	}
>  
>  	return 0;
>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260718091917.81738-1-linux@yoavmoshe.com?part=1

      reply	other threads:[~2026-07-18  9:33 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-18  9:19 [PATCH v2] ARM: imx: Fix suspend/resume crash with Clang CFI Yo'av Moshe
2026-07-18  9:33 ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260718093329.12DB11F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=Frank.Li@kernel.org \
    --cc=imx@lists.linux.dev \
    --cc=linux@yoavmoshe.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.