Linux kernel and device drivers for NXP i.MX platforms
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Yo'av Moshe" <linux@yoavmoshe.com>
Cc: Frank.Li@kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH v2] ARM: imx: Fix suspend/resume crash with Clang CFI
Date: Sat, 18 Jul 2026 09:33:28 +0000	[thread overview]
Message-ID: <20260718093329.12DB11F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260718091917.81738-1-linux@yoavmoshe.com>

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

New issues:
- [High] Applying `__nocfi` to `imx6q_suspend_finish` unintentionally disables KCFI checks for other indirect branches.
- [High] The CFI bypass mitigation is incomplete: `suspend_ocram_base` remains writable, enabling a Write-What-Where (Data-Oriented Programming) exploit.

Pre-existing issues:
- [High] The kCFI panic with `fncpy` relocated code affects multiple platforms, but is only fixed for i.MX6.
- [High] The `ccm_base` global variable is written only during initialization but lacks `__ro_after_init` protection, exposing it to manipulation for Read-Modify-Write (RMW) gadgets.
--

--- Patch [1]: [PATCH v2] ARM: imx: Fix suspend/resume crash with Clang CFI ---
commit 66327a9e81a0b45dd7493d089dd60f3a912e1240
Author: Yo'av Moshe <linux@yoavmoshe.com>

ARM: imx: Fix suspend/resume crash with Clang CFI

Relocated suspend code in OCRAM lacks compiler-generated CFI type
signatures. This patch annotates imx6q_suspend_finish with __nocfi to
bypass CFI checking for the indirect call, and marks the function pointer
as __ro_after_init.

> diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
> index a671ca498f887..b425a47019896 100644
> --- a/arch/arm/mach-imx/pm-imx6.c
> +++ b/arch/arm/mach-imx/pm-imx6.c
> @@ -63,7 +63,7 @@
>  
>  static void __iomem *ccm_base;

[Severity: High]
This is a pre-existing issue, but does ccm_base also need __ro_after_init
protection?

Since ccm_base is assigned once in imx6_pm_common_init() and then
repeatedly dereferenced in power management functions like imx6_set_lpm(),
could an attacker overwrite it to misdirect read/write operations?

For example, readl_relaxed(ccm_base + CLPCR) could be redirected to
arbitrary kernel addresses. Adding __ro_after_init here might prevent
trivial data-oriented programming exploitation of power management paths.

>  static void __iomem *suspend_ocram_base;

[Severity: High]
Since suspend_ocram_base is passed as the first argument to the __nocfi
function imx6_suspend_in_ocram_fn, does leaving it mutable in the .bss
section defeat the intent of the __ro_after_init protection?

The target assembly routine imx6_suspend trusts this pointer (passed in
r0), using it to derive target addresses for memory writes:

arch/arm/mach-imx/suspend-imx6.S:imx6_suspend()
    ldr r11, [r0, #PM_INFO_MX6Q_SRC_V_OFFSET]
    /* store physical resume addr and pm_info address. */
    str r9, [r11, #MX6Q_SRC_GPR1]

Could an attacker with arbitrary memory write capabilities overwrite
suspend_ocram_base to point to a crafted payload, yielding a
write-what-where primitive during suspend that completely bypasses CFI?

> -static void (*imx6_suspend_in_ocram_fn)(void __iomem *ocram_vbase);
> +static void (*imx6_suspend_in_ocram_fn)(void __iomem *ocram_vbase) __ro_after_init;
>  
>  /*
>   * suspend ocram space layout:

[ ... ]

> @@ -360,7 +360,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode mode)
>  	return 0;
>  }
>  
> -static int imx6q_suspend_finish(unsigned long val)
> +static int __nocfi imx6q_suspend_finish(unsigned long val)

[Severity: High]
By applying __nocfi to the entire imx6q_suspend_finish() function, are we
unintentionally disabling CFI checks for other indirect branches?

Within this function, cpu_do_idle() and flush_cache_all() expand to
indirect calls (cpu_vtable[smp_processor_id()]->_do_idle() and
cpu_cache.flush_kern_all()).

Could an attacker with arbitrary memory write capabilities overwrite these
architecture-level function pointers and bypass kCFI entirely when a
suspend is triggered?

Would it be safer to restrict the __nocfi annotation to a minimal inline
or noinline wrapper function that only executes the single unverified
indirect call to imx6_suspend_in_ocram_fn?

>  {
>  	if (!imx6_suspend_in_ocram_fn) {
>  		cpu_do_idle();
>  	} else {
>  		/*
>  		 * call low level suspend function in ocram,
>  		 * as we need to float DDR IO.
>  		 */
>  		local_flush_tlb_all();
>  		/* check if need to flush internal L2 cache */
>  		if (!((struct imx6_cpu_pm_info *)
>  			suspend_ocram_base)->l2_base.vbase)
>  			flush_cache_all();
>  		imx6_suspend_in_ocram_fn(suspend_ocram_base);

[Severity: High]
This is a pre-existing issue, but does fixing this kCFI panic only for
i.MX6 leave other 32-bit ARM platforms broken?

The kCFI panic with fncpy() relocated code appears to affect multiple
platforms since fncpy() copies only the instruction body and omits the
compiler-generated SYM_TYPED_FUNC_START header.

For example, mx5_suspend_enter() in arch/arm/mach-imx/pm-imx5.c invokes
imx5_suspend_in_ocram_fn(suspend_ocram_base), and at91_suspend_finish()
in arch/arm/mach-at91/pm.c invokes at91_suspend_sram_fn(&soc_pm.data).

Since neither seem to have a __nocfi bypass, would they suffer
deterministic kernel panics on suspend when CONFIG_CFI_CLANG is active?

>  	}
>  
>  	return 0;
>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260718091917.81738-1-linux@yoavmoshe.com?part=1

      reply	other threads:[~2026-07-18  9:33 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-18  9:19 [PATCH v2] ARM: imx: Fix suspend/resume crash with Clang CFI Yo'av Moshe
2026-07-18  9:33 ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260718093329.12DB11F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=Frank.Li@kernel.org \
    --cc=imx@lists.linux.dev \
    --cc=linux@yoavmoshe.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox