Date: Thu, 7 Mar 2024 10:58:25 -0800
From: Kees Cook
To: Linus Walleij
Cc: Russell King, Sami Tolvanen, Nathan Chancellor, Nick Desaulniers, Ard Biesheuvel, Arnd Bergmann, linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev
Subject: Re: [PATCH v2 9/9] ARM: KCFI: Allow permissive CFI mode
Message-ID: <202403071002.542D167D65@keescook>
References: <20240307-arm32-cfi-v2-0-cc74ea0306b3@linaro.org> <20240307-arm32-cfi-v2-9-cc74ea0306b3@linaro.org>
In-Reply-To: <20240307-arm32-cfi-v2-9-cc74ea0306b3@linaro.org>

On Thu, Mar 07, 2024 at 03:22:08PM +0100, Linus Walleij wrote:
> This registers a breakpoint handler for the new breakpoint type
> (0x03) inserted by LLVM CLANG for CFI breakpoints.
>
> If we are in permissive mode, just print a backtrace and continue.
>
> Example with CONFIG_CFI_PERMISSIVE enabled:
>
> root@Vexpress:/ echo CFI_FORWARD_PROTO > /sys/kernel/debug/provoke-crash/DIRECT
> lkdtm: Performing direct entry CFI_FORWARD_PROTO
> lkdtm: Calling matched prototype ...
> lkdtm: Calling mismatched prototype ...
> hw-breakpoint: Permissive CFI breakpoint
> CPU: 0 PID: 114 Comm: sh Not tainted 6.8.0-rc1+ #111
> Hardware name: ARM-Versatile Express
> unwind_backtrace from show_stack+0x28/0x30
> (...)
> lkdtm: FAIL: survived mismatched prototype function call!
> lkdtm: Unexpected! This kernel (6.8.0-rc1+ armv7l) was
> built with CONFIG_CFI_CLANG=y
>
> As you can see the LKDTM test fails, but I expect that this would be
> expected behaviour in the permissive mode.
>
> Signed-off-by: Linus Walleij
> ---
>  arch/arm/include/asm/hw_breakpoint.h |  1 +
>  arch/arm/kernel/hw_breakpoint.c      | 10 ++++++++++
>  2 files changed, 11 insertions(+)
>
> diff --git a/arch/arm/include/asm/hw_breakpoint.h b/arch/arm/include/asm/hw_breakpoint.h
> index 62358d3ca0a8..e7f9961c53b2 100644
> --- a/arch/arm/include/asm/hw_breakpoint.h
> +++ b/arch/arm/include/asm/hw_breakpoint.h
> @@ -84,6 +84,7 @@ static inline void decode_ctrl_reg(u32 reg,
>  #define ARM_DSCR_MOE(x)			((x >> 2) & 0xf)
>  #define ARM_ENTRY_BREAKPOINT		0x1
>  #define ARM_ENTRY_ASYNC_WATCHPOINT	0x2
> +#define ARM_ENTRY_CFI_BREAKPOINT	0x3
>  #define ARM_ENTRY_SYNC_WATCHPOINT	0xa
>
>  /* DSCR monitor/halting bits. */
> diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
> index dc0fb7a81371..256146684813 100644
> --- a/arch/arm/kernel/hw_breakpoint.c
> +++ b/arch/arm/kernel/hw_breakpoint.c
> @@ -932,6 +932,16 @@ static int hw_breakpoint_pending(unsigned long addr, unsigned int fsr,
>  	case ARM_ENTRY_SYNC_WATCHPOINT:
>  		watchpoint_handler(addr, fsr, regs);
>  		break;
> +	case ARM_ENTRY_CFI_BREAKPOINT:
> +		if (IS_ENABLED(CONFIG_CFI_PERMISSIVE)) {
> +			pr_err("Permissive CFI breakpoint\n");
> +			dump_stack();
> +			/* Skip the breaking instruction */

Instead of open-coding this, can you make a call to report_cfi_failure()
instead? This will keep the failure output the same across architectures.

I think it would look something like:

	if (report_cfi_failure(regs, addr, ...) == BUG_TRAP_TYPE_WARN)
		instruction_pointer(regs) += 4;
	else
		die("Oops - CFI", regs, 0);

-Kees

--
Kees Cook

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
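Review bot: the new ARM_ENTRY_CFI_BREAKPOINT define in hw_breakpoint.h is named as if the entry code 0x3 were specific to CFI, but the neighbouring ARM_ENTRY_* values decode the DSCR method-of-entry field (ARM_DSCR_MOE), and 0x3 there only records that a BKPT instruction was executed, not which immediate it carried; add a one-line comment next to the define stating that 0x3 is the BKPT-instruction entry code and that hw_breakpoint.c interprets it as a CFI check, so a later reader does not assume the hardware distinguishes CFI traps from any other BKPT.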
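Review bot: in the hw_breakpoint_pending() hunk only the CONFIG_CFI_PERMISSIVE branch is shown, so the behaviour with CONFIG_CFI_PERMISSIVE=n (whether the case falls through to the default handling or terminates the faulting context) is not explicit; make the fatal path part of the same case, as the report_cfi_failure()/die() shape suggested in the reply does. The advance after "/* Skip the breaking instruction */" also needs its width to match the instruction set in use: an ARM-state BKPT is a 32-bit encoding while a Thumb BKPT is 16 bits, so a fixed "instruction_pointer(regs) += 4" on a Thumb-2 kernel would skip the instruction after the trap as well; pick 2 or 4 from thumb_mode(regs) and say why in the comment.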