From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 7F93AC433F5 for ; Fri, 4 Mar 2022 14:36:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:Content-Type: Content-Transfer-Encoding:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:From:References:Cc:To:Subject: MIME-Version:Date:Message-ID:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=bOecibjdkfzZfjO3cKQb7TU+MMzl8977FsEdGqejqlg=; b=STo1oIkkLZDN9X nnxAAqXRHCV+m2wfXXC3jKvnqga04xGER2vvT/Jq98Vqu+koE1D8Hj44oYTxypjbkf2Oq+NYzFCMv ywej5wW0o7hItCuaTDwS9qTldH5ue3WzKJcVYitjXaqor055++L4BFp/CDSXJVth313ciZ4j/pCOj +yL0JlcRw+yYqDfTpxV3kN6Zyyd0PBRipDpnPzRFOv3o2RhnOy3iThjZHMYUYMd2tA0jTwPF38CS9 XSeKF6GtSIfozDWhCV5ZOSHfcxAh3agyW7dRSShYStl7a2GMqkfnKmlzeXAqJZH/hBhVAlq3Yk+Hp XNYmwko9hIzFfPBV6UCA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1nQ915-00AW6L-TF; Fri, 04 Mar 2022 14:34:48 +0000 Received: from out30-132.freemail.mail.aliyun.com ([115.124.30.132]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1nQ90z-00AW2c-8R for linux-arm-kernel@lists.infradead.org; Fri, 04 Mar 2022 14:34:43 +0000 X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R121e4; CH=green; DM=||false|; DS=||; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e01e01424; MF=ashimida@linux.alibaba.com; NM=1; PH=DS; RN=23; SR=0; TI=SMTPD_---0V6Cl-OW_1646404471; Received: from 192.168.193.155(mailfrom:ashimida@linux.alibaba.com fp:SMTPD_---0V6Cl-OW_1646404471) by smtp.aliyun-inc.com(127.0.0.1); Fri, 04 Mar 2022 22:34:32 +0800 Message-ID: <56217d87-84eb-000c-6773-93971f316fbe@linux.alibaba.com> Date: Fri, 4 Mar 2022 06:34:30 -0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.6.1 Subject: Re: [PATCH v3 2/2] lkdtm: Add Shadow Call Stack tests Content-Language: en-US To: Kees Cook Cc: akpm@linux-foundation.org, arnd@arndb.de, catalin.marinas@arm.com, gregkh@linuxfoundation.org, linux@roeck-us.net, luc.vanoostenryck@gmail.com, elver@google.com, mark.rutland@arm.com, masahiroy@kernel.org, ojeda@kernel.org, nathan@kernel.org, npiggin@gmail.com, ndesaulniers@google.com, samitolvanen@google.com, shuah@kernel.org, tglx@linutronix.de, will@kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, llvm@lists.linux.dev, linux-hardening@vger.kernel.org References: <20220303073340.86008-1-ashimida@linux.alibaba.com> <20220303074339.86337-1-ashimida@linux.alibaba.com> <202203031010.0A492D114@keescook> From: Dan Li In-Reply-To: <202203031010.0A492D114@keescook> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220304_063441_617395_B4FC2532 X-CRM114-Status: GOOD ( 34.80 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 3/3/22 10:42, Kees Cook wrote: > On Wed, Mar 02, 2022 at 11:43:39PM -0800, Dan Li wrote: >> Add tests for SCS (Shadow Call Stack) based >> backward CFI (as implemented by Clang and GCC). > > Cool; thanks for writing these! > >> +lkdtm-$(CONFIG_LKDTM) += scs.o > > I'd expect these to be in cfi.c, rather than making a new source file. > Got it. >> +static noinline void lkdtm_scs_clear_lr(void) >> +{ >> + unsigned long *lr = (unsigned long *)__builtin_frame_address(0) + 1; >> + >> + asm volatile("str xzr, [%0]\n\t" : : "r"(lr) : "x30"); > > Is the asm needed here? Why not: > > unsigned long *lr = (unsigned long *)__builtin_frame_address(0) + 1; > > *lr = 0; > Yeah, with "volatile", this one looks better. >> + >> +/* >> + * This tries to call a function protected by Shadow Call Stack, >> + * which corrupts its own return address during execution. >> + * Due to the protection, the corruption will not take effect >> + * when the function returns. >> + */ >> +void lkdtm_CFI_BACKWARD_SHADOW(void) > > I think these two tests should be collapsed into a single one. > It seems that there is currently no cross-line matching in selftests/lkdtm/run.sh, if we put these two into one function and assume we could make noscs_set_lr _survivable_ (like in your example). Then we could only match "CFI_BACKWARD_SHADOW ok: scs takes effect." in texts.txt But if the test result is: XPASS: Unexpectedly survived lr corruption without scs? ok: scs takes effect. It may not be a real pass, but the xxx_set_lr function doesn't work. >> +{ >> +#ifdef CONFIG_ARM64 >> + if (!IS_ENABLED(CONFIG_SHADOW_CALL_STACK)) { >> + pr_err("FAIL: kernel not built with CONFIG_SHADOW_CALL_STACK\n"); >> + return; >> + } >> + >> + pr_info("Trying to corrupt lr in a function with scs protection ...\n"); >> + lkdtm_scs_clear_lr(); >> + >> + pr_err("ok: scs takes effect.\n"); >> +#else >> + pr_err("XFAIL: this test is arm64-only\n"); >> +#endif > > This is slightly surprising -- we have no detection when a function has > its non-shadow-stack return address corrupted: it just _ignores_ the > value stored there. That seems like a missed opportunity for warning > about an unexpected state. > Yes. Actually I used to try in the plugin to add a detection before the function returns, and call a callback when a mismatch is found. But since almost every function has to be instrumented, the performance penalty is improved from <3% to ~20% (rough calculation, should still be optimized). >> +} >> + >> +/* >> + * This tries to call a function not protected by Shadow Call Stack, >> + * which corrupts its own return address during execution. >> + */ >> +void lkdtm_CFI_BACKWARD_SHADOW_WITH_NOSCS(void) >> +{ >> +#ifdef CONFIG_ARM64 >> + if (!IS_ENABLED(CONFIG_SHADOW_CALL_STACK)) { >> + pr_err("FAIL: kernel not built with CONFIG_SHADOW_CALL_STACK\n"); >> + return; > > Other tests try to give some hints about failures, e.g.: > > pr_err("FAIL: cannot change for SCS\n"); > pr_expected_config(CONFIG_SHADOW_CALL_STACK); > > Though, having the IS_ENABLED in there makes me wonder if this test > should instead be made _survivable_ on failure. Something like this, > completely untested: > > > #ifdef CONFIG_ARM64 > static noinline void lkdtm_scs_set_lr(unsigned long *addr) > { > unsigned long **lr = (unsigned long **)__builtin_frame_address(0) + 1; > *lr = addr; > } > > /* Function with __noscs attribute clears its return address. */ > static noinline void __noscs lkdtm_noscs_set_lr(unsigned long *addr) > { > unsigned long **lr = (unsigned long **)__builtin_frame_address(0) + 1; > *lr = addr; > } > #endif > > > void lkdtm_CFI_BACKWARD_SHADOW(void) > { > #ifdef CONFIG_ARM64 > > /* Verify the "normal" condition of LR corruption working. */ > do { > /* Keep label in scope to avoid compiler warning. */ > if ((volatile int)0) > goto unexpected; > > pr_info("Trying to corrupt lr in a function without scs protection ...\n"); > lkdtm_noscs_set_lr(&&expected); > > unexpected: > pr_err("XPASS: Unexpectedly survived lr corruption without scs?!\n"); > break; > > expected: > pr_err("ok: lr corruption redirected without scs.\n"); > } while (0); > > > do { > /* Keep labe in scope to avoid compiler warning. */ > if ((volatile int)0) > goto good_scs; > > pr_info("Trying to corrupt lr in a function with scs protection ...\n"); > lkdtm_scs_set_lr(&&bad_scs); > > good_scs: > pr_info("ok: scs takes effect.\n"); > break; > > bad_scs: > pr_err("FAIL: return address rewritten!\n"); > pr_expected_config(CONFIG_SHADOW_CALL_STACK); > } while (0); > #else > pr_err("XFAIL: this test is arm64-only\n"); > #endif > } > Thanks for the example, Kees :) This code (with a little modification) works correctly with clang 12, but to make sure it's always correct, I think we might need to add the __attribute__((optnone)) attribute to it, because under -O2 the result doesn't seem to be "very stable" (as in your example in the next email). > And we should, actually, be able to make the "set_lr" functions be > arch-specific, leaving the test itself arch-agnostic.... > I'm not sure if my understanding is correct, do it means we should remove the "#ifdef CONFIG_ARM64" in lkdtm_CFI_BACKWARD_SHADOW? Then we may not be able to distinguish between failures caused by platform unsupported (XFAIL) and features not enabled (or not working properly). Thanks, Dan. _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel