From: Peter Zijlstra <peterz@infradead.org>
To: Brendan Jackman <jackmanb@google.com>
Cc: Kees Cook <keescook@chromium.org>,
Brendan Jackman <jackmanb@chromium.org>,
linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
linux-security-module@vger.kernel.org,
Paul Renauld <renauld@google.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
James Morris <jmorris@namei.org>,
pjt@google.com, Jann Horn <jannh@google.com>,
rafael.j.wysocki@intel.com, thgarnie@chromium.org,
KP Singh <kpsingh@google.com>,
paul.renauld.epfl@gmail.com
Subject: Re: [RFC] security: replace indirect calls with static calls
Date: Mon, 24 Aug 2020 16:33:44 +0200 [thread overview]
Message-ID: <20200824143344.GB3982@worktop.programming.kicks-ass.net> (raw)
In-Reply-To: <CA+i-1C0XEuWWRm5nMPWCzEPUao7rp5346Eotpt1A_S3Za3Wysw@mail.gmail.com>
On Mon, Aug 24, 2020 at 04:09:09PM +0200, Brendan Jackman wrote:
> > > Why this trick with a switch statement? The table of static call is defined
> > > at compile time. The number of hook callbacks that will be defined is
> > > unknown at that time, and the table cannot be resized at runtime. Static
> > > calls do not define a conditional execution for a non-void function, so the
> > > executed slots must be non-empty. With this use of the table and the
> > > switch, it is possible to jump directly to the first used slot and execute
> > > all of the slots after. This essentially makes the entry point of the table
> > > dynamic. Instead, it would also be possible to start from 0 and break after
> > > the final populated slot, but that would require an additional conditional
> > > after each slot.
> >
> > Instead of just "NOP", having the static branches perform a jump would
> > solve this pretty cleanly, yes? Something like:
> >
> > ret = DEFAULT_RET;
> >
> > ret = A(args); <--- direct call, no retpoline
> > if ret != 0:
> > goto out;
> >
> > ret = B(args); <--- direct call, no retpoline
> > if ret != 0:
> > goto out;
> >
> > goto out;
> > if ret != 0:
> > goto out;
> >
> > out:
> > return ret;
>
> Hmm yeah that's a cool idea. This would either need to be implemented
> with custom code-modification logic for the LSM hooks, or we'd need to
> think of a way to express it in a sensible addition to the static_call
> API. I do wonder if the latter could take the form of a generic system
> for arrays of static calls.
So you basically want something like:
if (A[0] && (ret = static_call(A[0])(...)))
return ret;
if (A[1] && (ret = static_call(A[1])(...)))
return ret;
....
return ret;
Right? The problem with static_call_cond() is that we don't know what to
do with the return value when !func, which is why it's limited to void
return type.
You can however construct something like the above with a combination of
static_branch() and static_call() though. It'll not be pretty, but it
ought to work:
if (static_branch_likely(A[0].key)) {
ret = static_call(A[0].call)(...);
if (ret)
return ret;
}
...
return ret;
> It would also need to handle the fact that IIUC at the moment the last
> static_call may be a tail call, so we'd be patching an existing jump
> into a jump to a different target, I don't know if we can do that
> atomically.
Of course we can, the static_call() series supports tail-calls just
fine. In fact, patching jumps is far easier, it was patching call that
was the real problem because it mucks about with the stack.
next prev parent reply other threads:[~2020-08-24 14:34 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-20 16:47 [RFC] security: replace indirect calls with static calls Brendan Jackman
2020-08-20 18:43 ` James Morris
2020-08-20 19:04 ` KP Singh
2020-08-20 21:45 ` Kees Cook
2020-08-24 14:09 ` Brendan Jackman
2020-08-24 14:33 ` Peter Zijlstra [this message]
2020-08-24 15:05 ` Brendan Jackman
2020-08-20 22:46 ` Casey Schaufler
2020-08-24 15:20 ` Brendan Jackman
2020-08-24 16:42 ` Casey Schaufler
2020-08-24 17:04 ` Brendan Jackman
2020-08-24 17:54 ` Casey Schaufler
2021-02-05 15:09 ` Mathieu Desnoyers
2021-02-05 15:40 ` Peter Zijlstra
2021-02-05 15:47 ` Mathieu Desnoyers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200824143344.GB3982@worktop.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jackmanb@chromium.org \
--cc=jackmanb@google.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=kpsingh@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul.renauld.epfl@gmail.com \
--cc=pjt@google.com \
--cc=rafael.j.wysocki@intel.com \
--cc=renauld@google.com \
--cc=thgarnie@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).