From: Brendan Jackman <jackmanb@google.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Kees Cook <keescook@chromium.org>,
Brendan Jackman <jackmanb@chromium.org>,
linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
linux-security-module@vger.kernel.org,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
James Morris <jmorris@namei.org>,
pjt@google.com, Jann Horn <jannh@google.com>,
rafael.j.wysocki@intel.com, thgarnie@chromium.org,
KP Singh <kpsingh@google.com>,
paul.renauld.epfl@gmail.com
Subject: Re: [RFC] security: replace indirect calls with static calls
Date: Mon, 24 Aug 2020 17:05:04 +0200 [thread overview]
Message-ID: <20200824150504.GA575149@google.com> (raw)
In-Reply-To: <20200824143344.GB3982@worktop.programming.kicks-ass.net>
On Mon, Aug 24, 2020 at 04:33:44PM +0200, Peter Zijlstra wrote:
> On Mon, Aug 24, 2020 at 04:09:09PM +0200, Brendan Jackman wrote:
>
> > > > Why this trick with a switch statement? The table of static call is defined
> > > > at compile time. The number of hook callbacks that will be defined is
> > > > unknown at that time, and the table cannot be resized at runtime. Static
> > > > calls do not define a conditional execution for a non-void function, so the
> > > > executed slots must be non-empty. With this use of the table and the
> > > > switch, it is possible to jump directly to the first used slot and execute
> > > > all of the slots after. This essentially makes the entry point of the table
> > > > dynamic. Instead, it would also be possible to start from 0 and break after
> > > > the final populated slot, but that would require an additional conditional
> > > > after each slot.
> > >
> > > Instead of just "NOP", having the static branches perform a jump would
> > > solve this pretty cleanly, yes? Something like:
> > >
> > > ret = DEFAULT_RET;
> > >
> > > ret = A(args); <--- direct call, no retpoline
> > > if ret != 0:
> > > goto out;
> > >
> > > ret = B(args); <--- direct call, no retpoline
> > > if ret != 0:
> > > goto out;
> > >
> > > goto out;
> > > if ret != 0:
> > > goto out;
> > >
> > > out:
> > > return ret;
> >
> > Hmm yeah that's a cool idea. This would either need to be implemented
> > with custom code-modification logic for the LSM hooks, or we'd need to
> > think of a way to express it in a sensible addition to the static_call
> > API. I do wonder if the latter could take the form of a generic system
> > for arrays of static calls.
>
> So you basically want something like:
>
> if (A[0] && (ret = static_call(A[0])(...)))
> return ret;
>
> if (A[1] && (ret = static_call(A[1])(...)))
> return ret;
>
> ....
>
> return ret;
>
> Right? The problem with static_call_cond() is that we don't know what to
> do with the return value when !func, which is why it's limited to void
> return type.
>
> You can however construct something like the above with a combination of
> static_branch() and static_call() though. It'll not be pretty, but it
> ought to work:
>
> if (static_branch_likely(A[0].key)) {
> ret = static_call(A[0].call)(...);
> if (ret)
> return ret;
> }
>
> ...
>
> return ret;
>
Right. That's actually exactly what Paul's first implementation
looked like for call_int_hook. But we thought the switch thing was
easier to understand.
>
> > It would also need to handle the fact that IIUC at the moment the last
> > static_call may be a tail call, so we'd be patching an existing jump
> > into a jump to a different target, I don't know if we can do that
> > atomically.
>
> Of course we can, the static_call() series supports tail-calls just
> fine. In fact, patching jumps is far easier, it was patching call that
> was the real problem because it mucks about with the stack.
>
OK great. I had a vague apprehension that we could only patch to or from
a NOP.
next prev parent reply other threads:[~2020-08-24 15:07 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-20 16:47 [RFC] security: replace indirect calls with static calls Brendan Jackman
2020-08-20 18:43 ` James Morris
2020-08-20 19:04 ` KP Singh
2020-08-20 21:45 ` Kees Cook
2020-08-24 14:09 ` Brendan Jackman
2020-08-24 14:33 ` Peter Zijlstra
2020-08-24 15:05 ` Brendan Jackman [this message]
2020-08-20 22:46 ` Casey Schaufler
2020-08-24 15:20 ` Brendan Jackman
2020-08-24 16:42 ` Casey Schaufler
2020-08-24 17:04 ` Brendan Jackman
2020-08-24 17:54 ` Casey Schaufler
2021-02-05 15:09 ` Mathieu Desnoyers
2021-02-05 15:40 ` Peter Zijlstra
2021-02-05 15:47 ` Mathieu Desnoyers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200824150504.GA575149@google.com \
--to=jackmanb@google.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jackmanb@chromium.org \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=kpsingh@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul.renauld.epfl@gmail.com \
--cc=peterz@infradead.org \
--cc=pjt@google.com \
--cc=rafael.j.wysocki@intel.com \
--cc=thgarnie@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).