From: Kees Cook <kees@kernel.org>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
jannh@google.com, jmill@asu.edu, joao@overdrivepizza.com,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
luto@kernel.org, samitolvanen@google.com,
scott.d.constable@intel.com, x86@kernel.org
Subject: Re: [RFC] Circumventing FineIBT Via Entrypoints
Date: Sun, 16 Feb 2025 15:51:27 -0800 [thread overview]
Message-ID: <202502161547.B05817003F@keescook> (raw)
In-Reply-To: <20250215210729.GA25168@noisy.programming.kicks-ass.net>
On Sat, Feb 15, 2025 at 10:07:29PM +0100, Peter Zijlstra wrote:
> On Fri, Feb 14, 2025 at 10:57:51AM +0100, Peter Zijlstra wrote:
> > On Thu, Feb 13, 2025 at 12:53:28PM -0800, Kees Cook wrote:
> >
> > > Right, the "if they can control a function pointer" is the part I'm
> > > focusing on. This attack depends on making an indirect call with a
> > > controlled pointer. Non-FineIBT CFI will protect against that step,
> > > so I think this is only an issue for IBT-only and FineIBT, but not CFI
> > > nor CFI+IBT.
> >
> > Yes, the whole caller side validation should stop this.
>
> And I think we can retro-fit that in FineIBT. Notably the current call
> sites look like:
>
> 0000000000000060 <fineibt_caller>:
> 60: 41 ba 78 56 34 12 mov $0x12345678,%r10d
> 66: 49 83 eb 10 sub $0x10,%r11
> 6a: 0f 1f 40 00 nopl 0x0(%rax)
> 6e: 41 ff d3 call *%r11
> 71: 0f 1f 00 nopl (%rax)
>
> Of which the last 6 bytes are the retpoline site (starting at 0x6e). It
> is trivially possible to re-arrange things to have both nops next to one
> another, giving us 7 bytes to muck about with.
>
> And I think we can just about manage to do a caller side hash validation
> in them bytes like:
>
> 0000000000000080 <fineibt_paranoid>:
> 80: 41 ba 78 56 34 12 mov $0x12345678,%r10d
> 86: 49 83 eb 10 sub $0x10,%r11
> 8a: 45 3b 53 07 cmp 0x7(%r11),%r10d
> 8e: 74 01 je 91 <fineibt_paranoid+0x11>
> 90: ea (bad)
> 91: 41 ff d3 call *%r11
Ah nice! Yes, that would be great and removes all my concerns about
FineIBT. :) (And you went with EA just to distinguish it more easily?
Can't we still use the UD2 bug tables to find this like normal?)
> And while this is somewhat daft, it would close the hole vs this entry
> point swizzle afaict, no?
>
> Patch against tip/x86/core (which includes the latest ibt bits as per
> this morning).
>
> Boots and builds the next kernel on my ADL.
Lovely! Based on the patch, I assume you were testing CFI crash location
reporting too?
I'll try to get this spun up for testing here too.
--
Kees Cook
next prev parent reply other threads:[~2025-02-16 23:51 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <Z60NwR4w/28Z7XUa@ubun>
2025-02-12 22:29 ` [RFC] Circumventing FineIBT Via Entrypoints Jann Horn
2025-02-13 1:31 ` Andrew Cooper
2025-02-13 2:09 ` Jann Horn
2025-02-13 2:42 ` Andrew Cooper
2025-02-22 20:43 ` Rudolf Marek
2025-02-25 18:10 ` Andrew Cooper
2025-02-25 20:06 ` Rudolf Marek
2025-02-25 21:14 ` Andrew Cooper
2025-02-26 2:55 ` Kees Cook
2025-02-26 22:48 ` Rudolf Marek
2025-02-27 0:41 ` Andrew Cooper
2025-03-01 22:48 ` Rudolf Marek
2025-03-02 19:16 ` Rudolf Marek
2025-03-02 22:31 ` Andrew Cooper
2025-02-28 12:13 ` Florian Weimer
2025-02-13 20:28 ` Kees Cook
2025-02-13 20:41 ` Andrew Cooper
2025-02-13 20:53 ` Kees Cook
2025-02-13 20:57 ` Jann Horn
2025-02-16 23:42 ` Kees Cook
2025-02-14 9:57 ` Peter Zijlstra
2025-02-15 21:07 ` Peter Zijlstra
2025-02-16 23:51 ` Kees Cook [this message]
2025-02-17 10:39 ` Peter Zijlstra
2025-02-17 13:06 ` David Laight
2025-02-17 13:13 ` Peter Zijlstra
2025-02-17 18:38 ` David Laight
2025-02-17 18:54 ` Peter Zijlstra
2025-02-14 10:05 ` Peter Zijlstra
2025-02-14 9:54 ` Peter Zijlstra
2025-02-13 6:15 ` Jennifer Miller
2025-02-13 19:23 ` Jann Horn
2025-02-13 21:24 ` Andrew Cooper
2025-02-13 23:24 ` Jennifer Miller
2025-02-13 23:43 ` Jann Horn
2025-02-14 23:06 ` Andrew Cooper
2025-02-15 0:07 ` Jennifer Miller
2025-02-15 0:11 ` Andrew Cooper
2025-02-15 0:19 ` Jennifer Miller
2025-02-14 22:25 ` Josh Poimboeuf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202502161547.B05817003F@keescook \
--to=kees@kernel.org \
--cc=andrew.cooper3@citrix.com \
--cc=jannh@google.com \
--cc=jmill@asu.edu \
--cc=joao@overdrivepizza.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=peterz@infradead.org \
--cc=samitolvanen@google.com \
--cc=scott.d.constable@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox