From: Peter Zijlstra <peterz@infradead.org>
To: Kees Cook <kees@kernel.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
jannh@google.com, jmill@asu.edu, joao@overdrivepizza.com,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
luto@kernel.org, samitolvanen@google.com,
scott.d.constable@intel.com, x86@kernel.org
Subject: Re: [RFC] Circumventing FineIBT Via Entrypoints
Date: Mon, 17 Feb 2025 11:39:52 +0100 [thread overview]
Message-ID: <20250217103952.GM14028@noisy.programming.kicks-ass.net> (raw)
In-Reply-To: <202502161547.B05817003F@keescook>
On Sun, Feb 16, 2025 at 03:51:27PM -0800, Kees Cook wrote:
> On Sat, Feb 15, 2025 at 10:07:29PM +0100, Peter Zijlstra wrote:
> > On Fri, Feb 14, 2025 at 10:57:51AM +0100, Peter Zijlstra wrote:
> > > On Thu, Feb 13, 2025 at 12:53:28PM -0800, Kees Cook wrote:
> > >
> > > > Right, the "if they can control a function pointer" is the part I'm
> > > > focusing on. This attack depends on making an indirect call with a
> > > > controlled pointer. Non-FineIBT CFI will protect against that step,
> > > > so I think this is only an issue for IBT-only and FineIBT, but not CFI
> > > > nor CFI+IBT.
> > >
> > > Yes, the whole caller side validation should stop this.
> >
> > And I think we can retro-fit that in FineIBT. Notably the current call
> > sites look like:
> >
> > 0000000000000060 <fineibt_caller>:
> > 60: 41 ba 78 56 34 12 mov $0x12345678,%r10d
> > 66: 49 83 eb 10 sub $0x10,%r11
> > 6a: 0f 1f 40 00 nopl 0x0(%rax)
> > 6e: 41 ff d3 call *%r11
> > 71: 0f 1f 00 nopl (%rax)
> >
> > Of which the last 6 bytes are the retpoline site (starting at 0x6e). It
> > is trivially possible to re-arrange things to have both nops next to one
> > another, giving us 7 bytes to muck about with.
> >
> > And I think we can just about manage to do a caller side hash validation
> > in them bytes like:
> >
> > 0000000000000080 <fineibt_paranoid>:
> > 80: 41 ba 78 56 34 12 mov $0x12345678,%r10d
> > 86: 49 83 eb 10 sub $0x10,%r11
> > 8a: 45 3b 53 07 cmp 0x7(%r11),%r10d
> > 8e: 74 01 je 91 <fineibt_paranoid+0x11>
> > 90: ea (bad)
> > 91: 41 ff d3 call *%r11
>
> Ah nice! Yes, that would be great and removes all my concerns about
> FineIBT. :)
Excellent!
> (And you went with EA just to distinguish it more easily?
> Can't we still use the UD2 bug tables to find this like normal?)
No space; UD2 is a 2 byte instruction. IIUC all the single byte
instructions that trip #UD are more or less 'reserved' and we shouldn't
be using them, but I think we can use 0xEA here since it is specific to
the paranoid FineIBT thing -- and if people want to reclaim the usage,
all they need to do is fix IBT :-) -- which as I said before should be
done once FRED happens.
(/me makes note to go read the very latest FRED spec -- its been a
while).
> > And while this is somewhat daft, it would close the hole vs this entry
> > point swizzle afaict, no?
> >
> > Patch against tip/x86/core (which includes the latest ibt bits as per
> > this morning).
> >
> > Boots and builds the next kernel on my ADL.
>
> Lovely! Based on the patch, I assume you were testing CFI crash location
> reporting too?
Sami was, he reminded me I forgot to hook up FineIBT, so I did :-)
> I'll try to get this spun up for testing here too.
Thanks!
next prev parent reply other threads:[~2025-02-17 10:39 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <Z60NwR4w/28Z7XUa@ubun>
2025-02-12 22:29 ` [RFC] Circumventing FineIBT Via Entrypoints Jann Horn
2025-02-13 1:31 ` Andrew Cooper
2025-02-13 2:09 ` Jann Horn
2025-02-13 2:42 ` Andrew Cooper
2025-02-22 20:43 ` Rudolf Marek
2025-02-25 18:10 ` Andrew Cooper
2025-02-25 20:06 ` Rudolf Marek
2025-02-25 21:14 ` Andrew Cooper
2025-02-26 2:55 ` Kees Cook
2025-02-26 22:48 ` Rudolf Marek
2025-02-27 0:41 ` Andrew Cooper
2025-03-01 22:48 ` Rudolf Marek
2025-03-02 19:16 ` Rudolf Marek
2025-03-02 22:31 ` Andrew Cooper
2025-02-28 12:13 ` Florian Weimer
2025-02-13 20:28 ` Kees Cook
2025-02-13 20:41 ` Andrew Cooper
2025-02-13 20:53 ` Kees Cook
2025-02-13 20:57 ` Jann Horn
2025-02-16 23:42 ` Kees Cook
2025-02-14 9:57 ` Peter Zijlstra
2025-02-15 21:07 ` Peter Zijlstra
2025-02-16 23:51 ` Kees Cook
2025-02-17 10:39 ` Peter Zijlstra [this message]
2025-02-17 13:06 ` David Laight
2025-02-17 13:13 ` Peter Zijlstra
2025-02-17 18:38 ` David Laight
2025-02-17 18:54 ` Peter Zijlstra
2025-02-14 10:05 ` Peter Zijlstra
2025-02-14 9:54 ` Peter Zijlstra
2025-02-13 6:15 ` Jennifer Miller
2025-02-13 19:23 ` Jann Horn
2025-02-13 21:24 ` Andrew Cooper
2025-02-13 23:24 ` Jennifer Miller
2025-02-13 23:43 ` Jann Horn
2025-02-14 23:06 ` Andrew Cooper
2025-02-15 0:07 ` Jennifer Miller
2025-02-15 0:11 ` Andrew Cooper
2025-02-15 0:19 ` Jennifer Miller
2025-02-14 22:25 ` Josh Poimboeuf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250217103952.GM14028@noisy.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=andrew.cooper3@citrix.com \
--cc=jannh@google.com \
--cc=jmill@asu.edu \
--cc=joao@overdrivepizza.com \
--cc=kees@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=samitolvanen@google.com \
--cc=scott.d.constable@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox