public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH v3 0/2] Rust and the shadow call stack sanitizer
@ 2024-07-04 15:07 Alice Ryhl
  2024-07-04 15:07 ` [PATCH v3 1/2] rust: SHADOW_CALL_STACK is incompatible with Rust Alice Ryhl
  0 siblings, 1 reply; 4+ messages in thread
From: Alice Ryhl @ 2024-07-04 15:07 UTC (permalink / raw)
  To: Catalin Marinas, Will Deacon, Jamie Cunliffe, Sami Tolvanen
  Cc: Masahiro Yamada, Nathan Chancellor, Nicolas Schier,
	Ard Biesheuvel, Marc Zyngier, Mark Rutland, Mark Brown,
	Nick Desaulniers, Kees Cook, Miguel Ojeda, Alex Gaynor,
	Wedson Almeida Filho, Boqun Feng, Gary Guo, Björn Roy Baron,
	Benno Lossin, Andreas Hindborg, Valentin Obst, linux-kbuild,
	linux-kernel, linux-arm-kernel, rust-for-linux, Alice Ryhl,
	stable

This patch series makes it possible to use Rust together with the shadow
call stack sanitizer. The first patch is intended to be backported to
ensure that people don't try to use SCS with Rust on older kernel
versions. The second patch makes it possible to use Rust with the shadow
call stack sanitizer.

The second patch in this series doesn't make sense without [1], though
it doesn't break the build if [1] is missing.

Link: https://lore.kernel.org/rust-for-linux/20240701183625.665574-12-ojeda@kernel.org/ [1]
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
---
Changes in v3:
- Use -Zfixed-x18.
- Add logic to reject unsupported rustc versions.
- Also include a fix to be backported.
- Link to v2: https://lore.kernel.org/rust-for-linux/20240305-shadow-call-stack-v2-1-c7b4a3f4d616@google.com/

Changes in v2:
- Add -Cforce-unwind-tables flag.
- Link to v1: https://lore.kernel.org/rust-for-linux/20240304-shadow-call-stack-v1-1-f055eaf40a2c@google.com/

---
Alice Ryhl (2):
      rust: SHADOW_CALL_STACK is incompatible with Rust
      rust: add flags for shadow call stack sanitizer

 Makefile            | 1 +
 arch/Kconfig        | 1 +
 arch/arm64/Makefile | 3 +++
 3 files changed, 5 insertions(+)
---
base-commit: 83b1e6e4170cf96b2a7c49070dd43749649f454e
change-id: 20240304-shadow-call-stack-9c197a4361d9

Best regards,
-- 
Alice Ryhl <aliceryhl@google.com>


^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH v3 1/2] rust: SHADOW_CALL_STACK is incompatible with Rust
  2024-07-04 15:07 [PATCH v3 0/2] Rust and the shadow call stack sanitizer Alice Ryhl
@ 2024-07-04 15:07 ` Alice Ryhl
  2024-07-04 16:45   ` Nathan Chancellor
  0 siblings, 1 reply; 4+ messages in thread
From: Alice Ryhl @ 2024-07-04 15:07 UTC (permalink / raw)
  To: Catalin Marinas, Will Deacon, Jamie Cunliffe, Sami Tolvanen
  Cc: Masahiro Yamada, Nathan Chancellor, Nicolas Schier,
	Ard Biesheuvel, Marc Zyngier, Mark Rutland, Mark Brown,
	Nick Desaulniers, Kees Cook, Miguel Ojeda, Alex Gaynor,
	Wedson Almeida Filho, Boqun Feng, Gary Guo, Björn Roy Baron,
	Benno Lossin, Andreas Hindborg, Valentin Obst, linux-kbuild,
	linux-kernel, linux-arm-kernel, rust-for-linux, Alice Ryhl,
	stable

When using the shadow call stack sanitizer, all code must be compiled
with the -ffixed-x18 flag, but this flag is not currently being passed
to Rust. This results in crashes that are extremely difficult to debug.

To ensure that nobody else has to go through the same debugging session
that I had to, prevent configurations that enable both SHADOW_CALL_STACK
and RUST.

It is rather common for people to backport 724a75ac9542 ("arm64: rust:
Enable Rust support for AArch64"), so I recommend applying this fix all
the way back to 6.1.

Cc: <stable@vger.kernel.org> # 6.1 and later
Fixes: 724a75ac9542 ("arm64: rust: Enable Rust support for AArch64")
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
---
 arch/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/Kconfig b/arch/Kconfig
index 975dd22a2dbd..238448a9cb71 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -690,6 +690,7 @@ config SHADOW_CALL_STACK
 	bool "Shadow Call Stack"
 	depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
 	depends on DYNAMIC_FTRACE_WITH_ARGS || DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
+	depends on !RUST
 	depends on MMU
 	help
 	  This option enables the compiler's Shadow Call Stack, which

-- 
2.45.2.803.g4e1b14247a-goog


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH v3 1/2] rust: SHADOW_CALL_STACK is incompatible with Rust
  2024-07-04 15:07 ` [PATCH v3 1/2] rust: SHADOW_CALL_STACK is incompatible with Rust Alice Ryhl
@ 2024-07-04 16:45   ` Nathan Chancellor
  2024-07-29 14:25     ` Alice Ryhl
  0 siblings, 1 reply; 4+ messages in thread
From: Nathan Chancellor @ 2024-07-04 16:45 UTC (permalink / raw)
  To: Alice Ryhl
  Cc: Catalin Marinas, Will Deacon, Jamie Cunliffe, Sami Tolvanen,
	Masahiro Yamada, Nicolas Schier, Ard Biesheuvel, Marc Zyngier,
	Mark Rutland, Mark Brown, Nick Desaulniers, Kees Cook,
	Miguel Ojeda, Alex Gaynor, Wedson Almeida Filho, Boqun Feng,
	Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg,
	Valentin Obst, linux-kbuild, linux-kernel, linux-arm-kernel,
	rust-for-linux, stable

On Thu, Jul 04, 2024 at 03:07:57PM +0000, Alice Ryhl wrote:
> When using the shadow call stack sanitizer, all code must be compiled
> with the -ffixed-x18 flag, but this flag is not currently being passed
> to Rust. This results in crashes that are extremely difficult to debug.
> 
> To ensure that nobody else has to go through the same debugging session
> that I had to, prevent configurations that enable both SHADOW_CALL_STACK
> and RUST.
> 
> It is rather common for people to backport 724a75ac9542 ("arm64: rust:
> Enable Rust support for AArch64"), so I recommend applying this fix all
> the way back to 6.1.
> 
> Cc: <stable@vger.kernel.org> # 6.1 and later
> Fixes: 724a75ac9542 ("arm64: rust: Enable Rust support for AArch64")
> Signed-off-by: Alice Ryhl <aliceryhl@google.com>

Would it be better to move this to arch/arm64/Kconfig?

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 167e51067508..080907776db9 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -90,7 +90,7 @@ config ARM64
 	select ARCH_SUPPORTS_DEBUG_PAGEALLOC
 	select ARCH_SUPPORTS_HUGETLBFS
 	select ARCH_SUPPORTS_MEMORY_FAILURE
-	select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK
+	select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK && !RUST
 	select ARCH_SUPPORTS_LTO_CLANG if CPU_LITTLE_ENDIAN
 	select ARCH_SUPPORTS_LTO_CLANG_THIN
 	select ARCH_SUPPORTS_CFI_CLANG

RISC-V probably needs the same change, which further leads me to believe
that this workaround should be architecture specific, as they may be
fixed and enabled at different rates.

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index 6b4d71aa9bed..4d89afdd385d 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -213,6 +213,7 @@ config HAVE_SHADOW_CALL_STACK
 	def_bool $(cc-option,-fsanitize=shadow-call-stack)
 	# https://github.com/riscv-non-isa/riscv-elf-psabi-doc/commit/a484e843e6eeb51f0cb7b8819e50da6d2444d769
 	depends on $(ld-option,--no-relax-gp)
+	depends on !RUST
 
 config RISCV_USE_LINKER_RELAXATION
 	def_bool y

> ---
>  arch/Kconfig | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 975dd22a2dbd..238448a9cb71 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -690,6 +690,7 @@ config SHADOW_CALL_STACK
>  	bool "Shadow Call Stack"
>  	depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
>  	depends on DYNAMIC_FTRACE_WITH_ARGS || DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
> +	depends on !RUST
>  	depends on MMU
>  	help
>  	  This option enables the compiler's Shadow Call Stack, which
> 
> -- 
> 2.45.2.803.g4e1b14247a-goog
> 

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH v3 1/2] rust: SHADOW_CALL_STACK is incompatible with Rust
  2024-07-04 16:45   ` Nathan Chancellor
@ 2024-07-29 14:25     ` Alice Ryhl
  0 siblings, 0 replies; 4+ messages in thread
From: Alice Ryhl @ 2024-07-29 14:25 UTC (permalink / raw)
  To: Nathan Chancellor
  Cc: Catalin Marinas, Will Deacon, Jamie Cunliffe, Sami Tolvanen,
	Masahiro Yamada, Nicolas Schier, Ard Biesheuvel, Marc Zyngier,
	Mark Rutland, Mark Brown, Nick Desaulniers, Kees Cook,
	Miguel Ojeda, Alex Gaynor, Wedson Almeida Filho, Boqun Feng,
	Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg,
	Valentin Obst, linux-kbuild, linux-kernel, linux-arm-kernel,
	rust-for-linux, stable

On Thu, Jul 4, 2024 at 6:45 PM Nathan Chancellor <nathan@kernel.org> wrote:
>
> On Thu, Jul 04, 2024 at 03:07:57PM +0000, Alice Ryhl wrote:
> > When using the shadow call stack sanitizer, all code must be compiled
> > with the -ffixed-x18 flag, but this flag is not currently being passed
> > to Rust. This results in crashes that are extremely difficult to debug.
> >
> > To ensure that nobody else has to go through the same debugging session
> > that I had to, prevent configurations that enable both SHADOW_CALL_STACK
> > and RUST.
> >
> > It is rather common for people to backport 724a75ac9542 ("arm64: rust:
> > Enable Rust support for AArch64"), so I recommend applying this fix all
> > the way back to 6.1.
> >
> > Cc: <stable@vger.kernel.org> # 6.1 and later
> > Fixes: 724a75ac9542 ("arm64: rust: Enable Rust support for AArch64")
> > Signed-off-by: Alice Ryhl <aliceryhl@google.com>
>
> Would it be better to move this to arch/arm64/Kconfig?
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 167e51067508..080907776db9 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -90,7 +90,7 @@ config ARM64
>         select ARCH_SUPPORTS_DEBUG_PAGEALLOC
>         select ARCH_SUPPORTS_HUGETLBFS
>         select ARCH_SUPPORTS_MEMORY_FAILURE
> -       select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK
> +       select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK && !RUST
>         select ARCH_SUPPORTS_LTO_CLANG if CPU_LITTLE_ENDIAN
>         select ARCH_SUPPORTS_LTO_CLANG_THIN
>         select ARCH_SUPPORTS_CFI_CLANG
>
> RISC-V probably needs the same change, which further leads me to believe
> that this workaround should be architecture specific, as they may be
> fixed and enabled at different rates.
>
> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> index 6b4d71aa9bed..4d89afdd385d 100644
> --- a/arch/riscv/Kconfig
> +++ b/arch/riscv/Kconfig
> @@ -213,6 +213,7 @@ config HAVE_SHADOW_CALL_STACK
>         def_bool $(cc-option,-fsanitize=shadow-call-stack)
>         # https://github.com/riscv-non-isa/riscv-elf-psabi-doc/commit/a484e843e6eeb51f0cb7b8819e50da6d2444d769
>         depends on $(ld-option,--no-relax-gp)
> +       depends on !RUST
>
>  config RISCV_USE_LINKER_RELAXATION
>         def_bool y

Thanks for taking a look. For now, I went with placing the `depends
on` in CONFIG_RUST as suggested by the others. This avoids cases where
enabling Rust results in changes to how mitigations are configured.

As for riscv, it doesn't need any special flags. Please see the commit
message for more details on riscv support.

https://lore.kernel.org/all/20240729-shadow-call-stack-v4-0-2a664b082ea4@google.com/

Alice

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-07-29 14:25 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-04 15:07 [PATCH v3 0/2] Rust and the shadow call stack sanitizer Alice Ryhl
2024-07-04 15:07 ` [PATCH v3 1/2] rust: SHADOW_CALL_STACK is incompatible with Rust Alice Ryhl
2024-07-04 16:45   ` Nathan Chancellor
2024-07-29 14:25     ` Alice Ryhl

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox