On Wed, Jan 04, 2023 at 01:09:12PM -0800, Kees Cook wrote:
> With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
> indirect call targets are validated against the expected function
> pointer prototype to make sure the call target is valid to help mitigate
> ROP attacks. If they are not identical, there is a failure at run time,
> which manifests as either a kernel panic or thread getting killed.
>
> ext4_feat_ktype was setting the "release" handler to "kfree", which
> doesn't have a matching function prototype. Add a simple wrapper
> with the correct prototype.
>
> This was found as a result of Clang's new -Wcast-function-type-strict
> flag, which is more sensitive than the simpler -Wcast-function-type,
> which only checks for type width mismatches.
>
> Note that this code is only reached when ext4 is a loadable module and
> it is being unloaded:
>
> CFI failure at kobject_put+0xbb/0x1b0 (target: kfree+0x0/0x180; expected type: 0x7c4aa698)
> ...
> RIP: 0010:kobject_put+0xbb/0x1b0
> ...
> Call Trace:
> <TASK>
> ext4_exit_sysfs+0x14/0x60 [ext4]
> cleanup_module+0x67/0xedb [ext4]
>
> Fixes: b99fee58a20a ("ext4: create ext4_feat kobject dynamically")
> Cc: Theodore Ts'o <tytso@xxxxxxx>
> Cc: Eric Biggers <ebiggers@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Build-tested-by: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>
> Reviewed-by: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>
> Reviewed-by: Nathan Chancellor <nathan@xxxxxxxxxx>
> Link: https://lore.kernel.org/r/20230103234616.never.915-kees@xxxxxxxxxx
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> ---
> v2: rename callback, improve commit log (ebiggers)
> v1: https://lore.kernel.org/lkml/20230103234616.never.915-kees@xxxxxxxxxx
> ---
> fs/ext4/sysfs.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)

Reviewed-by: Eric Biggers <ebiggers@xxxxxxxxxx>

- Eric
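The mechanism the commit message describes, as an added user-space model that is not part of the ext4 patch, the kernel, or anything Kees or Eric wrote: each function is registered with a type id derived from its prototype (clang emits such an id in front of every function; a string hash stands in for it here), and the indirect call through ->release compares the callee's id with the id of the pointer type being called through. Pointing ->release straight at a kfree-shaped function is rejected, the patch's wrapper with the matching prototype passes. The names cfi_*, model_*, run_with and the reduced struct kobject / struct kobj_type are hypothetical; ext4_feat_release is the wrapper name from the patch.

```c
/* Added example, not kernel code: a user-space model of a kCFI check at an
 * indirect call through kobj_type->release.  Names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct kobj_type;
struct kobject { struct kobj_type *ktype; int refcount; };

typedef void (*release_fn)(struct kobject *);
struct kobj_type { release_fn release; }; /* prototype: void (struct kobject *) */

/* FNV-1a over the prototype string, standing in for clang's type hash. */
uint32_t cfi_type_id(const char *proto)
{
	uint32_t h = 2166136261u;
	for (; *proto; proto++) {
		h ^= (unsigned char)*proto;
		h *= 16777619u;
	}
	return h;
}

/* Registry of (function address -> type id), standing in for the id clang
 * places in front of each function's entry point. */
struct cfi_entry { void (*fn)(void); uint32_t id; };
static struct cfi_entry cfi_table[8];
static int cfi_count;

static void cfi_register(void (*fn)(void), const char *proto)
{
	if (cfi_count < 8) {
		cfi_table[cfi_count].fn = fn;
		cfi_table[cfi_count].id = cfi_type_id(proto);
		cfi_count++;
	}
}

/* Returns the callee's id, or 0 if the address is not a known function. */
static uint32_t cfi_lookup(void (*fn)(void))
{
	for (int i = 0; i < cfi_count; i++)
		if (cfi_table[i].fn == fn)
			return cfi_table[i].id;
	return 0;
}

/* The check inserted at a call through a release_fn pointer.  Returns 1 if
 * the call went ahead, 0 if rejected (where the kernel panics or kills the
 * thread, as in the "CFI failure at kobject_put" report above). */
static int cfi_checked_release(release_fn fn, struct kobject *kobj)
{
	uint32_t expected = cfi_type_id("void (struct kobject *)");
	uint32_t actual = cfi_lookup((void (*)(void))fn);

	if (actual != expected) {
		fprintf(stderr, "CFI failure: target type %#x, expected %#x\n",
			actual, expected);
		return 0;
	}
	fn(kobj);
	return 1;
}

/* kfree's prototype is void (void *): not what ->release expects. */
static void model_kfree(void *p) { free(p); }

/* The fix from the patch: a wrapper whose prototype matches ->release. */
static void ext4_feat_release(struct kobject *kobj) { model_kfree(kobj); }

static void cfi_init(void)
{
	cfi_count = 0;
	cfi_register((void (*)(void))model_kfree, "void (void *)");
	cfi_register((void (*)(void))ext4_feat_release, "void (struct kobject *)");
}

/* Drops the last reference and calls ->release, as kobject_put does on unload. */
static int model_kobject_put(struct kobject *kobj)
{
	if (--kobj->refcount > 0)
		return 1;
	return cfi_checked_release(kobj->ktype->release, kobj);
}

/* Builds a kobject with the given release handler and drops it; returns 1 if
 * the indirect call passed the CFI check, 0 if it was rejected. */
int run_with(release_fn rel)
{
	struct kobj_type kt = { .release = rel };
	struct kobject *k = calloc(1, sizeof(*k));
	int ok;

	if (!k)
		return 0;
	cfi_init();
	k->ktype = &kt;
	k->refcount = 1;
	ok = model_kobject_put(k);
	if (!ok)
		free(k); /* release never ran; do not leak the model object */
	return ok;
}

int main(void)
{
	/* Before the patch: ->release = (release_fn)kfree, the cast that
	 * -Wcast-function-type-strict flags.  After: the wrapper. */
	printf("kfree cast: %s\n", run_with((release_fn)model_kfree) ? "allowed" : "CFI failure");
	printf("wrapper:    %s\n", run_with(ext4_feat_release) ? "allowed" : "CFI failure");
	return 0;
}
```

The point of the model is that the two prototypes differ only in the pointee type of their single argument, so a width-only check such as -Wcast-function-type sees nothing wrong, while a prototype-hash check (the strict warning at build time, kCFI at run time) treats them as different targets.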