Hi all,
I am happy to introduce to you that I have contacted a colleague Likun Wang, who
is willing to continue completing this patch.
This patch has been delayed for a long time. I hope that gcc will
support this feature
in the near future.
Thanks.
Dan.
On Mon, 19 Dec 2022 at 14:18, Dan Li <ashimida.1990@xxxxxxxxx> wrote:
>
> Based on Sami's patch[1], this patch makes the corresponding kernel
> configuration of CFI available when compiling the kernel with the gcc[2].
>
> The code after enabling cfi is as follows:
>
> int (*p)(void);
> int func (int)
> {
> p();
> }
>
> __cfi_func:
> .4byte 0x439d3502
> func:
> ......
> adrp x0, p
> add x0, x0, :lo12:p
> mov w1, 23592
> movk w1, 0x4601, lsl 16
> cmp w0, w1
> beq .L2
> ......
> bl cfi_check_failed
> .L2:
> blr x19
> ret
>
> In the compiler part[4], there are some differences from Sami's
> implementation[3], mainly including:
>
> 1. When a typeid mismatch is detected, the cfi_check_failed function
> will be called instead of the brk instruction. This function needs
> to be implemented by the compiler user.
> If there are user mode programs or other systems that want to use
> this feature, it may be more convenient to use a callback (so this
> compilation option is set to -fsanitize=cfi instead of kcfi).
>
> 2. A reserved typeid (such as 0x0U on the aarch64 platform) is always
> inserted in front of functions that should not be called indirectly.
> Functions that can be called indirectly will not use this hash value,
> which prevents instructions/data before the function from being used
> as a typeid by an attacker.
>
> 3. Some bits are ignored in the typeid to avoid conflicts between the
> typeid and the instruction set of a specific platform, thereby
> preventing an attacker from bypassing the CFI check by using the
> instruction as a typeid, such as on the aarch64 platform:
> * If the following instruction sequence exists:
> 400620: a9be7bfd stp x29, x30, [sp, #-32]!
> 400624: 910003fd mov x29, sp
> 400628: f9000bf3 str x19, [sp, #16]
> * If the expected typeid of the indirect call is exactly 0x910003fd,
> the attacker can jump to the next instruction position of any
> "mov x29,sp" instruction (such as 0x400628 here).
>
> 4. Insert a symbol __cfi_<function> before each function's typeid,
> which may be helpful for fine-grained KASLR implementations (or not?).
>
> 5. The current implementation of gcc only supports the aarch64 platform.
>
> This produces the following oops on CFI failure (generated using lkdtm):
>
> /kselftest_install/lkdtm # ./CFI_FORWARD_PROTO.sh
> [ 74.856516] lkdtm: Performing direct entry CFI_FORWARD_PROTO
> [ 74.856878] lkdtm: Calling matched prototype ...
> [ 74.857011] lkdtm: Calling mismatched prototype ...
> [ 74.857133] CFI failure at lkdtm_indirect_call+0x30/0x50 (target: lkdtm_increment_int+0x0/0x1c; expected type: 0xc59c68f1)
> [ 74.858185] Kernel panic - not syncing: Oops - CFI
> [ 74.859240] CPU: 0 PID: 129 Comm: cat Not tainted 6.0.0-rc4-00024-g32bf7f14f497-dirty #150
> [ 74.859481] Hardware name: linux,dummy-virt (DT)
> [ 74.859795] Call trace:
> [ 74.859959] dump_backtrace.part.0+0xcc/0xe0
> [ 74.860212] show_stack+0x18/0x5c
> [ 74.860327] dump_stack_lvl+0x64/0x84
> [ 74.860398] dump_stack+0x18/0x38
> [ 74.860443] panic+0x170/0x36c
> [ 74.860496] cfi_check_failed+0x38/0x44
> [ 74.860564] lkdtm_indirect_call+0x30/0x50
> [ 74.860614] lkdtm_CFI_FORWARD_PROTO+0x3c/0x6c
> [ 74.860701] lkdtm_do_action+0x44/0x58
> [ 74.860764] direct_entry+0x148/0x160
> [ 74.860814] full_proxy_write+0x74/0xe0
> [ 74.860874] vfs_write+0xd8/0x2d0
> [ 74.860942] ksys_write+0x70/0x110
> [ 74.861000] __arm64_sys_write+0x1c/0x30
> [ 74.861067] invoke_syscall+0x5c/0x140
> [ 74.861117] el0_svc_common.constprop.0+0x44/0xf0
> [ 74.861190] do_el0_svc+0x2c/0xc0
> [ 74.861233] el0_svc+0x20/0x60
> [ 74.861287] el0t_64_sync_handler+0xf4/0x124
> [ 74.861340] el0t_64_sync+0x160/0x164
> [ 74.861782] SMP: stopping secondary CPUs
> [ 74.862336] Kernel Offset: disabled
> [ 74.862439] CPU features: 0x0000,00075024,699418af
> [ 74.862799] Memory Limit: none
> [ 74.863373] ---[ end Kernel panic - not syncing: Oops - CFI ]---
>
> The gcc-related patches[4] are based on tag: releases/gcc-12.2.0.
>
> Any suggestion please let me know :).
>
> Thanks, Dan.
>
> [1] https://lore.kernel.org/all/20220908215504.3686827-1-samitolvanen@xxxxxxxxxx/
> [2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107048
> [3] https://reviews.llvm.org/D119296
> [4] https://lore.kernel.org/linux-hardening/20221219055431.22596-1-ashimida.1990@xxxxxxxxx/
>
> Signed-off-by: Dan Li <ashimida.1990@xxxxxxxxx>
> ---
> Makefile | 6 ++++++
> arch/Kconfig | 24 +++++++++++++++++++++++-
> arch/arm64/Kconfig | 1 +
> include/linux/cfi_types.h | 15 +++++++++++----
> include/linux/compiler-gcc.h | 4 ++++
> kernel/Makefile | 1 +
> kernel/cfi.c | 23 +++++++++++++++++++++++
> scripts/kallsyms.c | 4 +++-
> 8 files changed, 72 insertions(+), 6 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index 43e08c9f95e9..7c74dac57aa4 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -926,6 +926,12 @@ KBUILD_CFLAGS += $(CC_FLAGS_CFI)
> export CC_FLAGS_CFI
> endif
>
> +ifdef CONFIG_CFI_GCC
> +CC_FLAGS_CFI := -fsanitize=cfi
> +KBUILD_CFLAGS += $(CC_FLAGS_CFI)
> +export CC_FLAGS_CFI
> +endif
> +
> ifdef CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B
> KBUILD_CFLAGS += -falign-functions=64
> endif
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 1c1eca0c0019..8b43a9fd3b54 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -756,9 +756,31 @@ config CFI_CLANG
>
> https://clang.llvm.org/docs/ControlFlowIntegrity.html
>
> +config ARCH_SUPPORTS_CFI_GCC
> + bool
> + help
> + An architecture should select this option if it can support GCC's
> + Control-Flow Integrity (CFI) checking.
> +
> +config CFI_GCC
> + bool "Use GCC's Control Flow Integrity (CFI)"
> + depends on ARCH_SUPPORTS_CFI_GCC
> + depends on $(cc-option,-fsanitize=cfi)
> + help
> + This option enables GCC’s forward-edge Control Flow Integrity
> + (CFI) checking, where the compiler injects a runtime check to each
> + indirect function call to ensure the target is a valid function with
> + the correct static type. This restricts possible call targets and
> + makes it more difficult for an attacker to exploit bugs that allow
> + the modification of stored function pointers. More information can be
> + found from the compiler's documentation:
> +
> + - Clang: https://clang.llvm.org/docs/ControlFlowIntegrity.html
> + - GCC: https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#Instrumentation-Options
> +
> config CFI_PERMISSIVE
> bool "Use CFI in permissive mode"
> - depends on CFI_CLANG
> + depends on CFI_CLANG || CFI_GCC
> help
> When selected, Control Flow Integrity (CFI) violations result in a
> warning instead of a kernel panic. This option should only be used
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 9fb9fff08c94..60fdfb01cecb 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -89,6 +89,7 @@ config ARM64
> select ARCH_SUPPORTS_LTO_CLANG if CPU_LITTLE_ENDIAN
> select ARCH_SUPPORTS_LTO_CLANG_THIN
> select ARCH_SUPPORTS_CFI_CLANG
> + select ARCH_SUPPORTS_CFI_GCC
> select ARCH_SUPPORTS_ATOMIC_RMW
> select ARCH_SUPPORTS_INT128 if CC_HAS_INT128
> select ARCH_SUPPORTS_NUMA_BALANCING
> diff --git a/include/linux/cfi_types.h b/include/linux/cfi_types.h
> index 6b8713675765..1c3b7ea6a79f 100644
> --- a/include/linux/cfi_types.h
> +++ b/include/linux/cfi_types.h
> @@ -8,18 +8,25 @@
> #ifdef __ASSEMBLY__
> #include <linux/linkage.h>
>
> -#ifdef CONFIG_CFI_CLANG
> +#if defined(CONFIG_CFI_CLANG) || defined(CONFIG_CFI_GCC)
> /*
> - * Use the __kcfi_typeid_<function> type identifier symbol to
> + * Use the __[k]cfi_typeid_<function> type identifier symbol to
> * annotate indirectly called assembly functions. The compiler emits
> * these symbols for all address-taken function declarations in C
> * code.
> */
> #ifndef __CFI_TYPE
> +
> +#ifdef CONFIG_CFI_GCC
> +#define __CFI_TYPE(name) \
> + .4byte __cfi_typeid_##name
> +#else
> #define __CFI_TYPE(name) \
> .4byte __kcfi_typeid_##name
> #endif
>
> +#endif
> +
> #define SYM_TYPED_ENTRY(name, linkage, align...) \
> linkage(name) ASM_NL \
> align ASM_NL \
> @@ -29,12 +36,12 @@
> #define SYM_TYPED_START(name, linkage, align...) \
> SYM_TYPED_ENTRY(name, linkage, align)
>
> -#else /* CONFIG_CFI_CLANG */
> +#else /* defined(CONFIG_CFI_CLANG) || defined(CONFIG_CFI_GCC) */
>
> #define SYM_TYPED_START(name, linkage, align...) \
> SYM_START(name, linkage, align)
>
> -#endif /* CONFIG_CFI_CLANG */
> +#endif /* defined(CONFIG_CFI_CLANG) || defined(CONFIG_CFI_GCC) */
>
> #ifndef SYM_TYPED_FUNC_START
> #define SYM_TYPED_FUNC_START(name) \
> diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
> index 9b157b71036f..aec1ce327b1a 100644
> --- a/include/linux/compiler-gcc.h
> +++ b/include/linux/compiler-gcc.h
> @@ -82,6 +82,10 @@
> #define __noscs __attribute__((__no_sanitize__("shadow-call-stack")))
> #endif
>
> +#ifdef CONFIG_CFI_GCC
> +#define __nocfi __attribute__((no_sanitize("cfi")))
> +#endif
> +
> #if __has_attribute(__no_sanitize_address__)
> #define __no_sanitize_address __attribute__((no_sanitize_address))
> #else
> diff --git a/kernel/Makefile b/kernel/Makefile
> index 318789c728d3..923d3e060852 100644
> --- a/kernel/Makefile
> +++ b/kernel/Makefile
> @@ -114,6 +114,7 @@ obj-$(CONFIG_SHADOW_CALL_STACK) += scs.o
> obj-$(CONFIG_HAVE_STATIC_CALL) += static_call.o
> obj-$(CONFIG_HAVE_STATIC_CALL_INLINE) += static_call_inline.o
> obj-$(CONFIG_CFI_CLANG) += cfi.o
> +obj-$(CONFIG_CFI_GCC) += cfi.o
>
> obj-$(CONFIG_PERF_EVENTS) += events/
>
> diff --git a/kernel/cfi.c b/kernel/cfi.c
> index 08caad776717..9bff35736756 100644
> --- a/kernel/cfi.c
> +++ b/kernel/cfi.c
> @@ -25,6 +25,7 @@ enum bug_trap_type report_cfi_failure(struct pt_regs *regs, unsigned long addr,
> return BUG_TRAP_TYPE_BUG;
> }
>
> +#ifdef CONFIG_CFI_CLANG
> #ifdef CONFIG_ARCH_USES_CFI_TRAPS
> static inline unsigned long trap_address(s32 *p)
> {
> @@ -99,3 +100,25 @@ bool is_cfi_trap(unsigned long addr)
> return is_module_cfi_trap(addr);
> }
> #endif /* CONFIG_ARCH_USES_CFI_TRAPS */
> +#endif /* CONFIG_CFI_CLANG */
> +
> +
> +#ifdef CONFIG_CFI_GCC
> +void cfi_check_failed(u32 caller_hash, u32 callee_hash, void *callee_addr)
> +{
> + unsigned long pc, target;
> +
> + pc = (unsigned long)__builtin_return_address(0);
> + target = (unsigned long)callee_addr;
> +
> + switch (report_cfi_failure(NULL, pc, &target, caller_hash)) {
> + case BUG_TRAP_TYPE_WARN:
> + break;
> +
> + default:
> + panic("Oops - CFI");
> + }
> +}
> +EXPORT_SYMBOL(cfi_check_failed);
> +
> +#endif /* CONFIG_CFI_GCC */
> diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c
> index ccdf0c897f31..ed8db513b918 100644
> --- a/scripts/kallsyms.c
> +++ b/scripts/kallsyms.c
> @@ -119,7 +119,9 @@ static bool is_ignored_symbol(const char *name, char type)
> "__ThumbV7PILongThunk_",
> "__LA25Thunk_", /* mips lld */
> "__microLA25Thunk_",
> - "__kcfi_typeid_", /* CFI type identifiers */
> + "__kcfi_typeid_", /* CFI type identifiers in Clang */
> + "__cfi_", /* CFI type identifiers in GCC */
> + "__pi___cfi", /* CFI type identifiers in GCC */
> NULL
> };
>
> --
> 2.17.1
>
