On Mon, Mar 07, 2022 at 07:16:36AM -0800, Dan Li wrote:
> The following code seems to work fine under clang/gcc, x86_64/aarch64
> (also tested in lkdtm_CFI_BACKWARD_SHADOW):
>
> #include <stdio.h>
>
> static __attribute__((noinline))
> void set_return_addr(unsigned long *expected, unsigned long *addr)
> {
> /* Use of volatile is to make sure final write isn't seen as a dead store. */
> unsigned long * volatile *ret_addr = (unsigned long **)__builtin_frame_address(0) + 1;
>
> /* Make sure we've found the right place on the stack before writing it. */
> if(*ret_addr == expected)
> *ret_addr = (addr);
> }
>
> static volatile int force_label;
>
> int main(void)
> {
> void *array[] = {0, &&normal, &&redirected};
>
> if (force_label) {
> /* Call it with a NULL to avoid parameters being treated as constants in -02. */
> set_return_addr(NULL, NULL);
> goto * array[force_label];
> }
Hah! I like that. :) I had a weird switch statement that was working for
me; this is cleaner.
>
> do {
>
> set_return_addr(&&normal, &&redirected);
>
> normal:
> printf("I should be skipped\n");
> break;
>
> redirected:
> printf("Redirected\n");
>
> } while (0);
>
> return 0;
> }
>
> But currently it still crashes when I try to enable
> "-mbranch-protection=pac-ret+leaf+bti".
>
> Because the address of "&&redirected" is not encrypted under pac,
> the autiasp check will fail when set_return_addr returns, and
> eventually cause the function to crash when it returns to "&&redirected"
> ("&&redirected" as a reserved label always seems to start with a bti j
> insn).
Strictly speaking, this is entirely correct. :)
> For lkdtm, if we're going to handle both cases in one function, maybe
> it would be better to turn off the -mbranch-protection=pac-ret+leaf+bti
> and maybe also turn off -O2 options for the function :)
If we can apply a function attribute to turn off pac for the "does this
work without protections", that should be sufficient.
--
Kees Cook
