Re: [PATCH 6.4 067/292] x86/fineibt: Poison ENDBR at +0

On Fri, Jul 21, 2023 at 06:02:56PM +0200, Greg Kroah-Hartman wrote:
> From: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> 
> [ Upstream commit 04505bbbbb15da950ea0239e328a76a3ad2376e0 ]
> 
> Alyssa noticed that when building the kernel with CFI_CLANG+IBT and
> booting on IBT enabled hardware to obtain FineIBT, the indirect
> functions look like:
> 
>   __cfi_foo:
> 	endbr64
> 	subl	$hash, %r10d
> 	jz	1f
> 	ud2
> 	nop
>   1:
>   foo:
> 	endbr64
> 
> This is because the compiler generates code for kCFI+IBT. In that case
> the caller does the hash check and will jump to +0, so there must be
> an ENDBR there. The compiler doesn't know about FineIBT at all; also
> it is possible to actually use kCFI+IBT when booting with 'cfi=kcfi'
> on IBT enabled hardware.
> 
> Having this second ENDBR however makes it possible to elide the CFI
> check. Therefore, we should poison this second ENDBR when switching to
> FineIBT mode.
> 
> Fixes: 931ab63664f0 ("x86/ibt: Implement FineIBT")
> Reported-by: "Milburn, Alyssa" <alyssa.milburn@xxxxxxxxx>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
> Reviewed-by: Sami Tolvanen <samitolvanen@xxxxxxxxxx>
> Link: https://lore.kernel.org/r/20230615193722.194131053@xxxxxxxxxxxxx
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

If you take this patch you should also take the patches from Brian that
move ret_from_fork() into C, otherwise you end up with a non-bootable
kernel.
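Not part of the thread: an added audit script that looks for the layout the quoted commit message describes, a function whose 16-byte __cfi_ prologue is followed by an ENDBR still present at +0 (the second ENDBR the patch poisons). The objdump-style listing is constructed, and the 4-byte nop shown at the poisoned site is an assumed rendering, not the kernel's actual poison bytes.

```python
import re
# Constructed objdump-style listing (not from the page): `foo` keeps an ENDBR
# at +0 after its __cfi_ prologue (the layout the commit describes); `bar` shows
# the +0 site with a 4-byte nop instead (an assumed rendering of the poison).
SAMPLE = """\
ffffffff81000100 <__cfi_foo>:
ffffffff81000100:\tf3 0f 1e fa          \tendbr64
ffffffff81000104:\t41 81 ea 78 56 34 12 \tsub    $0x12345678,%r10d
ffffffff8100010b:\t74 03                \tje     ffffffff81000110 <foo>
ffffffff8100010d:\t0f 0b                \tud2
ffffffff8100010f:\t90                   \tnop
ffffffff81000110 <foo>:
ffffffff81000110:\tf3 0f 1e fa          \tendbr64
ffffffff81000114:\t55                   \tpush   %rbp
ffffffff81000120 <__cfi_bar>:
ffffffff81000120:\tf3 0f 1e fa          \tendbr64
ffffffff81000124:\t41 81 ea 21 43 65 87 \tsub    $0x87654321,%r10d
ffffffff8100012b:\t74 03                \tje     ffffffff81000130 <bar>
ffffffff8100012d:\t0f 0b                \tud2
ffffffff8100012f:\t90                   \tnop
ffffffff81000130 <bar>:
ffffffff81000130:\t0f 1f 40 00          \tnopl   0x0(%rax)
ffffffff81000134:\t55                   \tpush   %rbp
"""
SYM_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:$")

def first_insns(text):
    """Map each symbol to [address, mnemonic of its first instruction]."""
    syms, cur = {}, None
    for line in text.splitlines():
        m = SYM_RE.match(line)
        if m:
            cur = m.group(2)
            syms[cur] = [int(m.group(1), 16), None]
            continue
        parts = line.split("\t")  # "addr:", "bytes", "mnemonic operands"
        if cur and len(parts) >= 3 and syms[cur][1] is None:
            syms[cur][1] = parts[2].split()[0]
    return syms

def unpoisoned_endbr(text):
    """Functions whose 16-byte __cfi_ prologue is followed by endbr64 at +0:
    the second ENDBR that makes it possible to elide the CFI check."""
    syms = first_insns(text)
    return [name for name, (addr, mnem) in syms.items()
            if (cfi := syms.get("__cfi_" + name))
            and cfi[0] + 16 == addr and mnem == "endbr64"]

if __name__ == "__main__":
    print(unpoisoned_endbr(SAMPLE))  # ['foo']
```

Run it against `objdump -d vmlinux` output from a CFI_CLANG+IBT build to list the functions that would still need poisoning; an empty list is the expected result once FineIBT has taken over.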
