On Thu, Dec 19, 2024 at 5:44 PM Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote: > > On 19/12/2024 4:14 pm, Sedat Dilek wrote: > > Hi, > > > > Linux v6.12.6 will include XEN CVE fixes from mainline. > > > > Here, I use Debian/unstable AMD64 and the SLIM LLVM toolchain 19.1.x > > from kernel.org. > > > > What does it mean in ISSUE DESCRIPTION... > > > > Furthermore, the hypercall page has no provision for Control-flow > > Integrity schemes (e.g. kCFI/CET-IBT/FineIBT), and will simply > > malfunction in such configurations. > > > > ...when someone uses Clang-kCFI? > > The hypercall page has functions of the form: > > MOV $x, %eax > VMCALL / VMMCALL / SYSCALL > RET > > There are no ENDBR instructions, and no prologue/epilogue for hash-based > CFI schemes. > > This is because it's code provided by Xen, not code provided by Linux. > > The absence of ENDBR instructions will yield #CP when CET-IBT is active, > and the absence of hash prologue/epilogue lets the function be used in a > type-confused manor that CFI should have caught. > > ~Andrew Thanks for the technical explanation, Andrew. Hope that helps the folks of "CLANG CONTROL FLOW INTEGRITY SUPPORT". I am not an active user of XEN in the Linux-kernel but I am willing to test when Linux v6.12.6 is officially released and give feedback. Best regards, -Sedat-
