raspi/linux
1
0
Fork 1
mirror of https://github.com/raspberrypi/linux.git synced 2025-12-17 23:34:24 +00:00
Code Issues Projects Releases Wiki Activity
Files
fee858fa032c258968f34af154b51b6c047d4afe
linux/arch/x86/kernel/cfi.c
Peter Zijlstra eb6fd16b4f x86/ibt: Handle FineIBT in handle_cfi_failure() 
[ Upstream commit 882b86fd4e ]

Sami reminded me that FineIBT failure does not hook into the regular
CFI failure case, and as such CFI_PERMISSIVE does not work.

Reported-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Link: https://lkml.kernel.org/r/20250214092619.GB21726@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-05-29 11:02:50 +02:00

101 lines
2.3 KiB
C
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
// SPDX-License-Identifier: GPL-2.0
/*
* Clang Control Flow Integrity (CFI) support.
*
* Copyright (C) 2022 Google LLC
*/
#include <linux/string.h>
#include <linux/cfi.h>
#include <asm/insn.h>
#include <asm/insn-eval.h>
/*
* Returns the target address and the expected type when regs->ip points
* to a compiler-generated CFI trap.
*/
static bool decode_cfi_insn(struct pt_regs *regs, unsigned long *target,
u32 *type)
{
char buffer[MAX_INSN_SIZE];
struct insn insn;
int offset = 0;
*target = *type = 0;
/*
* The compiler generates the following instruction sequence
* for indirect call checks:
*
*   movl -<id>, %r10d ; 6 bytes
* addl -4(%reg), %r10d ; 4 bytes
* je .Ltmp1 ; 2 bytes
* ud2 ; <- regs->ip
* .Ltmp1:
*
* We can decode the expected type and the target address from the
* movl/addl instructions.
*/
if (copy_from_kernel_nofault(buffer, (void *)regs->ip - 12, MAX_INSN_SIZE))
return false;
if (insn_decode_kernel(&insn, &buffer[offset]))
return false;
if (insn.opcode.value != 0xBA)
return false;
*type = -(u32)insn.immediate.value;
if (copy_from_kernel_nofault(buffer, (void *)regs->ip - 6, MAX_INSN_SIZE))
return false;
if (insn_decode_kernel(&insn, &buffer[offset]))
return false;
if (insn.opcode.value != 0x3)
return false;
/* Read the target address from the register. */
offset = insn_get_modrm_rm_off(&insn, regs);
if (offset < 0)
return false;
*target = *(unsigned long *)((void *)regs + offset);
return true;
}
/*
* Checks if a ud2 trap is because of a CFI failure, and handles the trap
* if needed. Returns a bug_trap_type value similarly to report_bug.
*/
enum bug_trap_type handle_cfi_failure(struct pt_regs *regs)
{
unsigned long target;
u32 type;
switch (cfi_mode) {
case CFI_KCFI:
if (!is_cfi_trap(regs->ip))
return BUG_TRAP_TYPE_NONE;
if (!decode_cfi_insn(regs, &target, &type))
return report_cfi_failure_noaddr(regs, regs->ip);
break;
case CFI_FINEIBT:
if (!decode_fineibt_insn(regs, &target, &type))
return BUG_TRAP_TYPE_NONE;
break;
default:
return BUG_TRAP_TYPE_NONE;
}
return report_cfi_failure(regs, regs->ip, &target, type);
}
/*
* Ensure that __kcfi_typeid_ symbols are emitted for functions that may
* not be indirectly called with all configurations.
*/
__ADDRESSABLE(__memcpy)
Reference in New Issue View Git Blame Copy Permalink