CFI: asan.module_ctor is missing a type hash #1742

Closed
samitolvanen opened this issue Oct 19, 2022 · 9 comments
Labels:
[BUG] llvm (main): A bug in an unreleased version of LLVM (this label is appropriate for regressions)
[FEATURE] CFI: Related to building the kernel with Clang Control Flow Integrity
[FIXED][LINUX] 6.2: This bug was fixed in Linux 6.2
[FIXED][LLVM] main: This bug was only present and fixed in an unreleased version of LLVM

Comments

@samitolvanen (Member)

From Mark Rutland:

Looks like CFI && KASAN is borked on both arm64 and x86; the implicitly-generated asan.module_ctor functions aren't given a type hash by the compiler, so when those get invoked by do_ctors() the calls fail

cc @kees @nickdesaulniers @nathanchance @lvwr

@samitolvanen added the [FEATURE] CFI and [BUG] llvm (main) labels on Oct 19, 2022
@samitolvanen changed the title from "CFI: asan.* functions are missing type hashes" to "CFI: asan.module_ctor is missing a type hash" on Oct 19, 2022
@samitolvanen (Member Author)

The asan.module_ctor function is created in the asan LLVM pass using createSanitizerCtor. Since this happens outside of Clang, it's a bit awkward to generate a type hash for the function at this point.

The reason we didn't have this problem earlier was that do_ctors is an __init function and CFI was disabled for it. I'm leaning towards simply marking the function __nocfi instead of hardcoding a type hash for these functions or hacking something together in LLVM to compute a hash. Thoughts?

@samitolvanen (Member Author)

Perhaps setting the types in LLVM is reasonable after all, as we'd have to deal with module constructors as well otherwise. Here's an alternative solution: https://reviews.llvm.org/D138945

samitolvanen added a commit to samitolvanen/llvm-project that referenced this issue Dec 8, 2022
Set KCFI type metadata for the sanitizer constructors to prevent
runtime failures when these functions are indirectly called in
instrumented code. This fixes a compatibility issue with KASAN and
-fsanitize=kcfi in the Linux kernel.

Link: ClangBuiltLinux/linux#1742

Differential Revision: https://reviews.llvm.org/D138945
samitolvanen added a commit to llvm/llvm-project that referenced this issue Dec 9, 2022
Set KCFI type metadata for the sanitizer constructors to prevent
runtime failures when these functions are indirectly called in
instrumented code. This fixes a compatibility issue with KASAN and
-fsanitize=kcfi in the Linux kernel.

Link: ClangBuiltLinux/linux#1742

Reviewed By: nickdesaulniers, MaskRay

Differential Revision: https://reviews.llvm.org/D138945
@samitolvanen (Member Author)

The remaining issue with CFI+KASAN is that asan.module_ctor still won't have a type hash in object files that were not compiled with -fsanitize=kcfi. With x86/arm64 defconfigs, it looks like only the constructor in kernel/cfi.o trips KASAN, but I don't see any reason we couldn't now enable CFI also for kernel/cfi.c.

intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue Dec 22, 2022
When CFI_CLANG and KASAN are both enabled, LLVM doesn't generate a
CFI type hash for asan.module_ctor functions in translation units
where CFI is disabled, which leads to a CFI failure during boot when
do_ctors calls the affected constructors:

  CFI failure at do_basic_setup+0x64/0x90 (target:
  asan.module_ctor+0x0/0x28; expected type: 0xa540670c)

Specifically, this happens because CFI is disabled for
kernel/cfi.c. There's no reason to keep CFI disabled here anymore, so
fix the failure by not filtering out CC_FLAGS_CFI for the file.

Note that https://reviews.llvm.org/rG3b14862f0a96 fixed the issue
where LLVM didn't emit CFI type hashes for any sanitizer constructors,
but now type hashes are emitted correctly for TUs that use CFI.

Link: ClangBuiltLinux#1742
Fixes: 8924560 ("cfi: Switch to -fsanitize=kcfi")
Reported-by: Mark Rutland <[email protected]>
Signed-off-by: Sami Tolvanen <[email protected]>
@samitolvanen (Member Author)

torvalds pushed a commit to torvalds/linux that referenced this issue Dec 23, 2022
When CFI_CLANG and KASAN are both enabled, LLVM doesn't generate a
CFI type hash for asan.module_ctor functions in translation units
where CFI is disabled, which leads to a CFI failure during boot when
do_ctors calls the affected constructors:

  CFI failure at do_basic_setup+0x64/0x90 (target:
  asan.module_ctor+0x0/0x28; expected type: 0xa540670c)

Specifically, this happens because CFI is disabled for
kernel/cfi.c. There's no reason to keep CFI disabled here anymore, so
fix the failure by not filtering out CC_FLAGS_CFI for the file.

Note that https://reviews.llvm.org/rG3b14862f0a96 fixed the issue
where LLVM didn't emit CFI type hashes for any sanitizer constructors,
but now type hashes are emitted correctly for TUs that use CFI.

Link: ClangBuiltLinux#1742
Fixes: 8924560 ("cfi: Switch to -fsanitize=kcfi")
Reported-by: Mark Rutland <[email protected]>
Signed-off-by: Sami Tolvanen <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Dec 27, 2022
[ Upstream commit cf80164 ]

When CFI_CLANG and KASAN are both enabled, LLVM doesn't generate a
CFI type hash for asan.module_ctor functions in translation units
where CFI is disabled, which leads to a CFI failure during boot when
do_ctors calls the affected constructors:

  CFI failure at do_basic_setup+0x64/0x90 (target:
  asan.module_ctor+0x0/0x28; expected type: 0xa540670c)

Specifically, this happens because CFI is disabled for
kernel/cfi.c. There's no reason to keep CFI disabled here anymore, so
fix the failure by not filtering out CC_FLAGS_CFI for the file.

Note that https://reviews.llvm.org/rG3b14862f0a96 fixed the issue
where LLVM didn't emit CFI type hashes for any sanitizer constructors,
but now type hashes are emitted correctly for TUs that use CFI.

Link: ClangBuiltLinux/linux#1742
Fixes: 8924560 ("cfi: Switch to -fsanitize=kcfi")
Reported-by: Mark Rutland <[email protected]>
Signed-off-by: Sami Tolvanen <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
veselypeta pushed a commit to veselypeta/cherillvm that referenced this issue Jun 6, 2024
Set KCFI type metadata for the sanitizer constructors to prevent
runtime failures when these functions are indirectly called in
instrumented code. This fixes a compatibility issue with KASAN and
-fsanitize=kcfi in the Linux kernel.

Link: ClangBuiltLinux/linux#1742

Reviewed By: nickdesaulniers, MaskRay

Differential Revision: https://reviews.llvm.org/D138945
veselypeta pushed a commit to veselypeta/cherillvm that referenced this issue Jun 12, 2024
…ctions

When -fpatchable-function-entry is used to emit prefix nops
before functions, KCFI assumes all indirectly called functions
have the same number of prefix nops, because the nops are emitted
between the KCFI type hash and the function entry. However, as
patchable-function-prefix is a function attribute set by Clang,
functions later synthesized by LLVM don't inherit this attribute
and end up not having prefix nops. One of these functions
is asan.module_ctor, which the Linux kernel ends up calling
indirectly when KASAN is enabled.

In order to avoid tripping KCFI, save the expected prefix offset
to a module flag, and use it when we're setting KCFI type for the
relevant synthesized functions.

Link: ClangBuiltLinux/linux#1742

Reviewed By: MaskRay

Differential Revision: https://reviews.llvm.org/D141172
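As an added illustration (not code from the kernel, LLVM, or this issue) of why both failures discussed here arise, the following C model lays functions out the way -fsanitize=kcfi does and runs the caller-side check: the 4-byte type hash sits before the function entry, any -fpatchable-function-entry prefix nops sit between the hash and the entry, and the caller reads the hash at entry minus (nops + 4). The hash value is the one from the boot log quoted above; the byte image, the nop count of 4 and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HASH_SIZE 4
#define NOP_BYTE 0x90 /* single-byte x86 nop, used as a stand-in for any arch */
#define RET_BYTE 0xc3

/* KCFI type hash for the constructors, as reported in the boot log on this issue. */
#define CTOR_TYPE_HASH 0xa540670cu

/* Constructed text image. Zero bytes stand for whatever padding precedes a
 * function that was emitted without a KCFI prefix. */
static uint8_t text[128];

/* Lay out one function starting at 'at' and return the offset of its entry:
 * [4-byte hash if with_hash][prefix_nops x nop][code]. */
static size_t emit_function(size_t at, int with_hash, uint32_t hash, int prefix_nops)
{
    if (with_hash) {
        memcpy(&text[at], &hash, HASH_SIZE);
        at += HASH_SIZE;
    }
    for (int i = 0; i < prefix_nops; i++)
        text[at++] = NOP_BYTE;
    text[at] = RET_BYTE;
    return at;
}

/* Caller-side check performed before an indirect call. caller_nops is the M of
 * the caller's -fpatchable-function-entry=N,M; KCFI assumes every indirect
 * callee was laid out with the same M. Returns 1 if the call proceeds, 0 if the
 * kernel would report a CFI failure. */
static int kcfi_check(size_t entry, int caller_nops, uint32_t expected)
{
    uint32_t found;
    memcpy(&found, &text[entry - HASH_SIZE - (size_t)caller_nops], HASH_SIZE);
    if (found != expected) {
        printf("CFI failure (target: text+0x%zx; expected type: 0x%08x, found: 0x%08x)\n",
               entry, expected, found);
        return 0;
    }
    return 1;
}

/* Case 1: a constructor from a TU built with -fsanitize=kcfi, no prefix nops. */
int check_kcfi_tu_ctor(void)
{
    memset(text, 0, sizeof text);
    size_t entry = emit_function(16, 1, CTOR_TYPE_HASH, 0);
    return kcfi_check(entry, 0, CTOR_TYPE_HASH);
}

/* Case 2: asan.module_ctor from a TU where CC_FLAGS_CFI was filtered out
 * (kernel/cfi.c before the fix): no hash was ever emitted, so the caller
 * reads padding and reports the failure quoted in the commit messages. */
int check_asan_ctor_from_nocfi_tu(void)
{
    memset(text, 0, sizeof text);
    size_t entry = emit_function(16, 0, 0, 0);
    return kcfi_check(entry, 0, CTOR_TYPE_HASH);
}

/* Case 3 (D141172): callers use -fpatchable-function-entry with M=4, but the
 * synthesized asan.module_ctor did not inherit the attribute, so its hash sits
 * directly before the entry instead of 4 bytes further back. */
int check_synth_ctor_without_prefix_nops(void)
{
    memset(text, 0, sizeof text);
    size_t entry = emit_function(16, 1, CTOR_TYPE_HASH, 0);
    return kcfi_check(entry, 4, CTOR_TYPE_HASH);
}

/* Case 4: after the fix, the module-wide prefix offset is applied to the
 * synthesized constructor as well, so the hash lands where callers look. */
int check_synth_ctor_with_prefix_nops(void)
{
    memset(text, 0, sizeof text);
    size_t entry = emit_function(16, 1, CTOR_TYPE_HASH, 4);
    return kcfi_check(entry, 4, CTOR_TYPE_HASH);
}

int main(void)
{
    printf("kcfi TU ctor:                  %s\n", check_kcfi_tu_ctor() ? "ok" : "CFI failure");
    printf("asan ctor, CFI-disabled TU:    %s\n", check_asan_ctor_from_nocfi_tu() ? "ok" : "CFI failure");
    printf("synth ctor, no prefix nops:    %s\n", check_synth_ctor_without_prefix_nops() ? "ok" : "CFI failure");
    printf("synth ctor, prefix nops fixed: %s\n", check_synth_ctor_with_prefix_nops() ? "ok" : "CFI failure");
    return 0;
}
```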
hopez13 pushed a commit to hopez13/kernel-superproject that referenced this issue Dec 26, 2024
* This is causing crashes due to missing type hashes.
* This should be reverted when
ClangBuiltLinux/linux#1742 is fixed.

Bug: 264407394
Change-Id: Iba23815e321c25ec0ad6aa7c078c834031a34dc8
Signed-off-by: Ulises Mendez Martinez <[email protected]>