Re: [PATCH v2] kunit: cfi: Add test for kCFI indirect-call type checks
From: Kees Cook
Date: Fri Jun 19 2026 - 16:44:51 EST
On Fri, Jun 19, 2026 at 11:51:29AM +0200, Peter Zijlstra wrote:
> > This is really rather horrible. Also, now all an attacker needs to do is
> > ensure cfi_kunit_handled() unconditionally returns true. IOW, no distro
> > must ever have this KUNIT crap enabled.
>
> Also, if this lives, the check should at least trip the cfi_warn path,
> being completely silent is terrible.
If anyone actually ships kunit in production, then no, I will NAK my own
patch. ;) In that case I will go back to a version I never sent, which
uses Kunit's try/catch Oops checker (which doesn't work on riscv). I
only did it this way (similar to the fortify kunit testing) so I could
get riscv coverage.
--
Kees Cook