Re: [PATCH 05/15] x86: Implement function_nocfi
From: Kees Cook
Date: Fri Apr 16 2021 - 18:28:20 EST
On Fri, Apr 16, 2021 at 03:06:17PM -0700, Andy Lutomirski wrote:
> On Fri, Apr 16, 2021 at 3:03 PM Borislav Petkov <bp@xxxxxxxxx> wrote:
> >
> > On Fri, Apr 16, 2021 at 02:49:23PM -0700, Sami Tolvanen wrote:
> > > __nocfi only disables CFI checking in a function, the compiler still
> > > changes function addresses to point to the CFI jump table, which is
> > > why we need function_nocfi().
> >
> > So call it __func_addr() or get_function_addr() or so, so that at least
> > it is clear what this does.
> >
>
> This seems backwards to me. If I do:
>
> extern void foo(some signature);
>
> then I would, perhaps naively, expect foo to be the actual symbol that
> gets called
Yes.
> and for the ABI to be changed to do the CFI checks.
Uh, no? There's no ABI change -- indirect calls are changed to do the
checking.
> The
> foo symbol would point to whatever magic is needed.
No, the symbol points to the jump table entry. Direct calls get minimal
overhead and indirect calls can add the "is this function in the right
table" checking.
> I assume I'm
> missing something.
Further symbol vs address stuff is discussed here:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=for-next/cfi&id=ff301ceb5299551c3650d0e07ba879b766da4cc0
But note that this shouldn't turn into a discussion of "maybe Clang could
do CFI differently"; this is what Clang has.
https://clang.llvm.org/docs/ControlFlowIntegrity.html
--
Kees Cook