Re: [PATCH] [PATCH v2] AARCH64: Add gcc Shadow Call Stack support

From: Dan Li
Date: Mon Feb 28 2022 - 02:51:07 EST

Next message: Marc Kleine-Budde: "Re: [PATCH] can: usb: fix a possible memory leak in esd_usb2_start_xmit"
Previous message: Vignesh Raghavendra: "Re: [PATCH v3 2/2] arm64: dts: ti: k3-am64-main: Add ELM (Error Location Module) node"
In reply to: Kees Cook: "Re: [PATCH] [PATCH v2] AARCH64: Add gcc Shadow Call Stack support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2/25/22 12:58, Kees Cook wrote:

On Thu, Feb 24, 2022 at 07:24:10PM -0800, Dan Li wrote:

Signed-off-by: Dan Li <ashimida@xxxxxxxxxxxxxxxxx>

Thanks for the tweaks!

---
FYI:
This function can be used to test if the shadow call stack works:
//noinline void __noscs scs_test(void)
noinline void scs_test(void)
{
unsigned long * lr = (unsigned long *)__builtin_frame_address(0) + 1;

asm volatile("str xzr, [%0]\n\t": : "r"(lr) : "x30");
}

Not a big deal, but just FYI, there's a lot of whitespace trailing the
"}" above...

Ah, sorry for the mistake.

If SCS protection is enabled, this function will return normally.
If the function has __noscs attribute (scs disabled), it will crash due to 0
address access.

It would be cool to turn this into an LKDTM test... (see things like the
CFI_FORWARD_PROTO test). I imagine this should be CFI_BACKWARD_SHADOW or
something...

OK, I'll add it in the next version.

Also, I assume you're using real hardware to test this? It'd be nice to
see if qemu can be convinced to run with the needed features. Whenever
I've tried this it becomes impossibly slow. :)

I also use qemu to test the patch (qemu 6.1.0 with command "-cpu max"),
and can feel the performance drop.

Maybe because my test environment only has simple busybox and ltp,
the feeling of a slow system running is not that strong for me :)

For comparison, I simply tested the difference in kernel boot time
in my test environment:
//run qemu with "-cpu cortex-a57",
[ 1.254481] Run /linuxrc as init process
//run qemu with "-cpu max"
[ 3.566091] Run /linuxrc as init process

diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index ccbbd31b3aae..deff5b308470 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -97,6 +97,10 @@
#define KASAN_ABI_VERSION 4
#endif
+#ifdef CONFIG_SHADOW_CALL_STACK
+#define __noscs __attribute__((__no_sanitize__("shadow-call-stack")))
+#endif

I initially wondered if we need a separate __no_sanitize(STUFF) patch to
make the compiler-clang.h macros easier, but I see there are places
where we do multiple ("address", "hwaddress") and have specialized
macros, so I think this is fine. And since GCC doesn't support
"__has_feature", I think this is the correct location for this.

As in:
https://lore.kernel.org/all/26a0a816-bc3e-2ac0-d773-0819d9f225af@xxxxxxxxxxxxxxxxx/

I think maybe we could use "#ifdef CONFIG_SHADOW_CALL_STACK"
instead of "#if __has_attribute(__no_sanitize_address__)" here,
then move it to `compiler_types.h`.

From my current test results, __noscs seems to work fine in
clang compilation.

Thanks,
Dan.

Next message: Marc Kleine-Budde: "Re: [PATCH] can: usb: fix a possible memory leak in esd_usb2_start_xmit"
Previous message: Vignesh Raghavendra: "Re: [PATCH v3 2/2] arm64: dts: ti: k3-am64-main: Add ELM (Error Location Module) node"
In reply to: Kees Cook: "Re: [PATCH] [PATCH v2] AARCH64: Add gcc Shadow Call Stack support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]