Re: [Linux-6.12.y] XEN: CVE-2024-53241 / XSA-466 and Clang-kCFI
From: Andrew Cooper
Date: Thu Dec 19 2024 - 11:44:27 EST
On 19/12/2024 4:14 pm, Sedat Dilek wrote:
> Hi,
>
> Linux v6.12.6 will include XEN CVE fixes from mainline.
>
> Here, I use Debian/unstable AMD64 and the SLIM LLVM toolchain 19.1.x
> from kernel.org.
>
> What does it mean in ISSUE DESCRIPTION...
>
> Furthermore, the hypercall page has no provision for Control-flow
> Integrity schemes (e.g. kCFI/CET-IBT/FineIBT), and will simply
> malfunction in such configurations.
>
> ...when someone uses Clang-kCFI?
The hypercall page has functions of the form:
MOV $x, %eax
VMCALL / VMMCALL / SYSCALL
RET
There are no ENDBR instructions, and no prologue/epilogue for hash-based
CFI schemes.
This is because it's code provided by Xen, not code provided by Linux.
The absence of ENDBR instructions will yield #CP when CET-IBT is active,
and the absence of hash prologue/epilogue lets the function be used in a
type-confused manor that CFI should have caught.
~Andrew