Commit 894af4a1 authored by Peter Zijlstra's avatar Peter Zijlstra
Browse files

objtool: Validate kCFI calls 



Validate that all indirect calls adhere to kCFI rules. Notably doing
nocfi indirect call to a cfi function is broken.

Apparently some Rust 'core' code violates this and explodes when ran
with FineIBT.

All the ANNOTATE_NOCFI_SYM sites are prime targets for attackers.

 - runtime EFI is especially henous because it also needs to disable
   IBT. Basically calling unknown code without CFI protection at
   runtime is a massice security issue.

 - Kexec image handover; if you can exploit this, you get to keep it :-)

Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: default avatarJosh Poimboeuf <jpoimboe@kernel.org>
Acked-by: default avatarSean Christopherson <seanjc@google.com>
Link: https://lkml.kernel.org/r/20250714103441.496787279@infradead.org
parent 28d11e45

arch/x86/kernel/machine_kexec_64.c

+4 −0
Original line number Diff line number Diff line
@@ -453,6 +453,10 @@ void __nocfi machine_kexec(struct kimage *image) 


	__ftrace_enabled_restore(save_ftrace_enabled);

}

/*

 * Handover to the next kernel, no CFI concern.

 */

ANNOTATE_NOCFI_SYM(machine_kexec);



/* arch-dependent functionality related to kexec file-based syscall */

arch/x86/kvm/vmx/vmenter.S

+4 −0
Original line number Diff line number Diff line
@@ -361,6 +361,10 @@ SYM_FUNC_END(vmread_error_trampoline) 


.section .text, "ax"



#ifndef CONFIG_X86_FRED



SYM_FUNC_START(vmx_do_interrupt_irqoff)

	VMX_DO_EVENT_IRQOFF CALL_NOSPEC _ASM_ARG1

SYM_FUNC_END(vmx_do_interrupt_irqoff)



#endif

arch/x86/platform/efi/efi_stub_64.S

+4 −0
Original line number Diff line number Diff line
@@ -11,6 +11,10 @@ 
#include <asm/nospec-branch.h>



SYM_FUNC_START(__efi_call)

	/*

	 * The EFI code doesn't have any CFI, annotate away the CFI violation.

	 */

	ANNOTATE_NOCFI_SYM

	pushq %rbp

	movq %rsp, %rbp

	and $~0xf, %rsp

drivers/misc/lkdtm/perms.c

+5 −0
Original line number Diff line number Diff line
@@ -9,6 +9,7 @@ 
#include <linux/vmalloc.h>

#include <linux/mman.h>

#include <linux/uaccess.h>

#include <linux/objtool.h>

#include <asm/cacheflush.h>

#include <asm/sections.h>
@@ -86,6 +87,10 @@ static noinline __nocfi void execute_location(void *dst, bool write) 
	func();

	pr_err("FAIL: func returned\n");

}

/*

 * Explicitly doing the wrong thing for testing.

 */

ANNOTATE_NOCFI_SYM(execute_location);



static void execute_user_location(void *dst)

{

include/linux/objtool.h

+10 −0
Original line number Diff line number Diff line
@@ -184,6 +184,15 @@ 
 * WARN using UD2.

 */

#define ANNOTATE_REACHABLE(label)	__ASM_ANNOTATE(label, ANNOTYPE_REACHABLE)

/*

 * This should not be used; it annotates away CFI violations. There are a few

 * valid use cases like kexec handover to the next kernel image, and there is

 * no security concern there.

 *

 * There are also a few real issues annotated away, like EFI because we can't

 * control the EFI code.

 */

#define ANNOTATE_NOCFI_SYM(sym)		asm(__ASM_ANNOTATE(sym, ANNOTYPE_NOCFI))



#else

#define ANNOTATE_NOENDBR		ANNOTATE type=ANNOTYPE_NOENDBR
@@ -194,6 +203,7 @@ 
#define ANNOTATE_INTRA_FUNCTION_CALL	ANNOTATE type=ANNOTYPE_INTRA_FUNCTION_CALL

#define ANNOTATE_UNRET_BEGIN		ANNOTATE type=ANNOTYPE_UNRET_BEGIN

#define ANNOTATE_REACHABLE		ANNOTATE type=ANNOTYPE_REACHABLE

#define ANNOTATE_NOCFI_SYM		ANNOTATE type=ANNOTYPE_NOCFI

#endif



#if defined(CONFIG_NOINSTR_VALIDATION) && \