Google Git
Sign in
kernel / pub / scm / linux / kernel / git / mark / linux / refs/heads/lkdtm/cfi-tests
commitd7a4fd7aa1449dd51a017f44ad7e34ad492667a8[log] [tgz]
authorMark Rutland <mark.rutland@arm.com>Wed Jul 13 15:32:08 2022 +0100
committerMark Rutland <mark.rutland@arm.com>Wed Jul 13 16:15:33 2022 +0100
tree29398c237527c9c57ae479d6e53fd0cc6d804d66
parent32346491ddf24599decca06190ebca03ff9de7f8 [diff]
lkdtm: cfi: add test for HW landing pad CFI

Some architectures have coarse-grained HW CFI schemes where indirect
branches must target a "landing pad" instruction (e.g. BTI on arm64,
ENDBR on x86). These prevent gadgetization of arbitrary portions of
functions.

Add a test which checks these work as expected.

For example, on arm64 HW with BTI this should result in a BTI exception
being taken:

| # echo CFI_FORWARD_LANDING_PAD > /sys/kernel/debug/provoke-crash/DIRECT
| lkdtm: Performing direct entry CFI_FORWARD_LANDING_PAD
| lkdtm: Calling gadget address ...
| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x0000000034000002 -- BTI
| CPU: 0 PID: 152 Comm: bash Not tainted 5.19.0-rc6-00001-g1f3acfdc1799 #3
| Hardware name: linux,dummy-virt (DT)
| pstate: 60400809 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=-c)
| pc : lkdtm_increment_void+0x4/0x20
| lr : lkdtm_CFI_FORWARD_LANDING_PAD+0x30/0x48
| sp : ffff80000a763cf0
| x29: ffff80000a763cf0 x28: ffff0000042c1d80 x27: 0000000000000000
| x26: 0000000000000000 x25: 0000000000000000 x24: 0000000031a6fb80
| x23: ffff000002c2a0c0 x22: ffff80000a763df0 x21: 0000000000000018
| x20: ffff80000a231498 x19: ffff000004075000 x18: 0000000000000006
| x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720
| x14: 0720072007200720 x13: ffff800009f82ca8 x12: 0000000000000429
| x11: 0000000000000163 x10: ffff800009fdaca8 x9 : ffff800009f82ca8
| x8 : 00000000ffffefff x7 : ffff800009fdaca8 x6 : 80000000fffff000
| x5 : ffff00007fbcca08 x4 : 0000000000000000 x3 : 0000000000000000
| x2 : 0000000000000000 x1 : ffff8000088a9c94 x0 : ffff80000a334b70
| Kernel panic - not syncing: Unhandled exception
| CPU: 0 PID: 152 Comm: bash Not tainted 5.19.0-rc6-00001-g1f3acfdc1799 #3
| Hardware name: linux,dummy-virt (DT)
| Call trace:
|  dump_backtrace.part.0+0xcc/0xe0
|  show_stack+0x18/0x6c
|  dump_stack_lvl+0x64/0x80
|  dump_stack+0x18/0x34
|  panic+0x170/0x328
|  arm64_exit_nmi.isra.0+0x0/0x80
|  el1h_64_sync_handler+0x64/0xd0
|  el1h_64_sync+0x64/0x68
|  lkdtm_increment_void+0x4/0x20
|  lkdtm_do_action+0x24/0x30
|  direct_entry+0x160/0x174
|  full_proxy_write+0x60/0xbc
|  vfs_write+0xc4/0x2a0
|  ksys_write+0x70/0x104
|  __arm64_sys_write+0x20/0x2c
|  invoke_syscall+0x48/0x114
|  el0_svc_common.constprop.0+0xcc/0xec
|  do_el0_svc+0xa0/0xc0
|  el0_svc+0x2c/0x84
|  el0t_64_sync_handler+0x11c/0x150
|  el0t_64_sync+0x18c/0x190
| Kernel Offset: disabled
| CPU features: 0x000,0003a817,69a418cf
| Memory Limit: none

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
1 file changed
tree: 29398c237527c9c57ae479d6e53fd0cc6d804d66
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. LICENSES/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .clang-format
  24. .cocciconfig
  25. .get_maintainer.ignore
  26. .gitattributes
  27. .gitignore
  28. .mailmap
  29. COPYING
  30. CREDITS
  31. Kbuild
  32. Kconfig
  33. MAINTAINERS
  34. Makefile
  35. README