Message ID | 20180310064059.12720-1-jmoreira@suse.de (mailing list archive)
---|---
State | New, archived
On Fri, Mar 9, 2018 at 10:40 PM, Joao Moreira <jmoreira@suse.de> wrote:
> It is possible to indirectly invoke functions with prototypes that do not
> match those of the respectively used function pointers by using void types.
> Despite being widely used as a feature for relaxing function invocation,
> this should be avoided when possible as it may prevent the use of
> heuristics such as prototype matching-based Control-Flow Integrity, which
> can be used to prevent ROP-based attacks.
>
> Given the above, the current efforts to improve Linux security, and the
> upcoming kernel support for compilers with CFI features, fix prototypes in
> the vgacon console driver.
>
> Another similar fix can be seen in [1].
>
> [1] https://android-review.googlesource.com/c/kernel/common/+/602010
>
> Signed-off-by: João Moreira <jmoreira@suse.de>

Whoops, I missed this one. :) Thanks! Greg, do you need this resent
directly to you?

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  drivers/video/console/vgacon.c | 18 +++++++++++++-----
>  1 file changed, 13 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
> index a17ba1465815..f00b630f6839 100644
> --- a/drivers/video/console/vgacon.c
> +++ b/drivers/video/console/vgacon.c
> @@ -1407,21 +1407,29 @@ static bool vgacon_scroll(struct vc_data *c, unsigned int t, unsigned int b, > * The console `switch' structure for the VGA based console > */ > > -static int vgacon_dummy(struct vc_data *c) > +static int vgacon_clear(struct vc_data *c) > { > return 0; > } > > -#define DUMMY (void *) vgacon_dummy > +static void vgacon_putc(struct vc_data *c, int a, int b, int d) > +{ > + return; > +} > + > +static void vgacon_putcs(struct vc_data *c, ushort *s, int a, int b, int d) > +{ > + return; > +} > > const struct consw vga_con = { > .owner = THIS_MODULE, > .con_startup = vgacon_startup, > .con_init = vgacon_init, > .con_deinit = vgacon_deinit, > - .con_clear = DUMMY, > - .con_putc = DUMMY, > - .con_putcs = DUMMY, > + .con_clear = vgacon_clear, > + .con_putc = vgacon_putc, > + .con_putcs = vgacon_putcs, > .con_cursor = vgacon_cursor, > .con_scroll = vgacon_scroll, > .con_switch = vgacon_switch, > -- > 2.13.6 >
Hi,

On Saturday, March 10, 2018 07:27:21 AM Kees Cook wrote:
> On Fri, Mar 9, 2018 at 10:40 PM, Joao Moreira <jmoreira@suse.de> wrote:
> > It is possible to indirectly invoke functions with prototypes that do not
> > match those of the respectively used function pointers by using void types.
> > Despite being widely used as a feature for relaxing function invocation,
> > this should be avoided when possible as it may prevent the use of
> > heuristics such as prototype matching-based Control-Flow Integrity, which
> > can be used to prevent ROP-based attacks.
> >
> > Given the above, the current efforts to improve Linux security, and the
> > upcoming kernel support for compilers with CFI features, fix prototypes in
> > the vgacon console driver.
> >
> > Another similar fix can be seen in [1].
> >
> > [1] https://android-review.googlesource.com/c/kernel/common/+/602010
> >
> > Signed-off-by: João Moreira <jmoreira@suse.de>
>
> Whoops, I missed this one. :) Thanks! Greg, do you need this resent
> directly to you?

I would prefer for drivers/video/console/ changes to go through the fbdev
tree (as suggested by scripts/get_maintainers.pl).

However, since Greg has already merged your CFI patches:

Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>

> Acked-by: Kees Cook <keescook@chromium.org>
>
> -Kees
>
> > ---
> >  drivers/video/console/vgacon.c | 18 +++++++++++++-----
> >  1 file changed, 13 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
> > index a17ba1465815..f00b630f6839 100644
> > --- a/drivers/video/console/vgacon.c
> > +++ b/drivers/video/console/vgacon.c
> > @@ -1407,21 +1407,29 @@ static bool vgacon_scroll(struct vc_data *c, unsigned int t, unsigned int b, > > * The console `switch' structure for the VGA based console > > */ > > > > -static int vgacon_dummy(struct vc_data *c) > > +static int vgacon_clear(struct vc_data *c) > > { > > return 0; > > } > > > > -#define DUMMY (void *) vgacon_dummy > > +static void vgacon_putc(struct vc_data *c, int a, int b, int d) > > +{ > > + return; > > +} > > + > > +static void vgacon_putcs(struct vc_data *c, ushort *s, int a, int b, int d) > > +{ > > + return; > > +} > > > > const struct consw vga_con = { > > .owner = THIS_MODULE, > > .con_startup = vgacon_startup, > > .con_init = vgacon_init, > > .con_deinit = vgacon_deinit, > > - .con_clear = DUMMY, > > - .con_putc = DUMMY, > > - .con_putcs = DUMMY, > > + .con_clear = vgacon_clear, > > + .con_putc = vgacon_putc, > > + .con_putcs = vgacon_putcs, > > .con_cursor = vgacon_cursor, > > .con_scroll = vgacon_scroll, > > .con_switch = vgacon_switch, > > -- > > 2.13.6 Best regards, -- Bartlomiej Zolnierkiewicz Samsung R&D Institute Poland Samsung Electronics
On Sat, Mar 10, 2018 at 03:40:59AM -0300, Joao Moreira wrote:
> It is possible to indirectly invoke functions with prototypes that do not
> match those of the respectively used function pointers by using void types.
> Despite being widely used as a feature for relaxing function invocation,
> this should be avoided when possible as it may prevent the use of
> heuristics such as prototype matching-based Control-Flow Integrity, which
> can be used to prevent ROP-based attacks.
>
> Given the above, the current efforts to improve Linux security, and the
> upcoming kernel support for compilers with CFI features, fix prototypes in
> the vgacon console driver.
>
> Another similar fix can be seen in [1].
>
> [1] https://android-review.googlesource.com/c/kernel/common/+/602010
>
> Signed-off-by: João Moreira <jmoreira@suse.de>
> Acked-by: Kees Cook <keescook@chromium.org>
> Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
> ---
>  drivers/video/console/vgacon.c | 18 +++++++++++++-----
>  1 file changed, 13 insertions(+), 5 deletions(-)

This fails the build :(

drivers/video/console/vgacon.c:1432:15: error: initialization from incompatible pointer type [-Werror=incompatible-pointer-types]
  .con_putcs = vgacon_putcs,
               ^~~~~~~~~~~~

What tree should this go to? It doesn't apply at all to my tty tree,
which is where I thought it should go, so I tried a different one and
got this mess :(

confused,

greg k-h
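The commit message argues that a `(void *)` cast lets a function with the wrong prototype sit behind a typed callback, and that prototype-matching CFI would then refuse the indirect call. The following is an added example, not kernel code and not part of this thread: a toy, hand-registered model of prototype-matching CFI, in the spirit of what a compiler does with clang's -fsanitize=cfi-icall (record each address-taken function's prototype, check it before every indirect call). It goes one step beyond the patch by also showing a corrupted pointer to a valid but differently typed function being refused. `struct consw_model`, the prototype strings, the parameter names, the stub bodies and `privileged_op` are all assumptions modelled on the hunk, not copied from include/linux/console.h.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not kernel code): a toy model of prototype-matching CFI.
 * A real implementation has the compiler tag each address-taken function
 * with its prototype and check the tag at every indirect call; here the tag
 * is a prototype string registered by hand and cfi_call_ok() is the check.
 * struct consw_model is an assumption shaped like the kernel's struct consw.
 */

struct vc_data { int rows, cols; };

struct consw_model {
	void (*con_putc)(struct vc_data *, int, int, int);
	void (*con_putcs)(struct vc_data *, const unsigned short *, int, int, int);
};

#define PROTO_PUTC  "void(struct vc_data*,int,int,int)"
#define PROTO_PUTCS "void(struct vc_data*,const unsigned short*,int,int,int)"

/* Generic function-pointer type used as the lookup key: function-pointer to
 * function-pointer conversion is well defined in C, unlike (void *). */
typedef void (*cfi_key_t)(void);
#define CFI_KEY(fn) ((cfi_key_t)(fn))

struct cfi_entry { cfi_key_t fn; const char *proto; };
static struct cfi_entry cfi_table[16];
static size_t cfi_count;

/* What the compiler would know about every address-taken function. */
static void cfi_register(cfi_key_t fn, const char *proto)
{
	if (cfi_count < sizeof(cfi_table) / sizeof(cfi_table[0]))
		cfi_table[cfi_count++] = (struct cfi_entry){ fn, proto };
}

/* The check before an indirect call: 1 if fn is a known function whose
 * prototype equals the one this call site expects; 0 if it is unknown
 * (a ROP gadget, a mid-function address) or has a different prototype. */
int cfi_call_ok(cfi_key_t fn, const char *expected_proto)
{
	for (size_t i = 0; i < cfi_count; i++)
		if (cfi_table[i].fn == fn)
			return strcmp(cfi_table[i].proto, expected_proto) == 0;
	return 0;
}

/* "Before": one dummy with the wrong prototype, hidden behind a (void *)
 * cast so the compiler cannot object at the initializer. */
static int vgacon_dummy(struct vc_data *c) { (void)c; return 0; }
#define DUMMY (void *) vgacon_dummy

/* "After": one stub per callback, each with the exact prototype. */
static void vgacon_putc(struct vc_data *c, int ch, int ypos, int xpos)
{ (void)c; (void)ch; (void)ypos; (void)xpos; }
static void vgacon_putcs(struct vc_data *c, const unsigned short *s,
			 int count, int ypos, int xpos)
{ (void)c; (void)s; (void)count; (void)ypos; (void)xpos; }

/* Hypothetical function an attacker wants to reach via a corrupted pointer. */
static void privileged_op(void) { }

/* Attempts four indirect calls; returns how many the check lets through. */
int run_cfi_model(void)
{
	cfi_count = 0;
	cfi_register(CFI_KEY(vgacon_dummy), "int(struct vc_data*)");
	cfi_register(CFI_KEY(vgacon_putc), PROTO_PUTC);
	cfi_register(CFI_KEY(vgacon_putcs), PROTO_PUTCS);
	cfi_register(CFI_KEY(privileged_op), "void(void)");

	struct consw_model before = { .con_putc = DUMMY, .con_putcs = DUMMY };
	struct consw_model after = { .con_putc = vgacon_putc,
				     .con_putcs = vgacon_putcs };
	struct vc_data vc = { 25, 80 };            /* constructed input */
	const unsigned short text[] = { 'o', 'k' }; /* constructed input */
	int allowed = 0;

	/* Before the patch: a real function, but recorded as
	 * int(struct vc_data*), so the call is refused. */
	if (cfi_call_ok(CFI_KEY(before.con_putcs), PROTO_PUTCS)) {
		allowed++;
		before.con_putcs(&vc, text, 2, 0, 0);
	}
	/* After the patch: prototypes match, both calls go through. */
	if (cfi_call_ok(CFI_KEY(after.con_putcs), PROTO_PUTCS)) {
		allowed++;
		after.con_putcs(&vc, text, 2, 0, 0);
	}
	if (cfi_call_ok(CFI_KEY(after.con_putc), PROTO_PUTC)) {
		allowed++;
		after.con_putc(&vc, 'o', 0, 0);
	}
	/* Corrupted pointer: a valid function with the wrong prototype, refused. */
	after.con_putc = (void (*)(struct vc_data *, int, int, int))CFI_KEY(privileged_op);
	if (cfi_call_ok(CFI_KEY(after.con_putc), PROTO_PUTC)) {
		allowed++;
		after.con_putc(&vc, 0, 0, 0);
	}
	return allowed;
}

int main(void)
{
	printf("indirect calls allowed by the CFI model: %d of 4\n", run_cfi_model());
	return 0;
}
```

The model makes the commit message's point concrete: the `DUMMY` table entry is a legitimate kernel function at a legitimate address, so address-based checks would pass it, and only the prototype mismatch rejects it. Once the stubs carry the exact prototype, the same check passes and the compiler, no longer silenced by `(void *)`, also verifies the initializer, which is exactly what surfaces a leftover mismatch as a build error.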
diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c index a17ba1465815..f00b630f6839 100644 --- a/drivers/video/console/vgacon.c +++ b/drivers/video/console/vgacon.c @@ -1407,21 +1407,29 @@ static bool vgacon_scroll(struct vc_data *c, unsigned int t, unsigned int b, * The console `switch' structure for the VGA based console */ -static int vgacon_dummy(struct vc_data *c) +static int vgacon_clear(struct vc_data *c) { return 0; } -#define DUMMY (void *) vgacon_dummy +static void vgacon_putc(struct vc_data *c, int a, int b, int d) +{ + return; +} + +static void vgacon_putcs(struct vc_data *c, ushort *s, int a, int b, int d) +{ + return; +} const struct consw vga_con = { .owner = THIS_MODULE, .con_startup = vgacon_startup, .con_init = vgacon_init, .con_deinit = vgacon_deinit, - .con_clear = DUMMY, - .con_putc = DUMMY, - .con_putcs = DUMMY, + .con_clear = vgacon_clear, + .con_putc = vgacon_putc, + .con_putcs = vgacon_putcs, .con_cursor = vgacon_cursor, .con_scroll = vgacon_scroll, .con_switch = vgacon_switch,
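Review bot: the new `vgacon_putcs` stub still does not match the `con_putcs` member it is assigned to, as Greg's build log in the thread shows (`drivers/video/console/vgacon.c:1432:15: error: initialization from incompatible pointer type` at `.con_putcs = vgacon_putcs,`), so the patch cannot be merged as posted. Since the whole point of dropping `#define DUMMY (void *) vgacon_dummy` is that the compiler now checks every initializer against the `struct consw` member type, each stub's parameter list should be copied verbatim from the member declaration in include/linux/console.h rather than approximated: in particular check whether the member's pointer argument is `const`-qualified, because `ushort *s` will not match a `const` pointer, and verify in the same way that `vgacon_clear`, which keeps the old `int (struct vc_data *c)` shape of `vgacon_dummy` instead of taking `con_clear`'s parameters, really matches its member. Build-test with -Werror=incompatible-pointer-types on the tree the series targets (the thread also shows the patch does not apply to the tty tree) before resubmitting. Two minor points: the bare `return;` in the void stubs is redundant, and naming the parameters after their meaning in the callback rather than `a`, `b`, `d` makes the match easy to eyeball.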