Message ID | 20221102163252.49175-1-nathan@kernel.org (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | [1/3] s390/ctcm: Fix return type of ctc{mp,}m_tx() | expand |
Context | Check | Description |
---|---|---|
netdev/tree_selection | success | Not a local patch |
On Wed, Nov 02, 2022 at 09:32:50AM -0700, Nathan Chancellor wrote: > With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), > indirect call targets are validated against the expected function > pointer prototype to make sure the call target is valid to help mitigate > ROP attacks. If they are not identical, there is a failure at run time, > which manifests as either a kernel panic or thread getting killed. A > proposed warning in clang aims to catch these at compile time, which > reveals: > > drivers/s390/net/ctcm_main.c:1064:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] > .ndo_start_xmit = ctcm_tx, > ^~~~~~~ > drivers/s390/net/ctcm_main.c:1072:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] > .ndo_start_xmit = ctcmpc_tx, > ^~~~~~~~~ > > ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of > 'netdev_tx_t', not 'int'. Adjust the return type of ctc{mp,}m_tx() to > match the prototype's to resolve the warning and potential CFI failure, > should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. > > Link: https://github.com/ClangBuiltLinux/linux/issues/1750 > Signed-off-by: Nathan Chancellor <nathan@kernel.org> Reviewed-by: Kees Cook <keescook@chromium.org>
Hi Nathan, On Wed, Nov 02, 2022 at 09:32:50AM -0700, Nathan Chancellor wrote: > should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. Yes, s390 should select that :) But, is there any switch or option I need to set when compiling clang, so it knows about the kcfi sanitizer? I get: clang-16: error: unsupported option '-fsanitize=kcfi' for target 's390x-ibm-linux' > clang --version clang version 16.0.0 (https://github.com/llvm/llvm-project.git e02110e2ab4dd71b276e887483f0e6e286d243ed)
Hi Heiko, On Wed, Nov 02, 2022 at 08:48:42PM +0100, Heiko Carstens wrote: > On Wed, Nov 02, 2022 at 09:32:50AM -0700, Nathan Chancellor wrote: > > should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. > > Yes, s390 should select that :) > > But, is there any switch or option I need to set when compiling clang, > so it knows about the kcfi sanitizer? > > I get: > clang-16: error: unsupported option '-fsanitize=kcfi' for target 's390x-ibm-linux' > > > clang --version > clang version 16.0.0 (https://github.com/llvm/llvm-project.git e02110e2ab4dd71b276e887483f0e6e286d243ed) No, kCFI is currently implemented in a target specific manner and Sami only added AArch64 and X86 support in the initial change: https://github.com/llvm/llvm-project/commit/cff5bef948c91e4919de8a5fb9765e0edc13f3de He does have a generic version in progress but I assume it would not be hard for one of your LLVM folks to add the kCFI operand bundle lowering to the SystemZ backend to get access to it sooner (and it may allow for a more optimized sequence of instructions if I understand correctly?): https://reviews.llvm.org/D135411 Cheers, Nathan
On Wed, Nov 02, 2022 at 08:48:42PM +0100, Heiko Carstens wrote: > On Wed, Nov 02, 2022 at 09:32:50AM -0700, Nathan Chancellor wrote: > > should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. > > Yes, s390 should select that :) > > But, is there any switch or option I need to set when compiling clang, > so it knows about the kcfi sanitizer? > > I get: > clang-16: error: unsupported option '-fsanitize=kcfi' for target 's390x-ibm-linux' > > > clang --version > clang version 16.0.0 (https://github.com/llvm/llvm-project.git e02110e2ab4dd71b276e887483f0e6e286d243ed) You'll need the "generic arch support": https://reviews.llvm.org/D135411 which is _almost_ landed. Testing would be welcome, for sure! Sami, do you have any notes on what common things were needed to get arm64 and x86_64 booting under kCFI? My only oh-so-helpful notes are "keep CFI away from early boot code". :P
On 02.11.22 20:09, Kees Cook wrote: > On Wed, Nov 02, 2022 at 09:32:50AM -0700, Nathan Chancellor wrote: >> With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), >> indirect call targets are validated against the expected function >> pointer prototype to make sure the call target is valid to help mitigate >> ROP attacks. If they are not identical, there is a failure at run time, >> which manifests as either a kernel panic or thread getting killed. A >> proposed warning in clang aims to catch these at compile time, which >> reveals: >> >> drivers/s390/net/ctcm_main.c:1064:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] >> .ndo_start_xmit = ctcm_tx, >> ^~~~~~~ >> drivers/s390/net/ctcm_main.c:1072:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] >> .ndo_start_xmit = ctcmpc_tx, >> ^~~~~~~~~ >> >> ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of >> 'netdev_tx_t', not 'int'. Adjust the return type of ctc{mp,}m_tx() to >> match the prototype's to resolve the warning and potential CFI failure, >> should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. >> >> Link: https://github.com/ClangBuiltLinux/linux/issues/1750 >> Signed-off-by: Nathan Chancellor <nathan@kernel.org> > > Reviewed-by: Kees Cook <keescook@chromium.org> > Could you please also remove the corresponding comments: diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c index 37b551bd43bf..14200548704a 100644 --- a/drivers/s390/net/ctcm_main.c +++ b/drivers/s390/net/ctcm_main.c @@ -825,13 +825,6 @@ static int ctcmpc_transmit_skb(struct channel *ch, struct sk_buff *skb) /* * Start transmission of a packet. * Called from generic network device layer. - * - * skb Pointer to buffer containing the packet. - * dev Pointer to interface struct. - * - * returns 0 if packet consumed, !0 if packet rejected. - * Note: If we return !0, then the packet is free'd by - * the generic network layer. */ /* first merge version - leaving both functions separated */ static int ctcm_tx(struct sk_buff *skb, struct net_device *dev) Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
On Wed, Nov 2, 2022 at 1:01 PM Kees Cook <keescook@chromium.org> wrote: > > On Wed, Nov 02, 2022 at 08:48:42PM +0100, Heiko Carstens wrote: > > On Wed, Nov 02, 2022 at 09:32:50AM -0700, Nathan Chancellor wrote: > > > should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. > > > > Yes, s390 should select that :) > > > > But, is there any switch or option I need to set when compiling clang, > > so it knows about the kcfi sanitizer? > > > > I get: > > clang-16: error: unsupported option '-fsanitize=kcfi' for target 's390x-ibm-linux' > > > > > clang --version > > clang version 16.0.0 (https://github.com/llvm/llvm-project.git e02110e2ab4dd71b276e887483f0e6e286d243ed) > > You'll need the "generic arch support": https://reviews.llvm.org/D135411 > which is _almost_ landed. Testing would be welcome, for sure! > > Sami, do you have any notes on what common things were needed to get > arm64 and x86_64 booting under kCFI? My only oh-so-helpful notes are > "keep CFI away from early boot code". :P You don't need to keep CFI away from early boot code, but bringing this up in qemu+gdb initially is probably the best way forward. We also had plenty of type mismatches in syscall wrappers in the currently supported architectures, so that's another thing to watch out for once your kernel boots far enough to start init. Sami
diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c index 37b551bd43bf..4eea7d0285c1 100644 --- a/drivers/s390/net/ctcm_main.c +++ b/drivers/s390/net/ctcm_main.c @@ -834,7 +834,7 @@ static int ctcmpc_transmit_skb(struct channel *ch, struct sk_buff *skb) * the generic network layer. */ /* first merge version - leaving both functions separated */ -static int ctcm_tx(struct sk_buff *skb, struct net_device *dev) +static netdev_tx_t ctcm_tx(struct sk_buff *skb, struct net_device *dev) { struct ctcm_priv *priv = dev->ml_priv; @@ -877,7 +877,7 @@ static int ctcm_tx(struct sk_buff *skb, struct net_device *dev) } /* unmerged MPC variant of ctcm_tx */ -static int ctcmpc_tx(struct sk_buff *skb, struct net_device *dev) +static netdev_tx_t ctcmpc_tx(struct sk_buff *skb, struct net_device *dev) { int len = 0; struct ctcm_priv *priv = dev->ml_priv;
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/s390/net/ctcm_main.c:1064:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = ctcm_tx, ^~~~~~~ drivers/s390/net/ctcm_main.c:1072:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = ctcmpc_tx, ^~~~~~~~~ ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of 'netdev_tx_t', not 'int'. Adjust the return type of ctc{mp,}m_tx() to match the prototype's to resolve the warning and potential CFI failure, should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. Link: https://github.com/ClangBuiltLinux/linux/issues/1750 Signed-off-by: Nathan Chancellor <nathan@kernel.org> --- drivers/s390/net/ctcm_main.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) base-commit: 9abf2313adc1ca1b6180c508c25f22f9395cc780