2023-07-10 18:35:49 +00:00
|
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
|
/*
|
|
|
|
|
* Clang Control Flow Integrity (CFI) support.
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2023 Google LLC
|
|
|
|
|
*/
|
2023-12-15 09:12:17 +00:00
|
|
|
|
#include <linux/cfi.h>
|
2023-07-10 18:35:49 +00:00
|
|
|
|
#include <asm/insn.h>
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Returns the target address and the expected type when regs->epc points
|
|
|
|
|
* to a compiler-generated CFI trap.
|
|
|
|
|
*/
|
|
|
|
|
static bool decode_cfi_insn(struct pt_regs *regs, unsigned long *target,
|
|
|
|
|
u32 *type)
|
|
|
|
|
{
|
|
|
|
|
unsigned long *regs_ptr = (unsigned long *)regs;
|
|
|
|
|
int rs1_num;
|
|
|
|
|
u32 insn;
|
|
|
|
|
|
|
|
|
|
*target = *type = 0;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The compiler generates the following instruction sequence
|
|
|
|
|
* for indirect call checks:
|
|
|
|
|
*
|
|
|
|
|
* lw t1, -4(<reg>)
|
|
|
|
|
* lui t2, <hi20>
|
|
|
|
|
* addiw t2, t2, <lo12>
|
|
|
|
|
* beq t1, t2, .Ltmp1
|
|
|
|
|
* ebreak ; <- regs->epc
|
|
|
|
|
* .Ltmp1:
|
|
|
|
|
* jalr <reg>
|
|
|
|
|
*
|
|
|
|
|
* We can read the expected type and the target address from the
|
|
|
|
|
* registers passed to the beq/jalr instructions.
|
|
|
|
|
*/
|
|
|
|
|
if (get_kernel_nofault(insn, (void *)regs->epc - 4))
|
|
|
|
|
return false;
|
|
|
|
|
if (!riscv_insn_is_beq(insn))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
*type = (u32)regs_ptr[RV_EXTRACT_RS1_REG(insn)];
|
|
|
|
|
|
|
|
|
|
if (get_kernel_nofault(insn, (void *)regs->epc) ||
|
|
|
|
|
get_kernel_nofault(insn, (void *)regs->epc + GET_INSN_LENGTH(insn)))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
if (riscv_insn_is_jalr(insn))
|
|
|
|
|
rs1_num = RV_EXTRACT_RS1_REG(insn);
|
|
|
|
|
else if (riscv_insn_is_c_jalr(insn))
|
|
|
|
|
rs1_num = RVC_EXTRACT_C2_RS1_REG(insn);
|
|
|
|
|
else
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
*target = regs_ptr[rs1_num];
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Checks if the ebreak trap is because of a CFI failure, and handles the trap
|
|
|
|
|
* if needed. Returns a bug_trap_type value similarly to report_bug.
|
|
|
|
|
*/
|
|
|
|
|
enum bug_trap_type handle_cfi_failure(struct pt_regs *regs)
|
|
|
|
|
{
|
|
|
|
|
unsigned long target;
|
|
|
|
|
u32 type;
|
|
|
|
|
|
|
|
|
|
if (!is_cfi_trap(regs->epc))
|
|
|
|
|
return BUG_TRAP_TYPE_NONE;
|
|
|
|
|
|
|
|
|
|
if (!decode_cfi_insn(regs, &target, &type))
|
|
|
|
|
return report_cfi_failure_noaddr(regs, regs->epc);
|
|
|
|
|
|
|
|
|
|
return report_cfi_failure(regs, regs->epc, &target, type);
|
|
|
|
|
}
|
2024-03-03 17:02:07 +00:00
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_CFI_CLANG
|
|
|
|
|
struct bpf_insn;
|
|
|
|
|
|
|
|
|
|
/* Must match bpf_func_t / DEFINE_BPF_PROG_RUN() */
|
|
|
|
|
extern unsigned int __bpf_prog_runX(const void *ctx,
|
|
|
|
|
const struct bpf_insn *insn);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Force a reference to the external symbol so the compiler generates
|
|
|
|
|
* __kcfi_typid.
|
|
|
|
|
*/
|
|
|
|
|
__ADDRESSABLE(__bpf_prog_runX);
|
|
|
|
|
|
|
|
|
|
/* u32 __ro_after_init cfi_bpf_hash = __kcfi_typeid___bpf_prog_runX; */
|
|
|
|
|
asm (
|
|
|
|
|
" .pushsection .data..ro_after_init,\"aw\",@progbits \n"
|
|
|
|
|
" .type cfi_bpf_hash,@object \n"
|
|
|
|
|
" .globl cfi_bpf_hash \n"
|
|
|
|
|
" .p2align 2, 0x0 \n"
|
|
|
|
|
"cfi_bpf_hash: \n"
|
|
|
|
|
" .word __kcfi_typeid___bpf_prog_runX \n"
|
|
|
|
|
" .size cfi_bpf_hash, 4 \n"
|
|
|
|
|
" .popsection \n"
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
/* Must match bpf_callback_t */
|
|
|
|
|
extern u64 __bpf_callback_fn(u64, u64, u64, u64, u64);
|
|
|
|
|
|
|
|
|
|
__ADDRESSABLE(__bpf_callback_fn);
|
|
|
|
|
|
|
|
|
|
/* u32 __ro_after_init cfi_bpf_subprog_hash = __kcfi_typeid___bpf_callback_fn; */
|
|
|
|
|
asm (
|
|
|
|
|
" .pushsection .data..ro_after_init,\"aw\",@progbits \n"
|
|
|
|
|
" .type cfi_bpf_subprog_hash,@object \n"
|
|
|
|
|
" .globl cfi_bpf_subprog_hash \n"
|
|
|
|
|
" .p2align 2, 0x0 \n"
|
|
|
|
|
"cfi_bpf_subprog_hash: \n"
|
|
|
|
|
" .word __kcfi_typeid___bpf_callback_fn \n"
|
|
|
|
|
" .size cfi_bpf_subprog_hash, 4 \n"
|
|
|
|
|
" .popsection \n"
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
u32 cfi_get_func_hash(void *func)
|
|
|
|
|
{
|
|
|
|
|
u32 hash;
|
|
|
|
|
|
|
|
|
|
if (get_kernel_nofault(hash, func - cfi_get_offset()))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
return hash;
|
|
|
|
|
}
|
|
|
|
|
#endif
|