mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-17 22:05:08 +00:00
ff301ceb52
With CONFIG_CFI_CLANG, the compiler replaces a function address taken in C code with the address of a local jump table entry, which passes runtime indirect call checks. However, the compiler won't replace addresses taken in assembly code, which will result in a CFI failure if we later jump to such an address in instrumented C code. The code generated for the non-canonical jump table looks this: <noncanonical.cfi_jt>: /* In C, &noncanonical points here */ jmp noncanonical ... <noncanonical>: /* function body */ ... This change adds the __cficanonical attribute, which tells the compiler to use a canonical jump table for the function instead. This means the compiler will rename the actual function to <function>.cfi and points the original symbol to the jump table entry instead: <canonical>: /* jump table entry */ jmp canonical.cfi ... <canonical.cfi>: /* function body */ ... As a result, the address taken in assembly, or other non-instrumented code always points to the jump table and therefore, can be used for indirect calls in instrumented code without tripping CFI checks. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Acked-by: Bjorn Helgaas <bhelgaas@google.com> # pci.h Tested-by: Nathan Chancellor <nathan@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210408182843.1754385-3-samitolvanen@google.com
67 lines
2.2 KiB
C
67 lines
2.2 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef __LINUX_COMPILER_TYPES_H
|
|
#error "Please don't include <linux/compiler-clang.h> directly, include <linux/compiler.h> instead."
|
|
#endif
|
|
|
|
/* Compiler specific definitions for Clang compiler */
|
|
|
|
/* same as gcc, this was present in clang-2.6 so we can assume it works
|
|
* with any version that can compile the kernel
|
|
*/
|
|
#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__)
|
|
|
|
/* all clang versions usable with the kernel support KASAN ABI version 5 */
|
|
#define KASAN_ABI_VERSION 5
|
|
|
|
#if __has_feature(address_sanitizer) || __has_feature(hwaddress_sanitizer)
|
|
/* Emulate GCC's __SANITIZE_ADDRESS__ flag */
|
|
#define __SANITIZE_ADDRESS__
|
|
#define __no_sanitize_address \
|
|
__attribute__((no_sanitize("address", "hwaddress")))
|
|
#else
|
|
#define __no_sanitize_address
|
|
#endif
|
|
|
|
#if __has_feature(thread_sanitizer)
|
|
/* emulate gcc's __SANITIZE_THREAD__ flag */
|
|
#define __SANITIZE_THREAD__
|
|
#define __no_sanitize_thread \
|
|
__attribute__((no_sanitize("thread")))
|
|
#else
|
|
#define __no_sanitize_thread
|
|
#endif
|
|
|
|
#if defined(CONFIG_ARCH_USE_BUILTIN_BSWAP)
|
|
#define __HAVE_BUILTIN_BSWAP32__
|
|
#define __HAVE_BUILTIN_BSWAP64__
|
|
#define __HAVE_BUILTIN_BSWAP16__
|
|
#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */
|
|
|
|
#if __has_feature(undefined_behavior_sanitizer)
|
|
/* GCC does not have __SANITIZE_UNDEFINED__ */
|
|
#define __no_sanitize_undefined \
|
|
__attribute__((no_sanitize("undefined")))
|
|
#else
|
|
#define __no_sanitize_undefined
|
|
#endif
|
|
|
|
/*
|
|
* Not all versions of clang implement the type-generic versions
|
|
* of the builtin overflow checkers. Fortunately, clang implements
|
|
* __has_builtin allowing us to avoid awkward version
|
|
* checks. Unfortunately, we don't know which version of gcc clang
|
|
* pretends to be, so the macro may or may not be defined.
|
|
*/
|
|
#if __has_builtin(__builtin_mul_overflow) && \
|
|
__has_builtin(__builtin_add_overflow) && \
|
|
__has_builtin(__builtin_sub_overflow)
|
|
#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
|
|
#endif
|
|
|
|
#if __has_feature(shadow_call_stack)
|
|
# define __noscs __attribute__((__no_sanitize__("shadow-call-stack")))
|
|
#endif
|
|
|
|
#define __nocfi __attribute__((__no_sanitize__("cfi")))
|
|
#define __cficanonical __attribute__((__cfi_canonical_jump_table__))
|