On April 30, 2025 4:07:34 AM PDT, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote: >Hi! > >On kCFI (CONFIG_CFI_CLANG=y) builds all indirect calls should have the CFI >check on (with very few exceptions). Not having the CFI checks undermines the >protection provided by CFI and will make these sites candidates for people >wanting to steal your cookies. > >Specifically the ABI changes are so that doing indirect calls without the CFI >magic, to a CFI adorned function is not compatible (although it happens to work >for some setups, it very much does not for FineIBT). > >Rust people tripped over this the other day, since their 'core' happened to >have some no_sanitize(kcfi) bits in, which promptly exploded when ran with >FineIBT on. > >Since this is very much not a supported model -- on purpose, have objtool >detect and warn about such constructs. > >This effort [1] found all existing [2] non-cfi indirect calls in the kernel. > >Notably the KVM fastop emulation stuff -- which I've completely rewritten for >this version -- the generated code doesn't look horrific, but is slightly more >verbose. I'm running on the assumption that instruction emulation is not super >performance critical these days of zero VM-exit VMs etc. > >KVM has another; the VMX interrupt injection stuff calls the IDT handler >directly. Is there an alternative? Can we keep a table of Linux functions >slighly higher up the call stack (asm_\cfunc ?) and add CFI to those? > >HyperV hypercall page stuff, which I've previously suggested use direct calls, >and which I've now converted (after getting properly annoyed with that code). > >Also available at: > > git://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git x86/core > >Changes since v1: > > - complete rewrite of the fastop stuff > - HyperV tweaks (Michael) > - objtool changes (Josh) > > >[1] https://lkml.kernel.org/r/20250410154556.GB9003@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >[2] https://lkml.kernel.org/r/20250410194334.GA3248459@xxxxxxxxxx > We do have a table of handlers higher up in the stack in the form of the dispatch tables for FRED. They don't in general even need the assembly entry stubs, either.
