linux/arch/x86/kernel/cfi.c

// SPDX-License-Identifier: GPL-2.0
/*
 * Clang Control Flow Integrity (CFI) support.
 *
 * Copyright (C) 2022 Google LLC
 */
#include <linux/string.h>
#include <linux/cfi.h>
#include <asm/insn.h>
#include <asm/insn-eval.h>

/*
 * Returns the target address and the expected type when regs->ip points
 * to a compiler-generated CFI trap.
 */
static bool decode_cfi_insn(struct pt_regs *regs, unsigned long *target,
			    u32 *type)
{
	char buffer[MAX_INSN_SIZE];
	struct insn insn;
	int offset = 0;

	*target = *type = 0;

	/*
	 * The compiler generates the following instruction sequence
	 * for indirect call checks:
	 *
	 *   movl    -<id>, %r10d       ; 6 bytes
	 *   addl    -4(%reg), %r10d    ; 4 bytes
	 *   je      .Ltmp1             ; 2 bytes
	 *   ud2                        ; <- regs->ip
	 *   .Ltmp1:
	 *
	 * We can decode the expected type and the target address from the
	 * movl/addl instructions.
	 */
	if (copy_from_kernel_nofault(buffer, (void *)regs->ip - 12, MAX_INSN_SIZE))
		return false;
	if (insn_decode_kernel(&insn, &buffer[offset]))
		return false;
	if (insn.opcode.value != 0xBA)
		return false;

	*type = -(u32)insn.immediate.value;

	if (copy_from_kernel_nofault(buffer, (void *)regs->ip - 6, MAX_INSN_SIZE))
		return false;
	if (insn_decode_kernel(&insn, &buffer[offset]))
		return false;
	if (insn.opcode.value != 0x3)
		return false;

	/* Read the target address from the register. */
	offset = insn_get_modrm_rm_off(&insn, regs);
	if (offset < 0)
		return false;

	*target = *(unsigned long *)((void *)regs + offset);

	return true;
}

/*
 * Checks if a ud2 trap is because of a CFI failure, and handles the trap
 * if needed. Returns a bug_trap_type value similarly to report_bug.
 */
enum bug_trap_type handle_cfi_failure(struct pt_regs *regs)
{
	unsigned long target;
	u32 type;

	if (!is_cfi_trap(regs->ip))
		return BUG_TRAP_TYPE_NONE;

	if (!decode_cfi_insn(regs, &target, &type))
		return report_cfi_failure_noaddr(regs, regs->ip);

	return report_cfi_failure(regs, regs->ip, &target, type);
}

/*
 * Ensure that __kcfi_typeid_ symbols are emitted for functions that may
 * not be indirectly called with all configurations.
 */
__ADDRESSABLE(__memcpy)