Originally posted by Grinch
View Post
Announcement
Collapse
No announcement yet.
Google Posts Patches So The Linux Kernel Can Be LTO-Optimized By Clang
Collapse
X
-
-
In addition to the performance focus of LTO, the other motive for Google LTO'ing the kernel is for enabling Clang Control-Flow Integrity (CFI) in conjunction with LTO.
CFI seems to find C++ bugs https://clang.llvm.org/docs/ControlFlowIntegrity.html
None seem to apply to C code.
The kernel has no C++ code.
Comment
-
Originally posted by Hugh View PostWhy is that useful for the kernel?
CFI seems to find C++ bugs https://clang.llvm.org/docs/ControlFlowIntegrity.html
None seem to apply to C code.
The kernel has no C++ code.
The Linux kernel uses a lot of indirect function calls. That's every call through a function pointer. The entire kernel module system relies on indirect function calls.
Plus, I believe that if you compile for the right CPU types clang and GCC will use hardware support for CFI. That means that if any code jumps to a function, it has to arrive at a special marker instruction or abort the program. That makes ROP abuse hard because malware can no longer jump into the middle of a useful function.
In this post, we look at Control-Flow Integrity (CFI) protection implemented by the Clang compiler for x86_64 architecture.
Comment
-
Originally posted by Zan Lynx View Post
You missed everything under "indirect function call checking."
The Linux kernel uses a lot of indirect function calls. That's every call through a function pointer. The entire kernel module system relies on indirect function calls.
Plus, I believe that if you compile for the right CPU types clang and GCC will use hardware support for CFI. That means that if any code jumps to a function, it has to arrive at a special marker instruction or abort the program. That makes ROP abuse hard because malware can no longer jump into the middle of a useful function.
https://www.redhat.com/en/blog/fight...rity-cfi-clang
https://software.intel.com/sites/def...gy-preview.pdf
My code is almost always type-checked and type-checkable statically, including and especially function pointers. The very few exceptions are checked (by hand) very carefully. I don't know about kernel code.
Although void * can point at any object in C, a function isn't an object. The C standard doesn't really provide an equivalent for pointers to functions. Unless it was added since I last looked carefully.
Putting a marker instruction on each function's object code certainly should not require anything like LTO. Why would it not be a completely separate flag?
Double ahh: after posting I saw the URLs. So this is catching function pointers overwritten at run-time. Not bad type-punning.Last edited by Hugh; 12 July 2020, 09:23 PM.
Comment
Comment