From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper
Subject: [PATCH v2 58/70] x86/stack: CFI hardening
Date: Mon, 14 Feb 2022 12:51:15 +0000
Message-ID: <20220214125127.17985-59-andrew.cooper3@citrix.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20220214125127.17985-1-andrew.cooper3@citrix.com>
References: <20220214125127.17985-1-andrew.cooper3@citrix.com>

Control Flow Integrity schemes use toolchain and optionally hardware support to help protect against call/jump/return oriented programming attacks. Use cf_check to annotate function pointer targets for the toolchain.

The function typecheck in switch_stack_and_jump() is incompatible with control flow typechecking. It's ok for reset_stack_and_jump_ind(), but for reset_stack_and_jump(), it would force us to ENDBR64 the targets which are branched to directly.

Signed-off-by: Andrew Cooper
Acked-by: Jan Beulich
---
v2:
 * Extend reset_stack_and_jump_ind() with ({ })
---
 xen/arch/x86/domain.c                  | 6 +++---
 xen/arch/x86/hvm/svm/svm.c             | 6 +++---
 xen/arch/x86/hvm/vmx/vmcs.c            | 2 +-
 xen/arch/x86/hvm/vmx/vmx.c             | 8 ++++----
 xen/arch/x86/include/asm/current.h     | 6 ++++--
 xen/arch/x86/include/asm/hvm/vmx/vmx.h | 2 +-
 xen/arch/x86/include/asm/pv/domain.h   | 4 ++--
 xen/arch/x86/pv/domain.c               | 2 +-
 xen/arch/x86/x86_64/entry.S            | 1 +
 9 files changed, 20 insertions(+), 17 deletions(-)

diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c index ae7c88b51af1..afccc1525f8b 100644 --- a/xen/arch/x86/domain.c +++ b/xen/arch/x86/domain.c @@ -132,7 +132,7 @@ void play_dead(void) dead_idle(); } =20 -static void noreturn idle_loop(void) +static void noreturn cf_check idle_loop(void) { unsigned int cpu =3D smp_processor_id(); /* 
@@ -1790,7 +1790,7 @@ static void save_segments(struct vcpu *v) } } =20 -void paravirt_ctxt_switch_from(struct vcpu *v) +void cf_check paravirt_ctxt_switch_from(struct vcpu *v) { save_segments(v); =20 @@ -1804,7 +1804,7 @@ void paravirt_ctxt_switch_from(struct vcpu *v) write_debugreg(7, 0); } =20 -void paravirt_ctxt_switch_to(struct vcpu *v) +void cf_check paravirt_ctxt_switch_to(struct vcpu *v) { root_pgentry_t *root_pgt =3D this_cpu(root_pgt); =20 diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index dedb2848e6a1..63535a74b504 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -944,7 +944,7 @@ static inline void svm_tsc_ratio_load(struct vcpu *v) wrmsrl(MSR_AMD64_TSC_RATIO, hvm_tsc_scaling_ratio(v->domain)); } =20 -static void svm_ctxt_switch_from(struct vcpu *v) +static void cf_check svm_ctxt_switch_from(struct vcpu *v) { int cpu =3D smp_processor_id(); =20 @@ -969,7 +969,7 @@ static void svm_ctxt_switch_from(struct vcpu *v) enable_each_ist(idt_tables[cpu]); } =20 -static void svm_ctxt_switch_to(struct vcpu *v) +static void cf_check svm_ctxt_switch_to(struct vcpu *v) { struct vmcb_struct *vmcb =3D v->arch.hvm.svm.vmcb; int cpu =3D smp_processor_id(); @@ -996,7 +996,7 @@ static void svm_ctxt_switch_to(struct vcpu *v) wrmsr_tsc_aux(v->arch.msrs->tsc_aux); } =20 -static void noreturn svm_do_resume(void) +static void noreturn cf_check svm_do_resume(void) { struct vcpu *v =3D current; struct vmcb_struct *vmcb =3D v->arch.hvm.svm.vmcb; diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c index 60b506ac3f40..e1e1fa14e65e 100644 --- a/xen/arch/x86/hvm/vmx/vmcs.c +++ b/xen/arch/x86/hvm/vmx/vmcs.c @@ -1865,7 +1865,7 @@ void vmx_vmentry_failure(void) =20 void noreturn vmx_asm_do_vmentry(void); =20 -void vmx_do_resume(void) +void cf_check vmx_do_resume(void) { struct vcpu *v =3D current; bool_t debug_state; 
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index 2c4804f9b884..41db538a9e3d 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -63,8 +63,8 @@ static bool_t __initdata opt_force_ept; boolean_param("force-ept", opt_force_ept); =20 -static void vmx_ctxt_switch_from(struct vcpu *v); -static void vmx_ctxt_switch_to(struct vcpu *v); +static void cf_check vmx_ctxt_switch_from(struct vcpu *v); +static void cf_check vmx_ctxt_switch_to(struct vcpu *v); =20 static int alloc_vlapic_mapping(void); static void vmx_install_vlapic_mapping(struct vcpu *v); @@ -907,7 +907,7 @@ static void cf_check vmx_fpu_leave(struct vcpu *v) } } =20 -static void vmx_ctxt_switch_from(struct vcpu *v) +static void cf_check vmx_ctxt_switch_from(struct vcpu *v) { /* * Return early if trying to do a context switch without VMX enabled, @@ -939,7 +939,7 @@ static void vmx_ctxt_switch_from(struct vcpu *v) vmx_pi_switch_from(v); } =20 -static void vmx_ctxt_switch_to(struct vcpu *v) +static void cf_check vmx_ctxt_switch_to(struct vcpu *v) { vmx_restore_guest_msrs(v); vmx_restore_dr(v); diff --git a/xen/arch/x86/include/asm/current.h b/xen/arch/x86/include/asm/= current.h index dc0edd9ed07d..da5e152a10cc 100644 --- a/xen/arch/x86/include/asm/current.h +++ b/xen/arch/x86/include/asm/current.h @@ -173,7 +173,6 @@ unsigned long get_stack_dump_bottom (unsigned long sp); #define switch_stack_and_jump(fn, instr, constr) \ ({ \ unsigned int tmp; \ - (void)((fn) =3D=3D (void (*)(void))NULL); = \ BUILD_BUG_ON(!ssaj_has_attr_noreturn(fn)); \ __asm__ __volatile__ ( \ SHADOW_STACK_WORK \ 
@@ -198,7 +197,10 @@ unsigned long get_stack_dump_bottom (unsigned long sp); =20 /* The constraint may only specify non-call-clobbered registers. */ #define reset_stack_and_jump_ind(fn) \ - switch_stack_and_jump(fn, "INDIRECT_JMP %", "b") + ({ \ + (void)((fn) =3D=3D (void (*)(void))NULL); = \ + switch_stack_and_jump(fn, "INDIRECT_JMP %", "b"); \ + }) =20 /* * Which VCPU's state is currently running on each CPU? diff --git a/xen/arch/x86/include/asm/hvm/vmx/vmx.h b/xen/arch/x86/include/= asm/hvm/vmx/vmx.h index 5284fe931f62..c2ebdd6864a5 100644 --- a/xen/arch/x86/include/asm/hvm/vmx/vmx.h +++ b/xen/arch/x86/include/asm/hvm/vmx/vmx.h @@ -93,7 +93,7 @@ typedef enum { =20 void vmx_asm_vmexit_handler(struct cpu_user_regs); void vmx_intr_assist(void); -void noreturn vmx_do_resume(void); +void noreturn cf_check vmx_do_resume(void); void vmx_vlapic_msr_changed(struct vcpu *v); struct hvm_emulate_ctxt; void vmx_realmode_emulate_one(struct hvm_emulate_ctxt *hvmemul_ctxt); diff --git a/xen/arch/x86/include/asm/pv/domain.h b/xen/arch/x86/include/as= m/pv/domain.h index 6b16da9d187b..924508bbb4f0 100644 --- a/xen/arch/x86/include/asm/pv/domain.h +++ b/xen/arch/x86/include/asm/pv/domain.h @@ -118,8 +118,8 @@ static inline void pv_set_reg(struct vcpu *v, unsigned = int reg, uint64_t val) =20 #endif /* CONFIG_PV */ =20 -void paravirt_ctxt_switch_from(struct vcpu *v); -void paravirt_ctxt_switch_to(struct vcpu *v); +void cf_check paravirt_ctxt_switch_from(struct vcpu *v); +void cf_check paravirt_ctxt_switch_to(struct vcpu *v); =20 #endif /* __X86_PV_DOMAIN_H__ */ =20 diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c index 55146c15c853..f94f28c8e271 100644 --- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -351,7 +351,7 @@ void pv_domain_destroy(struct domain *d) FREE_XENHEAP_PAGE(d->arch.pv.gdt_ldt_l1tab); } =20 -void noreturn continue_pv_domain(void); +void noreturn cf_check continue_pv_domain(void); =20 int pv_domain_initialise(struct domain *d) { 
diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 3eaf0e67b2b9..8494b97a54a2 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -625,6 +625,7 @@ ENTRY(dom_crash_sync_extable) /* No special register assumptions. */ #ifdef CONFIG_PV ENTRY(continue_pv_domain) + ENDBR64 call check_wakeup_from_wait ret_from_intr: GET_CURRENT(bx) --=20 2.11.0
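Review bot: in the current.h hunks the `(void)((fn) == (void (*)(void))NULL);` check leaves switch_stack_and_jump() and reappears only inside the new `({ })` block of reset_stack_and_jump_ind(), so the direct reset_stack_and_jump() path now keeps only `BUILD_BUG_ON(!ssaj_has_attr_noreturn(fn));` and no longer verifies the target's prototype at all. The reason (the typecheck would force ENDBR64 onto targets that are branched to directly) lives only in the commit message; a one-line comment above `#define reset_stack_and_jump_ind(fn)` saying why the prototype check is done here and not in the generic macro would spare the next reader a trip through git blame.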
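Review bot: the vmcs.c hunk changes the definition to `void cf_check vmx_do_resume(void)` while the vmx.h hunk declares it `void noreturn cf_check vmx_do_resume(void);`, so after this patch `noreturn` is present on the prototype only and `cf_check` on both. That compiles because vmcs.c sees the prior declaration, but attribute lists that differ between declaration and definition are easy to misread when auditing which functions are indirect-branch targets; consider carrying `noreturn` on the definition as well, matching `static void noreturn cf_check svm_do_resume(void)` in the svm.c hunk.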
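Review bot: the pv/domain.c hunk adds `cf_check` to the local prototype `void noreturn cf_check continue_pv_domain(void);`, but the symbol is defined in assembly, so the attribute changes nothing about the emitted code; the `ENDBR64` added under `ENTRY(continue_pv_domain)` in the entry.S hunk is what actually makes the label a valid indirect-branch target. The two have to be kept in sync by hand, so a comment beside the `ENDBR64` (or beside the C prototype) stating that the other side relies on it would make the dependency explicit. Since the prototype sits in a .c file rather than a header, moving it into asm/pv/domain.h next to the paravirt_ctxt_switch_* prototypes touched in this same patch would also give it a single declaration site. While there, it is worth confirming that the fall-through label `ret_from_intr:` just below is only ever reached by direct jumps and fall-through, so that no second `ENDBR64` is needed there.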