Message-ID: <b16030c7-9ae3-8847-b75c-007e7519ece6@darkkirb.de>
Date: Tue, 29 Dec 2020 12:59:12 +0100
From: Charlotte Delenk <darkkirb@...kkirb.de>
To: musl@...ts.openwall.com
Subject: [PATCH 2/2] Add support for LLVM's Control Flow Integrity

Control Flow Integrity is a sanitization option found in clang which
attempts to prevent exploits and bugs that divert the control flow to an
unintended path. For more information about it, refer to clang's
documentation[1].

While there are many different schemes currently implemented, the only
one that is enabled for C code is the cfi-icall scheme, which attempts
to prevent indirect calls to functions with the wrong type. In most of
musl's code this works without issues; however, there are a few cases
where it does not work, or at least won't work without breaking a
considerable number of applications.

This patch works by disabling CFI sanitization for these files:

ldso/dlstart.c
ldso/dynlink.c
src/env/__libc_start_main.c
src/exit/exit.c

These contain indirect function calls where the compiler is either
unable to find out the type of the function or where the actual function
type can be one of multiple equally valid ones.

I have checked all of the places with indirect function calls using the
output of Fangrui's clang tidy patch and only found the aforementioned
functions.

How to test: In addition to the -fsanitize=cfi flag, you also need to
pass -flto=thin and -fvisibility=default (or hidden in a static build).
The application has to be compiled and linked with the same flags as
well. You might need to set the environment variables AR=llvm-ar and
RANLIB=llvm-ranlib for musl or the software you are compiling.

[1]: https://clang.llvm.org/docs/ControlFlowIntegrity.html

Special thanks to Fangrui Song <i@...kray.me>

This patch depends on the previous patch labelled "Fix LTO shared
library build on GCC and Clang"

---
  Makefile | 8 ++++++++
  1 file changed, 8 insertions(+)

diff --git a/Makefile b/Makefile
index 15190fb9..9d937b21 100644
--- a/Makefile
+++ b/Makefile
@@ -134,6 +134,14 @@ $(LOBJS) $(LDSO_OBJS): CFLAGS_ALL += -fPIC
  # Work around LTO compiler bugs
  lib/libc.so: CFLAGS_ALL += -u_dlstart_c -u__dls2 -u__dls2b -u__dls3 
-u__stack_chk_guard -u_start_c

+# Disable CFI for problematic source files
+ifneq (,$(findstring cfi,$(filter -fsanitize=%,$(CFLAGS))))
+obj/ldso/dlstart.lo: CFLAGS_ALL += -fno-sanitize=cfi
+obj/ldso/dynlink.lo: CFLAGS_ALL += -fno-sanitize=cfi
+obj/src/env/__libc_start_main.lo: CFLAGS_ALL += -fno-sanitize=cfi
+obj/src/exit/exit.lo: CFLAGS_ALL += -fno-sanitize=cfi
+endif
+
  CC_CMD = $(CC) $(CFLAGS_ALL) -c -o $@ $<

  # Choose invocation of assembler to be used
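Review bot: The four overrides only touch the `.lo` (shared-library) objects, so if the static `.o` objects built from the same four sources are compiled with `-fsanitize=cfi` as well, they keep the indirect calls the commit message says cannot be typed; since the message explicitly covers the static build (`-fvisibility=hidden`), the same `-fno-sanitize=cfi` should probably also be added for `obj/src/env/__libc_start_main.o` and `obj/src/exit/exit.o`. Relatedly, the `ifneq` guard inspects `$(CFLAGS)` alone; if the sanitizer flag can arrive through another variable that feeds `CFLAGS_ALL`, the guard silently misses it, so testing the combined flags (or dropping the guard, since `-fno-sanitize=cfi` is harmless when CFI is off) would be more robust. Finally, the comment `# Disable CFI for problematic source files` should say why (indirect calls whose callee type is ambiguous, per the commit message), so the next person touching this block knows what must be re-checked before removing an entry.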
-- 
2.29.2

