Linux kCFI/FineIBT Weaknesses Addressed Through Rewriting Some Meeting In C

Forward of the Linux 6.5-rc2 leave the following day there was once a suite of x86/x86_64 kernel adjustments merged in a single day to do business in with some weaknesses within the kernel’s Keep an eye on Current Integrity (kCFI) / FineIBT (Oblique Area Monitoring) code.

Going again to the Linux 6.1 days there was the kernel Keep an eye on Current Integrity code in excellent condition instead to prior CFI code. Since Linux 6.2 has additionally been FineIBT as an spare CFI scheme that makes use of the compiler-provided kCFI paired with {hardware} Keep an eye on-Current Integrity offered via Intel’s Oblique Area Monitoring.

Those efforts are to thwart control-flow hijacking assaults at the kernel however lately some weaknesses had been found out within the kernel’s code. Merged in a single day is fresh code to do business in with the ones weaknesses and a part of resolving the weaknesses are rewriting probably the most Meeting code into C.

Safety problem solving via a tiny much less hand-written Meeting within the kernel.

Intel engineer Peter Zijlstra summed up within the snatch request:

The principle computer virus Alyssa spotted was once that with FineIBT enabled serve as prologues have a spurious ENDBR instruction:



subl $hash, %r10d

jz 1f





endbr64 <— *sadface*

Because of this any oblique name that fails to focus on the __cfi image and rather objectives (the familiar used) foo+0, will be successful because of that 2d ENDBR.

Solving this manage to the invention of a unmarried oblique name that was once nonetheless doing this: ret_from_fork(), since that’s an meeting stub the compiler would now not generate the right kind kCFI oblique name charm and it might now not get patched.

Brian got here up with probably the most complete healing — convert the item to C with just a very slim asm wrapper. This guarantees the kernel tale boostrap is a right kind kCFI name.

Hour discussing all this, Kees famous that kCFI hashes may just/will have to be poisoned to seal all purposes whose deal with is rarely taken, additional proscribing the legitimate kCFI objectives — similar to we already do for IBT.

So what was once a ‘easy’ remark and healing cascaded into a number of inter-related CFI infrastructure healings.

That code has been merged forward of Linux 6.5-rc2 and because it supplies healings it will have to finally end up getting back-ported to the hot kernel solid form too.

Leave a Comment