On Mon, Mar 07, 2022 at 07:16:36AM -0800, Dan Li wrote:
The following code seems to work fine under clang/gcc, x86_64/aarch64 (also tested in lkdtm_CFI_BACKWARD_SHADOW):
#include <stdio.h>
static __attribute__((noinline)) void set_return_addr(unsigned long *expected, unsigned long *addr) { /* Use of volatile is to make sure final write isn't seen as a dead store. */ unsigned long * volatile *ret_addr = (unsigned long **)__builtin_frame_address(0) + 1;
/* Make sure we've found the right place on the stack before writing it. */ if(*ret_addr == expected) *ret_addr = (addr);}
static volatile int force_label;
int main(void) { void *array[] = {0, &&normal, &&redirected};
if (force_label) { /* Call it with a NULL to avoid parameters being treated as constants in -02. */ set_return_addr(NULL, NULL); goto * array[force_label]; }
Hah! I like that. :) I had a weird switch statement that was working for me; this is cleaner.
do { set_return_addr(&&normal, &&redirected);normal: printf("I should be skipped\n"); break;
redirected: printf("Redirected\n");
} while (0); return 0;}
But currently it still crashes when I try to enable "-mbranch-protection=pac-ret+leaf+bti".
Because the address of "&&redirected" is not encrypted under pac, the autiasp check will fail when set_return_addr returns, and eventually cause the function to crash when it returns to "&&redirected" ("&&redirected" as a reserved label always seems to start with a bti j insn).
Strictly speaking, this is entirely correct. :)
For lkdtm, if we're going to handle both cases in one function, maybe it would be better to turn off the -mbranch-protection=pac-ret+leaf+bti and maybe also turn off -O2 options for the function :)
If we can apply a function attribute to turn off pac for the "does this work without protections", that should be sufficient.