This patch series makes it possible to use Rust together with the shadow call stack sanitizer. The first patch is intended to be backported to ensure that people don't try to use SCS with Rust on older kernel versions. The second patch makes it possible to use Rust with the shadow call stack sanitizer.
The second patch in this series doesn't make sense without [1], though it doesn't break the build if [1] is missing.
Link: https://lore.kernel.org/rust-for-linux/20240701183625.665574-12-ojeda@kernel... [1]
Signed-off-by: Alice Ryhl aliceryhl@google.com
---
Changes in v3:
- Use -Zfixed-x18.
- Add logic to reject unsupported rustc versions.
- Also include a fix to be backported.
- Link to v2: https://lore.kernel.org/rust-for-linux/20240305-shadow-call-stack-v2-1-c7b4a...
Changes in v2:
- Add -Cforce-unwind-tables flag.
- Link to v1: https://lore.kernel.org/rust-for-linux/20240304-shadow-call-stack-v1-1-f055e...
---
Alice Ryhl (2):
      rust: SHADOW_CALL_STACK is incompatible with Rust
      rust: add flags for shadow call stack sanitizer
 Makefile            | 1 +
 arch/Kconfig        | 1 +
 arch/arm64/Makefile | 3 +++
 3 files changed, 5 insertions(+)
---
base-commit: 83b1e6e4170cf96b2a7c49070dd43749649f454e
change-id: 20240304-shadow-call-stack-9c197a4361d9
Best regards,
When using the shadow call stack sanitizer, all code must be compiled with the -ffixed-x18 flag, but this flag is not currently being passed to Rust. This results in crashes that are extremely difficult to debug.
To ensure that nobody else has to go through the same debugging session that I had to, prevent configurations that enable both SHADOW_CALL_STACK and RUST.
It is rather common for people to backport 724a75ac9542 ("arm64: rust: Enable Rust support for AArch64"), so I recommend applying this fix all the way back to 6.1.
Cc: stable@vger.kernel.org # 6.1 and later
Fixes: 724a75ac9542 ("arm64: rust: Enable Rust support for AArch64")
Signed-off-by: Alice Ryhl aliceryhl@google.com
---
 arch/Kconfig | 1 +
 1 file changed, 1 insertion(+)
diff --git a/arch/Kconfig b/arch/Kconfig index 975dd22a2dbd..238448a9cb71 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -690,6 +690,7 @@ config SHADOW_CALL_STACK bool "Shadow Call Stack" depends on ARCH_SUPPORTS_SHADOW_CALL_STACK depends on DYNAMIC_FTRACE_WITH_ARGS || DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER + depends on !RUST depends on MMU help This option enables the compiler's Shadow Call Stack, which
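Review bot: the added `depends on !RUST` under `config SHADOW_CALL_STACK` removes a hardening option whenever Rust is enabled, and nothing in the entry says why. Since the reason given in the commit message is that -ffixed-x18 is not passed to Rust, a one-line comment above the dependency would help whoever later lifts it. It is also worth considering the reverse direction, a dependency on the RUST side, so that turning Rust on cannot change an existing shadow call stack setting.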
On Thu, Jul 04, 2024 at 03:07:57PM +0000, Alice Ryhl wrote:
> When using the shadow call stack sanitizer, all code must be compiled with the -ffixed-x18 flag, but this flag is not currently being passed to Rust. This results in crashes that are extremely difficult to debug.
> To ensure that nobody else has to go through the same debugging session that I had to, prevent configurations that enable both SHADOW_CALL_STACK and RUST.
> It is rather common for people to backport 724a75ac9542 ("arm64: rust: Enable Rust support for AArch64"), so I recommend applying this fix all the way back to 6.1.
> Cc: stable@vger.kernel.org # 6.1 and later
> Fixes: 724a75ac9542 ("arm64: rust: Enable Rust support for AArch64")
> Signed-off-by: Alice Ryhl aliceryhl@google.com
Would it be better to move this to arch/arm64/Kconfig?
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 167e51067508..080907776db9 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -90,7 +90,7 @@ config ARM64 select ARCH_SUPPORTS_DEBUG_PAGEALLOC select ARCH_SUPPORTS_HUGETLBFS select ARCH_SUPPORTS_MEMORY_FAILURE - select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK + select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK && !RUST select ARCH_SUPPORTS_LTO_CLANG if CPU_LITTLE_ENDIAN select ARCH_SUPPORTS_LTO_CLANG_THIN select ARCH_SUPPORTS_CFI_CLANG
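Review bot: on the changed `select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK && !RUST` line, enabling Rust still switches shadow call stack off on arm64, but now from a select condition that is easy to miss when reading `config SHADOW_CALL_STACK` itself. A comment next to the select naming the reason (Rust code is not built with the x18 reservation) would keep it discoverable and make clear when the `&& !RUST` part can be dropped again.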
RISC-V probably needs the same change, which further leads me to believe that this workaround should be architecture specific, as they may be fixed and enabled at different rates.
diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index 6b4d71aa9bed..4d89afdd385d 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -213,6 +213,7 @@ config HAVE_SHADOW_CALL_STACK def_bool $(cc-option,-fsanitize=shadow-call-stack) # https://github.com/riscv-non-isa/riscv-elf-psabi-doc/commit/a484e843e6eeb51f... depends on $(ld-option,--no-relax-gp) + depends on !RUST
config RISCV_USE_LINKER_RELAXATION def_bool y
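Review bot: the new `depends on !RUST` under `config HAVE_SHADOW_CALL_STACK` has no comment giving its reason, unlike the `--no-relax-gp` dependency directly above it, which links to its rationale. The message introduces it with "probably needs the same change", so the need on RISC-V should be confirmed before the line goes in; if it is needed, add a comment in the same style as the one above.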
>  arch/Kconfig | 1 +
>  1 file changed, 1 insertion(+)
diff --git a/arch/Kconfig b/arch/Kconfig index 975dd22a2dbd..238448a9cb71 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -690,6 +690,7 @@ config SHADOW_CALL_STACK bool "Shadow Call Stack" depends on ARCH_SUPPORTS_SHADOW_CALL_STACK depends on DYNAMIC_FTRACE_WITH_ARGS || DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
- depends on !RUST depends on MMU help This option enables the compiler's Shadow Call Stack, which
-- 2.45.2.803.g4e1b14247a-goog
On Thu, Jul 4, 2024 at 6:45 PM Nathan Chancellor nathan@kernel.org wrote:
> On Thu, Jul 04, 2024 at 03:07:57PM +0000, Alice Ryhl wrote:
> > When using the shadow call stack sanitizer, all code must be compiled with the -ffixed-x18 flag, but this flag is not currently being passed to Rust. This results in crashes that are extremely difficult to debug.
> > To ensure that nobody else has to go through the same debugging session that I had to, prevent configurations that enable both SHADOW_CALL_STACK and RUST.
> > It is rather common for people to backport 724a75ac9542 ("arm64: rust: Enable Rust support for AArch64"), so I recommend applying this fix all the way back to 6.1.
> > Cc: stable@vger.kernel.org # 6.1 and later
> > Fixes: 724a75ac9542 ("arm64: rust: Enable Rust support for AArch64")
> > Signed-off-by: Alice Ryhl aliceryhl@google.com
> Would it be better to move this to arch/arm64/Kconfig?
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 167e51067508..080907776db9 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -90,7 +90,7 @@ config ARM64 select ARCH_SUPPORTS_DEBUG_PAGEALLOC select ARCH_SUPPORTS_HUGETLBFS select ARCH_SUPPORTS_MEMORY_FAILURE
select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK
select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK && !RUST select ARCH_SUPPORTS_LTO_CLANG if CPU_LITTLE_ENDIAN select ARCH_SUPPORTS_LTO_CLANG_THIN select ARCH_SUPPORTS_CFI_CLANG
> RISC-V probably needs the same change, which further leads me to believe that this workaround should be architecture specific, as they may be fixed and enabled at different rates.
diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index 6b4d71aa9bed..4d89afdd385d 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -213,6 +213,7 @@ config HAVE_SHADOW_CALL_STACK def_bool $(cc-option,-fsanitize=shadow-call-stack) # https://github.com/riscv-non-isa/riscv-elf-psabi-doc/commit/a484e843e6eeb51f... depends on $(ld-option,--no-relax-gp)
depends on !RUST
config RISCV_USE_LINKER_RELAXATION def_bool y
Thanks for taking a look. For now, I went with placing the `depends on` in CONFIG_RUST as suggested by the others. This avoids cases where enabling Rust results in changes to how mitigations are configured.
As for riscv, it doesn't need any special flags. Please see the commit message for more details on riscv support.
https://lore.kernel.org/all/20240729-shadow-call-stack-v4-0-2a664b082ea4@goo...
Alice
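A check for the configuration combination this thread is about, as an added example that is not part of any message or of the kernel tree: it reads a kernel `.config` on stdin and flags arm64 builds that enable both CONFIG_SHADOW_CALL_STACK and CONFIG_RUST, so that the tree can be checked for the x18 flag being passed to rustc. The function names, the verdict strings and the sample configs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a kernel .config (read on stdin)
# for shadow call stack combined with Rust on arm64.

# is_y SYMBOL: true when the config text in $CFG contains CONFIG_SYMBOL=y.
# "# CONFIG_X is not set" and a missing symbol both count as disabled.
is_y() {
    grep -qx "CONFIG_$1=y" <<EOF
$CFG
EOF
}

# scs_rust_verdict: prints "review" or "ok" (verdict names are assumptions).
scs_rust_verdict() {
    CFG=$(cat)
    if is_y SHADOW_CALL_STACK && is_y RUST && is_y ARM64; then
        # arm64 needs x18 reserved in all code, Rust included: confirm the
        # tree passes the fixed-x18 flag to rustc before trusting this build.
        echo review
    else
        # Per the thread, riscv needs no special flags for this combination.
        echo ok
    fi
}

# Constructed sample configs, not taken from any real build.
sample_arm64_both() {
    printf '%s\n' 'CONFIG_ARM64=y' 'CONFIG_SHADOW_CALL_STACK=y' 'CONFIG_RUST=y'
}
sample_arm64_scs_only() {
    printf '%s\n' 'CONFIG_ARM64=y' 'CONFIG_SHADOW_CALL_STACK=y' \
        '# CONFIG_RUST is not set'
}
sample_riscv_both() {
    printf '%s\n' 'CONFIG_RISCV=y' 'CONFIG_SHADOW_CALL_STACK=y' 'CONFIG_RUST=y'
}

if [ "$#" -gt 0 ]; then
    # Real use: pass one or more .config paths as arguments.
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(scs_rust_verdict < "$f")"
    done
else
    for s in sample_arm64_both sample_arm64_scs_only sample_riscv_both; do
        printf '%s: %s\n' "$s" "$("$s" | scs_rust_verdict)"
    done
fi
```

A "review" verdict does not by itself mean the build is broken: the `.config` cannot show whether the tree already carries the rustc flag change from the second patch of the series.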
linux-stable-mirror@lists.linaro.org