Bug 1470264 (cfi-icall) - Resolve CFI icall errors
Status: NEW (open). Opened 6 years ago, updated 2 years ago.
Categories: Core :: Security, enhancement, P3
People: Reporter: tjr, Unassigned
References: Depends on 3 open bugs, Blocks 2 open bugs
Attachments: 4 files, 2 obsolete files
Attached is a file that contains sorted and uniq-ed runtime icall errors. We need to clean these up.
Bug 1468382 tracks removing -fsanitize-cfi-icall-generalize-pointers which currently silences ~70 startup lines (which are _not_ included in the attached log).
Bug 1465863 tracks fixing _in the correct way_ dynamically resolved cross-DSO calls. These errors _are_ included in the attached log.
So to close out this bug we have the following options for each icall error we generate:
1: Allow it through without protection using the CFI blacklist (generally going to be our best option for third party code)
2: Allow it through using __attribute__((no_sanitize("cfi-icall"))) (this is ugly, better to use the blacklist)
3: If it's a dynamically-resolved cross-DSO call, develop a solution in/for Bug 1465863 and use it (this will be our preferred solution for Mozilla code, but as a stopgap we may choose to do Option 1 temporarily)
4: Fix whatever strange and potentially incorrect behavior we're doing (If it's Mozilla code and #3 doesn't apply, #4 should.)
I believe the majority of our issues here are going to be dynamically resolved cross-DSO in third party code and we'll use Option 1.
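As an added illustration of the three outcomes the options above sort the log into, here is a small C model of what an instrumented indirect call site checks; it is constructed for this page and is not code from the bug's patches or from clang (whose real cfi-icall check uses LTO-generated type-id bit vectors, not a string table). The names `twice`, `legacy`, `third_party`, `cfi_check` and `checked_call` are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model only: clang's real cfi-icall check uses LTO-generated
   type-id bit vectors, not a string table. All names here are assumptions. */
typedef int (*int_fn)(int);

enum cfi_result { CFI_OK, CFI_TYPE_MISMATCH, CFI_UNKNOWN_TARGET, CFI_EXEMPT };

/* "Type table" of instrumented functions and the prototype each was compiled
   with. Functions from uninstrumented (third-party / other-DSO) code are absent. */
struct cfi_entry { void (*fn)(void); const char *type_id; };

static int  twice(int v)       { return 2 * v; }   /* correct prototype */
static long legacy(long v)     { return v + 1; }   /* wrong prototype: option 4 territory */
static int  third_party(int v) { return v - 1; }   /* uninstrumented: option 1 / 3 territory */

static const struct cfi_entry table[] = {
  { (void (*)(void))twice,  "int(int)" },
  { (void (*)(void))legacy, "long(long)" },
};

/* What an instrumented call site checks before dispatching. `exempt` stands
   for a site covered by the blacklist or by no_sanitize("cfi-icall"). */
enum cfi_result cfi_check(void (*target)(void), const char *expected, int exempt) {
  if (exempt) return CFI_EXEMPT;
  for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
    if (table[i].fn == target)
      return strcmp(table[i].type_id, expected) == 0 ? CFI_OK : CFI_TYPE_MISMATCH;
  return CFI_UNKNOWN_TARGET;   /* cross-DSO target: the case bug 1465863 covers */
}

/* Checked indirect call through an int(int) pointer; returns -1 where real
   cfi-icall would abort (or, in recover mode, log one of the icall errors). */
int checked_call(int_fn fn, int v, int exempt) {
  enum cfi_result r = cfi_check((void (*)(void))fn, "int(int)", exempt);
  if (r == CFI_OK || r == CFI_EXEMPT) return fn(v);
  return -1;
}

int main(void) {
  printf("twice:       %d\n", checked_call(twice, 5, 0));           /* 10 */
  printf("legacy:      %d\n", checked_call((int_fn)legacy, 5, 0));  /* -1, type mismatch */
  printf("third_party: %d\n", checked_call(third_party, 5, 0));     /* -1, unknown target */
  printf("exempted:    %d\n", checked_call(third_party, 5, 1));     /* 4, check skipped */
  return 0;
}
```

The exempted path is the trade-off behind options 1 and 2: the call goes through, but the type confusion is no longer caught.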
Updated 6 years ago (Reporter)
Alias: cfi-icall
Assignee: nobody → tom
Comments hidden (mozreview-request)
Comment 10 (Reporter, 6 years ago)
Comment 11 (Reporter, 6 years ago)
Depends on D3048
Updated 6 years ago (Reporter)
Attachment #8987190 - Attachment is obsolete: true
Updated 6 years ago (Reporter)
Attachment #8986870 - Attachment is obsolete: true
Comment 12 (Reporter, 6 years ago)
Comment 13 (Reporter, 6 years ago)
Depends on D3246
Updated 5 years ago (Reporter)
Assignee: tom → nobody
Type: defect → enhancement
Priority: -- → P3
Updated 2 years ago
Severity: normal → S3
Comment 14 (2 years ago)
The following patches are waiting for review from an inactive reviewer:
ID | Title | Author | Reviewer Status |
---|---|---|---|
D3048 | Bug 1470264 Enable cfi-icall on the LTO build r=Alex_Gaynor | tjr | Alex_Gaynor: Inactive |
D3049 | Bug 1470264 Switch the -lto build over to using a cfi-specific clang toolchain that is a much newer rev r=Alex_Gaynor | tjr | Alex_Gaynor: Inactive |
D3246 | Bug 1470264 Enable cfi-icall on the LTO build r=Alex_Gaynor | tjr | Alex_Gaynor: Inactive |
D3247 | Bug 1470264 Switch the -lto build over to using a cfi-specific clang toolchain that is a much newer rev r=Alex_Gaynor | tjr | Alex_Gaynor: Inactive |
:tjr, could you please find another reviewer or abandon the patch if it is no longer relevant?
For more information, please visit auto_nag documentation.
Flags: needinfo?(tom)
Updated 2 years ago (Reporter)
Flags: needinfo?(tom)