CFI: SIGILL reached via trait objects #106547

maurer · 2023-01-06T23:14:17Z

I tried this code:

struct T;
trait TT {
    fn foo(&self);
}

impl TT for T {
    fn foo(&self) {
        println!("foo");
    }
}

fn main() {
    let x = T;
    let y = &x as &dyn TT;
    y.foo();
}

I expected to see this happen: "foo" should be printed and the program should exit, as in

mmaurer@curtana:~/printer$ cargo run
   Compiling printer v0.1.0 (/usr/local/google/home/mmaurer/printer)
    Finished dev [unoptimized + debuginfo] target(s) in 0.29s
     Running `target/debug/printer`
foo
mmaurer@curtana:~/printer$

Instead, this happened: "Illegal instruction" is printed as the program has received a SIGILL

mmaurer@curtana:~/printer$ RUSTFLAGS="-Zsanitizer=cfi -C lto -Cembed-bitcode=yes" cargo run
   Compiling printer v0.1.0 (/usr/local/google/home/mmaurer/printer)
    Finished dev [unoptimized + debuginfo] target(s) in 2.51s
     Running `target/debug/printer`
Illegal instruction
mmaurer@curtana:~/printer$ echo $?
132
mmaurer@curtana:~/printer$

Meta

rustc --version --verbose:

rustc 1.68.0-nightly (388538fc9 2023-01-05)
binary: rustc
commit-hash: 388538fc963e07a94e3fc3ac8948627fd2d28d29
commit-date: 2023-01-05
host: x86_64-unknown-linux-gnu
release: 1.68.0-nightly
LLVM version: 15.0.6

The text was updated successfully, but these errors were encountered:

maurer · 2023-01-06T23:14:26Z

cc @rcvalle

maurer · 2023-01-06T23:14:38Z

@rustbot claim

Ran into this while trying to enable KCFI for Linux, and found that the same bug exists in a much more simple environment with the arguably-more-stable CFI support. I'll be debugging this later today or early next week, but wanted to post this since I know the problem exists.

maurer · 2023-01-11T17:17:20Z

The core of the problem here is that the type data for T::Foo correctly wants to receive a &T, not a &dyn TT. The thunk generated at the &dyn TT based call checks T::Foo expecting &dyn TT to be legal.

clang typechecks their vtables rather than their functions for this, which I think makes sense - it doesn't require us to thunk the function, and doesn't end up with a looser-than-true piece of metadata on each call.

I'll take a crack at that next.

CFI: Fix SIGILL reached via trait objects Fix rust-lang#106547 by transforming the concrete self into a reference to a trait object before emitting type metadata identifiers for trait methods.

Fixes rust-lang#111510 and complements rust-lang#106547 by adding support for encoding type parameters and also by transforming trait objects' traits into their identities before emitting type checks.

CFI: Fix encode_ty: unexpected Param(B/#1) Fixes rust-lang#111510 and complements rust-lang#106547 by adding support for encoding type parameters and also by transforming trait objects' traits into their identities before emitting type checks.

Fixes rust-lang#111515 and complements rust-lang#106547 by adding support for encoding early bound regions and also excluding projections when transforming trait objects' traits into their identities before emitting type checks.

CFI: Fix encode_region: unexpected ReEarlyBound(0, 'a) Fixes rust-lang#111515 and complements rust-lang#106547 by adding support for encoding early bound regions and also excluding projections when transforming trait objects' traits into their identities before emitting type checks.

Fixes rust-lang#100778 and rust-lang#113366, and complements rust-lang#106547 by adding support for encoding const parameters.

…ler-errors CFI: Fix ICE: encode_const: unexpected type [usize Fixes rust-lang#100778 and rust-lang#113366, and complements rust-lang#106547 by adding support for encoding const parameters.

maurer added the C-bug Category: This is a bug. label Jan 6, 2023

rustbot assigned maurer Jan 6, 2023

rcvalle added the PG-exploit-mitigations Project group: Exploit mitigations label Apr 18, 2023

rcvalle mentioned this issue Apr 25, 2023

Tracking Issue for LLVM Control Flow Integrity (CFI) Support for Rust #89653

Open

6 tasks

rcvalle mentioned this issue May 8, 2023

CFI: Fix SIGILL reached via trait objects #111375

Merged

bors closed this as completed in 7c7b22e May 12, 2023

rcvalle mentioned this issue May 17, 2023

CFI: Fix encode_ty: unexpected Param(B/#1) #111697

Merged

rcvalle mentioned this issue May 22, 2023

CFI: Fix encode_region: unexpected ReEarlyBound(0, 'a) #111851

Merged

rcvalle mentioned this issue Jul 14, 2023

CFI: Fix ICE: encode_const: unexpected type [usize #113708

Merged

rcvalle added a commit to rcvalle/rust that referenced this issue Jul 17, 2023

CFI: Fix ICE: encode_const: unexpected type [usize

55dea62

Fixes rust-lang#100778 and rust-lang#113366, and complements rust-lang#106547 by adding support for encoding const parameters.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CFI: SIGILL reached via trait objects #106547

CFI: SIGILL reached via trait objects #106547

maurer commented Jan 6, 2023 •

edited by rustbot

Loading

maurer commented Jan 6, 2023

maurer commented Jan 6, 2023

maurer commented Jan 11, 2023

CFI: SIGILL reached via trait objects #106547

CFI: SIGILL reached via trait objects #106547

Comments

maurer commented Jan 6, 2023 • edited by rustbot Loading

Meta

maurer commented Jan 6, 2023

maurer commented Jan 6, 2023

maurer commented Jan 11, 2023

maurer commented Jan 6, 2023 •

edited by rustbot

Loading