Conversation

Replying to
Issue 1: Code uses getrandom(), which is reasonably new. The travis environment is not very up-to-date. Default is Ubuntu 16. No getrandom. Latest available is Ubuntu 18.
3
3
Issue 2: MSAN. Again the environment is old. MSAN has a issue with getrandom before version 10, no current clang easily available on travis.
1
2
Issue 3: CFI. CFI uses the gold linker, which is not installed in the clang image. Okay, no problem, we can install it, right? well. travis uses its own version of clang, not the one from ubuntu, for whatever reasons. and no gold, thus no CFI.
3
1
Replying to
Interesting! I was thinking about runtime checks / sanitizing. Sounds like CFI ramps up compiler and linker warnings or introduces additional checks? Did you try if -Wextra, -Wall, -Wpedantic combined with Werror find these bugs as well?
2
Replying to and
Clang CFI provides runtime checks for indirect calls via function pointers, C++ method pointers or C++ virtual methods. It verifies that the type used by the caller matches the callee. Only functions identified as potentially called indirectly are allowed to be called indirectly.
1
1
Replying to and
It also expands the runtime cast checks for C++. It uses link-time analysis, which is essentially whole program analysis but per executable / shared object. Cross-DSO CFI is supported but compiling as a single executable provides more precision and avoids the cross-DSO slow path.
1
Replying to and
AOSP uses CFI (and ShadowCallStack) for the Linux kernel on the Pixel 3 / 3 XL / 3a / 3a XL / 4 / 4 XL but it uses dynamic modules to reuse the kernel across multiple devices and improve boot time via async loading. Using !CONFIG_MODULES in GrapheneOS improves the CFI precision.
1
Replying to and
Type-based checks and cast checks are what will find most bugs during testing and fuzzing. It can definitely be considered a bug for a function to be indirectly called without the compiler seeing it's possible though, since it will optimize with the assumption it can't happen.
1