Issue 3: CFI. CFI uses the gold linker, which is not installed in the clang image. Okay, no problem, we can install it, right? well. travis uses its own version of clang, not the one from ubuntu, for whatever reasons. and no gold, thus no CFI.
Conversation
Replying to
yes. it can find things like function declarations that aren't quite right, see blog.fuzzing-project.org/57-Diving-into also pretty much every chrome security advisory says they found issues with cfi, I believe it's often type confusion stuff.
1
1
1
Replying to
Interesting! I was thinking about runtime checks / sanitizing. Sounds like CFI ramps up compiler and linker warnings or introduces additional checks? Did you try if -Wextra, -Wall, -Wpedantic combined with Werror find these bugs as well?
2
Clang CFI provides runtime checks for indirect calls via function pointers, C++ method pointers or C++ virtual methods. It verifies that the type used by the caller matches the callee. Only functions identified as potentially called indirectly are allowed to be called indirectly.
1
1
It also expands the runtime cast checks for C++. It uses link-time analysis, which is essentially whole program analysis but per executable / shared object. Cross-DSO CFI is supported but compiling as a single executable provides more precision and avoids the cross-DSO slow path.
1
Here's a nice example where function addresses are taken in assembly so the compiler doesn't see them and prevents indirect calls to these functions when it can perform whole program analysis due to LTO with !CONFIG_MODULES:
github.com/GrapheneOS/ker
1
AOSP uses CFI (and ShadowCallStack) for the Linux kernel on the Pixel 3 / 3 XL / 3a / 3a XL / 4 / 4 XL but it uses dynamic modules to reuse the kernel across multiple devices and improve boot time via async loading. Using !CONFIG_MODULES in GrapheneOS improves the CFI precision.
1
The type-based checks work the same either way, but having nearly everything marked as an internal function allows the compiler to figure out that most of the non-static functions never have their address taken and don't need to be included in the sets of permitted callees.
1
Type-based checks and cast checks are what will find most bugs during testing and fuzzing. It can definitely be considered a bug for a function to be indirectly called without the compiler seeing it's possible though, since it will optimize with the assumption it can't happen.
1
So github.com/GrapheneOS/ker is a bug fix even without CFI since the compiler could change those functions based on interprocedural optimization.
Usually just find mismatched types. It's undefined to call function pointers with different type than the callee so those are bugs too.