
Control-flow integrity in 5.13

Posted May 25, 2021 16:52 UTC (Tue) by marcH (subscriber, #57642)
Parent article: Control-flow integrity in 5.13

> __cfi_check(); this function receives, along with the target address, the address of the jump table matching the prototype of the called function. It will verify that the target address is, indeed, an address within the expected jump table, extract the real function address from the table, and jump to that address.

I don't understand what there is to "extract"; isn't the real/target address a __cfi_check() argument already? Or is there some indirection that I missed?



__cfi_check()

Posted May 25, 2021 16:58 UTC (Tue) by corbet (editor, #1)

The argument to __cfi_check() is an address in the jump table. Sorry if that wasn't clear.

__cfi_check()

Posted May 26, 2021 7:11 UTC (Wed) by marcH (subscriber, #57642)

Ah yes of course: much faster to check that the argument is within the given range compared to looking for some value in the whole jump table.

> Sorry if that wasn't clear.

I read again trying to understand how I got that wrong and I think it's because I assumed that the "target address" was the address of the "target function" mentioned earlier.
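
The range check discussed in this thread, as an added example that is not part of the original comments and is not kernel code: a simplified user-space model in which each jump-table slot simply stores the real function address. The names `jt_entry`, `model_cfi_check` and `checked_call` are hypothetical, and the slot-alignment test is an assumption of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*handler_fn)(int);

/* One jump-table slot; in this model it only stores the real function. */
struct jt_entry { handler_fn real; };

static int add_one(int x) { return x + 1; }
static int twice(int x)   { return x * 2; }

/* Jump table for every function with the prototype int (*)(int). */
static const struct jt_entry jt_int_int[] = { { add_one }, { twice } };
#define JT_LEN (sizeof(jt_int_int) / sizeof(jt_int_int[0]))

/* Constant-time check: is `target` a slot inside [table, table + n)?
 * On success the real function address is extracted into *out. */
static int model_cfi_check(const struct jt_entry *table, size_t n,
                           const void *target, handler_fn *out)
{
    uintptr_t base = (uintptr_t)table;
    uintptr_t addr = (uintptr_t)target;

    if (addr < base || addr - base >= n * sizeof(*table))
        return -1;                      /* outside the table's range */
    if ((addr - base) % sizeof(*table) != 0)
        return -1;                      /* inside, but not on a slot boundary */
    *out = ((const struct jt_entry *)target)->real;   /* the "extract" step */
    return 0;
}

/* Checked indirect call: callers hand over a slot address, never a raw
 * function address. Returns 0 on success, -1 if the check fails. */
static int checked_call(const void *target, int arg, int *result)
{
    handler_fn fn;

    if (model_cfi_check(jt_int_int, JT_LEN, target, &fn) != 0)
        return -1;
    *result = fn(arg);
    return 0;
}

int main(void)
{
    int r = 0;
    printf("slot 1: rc=%d r=%d\n", checked_call(&jt_int_int[1], 21, &r), r);
    printf("raw fn: rc=%d\n", checked_call((const void *)(uintptr_t)add_one, 1, &r));
    return 0;
}
```

The check costs two comparisons and a modulo regardless of table size, whereas matching a raw function address would need a search over every slot.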


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds