Ahead of the Linux 6.5-rc2 release tomorrow, a set of x86/x86_64 kernel changes was merged overnight to deal with some weaknesses in the kernel's Control Flow Integrity (kCFI) / FineIBT (Indirect Branch Tracking) code.

The kernel Control Flow Integrity (kCFI) code has been in good shape since the Linux 6.1 days as a replacement for the prior CFI code. Since Linux 6.2 there has also been FineIBT, an alternative CFI scheme that pairs the compiler-provided kCFI with the hardware control-flow integrity provided by Intel's Indirect Branch Tracking.

These efforts aim to thwart control-flow hijacking attacks on the kernel, but some weaknesses were recently discovered in the kernel's code. Merged overnight is new code to deal with those weaknesses, and part of resolving them is rewriting some of the assembly code in C.


The link for this article located at Phoronix is no longer available.