From: Ard Biesheuvel <ardb@kernel.org>
To: linux-arm-kernel@lists.infradead.org
Cc: Mark Rutland <mark.rutland@arm.com>,
Florian Fainelli <f.fainelli@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Tony Lindgren <tony@atomide.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Sasha Levin <alexander.levin@microsoft.com>,
Marc Zyngier <marc.zyngier@arm.com>,
Russell King <rmk+kernel@armlinux.org.uk>,
Marc Zyngier <maz@kernel.org>, Will Deacon <will@kernel.org>,
Ard Biesheuvel <ardb@kernel.org>
Subject: [PATCH for-stable-v4.4 19/53] arm/arm64: smccc-1.1: Handle function result as parameters
Date: Tue, 5 Nov 2019 21:58:12 +0100 [thread overview]
Message-ID: <20191105205846.1394-20-ardb@kernel.org> (raw)
In-Reply-To: <20191105205846.1394-1-ardb@kernel.org>
From: Marc Zyngier <marc.zyngier@arm.com>
[ Upstream commit 755a8bf5579d22eb5636685c516d8dede799e27b ]
If someone has the silly idea to write something along those lines:
extern u64 foo(void);
void bar(struct arm_smccc_res *res)
{
arm_smccc_1_1_smc(0xbad, foo(), res);
}
they are in for a surprise, as this gets compiled as:
0000000000000588 <bar>:
588: a9be7bfd stp x29, x30, [sp, #-32]!
58c: 910003fd mov x29, sp
590: f9000bf3 str x19, [sp, #16]
594: aa0003f3 mov x19, x0
598: aa1e03e0 mov x0, x30
59c: 94000000 bl 0 <_mcount>
5a0: 94000000 bl 0 <foo>
5a4: aa0003e1 mov x1, x0
5a8: d4000003 smc #0x0
5ac: b4000073 cbz x19, 5b8 <bar+0x30>
5b0: a9000660 stp x0, x1, [x19]
5b4: a9010e62 stp x2, x3, [x19, #16]
5b8: f9400bf3 ldr x19, [sp, #16]
5bc: a8c27bfd ldp x29, x30, [sp], #32
5c0: d65f03c0 ret
5c4: d503201f nop
The call to foo "overwrites" the x0 register for the return value,
and we end up calling the wrong secure service.
A solution is to evaluate all the parameters before assigning
anything to specific registers, leading to the expected result:
0000000000000588 <bar>:
588: a9be7bfd stp x29, x30, [sp, #-32]!
58c: 910003fd mov x29, sp
590: f9000bf3 str x19, [sp, #16]
594: aa0003f3 mov x19, x0
598: aa1e03e0 mov x0, x30
59c: 94000000 bl 0 <_mcount>
5a0: 94000000 bl 0 <foo>
5a4: aa0003e1 mov x1, x0
5a8: d28175a0 mov x0, #0xbad
5ac: d4000003 smc #0x0
5b0: b4000073 cbz x19, 5bc <bar+0x34>
5b4: a9000660 stp x0, x1, [x19]
5b8: a9010e62 stp x2, x3, [x19, #16]
5bc: f9400bf3 ldr x19, [sp, #16]
5c0: a8c27bfd ldp x29, x30, [sp], #32
5c4: d65f03c0 ret
Reported-by: Julien Grall <julien.grall@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
include/linux/arm-smccc.h | 30 +++++++++++++-------
1 file changed, 20 insertions(+), 10 deletions(-)
diff --git a/include/linux/arm-smccc.h b/include/linux/arm-smccc.h
index 642a764bcf50..14ccaea86e0e 100644
--- a/include/linux/arm-smccc.h
+++ b/include/linux/arm-smccc.h
@@ -200,41 +200,51 @@ asmlinkage void __arm_smccc_hvc(unsigned long a0, unsigned long a1,
register unsigned long r3 asm("r3")
#define __declare_arg_1(a0, a1, res) \
+ typeof(a1) __a1 = a1; \
struct arm_smccc_res *___res = res; \
register unsigned long r0 asm("r0") = (u32)a0; \
- register unsigned long r1 asm("r1") = a1; \
+ register unsigned long r1 asm("r1") = __a1; \
register unsigned long r2 asm("r2"); \
register unsigned long r3 asm("r3")
#define __declare_arg_2(a0, a1, a2, res) \
+ typeof(a1) __a1 = a1; \
+ typeof(a2) __a2 = a2; \
struct arm_smccc_res *___res = res; \
register unsigned long r0 asm("r0") = (u32)a0; \
- register unsigned long r1 asm("r1") = a1; \
- register unsigned long r2 asm("r2") = a2; \
+ register unsigned long r1 asm("r1") = __a1; \
+ register unsigned long r2 asm("r2") = __a2; \
register unsigned long r3 asm("r3")
#define __declare_arg_3(a0, a1, a2, a3, res) \
+ typeof(a1) __a1 = a1; \
+ typeof(a2) __a2 = a2; \
+ typeof(a3) __a3 = a3; \
struct arm_smccc_res *___res = res; \
register unsigned long r0 asm("r0") = (u32)a0; \
- register unsigned long r1 asm("r1") = a1; \
- register unsigned long r2 asm("r2") = a2; \
- register unsigned long r3 asm("r3") = a3
+ register unsigned long r1 asm("r1") = __a1; \
+ register unsigned long r2 asm("r2") = __a2; \
+ register unsigned long r3 asm("r3") = __a3
#define __declare_arg_4(a0, a1, a2, a3, a4, res) \
+ typeof(a4) __a4 = a4; \
__declare_arg_3(a0, a1, a2, a3, res); \
- register typeof(a4) r4 asm("r4") = a4
+ register unsigned long r4 asm("r4") = __a4
#define __declare_arg_5(a0, a1, a2, a3, a4, a5, res) \
+ typeof(a5) __a5 = a5; \
__declare_arg_4(a0, a1, a2, a3, a4, res); \
- register typeof(a5) r5 asm("r5") = a5
+ register unsigned long r5 asm("r5") = __a5
#define __declare_arg_6(a0, a1, a2, a3, a4, a5, a6, res) \
+ typeof(a6) __a6 = a6; \
__declare_arg_5(a0, a1, a2, a3, a4, a5, res); \
- register typeof(a6) r6 asm("r6") = a6
+ register unsigned long r6 asm("r6") = __a6
#define __declare_arg_7(a0, a1, a2, a3, a4, a5, a6, a7, res) \
+ typeof(a7) __a7 = a7; \
__declare_arg_6(a0, a1, a2, a3, a4, a5, a6, res); \
- register typeof(a7) r7 asm("r7") = a7
+ register unsigned long r7 asm("r7") = __a7
#define ___declare_args(count, ...) __declare_arg_ ## count(__VA_ARGS__)
#define __declare_args(count, ...) ___declare_args(count, __VA_ARGS__)
--
2.17.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-11-05 21:04 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-05 20:57 [PATCH for-stable-v4.4 00/53] ARM: spectre v1/v2 mitigations Ard Biesheuvel
2019-11-05 20:57 ` [PATCH for-stable-v4.4 01/53] ARM: 8051/1: put_user: fix possible data corruption in put_user Ard Biesheuvel
2019-11-05 20:57 ` [PATCH for-stable-v4.4 02/53] ARM: 8478/2: arm/arm64: add arm-smccc Ard Biesheuvel
2019-11-05 20:57 ` [PATCH for-stable-v4.4 03/53] ARM: 8479/2: add implementation for arm-smccc Ard Biesheuvel
2019-11-05 20:57 ` [PATCH for-stable-v4.4 04/53] ARM: 8480/2: arm64: " Ard Biesheuvel
2019-11-05 20:57 ` [PATCH for-stable-v4.4 05/53] ARM: 8481/2: drivers: psci: replace psci firmware calls Ard Biesheuvel
2019-11-05 20:57 ` [PATCH for-stable-v4.4 06/53] ARM: uaccess: remove put_user() code duplication Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 07/53] ARM: Move system register accessors to asm/cp15.h Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 08/53] arm: kernel: Add SMC structure parameter Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 09/53] firmware: qcom: scm: Fix interrupted SCM calls Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 10/53] ARM: smccc: Update HVC comment to describe new quirk parameter Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 11/53] arm/arm64: KVM: Advertise SMCCC v1.1 Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 12/53] arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 13/53] firmware/psci: Expose PSCI conduit Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 14/53] firmware/psci: Expose SMCCC version through psci_ops Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 15/53] arm/arm64: smccc: Make function identifiers an unsigned quantity Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 16/53] arm/arm64: smccc: Implement SMCCC v1.1 inline primitive Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 17/53] arm/arm64: smccc: Add SMCCC-specific return codes Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 18/53] arm/arm64: smccc-1.1: Make return values unsigned long Ard Biesheuvel
2019-11-05 20:58 ` Ard Biesheuvel [this message]
2019-11-05 20:58 ` [PATCH for-stable-v4.4 20/53] ARM: add more CPU part numbers for Cortex and Brahma B15 CPUs Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 21/53] ARM: bugs: prepare processor bug infrastructure Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 22/53] ARM: bugs: hook processor bug checking into SMP and suspend paths Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 23/53] ARM: bugs: add support for per-processor bug checking Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 24/53] ARM: spectre: add Kconfig symbol for CPUs vulnerable to Spectre Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 25/53] ARM: spectre-v2: harden branch predictor on context switches Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 26/53] ARM: spectre-v2: add Cortex A8 and A15 validation of the IBE bit Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 27/53] ARM: spectre-v2: harden user aborts in kernel space Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 28/53] ARM: spectre-v2: add firmware based hardening Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 29/53] ARM: spectre-v2: warn about incorrect context switching functions Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 30/53] ARM: spectre-v1: add speculation barrier (csdb) macros Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 31/53] ARM: spectre-v1: add array_index_mask_nospec() implementation Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 32/53] ARM: spectre-v1: fix syscall entry Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 33/53] ARM: signal: copy registers using __copy_from_user() Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 34/53] ARM: vfp: use __copy_from_user() when restoring VFP state Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 35/53] ARM: oabi-compat: copy semops using __copy_from_user() Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 36/53] ARM: use __inttype() in get_user() Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 37/53] ARM: spectre-v1: use get_user() for __get_user() Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 38/53] ARM: spectre-v1: mitigate user accesses Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 39/53] ARM: 8789/1: signal: copy registers using __copy_to_user() Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 40/53] ARM: 8791/1: vfp: use __copy_to_user() when saving VFP state Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 41/53] ARM: 8792/1: oabi-compat: copy oabi events using __copy_to_user() Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 42/53] ARM: 8793/1: signal: replace __put_user_error with __put_user Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 43/53] ARM: 8794/1: uaccess: Prevent speculative use of the current addr_limit Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 44/53] ARM: 8795/1: spectre-v1.1: use put_user() for __put_user() Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 45/53] ARM: 8796/1: spectre-v1, v1.1: provide helpers for address sanitization Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 46/53] ARM: 8810/1: vfp: Fix wrong assignement to ufp_exc Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 47/53] ARM: make lookup_processor_type() non-__init Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 48/53] ARM: split out processor lookup Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 49/53] ARM: clean up per-processor check_bugs method call Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 50/53] ARM: add PROC_VTABLE and PROC_TABLE macros Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 51/53] ARM: spectre-v2: per-CPU vtables to work around big.Little systems Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 52/53] ARM: ensure that processor vtables is not lost after boot Ard Biesheuvel
2019-11-05 20:58 ` [PATCH for-stable-v4.4 53/53] ARM: fix the cockup in the previous patch Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191105205846.1394-20-ardb@kernel.org \
--to=ardb@kernel.org \
--cc=alexander.levin@microsoft.com \
--cc=catalin.marinas@arm.com \
--cc=f.fainelli@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=marc.zyngier@arm.com \
--cc=mark.rutland@arm.com \
--cc=maz@kernel.org \
--cc=rmk+kernel@armlinux.org.uk \
--cc=tony@atomide.com \
--cc=will.deacon@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).