From: Deepak Gupta <debug@rivosinc.com>
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org,
Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>
Cc: Deepak Gupta <debug@rivosinc.com>
Subject: [PATCH v1 RFC Zisslpcfi 13/20] riscv: illegal instruction handler for cfi violations
Date: Sun, 12 Feb 2023 20:53:42 -0800 [thread overview]
Message-ID: <20230213045351.3945824-14-debug@rivosinc.com> (raw)
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>
Zisslpcfi spec proposes that cfi violations are reported as illegal
instruction exception. Following are the cases
- elp missing: An indirect jmp/call landed on instruction which is
not `lpcll`
- label mismatch: Static label embedded in instr `lpcll/lpcml/lpcul`
doesn't match with repsective label in CSR_LPLR
- sscheckra: x1 and x5 don't match.
Current changes run user code in audit mode. That means that any cfi
violation is suppressed and app is allowed to continue.
Signed-off-by: Deepak Gupta <debug@rivosinc.com>
---
arch/riscv/kernel/traps.c | 79 ++++++++++++++++++++++++++++++++++++++-
1 file changed, 77 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
index 5553b8d48ba5..a292699f4f25 100644
--- a/arch/riscv/kernel/traps.c
+++ b/arch/riscv/kernel/traps.c
@@ -97,6 +97,10 @@ static void do_trap_error(struct pt_regs *regs, int signo, int code,
/* Zisslpcfi instructions encodings */
#define SS_PUSH_POP 0x81C04073
#define SS_AMOSWAP 0x82004073
+#define SS_CHECKRA 0x8A12C073
+#define LP_C_LL 0x83004073
+#define LP_C_ML 0x86804073
+#define LP_C_UL 0x8B804073
bool is_ss_load_store_insn(unsigned long insn)
{
@@ -112,6 +116,71 @@ bool is_ss_load_store_insn(unsigned long insn)
return false;
}
+bool is_cfi_violation_insn(unsigned long insn)
+{
+ struct task_struct *task = current;
+ bool ss_exist = false, lp_exist = false;
+
+ ss_exist = arch_supports_shadow_stack();
+ lp_exist = arch_supports_indirect_br_lp_instr();
+
+ if (ss_exist && (insn == SS_CHECKRA)) {
+ pr_warn("cfi violation (sschkra): comm = %s, task = %p\n", task->comm, task);
+ return true;
+ }
+ if (lp_exist && ((insn & LP_C_LL) == LP_C_LL)) {
+ pr_warn("cfi violation (lpcll): comm = %s, task = %p\n", task->comm, task);
+ return true;
+ }
+ if (lp_exist && ((insn & LP_C_ML) == LP_C_ML)) {
+ pr_warn("cfi violation (lpcml): comm = %s, task = %p\n", task->comm, task);
+ return true;
+ }
+ if (lp_exist && ((insn & LP_C_UL) == LP_C_UL)) {
+ pr_warn("cfi violation (lpcul): comm = %s, task = %p\n", task->comm, task);
+ return true;
+ }
+
+ return false;
+}
+
+int handle_illegal_instruction(struct pt_regs *regs)
+{
+ /* stval should hold faulting opcode */
+ unsigned long insn = csr_read(stval);
+ struct thread_info *info = NULL;
+ struct task_struct *task = current;
+
+ info = current_thread_info();
+ /*
+ * If CFI enabled then following instructions leads to illegal instruction fault
+ * -- sscheckra: x1 and x5 mismatch
+ * -- ELP = 1, Any instruction other than lpcll will fault
+ * -- lpcll will fault if lower label don't match with LPLR.LL
+ * -- lpcml will fault if lower label don't match with LPLR.ML
+ * -- lpcul will fault if lower label don't match with LPLR.UL
+ */
+
+ /* If fcfi enabled and ELP = 1, suppress ELP (audit mode) and resume */
+ if (arch_supports_indirect_br_lp_instr() &&
+#ifdef CONFIG_USER_INDIRECT_BR_LP
+ info->user_cfi_state.ufcfi_en &&
+#endif
+ (regs->status & SR_ELP)) {
+ pr_warn("cfi violation (elp): comm = %s, task = %p\n", task->comm, task);
+ regs->status &= ~(SR_ELP);
+ return 0;
+ }
+ /* if faulting opcode is sscheckra/lpcll/lpcml/lpcll, advance PC and resume */
+ if (is_cfi_violation_insn(insn)) {
+ /* no compressed form for zisslpcfi instructions */
+ regs->epc += 4;
+ return 0;
+ }
+
+ return 1;
+}
+
ulong get_instruction(ulong epc)
{
ulong *epc_ptr = (ulong *) epc;
@@ -190,8 +259,14 @@ DO_ERROR_INFO(do_trap_insn_misaligned,
SIGBUS, BUS_ADRALN, "instruction address misaligned");
DO_ERROR_INFO(do_trap_insn_fault,
SIGSEGV, SEGV_ACCERR, "instruction access fault");
-DO_ERROR_INFO(do_trap_insn_illegal,
- SIGILL, ILL_ILLOPC, "illegal instruction");
+
+asmlinkage void __trap_section do_trap_insn_illegal(struct pt_regs *regs)
+{
+ if (!handle_illegal_instruction(regs))
+ return;
+ do_trap_error(regs, SIGILL, ILL_ILLOPC, regs->epc,
+ "illegal instruction");
+}
#ifdef CONFIG_USER_SHADOW_STACK
asmlinkage void __trap_section do_trap_load_fault(struct pt_regs *regs)
{
--
2.25.1
next prev parent reply other threads:[~2023-02-13 4:55 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-13 4:53 [PATCH v1 RFC Zisslpcfi 00/20] riscv control-flow integrity for U mode Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 01/20] sslp stubs: shadow stack and landing pad stubs Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 02/20] riscv: zisslpcfi enumeration Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 03/20] riscv: zisslpcfi extension csr and bit definitions Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 04/20] riscv: kernel enabling user code for shadow stack and landing pad Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 05/20] mmap : Introducing new protection "PROT_SHADOWSTACK" for mmap Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 06/20] riscv: Implementing "PROT_SHADOWSTACK" on riscv Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 07/20] elf: ELF header parsing in GNU property for cfi state Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 08/20] riscv: ELF header parsing in GNU property for riscv zisslpcfi Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 09/20] riscv mmu: riscv shadow stack page fault handling Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 10/20] riscv mmu: write protect and shadow stack Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 11/20] mmu: maybe_mkwrite updated to manufacture shadow stack PTEs Deepak Gupta
2023-02-13 12:05 ` David Hildenbrand
2023-02-13 14:37 ` Deepak Gupta
2023-02-13 14:56 ` David Hildenbrand
2023-02-13 20:01 ` Deepak Gupta
2023-02-14 12:10 ` David Hildenbrand
2023-02-14 18:27 ` Edgecombe, Rick P
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 12/20] riscv mm: manufacture shadow stack pte and is vma shadowstack Deepak Gupta
2023-02-13 4:53 ` Deepak Gupta [this message]
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 14/20] riscv: audit mode for cfi violations Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 15/20] sslp prctl: arch-agnostic prctl for shadow stack and landing pad instr Deepak Gupta
2023-05-25 17:17 ` Mark Brown
2023-06-07 20:22 ` Mark Brown
2023-10-09 21:22 ` Deepak Gupta
2023-10-10 16:17 ` Mark Brown
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 16/20] riscv: Implements sslp prctls Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 17/20] riscv ucontext: adding shadow stack pointer field in ucontext Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 18/20] riscv signal: Save and restore of shadow stack for signal Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 19/20] config: adding two new config for control flow integrity Deepak Gupta
2023-02-13 4:53 ` [PATCH v1 RFC Zisslpcfi 20/20] riscv: select config for shadow stack and landing pad instr support Deepak Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230213045351.3945824-14-debug@rivosinc.com \
--to=debug@rivosinc.com \
--cc=aou@eecs.berkeley.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox