[05/12] aarch64: fix swapcontext for BTI

Message ID 20200430174115.GA29015@arm.com
State New
Headers show
Series
  • aarch64: branch protection support
Related show

Commit Message

Szabolcs Nagy April 30, 2020, 5:41 p.m.

Comments

Florian Weimer via Libc-alpha May 7, 2020, 6:42 p.m. | #1
On 30/04/2020 14:41, Szabolcs Nagy wrote:
> From c156ff9d5e332ad17d7fa74b777e8f5466aff0a4 Mon Sep 17 00:00:00 2001

> From: Szabolcs Nagy <szabolcs.nagy@arm.com>

> Date: Wed, 1 Apr 2020 10:31:41 +0100

> Subject: [PATCH 05/12] aarch64: fix swapcontext for BTI

> 

> setcontext returns to the specified context via an indirect jump,

> so there should be a BTI j.

> 

> In case of getcontext (and all other returns_twice functions) the

> compiler adds BTI j at the call site, but swapcontext is a normal

> c call that is currently not handled specially by the compiler.

> 

> So we change swapcontext such that the saved context returns to a

> local address that has BTI j and then swapcontext returns to the

> caller via a normal RET. For this we save the original return

> address in the slot for x1 of the context because x1 need not be

> preserved by swapcontext but it is restored when the context saved

> by swapcontext is resumed.

> 

> The alternative fix (which is done on x86) would make swapcontext

> special in the compiler so BTI j is emitted at call sites, on

> x86 there is an indirect_return attribute for this, on AArch64

> we would have to use returns_twice. It was decided against because

> such fix may need user code updates: the attribute has to be added

> when swapcontext is called via a function pointer and it breaks

> always_inline functions with swapcontext.


LGTM, thanks.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>


> ---

>  sysdeps/unix/sysv/linux/aarch64/swapcontext.S | 15 +++++++++++++--

>  1 file changed, 13 insertions(+), 2 deletions(-)

> 

> diff --git a/sysdeps/unix/sysv/linux/aarch64/swapcontext.S b/sysdeps/unix/sysv/linux/aarch64/swapcontext.S

> index d30c543e6f..b60cf04c92 100644

> --- a/sysdeps/unix/sysv/linux/aarch64/swapcontext.S

> +++ b/sysdeps/unix/sysv/linux/aarch64/swapcontext.S

> @@ -28,8 +28,12 @@

>  	.text

>  ENTRY(__swapcontext)

>  	DELOUSE (0)

> -	/* Set the value returned when swapcontext() returns in this context. */

> -	str	xzr,      [x0, oX0 +  0 * SZREG]

> +	/* Set the value returned when swapcontext() returns in this context.

> +	   And set up x1 to become the return address of the caller, so we

> +	   can return there with a normal RET instead of an indirect jump.  */

> +	stp	xzr, x30, [x0, oX0 +  0 * SZREG]

> +	/* Arrange the oucp context to return to 2f.  */

> +	adr	x30, 2f

>  

>  	stp	x18, x19, [x0, oX0 + 18 * SZREG]

>  	stp	x20, x21, [x0, oX0 + 20 * SZREG]

> @@ -97,5 +101,12 @@ ENTRY(__swapcontext)

>  

>  1:

>  	b	C_SYMBOL_NAME(__syscall_error)

> +2:

> +	/* The oucp context is restored here via an indirect branch,

> +	   x1 must be restored too which has the real return address.  */

> +	BTI_J

> +	mov	x30, x1

> +	RET

>  PSEUDO_END (__swapcontext)

>  weak_alias (__swapcontext, swapcontext)

> +END_FILE

> -- 

> 2.17.1

Patch

From c156ff9d5e332ad17d7fa74b777e8f5466aff0a4 Mon Sep 17 00:00:00 2001
From: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Wed, 1 Apr 2020 10:31:41 +0100
Subject: [PATCH 05/12] aarch64: fix swapcontext for BTI

setcontext returns to the specified context via an indirect jump,
so there should be a BTI j.

In case of getcontext (and all other returns_twice functions) the
compiler adds BTI j at the call site, but swapcontext is a normal
c call that is currently not handled specially by the compiler.

So we change swapcontext such that the saved context returns to a
local address that has BTI j and then swapcontext returns to the
caller via a normal RET. For this we save the original return
address in the slot for x1 of the context because x1 need not be
preserved by swapcontext but it is restored when the context saved
by swapcontext is resumed.

The alternative fix (which is done on x86) would make swapcontext
special in the compiler so BTI j is emitted at call sites, on
x86 there is an indirect_return attribute for this, on AArch64
we would have to use returns_twice. It was decided against because
such fix may need user code updates: the attribute has to be added
when swapcontext is called via a function pointer and it breaks
always_inline functions with swapcontext.
---
 sysdeps/unix/sysv/linux/aarch64/swapcontext.S | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/sysdeps/unix/sysv/linux/aarch64/swapcontext.S b/sysdeps/unix/sysv/linux/aarch64/swapcontext.S
index d30c543e6f..b60cf04c92 100644
--- a/sysdeps/unix/sysv/linux/aarch64/swapcontext.S
+++ b/sysdeps/unix/sysv/linux/aarch64/swapcontext.S
@@ -28,8 +28,12 @@ 
 	.text
 ENTRY(__swapcontext)
 	DELOUSE (0)
-	/* Set the value returned when swapcontext() returns in this context. */
-	str	xzr,      [x0, oX0 +  0 * SZREG]
+	/* Set the value returned when swapcontext() returns in this context.
+	   And set up x1 to become the return address of the caller, so we
+	   can return there with a normal RET instead of an indirect jump.  */
+	stp	xzr, x30, [x0, oX0 +  0 * SZREG]
+	/* Arrange the oucp context to return to 2f.  */
+	adr	x30, 2f
 
 	stp	x18, x19, [x0, oX0 + 18 * SZREG]
 	stp	x20, x21, [x0, oX0 + 20 * SZREG]
@@ -97,5 +101,12 @@  ENTRY(__swapcontext)
 
 1:
 	b	C_SYMBOL_NAME(__syscall_error)
+2:
+	/* The oucp context is restored here via an indirect branch,
+	   x1 must be restored too which has the real return address.  */
+	BTI_J
+	mov	x30, x1
+	RET
 PSEUDO_END (__swapcontext)
 weak_alias (__swapcontext, swapcontext)
+END_FILE
-- 
2.17.1