[06/13] target/arm: Add v8M stack checks on exception entry

Message ID	20181002163556.10279-7-peter.maydell@linaro.org
State	Superseded
Headers	show Delivered-To: patches@linaro.org Received-SPF: pass (google.com: best guess record for domain of pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted sender) client-ip=2001:8b0:1d0::2; From: Peter Maydell <peter.maydell@linaro.org> To: qemu-arm@nongnu.org, qemu-devel@nongnu.org Cc: patches@linaro.org Subject: [PATCH 06/13] target/arm: Add v8M stack checks on exception entry Date: Tue, 2 Oct 2018 17:35:49 +0100 Message-Id: <20181002163556.10279-7-peter.maydell@linaro.org> In-Reply-To: <20181002163556.10279-1-peter.maydell@linaro.org> References: <20181002163556.10279-1-peter.maydell@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	target/arm: Implement v8M stack limit checks \| expand [00/13] target/arm: Implement v8M stack limit checks [01/13] target/arm: Define new TBFLAG for v8M stack checking [02/13] target/arm: Define new EXCP type for v8M stack overflows [03/13] target/arm: Move v7m_using_psp() to internals.h [04/13] target/arm: Add v8M stack checks on ADD/SUB/MOV of SP [05/13] target/arm: Add some comments in Thumb decode [06/13] target/arm: Add v8M stack checks on exception entry [07/13] target/arm: Add v8M stack limit checks on NS function calls [08/13] target/arm: Add v8M stack checks for LDRD/STRD (imm) [09/13] target/arm: Add v8M stack checks for Thumb2 LDM/STM [10/13] target/arm: Add v8M stack checks for T32 load/store single [11/13] target/arm: Add v8M stack checks for Thumb push/pop [12/13] target/arm: Add v8M stack checks for VLDM/VSTM [13/13] target/arm: Add v8M stack checks for MSR to SP_NS

Message ID

20181002163556.10279-7-peter.maydell@linaro.org

State

Superseded

Headers

Received-SPF: pass (google.com: best guess record for domain of
	pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted
	sender) client-ip=2001:8b0:1d0::2; 
From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-arm@nongnu.org,
	qemu-devel@nongnu.org
Cc: patches@linaro.org
Subject: [PATCH 06/13] target/arm: Add v8M stack checks on exception entry
Date: Tue,  2 Oct 2018 17:35:49 +0100
Message-Id: <20181002163556.10279-7-peter.maydell@linaro.org>
In-Reply-To: <20181002163556.10279-1-peter.maydell@linaro.org>
References: <20181002163556.10279-1-peter.maydell@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

target/arm: Implement v8M stack limit checks | expand

Commit Message

Peter Maydell Oct. 2, 2018, 4:35 p.m. UTC

Add checks for breaches of the v8M stack limit when the
stack pointer is decremented to push the exception frame
for exception entry.

Note that the exception-entry case is unique in that the
stack pointer is updated to be the limit value if the limit
is hit (per rule R_ZLZG).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---
 target/arm/helper.c | 54 ++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 46 insertions(+), 8 deletions(-)

-- 
2.19.0

Comments

Philippe Mathieu-Daudé Oct. 3, 2018, 8:58 a.m. UTC | #1

On 02/10/2018 18:35, Peter Maydell wrote:
> Add checks for breaches of the v8M stack limit when the

> stack pointer is decremented to push the exception frame

> for exception entry.

> 

> Note that the exception-entry case is unique in that the

> stack pointer is updated to be the limit value if the limit

> is hit (per rule R_ZLZG).

> 

> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>


> ---

>  target/arm/helper.c | 54 ++++++++++++++++++++++++++++++++++++++-------

>  1 file changed, 46 insertions(+), 8 deletions(-)

> 

> diff --git a/target/arm/helper.c b/target/arm/helper.c

> index ef8c244fb84..a10dff01a90 100644

> --- a/target/arm/helper.c

> +++ b/target/arm/helper.c

> @@ -6839,6 +6839,8 @@ static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,

>      uint32_t frameptr;

>      ARMMMUIdx mmu_idx;

>      bool stacked_ok;

> +    uint32_t limit;

> +    bool want_psp;

>  

>      if (dotailchain) {

>          bool mode = lr & R_V7M_EXCRET_MODE_MASK;

> @@ -6848,12 +6850,34 @@ static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,

>          mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, M_REG_S, priv);

>          frame_sp_p = get_v7m_sp_ptr(env, M_REG_S, mode,

>                                      lr & R_V7M_EXCRET_SPSEL_MASK);

> +        want_psp = mode && (lr & R_V7M_EXCRET_SPSEL_MASK);

> +        if (want_psp) {

> +            limit = env->v7m.psplim[M_REG_S];

> +        } else {

> +            limit = env->v7m.msplim[M_REG_S];

> +        }

>      } else {

>          mmu_idx = core_to_arm_mmu_idx(env, cpu_mmu_index(env, false));

>          frame_sp_p = &env->regs[13];

> +        limit = v7m_sp_limit(env);

>      }

>  

>      frameptr = *frame_sp_p - 0x28;

> +    if (frameptr < limit) {

> +        /*

> +         * Stack limit failure: set SP to the limit value, and generate

> +         * STKOF UsageFault. Stack pushes below the limit must not be

> +         * performed. It is IMPDEF whether pushes above the limit are

> +         * performed; we choose not to.

> +         */

> +        qemu_log_mask(CPU_LOG_INT,

> +                      "...STKOF during callee-saves register stacking\n");

> +        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;

> +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,

> +                                env->v7m.secure);

> +        *frame_sp_p = limit;

> +        return true;

> +    }

>  

>      /* Write as much of the stack frame as we can. A write failure may

>       * cause us to pend a derived exception.

> @@ -6877,10 +6901,7 @@ static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,

>          v7m_stack_write(cpu, frameptr + 0x24, env->regs[11], mmu_idx,

>                          ignore_faults);

>  

> -    /* Update SP regardless of whether any of the stack accesses failed.

> -     * When we implement v8M stack limit checking then this attempt to

> -     * update SP might also fail and result in a derived exception.

> -     */

> +    /* Update SP regardless of whether any of the stack accesses failed. */

>      *frame_sp_p = frameptr;

>  

>      return !stacked_ok;

> @@ -7028,6 +7049,26 @@ static bool v7m_push_stack(ARMCPU *cpu)

>  

>      frameptr -= 0x20;

>  

> +    if (arm_feature(env, ARM_FEATURE_V8)) {

> +        uint32_t limit = v7m_sp_limit(env);

> +

> +        if (frameptr < limit) {

> +            /*

> +             * Stack limit failure: set SP to the limit value, and generate

> +             * STKOF UsageFault. Stack pushes below the limit must not be

> +             * performed. It is IMPDEF whether pushes above the limit are

> +             * performed; we choose not to.

> +             */

> +            qemu_log_mask(CPU_LOG_INT,

> +                          "...STKOF during stacking\n");

> +            env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;

> +            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,

> +                                    env->v7m.secure);

> +            env->regs[13] = limit;

> +            return true;

> +        }

> +    }

> +

>      /* Write as much of the stack frame as we can. If we fail a stack

>       * write this will result in a derived exception being pended

>       * (which may be taken in preference to the one we started with

> @@ -7043,10 +7084,7 @@ static bool v7m_push_stack(ARMCPU *cpu)

>          v7m_stack_write(cpu, frameptr + 24, env->regs[15], mmu_idx, false) &&

>          v7m_stack_write(cpu, frameptr + 28, xpsr, mmu_idx, false);

>  

> -    /* Update SP regardless of whether any of the stack accesses failed.

> -     * When we implement v8M stack limit checking then this attempt to

> -     * update SP might also fail and result in a derived exception.

> -     */

> +    /* Update SP regardless of whether any of the stack accesses failed. */

>      env->regs[13] = frameptr;

>  

>      return !stacked_ok;

>

Richard Henderson Oct. 3, 2018, 8:12 p.m. UTC | #2

On 10/2/18 11:35 AM, Peter Maydell wrote:
> Add checks for breaches of the v8M stack limit when the

> stack pointer is decremented to push the exception frame

> for exception entry.

> 

> Note that the exception-entry case is unique in that the

> stack pointer is updated to be the limit value if the limit

> is hit (per rule R_ZLZG).

> 

> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

> ---

>  target/arm/helper.c | 54 ++++++++++++++++++++++++++++++++++++++-------

>  1 file changed, 46 insertions(+), 8 deletions(-)


Reviewed-by: Richard Henderson <richard.henderson@linaro.org>


r~

diff --git a/target/arm/helper.c b/target/arm/helper.c
index ef8c244fb84..a10dff01a90 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -6839,6 +6839,8 @@  static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,
     uint32_t frameptr;
     ARMMMUIdx mmu_idx;
     bool stacked_ok;
+    uint32_t limit;
+    bool want_psp;
 
     if (dotailchain) {
         bool mode = lr & R_V7M_EXCRET_MODE_MASK;
@@ -6848,12 +6850,34 @@  static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,
         mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, M_REG_S, priv);
         frame_sp_p = get_v7m_sp_ptr(env, M_REG_S, mode,
                                     lr & R_V7M_EXCRET_SPSEL_MASK);
+        want_psp = mode && (lr & R_V7M_EXCRET_SPSEL_MASK);
+        if (want_psp) {
+            limit = env->v7m.psplim[M_REG_S];
+        } else {
+            limit = env->v7m.msplim[M_REG_S];
+        }
     } else {
         mmu_idx = core_to_arm_mmu_idx(env, cpu_mmu_index(env, false));
         frame_sp_p = &env->regs[13];
+        limit = v7m_sp_limit(env);
     }
 
     frameptr = *frame_sp_p - 0x28;
+    if (frameptr < limit) {
+        /*
+         * Stack limit failure: set SP to the limit value, and generate
+         * STKOF UsageFault. Stack pushes below the limit must not be
+         * performed. It is IMPDEF whether pushes above the limit are
+         * performed; we choose not to.
+         */
+        qemu_log_mask(CPU_LOG_INT,
+                      "...STKOF during callee-saves register stacking\n");
+        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
+                                env->v7m.secure);
+        *frame_sp_p = limit;
+        return true;
+    }
 
     /* Write as much of the stack frame as we can. A write failure may
      * cause us to pend a derived exception.
@@ -6877,10 +6901,7 @@  static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,
         v7m_stack_write(cpu, frameptr + 0x24, env->regs[11], mmu_idx,
                         ignore_faults);
 
-    /* Update SP regardless of whether any of the stack accesses failed.
-     * When we implement v8M stack limit checking then this attempt to
-     * update SP might also fail and result in a derived exception.
-     */
+    /* Update SP regardless of whether any of the stack accesses failed. */
     *frame_sp_p = frameptr;
 
     return !stacked_ok;
@@ -7028,6 +7049,26 @@  static bool v7m_push_stack(ARMCPU *cpu)
 
     frameptr -= 0x20;
 
+    if (arm_feature(env, ARM_FEATURE_V8)) {
+        uint32_t limit = v7m_sp_limit(env);
+
+        if (frameptr < limit) {
+            /*
+             * Stack limit failure: set SP to the limit value, and generate
+             * STKOF UsageFault. Stack pushes below the limit must not be
+             * performed. It is IMPDEF whether pushes above the limit are
+             * performed; we choose not to.
+             */
+            qemu_log_mask(CPU_LOG_INT,
+                          "...STKOF during stacking\n");
+            env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
+                                    env->v7m.secure);
+            env->regs[13] = limit;
+            return true;
+        }
+    }
+
     /* Write as much of the stack frame as we can. If we fail a stack
      * write this will result in a derived exception being pended
      * (which may be taken in preference to the one we started with
@@ -7043,10 +7084,7 @@  static bool v7m_push_stack(ARMCPU *cpu)
         v7m_stack_write(cpu, frameptr + 24, env->regs[15], mmu_idx, false) &&
         v7m_stack_write(cpu, frameptr + 28, xpsr, mmu_idx, false);
 
-    /* Update SP regardless of whether any of the stack accesses failed.
-     * When we implement v8M stack limit checking then this attempt to
-     * update SP might also fail and result in a derived exception.
-     */
+    /* Update SP regardless of whether any of the stack accesses failed. */
     env->regs[13] = frameptr;
 
     return !stacked_ok;

[06/13] target/arm: Add v8M stack checks on exception entry

Commit Message

Comments

Patch