@@ -6,6 +6,7 @@
#include <linux/linkage.h>
SYM_FUNC_START(__efi_rt_asm_wrapper)
+ protect_return_address
stp x29, x30, [sp, #-112]!
mov x29, sp
@@ -46,9 +47,7 @@ SYM_FUNC_START(__efi_rt_asm_wrapper)
ldp x1, x2, [sp, #16]
cmp x2, x18
ldp x29, x30, [sp], #112
- b.ne 0f
- ret
-0:
+
/*
* With CONFIG_SHADOW_CALL_STACK, the kernel uses x18 to store a
* shadow stack pointer, which we need to restore before returning to
@@ -59,7 +58,10 @@ SYM_FUNC_START(__efi_rt_asm_wrapper)
#ifdef CONFIG_SHADOW_CALL_STACK
ldr_this_cpu x18, __efi_rt_asm_recover_sp + 8, x9
#endif
-
+ b.ne 0f
+ restore_return_address
+ ret
+0:
b efi_handle_corrupted_x18 // tail call
SYM_FUNC_END(__efi_rt_asm_wrapper)
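Review bot: The mismatch path at label `0:` tail-calls `efi_handle_corrupted_x18` without running `restore_return_address`, whereas the success path just above and the tail call in `__efi_rt_asm_recover` both run it after reloading x30. The macro definitions are not visible in this diff, but if a callee expects x30 in its unprotected form on entry, the one path that has already detected firmware misbehaviour hands over a return address in the wrong form. Consider `0: restore_return_address` ahead of the `b`, or hoisting the macro above `b.ne 0f` if it is known to preserve the condition flags. The `b.ne` also now consumes the flags from `cmp x2, x18` across `ldp` and the `ldr_this_cpu` expansion, so a comment such as `// NZCV from cmp x2, x18 must survive ldr_this_cpu` would guard against later edits. The body of `__efi_rt_asm_wrapper` starts outside this hunk.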
@@ -74,5 +76,7 @@ SYM_CODE_START(__efi_rt_asm_recover)
ldp x27, x28, [sp, #96]
ldp x29, x30, [sp], #112
+ restore_return_address
+
b efi_handle_runtime_exception
SYM_CODE_END(__efi_rt_asm_recover)
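Review bot: `restore_return_address` here has no matching `protect_return_address` in `__efi_rt_asm_recover`; it appears to undo the protection applied at entry to `__efi_rt_asm_wrapper`, whose 112-byte frame this code pops. That cross-function pairing deserves a comment, e.g. `// x30 was saved by __efi_rt_asm_wrapper in protected form; undo that before the tail call`. The body of `__efi_rt_asm_recover` starts outside this hunk, so the pairing is inferred from the matching frame size rather than seen directly.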
Add return address protection to the EFI runtime wrapper so that this code is less likely to be taken advantage of in ROP/JOP style attacks. Signed-off-by: Ard Biesheuvel <ardb@kernel.org> --- arch/arm64/kernel/efi-rt-wrapper.S | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)