| Message ID | 20240311-arm32-cfi-v3-9-224a0f0a45c2@linaro.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | CFI for ARM32 using LLVM | expand |
On Mon, Mar 11, 2024 at 10:15:46AM +0100, Linus Walleij wrote: > This registers a breakpoint handler for the new breakpoint type > (0x03) inserted by LLVM CLANG for CFI breakpoints. > > If we are in permissive mode, just print a backtrace and continue. > > Example with CONFIG_CFI_PERMISSIVE enabled: > > > echo CFI_FORWARD_PROTO > /sys/kernel/debug/provoke-crash/DIRECT > lkdtm: Performing direct entry CFI_FORWARD_PROTO > lkdtm: Calling matched prototype ... > lkdtm: Calling mismatched prototype ... > CFI failure at lkdtm_indirect_call+0x40/0x4c (target: 0x0; expected type: 0x00000000) > WARNING: CPU: 1 PID: 112 at lkdtm_indirect_call+0x40/0x4c > CPU: 1 PID: 112 Comm: sh Not tainted 6.8.0-rc1+ #150 > Hardware name: ARM-Versatile Express > (...) > lkdtm: FAIL: survived mismatched prototype function call! > lkdtm: Unexpected! This kernel (6.8.0-rc1+ armv7l) was built with CONFIG_CFI_CLANG=y > > As you can see the LKDTM test fails, but I expect that this would be > expected behaviour in the permissive mode. > > We are currently not implementing target and type for the CFI > breakpoint as this requires additional operand bundling compiler > extensions. > > Signed-off-by: Linus Walleij <linus.walleij@linaro.org> > --- > arch/arm/include/asm/hw_breakpoint.h | 1 + > arch/arm/kernel/hw_breakpoint.c | 30 ++++++++++++++++++++++++++++++ > 2 files changed, 31 insertions(+) > > diff --git a/arch/arm/include/asm/hw_breakpoint.h b/arch/arm/include/asm/hw_breakpoint.h > index 62358d3ca0a8..e7f9961c53b2 100644 > --- a/arch/arm/include/asm/hw_breakpoint.h > +++ b/arch/arm/include/asm/hw_breakpoint.h > @@ -84,6 +84,7 @@ static inline void decode_ctrl_reg(u32 reg, > #define ARM_DSCR_MOE(x) ((x >> 2) & 0xf) > #define ARM_ENTRY_BREAKPOINT 0x1 > #define ARM_ENTRY_ASYNC_WATCHPOINT 0x2 > +#define ARM_ENTRY_CFI_BREAKPOINT 0x3 > #define ARM_ENTRY_SYNC_WATCHPOINT 0xa > > /* DSCR monitor/halting bits. */ > diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c > index dc0fb7a81371..61a984b83bfe 100644 > --- a/arch/arm/kernel/hw_breakpoint.c > +++ b/arch/arm/kernel/hw_breakpoint.c > @@ -17,6 +17,7 @@ > #include <linux/perf_event.h> > #include <linux/hw_breakpoint.h> > #include <linux/smp.h> > +#include <linux/cfi.h> > #include <linux/cpu_pm.h> > #include <linux/coresight.h> > > @@ -903,6 +904,32 @@ static void breakpoint_handler(unsigned long unknown, struct pt_regs *regs) > watchpoint_single_step_handler(addr); > } > > +#ifdef CONFIG_CFI_CLANG > +static void hw_breakpoint_cfi_handler(struct pt_regs *regs) > +{ > + /* TODO: implementing target and type requires compiler work */ > + unsigned long target = 0; > + u32 type = 0; > + > + switch (report_cfi_failure(regs, instruction_pointer(regs), &target, type)) { > + case BUG_TRAP_TYPE_BUG: > + die("Oops - CFI", regs, 0); > + break; > + case BUG_TRAP_TYPE_WARN: > + /* Skip the breaking instruction */ > + instruction_pointer(regs) += 4; > + break; This looks much better; thanks! > + default: > + pr_crit("Unknown CFI error\n"); > + break; For something like CFI, I think it would be better to fail closed. i.e.: die("Unknown CFI error", regs, 0); > + } > +} > +#else > +static void hw_breakpoint_cfi_handler(struct pt_regs *regs) > +{ > +} > +#endif > + > /* > * Called from either the Data Abort Handler [watchpoint] or the > * Prefetch Abort Handler [breakpoint] with interrupts disabled. > @@ -932,6 +959,9 @@ static int hw_breakpoint_pending(unsigned long addr, unsigned int fsr, > case ARM_ENTRY_SYNC_WATCHPOINT: > watchpoint_handler(addr, fsr, regs); > break; > + case ARM_ENTRY_CFI_BREAKPOINT: > + hw_breakpoint_cfi_handler(regs); > + break; > default: > ret = 1; /* Unhandled fault. */ > } > > -- > 2.34.1 >
diff --git a/arch/arm/include/asm/hw_breakpoint.h b/arch/arm/include/asm/hw_breakpoint.h index 62358d3ca0a8..e7f9961c53b2 100644 --- a/arch/arm/include/asm/hw_breakpoint.h +++ b/arch/arm/include/asm/hw_breakpoint.h @@ -84,6 +84,7 @@ static inline void decode_ctrl_reg(u32 reg, #define ARM_DSCR_MOE(x) ((x >> 2) & 0xf) #define ARM_ENTRY_BREAKPOINT 0x1 #define ARM_ENTRY_ASYNC_WATCHPOINT 0x2 +#define ARM_ENTRY_CFI_BREAKPOINT 0x3 #define ARM_ENTRY_SYNC_WATCHPOINT 0xa /* DSCR monitor/halting bits. */ diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c index dc0fb7a81371..61a984b83bfe 100644 --- a/arch/arm/kernel/hw_breakpoint.c +++ b/arch/arm/kernel/hw_breakpoint.c @@ -17,6 +17,7 @@ #include <linux/perf_event.h> #include <linux/hw_breakpoint.h> #include <linux/smp.h> +#include <linux/cfi.h> #include <linux/cpu_pm.h> #include <linux/coresight.h> @@ -903,6 +904,32 @@ static void breakpoint_handler(unsigned long unknown, struct pt_regs *regs) watchpoint_single_step_handler(addr); } +#ifdef CONFIG_CFI_CLANG +static void hw_breakpoint_cfi_handler(struct pt_regs *regs) +{ + /* TODO: implementing target and type requires compiler work */ + unsigned long target = 0; + u32 type = 0; + + switch (report_cfi_failure(regs, instruction_pointer(regs), &target, type)) { + case BUG_TRAP_TYPE_BUG: + die("Oops - CFI", regs, 0); + break; + case BUG_TRAP_TYPE_WARN: + /* Skip the breaking instruction */ + instruction_pointer(regs) += 4; + break; + default: + pr_crit("Unknown CFI error\n"); + break; + } +} +#else +static void hw_breakpoint_cfi_handler(struct pt_regs *regs) +{ +} +#endif + /* * Called from either the Data Abort Handler [watchpoint] or the * Prefetch Abort Handler [breakpoint] with interrupts disabled. @@ -932,6 +959,9 @@ static int hw_breakpoint_pending(unsigned long addr, unsigned int fsr, case ARM_ENTRY_SYNC_WATCHPOINT: watchpoint_handler(addr, fsr, regs); break; + case ARM_ENTRY_CFI_BREAKPOINT: + hw_breakpoint_cfi_handler(regs); + break; default: ret = 1; /* Unhandled fault. */ }