// SPDX-License-Identifier: GPL-2.0
/*
 * Clang Control Flow Integrity (CFI) support.
 *
 * Copyright (C) 2023 Google LLC
 */
#include <asm/cfi.h>
#include <asm/insn.h>

/*
 * Returns the target address and the expected type when regs->epc points
 * to a compiler-generated CFI trap.
 */
/*
 * Extracts the source register of the indirect call that a CFI check guards.
 * Handles both the 32-bit jalr and the compressed c.jalr encoding; returns
 * false (leaving *rs1 untouched) when insn is neither.
 */
static bool cfi_call_rs1(u32 insn, int *rs1)
{
	if (riscv_insn_is_jalr(insn)) {
		*rs1 = RV_EXTRACT_RS1_REG(insn);
		return true;
	}
	if (riscv_insn_is_c_jalr(insn)) {
		*rs1 = RVC_EXTRACT_C2_RS1_REG(insn);
		return true;
	}
	return false;
}

/*
 * Recovers the call target and the expected type hash of the indirect call
 * whose CFI check trapped at regs->epc.
 *
 * @regs:   trap frame; regs->epc must point at the ebreak of a CFI check
 * @target: receives the address the guarded call was about to jump to
 * @type:   receives the type hash the compiler expected at that target
 *
 * Returns true when both values were decoded. Returns false, with *target
 * and *type zeroed, when the instructions around epc cannot be read or do
 * not form the expected check sequence; the caller then reports the failure
 * without an address.
 */
static bool decode_cfi_insn(struct pt_regs *regs, unsigned long *target,
			    u32 *type)
{
	/*
	 * General-purpose registers are fetched by indexing pt_regs as an
	 * array with the decoded register number. This relies on the pt_regs
	 * layout in asm/ptrace.h (epc followed by x1..x31 in register order),
	 * and the number comes from a 5-bit instruction field, so the index
	 * never exceeds 31 and stays within the register slots.
	 */
	const unsigned long *xreg = (const unsigned long *)regs;
	unsigned long pc = regs->epc;
	u32 insn, ebreak;
	int call_rs1;

	*target = 0;
	*type = 0;

	/*
	 * Expected code shape around the trap:
	 *
	 *   lw      t1, -4(<reg>)      ; type hash stored just before target
	 *   lui     t2, <hi20>
	 *   addiw   t2, t2, <lo12>     ; t2 = expected type hash
	 *   beq     t1, t2, .Ltmp1
	 *   ebreak                     ; <- pc
	 *   .Ltmp1:
	 *   jalr    <reg>
	 *
	 * Both values of interest are still live in the registers named by
	 * the beq (expected type) and the jalr (target), so they are taken
	 * from the trap frame rather than re-derived from memory.
	 */

	/* The beq immediately precedes the ebreak and is a 4-byte encoding. */
	if (get_kernel_nofault(insn, (void *)(pc - 4)))
		return false;
	if (!riscv_insn_is_beq(insn))
		return false;

	*type = (u32)xreg[RV_EXTRACT_RS1_REG(insn)];

	/*
	 * The ebreak itself may be a compressed encoding, so read it first to
	 * learn its length and only then fetch the instruction after it.
	 */
	if (get_kernel_nofault(ebreak, (void *)pc))
		return false;
	if (get_kernel_nofault(insn, (void *)(pc + GET_INSN_LENGTH(ebreak))))
		return false;

	if (!cfi_call_rs1(insn, &call_rs1))
		return false;

	*target = xreg[call_rs1];

	return true;
}

/*
 * Checks whether the ebreak trap was raised by a CFI failure, and handles the
 * trap if so. Returns a bug_trap_type value, similarly to report_bug.
 */
/*
 * Entry point from the ebreak trap handler.
 *
 * @regs: trap frame of the faulting ebreak
 *
 * Returns BUG_TRAP_TYPE_NONE when regs->epc is not a CFI trap site, so the
 * caller can fall through to its other ebreak handling. Otherwise the
 * failure is reported, with the decoded target and expected type when the
 * surrounding instructions can be read, and the report's verdict is
 * returned.
 */
enum bug_trap_type handle_cfi_failure(struct pt_regs *regs)
{
	unsigned long pc = regs->epc;
	unsigned long target;
	u32 type;

	/* is_cfi_trap() decides whether pc is a compiler-emitted CFI trap. */
	if (!is_cfi_trap(pc))
		return BUG_TRAP_TYPE_NONE;

	if (decode_cfi_insn(regs, &target, &type))
		return report_cfi_failure(regs, pc, &target, type);

	/*
	 * Still a CFI trap, but the code around it is not the expected check
	 * sequence (or is unreadable): report without target/type details.
	 */
	return report_cfi_failure_noaddr(regs, pc);
}