arch: arm: userspace: set PSPLIM to guard default stack in SVCall

Thread will be in privileged mode after returning from SCVall. It will use the default (user) stack before switching to the privileged stack to execute the system call. We need to protect the user stack against stack overflows until this stack transition. We update the note in z_arm_do_syscall(), stating clearly that it executing with stack protection when building with stack limit checking support (ARMv8-M only). Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2020-02-12 15:35:20 +01:00 · 2020-02-12 15:35:20 +01:00 · f00dfce891
commit f00dfce891
parent a5ecd71163
2 changed files with 18 additions and 3 deletions
--- a/arch/arm/core/aarch32/swap_helper.S
+++ b/arch/arm/core/aarch32/swap_helper.S
@ -549,6 +549,16 @@ valid_syscall_id:
     */
    isb

+#if defined(CONFIG_BUILTIN_STACK_GUARD)
+    /* Thread is now in privileged mode; after returning from SCVall it
+     * will use the default (user) stack before switching to the privileged
+     * stack to execute the system call. We need to protect the user stack
+     * against stack overflows until this stack transition.
+     */
+    ldr r1, [r0, #_thread_offset_to_stack_info_start]    /* stack_info.start */
+    msr PSPLIM, r1
+#endif /* CONFIG_BUILTIN_STACK_GUARD */
+
    /* return from SVC to the modified LR - z_arm_do_syscall */
    bx lr
 #endif /* CONFIG_USERSPACE */
--- a/arch/arm/core/aarch32/userspace.S
+++ b/arch/arm/core/aarch32/userspace.S
@ -250,13 +250,18 @@ SECTION_FUNC(TEXT,z_arm_userspace_enter)
 */
 SECTION_FUNC(TEXT, z_arm_do_syscall)

-    /* The function is executing in privileged mode. This implies that we
+    /* Note [when using MPU-based stack guarding]:
+     * The function is executing in privileged mode. This implies that we
     * shall not be allowed to use the thread's default unprivileged stack,
     * (i.e push to or pop from it), to avoid a possible stack corruption.
     *
-     * Rationale: since we execute in PRIV mode and no MPU guard or PSPLIM
-     * register is guarding the end of the default stack, we won't be able
+     * Rationale: since we execute in PRIV mode and no MPU guard
+     * is guarding the end of the default stack, we won't be able
     * to detect any stack overflows.
+     *
+     * Note [when using built-in stack limit checking on ARMv8-M]:
+     * At this point PSPLIM is already configured to guard the default (user)
+     * stack, so pushing to the default thread's stack is safe.
     */

 #if defined(CONFIG_BUILTIN_STACK_GUARD)