arch: arm: userspace: set PSPLIM to guard default stack in SVCall

Thread will be in privileged mode after returning from SCVall. It
will use the default (user) stack before switching to the privileged
stack to execute the system call. We need to protect the user stack
against stack overflows until this stack transition. We update the
note in z_arm_do_syscall(), stating clearly that it executing with
stack protection when building with stack limit checking support
(ARMv8-M only).

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit is contained in:
Ioannis Glaropoulos 2020-02-12 15:35:20 +01:00 committed by Andrew Boie
commit f00dfce891
2 changed files with 18 additions and 3 deletions

View file

@ -549,6 +549,16 @@ valid_syscall_id:
*/
isb
#if defined(CONFIG_BUILTIN_STACK_GUARD)
/* Thread is now in privileged mode; after returning from SCVall it
* will use the default (user) stack before switching to the privileged
* stack to execute the system call. We need to protect the user stack
* against stack overflows until this stack transition.
*/
ldr r1, [r0, #_thread_offset_to_stack_info_start] /* stack_info.start */
msr PSPLIM, r1
#endif /* CONFIG_BUILTIN_STACK_GUARD */
/* return from SVC to the modified LR - z_arm_do_syscall */
bx lr
#endif /* CONFIG_USERSPACE */

View file

@ -250,13 +250,18 @@ SECTION_FUNC(TEXT,z_arm_userspace_enter)
*/
SECTION_FUNC(TEXT, z_arm_do_syscall)
/* The function is executing in privileged mode. This implies that we
/* Note [when using MPU-based stack guarding]:
* The function is executing in privileged mode. This implies that we
* shall not be allowed to use the thread's default unprivileged stack,
* (i.e push to or pop from it), to avoid a possible stack corruption.
*
* Rationale: since we execute in PRIV mode and no MPU guard or PSPLIM
* register is guarding the end of the default stack, we won't be able
* Rationale: since we execute in PRIV mode and no MPU guard
* is guarding the end of the default stack, we won't be able
* to detect any stack overflows.
*
* Note [when using built-in stack limit checking on ARMv8-M]:
* At this point PSPLIM is already configured to guard the default (user)
* stack, so pushing to the default thread's stack is safe.
*/
#if defined(CONFIG_BUILTIN_STACK_GUARD)