As luck would have it, the TSS for the main IA task has
all the information we need, so we populate an exception stack
frame with it.
The double-fault handler just stashes data and makes the main
hardware thread runnable again, and processing of the
exception continues from there.
We check the first byte before the faulting ESP value to see
if the stack pointer had run up to a non-present page, a sign
that this is a stack overflow and not a double fault for
some other reason.
Stack overflows in kernel mode are now recoverable for non-
essential threads, with the caveat that we hope we weren't in
a critical section updating kernel data structures when it
happened.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Historically, stacks were just character buffers and could be treated
as such if the user wanted to look inside the stack data, and also
declared as an array of the desired stack size.
This is no longer the case. Certain architectures will create a memory
region much larger to account for MPU/MMU guard pages. Unfortunately,
the kernel interfaces treat both the declared stack, and the valid
stack buffer within it as the same char * data type, even though these
absolutely cannot be used interchangeably.
We introduce an opaque k_thread_stack_t which gets instantiated by
K_THREAD_STACK_DECLARE(); this is no longer treated by the compiler
as a character pointer, even though it really is.
To access the real stack buffer within, the result of
K_THREAD_STACK_BUFFER() can be used, which will return a char * type.
This should catch a bunch of programming mistakes at build time:
- Declaring a character array outside of K_THREAD_STACK_DECLARE() and
passing it to K_THREAD_CREATE
- Directly examining the stack created by K_THREAD_STACK_DECLARE()
which is not actually the memory desired and may trigger a CPU
exception
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
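To illustrate the opaque-stack idea in the commit above, here is an added example (not Zephyr's own implementation) that shows the pattern in plain C: a distinct element type declared by a K_THREAD_STACK_DECLARE() stand-in, a region that is larger than requested because a guard area precedes the usable buffer, and a K_THREAD_STACK_BUFFER() stand-in as the only sanctioned way to obtain a char * to the real stack. The guard size, alignment, fill pattern and the demo_* helpers are assumptions made for this example; on a real target the guard is an MPU/MMU page that is not mapped at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative sizes only (assumptions for this example). */
#define STACK_GUARD_SIZE 32u
#define STACK_ALIGN      32u

/*
 * Opaque stack element. An array of these is what gets declared; the
 * compiler treats it as a distinct type, so a plain char[] passed where
 * a k_thread_stack_t * is expected is an incompatible-pointer-type
 * diagnostic (an error under -Werror) rather than a silent bug.
 */
typedef struct {
    unsigned char data[STACK_ALIGN];
} __attribute__((aligned(STACK_ALIGN))) k_thread_stack_t;

/* Number of elements needed to hold the guard plus `size` usable bytes. */
#define K_THREAD_STACK_LEN(size) \
    ((STACK_GUARD_SIZE + (size) + STACK_ALIGN - 1u) / STACK_ALIGN)

/* Declares the whole region: guard first, then the usable buffer. */
#define K_THREAD_STACK_DECLARE(sym, size) \
    k_thread_stack_t sym[K_THREAD_STACK_LEN(size)]

/* The only sanctioned way to get a char * to the real stack buffer. */
#define K_THREAD_STACK_BUFFER(sym) ((char *)(sym) + STACK_GUARD_SIZE)

/* Usable bytes, i.e. the declared region minus the guard. */
#define K_THREAD_STACK_SIZEOF(sym) (sizeof(sym) - STACK_GUARD_SIZE)

#define STACK_FILL 0xAAu

/*
 * Stand-in for a thread-create call: accepts only the opaque type. It
 * fills the usable buffer with a known pattern (a stack-usage watermark)
 * and never touches the guard, which on real hardware is not mapped.
 */
int demo_thread_create(k_thread_stack_t *stack, size_t usable_size)
{
    if (stack == NULL || usable_size == 0) {
        return -1;
    }
    memset(K_THREAD_STACK_BUFFER(stack), STACK_FILL, usable_size);
    return 0;
}

/* Constructed stack for the checks below: 1000 bytes requested. */
K_THREAD_STACK_DECLARE(demo_stack, 1000);

/* Usable size after rounding the region up to the alignment. */
size_t demo_usable_size(void)
{
    return K_THREAD_STACK_SIZEOF(demo_stack);
}

/* 1 if the buffer starts right after the guard and the region is aligned. */
int demo_buffer_layout_ok(void)
{
    uintptr_t base = (uintptr_t)demo_stack;
    uintptr_t buf = (uintptr_t)K_THREAD_STACK_BUFFER(demo_stack);

    return (buf == base + STACK_GUARD_SIZE) && (base % STACK_ALIGN == 0);
}

/* Creates the thread stack and reports whether the guard stayed untouched. */
int demo_create_and_check(void)
{
    const unsigned char *guard = (const unsigned char *)demo_stack;
    const unsigned char *buf =
        (const unsigned char *)K_THREAD_STACK_BUFFER(demo_stack);
    size_t i;

    if (demo_thread_create(demo_stack, demo_usable_size()) != 0) {
        return 0;
    }
    for (i = 0; i < STACK_GUARD_SIZE; i++) {
        if (guard[i] != 0) {
            return 0;   /* guard was written: layout bug */
        }
    }
    return buf[0] == STACK_FILL && buf[demo_usable_size() - 1] == STACK_FILL;
}
```

With 1000 bytes requested the region rounds up to 33 elements of 32 bytes, so 1024 bytes are usable behind a 32-byte guard. Declaring `char my_stack[1000]` and passing it to demo_thread_create() is rejected by the compiler, which is the whole point of the opaque type.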
Change the common "init with 0" + "give" idiom to "init with 1". This
won't change the behavior or performance, but should decrease the size
ever so slightly.
This change has been performed mechanically with the following
Coccinelle script:
@@
expression SEM;
expression LIMIT;
expression TIMEOUT;
@@
- k_sem_init(SEM, 0, LIMIT);
- k_sem_give(SEM);
+ k_sem_init(SEM, 1, LIMIT);
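Review bot: the metavariable `expression TIMEOUT;` in the header is never used in the rule and can be dropped. The rewrite is also only behaviour-preserving where LIMIT is at least 1 at every matched site, since `k_sem_init(SEM, 1, LIMIT)` asks for an initial count of 1 against that limit; the script matches only the adjacent `k_sem_init`/`k_sem_give` pair, which is correct, but it is worth confirming no matched site passes a zero LIMIT.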
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Show that this mechanism can detect stack overflows with the
guard page. We only do it once since we are in an alternate
IA HW task after it happens.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
As there is no suffix to represent a literal as unsigned short,
it is typecast. This is a fix for Jira ZEP-2156.
Signed-off-by: Savinay Dharmappa <savinay.dharmappa@intel.com>
The IA32 MMU has no concept of a "no execute" flag; this is
unfortunately only implemented in x86_64.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Upcoming memory protection features will be placing some additional
constraints on kernel objects:
- They need to reside in memory owned by the kernel and not the
application
- Certain kernel object validation schemes will require some run-time
initialization of all kernel objects before they can be used.
Per Ben these initializer macros were never intended to be public. It is
not forbidden to use them, but doing so requires care: the memory being
initialized must reside in kernel space, and extra runtime
initialization steps may need to be performed before they are fully
usable as kernel objects. In particular, kernel subsystems or drivers
whose objects are already in kernel memory may still need to use these
macros if they define kernel objects as members of a larger data
structure.
It is intended that application developers instead use the
K_<object>_DEFINE macros, which will automatically put the object in the
right memory and add them to a section which can be iterated over at
boot to complete initialization.
There was no K_WORK_DEFINE() macro for creating struct k_work objects;
this is now added.
k_poll_event and k_poll_signal are intended to be instantiated from
application memory and have not been changed.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Fix build issues caused by commit fe882f407d,
which missed camel case conversion of _TimestampOpen, _TimestampRead,
and _TimestampClose.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Camel case names for functions and variables in tests have been
replaced.
The following warnings have been fixed in test cases as well.
- line over 80 characters
- Macros with flow control statements should be avoided
- Macros with complex values should be enclosed in parentheses
- break quoted strings at a space character
- do not add new typedefs
- Comparisons should place the constant on the right
side of the test
- suspect code indent for conditional statements
- Missing a blank line after declarations
- macros should not use a trailing semicolon
- Macros with multiple statements should be
enclosed in a do - while loop
- do not use C99 // comments
JIRA: ZEP-2249
Signed-off-by: Punit Vara <punit.vara@intel.com>
Where possible, replace the use of filter with newly added keywords.
This will speed things up and in some cases add more coverage due to bad
filters.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
commit d859295be9 ("tests: protection: convert to testcase.yaml")
removed testcase.ini but did not add an equivalent testcase.yaml.
Add it.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add a self-protection test suite with a set of tests
to check whether one can overwrite read-only data
and text, and whether one can execute from data,
stack, or heap buffers. These tests are modeled after
a subset of the lkdtm tests in the Linux kernel.
These tests have twice caught bugs in the Zephyr NXP MPU
driver, once during initial testing/review of the code
(in its earliest forms on gerrit, reported to the original
author there) and most recently the regression introduced
by commit bacbea6e21 ("arm: nxp: mpu: Rework handling
of region descriptor 0"), which was fixed by
commit a8aa9d4f3dbbe8 ("arm: nxp: mpu: Fix region descriptor
0 attributes") after being reported.
This is intended to be a testsuite of self-protection features
rather than just a test of MPU functionality. It is envisioned
that these tests will be expanded to cover a wider range of
protection features beyond just memory protection, and the
current tests are independent of any particular enforcement
mechanism (e.g. MPU, MMU, or other).
The tests are intended to be cross-platform, and have been
built and run on both x86- and ARM-based boards. The tests
currently fail on x86-based boards, but this is an accurate
reflection of current protections and should change as MMU
support arrives.
The tests leverage the ztest framework, making them suitable
for incorporation into automated regression testing for Zephyr.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
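As an added example of the kind of check the self-protection suite above performs (this is not the Zephyr test code or the lkdtm tests it is modeled after), the following user-space C program probes whether a write to read-only data and to code is blocked, with a writable data buffer as a control. It assumes a POSIX host where a protection violation is delivered as SIGSEGV or SIGBUS and uses sigsetjmp/siglongjmp to recover from the fault, so that each probe returns a result instead of killing the process; the target symbols and test_* names are constructed for this example. The execute-from-data/stack/heap probes in the page's suite are not shown, since they need architecture-specific instruction bytes.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>

/* Recovery point and flag set by the fault handler. */
static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

static void fault_handler(int sig)
{
    (void)sig;
    fault_seen = 1;
    /* sigsetjmp(..., 1) saved the signal mask, so it is restored here. */
    siglongjmp(fault_env, 1);
}

static int install_fault_handler(void)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) {
        return -1;
    }
    /* Some platforms report a protection violation as SIGBUS instead. */
    return sigaction(SIGBUS, &sa, NULL);
}

/*
 * Probe: store one byte (its own value) through p. Returns 1 if the
 * store faulted (region is protected), 0 if it went through, -1 if the
 * handler could not be installed. volatile keeps the store from being
 * optimised away.
 */
static int write_is_blocked(volatile unsigned char *p)
{
    if (install_fault_handler() != 0) {
        return -1;
    }
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        *p = *p;
        return 0;
    }
    return fault_seen ? 1 : 0;
}

/* Constructed targets: one in .rodata, one in .data, one in .text. */
static const char rodata_target[] = "constant data";
static char data_target[] = "writable data";

static void text_target(void)
{
}

/* Expected 1: read-only data must not be writable. */
int test_write_rodata_blocked(void)
{
    return write_is_blocked((volatile unsigned char *)rodata_target);
}

/* Expected 1: code pages must not be writable. */
int test_write_text_blocked(void)
{
    return write_is_blocked((volatile unsigned char *)(uintptr_t)text_target);
}

/* Control, expected 1: an ordinary data buffer stays writable. */
int test_write_data_allowed(void)
{
    return write_is_blocked((volatile unsigned char *)data_target) == 0;
}
```

The control probe matters as much as the protected ones: if it also reported a fault, the harness rather than the protection would be under suspicion. In a kernel such as Zephyr the same probes are run from the kernel's own context against the MPU or MMU configuration, and a probe that does not fault is the regression signal the commit above describes.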
This will prepare test cases and samples with metadata and information
that will be consumed by the sanitycheck script which will be changed to
parse YAML files instead of ini.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This is unmaintained and currently has no known users. It was
added to support a Wind River project. If in the future we need it
again, we should re-introduce it with an exception-based mechanism
for catching out-of-bounds memory queries from the debugger.
The mem_safe subsystem is also removed; it is only used by the
GDB server. If its functionality is needed in the future, it
should be replaced with an exception-based mechanism.
The _image_{ram, rom, text}_{start, end} linker variables have
been left in place; they will be re-purposed and expanded to
support memory protection.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>