riscv/cfi: Support ucontext under CFI

This patches only make the ucontext library work while CFI is enabled.
enabled. All security checks are skipped and should be implemented if
correspoding interface are landed into the kernel.
SSP is stored in the unused t3 slot in the sigcontext structure to avoid
breaking the current structure.

Co-authored-by: Nia Su <[email protected]>

Author: jaidTw

sysdeps/unix/sysv/linux/riscv/getcontext.S

@@ -17,11 +17,13 @@
    <https://www.gnu.org/licenses/>.  */
 
 #include "ucontext-macros.h"
+#include <sysdep.h>
 
 /* int getcontext (ucontext_t *ucp) */
 
 	.text
 LEAF (__getcontext)
+	LPAD
 	SAVE_INT_REG (ra,   0, a0)
 	SAVE_INT_REG (ra,   1, a0)
 	SAVE_INT_REG (sp,   2, a0)
@@ -58,6 +60,11 @@ LEAF (__getcontext)
 	sw	a1, MCONTEXT_FSR(a0)
 #endif /* __riscv_float_abi_soft */
 
+#ifdef __riscv_zicfiss
+	ssrdp   t0
+	SAVE_INT_REG (t0,  28, a0)  /* We use t3 slot to store ssp  */
+#endif
+
 /* rt_sigprocmask (SIG_BLOCK, NULL, &ucp->uc_sigmask, _NSIG8) */
 	li	a3, _NSIG8
 	add     a2, a0, UCONTEXT_SIGMASK

sysdeps/unix/sysv/linux/riscv/makecontext.c

@@ -21,6 +21,7 @@
 #include <sys/ucontext.h>
 #include <stdarg.h>
 #include <assert.h>
+#include <sys/mman.h>
 
 void
 __makecontext (ucontext_t *ucp, void (*func) (void), int argc,
@@ -73,6 +74,25 @@ __makecontext (ucontext_t *ucp, void (*func) (void), int argc,
 
       va_end (vl);
     }
+#ifdef __riscv_zicfiss
+  /* Allocate shadow stack for the new context
+     SSP is stored in t3 slot, SS base is stored in t4 slot  */
+  /* FIXME: we use user space as a temporary solution until
+     kernel provides such interface  */
+
+  unsigned long ss_size = ucp->uc_stack.ss_size >>
+			  STACK_SIZE_TO_SHADOW_STACK_SIZE_SHIFT;
+  unsigned long ss_page = (ss_size + 4096 - 1) / 4096 + 2;
+  ss_size = (ss_page - 2) * 4096;
+  void *ssp = __mmap (NULL, ss_page * 4096, PROT_NONE,
+                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  unsigned long ss_base = (unsigned long) ssp + 4096;
+  ucp->uc_mcontext.__gregs[REG_PC + 29] = ss_base;
+  __mprotect ((void *) ss_base, ss_size,
+           PROT_READ | PROT_WRITE);
+  ucp->uc_mcontext.__gregs[REG_PC + 28] = ss_base + ss_size
+	           - sizeof (unsigned long);
+#endif
 }
 
 weak_alias (__makecontext, makecontext)

sysdeps/unix/sysv/linux/riscv/setcontext.S

@@ -17,6 +17,7 @@
    <https://www.gnu.org/licenses/>.  */
 
 #include "ucontext-macros.h"
+#include <sysdep.h>
 
 /*  int __setcontext (const ucontext_t *ucp)
 
@@ -29,6 +30,7 @@
 
 	.text
 LEAF (__setcontext)
+	LPAD
 
 	mv	t0, a0	/* Save ucp into t0.  */
 
@@ -45,6 +47,17 @@ LEAF (__setcontext)
 
 	cfi_def_cfa (t0, 0)
 
+#ifdef __riscv_zicfiss
+	/* Skip if shadow stack is not enabled  */
+	ssrdp	t2
+	beqz	t2, .Lfin
+	/* We are safe to adjust shadow stack after the sanity check  */
+	RESTORE_INT_REG	   (t1,   28, t0)
+	/* FIXME: We are skipping ANY security check for now  */
+	csrw	ssp, t1
+.Lfin:
+#endif
+
 #ifndef __riscv_float_abi_soft
 	lw	t1, MCONTEXT_FSR(t0)
 
@@ -66,7 +79,11 @@ LEAF (__setcontext)
 
 	/* Note the contents of argument registers will be random
 	   unless makecontext() has been called.  */
+#ifdef __riscv_zicfilp
+	RESTORE_INT_REG     (t2,   0, t0)
+#else
 	RESTORE_INT_REG     (t1,   0, t0)
+#endif
 	RESTORE_INT_REG_CFI (ra,   1, t0)
 	RESTORE_INT_REG     (sp,   2, t0)
 	RESTORE_INT_REG_CFI (s0,   8, t0)
@@ -90,7 +107,12 @@ LEAF (__setcontext)
 	RESTORE_INT_REG_CFI (s10, 26, t0)
 	RESTORE_INT_REG_CFI (s11, 27, t0)
 
+#ifdef __riscv_zicfilp
+	/* We need to use software-guared jump */
+	jr	t2
+#else
 	jr	t1
+#endif
 
 99:	tail	__syscall_error
 
@@ -99,12 +121,19 @@ libc_hidden_def (__setcontext)
 weak_alias (__setcontext, setcontext)
 
 LEAF (__start_context)
+	LPAD
 
 	/* Terminate call stack by noting ra == 0.  Happily, s0 == 0 here.  */
 	cfi_register (ra, s0)
 
 	/* Call the function passed to makecontext.  */
+#ifdef __riscv_zicfilp
+	/* We need to use software-guared jump */
+	mv	t2, s1
+	jalr	t2
+#else
 	jalr	s1
+#endif
 
 	/* Invoke subsequent context if present, else exit(0).  */
 	mv	a0, s2

sysdeps/unix/sysv/linux/riscv/swapcontext.S

@@ -17,10 +17,12 @@
    <https://www.gnu.org/licenses/>.  */
 
 #include "ucontext-macros.h"
+#include <sysdep.h>
 
 /* int swapcontext (ucontext_t *oucp, const ucontext_t *ucp) */
 
 LEAF (__swapcontext)
+	LPAD
 	mv	t0, a1			/* Save ucp into t0.  */
 
 	SAVE_INT_REG (ra,   0, a0)
@@ -59,6 +61,11 @@ LEAF (__swapcontext)
 	sw	a1, MCONTEXT_FSR(a0)
 #endif /* __riscv_float_abi_soft */
 
+#ifdef __riscv_zicfiss
+	ssrdp   t1
+	SAVE_INT_REG (t1,  28, a0)
+#endif
+
 /* rt_sigprocmask (SIG_SETMASK, &ucp->uc_sigmask, &oucp->uc_sigmask, _NSIG8) */
 	li	a3, _NSIG8
 	add	a2, a0, UCONTEXT_SIGMASK
@@ -70,6 +77,17 @@ LEAF (__swapcontext)
 
 	bltz	a0, 99f
 
+#ifdef __riscv_zicfiss
+	/* Skip if shadow stack is not enabled  */
+	ssrdp	t2
+	beqz	t2, .Lfin
+	/* We are safe to adjust shadow stack after the sanity check  */
+	RESTORE_INT_REG (t1,   28, t0)
+	/* FIXME: We are skipping ANY security check for now  */
+	csrw	ssp, t1
+.Lfin:
+#endif
+
 #ifndef __riscv_float_abi_soft
 	lw	t1, MCONTEXT_FSR(t0)
 
@@ -91,7 +109,11 @@ LEAF (__swapcontext)
 
 	/* Note the contents of argument registers will be random
 	   unless makecontext() has been called.  */
+#ifdef __riscv_zicfilp
+	RESTORE_INT_REG (t2,   0, t0)
+#else
 	RESTORE_INT_REG (t1,   0, t0)
+#endif
 	RESTORE_INT_REG (ra,   1, t0)
 	RESTORE_INT_REG (sp,   2, t0)
 	RESTORE_INT_REG (s0,   8, t0)
@@ -115,8 +137,12 @@ LEAF (__swapcontext)
 	RESTORE_INT_REG (s10, 26, t0)
 	RESTORE_INT_REG (s11, 27, t0)
 
+#ifdef __riscv_zicfilp
+	/* We need to use software-guared jump */
+	jr	t2
+#else
 	jr	t1
-
+#endif
 
 99:	tail	__syscall_error
 

sysdeps/unix/sysv/linux/riscv/sysdep.h

@@ -201,6 +201,8 @@ GNU_PROPERTY (FEATURE_1_AND, __VALUE_FOR_FEATURE_1_AND)
 
 #else /* !__ASSEMBLER__ */
 
+# define STACK_SIZE_TO_SHADOW_STACK_SIZE_SHIFT 5
+
 # if __WORDSIZE == 64
 #  define VDSO_NAME	"LINUX_4.15"
 #  define VDSO_HASH	182943605