diff options
| author | Dave Martin <Dave.Martin@arm.com> | 2020-03-16 16:50:45 +0000 |
|---|---|---|
| committer | Catalin Marinas <catalin.marinas@arm.com> | 2020-03-16 17:19:48 +0000 |
| commit | 8ef8f360cf30be12382f89ff48a57fbbd9b31c14 (patch) | |
| tree | 6060caf0bfe50a4c370c86625b7325f6199b746a /arch/arm64/kernel/syscall.c | |
| parent | 00e19ceec80b03a43f626f891fcc53e57919f1b3 (diff) | |
| download | linux-8ef8f360cf30be12382f89ff48a57fbbd9b31c14.tar.gz linux-8ef8f360cf30be12382f89ff48a57fbbd9b31c14.tar.bz2 linux-8ef8f360cf30be12382f89ff48a57fbbd9b31c14.zip | |
arm64: Basic Branch Target Identification support
This patch adds the bare minimum required to expose the ARMv8.5
Branch Target Identification feature to userspace.
By itself, this does _not_ automatically enable BTI for any initial
executable pages mapped by execve(). This will come later, but for
now it should be possible to enable BTI manually on those pages by
using mprotect() from within the target process.
Other arches already using the generic mman.h are already using
0x10 for arch-specific prot flags, so we use that for PROT_BTI
here.
For consistency, signal handler entry points in BTI guarded pages
are required to be annotated as such, just like any other function.
This blocks a relatively minor attack vector, but comforming
userspace will have the annotations anyway, so we may as well
enforce them.
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Diffstat (limited to 'arch/arm64/kernel/syscall.c')
| -rw-r--r-- | arch/arm64/kernel/syscall.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/arch/arm64/kernel/syscall.c b/arch/arm64/kernel/syscall.c index a12c0c88d345..5f5b868292f5 100644 --- a/arch/arm64/kernel/syscall.c +++ b/arch/arm64/kernel/syscall.c @@ -98,6 +98,24 @@ static void el0_svc_common(struct pt_regs *regs, int scno, int sc_nr, regs->orig_x0 = regs->regs[0]; regs->syscallno = scno; + /* + * BTI note: + * The architecture does not guarantee that SPSR.BTYPE is zero + * on taking an SVC, so we could return to userspace with a + * non-zero BTYPE after the syscall. + * + * This shouldn't matter except when userspace is explicitly + * doing something stupid, such as setting PROT_BTI on a page + * that lacks conforming BTI/PACIxSP instructions, falling + * through from one executable page to another with differing + * PROT_BTI, or messing with BTYPE via ptrace: in such cases, + * userspace should not be surprised if a SIGILL occurs on + * syscall return. + * + * So, don't touch regs->pstate & PSR_BTYPE_MASK here. + * (Similarly for HVC and SMC elsewhere.) + */ + cortex_a76_erratum_1463225_svc_handler(); local_daif_restore(DAIF_PROCCTX); user_exit(); |