Thanks to visit codestin.com
Credit goes to github.com

Skip to content

arch: cortex-m: defend against large stack pointer #2723

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 5, 2021
Merged

arch: cortex-m: defend against large stack pointer #2723

merged 2 commits into from
Aug 5, 2021

Conversation

bradjc
Copy link
Contributor

@bradjc bradjc commented Aug 3, 2021

If the stack pointer is really large the sp + frame_size arithmetic can overflow, negating the check. Use .saturating_add() instead.

In the print context function rather than returning we now use dummy values so the user still gets the register printout for what is valid.

Also check for 4 byte alignment. I think that is a good idea.

I found this by playing with the new tockloader features: tockloader tbf-delete-tlv 8 and tockloader tbf-modify-tlv 1 init_fn_offset 53. I found that if I corrupted the init fn offset in the right way I got a kernel crash.

Testing Strategy

Running c_hello with a corrupted init fn offset and verifying the printout works as expected. Looks like:

Initialization complete. Entering main loop.
Kernel version: release-2.0-rc1
Welcome to the process console.
Valid commands are: help status list stop start fault process kernel

panicked at 'Process c_hello had a fault', kernel/src/process_standard.rs:323:17
	Kernel version release-2.0-rc1

---| No debug queue found. You can set it with the DebugQueue component.

---| Cortex-M Fault Status |---
Data Access Violation:              true
Memory Management Stacking Fault:   true
Bus Unstacking Fault:               true
Forced Hard Fault:                  true
Faulting Memory Address:            0xFFFFFFF8
Fault Status Register (CFSR):       0x00000892
Hard Fault Status Register (HFSR):  0x40000000

---| App Status |---
𝐀𝐩𝐩: c_hello   -   [Faulted]
 Events Queued: 0   Syscall Count: 3   Dropped Upcall Count: 0
 Restart Count: 5
 Last Syscall: Some(Memop { operand: 11, arg0: 536898052 })


 ╔═══════════╤══════════════════════════════════════════╗
 ║  Address  │ Region Name    Used | Allocated (bytes)  ║
 ╚0x20008000═╪══════════════════════════════════════════╝
             │ ▼ Grant        1120 |   1120
  0x20007BA0 ┼───────────────────────────────────────────
             │ Unused
  0x20006A04 ┼───────────────────────────────────────────
             │ ▲ Heap            0 |   4508               S
  0x20006A04 ┼─────────────────────────────────────────── R
             │ Data              ? |      ?               A
  ?????????? ┼─────────────────────────────────────────── M
             │ ▼ Stack           ? |      ?
  0x20006000 ┼───────────────────────────────────────────
             │ Unused
  0x20006000 ┴───────────────────────────────────────────
             .....
  0x00030800 ┬─────────────────────────────────────────── F
             │ App Flash      1996                        L
  0x00030034 ┼─────────────────────────────────────────── A
             │ Protected        52                        S
  0x00030000 ┴─────────────────────────────────────────── H

  R0 : 0xBAD00BAD    R6 : 0x00030034
  R1 : 0xBAD00BAD    R7 : 0x20006000
  R2 : 0xBAD00BAD    R8 : 0x00000000
  R3 : 0xBAD00BAD    R10: 0x00000000
  R4 : 0x00000000    R11: 0x00000000
  R5 : 0x00000000    R12: 0xBAD00BAD
  R9 : 0x20006800 (Static Base Register)
  SP : 0xFFFFFFE0 (Process Stack Pointer)
  LR : 0xBAD00BAD
  PC : 0xBAD00BAD
 YPC : 0x0003008E

 APSR: N 1 Z 0 C 1 V 1 Q 1
       GE 0 0 0 0
 EPSR: ICI.IT 0x42
       ThumbBit false !!ERROR - Cortex M Thumb only!

 Total number of grant regions defined: 14
  Grant  0 : --          Grant  5 : --          Grant 10 : --
  Grant  1 : --          Grant  6 : --          Grant 11 : --
  Grant  2 : --          Grant  7 : --          Grant 12 : --
  Grant  3 : --          Grant  8 : --          Grant 13 : --
  Grant  4 : --          Grant  9 : --

 Cortex-M MPU
  Region 0: [0x20006000:0x20008000], length: 8192 bytes; ReadWrite (0x3)
    Sub-region 0: [0x20006000:0x20006400], Enabled
    Sub-region 1: [0x20006400:0x20006800], Enabled
    Sub-region 2: [0x20006800:0x20006C00], Enabled
    Sub-region 3: [0x20006C00:0x20007000], Disabled
    Sub-region 4: [0x20007000:0x20007400], Disabled
    Sub-region 5: [0x20007400:0x20007800], Disabled
    Sub-region 6: [0x20007800:0x20007C00], Disabled
    Sub-region 7: [0x20007C00:0x20008000], Disabled
  Region 1: [0x00030000:0x00030800], length: 2048 bytes; UnprivilegedReadOnly (0x2)
    Sub-region 0: [0x00030000:0x00030100], Enabled
    Sub-region 1: [0x00030100:0x00030200], Enabled
    Sub-region 2: [0x00030200:0x00030300], Enabled
    Sub-region 3: [0x00030300:0x00030400], Enabled
    Sub-region 4: [0x00030400:0x00030500], Enabled
    Sub-region 5: [0x00030500:0x00030600], Enabled
    Sub-region 6: [0x00030600:0x00030700], Enabled
    Sub-region 7: [0x00030700:0x00030800], Enabled
  Region 2: Unused
  Region 3: Unused
  Region 4: Unused
  Region 5: Unused
  Region 6: Unused
  Region 7: Unused

To debug, run `make debug RAM_START=0x20006000 FLASH_INIT=0x30069`
in the app's folder and open the .lst file.

TODO or Help Wanted

Should we check for 4 byte alignment?

Documentation Updated

  • Updated the relevant files in /docs, or no updates are required.

Formatting

  • Ran make prepush.

@bradjc
arch: cortex-m: defend against large stack pointer
0466d74 
If the stack pointer is really large the sp + frame_size arithmetic can
overflow, negating the check. Use .saturating_add() instead.

In the print context function rather than returning we now use dummy
values so the user still gets the register printout for what _is_ valid.

Also check for 4 byte alignment. I think that is a good idea.
alistair23
alistair23 previously approved these changes Aug 4, 2021
View reviewed changes
hudson-ayers
hudson-ayers previously approved these changes Aug 4, 2021
View reviewed changes
Copy link
Contributor

@hudson-ayers hudson-ayers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes look good, though I seem to recall us concluding that there was no need to check stack pointer alignment last time we looked at this: #2478

@bradjc bradjc added the tock-2.0 Issues and PRs related to Tock version 2.0. label Aug 4, 2021
lschuermann
lschuermann previously approved these changes Aug 4, 2021
View reviewed changes
@bradjc
arch: cortex-m: don't check sp alignment
1089413 
We do not need to check the stack pointer alignment because the cortex-m
hardware guarantees it will ensure the stack pointer is aligned on any
exception or svc call. See #2478 for
more detail.
@bradjc bradjc dismissed stale reviews from lschuermann, hudson-ayers, and alistair23 via 1089413 August 5, 2021 14:10
@bradjc
Copy link
Contributor Author

bradjc commented Aug 5, 2021

I removed the alignment check since hardware guarantees alignment.

@hudson-ayers
Copy link
Contributor

bors r+

@bors
Copy link
Contributor

bors bot commented Aug 5, 2021

Build succeeded:

@bors bors bot merged commit aebd950 into master Aug 5, 2021
@bors bors bot deleted the cortex-m-LARGE-stack-pointer-bug branch August 5, 2021 23:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hudson-ayers hudson-ayers hudson-ayers approved these changes

@lschuermann lschuermann lschuermann left review comments

+1 more reviewer

@alistair23 alistair23 alistair23 left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
tock-2.0 Issues and PRs related to Tock version 2.0.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@bradjc @hudson-ayers @alistair23 @lschuermann