[PATCH 002/120] MIPS: R5900: Trap the RDHWR instruction as an SQ address exception
Fredrik Noring
noring@nocrew.org
Sat Dec 12 10:58:38 GMT 2020
Hi Maciej,
On Thu, Nov 19, 2020 at 01:28:00PM +0000, Maciej W. Rozycki wrote:
> The use of RDHWR, actual or emulated, is a part of the MIPS TLS psABI,
> see: <https://www.linux-mips.org/wiki/NPTL>, in particular starting from:
> <https://www.linux-mips.org/wiki/NPTL#Design_Choices> and throughout (the
> expired certificate of the web site is a known issue, but there is
> currently no way to get it fixed as nobody knows where Ralf Baechle has
> gone).
Can the site be wrapped up and published elsewhere?
> While there indeed is an unfortunate opcode overlap between RDHWR and SQ,
> the encoding of the specific operands chosen for TLS pointer access is
> luckily guaranteed to always trap in the user mode, because the address
> requested when the encoding is interpreted as SQ rather than RDHWR is
> within the kernel KSEG2 segment:
>
> $ cat rdhwr.s
> rdhwr $3, $29
> $ gcc -march=mips32r2 -c rdhwr.s
> $ objdump -d rdhwr.o
> rdhwr.o: file format elf32-tradlittlemips
>
>
> Disassembly of section .text:
>
> 00000000 <.text>:
> 0: 7c03e83b rdhwr v1,$29
> ...
> $ objdump -m mips:5900 -d rdhwr.o
>
> rdhwr.o: file format elf32-tradlittlemips
>
>
> Disassembly of section .text:
>
> 00000000 <.text>:
> 0: 7c03e83b sq v1,-6085(zero)
> ...
> $
>
> This is because the HWR read is encoded in bits 15:11 of the instruction
> word and $29 has the highest bit set, which lands in bit 15 of the
> instruction word, meaning that the offset encoded in bits 15:0 used where
> the instruction word is interpreted as SQ is negative. And then bits
> 25:21 are hardwired to 0 in the encoding of RDHWR and they correspond to
> the base register encoding with SQ, meaning that it will be interpreted as
> $zero. So the address ultimately requested is -6085 => 0xffffffffffffe83b
> (the R5900 uses 32-bit addressing and ignores address bits 63:32, but that
> does not matter here; this is KSEG2 either way).
>
> Consequently an AdES exception is triggered which we can trap and handle,
> reinterpreting the encoding according to our needs and return the TLS
> pointer in $v1 rather than issuing a SIGBUS. So you are not expected to
> see any issue unless there is a security erratum in the R5900 as well and
> the encoding does not cause an exception for some reason.
>
> This of course disagrees with what Fredrik wrote in the quotation above,
> as it's the last page rather than the zeroth that is accessed, but the net
> effect is the same, or even better.
The first page could be mapped by the application itself, but what about
RDHWR registers $0-$3 having mnemonics CPUNum, SYNC1_Step, CC and CCRes[1],
or in Linux
/* RDHWR register numbers */
#define MIPS_HWR_CPUNUM 0 /* CPU number */
#define MIPS_HWR_SYNCISTEP 1 /* SYNCI step size */
#define MIPS_HWR_CC 2 /* Cycle counter */
#define MIPS_HWR_CCRES 3 /* Cycle counter resolution */
#define MIPS_HWR_ULR 29 /* UserLocal */
#define MIPS_HWR_IMPL1 30 /* Implementation dependent */
#define MIPS_HWR_IMPL2 31 /* Implementation dependent */
in arch/mips/include/asm/mipsregs.h? They land on the first page, no?
Fredrik
References:
[1] "MIPS Architecture for programmers Volume II-A: The MIPS32 Instruction
Set", revision 5.04, 11 December 2013, p. 248.
More information about the Libc-help
mailing list