Page MenuHomeFreeBSD

riscv: Clear SUM in SSTATUS for supervisor mode exceptions.
ClosedPublic

Authored by jhb on Apr 14 2021, 4:46 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Mar 23, 6:52 AM
Unknown Object (File)
Thu, Mar 7, 11:49 PM
Unknown Object (File)
Feb 18 2024, 1:56 PM
Unknown Object (File)
Feb 11 2024, 2:26 AM
Unknown Object (File)
Jan 1 2024, 3:52 AM
Unknown Object (File)
Dec 28 2023, 8:04 AM
Unknown Object (File)
Dec 20 2023, 2:20 AM
Unknown Object (File)
Dec 19 2023, 10:41 AM
Subscribers

Details

Summary

Previously, a page fault taken during copyin/out and related functions
would run the entire fault handler while permitting direct access to
user addresses. This could also leak across context switches (e.g. if
the page fault handler was preempted by an interrupt or slept for disk
I/O).

To fix, clear SUM in assembly after saving the original version of
SSTATUS in the supervisor mode trapframe.

Sponsored by: DARPA

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb requested review of this revision.Apr 14 2021, 4:46 PM
sys/riscv/riscv/exception.S
108–111

You should be able to li t0, SSTATUS_SUM; csrc sstatus, t0

Looks good. Just curious, does the issue manifest in practice or was it caught by inspection?

This revision is now accepted and ready to land.Apr 21 2021, 4:12 PM

Looks good. Just curious, does the issue manifest in practice or was it caught by inspection?

No evidence we've ever accidentally accessed a user address. But you do very quickly fall over with the added assertion as you take page faults in copyin/out for init. I was talking on IRC with someone who was discovering a similar issue on Linux (https://github.com/torvalds/linux/commit/285a76bb2cf51b0c74c634f2aaccdb93e1f2a359) and it made me realise this issue in FreeBSD. (If you're wondering, Armv8 doesn't have this issue, since the PAN bit gets saved to SPSR and cleared in PSTATE on traps, and x86 has the code in its trap handler to clear AC, so it's just a RISC-V issue.)