* aarch64: morello: add purecap ucontext support [Carlos Eduardo Seo, 2022-11-22, 9 files, -0/+493]

  Adjust ucontext layout for purecap ABI and add make/get/set/swapcontext implementations accordingly. Note: mcontext layout follows the linux sigcontext struct; in userspace *context functions rely on the c registers stored in the extension area and ignore the mcontext fields for x registers.

* aarch64: morello: add purecap setjmp/longjmp [Carlos Eduardo Seo, 2022-11-22, 3 files, -1/+176]

  Similar to lp64 setjmp/longjmp, but handles capability registers. Save q regs instead of d regs to simplify the offset computation.

* cheri: malloc: Ensure the mappings have RW permission [Szabolcs Nagy, 2022-11-22, 1 file, -1/+9]

  The arena allocator incrementally applies RW mprotect to a PROT_NONE mapping. Use PROT_MAX to ensure the pointers derived from the original mapping have RW capability permission.

* cheri: malloc: align up without breaking capability in memalign [Szabolcs Nagy, 2022-11-22, 1 file, -2/+1]
* cheri: malloc: Disable pointer protection [Szabolcs Nagy, 2022-11-22, 1 file, -0/+4]

  Such arithmetic invalidates capabilities, so this security measure does not work for CHERI. Note: the architecture makes it hard to corrupt pointers in malloc metadata, but not impossible: current allocation bounds include the metadata and capabilities are not revoked after free. These issues can be fixed by a capability aware malloc.

* cheri: fix invalid pointer use after realloc in localealias [Szabolcs Nagy, 2022-11-22, 1 file, -2/+4]

  This code updates pointers to a reallocated buffer to point to the new buffer. It is not conforming (does arithmetic with freed pointers), but it also creates invalid capabilities because the provenance is derived from the original freed pointers instead of the new buffer. Change the arithmetic so provenance is derived from the new buffer. The conformance issue is not fixed.

* cheri: fix pointer tagging in tsearch [Szabolcs Nagy, 2022-11-22, 1 file, -4/+4]

  USE_MALLOC_LOW_BIT should work for capabilities too, but we need to ensure that pointer provenance is right: the red/black flag is computed as uintptr_t, but with uintptr_t | uintptr_t it's not clear which side provides the provenance. So use unsigned int type for the flag (which is the type used in case of !USE_MALLOC_LOW_BIT anyway); then unsigned int | uintptr_t works. The type of RED is corrected too to match unsigned int.
* cheri: fix qsort for capabilities [Szabolcs Nagy, 2022-11-22, 1 file, -0/+4]

  On capability targets avoid copying pointers via unsigned long.

* cheri: wctype: turn wctype_t into a pointer [Szabolcs Nagy, 2022-11-22, 1 file, -0/+4]

  Make wctype_t a pointer so dereferencing it works. wctrans_t is already a pointer and used the same way. Existing targets are not affected, only capability targets where this is necessary.

* cheri: rseq: remove const to avoid readonly permission [Szabolcs Nagy, 2022-11-22, 1 file, -0/+14]

  Using const on the definition does not work for a pure capability ABI: the capability permissions when accessing the object will be read only. Use a hack to hide the public declaration in the TU where the const objects are initialized. (This should work on non-capability targets too, but to err on the safe side only enable the hack on capability targets.)

* cheri: Fix capability permissions of PROT_NONE maps in test code [Szabolcs Nagy, 2022-11-22, 4 files, -3/+11]

* cheri: Fix capability permissions of PROT_NONE map in locarchive [Szabolcs Nagy, 2022-11-22, 1 file, -1/+9]

* cheri: nptl: Fix thread stack capability permissions [Szabolcs Nagy, 2022-11-22, 1 file, -1/+9]

* aarch64: morello: nptl: fix thread pointer setup [Szabolcs Nagy, 2022-11-22, 1 file, -0/+5]

* aarch64: morello: nptl: fix pthread types for 128 bit pointers [Szabolcs Nagy, 2022-11-22, 1 file, -1/+11]

* cheri: nptl: fix pthread_attr_t alignment [Szabolcs Nagy, 2022-11-22, 1 file, -0/+1]

  Alignment of the public definition did not match the internal layout. Ensure that the type is at least pointer aligned.

* cheri: nptl: fix thread ID types for capabilities [Szabolcs Nagy, 2022-11-22, 2 files, -0/+8]
* cheri: Implement 128-bit atomics [Szabolcs Nagy, 2022-11-22, 2 files, -2/+36]

  Arm Morello requires 128-bit atomics.

* cheri: elf: Use elfptr_t in _dl_protect_relro [Szabolcs Nagy, 2022-11-22, 1 file, -2/+1]

  Derive the start of the relro area from the RW capability of the dso.

* cheri: fix static linking TLS setup [Carlos Eduardo Seo, 2022-11-22, 1 file, -1/+1]

  Use the per module RW capability to access the TLS initimage. The bounds are not restricted for now.

* cheri: elf: elfptr_t fixes for preinit/init/fini array [Szabolcs Nagy, 2022-11-22, 4 files, -21/+19]

  According to the ELF spec:

    "Each element of this array is a pointer to a function to be executed by the dynamic linker."

    "Note that the address of a function need not be the same as a pointer to a function as defined by the processor supplement."

  So these should be accessed via uintptr_t type instead of ElfW(Addr), and the pointers are derived from the RX pointer of the elf module.

* cheri: Setup RX, RW capabilities for static linking [Szabolcs Nagy, 2022-11-22, 2 files, -2/+12]

  At least tls image access requires RX capability of the main link_map.

* cheri: elf: add dl_{rx,rw}_ptr to derive addresses within a map [Szabolcs Nagy, 2022-11-22, 1 file, -0/+28]

  To derive pointers within a module from the per module RX and RW caps.

* cheri: elf: add an RW capability to link_map [Szabolcs Nagy, 2022-11-22, 1 file, -0/+12]

  For each module keep an RX and an RW root capability. Use the existing l_map_start for RX (covering all load segments) and add l_rw_start for RW (covering all writable load segments). For relocation processing, we also need individual RW ranges to decide which objects need to be derived from RW and RX capabilities. In practice most modules have exactly one RW segment and it's unlikely that any module needs more than four distinct ranges to tightly cover the RW mappings. Only added on CHERI targets, so it always has to be used behind ifdef.

* cheri: elf: elfptr_t l_map_start in link_map struct [Szabolcs Nagy, 2022-11-22, 1 file, -1/+2]

  Use a capability for the load segment start that covers all load segments so pointers can be derived from it. It should have RX permission and a separate capability used for writable pointers.

* cheri: Introduce elfptr_t int type that can hold pointers [Szabolcs Nagy, 2022-11-22, 1 file, -0/+6]

  Use elfptr_t when ElfW(Addr) represents a runtime pointer (may be dereferenced or pointers may be derived from it).
* cheri: fix __minimal_malloc [Szabolcs Nagy, 2022-11-22, 1 file, -1/+4]

  The linker created _end symbol does not have the right bounds, so don't try to reuse leftover memory at the end of the .data section.

* cheri: fix static linking early allocation [Szabolcs Nagy, 2022-11-22, 1 file, -1/+1]

  Store mmap result to intptr_t instead of long.

* cheri: don't use dl_random for pointer mangling [Szabolcs Nagy, 2022-11-22, 1 file, -0/+5]

  Pointer mangling cannot be supported on capability architectures. And there are not enough bytes in dl_random for 128 bit pointers. Stack guard is still loaded from dl_random: stack protection is unlikely to be useful on a capability architecture, but it works.

* aarch64: morello: add purecap start code [Szabolcs Nagy, 2022-11-22, 2 files, -0/+215]

  Written in C so the self relocation code in crt1.o is easier to maintain. The purecap ELF entry is special: it passes separate argc, argv, envp, auxv in registers instead of on the stack. For each module there will be separate RW and RX capabilities that cover the writable and all load segments respectively. The relative reloc processing code is prepared for such separate capabilities. The static link detection (for self relocation) is not ideal: it relies on relocations that don't work in PIC, so it is ifdefed out for Scrt1.o. (Currently adrp of undefined weak symbol is not fixed up by the linker to be 0, so we use movz to detect the presence of __rela_dyn_start.)

* cheri: change __libc_start_main prototype [Szabolcs Nagy, 2022-11-22, 2 files, -0/+48]

  The prototype of __libc_start_main is changed to

    void __libc_start_main (int main (int, char **, char **, void *),
                            int argc, char **argv, char **envp, void *auxv,
                            void rtld_fini (void), void *sp);

  so envp is passed down separately and the unused init, fini args are dropped.
* aarch64: morello: purecap crti.S and crtn.S [Carlos Eduardo Seo, 2022-11-22, 2 files, -0/+141]

  Purecap ABI versions of crti.S and crtn.S.

* cheri: aarch64: Add header for CHERI permissions [Carlos Eduardo Seo, 2022-11-22, 1 file, -0/+84]

  New file containing the capability permission bits. The capability permission bits are defined in the Arm Architecture Reference Manual Supplement - Morello for A-Profile Architecture: https://developer.arm.com/documentation/ddi0606/latest

* cheri: elf: use elfptr_t for auxv parsing [Szabolcs Nagy, 2022-11-22, 1 file, -2/+2]

* cheri: elf: Adjust Elf64_auxv_t for capabilities [Szabolcs Nagy, 2022-11-22, 1 file, -0/+9]

  The Elf64_auxv_t needs to be adjusted for the new capability size.

* cheri: elf: Add new AT_* auxv type definitions [Carlos Eduardo Seo, 2022-11-22, 1 file, -0/+12]

  Follows the morello pure capability user ABI of linux.

* elf: add EF_AARCH64_CHERI_PURECAP [Szabolcs Nagy, 2022-11-22, 1 file, -0/+3]

* elf: add Arm Morello relocations to elf.h [Carlos Eduardo Seo, 2022-11-22, 1 file, -0/+21]

* cheri: Fix pselect signal mask argument [Szabolcs Nagy, 2022-11-22, 1 file, -5/+12]

  The signal mask argument is passed as a struct with a pointer and size in the linux syscall abi, but the types used in glibc were wrong for CHERI due to an x32 specific hack.
* TODO(uapi): narrow capability in mmap and mremap [Szabolcs Nagy, 2022-11-22, 2 files, -3/+40]

  This is a temporary workaround. Length is rounded up to pagesize and exact bounds are not used (bounds will be larger if the exact value is not representable). Capability permissions are roughly emulated too. TODO: kernel should do this.

* TODO(uapi): aarch64: morello: add HWCAP2_MORELLO [Szabolcs Nagy, 2022-11-22, 1 file, -0/+1]

  TODO: this is the value in the 5.18 kernel, will change later.

* TODO(uapi): aarch64: morello: use non-ifunc gettimeofday [Szabolcs Nagy, 2022-11-22, 1 file, -1/+3]

  TODO: Remove this once morello has vdso gettimeofday.

* TODO(uapi): aarch64: morello: make brk always fail [Szabolcs Nagy, 2022-11-22, 1 file, -0/+25]

  TODO: drop this once linux brk always fails.

* TODO(uapi): cheri: fix clone_args [Szabolcs Nagy, 2022-11-22, 2 files, -0/+27]

  Current clone_args does not support 128 bit pointers. TODO: the fix is incomplete (missing clone3 abi checks) and has to be aligned with purecap clone3 struct layout.

* aarch64: morello: define PROT_MAX [Szabolcs Nagy, 2022-11-22, 1 file, -0/+3]

  Specifies the prot flags a mapping may gain via mprotect or MAP_FIXED. On CHERI targets this is used to get a capability with more permissions than the original mmap protection would imply.
* aarch64: morello: fix missing variadic argument in fcntl [Szabolcs Nagy, 2022-11-22, 3 files, -2/+12]

  In fcntl va_arg is currently used even if the caller did not pass any variadic arguments. This is undefined behaviour and does not work with the Morello purecap ABI, so use a helper macro. When the argument is missing, the result of the helper macro is arbitrary as it will be ignored by the kernel; we just have to ensure it does not cause a runtime crash.

* aarch64: morello: add prctl with correct vararg handling [Szabolcs Nagy, 2022-11-22, 1 file, -0/+44]

  prctl is a variadic function and on morello args that were not passed cannot be accessed, so the generic code does not work.

* aarch64: morello: fix vfork [Szabolcs Nagy, 2022-11-22, 1 file, -1/+1]

  No need to set the child stack to sp; 0 means the parent stack is used. This avoids purecap specific ifdefs in vfork.

* aarch64: morello: add purecap syscall support [Carlos Eduardo Seo, 2022-11-22, 4 files, -16/+203]

  Support the Morello Linux purecap syscall ABI. The macro definitions are moved to a morello specific sysdep.h to avoid cluttering the aarch64 one.

* aarch64: fix VDSO setup to only apply to known ABIs [Szabolcs Nagy, 2022-11-22, 1 file, -1/+3]

  New syscall ABI requires different VDSO support code.