| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Jan 2023 20:31:26 +0000
From: Conor Dooley <conor@...nel.org>
To: Björn Töpel <bjorn@...nel.org>
Cc: Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>,
Albert Ou <aou@...s.berkeley.edu>,
linux-riscv@...ts.infradead.org, Guo Ren <guoren@...nel.org>,
Björn Töpel <bjorn@...osinc.com>,
linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org
Subject: Re: [PATCH] riscv, kprobes: Stricter c.jr/c.jalr decoding
Hey Bjorn,
On Mon, Jan 02, 2023 at 05:07:48PM +0100, Björn Töpel wrote:
> From: Björn Töpel <bjorn@...osinc.com>
>
> In the compressed instruction extension, c.jr, c.jalr, c.mv, and c.add
> is encoded the following way (each instruction is 16b):
>
> ---+-+-----------+-----------+--
> 100 0 rs1[4:0]!=0 00000 10 : c.jr
> 100 1 rs1[4:0]!=0 00000 10 : c.jalr
> 100 0 rd[4:0]!=0 rs2[4:0]!=0 10 : c.mv
> 100 1 rd[4:0]!=0 rs2[4:0]!=0 10 : c.add
>
> The following logic is used to decode c.jr and c.jalr:
>
> insn & 0xf007 == 0x8002 => instruction is an c.jr
> insn & 0xf007 == 0x9002 => instruction is an c.jalr
>
> When 0xf007 is used to mask the instruction, c.mv can be incorrectly
> decoded as c.jr, and c.add as c.jalr.
>
> Correct the decoding by changing the mask from 0xf007 to 0xf07f.
>
> Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported")
> Signed-off-by: Björn Töpel <bjorn@...osinc.com>
> ---
> arch/riscv/kernel/probes/simulate-insn.h | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/riscv/kernel/probes/simulate-insn.h b/arch/riscv/kernel/probes/simulate-insn.h
> index cb6ff7dccb92..de8474146a9b 100644
> --- a/arch/riscv/kernel/probes/simulate-insn.h
> +++ b/arch/riscv/kernel/probes/simulate-insn.h
> @@ -31,9 +31,9 @@ __RISCV_INSN_FUNCS(fence, 0x7f, 0x0f);
> } while (0)
>
> __RISCV_INSN_FUNCS(c_j, 0xe003, 0xa001);
> -__RISCV_INSN_FUNCS(c_jr, 0xf007, 0x8002);
Hmm, I wonder where the mask originally came from!
I had a look at the compressed spec, of which the version google gave to
me was v1.9 [1], and Table 1.6 in that (Instruction listing for RVC,
Quadrant 2) seems to list them all together.
Tedious it may be, but future instruction decoding bits probably need
more scrutiny as Drew found another clearly wrong bit a few weeks ago
[2].
Anyways, I checked against the doc and the new versions look good to
me. How'd you spot this, and did you check the other masks?
Reviewed-by: Conor Dooley <conor.dooley@...rochip.com>
[1] - https://riscv.org/wp-content/uploads/2015/11/riscv-compressed-spec-v1.9.pdf
[2] - https://lore.kernel.org/linux-riscv/20221223221332.4127602-2-heiko@sntech.de/
> +__RISCV_INSN_FUNCS(c_jr, 0xf07f, 0x8002);
> __RISCV_INSN_FUNCS(c_jal, 0xe003, 0x2001);
> -__RISCV_INSN_FUNCS(c_jalr, 0xf007, 0x9002);
> +__RISCV_INSN_FUNCS(c_jalr, 0xf07f, 0x9002);
> __RISCV_INSN_FUNCS(c_beqz, 0xe003, 0xc001);
> __RISCV_INSN_FUNCS(c_bnez, 0xe003, 0xe001);
> __RISCV_INSN_FUNCS(c_ebreak, 0xffff, 0x9002);
Worth noting that this code is gone in riscv/for-next thanks to Heiko's
de-duplication:
https://lore.kernel.org/linux-riscv/20221223221332.4127602-7-heiko@sntech.de/
>
> base-commit: 1b929c02afd37871d5afb9d498426f83432e71c2
> --
> 2.37.2
>
Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)
Powered by blists - more mailing lists