From c905a3680dc1dae044ea6b9aaf9f0482e5ebf63c Mon Sep 17 00:00:00 2001 From: Daniele Buono Date: Fri, 4 Dec 2020 18:06:12 -0500 Subject: cfi: Initial support for cfi-icall in QEMU LLVM/Clang, supports runtime checks for forward-edge Control-Flow Integrity (CFI). CFI on indirect function calls (cfi-icall) ensures that, in indirect function calls, the function called is of the right signature for the pointer type defined at compile time. For this check to work, the code must always respect the function signature when using function pointer, the function must be defined at compile time, and be compiled with link-time optimization. This rules out, for example, shared libraries that are dynamically loaded (given that functions are not known at compile time), and code that is dynamically generated at run-time. This patch: 1) Introduces the CONFIG_CFI flag to support cfi in QEMU 2) Introduces a decorator to allow the definition of "sensitive" functions, where a non-instrumented function may be called at runtime through a pointer. The decorator will take care of disabling cfi-icall checks on such functions, when cfi is enabled. 3) Marks functions currently in QEMU that exhibit such behavior, in particular: - The function in TCG that calls pre-compiled TBs - The function in TCI that interprets instructions - Functions in the plugin infrastructures that jump to callbacks - Functions in util that directly call a signal handler Signed-off-by: Daniele Buono Acked-by: Alex Bennée Signed-off-by: Paolo Bonzini --- include/qemu/compiler.h | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'include') diff --git a/include/qemu/compiler.h b/include/qemu/compiler.h index df9ec08f8a..d620a841e4 100644 --- a/include/qemu/compiler.h +++ b/include/qemu/compiler.h @@ -233,4 +233,15 @@ extern void QEMU_NORETURN QEMU_ERROR("code path is reachable") # define QEMU_FALLTHROUGH do {} while (0) /* fallthrough */ #endif +#ifdef CONFIG_CFI +/* + * If CFI is enabled, use an attribute to disable cfi-icall on the following + * function + */ +#define QEMU_DISABLE_CFI __attribute__((no_sanitize("cfi-icall"))) +#else +/* If CFI is not enabled, use an empty define to not change the behavior */ +#define QEMU_DISABLE_CFI +#endif + #endif /* COMPILER_H */ -- cgit v1.2.3-55-g7522 From 3b9bd3f46b3b92501186acd18e81d3e8510b7b09 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Wed, 16 Dec 2020 13:27:58 +0100 Subject: remove TCG includes from common code Enable removing tcg/$tcg_arch from the include path when TCG is disabled. Move translate-all.h to include/exec, since stubs exist for the functions defined therein. Signed-off-by: Paolo Bonzini --- accel/stubs/tcg-stub.c | 1 - accel/tcg/cputlb.c | 2 +- accel/tcg/translate-all.c | 2 +- accel/tcg/translate-all.h | 39 --------------------------------------- accel/tcg/user-exec.c | 2 +- cpu.c | 2 +- hw/i386/kvmvapic.c | 1 - include/exec/translate-all.h | 39 +++++++++++++++++++++++++++++++++++++++ monitor/misc.c | 1 - softmmu/physmem.c | 3 +-- 10 files changed, 44 insertions(+), 48 deletions(-) delete mode 100644 accel/tcg/translate-all.h create mode 100644 include/exec/translate-all.h (limited to 'include') diff --git a/accel/stubs/tcg-stub.c b/accel/stubs/tcg-stub.c index e4bbf997aa..8c18d3eabd 100644 --- a/accel/stubs/tcg-stub.c +++ b/accel/stubs/tcg-stub.c @@ -12,7 +12,6 @@ #include "qemu/osdep.h" #include "cpu.h" -#include "tcg/tcg.h" #include "exec/exec-all.h" void tb_flush(CPUState *cpu) diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c index 42ab79c1a5..ced3dc077e 100644 --- a/accel/tcg/cputlb.c +++ b/accel/tcg/cputlb.c @@ -33,7 +33,7 @@ #include "exec/helper-proto.h" #include "qemu/atomic.h" #include "qemu/atomic128.h" -#include "translate-all.h" +#include "exec/translate-all.h" #include "trace/trace-root.h" #include "trace/mem.h" #ifdef CONFIG_PLUGIN diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c index b7d50a73d4..a1803a1026 100644 --- a/accel/tcg/translate-all.c +++ b/accel/tcg/translate-all.c @@ -49,7 +49,7 @@ #include "exec/cputlb.h" #include "exec/tb-hash.h" -#include "translate-all.h" +#include "exec/translate-all.h" #include "qemu/bitmap.h" #include "qemu/error-report.h" #include "qemu/qemu-print.h" diff --git a/accel/tcg/translate-all.h b/accel/tcg/translate-all.h deleted file mode 100644 index a557b4e2bb..0000000000 --- a/accel/tcg/translate-all.h +++ /dev/null @@ -1,39 +0,0 @@ -/* - * Translated block handling - * - * Copyright (c) 2003 Fabrice Bellard - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library; if not, see . - */ -#ifndef TRANSLATE_ALL_H -#define TRANSLATE_ALL_H - -#include "exec/exec-all.h" - - -/* translate-all.c */ -struct page_collection *page_collection_lock(tb_page_addr_t start, - tb_page_addr_t end); -void page_collection_unlock(struct page_collection *set); -void tb_invalidate_phys_page_fast(struct page_collection *pages, - tb_page_addr_t start, int len, - uintptr_t retaddr); -void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end); -void tb_check_watchpoint(CPUState *cpu, uintptr_t retaddr); - -#ifdef CONFIG_USER_ONLY -int page_unprotect(target_ulong address, uintptr_t pc); -#endif - -#endif /* TRANSLATE_ALL_H */ diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c index 293ee86ea4..1215b55ca0 100644 --- a/accel/tcg/user-exec.c +++ b/accel/tcg/user-exec.c @@ -23,7 +23,7 @@ #include "tcg/tcg.h" #include "qemu/bitops.h" #include "exec/cpu_ldst.h" -#include "translate-all.h" +#include "exec/translate-all.h" #include "exec/helper-proto.h" #include "qemu/atomic128.h" #include "trace/trace-root.h" diff --git a/cpu.c b/cpu.c index 0c485cdf2d..0b245cda2e 100644 --- a/cpu.c +++ b/cpu.c @@ -34,7 +34,7 @@ #include "sysemu/tcg.h" #include "sysemu/kvm.h" #include "sysemu/replay.h" -#include "translate-all.h" +#include "exec/translate-all.h" #include "exec/log.h" uintptr_t qemu_host_page_size; diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c index 077c3f4866..2c1898032e 100644 --- a/hw/i386/kvmvapic.c +++ b/hw/i386/kvmvapic.c @@ -21,7 +21,6 @@ #include "hw/sysbus.h" #include "hw/boards.h" #include "migration/vmstate.h" -#include "tcg/tcg.h" #include "qom/object.h" #define VAPIC_IO_PORT 0x7e diff --git a/include/exec/translate-all.h b/include/exec/translate-all.h new file mode 100644 index 0000000000..a557b4e2bb --- /dev/null +++ b/include/exec/translate-all.h @@ -0,0 +1,39 @@ +/* + * Translated block handling + * + * Copyright (c) 2003 Fabrice Bellard + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see . + */ +#ifndef TRANSLATE_ALL_H +#define TRANSLATE_ALL_H + +#include "exec/exec-all.h" + + +/* translate-all.c */ +struct page_collection *page_collection_lock(tb_page_addr_t start, + tb_page_addr_t end); +void page_collection_unlock(struct page_collection *set); +void tb_invalidate_phys_page_fast(struct page_collection *pages, + tb_page_addr_t start, int len, + uintptr_t retaddr); +void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end); +void tb_check_watchpoint(CPUState *cpu, uintptr_t retaddr); + +#ifdef CONFIG_USER_ONLY +int page_unprotect(target_ulong address, uintptr_t pc); +#endif + +#endif /* TRANSLATE_ALL_H */ diff --git a/monitor/misc.c b/monitor/misc.c index a5d4d4e4f4..a7650ed747 100644 --- a/monitor/misc.c +++ b/monitor/misc.c @@ -77,7 +77,6 @@ #include "qapi/qmp-event.h" #include "sysemu/cpus.h" #include "qemu/cutils.h" -#include "tcg/tcg.h" #if defined(TARGET_S390X) #include "hw/s390x/storage-keys.h" diff --git a/softmmu/physmem.c b/softmmu/physmem.c index 2cd1de4a2c..67b53d39e4 100644 --- a/softmmu/physmem.c +++ b/softmmu/physmem.c @@ -25,7 +25,6 @@ #include "cpu.h" #include "exec/exec-all.h" #include "exec/target_page.h" -#include "tcg/tcg.h" #include "hw/qdev-core.h" #include "hw/qdev-properties.h" #include "hw/boards.h" @@ -53,7 +52,7 @@ #include "qemu/rcu_queue.h" #include "qemu/main-loop.h" -#include "translate-all.h" +#include "exec/translate-all.h" #include "sysemu/replay.h" #include "exec/memory-internal.h" -- cgit v1.2.3-55-g7522 From 084cfca143487d9b3ef37e7ee117f30e8e301af1 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Mon, 14 Dec 2020 08:02:33 -0600 Subject: util: Extract flush_icache_range to cacheflush.c This has been a tcg-specific function, but is also in use by hardware accelerators via physmem.c. This can cause link errors when tcg is disabled. Signed-off-by: Richard Henderson Reviewed-by: Joelle van Dyne Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20201214140314.18544-3-richard.henderson@linaro.org> Signed-off-by: Paolo Bonzini --- MAINTAINERS | 2 ++ include/qemu/cacheflush.h | 24 ++++++++++++++++ softmmu/physmem.c | 1 + tcg/aarch64/tcg-target.h | 5 ---- tcg/arm/tcg-target.h | 5 ---- tcg/i386/tcg-target.h | 4 --- tcg/mips/tcg-target.h | 11 -------- tcg/ppc/tcg-target.c.inc | 22 --------------- tcg/ppc/tcg-target.h | 1 - tcg/riscv/tcg-target.h | 5 ---- tcg/s390/tcg-target.h | 4 --- tcg/sparc/tcg-target.h | 8 ------ tcg/tcg.c | 1 + tcg/tci/tcg-target.h | 4 --- util/cacheflush.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++ util/meson.build | 2 +- 16 files changed, 100 insertions(+), 70 deletions(-) create mode 100644 include/qemu/cacheflush.h create mode 100644 util/cacheflush.c (limited to 'include') diff --git a/MAINTAINERS b/MAINTAINERS index 42fedf91e7..478bea667c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -119,6 +119,8 @@ F: softmmu/cpus.c F: cpus-common.c F: accel/tcg/ F: accel/stubs/tcg-stub.c +F: util/cacheinfo.c +F: util/cacheflush.c F: scripts/decodetree.py F: docs/devel/decodetree.rst F: include/exec/cpu*.h diff --git a/include/qemu/cacheflush.h b/include/qemu/cacheflush.h new file mode 100644 index 0000000000..58ae488491 --- /dev/null +++ b/include/qemu/cacheflush.h @@ -0,0 +1,24 @@ +/* + * Flush the host cpu caches. + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ + +#ifndef QEMU_CACHEFLUSH_H +#define QEMU_CACHEFLUSH_H + +#if defined(__i386__) || defined(__x86_64__) || defined(__s390__) + +static inline void flush_icache_range(uintptr_t start, uintptr_t stop) +{ + /* icache is coherent and does not require flushing. */ +} + +#else + +void flush_icache_range(uintptr_t start, uintptr_t stop); + +#endif + +#endif /* QEMU_CACHEFLUSH_H */ diff --git a/softmmu/physmem.c b/softmmu/physmem.c index 67b53d39e4..8b9ffc41c2 100644 --- a/softmmu/physmem.c +++ b/softmmu/physmem.c @@ -22,6 +22,7 @@ #include "qapi/error.h" #include "qemu/cutils.h" +#include "qemu/cacheflush.h" #include "cpu.h" #include "exec/exec-all.h" #include "exec/target_page.h" diff --git a/tcg/aarch64/tcg-target.h b/tcg/aarch64/tcg-target.h index 663dd0b95e..8a6b97598e 100644 --- a/tcg/aarch64/tcg-target.h +++ b/tcg/aarch64/tcg-target.h @@ -148,11 +148,6 @@ typedef enum { #define TCG_TARGET_DEFAULT_MO (0) #define TCG_TARGET_HAS_MEMORY_BSWAP 1 -static inline void flush_icache_range(uintptr_t start, uintptr_t stop) -{ - __builtin___clear_cache((char *)start, (char *)stop); -} - void tb_target_set_jmp_target(uintptr_t, uintptr_t, uintptr_t); #ifdef CONFIG_SOFTMMU diff --git a/tcg/arm/tcg-target.h b/tcg/arm/tcg-target.h index 17e771374d..f1955ce4ac 100644 --- a/tcg/arm/tcg-target.h +++ b/tcg/arm/tcg-target.h @@ -134,11 +134,6 @@ enum { #define TCG_TARGET_DEFAULT_MO (0) #define TCG_TARGET_HAS_MEMORY_BSWAP 1 -static inline void flush_icache_range(uintptr_t start, uintptr_t stop) -{ - __builtin___clear_cache((char *) start, (char *) stop); -} - /* not defined -- call should be eliminated at compile time */ void tb_target_set_jmp_target(uintptr_t, uintptr_t, uintptr_t); diff --git a/tcg/i386/tcg-target.h b/tcg/i386/tcg-target.h index abd4ac7fc0..cd067e0b30 100644 --- a/tcg/i386/tcg-target.h +++ b/tcg/i386/tcg-target.h @@ -206,10 +206,6 @@ extern bool have_avx2; #define TCG_TARGET_extract_i64_valid(ofs, len) \ (((ofs) == 8 && (len) == 8) || ((ofs) + (len)) == 32) -static inline void flush_icache_range(uintptr_t start, uintptr_t stop) -{ -} - static inline void tb_target_set_jmp_target(uintptr_t tc_ptr, uintptr_t jmp_addr, uintptr_t addr) { diff --git a/tcg/mips/tcg-target.h b/tcg/mips/tcg-target.h index c6b091d849..92c1d63da3 100644 --- a/tcg/mips/tcg-target.h +++ b/tcg/mips/tcg-target.h @@ -198,20 +198,9 @@ extern bool use_mips32r2_instructions; #define TCG_TARGET_HAS_ext16u_i64 0 /* andi rt, rs, 0xffff */ #endif -#ifdef __OpenBSD__ -#include -#else -#include -#endif - #define TCG_TARGET_DEFAULT_MO (0) #define TCG_TARGET_HAS_MEMORY_BSWAP 1 -static inline void flush_icache_range(uintptr_t start, uintptr_t stop) -{ - cacheflush ((void *)start, stop-start, ICACHE); -} - void tb_target_set_jmp_target(uintptr_t, uintptr_t, uintptr_t); #ifdef CONFIG_SOFTMMU diff --git a/tcg/ppc/tcg-target.c.inc b/tcg/ppc/tcg-target.c.inc index 18ee989f95..0d068ec8ab 100644 --- a/tcg/ppc/tcg-target.c.inc +++ b/tcg/ppc/tcg-target.c.inc @@ -3863,25 +3863,3 @@ void tcg_register_jit(void *buf, size_t buf_size) tcg_register_jit_int(buf, buf_size, &debug_frame, sizeof(debug_frame)); } #endif /* __ELF__ */ - -void flush_icache_range(uintptr_t start, uintptr_t stop) -{ - uintptr_t p, start1, stop1; - size_t dsize = qemu_dcache_linesize; - size_t isize = qemu_icache_linesize; - - start1 = start & ~(dsize - 1); - stop1 = (stop + dsize - 1) & ~(dsize - 1); - for (p = start1; p < stop1; p += dsize) { - asm volatile ("dcbst 0,%0" : : "r"(p) : "memory"); - } - asm volatile ("sync" : : : "memory"); - - start &= start & ~(isize - 1); - stop1 = (stop + isize - 1) & ~(isize - 1); - for (p = start1; p < stop1; p += isize) { - asm volatile ("icbi 0,%0" : : "r"(p) : "memory"); - } - asm volatile ("sync" : : : "memory"); - asm volatile ("isync" : : : "memory"); -} diff --git a/tcg/ppc/tcg-target.h b/tcg/ppc/tcg-target.h index be10363956..a509a19628 100644 --- a/tcg/ppc/tcg-target.h +++ b/tcg/ppc/tcg-target.h @@ -175,7 +175,6 @@ extern bool have_vsx; #define TCG_TARGET_HAS_bitsel_vec have_vsx #define TCG_TARGET_HAS_cmpsel_vec 0 -void flush_icache_range(uintptr_t start, uintptr_t stop); void tb_target_set_jmp_target(uintptr_t, uintptr_t, uintptr_t); #define TCG_TARGET_DEFAULT_MO (0) diff --git a/tcg/riscv/tcg-target.h b/tcg/riscv/tcg-target.h index 032439d806..c1bd52bb9a 100644 --- a/tcg/riscv/tcg-target.h +++ b/tcg/riscv/tcg-target.h @@ -159,11 +159,6 @@ typedef enum { #define TCG_TARGET_HAS_mulsh_i64 1 #endif -static inline void flush_icache_range(uintptr_t start, uintptr_t stop) -{ - __builtin___clear_cache((char *)start, (char *)stop); -} - /* not defined -- call should be eliminated at compile time */ void tb_target_set_jmp_target(uintptr_t, uintptr_t, uintptr_t); diff --git a/tcg/s390/tcg-target.h b/tcg/s390/tcg-target.h index 63c8797bd3..b4feb2f55a 100644 --- a/tcg/s390/tcg-target.h +++ b/tcg/s390/tcg-target.h @@ -145,10 +145,6 @@ enum { TCG_AREG0 = TCG_REG_R10, }; -static inline void flush_icache_range(uintptr_t start, uintptr_t stop) -{ -} - static inline void tb_target_set_jmp_target(uintptr_t tc_ptr, uintptr_t jmp_addr, uintptr_t addr) { diff --git a/tcg/sparc/tcg-target.h b/tcg/sparc/tcg-target.h index 633841ebf2..d8b0e32e2e 100644 --- a/tcg/sparc/tcg-target.h +++ b/tcg/sparc/tcg-target.h @@ -168,14 +168,6 @@ extern bool use_vis3_instructions; #define TCG_TARGET_DEFAULT_MO (0) #define TCG_TARGET_HAS_MEMORY_BSWAP 1 -static inline void flush_icache_range(uintptr_t start, uintptr_t stop) -{ - uintptr_t p; - for (p = start & -8; p < ((stop + 7) & -8); p += 8) { - __asm__ __volatile__("flush\t%0" : : "r" (p)); - } -} - void tb_target_set_jmp_target(uintptr_t, uintptr_t, uintptr_t); #define TCG_TARGET_NEED_POOL_LABELS diff --git a/tcg/tcg.c b/tcg/tcg.c index 43c6cf8f52..ebb9466ffc 100644 --- a/tcg/tcg.c +++ b/tcg/tcg.c @@ -35,6 +35,7 @@ #include "qemu/host-utils.h" #include "qemu/qemu-print.h" #include "qemu/timer.h" +#include "qemu/cacheflush.h" /* Note: the long term plan is to reduce the dependencies on the QEMU CPU definitions. Currently they are used for qemu_ld/st diff --git a/tcg/tci/tcg-target.h b/tcg/tci/tcg-target.h index 8c1c1d265d..b84480f989 100644 --- a/tcg/tci/tcg-target.h +++ b/tcg/tci/tcg-target.h @@ -191,10 +191,6 @@ void tci_disas(uint8_t opc); #define HAVE_TCG_QEMU_TB_EXEC -static inline void flush_icache_range(uintptr_t start, uintptr_t stop) -{ -} - /* We could notice __i386__ or __s390x__ and reduce the barriers depending on the host. But if you want performance, you use the normal backend. We prefer consistency across hosts on this. */ diff --git a/util/cacheflush.c b/util/cacheflush.c new file mode 100644 index 0000000000..2881832a38 --- /dev/null +++ b/util/cacheflush.c @@ -0,0 +1,71 @@ +/* + * Flush the host cpu caches. + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" +#include "qemu/cacheflush.h" + + +#if defined(__i386__) || defined(__x86_64__) || defined(__s390__) + +/* Caches are coherent and do not require flushing; symbol inline. */ + +#elif defined(__mips__) + +#ifdef __OpenBSD__ +#include +#else +#include +#endif + +void flush_icache_range(uintptr_t start, uintptr_t stop) +{ + cacheflush((void *)start, stop - start, ICACHE); +} + +#elif defined(__powerpc__) + +void flush_icache_range(uintptr_t start, uintptr_t stop) +{ + uintptr_t p, start1, stop1; + size_t dsize = qemu_dcache_linesize; + size_t isize = qemu_icache_linesize; + + start1 = start & ~(dsize - 1); + stop1 = (stop + dsize - 1) & ~(dsize - 1); + for (p = start1; p < stop1; p += dsize) { + asm volatile ("dcbst 0,%0" : : "r"(p) : "memory"); + } + asm volatile ("sync" : : : "memory"); + + start &= start & ~(isize - 1); + stop1 = (stop + isize - 1) & ~(isize - 1); + for (p = start1; p < stop1; p += isize) { + asm volatile ("icbi 0,%0" : : "r"(p) : "memory"); + } + asm volatile ("sync" : : : "memory"); + asm volatile ("isync" : : : "memory"); +} + +#elif defined(__sparc__) + +void flush_icache_range(uintptr_t start, uintptr_t stop) +{ + uintptr_t p; + + for (p = start & -8; p < ((stop + 7) & -8); p += 8) { + __asm__ __volatile__("flush\t%0" : : "r" (p)); + } +} + +#else + +void flush_icache_range(uintptr_t start, uintptr_t stop) +{ + __builtin___clear_cache((char *)start, (char *)stop); +} + +#endif diff --git a/util/meson.build b/util/meson.build index f359af0d46..a3dfc0f966 100644 --- a/util/meson.build +++ b/util/meson.build @@ -21,7 +21,7 @@ util_ss.add(files('envlist.c', 'path.c', 'module.c')) util_ss.add(files('host-utils.c')) util_ss.add(files('bitmap.c', 'bitops.c')) util_ss.add(files('fifo8.c')) -util_ss.add(files('cacheinfo.c')) +util_ss.add(files('cacheinfo.c', 'cacheflush.c')) util_ss.add(files('error.c', 'qemu-error.c')) util_ss.add(files('qemu-print.c')) util_ss.add(files('id.c')) -- cgit v1.2.3-55-g7522