CFI in asm

Author: mohanson

definitions/src/asm.rs

@@ -1,4 +1,4 @@
-use crate::{RISCV_GENERAL_REGISTER_NUMBER, instructions::Instruction};
+use crate::{DEFAULT_SHADOW_STACK_SIZE, RISCV_GENERAL_REGISTER_NUMBER, instructions::Instruction};
 use std::alloc::{Layout, dealloc};
 
 // The number of trace items to keep
@@ -15,6 +15,8 @@ pub const RET_OUT_OF_BOUND: u8 = 7;
 pub const RET_INVALID_PERMISSION: u8 = 8;
 pub const RET_SLOWPATH: u8 = 9;
 pub const RET_PAUSE: u8 = 10;
+pub const RET_SHADOW_STACK_SOFTWARE_CHECK_EXCEPTION: u8 = 11;
+pub const RET_SHADOW_STACK_STACK_OUT_OF_STACK: u8 = 12;
 
 #[inline(always)]
 pub fn calculate_slot(addr: u64) -> usize {
@@ -100,6 +102,11 @@ pub struct AsmCoreMachine {
     pub memory_ptr: u64,
     pub flags_ptr: u64,
     pub frames_ptr: u64,
+
+    pub cfi: u8,
+    pub elp: u32,
+    pub shadow_stack: [u8; DEFAULT_SHADOW_STACK_SIZE],
+    pub ssp: u64,
 }
 
 impl Drop for AsmCoreMachine {

definitions/src/generate_asm_constants.rs

@@ -1,15 +1,16 @@
 use ckb_vm_definitions::{
-    MEMORY_FRAME_PAGE_SHIFTS, MEMORY_FRAME_SHIFTS, MEMORY_FRAMESIZE, RISCV_PAGE_SHIFTS,
-    RISCV_PAGESIZE,
+    DEFAULT_SHADOW_STACK_SIZE, MEMORY_FRAME_PAGE_SHIFTS, MEMORY_FRAME_SHIFTS, MEMORY_FRAMESIZE,
+    RISCV_PAGE_SHIFTS, RISCV_PAGESIZE,
     asm::{
         AsmCoreMachine, FixedTrace, InvokeData, RET_CYCLES_OVERFLOW, RET_DECODE_TRACE,
         RET_DYNAMIC_JUMP, RET_EBREAK, RET_ECALL, RET_INVALID_PERMISSION, RET_MAX_CYCLES_EXCEEDED,
-        RET_OUT_OF_BOUND, RET_PAUSE, RET_SLOWPATH, TRACE_ITEM_LENGTH,
+        RET_OUT_OF_BOUND, RET_PAUSE, RET_SHADOW_STACK_SOFTWARE_CHECK_EXCEPTION,
+        RET_SHADOW_STACK_STACK_OUT_OF_STACK, RET_SLOWPATH, TRACE_ITEM_LENGTH,
     },
     for_each_inst,
     instructions::{MAXIMUM_OPCODE, MINIMAL_OPCODE, instruction_opcode_name},
     memory::{FLAG_DIRTY, FLAG_EXECUTABLE, FLAG_FREEZED, FLAG_WRITABLE, FLAG_WXORX_BIT},
-    registers::{RA, SP},
+    registers::{RA, SP, T2},
 };
 use std::alloc::{Layout, alloc};
 use std::mem::{size_of, zeroed};
@@ -70,10 +71,19 @@ fn main() {
     );
     println!("#define CKB_VM_ASM_RET_SLOWPATH {}", RET_SLOWPATH);
     println!("#define CKB_VM_ASM_RET_PAUSE {}", RET_PAUSE);
+    println!(
+        "#define CKB_VM_ASM_RET_SHADOW_STACK_SOFTWARE_CHECK_EXCEPTION {}",
+        RET_SHADOW_STACK_SOFTWARE_CHECK_EXCEPTION
+    );
+    println!(
+        "#define CKB_VM_ASM_RET_SHADOW_STACK_STACK_OUT_OF_STACK {}",
+        RET_SHADOW_STACK_STACK_OUT_OF_STACK
+    );
     println!();
 
     println!("#define CKB_VM_ASM_REGISTER_RA {}", RA);
     println!("#define CKB_VM_ASM_REGISTER_SP {}", SP);
+    println!("#define CKB_VM_ASM_REGISTER_T2 {}", T2);
     println!();
 
     println!("#define CKB_VM_ASM_MEMORY_FLAG_FREEZED {}", FLAG_FREEZED);
@@ -209,6 +219,22 @@ fn main() {
         "#define CKB_VM_ASM_ASM_CORE_MACHINE_OFFSET_FRAMES_PTR {}",
         (&m.frames_ptr as *const u64 as usize) - m_address
     );
+    println!(
+        "#define CKB_VM_ASM_ASM_CORE_MACHINE_OFFSET_CFI {}",
+        (&m.cfi as *const u8 as usize) - m_address
+    );
+    println!(
+        "#define CKB_VM_ASM_ASM_CORE_MACHINE_OFFSET_ELP {}",
+        (&m.elp as *const u32 as usize) - m_address
+    );
+    println!(
+        "#define CKB_VM_ASM_ASM_CORE_MACHINE_OFFSET_SHADOW_STACK {}",
+        (&m.shadow_stack as *const [u8; DEFAULT_SHADOW_STACK_SIZE] as usize) - m_address
+    );
+    println!(
+        "#define CKB_VM_ASM_ASM_CORE_MACHINE_OFFSET_SSP {}",
+        (&m.ssp as *const u64 as usize) - m_address
+    );
     println!();
 
     for op in MINIMAL_OPCODE..MAXIMUM_OPCODE {

fuzz/fuzz_targets/isa_a.rs

@@ -86,7 +86,9 @@ fuzz_target!(|data: [u8; 512]| {
         }
 
         let inst = inst | ((rs1 as u32) << 15) | ((rs2 as u32) << 20) | ((rd as u32) << 7);
-        let insn = ckb_vm::instructions::a::factory::<u64>(inst, ckb_vm_version).unwrap();
+        let insn =
+            ckb_vm::instructions::a::factory::<u64>(inst, ckb_vm_version, Default::default())
+                .unwrap();
 
         spike.execute(inst as u64).unwrap();
         ckb_vm::instructions::execute_instruction(insn, &mut ckb_vm_int).unwrap();

fuzz/fuzz_targets/isa_b.rs

@@ -112,7 +112,9 @@ fuzz_target!(|data: [u8; 512]| {
         let mask = insts[choose].1;
 
         let inst = inst | (mask & deque.u32());
-        let insn = ckb_vm::instructions::b::factory::<u64>(inst, ckb_vm_version).unwrap();
+        let insn =
+            ckb_vm::instructions::b::factory::<u64>(inst, ckb_vm_version, Default::default())
+                .unwrap();
 
         spike.execute(inst as u64).unwrap();
         ckb_vm::instructions::execute_instruction(insn, &mut ckb_vm_int).unwrap();

fuzz/fuzz_targets/snapshot2.rs

@@ -112,6 +112,7 @@ fuzz_target!(|data: [u8; 96]| {
     let metadata = ProgramMetadata {
         actions: loading_action_vec.clone(),
         entry: 0,
+        cfi: Default::default(),
     };
 
     let mut machine1 = build_machine();

src/elf.rs

@@ -1,6 +1,6 @@
 // This module maps the data structure of different versions of goblin to the
 // same internal structure.
-use crate::machine::{VERSION1, VERSION3};
+use crate::machine::{VERSION0, VERSION1, VERSION2, VERSION3};
 use crate::memory::{FLAG_EXECUTABLE, FLAG_FREEZED, round_page_down, round_page_up};
 use crate::{Error, Register};
 use bytes::Bytes;
@@ -143,6 +143,24 @@ pub struct CFI {
     pub lp_func_sig: bool,
 }
 
+impl From<u8> for CFI {
+    fn from(byte: u8) -> Self {
+        Self {
+            lp_unlabeled: byte & 0b0000_0001 != 0,
+            ss: byte & 0b0000_0010 != 0,
+            lp_func_sig: byte & 0b0000_0100 != 0,
+        }
+    }
+}
+
+impl From<CFI> for u8 {
+    fn from(val: CFI) -> Self {
+        (if val.lp_unlabeled { 0b0000_0001 } else { 0 })
+            | (if val.ss { 0b0000_0010 } else { 0 })
+            | (if val.lp_func_sig { 0b0000_0100 } else { 0 })
+    }
+}
+
 #[derive(Default)]
 pub struct ParseElfPortableData {
     pub entry: u64,
@@ -154,10 +172,7 @@ pub struct ParseElfPortableData {
 impl ParseElfPortableData {
     pub fn from_v0<R: Register>(program: &Bytes) -> Result<Self, Error> {
         use goblin_v023::container::Ctx;
-        use goblin_v023::elf::{
-            Header, program_header::ProgramHeader as GoblinProgramHeader,
-            section_header::SectionHeader as GoblinSectionHeader,
-        };
+        use goblin_v023::elf::{Header, program_header::ProgramHeader as GoblinProgramHeader};
         let header = program.pread::<Header>(0)?;
         let container = header.container().map_err(|_e| Error::ElfBits)?;
         let endianness = header.endianness().map_err(|_e| Error::ElfBits)?;
@@ -174,15 +189,35 @@ impl ParseElfPortableData {
         .iter()
         .map(ProgramHeader::from_v0)
         .collect();
-        let section_headers = GoblinSectionHeader::parse(
+        let section_headers = vec![];
+        Ok(Self {
+            entry: header.e_entry,
+            program_headers,
+            section_headers,
+            shstrtab_offset: header.e_shstrndx as usize,
+        })
+    }
+
+    pub fn from_v1<R: Register>(program: &Bytes) -> Result<Self, Error> {
+        use goblin_v040::container::Ctx;
+        use goblin_v040::elf::{Header, program_header::ProgramHeader as GoblinProgramHeader};
+        let header = program.pread::<Header>(0)?;
+        let container = header.container().map_err(|_e| Error::ElfBits)?;
+        let endianness = header.endianness().map_err(|_e| Error::ElfBits)?;
+        if R::BITS != if container.is_big() { 64 } else { 32 } {
+            return Err(Error::ElfBits);
+        }
+        let ctx = Ctx::new(container, endianness);
+        let program_headers = GoblinProgramHeader::parse(
             program,
-            header.e_shoff as usize,
-            header.e_shnum as usize,
+            header.e_phoff as usize,
+            header.e_phnum as usize,
             ctx,
         )?
         .iter()
-        .map(SectionHeader::from_v0)
+        .map(ProgramHeader::from_v1)
         .collect();
+        let section_headers = vec![];
         Ok(Self {
             entry: header.e_entry,
             program_headers,
@@ -191,7 +226,7 @@ impl ParseElfPortableData {
         })
     }
 
-    pub fn from_v1<R: Register>(program: &Bytes) -> Result<Self, Error> {
+    pub fn from_v3<R: Register>(program: &Bytes) -> Result<Self, Error> {
         use goblin_v040::container::Ctx;
         use goblin_v040::elf::{
             Header, program_header::ProgramHeader as GoblinProgramHeader,
@@ -256,15 +291,15 @@ fn parse_gnu_property_note(note_data: &[u8]) -> Result<CFI, Error> {
             ));
         }
         offset += 8;
-        if pr_type == GNU_PROPERTY_RISCV_FEATURE_1_AND && pr_datasz >= 4 {
-            if offset + 4 <= note_data.len() {
-                buf.copy_from_slice(&note_data[offset..offset + 4]);
-                let feature_flags = u32::from_le_bytes(buf);
-                cfi.lp_unlabeled =
-                    feature_flags & GNU_PROPERTY_RISCV_FEATURE_1_CFI_LP_UNLABELED != 0;
-                cfi.ss = feature_flags & GNU_PROPERTY_RISCV_FEATURE_1_CFI_SS != 0;
-                cfi.lp_func_sig = feature_flags & GNU_PROPERTY_RISCV_FEATURE_1_CFI_LP_FUNC_SIG != 0;
-            }
+        if pr_type == GNU_PROPERTY_RISCV_FEATURE_1_AND
+            && pr_datasz >= 4
+            && offset + 4 <= note_data.len()
+        {
+            buf.copy_from_slice(&note_data[offset..offset + 4]);
+            let feature_flags = u32::from_le_bytes(buf);
+            cfi.lp_unlabeled = feature_flags & GNU_PROPERTY_RISCV_FEATURE_1_CFI_LP_UNLABELED != 0;
+            cfi.ss = feature_flags & GNU_PROPERTY_RISCV_FEATURE_1_CFI_SS != 0;
+            cfi.lp_func_sig = feature_flags & GNU_PROPERTY_RISCV_FEATURE_1_CFI_LP_FUNC_SIG != 0;
         }
         // Align to 8 bytes for next property.
         let aligned_datasz = (pr_datasz + 7) & !7;
@@ -276,10 +311,11 @@ fn parse_gnu_property_note(note_data: &[u8]) -> Result<CFI, Error> {
 pub fn parse_elf<R: Register>(program: &Bytes, version: u32) -> Result<ProgramMetadata, Error> {
     // We did not use Elf::parse here to avoid triggering potential bugs in goblin.
     // * https://github.com/nervosnetwork/ckb-vm/issues/143
-    let pepd = if version < VERSION1 {
-        ParseElfPortableData::from_v0::<R>(program)?
-    } else {
-        ParseElfPortableData::from_v1::<R>(program)?
+    let pepd = match version {
+        VERSION0 => ParseElfPortableData::from_v0::<R>(program)?,
+        VERSION1 | VERSION2 => ParseElfPortableData::from_v1::<R>(program)?,
+        VERSION3 => ParseElfPortableData::from_v3::<R>(program)?,
+        _ => ParseElfPortableData::from_v3::<R>(program)?,
     };
     let mut cfi = CFI::default();
     // CFI will only be parsed when using version 3. This avoids errors in older code from

src/instructions/execute.rs

@@ -8,7 +8,7 @@ use crate::{instructions::tagged::TaggedInstruction, memory::Memory};
 use ckb_vm_definitions::{
     for_each_inst_array1, for_each_inst_match2,
     instructions::{self as insts, paste},
-    registers::{RA, T0, T2},
+    registers::{RA, T2},
 };
 
 pub fn handle_sub<Mac: Machine>(machine: &mut Mac, inst: Instruction) -> Result<(), Error> {
@@ -555,10 +555,8 @@ pub fn handle_jalr_version1<Mac: Machine>(
     next_pc = next_pc & (!Mac::REG::one());
     update_register(machine, i.rd(), link);
     machine.update_pc(next_pc);
-    if machine.cfi().lp_unlabeled {
-        if i.rs1() != RA && i.rs1() != T0 && i.rs1() != T2 {
-            machine.set_elp(1);
-        }
+    if inst & (1 << 28) != 0 {
+        machine.set_elp(1);
     }
     Ok(())
 }

src/instructions/i.rs

@@ -1,4 +1,5 @@
 use ckb_vm_definitions::instructions as insts;
+use ckb_vm_definitions::registers::{RA, T0, T2};
 
 use super::utils::{
     btype_immediate, funct3, funct7, itype_immediate, jalr, jtype_immediate, lb, lbu, ld, lh, lhu,
@@ -32,7 +33,7 @@ impl FenceType {
     }
 }
 
-pub fn factory<R: Register>(instruction_bits: u32, version: u32, _: CFI) -> Option<Instruction> {
+pub fn factory<R: Register>(instruction_bits: u32, version: u32, cfi: CFI) -> Option<Instruction> {
     let bit_length = R::BITS;
     if bit_length != 32 && bit_length != 64 {
         return None;
@@ -70,13 +71,14 @@ pub fn factory<R: Register>(instruction_bits: u32, version: u32, _: CFI) -> Opti
                 _ => None,
             };
             inst_opt.map(|inst| {
-                Itype::new_s(
-                    inst,
-                    rd(instruction_bits),
-                    rs1(instruction_bits),
-                    itype_immediate(instruction_bits),
-                )
-                .0
+                let rd = rd(instruction_bits);
+                let rs1 = rs1(instruction_bits);
+                let n = Itype::new_s(inst, rd, rs1, itype_immediate(instruction_bits)).0;
+                if cfi.lp_unlabeled && rs1 != RA && rs1 != T0 && rs1 != T2 {
+                    n | (1 << 28) // Mark as a cfi jump for CFI
+                } else {
+                    n
+                }
             })
         }
         0b_0000011 => {

src/machine/asm/cdefinitions_generated.h

@@ -17,9 +17,12 @@
 #define CKB_VM_ASM_RET_INVALID_PERMISSION 8
 #define CKB_VM_ASM_RET_SLOWPATH 9
 #define CKB_VM_ASM_RET_PAUSE 10
+#define CKB_VM_ASM_RET_SHADOW_STACK_SOFTWARE_CHECK_EXCEPTION 11
+#define CKB_VM_ASM_RET_SHADOW_STACK_STACK_OUT_OF_STACK 12
 
 #define CKB_VM_ASM_REGISTER_RA 1
 #define CKB_VM_ASM_REGISTER_SP 2
+#define CKB_VM_ASM_REGISTER_T2 7
 
 #define CKB_VM_ASM_MEMORY_FLAG_FREEZED 1
 #define CKB_VM_ASM_MEMORY_FLAG_EXECUTABLE 2
@@ -54,6 +57,10 @@
 #define CKB_VM_ASM_ASM_CORE_MACHINE_OFFSET_MEMORY_PTR 368
 #define CKB_VM_ASM_ASM_CORE_MACHINE_OFFSET_FLAGS_PTR 376
 #define CKB_VM_ASM_ASM_CORE_MACHINE_OFFSET_FRAMES_PTR 384
+#define CKB_VM_ASM_ASM_CORE_MACHINE_OFFSET_CFI 392
+#define CKB_VM_ASM_ASM_CORE_MACHINE_OFFSET_ELP 396
+#define CKB_VM_ASM_ASM_CORE_MACHINE_OFFSET_SHADOW_STACK 400
+#define CKB_VM_ASM_ASM_CORE_MACHINE_OFFSET_SSP 65936
 
 #define CKB_VM_ASM_OP_UNLOADED 16
 #define CKB_VM_ASM_OP_ADD 17
@@ -211,7 +218,13 @@
 #define CKB_VM_ASM_OP_JALR_VERSION1 169
 #define CKB_VM_ASM_OP_FAR_JUMP_REL 170
 #define CKB_VM_ASM_OP_FAR_JUMP_ABS 171
-#define CKB_VM_ASM_OP_CUSTOM_ASM_TRACE_JUMP 172
+#define CKB_VM_ASM_OP_LPAD 172
+#define CKB_VM_ASM_OP_SSPUSH 173
+#define CKB_VM_ASM_OP_SSPOPCHK 174
+#define CKB_VM_ASM_OP_SSRDP 175
+#define CKB_VM_ASM_OP_SSAMOSWAP_W 176
+#define CKB_VM_ASM_OP_SSAMOSWAP_D 177
+#define CKB_VM_ASM_OP_CUSTOM_ASM_TRACE_JUMP 178
 
 #ifdef CKB_VM_ASM_GENERATE_LABEL_TABLES
 #ifdef __APPLE__
@@ -394,6 +407,12 @@
 	.long	.CKB_VM_ASM_LABEL_OP_JALR_VERSION1 - .CKB_VM_ASM_LABEL_TABLE
 	.long	.CKB_VM_ASM_LABEL_OP_FAR_JUMP_REL - .CKB_VM_ASM_LABEL_TABLE
 	.long	.CKB_VM_ASM_LABEL_OP_FAR_JUMP_ABS - .CKB_VM_ASM_LABEL_TABLE
+	.long	.CKB_VM_ASM_LABEL_OP_LPAD - .CKB_VM_ASM_LABEL_TABLE
+	.long	.CKB_VM_ASM_LABEL_OP_SSPUSH - .CKB_VM_ASM_LABEL_TABLE
+	.long	.CKB_VM_ASM_LABEL_OP_SSPOPCHK - .CKB_VM_ASM_LABEL_TABLE
+	.long	.CKB_VM_ASM_LABEL_OP_SSRDP - .CKB_VM_ASM_LABEL_TABLE
+	.long	.CKB_VM_ASM_LABEL_OP_SSAMOSWAP_W - .CKB_VM_ASM_LABEL_TABLE
+	.long	.CKB_VM_ASM_LABEL_OP_SSAMOSWAP_D - .CKB_VM_ASM_LABEL_TABLE
 	.long	.CKB_VM_ASM_LABEL_OP_CUSTOM_ASM_TRACE_JUMP - .CKB_VM_ASM_LABEL_TABLE
 	.long	.CKB_VM_ASM_LABEL_OP_CUSTOM_TRACE_END - .CKB_VM_ASM_LABEL_TABLE
 #endif /* CKB_VM_ASM_GENERATE_LABEL_TABLES */