Fix for #62: don't rely on zero_stack setting \base to \top.

ronorton · ronorton · commit ba9b79c9cd68 · 2023-04-21T12:46:22.000Z
The zero_stack macro in the switcher did not meet the claim in the
comment that the base register would end up pointing to the top (it
was not true if the top was not 32-byte aligned).

Rather than fix this I've removed the claim in the comment and
adjusted the places that call it not rely on this property.
diff --git a/sdk/core/loader/boot.cc b/sdk/core/loader/boot.cc
@@ -811,7 +811,7 @@ namespace
 			Debug::log("New thread's trusted stack is {}", threadTStack);
 			threadTStack->mepcc = pcc;
 			threadTStack->cgp   = cgp;
-			auto stack = allocateStack(config.stackSize);
+			auto stack          = allocateStack(config.stackSize);
 			threadTStack->csp   = stack;
 			Debug::log("New thread's stack is {}", stack);
 			// Enable previous level interrupts and set the previous exception
@@ -820,7 +820,7 @@ namespace
 			  (priv::MSTATUS_MPIE |
 			   (priv::MSTATUS_PRV_M << priv::MSTATUS_MPP_SHIFT));
 #ifdef CONFIG_MSLWM
-			threadTStack->mslwm = stack.top();
+			threadTStack->mslwm  = stack.top();
 			threadTStack->mslwmb = stack.base();
 #endif
 			threadTStack->frameoffset = offsetof(TrustedStack, frames[1]);
diff --git a/sdk/core/switcher/entry.S b/sdk/core/switcher/entry.S
@@ -105,11 +105,10 @@ switcher_scheduler_entry_csp:
 .endm
 
 /**
- * Zero the stack.  The three operands are the base address (modified during
- * this call, will point at the top at the end), the top address, and a scratch
- * register to use.  The base must be a capability but it must be provided
- * without the c prefix because it is used as both a capability and integer
- * register.  Top and scratch are both clobbered.
+ * Zero the stack.  The three operands are the base address, the top address,
+ * and a scratch register to use.  The base must be a capability but it must
+ * be provided without the c prefix because it is used as both a capability
+ * and integer register.  All three registers are clobbered.
  */
 .macro zero_stack base top scratch
 	addi               \scratch, \top, -32
@@ -181,24 +180,20 @@ compartment_switcher_entry:
 	cgetbase           s1, csp
 	csetaddr           csp, csp, s1
 	sub                s1, s0, s1
-	csetboundsexact    csp, csp, s1
+	csetboundsexact    ct2, csp, s1
+	csetaddr           csp, ct2, s0
 #ifdef CONFIG_MSLWM
 	// read and align the stack low water mark
 	csrr               gp, 0xbc1 // mslwm
 	and                gp, gp, ~0xf
+	// skip zeroing if low water mark >= stack poitner
+	bge                t2, sp, after_zero
 	// use stack low water mark as base address for zeroing
 	// XXX could be out of bounds / unrepresentable if bad csp?
-	csetaddr           csp, csp, gp
-	// go to zeroing if the stack low water mark is less than current stack pointer
-	blt                sp, s0, zeroing
-	// otherwise reset address of csp
-	// the zeroing loop assumes sp <= s0, so make this true
-	// we want csp to end up pointing at stack top
-	csetaddr           csp, csp, s0
-	// now fall through to zeroing, which will have nothing to do
+	csetaddr           ct2, csp, gp
 #endif
-zeroing:
-	zero_stack         sp, s0, gp
+	zero_stack         t2, s0, gp
+after_zero:
 #ifdef CONFIG_MSLWM
 	// store new stack top as stack low water mark
 	csrw               0xbc1, sp // mslwm
@@ -740,7 +735,7 @@ exception_entry_asm:
 	csetaddr           ct2, csp, tp
 	zero_stack         t2, t1, tp
 #ifdef CONFIG_MSLWM
-	csrw               0xbc1, t2 // mslwm
+	csrw               0xbc1, sp // mslwm
 #endif
 #endif // CONFIG_NO_SWITCHER_SAFETY
 	cret
diff --git a/sdk/core/switcher/tstack.h b/sdk/core/switcher/tstack.h
@@ -44,24 +44,24 @@ struct TrustedStackFrame
 template<size_t NFrames>
 struct TrustedStackGeneric
 {
-	void    *mepcc;
-	void    *c1;
-	void    *csp;
-	void    *cgp;
-	void    *c4;
-	void    *c5;
-	void    *c6;
-	void    *c7;
-	void    *c8;
-	void    *c9;
-	void    *c10;
-	void    *c11;
-	void    *c12;
-	void    *c13;
-	void    *c14;
-	void    *c15;
-	size_t   mstatus;
-	size_t   mcause;
+	void  *mepcc;
+	void  *c1;
+	void  *csp;
+	void  *cgp;
+	void  *c4;
+	void  *c5;
+	void  *c6;
+	void  *c7;
+	void  *c8;
+	void  *c9;
+	void  *c10;
+	void  *c11;
+	void  *c12;
+	void  *c13;
+	void  *c14;
+	void  *c15;
+	size_t mstatus;
+	size_t mcause;
 #ifdef CONFIG_MSLWM
 	uint32_t mslwm;
 	uint32_t mslwmb;
@@ -74,9 +74,9 @@ struct TrustedStackGeneric
 	uint8_t inForcedUnwind;
 	// Padding up to multiple of 16-bytes.
 #ifdef CONFIG_MSLWM
-#define TRUSTED_STACK_PADDING 13
+#	define TRUSTED_STACK_PADDING 13
 #else
-#define TRUSTED_STACK_PADDING 5
+#	define TRUSTED_STACK_PADDING 5
 #endif
 	uint8_t padding[TRUSTED_STACK_PADDING];
 	/**
