From c0195ba3b463206823557aedca1c21c3700d5c16 Mon Sep 17 00:00:00 2001 From: Ved Shanbhogue Date: Wed, 1 Nov 2023 19:47:36 -0500 Subject: [PATCH] exception caused when SS instructions access non-SS pages --- cfi_backward.adoc | 36 +++++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/cfi_backward.adoc b/cfi_backward.adoc index e442fa6..5ed4c5c 100644 --- a/cfi_backward.adoc +++ b/cfi_backward.adoc @@ -791,10 +791,13 @@ The following faults may occur: access-fault exception. .. Implicit accesses cause an access-fault exception corresponding to the original access type. -. If the accessed page is not a shadow stack page or if the page is in +. If the accessed page has write or execute permission or if the page is in non-idempotent memory: .. `SSAMOSWAP`, `C.SSPUSH`, and `SSPUSH` cause a store/AMO access-fault. .. `C.SSPOPCHK` and `SSPOPCHK` cause a load access-fault. +. If the accessed page has read-only permissions: +.. `SSAMOSWAP`, `C.SSPUSH`, and `SSPUSH` cause a store/AMO page-fault. +.. `C.SSPOPCHK` and `SSPOPCHK` cause a load page-fault. [NOTE] ==== 
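Review bot: the two list items this hunk leaves in place overlap, so the list no longer says which exception is reported for a read-only page in non-idempotent memory. Such a page matches both "has write or execute permission or if the page is in non-idempotent memory" (access-fault) and the new "has read-only permissions" (page-fault). Suggest making the items disjoint or stating the priority, e.g. ". If the accessed page has read-only permissions and is in idempotent memory:", or a sentence saying which check is applied first. "Read-only permissions" is also informal next to the `pte.xwr` encodings used later in the same section; `pte.xwr == 001b` would tie the two descriptions together.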
@@ -818,9 +821,15 @@ On implementations where address-misaligned exception is prioritized higher than access-fault exception, a trap handler that emulates misaligned stores must cause an access-fault exception if store is being made to a shadow stack page. -Shadow stack instructions cause an access-fault if the accessed page is not a -shadow stack page or if the page is in non-idempotent memory to similarly -indicate fatality. +Shadow stack instructions cause an access-fault if the accessed page is writeable +or executable or if the page is in non-idempotent memory to similarly indicate +fatality. + +Shadow stack instructions cause a page-fault if the accessed page is read-only +to support copy-on-write (COW) of a shadow stack page. If the page had been +marked as read-only due to the page being tracked for COW, the page fault +handler, in response to the page fault, creates a copy of the page and updates +the `pte.xwr` to `010b` to designate the each copy as a shadow stack page. While the specification mandates that an access-fault exception shall be generated when either single-stage or VS-stage address translation is invoked 
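Review bot: typo in the new COW paragraph: "to designate the each copy as a shadow stack page" should read "to designate each copy as a shadow stack page", and "the page fault handler, in response to the page fault, creates a copy" repeats itself; "the page-fault handler creates a copy" is enough. The paragraph also switches between "page fault" and the hyphenated "page-fault" used by the list above; pick one. Minor: "writeable" in the first added paragraph is more commonly spelled "writable".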
@@ -847,14 +856,14 @@ cite:[PRIV] is modified as follows: PAGESIZE` and go to step 2. 5. A leaf PTE has been found. If the memory access is by a shadow stack - instruction and `pte.xwr != 010b`, then cause an access-fault exception - corresponding to the access type. If the memory access is either a + instruction and `pte.x == 1b` or `pte.w == 1b`, then cause an access-fault + exception corresponding to the access type. If the memory access is either a non-shadow-stack store/AMO or an implicit access, and `pte.xwr == 010b`, then - an access-fault exception is raised, corresponding to the original access type. - If the requested memory access is not allowed by the `pte.r`, `pte.w`, `pte.x`, - and `pte.u` bits, given the current privilege mode and the value of the `SUM` - and `MXR` fields of the `mstatus` register, stop and raise a page-fault - exception corresponding to the original access type. + cause an access-fault exception corresponding to the original access type. + If the requested memory access is not allowed by the `pte.r`, `pte.w`, + `pte.x`, and `pte.u` bits, given the current privilege mode and the value of + the `SUM` and `MXR` fields of the `mstatus` register, stop and raise a + page-fault exception corresponding to the original access type. The PMA checks are extended to require memory referenced by `SSAMOSWAP`, `SSPUSH`, `C.SSPUSH`, `C.SSPOPCHK`, and `SSPOPCHK` to be idempotent. 
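Review bot: the new step 5 leaves a gap for shadow stack loads to read-only pages. Changing the condition from `pte.xwr != 010b` to `pte.x == 1b` or `pte.w == 1b` means a leaf PTE with `pte.xwr == 001b` no longer raises the access-fault, and the read-only case is evidently meant to fall through to the generic `pte.r`, `pte.w`, `pte.x` permission check. That works for `SSPUSH`, `C.SSPUSH` and `SSAMOSWAP`, whose store/AMO is not allowed on a read-only page and therefore page-faults, but `SSPOPCHK` and `C.SSPOPCHK` perform a load, which the `pte.r` check permits on a `001b` page, so no exception is raised at all, contradicting the earlier hunk that says they cause a load page-fault on read-only pages. Suggest an explicit clause, e.g. "If the memory access is by a shadow stack instruction and `pte.xwr == 001b`, then cause a page-fault exception corresponding to the access type."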
@@ -881,10 +890,7 @@ Shadow stacks are expected to be bounded on each end using guard pages, so that no two shadow stacks are adjacent to each other. This guards against accidentally underflowing or overflowing from one shadow stack to another. Traditionally, a guard page for a stack is a page that is inaccessible to the process owning -the stack. For shadow stacks, the guard page may also be a non-shadow-stack -page that is otherwise accessible to the process owning the shadow stack -because shadow stack loads and stores to non-shadow-stack pages cause an -access-fault exception. +the stack. ==== The G-stage address translation and protections remain unaffected by the Zicfiss
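Review bot: deleting the last sentence of the note removes the only statement of how a guard page for a shadow stack differs from a traditional one, and the remaining text ("Traditionally, a guard page for a stack is a page that is inaccessible to the process owning the stack.") now reads as if the same requirement applies to shadow stacks. The rest of the patch still makes shadow stack accesses to writable or executable pages raise an access-fault, so the guidance remains true for those pages. Suggest replacing rather than deleting, e.g. "For shadow stacks, the guard page may also be a writable or executable non-shadow-stack page that is otherwise accessible to the process, because shadow stack loads and stores to such pages cause an access-fault exception; a read-only page would instead raise a page-fault, which the copy-on-write handling described above interprets differently."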