Switcher fixes from #320 #326
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add some static assertions to check the switcher's requirement that these structures have sufficiently compatible layout.
It's important to check the right register when deciding not to zero the stack. Co-authored-by: Robert Norton <[email protected]>
Partially addresses #321 , but is not the end of it. Co-authored-by: Robert Norton <[email protected]>
We were not installing the correct thing into ct0 (which would then get moved into csp) prior to reaching .Linvoke_error_handler when the thread was in its initial compartment invocation. FIXES: #321
Don't forcibly unwind if the invoker has exhausted its stack, just return an error. Certain other "unlikely to work well" scenarios (such as stripping store permission from csp before invoking the switcher) can also trigger this "just an error" logic. However, the defenses against invoking the callee with a bad stack remain and will catch things like "stripping capability handling permission from csp". Add a test to ensure that this is what happens. In terms of implementation, this causes the trap handler (exception_entry_asm) to `mret` to a `cjalr ra` (`cret`) instruction at the end of the switcher function while clobbering only caller-ignored registers (t2 in __Z26compartment_switcher_entryz) and the return registers (a0, a1) to signal the error code. Thanks to Murali for brainstorming and pointing out deficiencies in other approaches. Co-authored-by: Murali Vijayaraghavan <[email protected]>
Ever since #297 landed, we have code that relies on the stack top being bounded per invocation. Rather than make CONFIG_NO_SWITCHER_SAFETY work again, it's probably better to just remove it.
Don't let the stack go out of bounds before we check whether there is enough room.
davidchisnall
approved these changes
Oct 29, 2024
nwf
added a commit
that referenced
this pull request
Oct 30, 2024
GitHub makes it easy to erase useful information. Attempt to partially compensate for my mistake by recovering the commit history of #326 as one parent of this merge; both parents have identical associated trees.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
#320 is taking a while since it's a sizable amount of prose. Pull the end-user visible changes off the bottom and make them their own PR.