[all-commits] [llvm/llvm-project] 61f25d: [ARM][CMSE] Clear the secure fp-registers when usi...
Alexandros Lamprineas via All-commits
all-commits at lists.llvm.org
Thu Sep 16 05:16:51 PDT 2021
Branch: refs/heads/main
Home: https://github.com/llvm/llvm-project
Commit: 61f25daa8d1b69dd5138facd5d57a8e3dfa0c5cc
https://github.com/llvm/llvm-project/commit/61f25daa8d1b69dd5138facd5d57a8e3dfa0c5cc
Author: Alexandros Lamprineas <alexandros.lamprineas at arm.com>
Date: 2021-09-16 (Thu, 16 Sep 2021)
Changed paths:
M llvm/lib/Target/ARM/ARMExpandPseudoInsts.cpp
M llvm/test/CodeGen/ARM/cmse-clear.ll
M llvm/test/CodeGen/ARM/cmse.ll
Log Message:
-----------
[ARM][CMSE] Clear the secure fp-registers when using softfp abi.
When expanding the non-secure call instruction we are emitting code
to clear the secure floating-point registers only if the targeted
architecture has floating-point support. The potential problem is
when the source code containing non-secure calls is built with
-mfloat-abi=soft but some other part of the system has been built
with -mfloat-abi=softfp (soft and softfp are compatible as they use
the same procedure calling standard). In this case floating-point
registers could leak to non-secure state as the non-secure won't
have cleared them assuming no floating point has been used.
Differential Revision: https://reviews.llvm.org/D109153
Commit: 1bd5ea968e9262a09512a64bca1624818640bc5b
https://github.com/llvm/llvm-project/commit/1bd5ea968e9262a09512a64bca1624818640bc5b
Author: Alexandros Lamprineas <alexandros.lamprineas at arm.com>
Date: 2021-09-16 (Thu, 16 Sep 2021)
Changed paths:
M clang/docs/ClangCommandLineReference.rst
M clang/include/clang/Driver/Options.td
M clang/lib/Driver/ToolChains/Arch/ARM.cpp
A clang/test/Driver/arm-cmse-cve-2021-35465.c
M llvm/lib/Target/ARM/ARM.td
M llvm/lib/Target/ARM/ARMExpandPseudoInsts.cpp
M llvm/lib/Target/ARM/ARMSubtarget.h
A llvm/test/CodeGen/ARM/cmse-cve-2021-35465-return.ll
A llvm/test/CodeGen/ARM/cmse-cve-2021-35465.ll
M llvm/test/CodeGen/ARM/cmse-vlldm-no-reorder.mir
Log Message:
-----------
[ARM] Mitigate the cve-2021-35465 security vulnerability.
Recently a vulnerability issue was found in the implementation of the VLLDM
instruction in the Arm Cortex-M33, Cortex-M35P and Cortex-M55. If the
VLLDM instruction is abandoned due to an exception when it is partially
completed, it is possible for a subsequent non-secure handler to access
and modify the partially restored register values. This vulnerability is
identified as CVE-2021-35465.
The mitigation sequence varies between v8-m and v8.1-m as follows:

v8-m.main
---------
    mrs     r5, control
    tst     r5, #8          /* CONTROL_S.SFPA */
    it      ne
    .inst.w 0xeeb00a40      /* vmovne s0, s0 */
1:
    vlldm   sp              /* Lazy restore of d0-d16 and FPSCR. */

v8.1-m.main
-----------
    vscclrm {vpr}           /* Clear VPR. */
    vlldm   sp              /* Lazy restore of d0-d16 and FPSCR. */

More details on
developer.arm.com/support/arm-security-updates/vlldm-instruction-security-vulnerability
Differential Revision: https://reviews.llvm.org/D109157
Compare: https://github.com/llvm/llvm-project/compare/054e331d9dbd...1bd5ea968e92
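
An added example, not part of these commits or of LLVM: a text-level check that every vlldm in an assembly listing is directly preceded by one of the two mitigation sequences quoted in the second log message. The function names and the sample listing are constructed for illustration, and accepting the guard written as a vmovne mnemonic as well as the .inst.w encoding is an assumption.

```python
import re

def _insns(asm):
    """Yield (line_no, mnemonic, operands); skip comments, blank lines and labels."""
    for no, raw in enumerate(asm.splitlines(), 1):
        line = re.sub(r"/\*.*?\*/|@.*$", "", raw).strip()
        if not line or line.endswith(":"):
            continue
        parts = line.split(None, 1) + [""]
        yield no, parts[0].lower(), re.sub(r"\s+", "", parts[1]).lower()

def _v81m_guard(prev):
    # v8.1-m.main: vscclrm {vpr} immediately before vlldm
    return bool(prev) and prev[-1][1:] == ("vscclrm", "{vpr}")

def _v8m_guard(prev):
    # v8-m.main: mrs rN, control / tst rN, #8 / it ne / vmovne s0, s0
    if len(prev) < 4:
        return False
    (_, m1, o1), (_, m2, o2), (_, m3, o3), (_, m4, o4) = prev[-4:]
    reg = o1.split(",")[0]
    nop = (m4 == ".inst.w" and o4 == "0xeeb00a40") or \
          (m4.startswith("vmovne") and o4 == "s0,s0")  # assumed mnemonic form
    return (m1 == "mrs" and o1 == reg + ",control" and m2 == "tst"
            and o2 == reg + ",#8" and (m3, o3) == ("it", "ne") and nop)

def unmitigated_vlldm(asm):
    """Return source line numbers of vlldm instructions lacking either guard."""
    insns = list(_insns(asm))
    return [no for i, (no, m, _) in enumerate(insns)
            if m == "vlldm"
            and not (_v81m_guard(insns[:i]) or _v8m_guard(insns[:i]))]

# Constructed listing: two guarded restores and one bare vlldm (line 15).
SAMPLE = """\
ns_call_v8m:
    mrs     r5, control
    tst     r5, #8          /* CONTROL_S.SFPA */
    it      ne
    .inst.w 0xeeb00a40      /* vmovne s0, s0 */
1:
    vlldm   sp
    bx      lr
ns_call_v81m:
    vscclrm {vpr}
    vlldm   sp
    bx      lr
ns_call_bare:
    blxns   r4
    vlldm   sp
    bx      lr
"""

if __name__ == "__main__":
    print(unmitigated_vlldm(SAMPLE))
```
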