Add retguard macros for arm64 asm and apply them in the straightforward

cases in kernel and libc.
ok deraadt@

5 files changed, 88 insertions, 6 deletions

diff --git a/sys/arch/arm64/arm64/copy.S b/sys/arch/arm64/arm64/copy.S
index af9f015ec08..4ced221e81f 100644
--- a/sys/arch/arm64/arm64/copy.S
+++ b/sys/arch/arm64/arm64/copy.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: copy.S,v 1.4 2017/12/30 10:20:34 kettenis Exp $ */
+/* $OpenBSD: copy.S,v 1.5 2018/08/12 17:15:10 mortimer Exp $ */
 /*
  * Copyright (c) 2015 Dale Rahn <drahn@dalerahn.com>
  * Copyright (c) 2014 Patrick Wildt <patrick@blueri.se>
@@ -34,8 +34,10 @@
  * XXX should this assert that address spaces are correct for each address?
  */
 ENTRY(copyin)
+	RETGUARD_SETUP(copy, x15)
 	cbnz	x2, 1f
 	mov	x0, 0
+	RETGUARD_CHECK(copy, x15)
 	ret
 1:
 	mrs	x3, tpidr_el1			// load cpuinfo
@@ -53,11 +55,13 @@ ENTRY(copyin)
 
 	str	x4, [x3, #(PCB_ONFAULT)]	// clear handler
 	mov	x0, xzr
+	RETGUARD_CHECK(copy, x15)
 	ret
 
 .Lcopyfault:
 	mov	x0, #EFAULT
 	ldr	x4, [x3, #(PCB_ONFAULT)]
+	RETGUARD_CHECK(copy, x15)
 	ret
 
 /*
@@ -69,6 +73,7 @@ ENTRY(copyin)
  * XXX should this assert that address spaces are correct for each address?
  */
 ENTRY(copyin32)
+	RETGUARD_SETUP(copy, x15)
 	mrs	x3, tpidr_el1			// load cpuinfo
 	ldr	x3, [x3, #(CI_CURPCB)]
 	ldr	x4, [x3, #(PCB_ONFAULT)]
@@ -80,6 +85,7 @@ ENTRY(copyin32)
 
 	str	x4, [x3, #(PCB_ONFAULT)]	// clear handler
 	mov	x0, xzr
+	RETGUARD_CHECK(copy, x15)
 	ret
 
 /*
@@ -93,8 +99,10 @@ ENTRY(copyin32)
  */
 
 ENTRY(copyout)
+	RETGUARD_SETUP(copy, x15)
 	cbnz	x2, 1f
 	mov	x0, 0
+	RETGUARD_CHECK(copy, x15)
 	ret
 1:
 	mrs	x3, tpidr_el1			// load cpuinfo
@@ -112,6 +120,7 @@ ENTRY(copyout)
 
 	str	x4, [x3, #(PCB_ONFAULT)]	// clear handler
 	mov	x0, xzr
+	RETGUARD_CHECK(copy, x15)
 	ret
 
 /*
@@ -123,8 +132,10 @@ ENTRY(copyout)
  */
 
 ENTRY(kcopy)
+	RETGUARD_SETUP(copy, x15)
 	cbnz	x2, 1f
 	mov	x0, 0
+	RETGUARD_CHECK(copy, x15)
 	ret
 1:
 	mrs	x3, tpidr_el1			// load cpuinfo
@@ -141,4 +152,5 @@ ENTRY(kcopy)
 
 	str	x4, [x3, #(PCB_ONFAULT)]	// clear handler
 	mov	x0, xzr
+	RETGUARD_CHECK(copy, x15)
 	ret
diff --git a/sys/arch/arm64/arm64/copystr.S b/sys/arch/arm64/arm64/copystr.S
index 3c13b3a2a24..6273584b6ef 100644
--- a/sys/arch/arm64/arm64/copystr.S
+++ b/sys/arch/arm64/arm64/copystr.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: copystr.S,v 1.3 2017/02/15 21:39:50 patrick Exp $ */
+/* $OpenBSD: copystr.S,v 1.4 2018/08/12 17:15:10 mortimer Exp $ */
 /*
  * Copyright (c) 2015 Dale Rahn <drahn@dalerahn.com>
  * Copyright (c) 2014 Patrick Wildt <patrick@blueri.se>
@@ -35,6 +35,7 @@
  * Copy string from x0 to x1
  */
 ENTRY(copystr)
+	RETGUARD_SETUP(copystr, x15)
 	mrs	x6, tpidr_el1			// load curcpu
 	ldr	x6, [x6, #(CI_CURPCB)]
 	ldr	x5, [x6, #(PCB_ONFAULT)]
@@ -65,6 +66,7 @@ ENTRY(copystr)
 	str	x8, [x3]
 2:
 	str	x5, [x6, #(PCB_ONFAULT)]
+	RETGUARD_CHECK(copystr, x15)
 	ret
 
 /*
@@ -76,6 +78,7 @@ ENTRY(copystr)
  * Copy string from user space to kernel space
  */
 ENTRY(copyinstr)
+	RETGUARD_SETUP(copystr, x15)
 	mrs	x6, tpidr_el1			// load curcpu
 	ldr	x6, [x6, #(CI_CURPCB)]
 	ldr	x5, [x6, #(PCB_ONFAULT)]
@@ -104,6 +107,7 @@ ENTRY(copyinstr)
  * Copy string from kernel space to user space
  */
 ENTRY(copyoutstr)
+	RETGUARD_SETUP(copystr, x15)
 	mrs	x6, tpidr_el1			// load curcpu
 	ldr	x6, [x6, #(CI_CURPCB)]
 	ldr	x5, [x6, #(PCB_ONFAULT)]
diff --git a/sys/arch/arm64/arm64/cpufunc_asm.S b/sys/arch/arm64/arm64/cpufunc_asm.S
index 94a127df330..44c5272a48c 100644
--- a/sys/arch/arm64/arm64/cpufunc_asm.S
+++ b/sys/arch/arm64/arm64/cpufunc_asm.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: cpufunc_asm.S,v 1.4 2018/01/10 23:27:18 kettenis Exp $ */
+/* $OpenBSD: cpufunc_asm.S,v 1.5 2018/08/12 17:15:10 mortimer Exp $ */
 /*-
  * Copyright (c) 2014 Robin Randhawa
  * Copyright (c) 2015 The FreeBSD Foundation
@@ -71,7 +71,6 @@
 .if \ic != 0
 	isb
 .endif
-	ret
 .endm
 
 /*
@@ -79,44 +78,54 @@
  */
 
 ENTRY(cpu_setttb)
+	RETGUARD_SETUP(cpu_setttb, x15)
 	mrs	x2, ttbr1_el1
 	bfi	x2, x0, #48, #16
 	msr	ttbr1_el1, x2
 	isb
 	msr	ttbr0_el1, x1
 	isb
+	RETGUARD_CHECK(cpu_setttb, x15)
 	ret
 END(cpu_setttb)
 
 ENTRY(cpu_tlb_flush)
+	RETGUARD_SETUP(cpu_tlb_flush, x15)
 	dsb	ishst
 	tlbi	vmalle1is
 	dsb	ish
 	isb
+	RETGUARD_CHECK(cpu_tlb_flush, x15)
 	ret
 END(cpu_tlb_flush)
 
 ENTRY(cpu_tlb_flush_asid)
+	RETGUARD_SETUP(cpu_tlb_flush_asid, x15)
 	dsb	ishst
 	tlbi	vae1is, x0
 	dsb	ish
 	isb
+	RETGUARD_CHECK(cpu_tlb_flush_asid, x15)
 	ret
 END(cpu_tlb_flush_asid)
 
 ENTRY(cpu_tlb_flush_all_asid)
+	RETGUARD_SETUP(cpu_tlb_flush_all_asid, x15)
 	dsb	ishst
 	tlbi	vaale1is, x0
 	dsb	ish
 	isb
+	RETGUARD_CHECK(cpu_tlb_flush_all_asid, x15)
 	ret
 END(cpu_tlb_flush_all_asid)
 
 ENTRY(cpu_tlb_flush_asid_all)
+	RETGUARD_SETUP(cpu_tlb_flush_asid_all, x15)
 	dsb	ishst
 	tlbi	aside1is, x0
 	dsb	ish
 	isb
+	RETGUARD_CHECK(cpu_tlb_flush_asid_all, x15)
 	ret
 END(cpu_tlb_flush_asid_all)
 
@@ -124,14 +133,20 @@ END(cpu_tlb_flush_asid_all)
  * void cpu_dcache_wb_range(vaddr_t, vsize_t)
  */
 ENTRY(cpu_dcache_wb_range)
+	RETGUARD_SETUP(cpu_dcache_wb_range, x15)
 	cache_handle_range	dcop = cvac
+	RETGUARD_CHECK(cpu_dcache_wb_range, x15)
+	ret
 END(cpu_dcache_wb_range)
 
 /*
  * void cpu_dcache_wbinv_range(vaddr_t, vsize_t)
  */
 ENTRY(cpu_dcache_wbinv_range)
+	RETGUARD_SETUP(cpu_dcache_wbinv_range, x15)
 	cache_handle_range	dcop = civac
+	RETGUARD_CHECK(cpu_dcache_wbinv_range, x15)
+	ret
 END(cpu_dcache_wbinv_range)
 
 /*
@@ -141,19 +156,28 @@ END(cpu_dcache_wbinv_range)
  * must use wb-inv of the entire cache.
  */
 ENTRY(cpu_dcache_inv_range)
+	RETGUARD_SETUP(cpu_dcache_inv_range, x15)
 	cache_handle_range	dcop = ivac
+	RETGUARD_CHECK(cpu_dcache_inv_range, x15)
+	ret
 END(cpu_dcache_inv_range)
 
 /*
  * void cpu_idcache_wbinv_range(vaddr_t, vsize_t)
  */
 ENTRY(cpu_idcache_wbinv_range)
+	RETGUARD_SETUP(cpu_idcache_wbinv_range, x15)
 	cache_handle_range	dcop = civac, ic = 1, icop = ivau
+	RETGUARD_CHECK(cpu_idcache_wbinv_range, x15)
+	ret
 END(cpu_idcache_wbinv_range)
 
 /*
  * void cpu_icache_sync_range(vaddr_t, vsize_t)
  */
 ENTRY(cpu_icache_sync_range)
+	RETGUARD_SETUP(cpu_icache_sync_range, x15)
 	cache_handle_range	dcop = cvau, ic = 1, icop = ivau
+	RETGUARD_CHECK(cpu_icache_sync_range, x15)
+	ret
 END(cpu_icache_sync_range)
diff --git a/sys/arch/arm64/arm64/support.S b/sys/arch/arm64/arm64/support.S
index ea0212b59ae..765327627ba 100644
--- a/sys/arch/arm64/arm64/support.S
+++ b/sys/arch/arm64/arm64/support.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: support.S,v 1.6 2017/08/09 03:06:55 jsg Exp $ */
+/* $OpenBSD: support.S,v 1.7 2018/08/12 17:15:10 mortimer Exp $ */
 /*-
  * Copyright (c) 2014 Andrew Turner
  * Copyright (c) 2014-2015 The FreeBSD Foundation
@@ -83,6 +83,7 @@ END(longjmp)
  * pagezero, simple implementation
  */
 ENTRY(pagezero_simple)
+	RETGUARD_SETUP(pagezero_simple, x15)
 	add	x1, x0, #PAGE_SIZE
 
 1:
@@ -92,6 +93,7 @@ ENTRY(pagezero_simple)
 	stp	xzr, xzr, [x0], #0x10
 	cmp	x0, x1
 	b.ne	1b
+	RETGUARD_CHECK(pagezero_simple, x15)
 	ret
 
 END(pagezero_simple)
@@ -100,6 +102,7 @@ END(pagezero_simple)
  * pagezero, cache assisted
  */
 ENTRY(pagezero_cache)
+	RETGUARD_SETUP(pagezero_cache, x15)
 	add	x1, x0, #PAGE_SIZE
 
 	ldr	x2, =dczva_line_size
@@ -110,6 +113,7 @@ ENTRY(pagezero_cache)
 	add	x0, x0, x2
 	cmp	x0, x1
 	b.ne	1b
+	RETGUARD_CHECK(pagezero_cache, x15)
 	ret
 
 END(pagezero_cache)
diff --git a/sys/arch/arm64/include/asm.h b/sys/arch/arm64/include/asm.h
index 35c911f7cf5..f31386ea4d1 100644
--- a/sys/arch/arm64/include/asm.h
+++ b/sys/arch/arm64/include/asm.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: asm.h,v 1.3 2017/06/29 17:36:16 deraadt Exp $	*/
+/*	$OpenBSD: asm.h,v 1.4 2018/08/12 17:15:10 mortimer Exp $	*/
 /*	$NetBSD: asm.h,v 1.4 2001/07/16 05:43:32 matt Exp $	*/
 
 /*
@@ -82,6 +82,44 @@
 # define _PROF_PROLOGUE
 #endif
 
+#if defined(_RET_PROTECTOR)
+# define RETGUARD_SETUP(x, reg) \
+	RETGUARD_SYMBOL(x); \
+	adrp    reg, __CONCAT(__retguard_, x); \
+	ldr     reg, [reg, :lo12:__CONCAT(__retguard_, x)]; \
+	eor     reg, reg, x30
+# define RETGUARD_CHECK(x, reg) \
+	eor     reg, reg, x30; \
+	adrp    x9, __CONCAT(__retguard_, x); \
+	ldr     x9, [x9, :lo12:__CONCAT(__retguard_, x)]; \
+	subs    reg, reg, x9; \
+	cbz     reg, 66f; \
+	brk     #0x1; \
+66:
+# define RETGUARD_PUSH(reg) \
+	str     reg, [sp, #-16]!
+# define RETGUARD_POP(reg) \
+	ldr     reg, [sp, #16]!
+# define RETGUARD_SYMBOL(x) \
+	.ifndef __CONCAT(__retguard_, x); \
+	.hidden __CONCAT(__retguard_, x); \
+	.type   __CONCAT(__retguard_, x),@object; \
+	.pushsection .openbsd.randomdata.retguard,"aw",@progbits; \
+	.weak   __CONCAT(__retguard_, x); \
+	.p2align 3; \
+	__CONCAT(__retguard_, x): ; \
+	.xword 0; \
+	.size __CONCAT(__retguard_, x), 8; \
+	.popsection; \
+	.endif
+#else
+# define RETGUARD_SETUP(x, reg)
+# define RETGUARD_CHECK(x, reg)
+# define RETGUARD_PUSH(reg)
+# define RETGUARD_POP(reg)
+# define RETGUARD_SYMBOL(x)
+#endif
+
 #define	ENTRY(y)	_ENTRY(_C_LABEL(y)); _PROF_PROLOGUE
 #define	ENTRY_NP(y)	_ENTRY(_C_LABEL(y))
 #define	ASENTRY(y)	_ENTRY(_ASM_LABEL(y)); _PROF_PROLOGUE