Index: clang/docs/ClangCommandLineReference.rst =================================================================== --- clang/docs/ClangCommandLineReference.rst +++ clang/docs/ClangCommandLineReference.rst @@ -3228,6 +3228,10 @@ Allow use of CMSE (Armv8-M Security Extensions) +.. option:: -mfix-cmse-cve-2021-35465, -mno-fix-cmse-cve-2021-35465 + +Enable the cve-2021-35465 security vulnerability mitigation (ARM only). + .. option:: -mexecute-only, -mno-execute-only, -mpure-code Disallow generation of data access to code sections (ARM only) Index: clang/include/clang/Driver/Options.td =================================================================== --- clang/include/clang/Driver/Options.td +++ clang/include/clang/Driver/Options.td @@ -3274,6 +3274,12 @@ def mgeneral_regs_only : Flag<["-"], "mgeneral-regs-only">, Group, HelpText<"Generate code which only uses the general purpose registers (AArch64/x86 only)">; +def mfix_cmse_cve_2021_35465 : Flag<["-"], "mfix-cmse-cve-2021-35465">, + Group, + HelpText<"Work around VLLDM erratum CVE-2021-35465 (ARM only)">; +def mno_fix_cmse_cve_2021_35465 : Flag<["-"], "mno-fix-cmse-cve-2021-35465">, + Group, + HelpText<"Don't work around VLLDM erratum CVE-2021-35465 (ARM only)">; def mfix_cortex_a53_835769 : Flag<["-"], "mfix-cortex-a53-835769">, Group, HelpText<"Workaround Cortex-A53 erratum 835769 (AArch64 only)">; Index: clang/lib/Driver/ToolChains/Arch/ARM.cpp =================================================================== --- clang/lib/Driver/ToolChains/Arch/ARM.cpp +++ clang/lib/Driver/ToolChains/Arch/ARM.cpp @@ -705,6 +705,18 @@ if (Args.getLastArg(options::OPT_mcmse)) Features.push_back("+8msecext"); + if (Arg *A = Args.getLastArg(options::OPT_mfix_cmse_cve_2021_35465, + options::OPT_mno_fix_cmse_cve_2021_35465)) { + if (!Args.getLastArg(options::OPT_mcmse)) + D.Diag(diag::err_opt_not_valid_without_opt) + << A->getOption().getName() << "-mcmse"; + + if (A->getOption().matches(options::OPT_mfix_cmse_cve_2021_35465)) + Features.push_back("+fix-cmse-cve-2021-35465"); + else + Features.push_back("-fix-cmse-cve-2021-35465"); + } + // Look for the last occurrence of -mlong-calls or -mno-long-calls. If // neither options are specified, see if we are compiling for kernel/kext and // decide whether to pass "+long-calls" based on the OS and its version. Index: clang/test/Driver/arm-cmse-cve-2021-35465.c =================================================================== --- /dev/null +++ clang/test/Driver/arm-cmse-cve-2021-35465.c @@ -0,0 +1,45 @@ +// Disable the fix +// +// RUN: %clang --target=arm-arm-none-eabi -march=armv8-m.main %s -### \ +// RUN: -mcmse -mno-fix-cmse-cve-2021-35465 2>&1 |\ +// RUN: FileCheck %s --check-prefix=CHECK-NOFIX +// +// RUN: %clang --target=arm-arm-none-eabi -march=armv8.1-m.main %s -### \ +// RUN: -mcmse -mno-fix-cmse-cve-2021-35465 2>&1 |\ +// RUN: FileCheck %s --check-prefix=CHECK-NOFIX +// +// RUN: %clang --target=arm-arm-none-eabi -march=armv8-m.main %s -### \ +// RUN: -mcmse -mfix-cmse-cve-2021-35465 -mno-fix-cmse-cve-2021-35465 2>&1 |\ +// RUN: FileCheck %s --check-prefix=CHECK-NOFIX +// +// CHECK-NOFIX: "-target-feature" "-fix-cmse-cve-2021-35465" + + +// Enable the fix +// +// RUN: %clang --target=arm-arm-none-eabi -march=armv8-m.main %s -### \ +// RUN: -mcmse -mfix-cmse-cve-2021-35465 2>&1 |\ +// RUN: FileCheck %s --check-prefix=CHECK-FIX +// +// RUN: %clang --target=arm-arm-none-eabi -march=armv8.1-m.main %s -### \ +// RUN: -mcmse -mfix-cmse-cve-2021-35465 2>&1 |\ +// RUN: FileCheck %s --check-prefix=CHECK-FIX +// +// RUN: %clang --target=arm-arm-none-eabi -march=armv8-m.main %s -### \ +// RUN: -mcmse -mno-fix-cmse-cve-2021-35465 -mfix-cmse-cve-2021-35465 2>&1 |\ +// RUN: FileCheck %s --check-prefix=CHECK-FIX +// +// CHECK-FIX: "-target-feature" "+fix-cmse-cve-2021-35465" + + +// Diagnose the option when used without -mcmse +// +// RUN: %clang --target=arm-arm-none-eabi -march=armv8-m.main %s -### \ +// RUN: -mfix-cmse-cve-2021-35465 2>&1 |\ +// RUN: FileCheck %s --check-prefix=CHECK-DIAG +// +// RUN: %clang --target=arm-arm-none-eabi -march=armv8.1-m.main %s -### \ +// RUN: -mno-fix-cmse-cve-2021-35465 2>&1 |\ +// RUN: FileCheck %s --check-prefix=CHECK-DIAG +// +// CHECK-DIAG: error: option 'm{{.*}}fix-cmse-cve-2021-35465' cannot be specified without '-mcmse' Index: llvm/lib/Target/ARM/ARM.td =================================================================== --- llvm/lib/Target/ARM/ARM.td +++ llvm/lib/Target/ARM/ARM.td @@ -437,6 +437,11 @@ "Enable Low Overhead Branch " "extensions">; +def FeatureFixCMSE_CVE_2021_35465 : SubtargetFeature<"fix-cmse-cve-2021-35465", + "FixCMSE_CVE_2021_35465", "true", + "Mitigate against the cve-2021-35465 " + "security vulnurability">; + //===----------------------------------------------------------------------===// // ARM architecture class // @@ -1213,7 +1218,8 @@ FeatureHasSlowFPVMLx, FeatureHasSlowFPVFMx, FeatureUseMISched, - FeatureHasNoBranchPredictor]>; + FeatureHasNoBranchPredictor, + FeatureFixCMSE_CVE_2021_35465]>; def : ProcessorModel<"cortex-m35p", CortexM4Model, [ARMv8mMainline, FeatureDSP, @@ -1222,7 +1228,8 @@ FeatureHasSlowFPVMLx, FeatureHasSlowFPVFMx, FeatureUseMISched, - FeatureHasNoBranchPredictor]>; + FeatureHasNoBranchPredictor, + FeatureFixCMSE_CVE_2021_35465]>; def : ProcessorModel<"cortex-m55", CortexM4Model, [ARMv81mMainline, FeatureDSP, @@ -1231,7 +1238,8 @@ FeatureHasNoBranchPredictor, FeaturePrefLoopAlign32, FeatureHasSlowFPVMLx, - HasMVEFloatOps]>; + HasMVEFloatOps, + FeatureFixCMSE_CVE_2021_35465]>; def : ProcNoItin<"cortex-a32", [ARMv8a, FeatureHWDivThumb, Index: llvm/lib/Target/ARM/ARMExpandPseudoInsts.cpp =================================================================== --- llvm/lib/Target/ARM/ARMExpandPseudoInsts.cpp +++ llvm/lib/Target/ARM/ARMExpandPseudoInsts.cpp @@ -1534,6 +1534,11 @@ MachineBasicBlock &MBB, MachineBasicBlock::iterator MBBI, DebugLoc &DL, SmallVectorImpl &AvailableRegs) { + // Keep a scratch register for the mitigation sequence. + unsigned ScratchReg = ARM::NoRegister; + if (STI->fixCMSE_CVE_2021_35465()) + ScratchReg = AvailableRegs.pop_back_val(); + // Use AvailableRegs to store the fp regs std::vector> ClearedFPRegs; std::vector NonclearedFPRegs; @@ -1582,12 +1587,14 @@ // Push FP regs that cannot be restored via normal registers on the stack for (unsigned Reg : NonclearedFPRegs) { if (ARM::DPR_VFP2RegClass.contains(Reg)) - BuildMI(MBB, MBBI, DL, TII->get(ARM::VSTRD), Reg) + BuildMI(MBB, MBBI, DL, TII->get(ARM::VSTRD)) + .addReg(Reg) .addReg(ARM::SP) .addImm((Reg - ARM::D0) * 2) .add(predOps(ARMCC::AL)); else if (ARM::SPRRegClass.contains(Reg)) - BuildMI(MBB, MBBI, DL, TII->get(ARM::VSTRS), Reg) + BuildMI(MBB, MBBI, DL, TII->get(ARM::VSTRS)) + .addReg(Reg) .addReg(ARM::SP) .addImm(Reg - ARM::S0) .add(predOps(ARMCC::AL)); @@ -1595,9 +1602,41 @@ // Lazy load fp regs from stack. // This executes as NOP in the absence of floating-point support. - BuildMI(MBB, MBBI, DL, TII->get(ARM::VLLDM)) - .addReg(ARM::SP) - .add(predOps(ARMCC::AL)); + MachineInstrBuilder VLLDM = BuildMI(MBB, MBBI, DL, TII->get(ARM::VLLDM)) + .addReg(ARM::SP) + .add(predOps(ARMCC::AL)); + + if (STI->fixCMSE_CVE_2021_35465()) { + auto Bundler = MIBundleBuilder(MBB, VLLDM); + // Read the CONTROL register. + Bundler.append(BuildMI(*MBB.getParent(), DL, TII->get(ARM::t2MRS_M)) + .addReg(ScratchReg, RegState::Define) + .addImm(20) + .add(predOps(ARMCC::AL))); + // Check bit 3 (SFPA). + Bundler.append(BuildMI(*MBB.getParent(), DL, TII->get(ARM::t2TSTri)) + .addReg(ScratchReg) + .addImm(8) + .add(predOps(ARMCC::AL))); + // Emit the IT block. + Bundler.append(BuildMI(*MBB.getParent(), DL, TII->get(ARM::t2IT)) + .addImm(ARMCC::NE) + .addImm(8)); + // If SFPA is clear jump over to VLLDM, otherwise execute an instruction + // which has no functional effect apart from causing context creation: + // vmovne s0, s0. In the absence of FPU we emit .inst.w 0xeeb00a40, + // which is defined as NOP if not executed. + if (STI->hasFPRegs()) + Bundler.append(BuildMI(*MBB.getParent(), DL, TII->get(ARM::VMOVS)) + .addReg(ARM::S0, RegState::Define) + .addReg(ARM::S0, RegState::Undef) + .add(predOps(ARMCC::NE))); + else + Bundler.append(BuildMI(*MBB.getParent(), DL, TII->get(ARM::INLINEASM)) + .addExternalSymbol(".inst.w 0xeeb00a40") + .addImm(InlineAsm::Extra_HasSideEffects)); + finalizeBundle(MBB, Bundler.begin(), Bundler.end()); + } // Restore all FP registers via normal registers for (const auto &Regs : ClearedFPRegs) { @@ -1638,6 +1677,12 @@ MachineBasicBlock &MBB, MachineBasicBlock::iterator MBBI, DebugLoc &DL, SmallVectorImpl &AvailableRegs) { if (!definesOrUsesFPReg(*MBBI)) { + if (STI->fixCMSE_CVE_2021_35465()) { + BuildMI(MBB, MBBI, DL, TII->get(ARM::VSCCLRMS)) + .add(predOps(ARMCC::AL)) + .addReg(ARM::VPR, RegState::Define); + } + // Load FP registers from stack. BuildMI(MBB, MBBI, DL, TII->get(ARM::VLLDM)) .addReg(ARM::SP) Index: llvm/lib/Target/ARM/ARMSubtarget.h =================================================================== --- llvm/lib/Target/ARM/ARMSubtarget.h +++ llvm/lib/Target/ARM/ARMSubtarget.h @@ -468,6 +468,9 @@ /// cannot be encoded. For example, ADD r0, r1, #FFFFFFFF -> SUB r0, r1, #1. bool NegativeImmediates = true; + /// Mitigate against the cve-2021-35465 security vulnurability. + bool FixCMSE_CVE_2021_35465 = false; + /// Harden against Straight Line Speculation for Returns and Indirect /// Branches. bool HardenSlsRetBr = false; @@ -934,6 +937,8 @@ unsigned PhysReg) const override; unsigned getGPRAllocationOrder(const MachineFunction &MF) const; + bool fixCMSE_CVE_2021_35465() const { return FixCMSE_CVE_2021_35465; } + bool hardenSlsRetBr() const { return HardenSlsRetBr; } bool hardenSlsBlr() const { return HardenSlsBlr; } bool hardenSlsNoComdat() const { return HardenSlsNoComdat; } Index: llvm/test/CodeGen/ARM/cmse-cve-2021-35465-return.ll =================================================================== --- /dev/null +++ llvm/test/CodeGen/ARM/cmse-cve-2021-35465-return.ll @@ -0,0 +1,69 @@ +; NOTE: Assertions have been autogenerated by utils/update_llc_test_checks.py +; +; RUN: llc %s -o - -mtriple=thumbv8m.main -verify-machineinstrs \ +; RUN: -mattr=+fp-armv8d16sp,+fix-cmse-cve-2021-35465 -float-abi=hard | \ +; RUN: FileCheck %s --check-prefix=CHECK-8M-FP-CVE-2021-35465 + +%indirect = type { double, double, double, double, double, double, double, double } + +define %indirect @func(%indirect (float, i32, double, i32, float, i32, float, i32, double, double, double, double, float, float)* %fu, float %a, i32 %b, double %c, i32 %d, float %e, i32 %f, float %g, i32 %h, double %i, double %j, double %k, double %l, float %m, float %n) { +; CHECK-8M-FP-CVE-2021-35465-LABEL: func: +; CHECK-8M-FP-CVE-2021-35465: @ %bb.0: @ %entry +; CHECK-8M-FP-CVE-2021-35465-NEXT: push {r7, lr} +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov lr, r3 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r12, r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r0, r1 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r1, r2 +; CHECK-8M-FP-CVE-2021-35465-NEXT: ldr r3, [sp, #8] +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r2, lr +; CHECK-8M-FP-CVE-2021-35465-NEXT: push.w {r4, r5, r6, r7, r8, r9, r10, r11} +; CHECK-8M-FP-CVE-2021-35465-NEXT: bic r12, r12, #1 +; CHECK-8M-FP-CVE-2021-35465-NEXT: sub sp, #136 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov r4, s5 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov r11, s0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov r9, r10, d1 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov r8, s1 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov r7, s4 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov r5, r6, d3 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vlstm sp +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov s0, r11 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov d1, r9, r10 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov s1, r8 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov s4, r7 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov d3, r5, r6 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov s5, r4 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vldr d4, [sp, #32] +; CHECK-8M-FP-CVE-2021-35465-NEXT: vldr d5, [sp, #40] +; CHECK-8M-FP-CVE-2021-35465-NEXT: vldr d6, [sp, #48] +; CHECK-8M-FP-CVE-2021-35465-NEXT: vldr s14, [sp, #56] +; CHECK-8M-FP-CVE-2021-35465-NEXT: ldr r4, [sp, #64] +; CHECK-8M-FP-CVE-2021-35465-NEXT: bic r4, r4, #159 +; CHECK-8M-FP-CVE-2021-35465-NEXT: bic r4, r4, #4026531840 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmsr fpscr, r4 +; CHECK-8M-FP-CVE-2021-35465-NEXT: msr apsr_nzcvq, r12 +; CHECK-8M-FP-CVE-2021-35465-NEXT: blxns r12 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov r9, r10, d0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vstr d3, [sp, #24] +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov r7, r8, d1 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vstr d4, [sp, #32] +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov r5, r6, d2 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vstr d5, [sp, #40] +; CHECK-8M-FP-CVE-2021-35465-NEXT: vstr d6, [sp, #48] +; CHECK-8M-FP-CVE-2021-35465-NEXT: vstr d7, [sp, #56] +; CHECK-8M-FP-CVE-2021-35465-NEXT: mrs r11, control +; CHECK-8M-FP-CVE-2021-35465-NEXT: tst.w r11, #8 +; CHECK-8M-FP-CVE-2021-35465-NEXT: it ne +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmovne.f32 s0, s0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vlldm sp +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov d0, r9, r10 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov d1, r7, r8 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmov d2, r5, r6 +; CHECK-8M-FP-CVE-2021-35465-NEXT: add sp, #136 +; CHECK-8M-FP-CVE-2021-35465-NEXT: pop.w {r4, r5, r6, r7, r8, r9, r10, r11} +; CHECK-8M-FP-CVE-2021-35465-NEXT: pop {r7, pc} +entry: + %res = call %indirect %fu(float %a, i32 %b, double %c, i32 %d, float %e, i32 %f, float %g, i32 %h, double %i, double %j, double %k, double %l, float %m, float %n) #0 + ret %indirect %res +} + +attributes #0 = { "cmse_nonsecure_call" } Index: llvm/test/CodeGen/ARM/cmse-cve-2021-35465.ll =================================================================== --- /dev/null +++ llvm/test/CodeGen/ARM/cmse-cve-2021-35465.ll @@ -0,0 +1,119 @@ +; NOTE: Assertions have been autogenerated by utils/update_llc_test_checks.py +; +; RUN: llc %s -o - -mtriple=thumbv8m.main -verify-machineinstrs \ +; RUN: -mattr=+fp-armv8d16sp,+fix-cmse-cve-2021-35465 | \ +; RUN: FileCheck %s --check-prefix=CHECK-8M-FP-CVE-2021-35465 +; +; RUN: llc %s -o - -mtriple=thumbv8m.main -mcpu=cortex-m33 -verify-machineinstrs | \ +; RUN: FileCheck %s --check-prefix=CHECK-8M-FP-CVE-2021-35465 +; +; RUN: llc %s -o - -mtriple=thumbv8m.main -mcpu=cortex-m35p -verify-machineinstrs | \ +; RUN: FileCheck %s --check-prefix=CHECK-8M-FP-CVE-2021-35465 +; +; RUN: llc %s -o - -mtriple=thumbv8m.main -verify-machineinstrs \ +; RUN: -mattr=-fpregs,+fix-cmse-cve-2021-35465 | \ +; RUN: FileCheck %s --check-prefix=CHECK-8M-NOFP-CVE-2021-35465 +; +; RUN: llc %s -o - -mtriple=thumbv8m.main -mcpu=cortex-m33 -mattr=-fpregs -verify-machineinstrs | \ +; RUN: FileCheck %s --check-prefix=CHECK-8M-NOFP-CVE-2021-35465 +; +; RUN: llc %s -o - -mtriple=thumbv8m.main -mcpu=cortex-m35p -mattr=-fpregs -verify-machineinstrs | \ +; RUN: FileCheck %s --check-prefix=CHECK-8M-NOFP-CVE-2021-35465 +; +; RUN: llc %s -o - -mtriple=thumbv8.1m.main -verify-machineinstrs \ +; RUN: -mattr=+fp-armv8d16sp,+fix-cmse-cve-2021-35465 | \ +; RUN: FileCheck %s --check-prefix=CHECK-81M-CVE-2021-35465 +; +; RUN: llc %s -o - -mtriple=thumbv8.1m.main -mcpu=cortex-m55 -verify-machineinstrs | \ +; RUN: FileCheck %s --check-prefix=CHECK-81M-CVE-2021-35465 +; +; RUN: llc %s -o - -mtriple=thumbv8.1m.main -verify-machineinstrs \ +; RUN: -mattr=-fpregs,+fix-cmse-cve-2021-35465 | \ +; RUN: FileCheck %s --check-prefix=CHECK-81M-CVE-2021-35465 +; +; RUN: llc %s -o - -mtriple=thumbv8.1m.main -mcpu=cortex-m55 -mattr=-fpregs -verify-machineinstrs | \ +; RUN: FileCheck %s --check-prefix=CHECK-81M-CVE-2021-35465 +; + +define void @non_secure_call(void ()* %fptr) { +; CHECK-8M-FP-CVE-2021-35465-LABEL: non_secure_call: +; CHECK-8M-FP-CVE-2021-35465: @ %bb.0: +; CHECK-8M-FP-CVE-2021-35465-NEXT: push {r7, lr} +; CHECK-8M-FP-CVE-2021-35465-NEXT: push.w {r4, r5, r6, r7, r8, r9, r10, r11} +; CHECK-8M-FP-CVE-2021-35465-NEXT: bic r0, r0, #1 +; CHECK-8M-FP-CVE-2021-35465-NEXT: sub sp, #136 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vlstm sp +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r1, r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r2, r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r3, r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r4, r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r5, r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r6, r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r7, r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r8, r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r9, r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r10, r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r11, r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mov r12, r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: msr apsr_nzcvq{{g?}}, r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: blxns r0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: mrs r12, control +; CHECK-8M-FP-CVE-2021-35465-NEXT: tst.w r12, #8 +; CHECK-8M-FP-CVE-2021-35465-NEXT: it ne +; CHECK-8M-FP-CVE-2021-35465-NEXT: vmovne.f32 s0, s0 +; CHECK-8M-FP-CVE-2021-35465-NEXT: vlldm sp +; CHECK-8M-FP-CVE-2021-35465-NEXT: add sp, #136 +; CHECK-8M-FP-CVE-2021-35465-NEXT: pop.w {r4, r5, r6, r7, r8, r9, r10, r11} +; CHECK-8M-FP-CVE-2021-35465-NEXT: pop {r7, pc} +; +; CHECK-8M-NOFP-CVE-2021-35465-LABEL: non_secure_call: +; CHECK-8M-NOFP-CVE-2021-35465: @ %bb.0: +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: push {r7, lr} +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: push.w {r4, r5, r6, r7, r8, r9, r10, r11} +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: bic r0, r0, #1 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: sub sp, #136 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: vlstm sp +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: mov r1, r0 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: mov r2, r0 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: mov r3, r0 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: mov r4, r0 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: mov r5, r0 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: mov r6, r0 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: mov r7, r0 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: mov r8, r0 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: mov r9, r0 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: mov r10, r0 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: mov r11, r0 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: mov r12, r0 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: msr apsr_nzcvq{{g?}}, r0 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: blxns r0 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: mrs r12, control +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: tst.w r12, #8 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: it ne +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: @APP +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: .inst.w 0xeeb00a40 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: @NO_APP +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: vlldm sp +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: add sp, #136 +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: pop.w {r4, r5, r6, r7, r8, r9, r10, r11} +; CHECK-8M-NOFP-CVE-2021-35465-NEXT: pop {r7, pc} +; +; CHECK-81M-CVE-2021-35465-LABEL: non_secure_call: +; CHECK-81M-CVE-2021-35465: @ %bb.0: +; CHECK-81M-CVE-2021-35465-NEXT: push {r7, lr} +; CHECK-81M-CVE-2021-35465-NEXT: push.w {r4, r5, r6, r7, r8, r9, r10, r11} +; CHECK-81M-CVE-2021-35465-NEXT: bic r0, r0, #1 +; CHECK-81M-CVE-2021-35465-NEXT: sub sp, #136 +; CHECK-81M-CVE-2021-35465-NEXT: vlstm sp +; CHECK-81M-CVE-2021-35465-NEXT: clrm {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12, apsr} +; CHECK-81M-CVE-2021-35465-NEXT: blxns r0 +; CHECK-81M-CVE-2021-35465-NEXT: vscclrm {vpr} +; CHECK-81M-CVE-2021-35465-NEXT: vlldm sp +; CHECK-81M-CVE-2021-35465-NEXT: add sp, #136 +; CHECK-81M-CVE-2021-35465-NEXT: pop.w {r4, r5, r6, r7, r8, r9, r10, r11} +; CHECK-81M-CVE-2021-35465-NEXT: pop {r7, pc} + call void %fptr() #0 + ret void +} + +attributes #0 = { "cmse_nonsecure_call" } Index: llvm/test/CodeGen/ARM/cmse-vlldm-no-reorder.mir =================================================================== --- llvm/test/CodeGen/ARM/cmse-vlldm-no-reorder.mir +++ llvm/test/CodeGen/ARM/cmse-vlldm-no-reorder.mir @@ -1,4 +1,4 @@ -# RUN: llc -mtriple=thumbv8m.main -mcpu=cortex-m33 --float-abi=hard --run-pass=arm-pseudo %s -o - | \ +# RUN: llc -mtriple=thumbv8m.main -mcpu=cortex-m33 -mattr=-fix-cmse-cve-2021-35465 --float-abi=hard --run-pass=arm-pseudo %s -o - | \ # RUN: FileCheck %s --- | ; ModuleID = 'cmse-vlldm-no-reorder.ll' @@ -109,4 +109,4 @@ # CHECK-NEXT: $s0 = VMOVSR $r12, 14 /* CC::al */, $noreg # CHECK-NEXT: $sp = tADDspi $sp, 34, 14 /* CC::al */, $noreg # CHECK-NEXT: $sp = t2LDMIA_UPD $sp, 14 /* CC::al */, $noreg, def $r4, def $r5, def $r6, def $r7, def $r8, def $r9, def $r10, def $r11 - \ No newline at end of file +