
[Bug] The implementation of arch_signal_quit on the riscv64 architecture is risky

Open eatvector opened this issue 5 months ago • 0 comments

RT-Thread Version

ece19e9

Hardware Type/Architectures

riscv64 qemu

Develop Toolchain

GCC

Describe the bug

In components/lwp/arch/risc-v/rv64/lwp_gcc.S, arch_signal_quit saves an address in the kernel stack to the user stack, and later restores sp from the value saved on the user stack. In a multi-core environment, if another thread of the same process running on another core modifies the kernel stack address saved on the current thread's user stack, it may cause a kernel crash. A safer implementation of this function needs to be considered.

arch_signal_quit:
    /* a0 = user sp saved in the trap frame */
    LOAD a0, FRAME_OFF_SP(sp)
    addi a1, sp, CTX_REG_NR * REGBYTES
    call arch_signal_ucontext_restore

    /* reset kernel sp to the stack */
    addi sp, sp, CTX_REG_NR * REGBYTES
    /* kernel sp is written into the user-writable frame at a0 */
    STORE sp, FRAME_OFF_SP(a0)
    /* return value is user sp */
    mv sp, a0

    /* restore user sp before enter trap */
    addi a0, sp, CTX_REG_NR * REGBYTES
    csrw sscratch, a0

    RESTORE_ALL
    SAVE_ALL
    j arch_ret_to_user

Other additional context

No response

eatvector · Jul 18 '25 13:07
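The following C model illustrates the defensive pattern the report is asking for: a kernel sp that has passed through user-writable memory must not be trusted on the way back. This is an added example written for this note, not RT-Thread code. It assumes a hypothetical per-thread record (`struct kthread`) that keeps the kernel-side copy of the saved kernel sp, a made-up frame size `CTX_FRAME_BYTES` standing in for `CTX_REG_NR * REGBYTES`, and constructed stack addresses; the two checks are the kernel-side comparison (the value read back from the user frame must equal the copy the kernel never exposed) and a bounds/alignment sanity check for designs that must still read the value back.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-thread record (not RT-Thread's struct rt_thread). */
struct kthread {
    uintptr_t kstack_base;  /* lowest address of this thread's kernel stack */
    size_t    kstack_size;  /* size of the kernel stack in bytes */
    uintptr_t kstack_sp;    /* kernel sp recorded on trap entry; lives in kernel memory only */
};

/* Assumed stand-in for CTX_REG_NR * REGBYTES on rv64 (hypothetical value). */
#define CTX_FRAME_BYTES (32 * 8)

/* Sanity check for a kernel sp that came from user-writable memory:
 * inside this thread's kernel stack, room for one trap frame below it,
 * and 16-byte aligned as the RISC-V psABI requires. */
bool kernel_sp_is_sane(const struct kthread *t, uintptr_t sp)
{
    uintptr_t lo = t->kstack_base;
    uintptr_t hi = t->kstack_base + t->kstack_size;

    if (sp < lo || sp > hi)        return false; /* points outside the kernel stack */
    if (sp - lo < CTX_FRAME_BYTES) return false; /* SAVE_ALL would underflow the stack */
    if (sp & 0xF)                  return false; /* misaligned stack pointer */
    return true;
}

typedef enum { KSP_OK = 0, KSP_TAMPERED = 1 } ksp_status;

/* Safer handover: the kernel-side copy is authoritative. The value read
 * back from the user frame is only compared against it; on mismatch the
 * caller learns the frame was modified and can fail the signal return
 * instead of switching to an attacker-chosen kernel stack. */
ksp_status choose_kernel_sp(const struct kthread *t, uintptr_t user_frame_ksp,
                            uintptr_t *out_sp)
{
    *out_sp = t->kstack_sp;
    if (user_frame_ksp != t->kstack_sp || !kernel_sp_is_sane(t, t->kstack_sp))
        return KSP_TAMPERED;
    return KSP_OK;
}

/* Constructed sample thread for the demonstration (addresses are made up). */
struct kthread sample_thread(void)
{
    struct kthread t = { 0x80100000UL, 0x4000, 0x80103F00UL };
    return t;
}

/* Convenience wrappers so the outcome can be checked per user-supplied value. */
int demo_status(uintptr_t user_frame_ksp)
{
    struct kthread t = sample_thread();
    uintptr_t sp;
    return (int)choose_kernel_sp(&t, user_frame_ksp, &sp);
}

uintptr_t demo_chosen_sp(uintptr_t user_frame_ksp)
{
    struct kthread t = sample_thread();
    uintptr_t sp;
    (void)choose_kernel_sp(&t, user_frame_ksp, &sp);
    return sp;
}

int main(void)
{
    /* Unmodified frame: accepted. Frame rewritten by another core: rejected,
     * and the kernel-side copy is used either way. */
    printf("intact   : status=%d sp=%#lx\n", demo_status(0x80103F00UL),
           (unsigned long)demo_chosen_sp(0x80103F00UL));
    printf("tampered : status=%d sp=%#lx\n", demo_status(0x80200000UL),
           (unsigned long)demo_chosen_sp(0x80200000UL));
    return 0;
}
```

The point of the design is that the trusted value never leaves kernel memory, so a sibling thread on another core has nothing to overwrite; the sanity check is defence in depth for the case where the user frame must still carry the value.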