Skip to content

Commit

Permalink
format: run `rg --files --type c --type cpp --glob '!external/' | xar…
Browse files Browse the repository at this point in the history 
…gs clang-format -i`

A lot of files aren't formatted correctly,
so whenever I edit files and format,
it adds a lot of extra formatting fixes,
which makes PRs much harder to review
with all of this extraneous info.

We should probably add this to CI/pre-commit hook,
but this should be enough for now.

This also adds `AllowShortBlocksOnASingleLine: Always` to `.clang-format`,
as this is needed to keep LLVM `lit` tests still working.
  • Loading branch information
@kkysen
kkysen committed Mar 3, 2025
1 parent 53e5146 commit 9567b6b
Show file tree
Hide file tree
Showing 95 changed files with 1,172 additions and 1,112 deletions.
1 change: 1 addition & 0 deletions .clang-format
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
BasedOnStyle: LLVM

ColumnLimit: 0
AllowShortBlocksOnASingleLine: Always
AlwaysBreakBeforeMultilineStrings: true
BreakStringLiterals: false
CommentPragmas: '^RUN: '
2 changes: 1 addition & 1 deletion examples/video_player/include/video_decoder.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@

struct video_decoder;

typedef void (*video_decoder_frame_callback_t)(AVFrame*, void*);
typedef void (*video_decoder_frame_callback_t)(AVFrame *, void *);

struct video_decoder *video_decoder_init(const char *file_data,
size_t file_size);
Expand Down
54 changes: 48 additions & 6 deletions examples/video_player/video_player.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,14 +34,56 @@ static uint8_t *y_plane, *u_plane, *v_plane;

/* The secrets */
static uint8_t KEY[32] = {
0x45, 0x33, 0xCC, 0xB5, 0xEA, 0xB4, 0x10, 0xCC,
0x03, 0x88, 0xA8, 0x3D, 0x5F, 0x93, 0x82, 0x09,
0x19, 0xC5, 0x6F, 0xF3, 0x30, 0x7C, 0xF6, 0xF6,
0x72, 0x42, 0x69, 0xF1, 0x9A, 0xE5, 0xE7, 0x0C,
0x45,
0x33,
0xCC,
0xB5,
0xEA,
0xB4,
0x10,
0xCC,
0x03,
0x88,
0xA8,
0x3D,
0x5F,
0x93,
0x82,
0x09,
0x19,
0xC5,
0x6F,
0xF3,
0x30,
0x7C,
0xF6,
0xF6,
0x72,
0x42,
0x69,
0xF1,
0x9A,
0xE5,
0xE7,
0x0C,
};
static uint8_t IV[16] = {
0xB9, 0x1D, 0x41, 0xF4, 0xEA, 0xBF, 0xB9, 0xE8,
0x63, 0xC1, 0x6B, 0xAF, 0xE5, 0x14, 0x5C, 0x7E,
0xB9,
0x1D,
0x41,
0xF4,
0xEA,
0xBF,
0xB9,
0xE8,
0x63,
0xC1,
0x6B,
0xAF,
0xE5,
0x14,
0x5C,
0x7E,
};

void init_sdl(void) {
Expand Down
2 changes: 1 addition & 1 deletion misc/test_runner/test_runner.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ int main() {
// Reverse tests, as the `__attribute__((constructor))` approach with a linked list makes them backwards.
size_t i = 0;
for (struct fake_criterion_test *test_info = fake_criterion_tests; test_info; test_info = test_info->next) {
i++;
i++;
}
const size_t num_tests = i;
struct fake_criterion_test tests[num_tests];
Expand Down
3 changes: 1 addition & 2 deletions runtime/libia2/exit.c
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
#include "ia2.h"
#include <dlfcn.h>

__attribute__((used))
static void call_libc_exit(int status) {
__attribute__((used)) static void call_libc_exit(int status) {
void (*exit_ptr)(int) = dlsym(RTLD_NEXT, "exit");
if (!exit_ptr) {
printf("Could not find exit(3) in the next DSO\n");
Expand Down
162 changes: 106 additions & 56 deletions runtime/libia2/ia2.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,8 @@
#include <stdio.h>
#include <string.h>

#include "ia2_internal.h"
#include "ia2.h"
#include "ia2_internal.h"

#if defined(__x86_64__)

Expand Down Expand Up @@ -84,67 +84,114 @@ size_t ia2_get_tag(void) __attribute__((alias("ia2_get_pkey")));
#elif defined(__aarch64__)

size_t ia2_get_x18(void) {
size_t x18;
asm("mov %0, x18" : "=r"(x18));
return x18 >> 56;
size_t x18;
asm("mov %0, x18" : "=r"(x18));
return x18 >> 56;
}
size_t ia2_get_tag(void) __attribute__((alias("ia2_get_x18")));

// TODO: insert_tag could probably be cleaned up a bit, but I'm not sure if the
// generated code could be simplified since addg encodes the tag as an imm field
#define _addg(out_ptr, in_ptr, tag) \
asm("addg %0, %1, #0, %2" : "=r"(out_ptr) : "r"(in_ptr), "i"(tag)); \
asm("addg %0, %1, #0, %2" : "=r"(out_ptr) : "r"(in_ptr), "i"(tag));

#define insert_tag(ptr, tag) \
({ \
uint64_t _res; \
switch (tag) { \
case 0: { _addg(_res, ptr, 0); break; } \
case 1: { _addg(_res, ptr, 1); break; } \
case 2: { _addg(_res, ptr, 2); break; } \
case 3: { _addg(_res, ptr, 3); break; } \
case 4: { _addg(_res, ptr, 4); break; } \
case 5: { _addg(_res, ptr, 5); break; } \
case 6: { _addg(_res, ptr, 6); break; } \
case 7: { _addg(_res, ptr, 7); break; } \
case 8: { _addg(_res, ptr, 8); break; } \
case 9: { _addg(_res, ptr, 9); break; } \
case 10: { _addg(_res, ptr, 10); break; } \
case 11: { _addg(_res, ptr, 11); break; } \
case 12: { _addg(_res, ptr, 12); break; } \
case 13: { _addg(_res, ptr, 13); break; } \
case 14: { _addg(_res, ptr, 14); break; } \
case 15: { _addg(_res, ptr, 15); break; } \
} \
_res; \
})

({ \
uint64_t _res; \
switch (tag) { \
case 0: { \
_addg(_res, ptr, 0); \
break; \
} \
case 1: { \
_addg(_res, ptr, 1); \
break; \
} \
case 2: { \
_addg(_res, ptr, 2); \
break; \
} \
case 3: { \
_addg(_res, ptr, 3); \
break; \
} \
case 4: { \
_addg(_res, ptr, 4); \
break; \
} \
case 5: { \
_addg(_res, ptr, 5); \
break; \
} \
case 6: { \
_addg(_res, ptr, 6); \
break; \
} \
case 7: { \
_addg(_res, ptr, 7); \
break; \
} \
case 8: { \
_addg(_res, ptr, 8); \
break; \
} \
case 9: { \
_addg(_res, ptr, 9); \
break; \
} \
case 10: { \
_addg(_res, ptr, 10); \
break; \
} \
case 11: { \
_addg(_res, ptr, 11); \
break; \
} \
case 12: { \
_addg(_res, ptr, 12); \
break; \
} \
case 13: { \
_addg(_res, ptr, 13); \
break; \
} \
case 14: { \
_addg(_res, ptr, 14); \
break; \
} \
case 15: { \
_addg(_res, ptr, 15); \
break; \
} \
} \
_res; \
})

#define set_tag(tagged_ptr) \
asm volatile("st2g %0, [%0]" :: "r"(tagged_ptr) : "memory");
asm volatile("st2g %0, [%0]" ::"r"(tagged_ptr) : "memory");

int ia2_mprotect_with_tag(void *addr, size_t len, int prot, int tag) {
int res = mprotect(addr, len, prot | PROT_MTE);
if (res != 0) {
/* Skip memory tagging if mprotect returned an error */
printf("mprotect failed with %d\n", res);
return res;
int res = mprotect(addr, len, prot | PROT_MTE);
if (res != 0) {
/* Skip memory tagging if mprotect returned an error */
printf("mprotect failed with %d\n", res);
return res;
}
/* Protect each page */
assert((len % PAGE_SIZE) == 0);
for (int page = 0; page < len / PAGE_SIZE; page++) {
char *page_base = addr + page * PAGE_SIZE;
/* Assuming we're using st2g. stgm is undefined at EL0 so it's not an option */
const int granule_sz = 32;
const int granules_per_page = PAGE_SIZE / 32;
/* Protect each granule in the page */
for (int granule = 0; granule < granules_per_page; granule++) {
// TODO: It may be possible to simplify this to be more efficient using the addg imm offset
uint64_t tagged_ptr = insert_tag((uint64_t)page_base + (granule * granule_sz), tag);
set_tag(tagged_ptr);
}
/* Protect each page */
assert((len % PAGE_SIZE) == 0);
for(int page = 0; page < len / PAGE_SIZE; page++) {
char* page_base = addr + page * PAGE_SIZE;
/* Assuming we're using st2g. stgm is undefined at EL0 so it's not an option */
const int granule_sz = 32;
const int granules_per_page = PAGE_SIZE / 32;
/* Protect each granule in the page */
for (int granule = 0; granule < granules_per_page; granule++) {
// TODO: It may be possible to simplify this to be more efficient using the addg imm offset
uint64_t tagged_ptr = insert_tag((uint64_t)page_base + (granule * granule_sz), tag);
set_tag(tagged_ptr);
}
}
return 0;
}
return 0;
}
#endif

Expand Down Expand Up @@ -314,18 +361,20 @@ int protect_tls_pages(struct dl_phdr_info *info, size_t size, void *data) {
uint64_t after_untrusted_region_start = untrusted_stackptr_addr + 0x1000;
uint64_t after_untrusted_region_len = end - after_untrusted_region_start;
if (after_untrusted_region_len > 0) {
int mprotect_err = ia2_mprotect_with_tag((void *)after_untrusted_region_start,
after_untrusted_region_len,
PROT_READ | PROT_WRITE, search_args->pkey);
int mprotect_err = ia2_mprotect_with_tag(
(void *)after_untrusted_region_start,
after_untrusted_region_len,
PROT_READ | PROT_WRITE, search_args->pkey);
if (mprotect_err != 0) {
printf("ia2_mprotect_with_tag failed: %s\n", strerror(errno));
exit(-1);
}
}
} else {
int mprotect_err =
ia2_mprotect_with_tag((void *)start_round_down, len_round_up,
PROT_READ | PROT_WRITE, search_args->pkey);
ia2_mprotect_with_tag(
(void *)start_round_down, len_round_up,
PROT_READ | PROT_WRITE, search_args->pkey);
if (mprotect_err != 0) {
printf("ia2_mprotect_with_tag failed: %s\n", strerror(errno));
exit(-1);
Expand Down Expand Up @@ -490,8 +539,9 @@ int protect_pages(struct dl_phdr_info *info, size_t size, void *data) {
}
// TODO: Inline ia2_mprotect_with_tag call and make sure the pkey is in a
// register here so we can disallow calls to the libc function
int mprotect_err = ia2_mprotect_with_tag((void *)start, cur_end - start,
access_flags, (int)cur_pkey);
int mprotect_err = ia2_mprotect_with_tag(
(void *)start, cur_end - start,
access_flags, (int)cur_pkey);
if (mprotect_err != 0) {
printf("ia2_mprotect_with_tag failed: %s\n", strerror(errno));
exit(-1);
Expand Down
19 changes: 10 additions & 9 deletions runtime/libia2/include/ia2.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,8 @@
/// Any functions declared between this macro and IA2_END_NO_WRAP will not be
/// wrapped by the rewriter and any calls to these functions and function
/// pointers will execute in the caller's compartment.
#define IA2_BEGIN_NO_WRAP \
_Pragma( \
#define IA2_BEGIN_NO_WRAP \
_Pragma( \
"clang attribute push(__attribute__((annotate(\"ia2_skip_wrap\"))), apply_to = hasType(functionType))");

#define IA2_END_NO_WRAP _Pragma("clang attribute pop");
Expand All @@ -46,7 +46,7 @@
#define IA2_AS_PTR(opaque) opaque
#define IA2_FN(func) func
#define IA2_CALL(opaque, id, ...) opaque(__VA_ARGS__)
#define IA2_CAST(func, ty) (ty) (void *) func
#define IA2_CAST(func, ty) (ty)(void *) func
#else
#define IA2_DEFINE_WRAPPER(func) IA2_DEFINE_WRAPPER_##func
#define IA2_SIGHANDLER(func) ia2_sighandler_##func
Expand All @@ -59,8 +59,8 @@
///
/// Creates a new function with `ia2_sighandler_` prepended to the given
/// function name which should be registered with sigaction().
#define IA2_DEFINE_SIGACTION(function, pkey) \
void ia2_sighandler_##function(int, siginfo_t *, void *); \
#define IA2_DEFINE_SIGACTION(function, pkey) \
void ia2_sighandler_##function(int, siginfo_t *, void *); \
_IA2_DEFINE_SIGNAL_HANDLER(function, pkey)

/// Create a wrapped signal handler for `sa_handler`
Expand All @@ -72,8 +72,8 @@
///
/// Creates a new function with `ia2_sighandler_` prepended to the given
/// function name which should be registered with sigaction().
#define IA2_DEFINE_SIGHANDLER(function, pkey) \
void ia2_sighandler_##function(int); \
#define IA2_DEFINE_SIGHANDLER(function, pkey) \
void ia2_sighandler_##function(int); \
_IA2_DEFINE_SIGNAL_HANDLER(function, pkey)

/// Initialize the IA2 runtime, must only be invoked once per in a process
Expand Down Expand Up @@ -131,7 +131,7 @@
#define IA2_AS_PTR(opaque) (opaque).ptr

/// Get an IA2 opaque function pointer for the wrapped version of `func`
#define IA2_FN(func) \
#define IA2_FN(func) \
(typeof(__ia2_##func)) { (void *)&__ia2_##func }

/// Call an IA2 opaque function pointer, which should be in target compartment
Expand All @@ -144,7 +144,8 @@
/// parameter. Note that it is the user's responsibility to ensure that `ty` and
/// the type of `IA2_FN(func)` are ABI-compatible since no extra type-checking is
/// done.
#define IA2_CAST(func, ty) (ty) { (void *)IA2_FN_ADDR(func) }
#define IA2_CAST(func, ty) \
(ty) { (void *)IA2_FN_ADDR(func) }
#endif // !IA2_ENABLE

/// Convert a compartment pkey to a PKRU register value
Expand Down
Loading

0 comments on commit 9567b6b

Please sign in to comment.