xtensa: userspace: prevent potential privilege escalation

dcpleung · kartben · commit 2abf7ce2f128 · 2025-04-17T00:57:19.000+02:00
When context switching and dealing with non-nested interrupts,
the context to be restored are saved in the thread stack.
When userspace is enabled, this means saving context into
the user stacks for user threads. This allows PS values to be
manipulated externally by setting PS.RING in the saved PS
value to 0, resulting in granting kernel access privilege when
the thread is restored. To prevent this, we store the PS value
into the thread struct instead, where user threads cannot
manipulate that. Note that nested interrupts and syscalls are
not using the user stack but the interrupt stack and thread
privileged stack respectively, where they are not accessible
under user mode.

Signed-off-by: Daniel Leung &lt;daniel.leung@intel.com&gt;
diff --git a/arch/xtensa/core/offsets/offsets.c b/arch/xtensa/core/offsets/offsets.c
@@ -67,6 +67,8 @@ GEN_OFFSET_SYM(_xtensa_irq_bsa_t, hifi);
 
 #ifdef CONFIG_USERSPACE
 GEN_OFFSET_SYM(_thread_arch_t, psp);
+GEN_OFFSET_SYM(_thread_arch_t, return_ps);
+GEN_OFFSET_SYM(_thread_t, switch_handle);
 #ifdef CONFIG_XTENSA_MMU
 GEN_OFFSET_SYM(_thread_arch_t, ptables);
 #endif
diff --git a/arch/xtensa/core/thread.c b/arch/xtensa/core/thread.c
@@ -66,14 +66,19 @@ static void *init_stack(struct k_thread *thread, int *stack_top,
 
 	(void)memset(frame, 0, bsasz);
 
-	frame->bsa.ps = PS_WOE | PS_UM | PS_CALLINC(1);
 #ifdef CONFIG_USERSPACE
+	/* _restore_context uses this instead of frame->bsa.ps to
+	 * restore PS value.
+	 */
+	thread->arch.return_ps = PS_WOE | PS_UM | PS_CALLINC(1);
+
 	if ((thread->base.user_options & K_USER) == K_USER) {
 		frame->bsa.pc = (uintptr_t)arch_user_mode_enter;
 	} else {
 		frame->bsa.pc = (uintptr_t)z_thread_entry;
 	}
 #else
+	frame->bsa.ps = PS_WOE | PS_UM | PS_CALLINC(1);
 	frame->bsa.pc = (uintptr_t)z_thread_entry;
 #endif
 
diff --git a/arch/xtensa/core/xtensa_asm2_util.S b/arch/xtensa/core/xtensa_asm2_util.S
@@ -153,9 +153,34 @@ _restore_context:
 
 	l32i a0, a1, ___xtensa_irq_bsa_t_pc_OFFSET
 	wsr a0, ZSR_EPC
+
+#ifdef CONFIG_USERSPACE
+	/* When restoring context via xtensa_switch and
+	 * returning from non-nested interrupts, we use
+	 * the stashed PS value in the thread struct
+	 * instead of the one in the thread stack.
+	 * Both scenarios will have nested value of 0.
+	 */
+	rsr.ZSR_CPU a2
+	l32i a0, a2, ___cpu_t_nested_OFFSET
+	bnez a0, _restore_ps_from_stack
+
+	l32i a0, a2, ___cpu_t_current_OFFSET
+	l32i a0, a0, _thread_offset_to_return_ps
+	wsr a0, ZSR_EPS
+
+	j _restore_ps_after
+
+_restore_ps_from_stack:
+#endif
+
 	l32i a0, a1, ___xtensa_irq_bsa_t_ps_OFFSET
 	wsr a0, ZSR_EPS
 
+#ifdef CONFIG_USERSPACE
+_restore_ps_after:
+#endif
+
 #if XCHAL_HAVE_FP && defined(CONFIG_CPU_HAS_FPU) && defined(CONFIG_FPU_SHARING)
 	FPU_REG_RESTORE
 #endif
@@ -262,6 +287,18 @@ xtensa_switch:
 	/* Stash our PS register contents and a "restore" PC. */
 	rsr a0, PS
 	s32i a0, a1, ___xtensa_irq_bsa_t_ps_OFFSET
+
+#ifdef CONFIG_USERSPACE
+	/* Backtrack to the head of thread struct and
+	 * then store the PS value to be restored in
+	 * the architecture specific section.
+	 * This will be used to restore PS instead of
+	 * the one stashed inside stack.
+	 */
+	addi a3, a3, -___thread_t_switch_handle_OFFSET
+	s32i a0, a3, _thread_offset_to_return_ps
+#endif
+
 	movi a0, _switch_restore_pc
 	s32i a0, a1, ___xtensa_irq_bsa_t_pc_OFFSET
 
diff --git a/arch/xtensa/include/offsets_short_arch.h b/arch/xtensa/include/offsets_short_arch.h
@@ -12,6 +12,9 @@
 #define _thread_offset_to_psp \
 	(___thread_t_arch_OFFSET + ___thread_arch_t_psp_OFFSET)
 
+#define _thread_offset_to_return_ps \
+	(___thread_t_arch_OFFSET + ___thread_arch_t_return_ps_OFFSET)
+
 #define _thread_offset_to_ptables \
 	(___thread_t_arch_OFFSET + ___thread_arch_t_ptables_OFFSET)
 #endif /* CONFIG_USERSPACE */
diff --git a/arch/xtensa/include/xtensa_asm2_s.h b/arch/xtensa/include/xtensa_asm2_s.h
@@ -11,6 +11,7 @@
 #include "xtensa_asm2_context.h"
 
 #include <zephyr/offsets.h>
+#include <offsets_short.h>
 
 /* Assembler header!  This file contains macros designed to be included
  * only by the assembler.
@@ -686,6 +687,25 @@ _Level\LVL\()Vector:
 	s32i a0, a1, ___xtensa_irq_bsa_t_ps_OFFSET
 .endif
 
+#ifdef CONFIG_USERSPACE
+	/* When restoring context via xtensa_switch and
+	 * returning from non-nested interrupts, we will be
+	 * using the stashed PS value in the thread struct
+	 * instead of the one in the thread stack. Both of
+	 * these scenarios will have nested value of 0.
+	 * So when nested value is zero, we store the PS
+	 * value into thread struct.
+	 */
+	rsr.ZSR_CPU a3
+	l32i a2, a3, ___cpu_t_nested_OFFSET
+	bnez a2, _excint_skip_ps_save_to_thread_\LVL
+
+	l32i a2, a3, ___cpu_t_current_OFFSET
+	s32i a0, a2, _thread_offset_to_return_ps
+
+_excint_skip_ps_save_to_thread_\LVL:
+#endif
+
 	rsr.epc\LVL a0
 	s32i a0, a1, ___xtensa_irq_bsa_t_pc_OFFSET
 
diff --git a/include/zephyr/arch/xtensa/thread.h b/include/zephyr/arch/xtensa/thread.h
@@ -42,6 +42,11 @@ struct _thread_arch {
 	 * Un-set for surpervisor threads.
 	 */
 	uint8_t *psp;
+
+	/* Stashed PS value used to restore PS when restoring from
+	 * context switching or returning from non-nested interrupts.
+	 */
+	uint32_t return_ps;
 #endif
 };
 
