Make validator require read sandboxing on ARM.

src/trusted/validator_arm/inst_classes.cc

 /*
- * Copyright (c) 2011 The Native Client Authors.  All rights reserved.
+ * Copyright (c) 2011 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #include "native_client/src/trusted/validator_arm/inst_classes.h"
 
 /*
  * Implementations of instruction classes, for those not completely defined in
  * the header.
  */
@@ skipping 195 matching lines @@
   if (defs(i)[kRegisterPc]) return FORBIDDEN_OPERANDS;
 
   return MAY_BE_SAFE;
 }
 
 RegisterList AbstractLoad::defs(const Instruction i) const {
   return i.reg(15, 12) + immediate_addressing_defs(i);
 }
 
 
+SafetyLevel LoadRegister::safety(const Instruction i) const {
+  bool pre_index = i.bit(24);
+  if (pre_index) {
+    // If pre_index is set, the address of the load is computed as the sum
+    // of the two register parameters.  We have checked that the first register
+    // is within the sandbox, but this would allow adding an arbitrary value
+    // to it, so it is not safe.
+    return FORBIDDEN;
+  }
+
+  // Don't let addressing writeback alter PC.
+  if (defs(i)[kRegisterPc]) return FORBIDDEN_OPERANDS;
+
+  return MAY_BE_SAFE;
+}
+
 RegisterList LoadRegister::defs(const Instruction i) const {
   if (writeback(i)) {
     Register rn(i.bits(19, 16));
     return AbstractLoad::defs(i) + rn;
   } else {
     return AbstractLoad::defs(i);
   }
 }
 
+Register LoadRegister::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
+
 
 RegisterList LoadImmediate::immediate_addressing_defs(const Instruction i)
     const {
   if (writeback(i)) {
     Register rn(i.bits(19, 16));
     return rn;
   } else {
     return kRegisterNone;
   }
 }
 
+Register LoadImmediate::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
+
+bool LoadImmediate::offset_is_immediate(Instruction i) const {
+  UNREFERENCED_PARAMETER(i);
+  return true;
+}
+
 
 RegisterList LoadDoubleI::defs(const Instruction i) const {
   return LoadImmediate::defs(i) + Register(i.bits(15, 12) + 1);
 }
 
+Register LoadDoubleI::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
+
+bool LoadDoubleI::offset_is_immediate(Instruction i) const {
+  UNREFERENCED_PARAMETER(i);
+  return true;
+}
+
+
+SafetyLevel LoadDoubleR::safety(const Instruction i) const {
+  bool pre_index = i.bit(24);
+  if (pre_index) {
+    // If pre_index is set, the address of the load is computed as the sum
+    // of the two register parameters.  We have checked that the first register
+    // is within the sandbox, but this would allow adding an arbitrary value
+    // to it, so it is not safe.
+    return FORBIDDEN;
+  }
+
+  // Don't let addressing writeback alter PC.
+  if (defs(i)[kRegisterPc]) return FORBIDDEN_OPERANDS;
+
+  return MAY_BE_SAFE;
+}
 
 RegisterList LoadDoubleR::defs(const Instruction i) const {
   return LoadRegister::defs(i) + Register(i.bits(15, 12) + 1);
 }
 
+Register LoadDoubleR::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
+
+Register LoadExclusive::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
+
 RegisterList LoadDoubleExclusive::defs(const Instruction i) const {
   return LoadExclusive::defs(i) + Register(i.bits(15, 12) + 1);
 }
 
+Register LoadDoubleExclusive::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
+
 
 SafetyLevel LoadMultiple::safety(const Instruction i) const {
   uint32_t rn = i.bits(19, 16);
   if (i.bit(21) && i.bit(rn)) {
     // In ARMv7, cannot update base register both by popping and by indexing.
     // (Pre-v7 this was still a weird thing to do.)
     return UNPREDICTABLE;
   }
 
   if (defs(i)[kRegisterPc]) {
     return FORBIDDEN_OPERANDS;
   }
   return MAY_BE_SAFE;
 }
 
 RegisterList LoadMultiple::defs(const Instruction i) const {
   return RegisterList(i.bits(15, 0)) + immediate_addressing_defs(i);
 }
 
 RegisterList LoadMultiple::immediate_addressing_defs(
     const Instruction i) const {
   return i.bit(21)? i.reg(19, 16) : kRegisterNone;
 }
 
+Register LoadMultiple::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
+
 
 /*
  * Vector load/stores
  */
 
 SafetyLevel VectorLoad::safety(Instruction i) const {
   if (defs(i)[kRegisterPc]) return FORBIDDEN_OPERANDS;
 
   return MAY_BE_SAFE;
 }
@@ skipping 11 matching lines @@
   // Rm == SP indicates automatic update based on size of load.
   if (i.reg(3, 0) == kRegisterStack) {
     // Rn is updated by a small static displacement.
     return i.reg(19, 16);
   }
 
   // Any writeback is not treated as immediate otherwise.
   return kRegisterNone;
 }
 
+Register VectorLoad::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
+
 
 SafetyLevel VectorStore::safety(Instruction i) const {
   if (defs(i)[kRegisterPc]) return FORBIDDEN_OPERANDS;
 
   return MAY_BE_SAFE;
 }
 
 RegisterList VectorStore::defs(Instruction i) const {
   // Rm == PC indicates no address writeback.  Otherwise Rn is affected.
   if (i.reg(3, 0) != kRegisterPc) {
@@ skipping 96 matching lines @@
   return kRegisterPc + (i.bit(24)? kRegisterLink : kRegisterNone);
 }
 
 int32_t Branch::branch_target_offset(const Instruction i) const {
   // Sign extend and shift left 2:
   int32_t offset = (int32_t)(i.bits(23, 0) << 8) >> 6;
   return offset + 8;  // because r15 reads as 8 bytes ahead
 }
 
 }  // namespace