x86 validator: Rewrite non-temporal stores into cached memory accesses

src/trusted/validator_ragel/dfa_validate_common.c

 /*
  * Copyright (c) 2012 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 /* Implement the functions common for ia32 and x86-64 architectures.  */
 #include "native_client/src/trusted/validator_ragel/dfa_validate_common.h"
 
 #include <string.h>
 
+#include "native_client/src/include/build_config.h"
 #include "native_client/src/shared/platform/nacl_check.h"
 #include "native_client/src/trusted/service_runtime/nacl_config.h"
 #include "native_client/src/trusted/validator_ragel/validator.h"
 
 /* Used as an argument to copy_func when unsupported instruction must be
    replaced with HLTs.  */
 static const uint8_t kStubOutMem[MAX_INSTRUCTION_LENGTH] = {
   NACL_HALT_OPCODE, NACL_HALT_OPCODE, NACL_HALT_OPCODE, NACL_HALT_OPCODE,
   NACL_HALT_OPCODE, NACL_HALT_OPCODE, NACL_HALT_OPCODE, NACL_HALT_OPCODE,
   NACL_HALT_OPCODE, NACL_HALT_OPCODE, NACL_HALT_OPCODE, NACL_HALT_OPCODE,
   NACL_HALT_OPCODE, NACL_HALT_OPCODE, NACL_HALT_OPCODE, NACL_HALT_OPCODE,
   NACL_HALT_OPCODE
 };
 
 Bool NaClDfaProcessValidationError(const uint8_t *begin, const uint8_t *end,
                                    uint32_t info, void *callback_data) {
   UNREFERENCED_PARAMETER(begin);
   UNREFERENCED_PARAMETER(end);
   UNREFERENCED_PARAMETER(info);
   UNREFERENCED_PARAMETER(callback_data);
 
   return FALSE;
 }
 
 /*
  * Returns whether a validation error should be ignored by
  * RewriteAndRevalidateBundle()'s two validation passes, which
  * validate individual instruction bundles.
  */
-static Bool AllowErrorDuringBundleValidation(
-    uint32_t info, struct StubOutCallbackData *data) {
+static Bool AllowErrorDuringBundleValidation(uint32_t info) {
   if ((info & VALIDATION_ERRORS_MASK) == DIRECT_JUMP_OUT_OF_RANGE) {
     /*
      * This error can occur on valid jumps because we are validating
      * an instruction bundle that is a subset of a code chunk.
      */
     return TRUE;
   }
-  if ((info & VALIDATION_ERRORS_MASK) == UNSUPPORTED_INSTRUCTION) {
-    return (data->flags & NACL_DISABLE_NONTEMPORALS_X86) == 0;
-  }
   return FALSE;
 }
 
+#if NACL_BUILD_SUBARCH == 64
+static Bool IsREXPrefix(uint8_t byte) {
+  return byte >= 0x40 && byte <= 0x4f;
+}
+#endif
+
+static Bool RewriteNonTemporal(uint8_t *ptr, uint8_t *end, uint32_t info) {
+  /*
+   * Instruction rewriting.  Note that we only rewrite non-temporal
+   * instructions found in nexes and DSOs that are currently found in the
+   * Chrome Web Store.  If future nexes use other non-temporal
+   * instructions, they will fail validation.
+   *
+   * We usually only check and rewrite the first few bytes without
+   * examining further because this function is only called when the
+   * validator tells us that it is an 'unsupported instruction' and there
+   * are no other validation failures.
+   */
+  ptrdiff_t size = end - ptr;
+#if NACL_BUILD_SUBARCH == 32
+  UNREFERENCED_PARAMETER(end);
+  UNREFERENCED_PARAMETER(info);
+
+  if (size >= 2 && memcmp(ptr, "\x0f\xe7", 2) == 0) {
+    /* movntq => movq */
+    ptr[1] = 0x7f;
+    return TRUE;
+  } else if (size >= 3 && memcmp(ptr, "\x66\x0f\xe7", 3) == 0) {
+    /* movntdq => movdqa */
+    ptr[2] = 0x7f;
+    return TRUE;
+  }
+#elif NACL_BUILD_SUBARCH == 64
+  if (size >= 3 && IsREXPrefix(ptr[0]) && ptr[1] == 0x0f) {
+    uint8_t opcode_byte2 = ptr[2];
+    switch (opcode_byte2) {
+      case 0x2b:
+        /* movntps => movaps */
+        ptr[2] = 0x29;
+        return TRUE;
+      case 0xc3:
+        /* movnti => mov, nop */
+        if ((info & RESTRICTED_REGISTER_USED) != 0) {
+          /*
+           * The rewriting for movnti is special because it changes
+           * instruction boundary: movnti is replaced by a mov and a nop so
+           * that the total size does not change.  Therefore, special care
+           * needs to be taken: if restricted register is used in this
+           * instruction, we have to put nop at the end so that the
+           * rewritten restricted register consuming instruction follows
+           * closely with the restricted register producing instruction (if
+           * there is one).
+           */
+          ptr[1] = 0x89;
+          memmove(ptr + 2, ptr + 3, size - 3);
+          ptr[size - 1] = 0x90; /* NOP */
+        } else {
+          /*
+           * There are cases where we need to preserve instruction end
+           * position, for example, when RIP-relative address is used.
+           * Fortunately, RIP-relative addressing cannot use an index
+           * register, and therefore RESTRICTED_REGISTER_USED cannot be
+           * set.  Therefore, no matter whether RIP-relative addressing is
+           * used, as long as restricted register is not used, we are safe
+           * to put nop in the beginning and preserve instruction end
+           * position.
+           */
+          ptr[2] = 0x89;
+          ptr[1] = ptr[0];
+          ptr[0] = 0x90; /* NOP */
+        }
+        return TRUE;
+      case 0x18:
+        /* prefetchnta => nop...nop */
+        memset(ptr, 0x90, size);
+        return TRUE;
+      default:
+        return FALSE;
+    }
+  } else if (size >= 4 &&
+             ptr[0] == 0x66 &&
+             IsREXPrefix(ptr[1]) &&
+             memcmp(ptr + 2, "\x0f\xe7", 2) == 0) {
+    /* movntdq => movdqa */
+    ptr[3] = 0x7f;
+    return TRUE;
+  }
+#else
+# error "Unknown architecture"
+#endif
+  return FALSE;
+}
+
 /*
  * First pass of RewriteAndRevalidateBundle(): Rewrite any
  * instructions that need rewriting.
  */
 static Bool BundleValidationApplyRewrite(const uint8_t *begin,
                                          const uint8_t *end,
                                          uint32_t info,
                                          void *callback_data) {
   struct StubOutCallbackData *data = callback_data;
 
   if ((info & VALIDATION_ERRORS_MASK) == CPUID_UNSUPPORTED_INSTRUCTION) {
     /* Stub-out instructions unsupported on this CPU, but valid on other CPUs.*/
     data->did_rewrite = 1;
     memset((uint8_t *) begin, NACL_HALT_OPCODE, end - begin);
     return TRUE;
   }
-  return AllowErrorDuringBundleValidation(info, data);
+  if ((info & VALIDATION_ERRORS_MASK) == UNSUPPORTED_INSTRUCTION &&
+      (data->flags & NACL_DISABLE_NONTEMPORALS_X86) == 0) {
+    if (RewriteNonTemporal((uint8_t *) begin, (uint8_t *) end, info)) {
+      data->did_rewrite = 1;
+      return TRUE;
+    }
+    return FALSE;
+  }
+  return AllowErrorDuringBundleValidation(info);
 }
 
 /*
  * Second pass of RewriteAndRevalidateBundle(): Revalidate, checking
  * that no further instruction rewrites are needed.
  */
 static Bool BundleValidationCheckAfterRewrite(const uint8_t *begin,
                                               const uint8_t *end,
                                               uint32_t info,
                                               void *callback_data) {
-  struct StubOutCallbackData *data = callback_data;
   UNREFERENCED_PARAMETER(begin);
   UNREFERENCED_PARAMETER(end);
+  UNREFERENCED_PARAMETER(callback_data);
 
-  return AllowErrorDuringBundleValidation(info, data);
+  return AllowErrorDuringBundleValidation(info);
 }
 
 /*
  * As an extra safety check, when the validator modifies an
  * instruction, we want to revalidate the rewritten code.
  *
  * For performance, we don't want to revalidate the whole code chunk,
  * because that would double the overall validation time.  However,
  * it's not practical to revalidate the individual rewritten
  * instruction, because for x86-64 we need to account for previous
@@ skipping 38 matching lines @@
 }
 
 Bool NaClDfaStubOutUnsupportedInstruction(const uint8_t *begin,
                                           const uint8_t *end,
                                           uint32_t info,
                                           void *callback_data) {
   struct StubOutCallbackData *data = callback_data;
   /* Stub-out instructions unsupported on this CPU, but valid on other CPUs.  */
   if ((info & VALIDATION_ERRORS_MASK) == CPUID_UNSUPPORTED_INSTRUCTION) {
     return RewriteAndRevalidateBundle(begin, end, data);
-  } else if ((info & VALIDATION_ERRORS_MASK) == UNSUPPORTED_INSTRUCTION) {
-    if (data->flags & NACL_DISABLE_NONTEMPORALS_X86) {
-      return FALSE;
-    } else {
-      /* TODO(ruiq): rewrite instruction. For now, we keep the original
-       * instruction and indicate validation success, which is consistent
-       * with current validation results. */
-      return TRUE;
-    }
-  } else {
-    return FALSE;
   }
+  if ((info & VALIDATION_ERRORS_MASK) == UNSUPPORTED_INSTRUCTION &&
+      (data->flags & NACL_DISABLE_NONTEMPORALS_X86) == 0) {
+    return RewriteAndRevalidateBundle(begin, end, data);
+  }
+  return FALSE;
 }
 
 Bool NaClDfaProcessCodeCopyInstruction(const uint8_t *begin_new,
                                        const uint8_t *end_new,
                                        uint32_t info_new,
                                        void *callback_data) {
   struct CodeCopyCallbackData *data = callback_data;
   size_t instruction_length = end_new - begin_new;
 
   /* Sanity check: instruction must be no longer than 17 bytes.  */
   CHECK(instruction_length <= MAX_INSTRUCTION_LENGTH);
 
   return data->copy_func(
       (uint8_t *)begin_new + data->existing_minus_new, /* begin_existing */
       (info_new & VALIDATION_ERRORS_MASK) == CPUID_UNSUPPORTED_INSTRUCTION ?
         (uint8_t *)kStubOutMem :
         (uint8_t *)begin_new,
       (uint8_t)instruction_length);
 }
 
 Bool NaClDfaCodeReplacementIsStubouted(const uint8_t *begin_existing,
                                        size_t instruction_length) {
 
   /* Unsupported instruction must have been replaced with HLTs.  */
   if (memcmp(kStubOutMem, begin_existing, instruction_length) == 0)
     return TRUE;
   else
     return FALSE;
 }