[PATCH 3/4] arm64: efi: Add return address protection to runtime wrapper
Ard Biesheuvel
ardb at kernel.org
Tue Nov 29 06:18:02 PST 2022
Add return address protection to the EFI runtime wrapper so that this
code is less likely to be taken advantage of in ROP/JOP style attacks.
Signed-off-by: Ard Biesheuvel <ardb at kernel.org>
---
arch/arm64/kernel/efi-rt-wrapper.S | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/kernel/efi-rt-wrapper.S b/arch/arm64/kernel/efi-rt-wrapper.S
index afd3e81e1b627b87..874da02f3a1664c3 100644
--- a/arch/arm64/kernel/efi-rt-wrapper.S
+++ b/arch/arm64/kernel/efi-rt-wrapper.S
@@ -6,6 +6,7 @@
#include <linux/linkage.h>
SYM_FUNC_START(__efi_rt_asm_wrapper)
+ protect_return_address
stp x29, x30, [sp, #-112]!
mov x29, sp
@@ -46,9 +47,7 @@ SYM_FUNC_START(__efi_rt_asm_wrapper)
ldp x1, x2, [sp, #16]
cmp x2, x18
ldp x29, x30, [sp], #112
- b.ne 0f
- ret
-0:
+
/*
* With CONFIG_SHADOW_CALL_STACK, the kernel uses x18 to store a
* shadow stack pointer, which we need to restore before returning to
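Review bot: The `cmp x2, x18` in this hunk no longer has its `b.ne 0f` directly behind it; the branch now sits below the `ldr_this_cpu` expansion in the next hunk, so the corrupted-x18 check depends on the condition flags surviving that macro. As far as I know `ldr_this_cpu` expands to address generation, a system register read and a load, none of which set flags, but nothing in the file records that requirement. I would add a comment next to the compare, for example `// flags are consumed by the b.ne after the x18 reload below; nothing in between may set NZCV`. The comment block this hunk ends in continues outside the hunk.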
@@ -59,7 +58,10 @@ SYM_FUNC_START(__efi_rt_asm_wrapper)
#ifdef CONFIG_SHADOW_CALL_STACK
ldr_this_cpu x18, __efi_rt_asm_recover_sp + 8, x9
#endif
-
+ b.ne 0f
+ restore_return_address
+ ret
+0:
b efi_handle_corrupted_x18 // tail call
SYM_FUNC_END(__efi_rt_asm_wrapper)
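Review bot: The `0:` path tail-calls `efi_handle_corrupted_x18` without `restore_return_address`, while the normal return just above it and the tail call in `__efi_rt_asm_recover` (last hunk) both run the macro first. The macro definitions are not part of this patch, so this is inferred: if `protect_return_address` signs x30 or pushes it to the shadow call stack, the handler is entered with x30 still in its protected form and the entry saved at function start is never consumed. If that is not intended, running the macro on both paths would close the gap, e.g. `0:` followed by `restore_return_address` and then `b efi_handle_corrupted_x18`. If it is intended, a one-line comment at `0:` saying why the restore is skipped would help.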
@@ -74,5 +76,7 @@ SYM_CODE_START(__efi_rt_asm_recover)
ldp x27, x28, [sp, #96]
ldp x29, x30, [sp], #112
+ restore_return_address
+
b efi_handle_runtime_exception
SYM_CODE_END(__efi_rt_asm_recover)
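Review bot: `restore_return_address` here runs on the exception-recovery path, and the hunk does not show x18 being brought back to a kernel value before it. In `__efi_rt_asm_wrapper` this same patch moves the CONFIG_SHADOW_CALL_STACK reload of x18 ahead of the macro, which suggests the macro depends on x18. The start of `__efi_rt_asm_recover` is outside the hunk, so x18 may well be reloaded there. A short comment above the macro, such as `// x18 and sp were restored above, as restore_return_address requires`, would make that dependency visible to the next editor.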
--
2.35.1