cmse: lint when unions cross the security boundary

When a union passes from secure to non-secure (so, passed as an argument
to an nonsecure call, or returned by a nonsecure entry), warn that there
may be secure information lingering in the unused or uninitialized
parts of a union value.

https://godbolt.org/z/vq9xnrnEs

Author: folkertdev

compiler/rustc_hir_analysis/src/hir_ty_lowering/cmse.rs

@@ -1,4 +1,4 @@
-use rustc_abi::{BackendRepr, ExternAbi, Float, Integer, Primitive, Scalar};
+use rustc_abi::{BackendRepr, ExternAbi, Float, Integer, Primitive};
 use rustc_errors::{DiagCtxtHandle, E0781, struct_span_code_err};
 use rustc_hir::{self as hir, HirId};
 use rustc_middle::bug;
@@ -163,11 +163,7 @@ fn is_valid_cmse_output_layout<'tcx>(layout: TyAndLayout<'tcx>) -> bool {
         return false;
     };
 
-    let Scalar::Initialized { value, .. } = scalar else {
-        return false;
-    };
-
-    matches!(value, Primitive::Int(Integer::I64, _) | Primitive::Float(Float::F64))
+    matches!(scalar.primitive(), Primitive::Int(Integer::I64, _) | Primitive::Float(Float::F64))
 }
 
 fn should_emit_layout_error<'tcx>(abi: ExternAbi, layout_err: &'tcx LayoutError<'tcx>) -> bool {

compiler/rustc_lint/messages.ftl

@@ -187,6 +187,10 @@ lint_closure_returning_async_block = closure returning async block can be made i
     .label = this async block can be removed, and the closure can be turned into an async closure
     .suggestion = turn this into an async closure
 
+lint_cmse_union_may_leak_information =
+    passing a union across the security boundary may leak information
+    .note = the bits not used by the current variant may contain stale secure data
+
 lint_command_line_source = `forbid` lint level was set on command line
 
 lint_confusable_identifier_pair = found both `{$existing_sym}` and `{$sym}` as identifiers, which look alike

compiler/rustc_lint/src/lib.rs

@@ -37,6 +37,7 @@ mod async_closures;
 mod async_fn_in_trait;
 mod autorefs;
 pub mod builtin;
+mod cmse_uninitialized_leak;
 mod context;
 mod dangling;
 mod default_could_be_derived;
@@ -86,6 +87,7 @@ use async_closures::AsyncClosureUsage;
 use async_fn_in_trait::AsyncFnInTrait;
 use autorefs::*;
 use builtin::*;
+use cmse_uninitialized_leak::*;
 use dangling::*;
 use default_could_be_derived::DefaultCouldBeDerived;
 use deref_into_dyn_supertrait::*;
@@ -246,6 +248,7 @@ late_lint_methods!(
             UnqualifiedLocalImports: UnqualifiedLocalImports,
             CheckTransmutes: CheckTransmutes,
             LifetimeSyntax: LifetimeSyntax,
+            CmseUninitializedLeak: CmseUninitializedLeak,
         ]
     ]
 );

compiler/rustc_lint/src/lints.rs

@@ -1460,6 +1460,12 @@ pub(crate) struct NonLocalDefinitionsCargoUpdateNote {
     pub crate_name: Symbol,
 }
 
+// cmse_uninitialized_leak.rs
+#[derive(LintDiagnostic)]
+#[diag(lint_cmse_union_may_leak_information)]
+#[note]
+pub(crate) struct CmseUnionMayLeakInformation;
+
 // precedence.rs
 #[derive(LintDiagnostic)]
 #[diag(lint_ambiguous_negative_literals)]

tests/ui/cmse-nonsecure/cmse-nonsecure-call/params-uninitialized.rs

@@ -0,0 +1,41 @@
+//@ add-core-stubs
+//@ compile-flags: --target thumbv8m.main-none-eabi --crate-type lib
+//@ needs-llvm-components: arm
+//@ check-pass
+#![feature(abi_cmse_nonsecure_call, no_core, lang_items)]
+#![no_core]
+#![allow(improper_ctypes_definitions)]
+
+extern crate minicore;
+use minicore::*;
+
+#[repr(Rust)]
+pub union ReprRustUnionU64 {
+    _unused: u64,
+}
+
+#[repr(C)]
+pub union ReprCUnionU64 {
+    _unused: u64,
+    _unused1: u32,
+}
+
+#[no_mangle]
+pub fn test_union(
+    f1: extern "cmse-nonsecure-call" fn(ReprRustUnionU64),
+    f2: extern "cmse-nonsecure-call" fn(ReprCUnionU64),
+    f3: extern "cmse-nonsecure-call" fn(MaybeUninit<u32>),
+    f4: extern "cmse-nonsecure-call" fn(MaybeUninit<u64>),
+) {
+    f1(ReprRustUnionU64 { _unused: 1 });
+    //~^ WARN passing a union across the security boundary may leak information
+
+    f2(ReprCUnionU64 { _unused: 1 });
+    //~^ WARN passing a union across the security boundary may leak information
+
+    f3(MaybeUninit::uninit());
+    //~^ WARN passing a union across the security boundary may leak information
+
+    f4(MaybeUninit::uninit());
+    //~^ WARN passing a union across the security boundary may leak information
+}

tests/ui/cmse-nonsecure/cmse-nonsecure-call/params-uninitialized.stderr

@@ -0,0 +1,35 @@
+warning: passing a union across the security boundary may leak information
+  --> $DIR/params-uninitialized.rs:30:8
+   |
+LL |     f1(ReprRustUnionU64 { _unused: 1 });
+   |        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |
+   = note: the bits not used by the current variant may contain stale secure data
+   = note: `#[warn(cmse_uninitialized_leak)]` on by default
+
+warning: passing a union across the security boundary may leak information
+  --> $DIR/params-uninitialized.rs:33:8
+   |
+LL |     f2(ReprCUnionU64 { _unused: 1 });
+   |        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |
+   = note: the bits not used by the current variant may contain stale secure data
+
+warning: passing a union across the security boundary may leak information
+  --> $DIR/params-uninitialized.rs:36:8
+   |
+LL |     f3(MaybeUninit::uninit());
+   |        ^^^^^^^^^^^^^^^^^^^^^
+   |
+   = note: the bits not used by the current variant may contain stale secure data
+
+warning: passing a union across the security boundary may leak information
+  --> $DIR/params-uninitialized.rs:39:8
+   |
+LL |     f4(MaybeUninit::uninit());
+   |        ^^^^^^^^^^^^^^^^^^^^^
+   |
+   = note: the bits not used by the current variant may contain stale secure data
+
+warning: 4 warnings emitted
+

tests/ui/cmse-nonsecure/cmse-nonsecure-call/return-via-stack.rs

@@ -49,7 +49,10 @@ pub union ReprRustUnionU64 {
 
 #[no_mangle]
 pub fn test_union(
-    f1: extern "cmse-nonsecure-call" fn() -> ReprRustUnionU64, //~ ERROR [E0798]
-    f2: extern "cmse-nonsecure-call" fn() -> ReprCUnionU64,    //~ ERROR [E0798]
+    f1: extern "cmse-nonsecure-call" fn() -> ReprRustUnionU64,
+    f2: extern "cmse-nonsecure-call" fn() -> ReprCUnionU64,
+    //~^ ERROR return value of `"cmse-nonsecure-call"` function too large to pass via registers [E0798]
+    f3: extern "cmse-nonsecure-call" fn() -> MaybeUninit<u32>,
+    f4: extern "cmse-nonsecure-call" fn() -> MaybeUninit<u64>,
 ) {
 }

tests/ui/cmse-nonsecure/cmse-nonsecure-call/return-via-stack.stderr

@@ -61,15 +61,6 @@ LL |     f5: extern "cmse-nonsecure-call" fn() -> [u8; 5],
    = note: functions with the `"cmse-nonsecure-call"` ABI must pass their result via the available return registers
    = note: the result must either be a (transparently wrapped) i64, u64 or f64, or be at most 4 bytes in size
 
-error[E0798]: return value of `"cmse-nonsecure-call"` function too large to pass via registers
-  --> $DIR/return-via-stack.rs:52:46
-   |
-LL |     f1: extern "cmse-nonsecure-call" fn() -> ReprRustUnionU64,
-   |                                              ^^^^^^^^^^^^^^^^ this type doesn't fit in the available registers
-   |
-   = note: functions with the `"cmse-nonsecure-call"` ABI must pass their result via the available return registers
-   = note: the result must either be a (transparently wrapped) i64, u64 or f64, or be at most 4 bytes in size
-
 error[E0798]: return value of `"cmse-nonsecure-call"` function too large to pass via registers
   --> $DIR/return-via-stack.rs:53:46
    |
@@ -79,6 +70,6 @@ LL |     f2: extern "cmse-nonsecure-call" fn() -> ReprCUnionU64,
    = note: functions with the `"cmse-nonsecure-call"` ABI must pass their result via the available return registers
    = note: the result must either be a (transparently wrapped) i64, u64 or f64, or be at most 4 bytes in size
 
-error: aborting due to 9 previous errors
+error: aborting due to 8 previous errors
 
 For more information about this error, try `rustc --explain E0798`.

tests/ui/cmse-nonsecure/cmse-nonsecure-entry/params-via-stack.rs

@@ -23,3 +23,26 @@ pub extern "cmse-nonsecure-entry" fn f4(_: AlignRelevant, _: u32) {} //~ ERROR [
 #[no_mangle]
 #[allow(improper_ctypes_definitions)]
 pub extern "cmse-nonsecure-entry" fn f5(_: [u32; 5]) {} //~ ERROR [E0798]
+//
+#[repr(Rust)]
+pub union ReprRustUnionU64 {
+    _unused: u64,
+}
+
+#[repr(C)]
+pub union ReprCUnionU64 {
+    _unused: u64,
+}
+
+#[no_mangle]
+#[allow(improper_ctypes_definitions)]
+pub extern "cmse-nonsecure-entry" fn union_rust(_: ReprRustUnionU64) {}
+
+#[no_mangle]
+pub extern "cmse-nonsecure-entry" fn union_c(_: ReprCUnionU64) {}
+
+#[no_mangle]
+pub extern "cmse-nonsecure-entry" fn maybe_uninit_32bit(_: MaybeUninit<u32>) {}
+
+#[no_mangle]
+pub extern "cmse-nonsecure-entry" fn maybe_uninit_64bit(_: MaybeUninit<f64>) {}

tests/ui/cmse-nonsecure/cmse-nonsecure-entry/return-uninitialized.rs

@@ -0,0 +1,43 @@
+//@ add-core-stubs
+//@ compile-flags: --target thumbv8m.main-none-eabi --crate-type lib
+//@ needs-llvm-components: arm
+//@ check-pass
+
+#![feature(cmse_nonsecure_entry, no_core, lang_items)]
+#![no_core]
+
+extern crate minicore;
+use minicore::*;
+
+#[repr(Rust)]
+pub union ReprRustUnionU64 {
+    _unused: u64,
+}
+
+#[repr(C)]
+pub union ReprCUnionU64 {
+    _unused: u64,
+}
+
+#[no_mangle]
+#[allow(improper_ctypes_definitions)]
+pub extern "cmse-nonsecure-entry" fn union_rust() -> ReprRustUnionU64 {
+    ReprRustUnionU64 { _unused: 1 }
+    //~^ WARN passing a union across the security boundary may leak information
+}
+
+#[no_mangle]
+pub extern "cmse-nonsecure-entry" fn maybe_uninit_32bit() -> MaybeUninit<u32> {
+    MaybeUninit::uninit()
+    //~^ WARN passing a union across the security boundary may leak information
+}
+
+#[no_mangle]
+pub extern "cmse-nonsecure-entry" fn maybe_uninit_64bit() -> MaybeUninit<f64> {
+    if true {
+        return MaybeUninit::new(6.28);
+        //~^ WARN passing a union across the security boundary may leak information
+    }
+    MaybeUninit::new(3.14)
+    //~^ WARN passing a union across the security boundary may leak information
+}