Lib.rs

Embedded development | Development tools
#stack-overflow #memory-layout #stack-memory #cortex-m #arm #memory-region #stack-protection

app flip-link

Flips the memory layout of embedded programs to protect against stack overflows

by knurling-team Owned by Jorge Aparicio, knurling-rs, Johann Hemmann.

9 releases

0.1.8 Mar 6, 2024
0.1.7 Jul 20, 2023
0.1.6 Mar 24, 2022
0.1.5 Aug 27, 2021
0.1.0 Oct 16, 2020

#18 in Embedded development

Download history 857/week @ 2024-01-02 755/week @ 2024-01-09 599/week @ 2024-01-16 479/week @ 2024-01-23 881/week @ 2024-01-30 556/week @ 2024-02-06 818/week @ 2024-02-13 882/week @ 2024-02-20 675/week @ 2024-02-27 1139/week @ 2024-03-05 1256/week @ 2024-03-12 1598/week @ 2024-03-19 688/week @ 2024-03-26 1515/week @ 2024-04-02 1606/week @ 2024-04-09 1404/week @ 2024-04-16

5,291 downloads per month

MIT/Apache

56KB
484 lines

flip-link

adds zero-cost stack overflow protection to your embedded programs

The problem

Bare metal Rust programs may not be memory safe in presence of stack overflows. For example, this is the case for Rust programs based on v0.6.x of the cortex-m-rt crate.

The following program, which contains no unsafe code block, can run into undefined behavior if it reaches a stack overflow condition.

// static variables placed in the .bss / .data sections
static FLAG1: AtomicBool = AtomicU32::new(false); // .bss
static FLAG2: AtomicBool = AtomicU32::new(true);  // .data

fn main() {
    let _x = fib(100);
}

#[inline(never)]
fn fib(n: u32) -> u32 {
    // allocate and initialize 4 kilobytes of stack memory
    let _use_stack = [0xAA; 1024];

    if n < 2 {
        1
    } else {
        fib(n - 1) + fib(n - 2) // recursion
    }
}

#[interrupt]
fn interrupt_handler() {
    // does some operation with `FLAG1` and `FLAG2`
}

The default memory layout of ARM Cortex-M programs in RAM is shown below.

left: default memory layout of ARM Cortex-M programs; right: stack overflow condition

The function call stack, also known as the "stack", grows downwards on function calls and when local variables (e.g. let x) are created (these variables are also placed on the stack).

If the stack grows too large it collides with the .bss + .data region, which contains all the program's static variables. The collision results in the static variables being overwritten with unrelated data. This can result in the program observing the static variables in an invalid state: for example an AtomicBool may hold the value 3 -- this is undefined behavior because the Rust ABI expects this single-byte variable to be either 0 or 1.

The solution

One potential solution is to change the memory layout of the program and place the stack below the .bss+.data region.

With this flipped memory layout (pictured below) the stack cannot collide with the static variables. Instead it will collide with the boundary of the physical RAM memory region. In the ARM Cortex-M architecture, trying to read or write past the boundaries of the RAM region produces a "hardware exception". The cortex-m-rt crate provides an API to handle this condition: a HardFault exception handler can be defined; this "handler" (function) will be executed when the invalid memory operation is attempted.

left: flipped memory layout; right: stack overflow condition

flip-link implements this stack overflow solution. Linking your program with flip-link produces the flipped memory layout, which is memory safe in presence of stack overflows.

Architecture support

flip-link is known to work with ARM Cortex-M programs that link to version 0.6.x of the cortex-m-rt crate and are linked using the linker shipped with the Rust toolchain (LLD). At this time, it hasn't been tested with other architectures or runtime crates.

Installation

flip-link is available on crates.io. To install it, run

$ cargo install flip-link

Usage

Change the linker from rust-lld (the default) to flip-link in .cargo/config.toml

[target.'cfg(all(target_arch = "arm", target_os = "none"))']
# (..)
rustflags = [
  "-C", "linker=flip-link", # <- add this
  # (..)
]

NOTE that if you were using GNU ld or GNU gcc to link your program then this won't work. Support for other linkers is being tracked in issue #1.

Testing

Our CI enforces various checks. You can run them locally to make sure your PR will pass the CI:

  • cargo fmt --all -- --check
  • cargo clippy -- --deny warnings
  • cargo xtest
    • This installs the current revision of flip-link and runs cargo test.

Support

flip-link is part of the Knurling project, Ferrous Systems' effort at improving tooling used to develop for embedded systems.

If you think that our work is useful, consider sponsoring it via GitHub Sponsors.

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be licensed as above, without any additional terms or conditions.

Dependencies

~2.5MB
~45K SLoC