Implement kernel stack isolation for U-mode tasks

[HeatCrab]

User mode tasks require kernel stack isolation to prevent malicious or corrupted user stack pointers from compromising kernel memory during interrupt handling. Without this protection, a user task could set its stack pointer to an invalid or controlled address, causing the ISR to write trap frames to arbitrary memory locations.

Stack isolation is implemented by using the mscratch register as a discriminator between machine mode and user mode execution contexts. The ISR entry performs a blind swap with mscratch: for machine mode tasks (mscratch=0), the swap is immediately undone to restore the kernel stack pointer. For user mode tasks, the swap provides the kernel stack while preserving the user stack pointer in mscratch. The interrupt frame structure is extended to 36 words with frame[33] dedicated to stack pointer storage. Task initialization configures mscratch appropriately during the first dispatch by checking the MPP field in mstatus.

[umode] Phase 1: Testing Kernel Stack Isolation

[umode] Test 1a: sys_tid() with normal SP
[umode] PASS: sys_tid() returned 2

[umode] Test 1b: sys_tid() with malicious SP
[umode] PASS: sys_tid() succeeded, ISR correctly used kernel stack

[umode] Test 1c: sys_uptime() with normal SP
[umode] PASS: sys_uptime() returned 4

[umode] Phase 1 Complete: Kernel stack isolation validated

[umode] ========================================

[umode] Phase 2: Testing Security Isolation

[umode] Action: Attempting to read 'mstatus' CSR from U-mode.
[umode] Expect: Kernel Panic with 'Illegal instruction'.

[EXCEPTION] Illegal instruction epc=0x800002F0

Test code and the outputs validates that system calls succeed even when invoked with a malicious stack pointer (0xDEADBEEF), confirming the ISR correctly uses the kernel stack from mscratch rather than the user-controlled stack pointer. All existing tests continue to pass, demonstrating that the isolation mechanism does not affect machine mode task execution.

Related to #53

[cubic-dev-ai]

No issues found across 5 files

[cubic-dev-ai]

1 issue found across 7 files

Prompt for AI agents (all 1 issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="arch/riscv/boot.c">

<violation number="1" location="arch/riscv/boot.c:333">
P3: Comment claims `ISR_CONTEXT_SIZE` is &quot;used inline&quot; but the macro is not actually used - the value `144` is hardcoded. Consider either using the macro via extended asm operands (as the original code did) or updating the comment to reflect the actual implementation.</violation>
</file>

_{Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR}

[HeatCrab]

This PR now implements per-task kernel stack allocation for U-mode tasks. Previously, all U-mode tasks shared a single global kernel stack ( _stack ), which caused trap frame corruption when multiple U-mode tasks were scheduled concurrently.

Regarding validation, as umode.c had verified that syscalls work correctly with corrupted user SP, confirming the ISR correctly uses the kernel stack from mscratch. The multi-task isolation scenario will be validated by the PMP test suite in PR #32, which depends on this infrastructure.

[cubic-dev-ai]

2 issues found across 11 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="arch/riscv/hal.c">

<violation number="1" location="arch/riscv/hal.c:84">
P3: The ISR frame size comment is now outdated. With `FRAME_SP = 33` added, the frame contains 34 words (indices 0-33), not 33 as documented.</violation>

<violation number="2" location="arch/riscv/hal.c:866">
P2: U-mode mscratch initialization uses global `_stack` instead of `current_kernel_stack_top`. This means the first trap after initial dispatch will use the global stack rather than the task's per-task kernel stack, which is inconsistent with boot.c's ISR exit path design. Should load from `current_kernel_stack_top` with fallback to `_stack` if NULL.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

3 issues found across 11 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="Documentation/hal-calling-convention.md">

<violation number="1" location="Documentation/hal-calling-convention.md:234">
P2: Trap entry description incorrectly claims the hardware swaps SP with `mscratch`; the swap is performed manually in `_isr` via `csrrw`, so the documentation should describe it as an ISR software operation, not a hardware feature.</violation>
</file>

<file name="kernel/syscall.c">

<violation number="1" location="kernel/syscall.c:400">
P1: `sys_tputs` can block the scheduler indefinitely because it keeps the timer interrupt disabled while emitting an unbounded user-controlled string, allowing a U-mode caller to freeze all other tasks.</violation>
</file>

<file name="arch/riscv/hal.c">

<violation number="1" location="arch/riscv/hal.c:866">
P1: Kernel stack isolation bypassed on initial dispatch. For U-mode tasks, `mscratch` is set to `_stack` (global stack) instead of `current_kernel_stack_top` (per-task kernel stack). This causes the first trap after initial dispatch to use the wrong kernel stack, inconsistent with boot.c's ISR restore path which correctly loads `current_kernel_stack_top`.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[jserv]

512 bytes with 144-byte ISR frame leaves only 368 bytes for trap handler execution. If do_trap() → syscall_handler() → any function with local variables, stack overflow is possible.

Consider: #define KERNEL_STACK_SIZE 1024 for safety margin.

[jserv]

The initial dispatch path restores from frame but doesn't handle frame[33] (FRAME_SP) for the first task. Looking at the code:

  "addi   sp, sp, %0\n"  /* Deallocate frame - wrong for U-mode first dispatch */

For U-mode, this sets SP to kernel stack top (wrong).
Should restore SP from frame[FRAME_SP] before mret when MPP=U.

This contradicts _isr's U-mode restore path which correctly loads SP from frame[33].

Impact: First U-mode task starts executing with SP pointing to kernel stack instead of user stack. Security violation and likely crash.

[jserv]

Location: arch/riscv/boot.c, _entry function

Problem: The blind-swap relies on mscratch == 0 to detect M-mode. At reset, mscratch contains undefined garbage. If non-zero, the first M-mode interrupt misidentifies as U-mode entry, causing:

• SP becomes garbage value from mscratch
• Frame allocation corrupts arbitrary memory
• System crash

Fix: Add to _entry before enabling traps:

  "csrw   mideleg, zero\n"
  "csrw   medeleg, zero\n"
  "csrw   mscratch, zero\n"   /* ADD THIS */

[jserv]

Location: kernel/task.c, task_spawn_impl

Problem: Task is added to kcb->tasks list, but kernel_stack is allocated later. If another context (ISR, concurrent task) calls mo_task_cancel() on the new task between these lines:

1. mo_task_cancel frees the TCB
2. task_spawn_impl resumes and writes to freed TCB → Use-After-Free

Current flow:

  CRITICAL_LEAVE();
  // <-- Window: task visible but kernel_stack not allocated
  tcb->kernel_stack = malloc();  // UAF if TCB freed

Fix: Move list_pushback after all allocations complete:

  /* Allocate kernel stack BEFORE adding to task list */
  if (user_mode) {
      tcb->kernel_stack = malloc(KERNEL_STACK_SIZE);
      if (!tcb->kernel_stack) {
          free(tcb->stack);
          free(tcb);
          panic(ERR_STACK_ALLOC);
      }
      tcb->kernel_stack_size = KERNEL_STACK_SIZE;
  }

  CRITICAL_ENTER();
  node = list_pushback(kcb->tasks, tcb);  // Now safe
  // ...
  CRITICAL_LEAVE();

[jserv]

Rebase latest main branch.

[HeatCrab]

The initial dispatch path restores from frame but doesn't handle frame[33] (FRAME_SP) for the first task. Looking at the code:

  "addi   sp, sp, %0\n"  /* Deallocate frame - wrong for U-mode first dispatch */

For U-mode, this sets SP to kernel stack top (wrong). Should restore SP from frame[FRAME_SP] before mret when MPP=U.

This contradicts _isr's U-mode restore path which correctly loads SP from frame[33].

Impact: First U-mode task starts executing with SP pointing to kernel stack instead of user stack. Security violation and likely crash.

Fixed. The initial dispatch now restores SP from frame[33], which contains the correct SP value for both M-mode and U-mode.

[HeatCrab]

Location: kernel/task.c, task_spawn_impl

Problem: Task is added to kcb->tasks list, but kernel_stack is allocated later. If another context (ISR, concurrent task) calls mo_task_cancel() on the new task between these lines:

1. mo_task_cancel frees the TCB
2. task_spawn_impl resumes and writes to freed TCB → Use-After-Free

Current flow:

  CRITICAL_LEAVE();
  // <-- Window: task visible but kernel_stack not allocated
  tcb->kernel_stack = malloc();  // UAF if TCB freed

Fix: Move list_pushback after all allocations complete:

  /* Allocate kernel stack BEFORE adding to task list */
  if (user_mode) {
      tcb->kernel_stack = malloc(KERNEL_STACK_SIZE);
      if (!tcb->kernel_stack) {
          free(tcb->stack);
          free(tcb);
          panic(ERR_STACK_ALLOC);
      }
      tcb->kernel_stack_size = KERNEL_STACK_SIZE;
  }

  CRITICAL_ENTER();
  node = list_pushback(kcb->tasks, tcb);  // Now safe
  // ...
  CRITICAL_LEAVE();

Fixed. Moved kernel_stack allocation before list_pushback to eliminate the UAF race window.

[HeatCrab]

Location: arch/riscv/boot.c, _entry function

Problem: The blind-swap relies on mscratch == 0 to detect M-mode. At reset, mscratch contains undefined garbage. If non-zero, the first M-mode interrupt misidentifies as U-mode entry, causing:

• SP becomes garbage value from mscratch
• Frame allocation corrupts arbitrary memory
• System crash

Fix: Add to _entry before enabling traps:

  "csrw   mideleg, zero\n"
  "csrw   medeleg, zero\n"
  "csrw   mscratch, zero\n"   /* ADD THIS */

Fixed. Added csrw mscratch, zero in _entry before enabling traps.

[HeatCrab]

Rebase latest main branch.

Finished.

[jserv]

Instead of 1a and 1b, use numbers.

[HeatCrab]

Now test 1 is renumbered to test 1-1, 1-2, 1-3.

[jserv]

Now test 1 is renumbered to test 1-1, 1-2, 1-3.

No, simply count Test 1, Test 2, and so on.

[jserv]

Thank @HeatCrab for contributing!