MPU Hal (#1492)

* Furi HAL: memory protection unit
* Core: prohibit NULL dereferencing, even for reads.
* Applications: fix NULL dereference
* Core: stack protection by MPU
* MPU: stack region alignment
* Apps: fix null pointer dereferences
* Threads: fix non-null arg check
* Desktop settings: fix null pointer dereference
* Core: documented null-check hack
* Fix null dereference issues
* Apps: args check
* Core: naming fixes
* format code
* Core: remove NONNULL specifier
* FurHal: move MPU initialization to begining, fix enum naming

Co-authored-by: あく <alleteam@gmail.com>

firmware/targets/f7/Inc/FreeRTOSConfig.h

@@ -32,7 +32,7 @@ extern uint32_t SystemCoreClock;
 #define configUSE_16_BIT_TICKS 0
 #define configUSE_MUTEXES 1
 #define configQUEUE_REGISTRY_SIZE 0
-#define configCHECK_FOR_STACK_OVERFLOW 2
+#define configCHECK_FOR_STACK_OVERFLOW 0
 #define configUSE_RECURSIVE_MUTEXES 1
 #define configUSE_COUNTING_SEMAPHORES 1
 #define configENABLE_BACKWARD_COMPATIBILITY 0
@@ -145,3 +145,7 @@ standard names. */
 #define USE_CUSTOM_SYSTICK_HANDLER_IMPLEMENTATION 1
 #define configOVERRIDE_DEFAULT_TICK_CONFIGURATION \
     1 /* required only for Keil but does not hurt otherwise */
+
+#define traceTASK_SWITCHED_IN()                                     \
+    extern void furi_hal_mpu_set_stack_protection(uint32_t* stack); \
+    furi_hal_mpu_set_stack_protection((uint32_t*)pxCurrentTCB->pxStack)

firmware/targets/f7/furi_hal/furi_hal.c

@@ -1,4 +1,5 @@
 #include <furi_hal.h>
+#include <furi_hal_mpu.h>
 
 #include <stm32wbxx_ll_cortex.h>
 
@@ -35,6 +36,7 @@ void furi_hal_deinit_early() {
 }
 
 void furi_hal_init() {
+    furi_hal_mpu_init();
     furi_hal_clock_init();
     furi_hal_console_init();
     furi_hal_rtc_init();
@@ -80,17 +82,6 @@ void furi_hal_init() {
     // FatFS driver initialization
     MX_FATFS_Init();
     FURI_LOG_I(TAG, "FATFS OK");
-
-    // Partial null pointer dereference protection
-    LL_MPU_Disable();
-    LL_MPU_ConfigRegion(
-        LL_MPU_REGION_NUMBER0,
-        0x00,
-        0x0,
-        LL_MPU_REGION_SIZE_1MB | LL_MPU_REGION_PRIV_RO_URO | LL_MPU_ACCESS_BUFFERABLE |
-            LL_MPU_ACCESS_CACHEABLE | LL_MPU_ACCESS_SHAREABLE | LL_MPU_TEX_LEVEL1 |
-            LL_MPU_INSTRUCTION_ACCESS_ENABLE);
-    LL_MPU_Enable(LL_MPU_CTRL_PRIVILEGED_DEFAULT);
 }
 
 void furi_hal_switch(void* address) {

firmware/targets/f7/furi_hal/furi_hal_interrupt.c

@@ -6,6 +6,7 @@
 #include <stm32wbxx.h>
 #include <stm32wbxx_ll_tim.h>
 #include <stm32wbxx_ll_rcc.h>
+#include <stm32wbxx_ll_cortex.h>
 
 #define TAG "FuriHalInterrupt"
 
@@ -95,6 +96,10 @@ void furi_hal_interrupt_init() {
     LL_SYSCFG_DisableIT_FPU_IDC();
     LL_SYSCFG_DisableIT_FPU_IXC();
 
+    LL_HANDLER_EnableFault(LL_HANDLER_FAULT_USG);
+    LL_HANDLER_EnableFault(LL_HANDLER_FAULT_BUS);
+    LL_HANDLER_EnableFault(LL_HANDLER_FAULT_MEM);
+
     FURI_LOG_I(TAG, "Init OK");
 }
 
@@ -241,6 +246,20 @@ void HardFault_Handler() {
 }
 
 void MemManage_Handler() {
+    if(FURI_BIT(SCB->CFSR, SCB_CFSR_MMARVALID_Pos)) {
+        uint32_t memfault_address = SCB->MMFAR;
+        if(memfault_address < (1024 * 1024)) {
+            // from 0x00 to 1MB, see FuriHalMpuRegionNULL
+            furi_crash("NULL pointer dereference");
+        } else {
+            // write or read of MPU region 1 (FuriHalMpuRegionStack)
+            furi_crash("MPU fault, possibly stack overflow");
+        }
+    } else if(FURI_BIT(SCB->CFSR, SCB_CFSR_MSTKERR_Pos)) {
+        // push to stack on MPU region 1 (FuriHalMpuRegionStack)
+        furi_crash("MemManage fault, possibly stack overflow");
+    }
+
     furi_crash("MemManage");
 }
 

firmware/targets/f7/furi_hal/furi_hal_mpu.c

@@ -0,0 +1,66 @@
+#include <furi_hal_mpu.h>
+#include <stm32wbxx_ll_cortex.h>
+
+#define FURI_HAL_MPU_ATTRIBUTES                                                     \
+    (LL_MPU_ACCESS_BUFFERABLE | LL_MPU_ACCESS_CACHEABLE | LL_MPU_ACCESS_SHAREABLE | \
+     LL_MPU_TEX_LEVEL1 | LL_MPU_INSTRUCTION_ACCESS_ENABLE)
+
+#define FURI_HAL_MPU_STACK_PROTECT_REGION FuriHalMPURegionSize32B
+
+void furi_hal_mpu_init() {
+    furi_hal_mpu_enable();
+
+    // NULL pointer dereference protection
+    furi_hal_mpu_protect_no_access(FuriHalMpuRegionNULL, 0x00, FuriHalMPURegionSize1MB);
+}
+
+void furi_hal_mpu_enable() {
+    LL_MPU_Enable(LL_MPU_CTRL_PRIVILEGED_DEFAULT);
+}
+
+void furi_hal_mpu_disable() {
+    LL_MPU_Disable();
+}
+
+void furi_hal_mpu_protect_no_access(
+    FuriHalMpuRegion region,
+    uint32_t address,
+    FuriHalMPURegionSize size) {
+    uint32_t size_ll = size;
+    size_ll = size_ll << MPU_RASR_SIZE_Pos;
+
+    furi_hal_mpu_disable();
+    LL_MPU_ConfigRegion(
+        region, 0x00, address, FURI_HAL_MPU_ATTRIBUTES | LL_MPU_REGION_NO_ACCESS | size_ll);
+    furi_hal_mpu_enable();
+}
+
+void furi_hal_mpu_protect_read_only(
+    FuriHalMpuRegion region,
+    uint32_t address,
+    FuriHalMPURegionSize size) {
+    uint32_t size_ll = size;
+    size_ll = size_ll << MPU_RASR_SIZE_Pos;
+
+    furi_hal_mpu_disable();
+    LL_MPU_ConfigRegion(
+        region, 0x00, address, FURI_HAL_MPU_ATTRIBUTES | LL_MPU_REGION_PRIV_RO_URO | size_ll);
+    furi_hal_mpu_enable();
+}
+
+void furi_hal_mpu_protect_disable(FuriHalMpuRegion region) {
+    furi_hal_mpu_disable();
+    LL_MPU_DisableRegion(region);
+    furi_hal_mpu_enable();
+}
+
+void furi_hal_mpu_set_stack_protection(uint32_t* stack) {
+    // Protection area address must be aligned to region size
+    uint32_t stack_ptr = (uint32_t)stack;
+    uint32_t mask = ((1 << (FURI_HAL_MPU_STACK_PROTECT_REGION + 2)) - 1);
+    stack_ptr &= ~mask;
+    if(stack_ptr < (uint32_t)stack) stack_ptr += (mask + 1);
+
+    furi_hal_mpu_protect_read_only(
+        FuriHalMpuRegionStack, stack_ptr, FURI_HAL_MPU_STACK_PROTECT_REGION);
+}