/* * Copyright (c) 2017, Intel Corporation * * SPDX-License-Identifier: Apache-2.0 */ #ifndef _ZEPHYR_SYSCALL_HANDLER_H_ #define _ZEPHYR_SYSCALL_HANDLER_H_ #ifdef CONFIG_USERSPACE #ifndef _ASMLANGUAGE #include #include #include extern const _k_syscall_handler_t _k_syscall_table[K_SYSCALL_LIMIT]; enum _obj_init_check { _OBJ_INIT_TRUE = 0, _OBJ_INIT_FALSE = -1, _OBJ_INIT_ANY = 1 }; /** * Ensure a system object is a valid object of the expected type * * Searches for the object and ensures that it is indeed an object * of the expected type, that the caller has the right permissions on it, * and that the object has been initialized. * * This function is intended to be called on the kernel-side system * call handlers to validate kernel object pointers passed in from * userspace. * * @param ko Kernel object metadata pointer, or NULL * @param otype Expected type of the kernel object, or K_OBJ_ANY if type * doesn't matter * @param init Indicate whether the object needs to already be in initialized * or uninitialized state, or that we don't care * @return 0 If the object is valid * -EBADF if not a valid object of the specified type * -EPERM If the caller does not have permissions * -EINVAL Object is not initialized */ int _k_object_validate(struct _k_object *ko, enum k_objects otype, enum _obj_init_check init); /** * Dump out error information on failed _k_object_validate() call * * @param retval Return value from _k_object_validate() * @param obj Kernel object we were trying to verify * @param ko If retval=-EPERM, struct _k_object * that was looked up, or NULL * @param otype Expected type of the kernel object */ extern void _dump_object_error(int retval, void *obj, struct _k_object *ko, enum k_objects otype); /** * Kernel object validation function * * Retrieve metadata for a kernel object. This function is implemented in * the gperf script footer, see gen_kobject_list.py * * @param obj Address of kernel object to get metadata * @return Kernel object's metadata, or NULL if the parameter wasn't the * memory address of a kernel object */ extern struct _k_object *_k_object_find(void *obj); typedef void (*_wordlist_cb_func_t)(struct _k_object *ko, void *context); /** * Iterate over all the kernel object metadata in the system * * @param func function to run on each struct _k_object * @param context Context pointer to pass to each invocation */ extern void _k_object_wordlist_foreach(_wordlist_cb_func_t func, void *context); /** * Copy all kernel object permissions from the parent to the child * * @param parent Parent thread, to get permissions from * @param child Child thread, to copy permissions to */ extern void _thread_perms_inherit(struct k_thread *parent, struct k_thread *child); /** * Grant a thread permission to a kernel object * * @param ko Kernel object metadata to update * @param thread The thread to grant permission */ extern void _thread_perms_set(struct _k_object *ko, struct k_thread *thread); /** * Revoke a thread's permission to a kernel object * * @param ko Kernel object metadata to update * @param thread The thread to grant permission */ extern void _thread_perms_clear(struct _k_object *ko, struct k_thread *thread); /* * Revoke access to all objects for the provided thread * * NOTE: Unlike _thread_perms_clear(), this function will not clear * permissions on public objects. * * @param thread Thread object to revoke access */ extern void _thread_perms_all_clear(struct k_thread *thread); /** * Clear initialization state of a kernel object * * Intended for thread objects upon thread exit, or for other kernel objects * that were released back to an object pool. * * @param object Address of the kernel object */ void _k_object_uninit(void *obj); #define Z_OOPS(expr) \ do { \ if (expr) { \ _arch_syscall_oops(ssf); \ } \ } while (0) static inline __attribute__((warn_unused_result)) __printf_like(2, 3) bool z_syscall_verify_msg(bool expr, const char *fmt, ...) { va_list ap; if (expr) { va_start(ap, fmt); vprintk(fmt, ap); va_end(ap); } return expr; } /** * @brief Runtime expression check for system call arguments * * Used in handler functions to perform various runtime checks on arguments, * and generate a kernel oops if anything is not expected, printing a custom * message. * * @param expr Boolean expression to verify, a false result will trigger an * oops * @param fmt Printf-style format string (followed by appropriate variadic * arguments) to print on verification failure * @return 0 on success, nonzero on failure */ #define Z_SYSCALL_VERIFY_MSG(expr, fmt, ...) \ z_syscall_verify_msg(!(expr), "syscall %s failed check: " fmt "\n", \ __func__, ##__VA_ARGS__) /** * @brief Runtime expression check for system call arguments * * Used in handler functions to perform various runtime checks on arguments, * and generate a kernel oops if anything is not expected. * * @param expr Boolean expression to verify, a false result will trigger an * oops. A stringified version of this expression will be printed. * @return 0 on success, nonzero on failure */ #define Z_SYSCALL_VERIFY(expr) Z_SYSCALL_VERIFY_MSG(expr, #expr) #define Z_SYSCALL_MEMORY(ptr, size, write) \ Z_SYSCALL_VERIFY_MSG(!_arch_buffer_validate((void *)ptr, size, write), \ "Memory region %p (size %u) %s access denied", \ (void *)(ptr), (u32_t)(size), \ write ? "write" : "read") /** * @brief Runtime check that a user thread has read permission to a memory area * * Checks that the particular memory area is readable by the currently running * thread if the CPU was in user mode, and generates a kernel oops if it * wasn't. Prevents userspace from getting the kernel to read memory the thread * does not have access to, or passing in garbage pointers that would * crash/pagefault the kernel if dereferenced. * * @param ptr Memory area to examine * @param size Size of the memory area * @param write If the thread should be able to write to this memory, not just * read it * @return 0 on success, nonzero on failure */ #define Z_SYSCALL_MEMORY_READ(ptr, size) \ Z_SYSCALL_MEMORY(ptr, size, 0) /** * @brief Runtime check that a user thread has write permission to a memory area * * Checks that the particular memory area is readable and writable by the * currently running thread if the CPU was in user mode, and generates a kernel * oops if it wasn't. Prevents userspace from getting the kernel to read or * modify memory the thread does not have access to, or passing in garbage * pointers that would crash/pagefault the kernel if dereferenced. * * @param ptr Memory area to examine * @param size Size of the memory area * @param write If the thread should be able to write to this memory, not just * read it * @param 0 on success, nonzero on failure */ #define Z_SYSCALL_MEMORY_WRITE(ptr, size) \ Z_SYSCALL_MEMORY(ptr, size, 1) #define Z_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, write) \ ({ \ u32_t product; \ Z_SYSCALL_VERIFY_MSG(!__builtin_umul_overflow((u32_t)(nmemb), \ (u32_t)(size), \ &product), \ "%ux%u array is too large", \ (u32_t)(nmemb), (u32_t)(size)) || \ Z_SYSCALL_MEMORY(ptr, product, write); \ }) /** * @brief Validate user thread has read permission for sized array * * Used when the memory region is expressed in terms of number of elements and * each element size, handles any overflow issues with computing the total * array bounds. Otherwise see _SYSCALL_MEMORY_READ. * * @param ptr Memory area to examine * @param nmemb Number of elements in the array * @param size Size of each array element * @return 0 on success, nonzero on failure */ #define Z_SYSCALL_MEMORY_ARRAY_READ(ptr, nmemb, size) \ Z_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, 0) /** * @brief Validate user thread has read/write permission for sized array * * Used when the memory region is expressed in terms of number of elements and * each element size, handles any overflow issues with computing the total * array bounds. Otherwise see _SYSCALL_MEMORY_WRITE. * * @param ptr Memory area to examine * @param nmemb Number of elements in the array * @param size Size of each array element * @return 0 on success, nonzero on failure */ #define Z_SYSCALL_MEMORY_ARRAY_WRITE(ptr, nmemb, size) \ Z_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, 1) static inline int _obj_validation_check(struct _k_object *ko, void *obj, enum k_objects otype, enum _obj_init_check init) { int ret; ret = _k_object_validate(ko, otype, init); #ifdef CONFIG_PRINTK if (ret) { _dump_object_error(ret, obj, ko, otype); } #else ARG_UNUSED(obj); #endif return ret; } #define Z_SYSCALL_IS_OBJ(ptr, type, init) \ Z_SYSCALL_VERIFY_MSG( \ !_obj_validation_check(_k_object_find((void *)ptr), (void *)ptr, \ type, init), "access denied") /** * @brief Runtime check driver object pointer for presence of operation * * Validates if the driver object is capable of performing a certain operation. * * @param ptr Untrusted device instance object pointer * @param api_struct Name of the driver API struct (e.g. gpio_driver_api) * @param op Driver operation (e.g. manage_callback) * @return 0 on success, nonzero on failure */ #define Z_SYSCALL_DRIVER_OP(ptr, api_name, op) \ ({ \ struct api_name *__device__ = (struct api_name *) \ ((struct device *)ptr)->driver_api; \ Z_SYSCALL_VERIFY_MSG(__device__->op != NULL, \ "Operation %s not defined for driver " \ "instance %p", \ # op, __device__); \ }) /** * @brief Runtime check kernel object pointer for non-init functions * * Calls _k_object_validate and triggers a kernel oops if the check files. * For use in system call handlers which are not init functions; a fatal * error will occur if the object is not initialized. * * @param ptr Untrusted kernel object pointer * @param type Expected kernel object type * @return 0 on success, nonzero on failure */ #define Z_SYSCALL_OBJ(ptr, type) \ Z_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_TRUE) /** * @brief Runtime check kernel object pointer for non-init functions * * See description of _SYSCALL_IS_OBJ. No initialization checks are done. * Intended for init functions where objects may be re-initialized at will. * * @param ptr Untrusted kernel object pointer * @param type Expected kernel object type * @return 0 on success, nonzero on failure */ #define Z_SYSCALL_OBJ_INIT(ptr, type) \ Z_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_ANY) /** * @brief Runtime check kernel object pointer for non-init functions * * See description of _SYSCALL_IS_OBJ. Triggers a fatal error if the object is * initialized. Intended for init functions where objects, once initialized, * can only be re-used when their initialization state expires due to some * other mechanism. * * @param ptr Untrusted kernel object pointer * @param type Expected kernel object type * @return 0 on success, nonzero on failure */ #define Z_SYSCALL_OBJ_NEVER_INIT(ptr, type) \ Z_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_FALSE) /* * Handler definition macros * * All handlers have the same prototype: * * u32_t _handler_APINAME(u32_t arg1, u32_t arg2, u32_t arg3, * u32_t arg4, u32_t arg5, u32_t arg6, void *ssf); * * These make it much simpler to define handlers instead of typing out * the bolierplate. The macros ensure that the seventh argument is named * "ssf" as this is now referenced by various other _SYSCALL macros. * * Use the _SYSCALL_HANDLER(name_, arg0, ..., arg6) variant, as it will * automatically deduce the correct version of __SYSCALL_HANDLERn() to * use depending on the number of arguments. */ #define __SYSCALL_HANDLER0(name_) \ u32_t _handler_ ## name_(u32_t arg1 __unused, \ u32_t arg2 __unused, \ u32_t arg3 __unused, \ u32_t arg4 __unused, \ u32_t arg5 __unused, \ u32_t arg6 __unused, \ void *ssf) #define __SYSCALL_HANDLER1(name_, arg1_) \ u32_t _handler_ ## name_(u32_t arg1_, \ u32_t arg2 __unused, \ u32_t arg3 __unused, \ u32_t arg4 __unused, \ u32_t arg5 __unused, \ u32_t arg6 __unused, \ void *ssf) #define __SYSCALL_HANDLER2(name_, arg1_, arg2_) \ u32_t _handler_ ## name_(u32_t arg1_, \ u32_t arg2_, \ u32_t arg3 __unused, \ u32_t arg4 __unused, \ u32_t arg5 __unused, \ u32_t arg6 __unused, \ void *ssf) #define __SYSCALL_HANDLER3(name_, arg1_, arg2_, arg3_) \ u32_t _handler_ ## name_(u32_t arg1_, \ u32_t arg2_, \ u32_t arg3_, \ u32_t arg4 __unused, \ u32_t arg5 __unused, \ u32_t arg6 __unused, \ void *ssf) #define __SYSCALL_HANDLER4(name_, arg1_, arg2_, arg3_, arg4_) \ u32_t _handler_ ## name_(u32_t arg1_, \ u32_t arg2_, \ u32_t arg3_, \ u32_t arg4_, \ u32_t arg5 __unused, \ u32_t arg6 __unused, \ void *ssf) #define __SYSCALL_HANDLER5(name_, arg1_, arg2_, arg3_, arg4_, arg5_) \ u32_t _handler_ ## name_(u32_t arg1_, \ u32_t arg2_, \ u32_t arg3_, \ u32_t arg4_, \ u32_t arg5_, \ u32_t arg6 __unused, \ void *ssf) #define __SYSCALL_HANDLER6(name_, arg1_, arg2_, arg3_, arg4_, arg5_, arg6_) \ u32_t _handler_ ## name_(u32_t arg1_, \ u32_t arg2_, \ u32_t arg3_, \ u32_t arg4_, \ u32_t arg5_, \ u32_t arg6_, \ void *ssf) #define _SYSCALL_CONCAT(arg1, arg2) __SYSCALL_CONCAT(arg1, arg2) #define __SYSCALL_CONCAT(arg1, arg2) ___SYSCALL_CONCAT(arg1, arg2) #define ___SYSCALL_CONCAT(arg1, arg2) arg1##arg2 #define _SYSCALL_NARG(...) __SYSCALL_NARG(__VA_ARGS__, __SYSCALL_RSEQ_N()) #define __SYSCALL_NARG(...) __SYSCALL_ARG_N(__VA_ARGS__) #define __SYSCALL_ARG_N(_1, _2, _3, _4, _5, _6, _7, N, ...) N #define __SYSCALL_RSEQ_N() 6, 5, 4, 3, 2, 1, 0 #define Z_SYSCALL_HANDLER(...) \ _SYSCALL_CONCAT(__SYSCALL_HANDLER, \ _SYSCALL_NARG(__VA_ARGS__))(__VA_ARGS__) /* * Helper macros for a very common case: calls which just take one argument * which is an initialized kernel object of a specific type. Verify the object * and call the implementation. */ #define Z_SYSCALL_HANDLER1_SIMPLE(name_, obj_enum_, obj_type_) \ __SYSCALL_HANDLER1(name_, arg1) { \ Z_OOPS(Z_SYSCALL_OBJ(arg1, obj_enum_)); \ return (u32_t)_impl_ ## name_((obj_type_)arg1); \ } #define Z_SYSCALL_HANDLER1_SIMPLE_VOID(name_, obj_enum_, obj_type_) \ __SYSCALL_HANDLER1(name_, arg1) { \ Z_OOPS(Z_SYSCALL_OBJ(arg1, obj_enum_)); \ _impl_ ## name_((obj_type_)arg1); \ return 0; \ } #define Z_SYSCALL_HANDLER0_SIMPLE(name_) \ __SYSCALL_HANDLER0(name_) { \ return (u32_t)_impl_ ## name_(); \ } #define Z_SYSCALL_HANDLER0_SIMPLE_VOID(name_) \ __SYSCALL_HANDLER0(name_) { \ _impl_ ## name_(); \ return 0; \ } #include #endif /* _ASMLANGUAGE */ #endif /* CONFIG_USERSPACE */ #endif /* _ZEPHYR_SYSCALL_H_ */