433 lines
13 KiB
C
433 lines
13 KiB
C
/*
|
|
* Copyright (c) 2017, Intel Corporation
|
|
*
|
|
* SPDX-License-Identifier: Apache 2.0
|
|
*/
|
|
|
|
|
|
#ifndef _ZEPHYR_SYSCALL_HANDLER_H_
|
|
#define _ZEPHYR_SYSCALL_HANDLER_H_
|
|
|
|
#ifdef CONFIG_USERSPACE
|
|
|
|
#ifndef _ASMLANGUAGE
|
|
#include <kernel.h>
|
|
#include <misc/printk.h>
|
|
#include <nano_internal.h>
|
|
|
|
extern const _k_syscall_handler_t _k_syscall_table[K_SYSCALL_LIMIT];
|
|
|
|
enum _obj_init_check {
|
|
_OBJ_INIT_TRUE = 0,
|
|
_OBJ_INIT_FALSE = -1,
|
|
_OBJ_INIT_ANY = 1
|
|
};
|
|
|
|
/**
|
|
* Ensure a system object is a valid object of the expected type
|
|
*
|
|
* Searches for the object and ensures that it is indeed an object
|
|
* of the expected type, that the caller has the right permissions on it,
|
|
* and that the object has been initialized.
|
|
*
|
|
* This function is intended to be called on the kernel-side system
|
|
* call handlers to validate kernel object pointers passed in from
|
|
* userspace.
|
|
*
|
|
* @param ko Kernel object metadata pointer, or NULL
|
|
* @param otype Expected type of the kernel object, or K_OBJ_ANY if type
|
|
* doesn't matter
|
|
* @param init Indicate whether the object needs to already be in initialized
|
|
* or uninitialized state, or that we don't care
|
|
* @return 0 If the object is valid
|
|
* -EBADF if not a valid object of the specified type
|
|
* -EPERM If the caller does not have permissions
|
|
* -EINVAL Object is not initialized
|
|
*/
|
|
int _k_object_validate(struct _k_object *ko, enum k_objects otype,
|
|
enum _obj_init_check init);
|
|
|
|
/**
|
|
* Dump out error information on failed _k_object_validate() call
|
|
*
|
|
* @param retval Return value from _k_object_validate()
|
|
* @param obj Kernel object we were trying to verify
|
|
* @param ko If retval=-EPERM, struct _k_object * that was looked up, or NULL
|
|
* @param otype Expected type of the kernel object
|
|
*/
|
|
extern void _dump_object_error(int retval, void *obj, struct _k_object *ko,
|
|
enum k_objects otype);
|
|
|
|
/**
|
|
* Kernel object validation function
|
|
*
|
|
* Retrieve metadata for a kernel object. This function is implemented in
|
|
* the gperf script footer, see gen_kobject_list.py
|
|
*
|
|
* @param obj Address of kernel object to get metadata
|
|
* @return Kernel object's metadata, or NULL if the parameter wasn't the
|
|
* memory address of a kernel object
|
|
*/
|
|
extern struct _k_object *_k_object_find(void *obj);
|
|
|
|
typedef void (*_wordlist_cb_func_t)(struct _k_object *ko, void *context);
|
|
|
|
/**
|
|
* Iterate over all the kernel object metadata in the system
|
|
*
|
|
* @param func function to run on each struct _k_object
|
|
* @param context Context pointer to pass to each invocation
|
|
*/
|
|
extern void _k_object_wordlist_foreach(_wordlist_cb_func_t func, void *context);
|
|
|
|
/**
|
|
* Copy all kernel object permissions from the parent to the child
|
|
*
|
|
* @param parent Parent thread, to get permissions from
|
|
* @param child Child thread, to copy permissions to
|
|
*/
|
|
extern void _thread_perms_inherit(struct k_thread *parent,
|
|
struct k_thread *child);
|
|
|
|
/**
|
|
* Grant a thread permission to a kernel object
|
|
*
|
|
* @param ko Kernel object metadata to update
|
|
* @param thread The thread to grant permission
|
|
*/
|
|
extern void _thread_perms_set(struct _k_object *ko, struct k_thread *thread);
|
|
|
|
/**
|
|
* Revoke a thread's permission to a kernel object
|
|
*
|
|
* @param ko Kernel object metadata to update
|
|
* @param thread The thread to grant permission
|
|
*/
|
|
extern void _thread_perms_clear(struct _k_object *ko, struct k_thread *thread);
|
|
|
|
/*
|
|
* Revoke access to all objects for the provided thread
|
|
*
|
|
* NOTE: Unlike _thread_perms_clear(), this function will not clear
|
|
* permissions on public objects.
|
|
*
|
|
* @param thread Thread object to revoke access
|
|
*/
|
|
extern void _thread_perms_all_clear(struct k_thread *thread);
|
|
|
|
/**
|
|
* Clear initialization state of a kernel object
|
|
*
|
|
* Intended for thread objects upon thread exit, or for other kernel objects
|
|
* that were released back to an object pool.
|
|
*
|
|
* @param object Address of the kernel object
|
|
*/
|
|
void _k_object_uninit(void *obj);
|
|
|
|
/**
|
|
* @brief Runtime expression check for system call arguments
|
|
*
|
|
* Used in handler functions to perform various runtime checks on arguments,
|
|
* and generate a kernel oops if anything is not expected, printing a custom
|
|
* message.
|
|
*
|
|
* @param expr Boolean expression to verify, a false result will trigger an
|
|
* oops
|
|
* @param fmt Printf-style format string (followed by appropriate variadic
|
|
* arguments) to print on verification failure
|
|
*/
|
|
#define _SYSCALL_VERIFY_MSG(expr, fmt, ...) \
|
|
do { \
|
|
if (!(expr)) { \
|
|
printk("FATAL: syscall %s failed check: " fmt "\n", \
|
|
__func__, ##__VA_ARGS__); \
|
|
_arch_syscall_oops(ssf); \
|
|
} \
|
|
} while (0)
|
|
|
|
/**
|
|
* @brief Runtime expression check for system call arguments
|
|
*
|
|
* Used in handler functions to perform various runtime checks on arguments,
|
|
* and generate a kernel oops if anything is not expected.
|
|
*
|
|
* @param expr Boolean expression to verify, a false result will trigger an
|
|
* oops. A stringified version of this expression will be printed.
|
|
*/
|
|
#define _SYSCALL_VERIFY(expr) _SYSCALL_VERIFY_MSG(expr, #expr)
|
|
|
|
#define _SYSCALL_MEMORY(ptr, size, write) \
|
|
_SYSCALL_VERIFY_MSG(!_arch_buffer_validate((void *)ptr, size, write), \
|
|
"Memory region %p (size %u) %s access denied", \
|
|
(void *)(ptr), (u32_t)(size), \
|
|
write ? "write" : "read")
|
|
|
|
/**
|
|
* @brief Runtime check that a user thread has read permission to a memory area
|
|
*
|
|
* Checks that the particular memory area is readable by the currently running
|
|
* thread if the CPU was in user mode, and generates a kernel oops if it
|
|
* wasn't. Prevents userspace from getting the kernel to read memory the thread
|
|
* does not have access to, or passing in garbage pointers that would
|
|
* crash/pagefault the kernel if dereferenced.
|
|
*
|
|
* @param ptr Memory area to examine
|
|
* @param size Size of the memory area
|
|
* @param write If the thread should be able to write to this memory, not just
|
|
* read it
|
|
*/
|
|
#define _SYSCALL_MEMORY_READ(ptr, size) \
|
|
_SYSCALL_MEMORY(ptr, size, 0)
|
|
|
|
/**
|
|
* @brief Runtime check that a user thread has write permission to a memory area
|
|
*
|
|
* Checks that the particular memory area is readable and writable by the
|
|
* currently running thread if the CPU was in user mode, and generates a kernel
|
|
* oops if it wasn't. Prevents userspace from getting the kernel to read or
|
|
* modify memory the thread does not have access to, or passing in garbage
|
|
* pointers that would crash/pagefault the kernel if dereferenced.
|
|
*
|
|
* @param ptr Memory area to examine
|
|
* @param size Size of the memory area
|
|
* @param write If the thread should be able to write to this memory, not just
|
|
* read it
|
|
*/
|
|
#define _SYSCALL_MEMORY_WRITE(ptr, size) \
|
|
_SYSCALL_MEMORY(ptr, size, 1)
|
|
|
|
#define _SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, write) \
|
|
do { \
|
|
u32_t product; \
|
|
_SYSCALL_VERIFY_MSG(!__builtin_umul_overflow((u32_t)(nmemb), \
|
|
(u32_t)(size), \
|
|
&product), \
|
|
"%ux%u array is too large", \
|
|
(u32_t)(nmemb), (u32_t)(size)); \
|
|
_SYSCALL_MEMORY(ptr, product, write); \
|
|
} while (0)
|
|
|
|
/**
|
|
* @brief Validate user thread has read permission for sized array
|
|
*
|
|
* Used when the memory region is expressed in terms of number of elements and
|
|
* each element size, handles any overflow issues with computing the total
|
|
* array bounds. Otherwise see _SYSCALL_MEMORY_READ.
|
|
*
|
|
* @param ptr Memory area to examine
|
|
* @param nmemb Number of elements in the array
|
|
* @param size Size of each array element
|
|
*/
|
|
#define _SYSCALL_MEMORY_ARRAY_READ(ptr, nmemb, size) \
|
|
_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, 0)
|
|
|
|
/**
|
|
* @brief Validate user thread has read/write permission for sized array
|
|
*
|
|
* Used when the memory region is expressed in terms of number of elements and
|
|
* each element size, handles any overflow issues with computing the total
|
|
* array bounds. Otherwise see _SYSCALL_MEMORY_WRITE.
|
|
*
|
|
* @param ptr Memory area to examine
|
|
* @param nmemb Number of elements in the array
|
|
* @param size Size of each array element
|
|
*/
|
|
#define _SYSCALL_MEMORY_ARRAY_WRITE(ptr, nmemb, size) \
|
|
_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, 1)
|
|
|
|
static inline int _obj_validation_check(struct _k_object *ko,
|
|
void *obj,
|
|
enum k_objects otype,
|
|
enum _obj_init_check init)
|
|
{
|
|
int ret;
|
|
|
|
ret = _k_object_validate(ko, otype, init);
|
|
|
|
#ifdef CONFIG_PRINTK
|
|
if (ret) {
|
|
_dump_object_error(ret, obj, ko, otype);
|
|
}
|
|
#else
|
|
ARG_UNUSED(obj);
|
|
#endif
|
|
|
|
return ret;
|
|
}
|
|
|
|
#define _SYSCALL_IS_OBJ(ptr, type, init) \
|
|
_SYSCALL_VERIFY_MSG( \
|
|
!_obj_validation_check(_k_object_find((void *)ptr), (void *)ptr, \
|
|
type, init), "access denied")
|
|
|
|
/**
|
|
* @brief Runtime check kernel object pointer for non-init functions
|
|
*
|
|
* Calls _k_object_validate and triggers a kernel oops if the check files.
|
|
* For use in system call handlers which are not init functions; a fatal
|
|
* error will occur if the object is not initialized.
|
|
*
|
|
* @param ptr Untrusted kernel object pointer
|
|
* @param type Expected kernel object type
|
|
*/
|
|
#define _SYSCALL_OBJ(ptr, type) \
|
|
_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_TRUE)
|
|
|
|
/**
|
|
* @brief Runtime check kernel object pointer for non-init functions
|
|
*
|
|
* See description of _SYSCALL_IS_OBJ. No initialization checks are done.
|
|
* Intended for init functions where objects may be re-initialized at will.
|
|
*
|
|
* @param ptr Untrusted kernel object pointer
|
|
* @param type Expected kernel object type
|
|
*/
|
|
|
|
#define _SYSCALL_OBJ_INIT(ptr, type) \
|
|
_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_ANY)
|
|
|
|
/**
|
|
* @brief Runtime check kernel object pointer for non-init functions
|
|
*
|
|
* See description of _SYSCALL_IS_OBJ. Triggers a fatal error if the object is
|
|
* initialized. Intended for init functions where objects, once initialized,
|
|
* can only be re-used when their initialization state expires due to some
|
|
* other mechanism.
|
|
*
|
|
* @param ptr Untrusted kernel object pointer
|
|
* @param type Expected kernel object type
|
|
*/
|
|
|
|
#define _SYSCALL_OBJ_NEVER_INIT(ptr, type) \
|
|
_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_FALSE)
|
|
|
|
/*
|
|
* Handler definition macros
|
|
*
|
|
* All handlers have the same prototype:
|
|
*
|
|
* u32_t _handler_APINAME(u32_t arg1, u32_t arg2, u32_t arg3,
|
|
* u32_t arg4, u32_t arg5, u32_t arg6, void *ssf);
|
|
*
|
|
* These make it much simpler to define handlers instead of typing out
|
|
* the bolierplate. The macros ensure that the seventh argument is named
|
|
* "ssf" as this is now referenced by various other _SYSCALL macros.
|
|
*
|
|
* Use the _SYSCALL_HANDLER(name_, arg0, ..., arg6) variant, as it will
|
|
* automatically deduce the correct version of __SYSCALL_HANDLERn() to
|
|
* use depending on the number of arguments.
|
|
*/
|
|
|
|
#define __SYSCALL_HANDLER0(name_) \
|
|
u32_t _handler_ ## name_(u32_t arg1 __unused, \
|
|
u32_t arg2 __unused, \
|
|
u32_t arg3 __unused, \
|
|
u32_t arg4 __unused, \
|
|
u32_t arg5 __unused, \
|
|
u32_t arg6 __unused, \
|
|
void *ssf)
|
|
|
|
#define __SYSCALL_HANDLER1(name_, arg1_) \
|
|
u32_t _handler_ ## name_(u32_t arg1_, \
|
|
u32_t arg2 __unused, \
|
|
u32_t arg3 __unused, \
|
|
u32_t arg4 __unused, \
|
|
u32_t arg5 __unused, \
|
|
u32_t arg6 __unused, \
|
|
void *ssf)
|
|
|
|
#define __SYSCALL_HANDLER2(name_, arg1_, arg2_) \
|
|
u32_t _handler_ ## name_(u32_t arg1_, \
|
|
u32_t arg2_, \
|
|
u32_t arg3 __unused, \
|
|
u32_t arg4 __unused, \
|
|
u32_t arg5 __unused, \
|
|
u32_t arg6 __unused, \
|
|
void *ssf)
|
|
|
|
#define __SYSCALL_HANDLER3(name_, arg1_, arg2_, arg3_) \
|
|
u32_t _handler_ ## name_(u32_t arg1_, \
|
|
u32_t arg2_, \
|
|
u32_t arg3_, \
|
|
u32_t arg4 __unused, \
|
|
u32_t arg5 __unused, \
|
|
u32_t arg6 __unused, \
|
|
void *ssf)
|
|
|
|
#define __SYSCALL_HANDLER4(name_, arg1_, arg2_, arg3_, arg4_) \
|
|
u32_t _handler_ ## name_(u32_t arg1_, \
|
|
u32_t arg2_, \
|
|
u32_t arg3_, \
|
|
u32_t arg4_, \
|
|
u32_t arg5 __unused, \
|
|
u32_t arg6 __unused, \
|
|
void *ssf)
|
|
|
|
#define __SYSCALL_HANDLER5(name_, arg1_, arg2_, arg3_, arg4_, arg5_) \
|
|
u32_t _handler_ ## name_(u32_t arg1_, \
|
|
u32_t arg2_, \
|
|
u32_t arg3_, \
|
|
u32_t arg4_, \
|
|
u32_t arg5_, \
|
|
u32_t arg6 __unused, \
|
|
void *ssf)
|
|
|
|
#define __SYSCALL_HANDLER6(name_, arg1_, arg2_, arg3_, arg4_, arg5_, arg6_) \
|
|
u32_t _handler_ ## name_(u32_t arg1_, \
|
|
u32_t arg2_, \
|
|
u32_t arg3_, \
|
|
u32_t arg4_, \
|
|
u32_t arg5_, \
|
|
u32_t arg6_, \
|
|
void *ssf)
|
|
|
|
#define _SYSCALL_CONCAT(arg1, arg2) __SYSCALL_CONCAT(arg1, arg2)
|
|
#define __SYSCALL_CONCAT(arg1, arg2) ___SYSCALL_CONCAT(arg1, arg2)
|
|
#define ___SYSCALL_CONCAT(arg1, arg2) arg1##arg2
|
|
|
|
#define _SYSCALL_NARG(...) __SYSCALL_NARG(__VA_ARGS__, __SYSCALL_RSEQ_N())
|
|
#define __SYSCALL_NARG(...) __SYSCALL_ARG_N(__VA_ARGS__)
|
|
#define __SYSCALL_ARG_N(_1, _2, _3, _4, _5, _6, _7, N, ...) N
|
|
#define __SYSCALL_RSEQ_N() 6, 5, 4, 3, 2, 1, 0
|
|
|
|
#define _SYSCALL_HANDLER(...) \
|
|
_SYSCALL_CONCAT(__SYSCALL_HANDLER, \
|
|
_SYSCALL_NARG(__VA_ARGS__))(__VA_ARGS__)
|
|
|
|
/*
|
|
* Helper macros for a very common case: calls which just take one argument
|
|
* which is an initialized kernel object of a specific type. Verify the object
|
|
* and call the implementation.
|
|
*/
|
|
|
|
#define _SYSCALL_HANDLER1_SIMPLE(name_, obj_enum_, obj_type_) \
|
|
__SYSCALL_HANDLER1(name_, arg1) { \
|
|
_SYSCALL_OBJ(arg1, obj_enum_); \
|
|
return (u32_t)_impl_ ## name_((obj_type_)arg1); \
|
|
}
|
|
|
|
#define _SYSCALL_HANDLER1_SIMPLE_VOID(name_, obj_enum_, obj_type_) \
|
|
__SYSCALL_HANDLER1(name_, arg1) { \
|
|
_SYSCALL_OBJ(arg1, obj_enum_); \
|
|
_impl_ ## name_((obj_type_)arg1); \
|
|
return 0; \
|
|
}
|
|
|
|
#define _SYSCALL_HANDLER0_SIMPLE(name_) \
|
|
__SYSCALL_HANDLER0(name_) { \
|
|
return (u32_t)_impl_ ## name_(); \
|
|
}
|
|
|
|
#define _SYSCALL_HANDLER0_SIMPLE_VOID(name_) \
|
|
__SYSCALL_HANDLER0(name_) { \
|
|
_impl_ ## name_(); \
|
|
return 0; \
|
|
}
|
|
|
|
#endif /* _ASMLANGUAGE */
|
|
|
|
#endif /* CONFIG_USERSPACE */
|
|
|
|
#endif /* _ZEPHYR_SYSCALL_H_ */
|