Page MenuHomeFreeBSD

CHERI: declare copy{in,out}ptr{,_nofault}
ClosedPublic

Authored by brooks on Fri, Jun 19, 2:12 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Jul 5, 1:05 AM
Unknown Object (File)
Sat, Jul 4, 6:43 AM
Unknown Object (File)
Sat, Jul 4, 4:16 AM
Unknown Object (File)
Sat, Jul 4, 3:47 AM
Unknown Object (File)
Fri, Jul 3, 3:20 PM
Unknown Object (File)
Fri, Jul 3, 5:10 AM
Unknown Object (File)
Fri, Jul 3, 1:00 AM
Unknown Object (File)
Fri, Jul 3, 12:20 AM

Details

Summary

These provenance-preserving functions are to be used when copying
objects that are expected to contain pointers. Data buffers which do
not contain pointers should be copied by the traditional copyin/copyout
functions which *do not* preserve pointer provenance (on CHERI they
clear validity tags).

NOTE: Going forward, this requires changes when adding new syscalls or ioctl that take pointers to objects containing pointers. Fortunatly, the vast majority (>90%) of copyin and copyout statements do not copy pointers and require no change. Failure to make the chance will have no effect on non-CHERI architectures.

Effort: CHERI upstreaming
Sponsored by: DARPA, AFRL, Innovate UK

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

Link manpages to the description of pointer provenacne in arch(7)

share/man/man9/copy.9
102

You might clarify here that you're talking about user pointers. It's always a bug to copy out kernel capabilities.

102
116
sys/sys/systm.h
312

Hmm, I didn't realize that __nodiscard and __result_use_check are aliases. Should we prefer one over the other?

327

We might as well add it anyway, no?

brooks retitled this revision from CHERI: declare copy{in,out}ptr and copyoutptr_nofault to CHERI: declare copy{in,out}ptr{,_nofault}.Thu, Jun 25, 10:36 AM

Doc fixes. Add copyinptr_nofault

brooks added inline comments.
share/man/man9/copy.9
102

You might clarify here that you're talking about user pointers. It's always a bug to copy out kernel capabilities.

I've mentioned they are pointers to user-space, though the current implementations don't know the difference. @alfredo.mazzinghi_cl.cam.ac.uk does have patches to use the local-global mechanism to prevent kernel pointer from leaking to userspace so documenting this intent does seem like the right thing to do.

This revision is now accepted and ready to land.Fri, Jun 26, 6:21 PM
This revision was automatically updated to reflect the committed changes.