
libsysdecode: report invalid cap_rights_t
ClosedPublic

Authored by emaste on Sep 16 2017, 1:31 AM.
Tags
None
Referenced Files
F107284345: D12391.diff
Sat, Jan 11, 11:30 PM
Details

Summary

Previously we'd have an assertion failure in cap_rights_is_set if sysdecode_cap_rights is called with an invalid cap_rights_t, so test for validity first.

Found during investigation of PR 222258

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

I don't have any confidence I understand what the layout of bits in cr_rights[foo] is supposed to be, but assuming that CAPIDXBIT == 1 << i part is correct, LGTM.

This revision is now accepted and ready to land. Sep 16 2017, 2:00 AM

From sys/sys/caprights.h:

/*
 * The top two bits in the first element of the cr_rights[] array contain
 * total number of elements in the array - 2. This means if those two bits are
 * equal to 0, we have 2 array elements.
 * The top two bits in all remaining array elements should be 0.
 * The next five bits contain array index. Only one bit is used and bit position
 * in this five-bits range defines array index. This means there can be at most
 * five array elements.
 */

and sys/kern/subr_capability.c:

static __inline int
right_to_index(uint64_t right)
{
        static const int bit2idx[] = {
                -1, 0, 1, -1, 2, -1, -1, -1, 3, -1, -1, -1, -1, -1, -1, -1,
                4, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1
        };
        int idx;

        idx = CAPIDXBIT(right);
        assert(idx >= 0 && idx < sizeof(bit2idx) / sizeof(bit2idx[0]));
        return (bit2idx[idx]);
}

This could be better documented, but basically an individual capability right consists of two bits of version/size, five bits of index (where only one bit is set), and 57 bits corresponding to individual capabilities. A set of rights consists of an array of up to five elements (depending on version).
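The layout described above, as an added example that is not FreeBSD's own code: a validity check over a constructed stand-in for cap_rights_t that reports a malformed set instead of asserting on it, the way the decoder now tests validity first. The struct rights type, the elem_version/elem_index extractors and the helper names are assumptions that mirror the quoted header comment and right_to_index.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_ELEMS 5	/* five index bits allow at most five array elements */

struct rights {		/* stand-in for cap_rights_t (assumption) */
	uint64_t cr_rights[MAX_ELEMS];
};

/* Top two bits: number of elements - 2 (meaningful in element 0 only). */
static int elem_version(uint64_t r) { return (int)(r >> 62); }

/* Next five bits: a one-hot array index; -1 unless exactly one bit is set
 * (same mapping as the bit2idx table quoted above, without the assert). */
static int elem_index(uint64_t r)
{
	int bits = (int)((r >> 57) & 0x1F);
	if (bits == 0 || (bits & (bits - 1)) != 0)
		return -1;
	return __builtin_ctz(bits);
}

/* Build a well-formed set of nelems (2..5) elements with no rights set. */
void rights_init(struct rights *rs, int nelems)
{
	memset(rs, 0, sizeof(*rs));
	rs->cr_rights[0] = (uint64_t)(nelems - 2) << 62;
	for (int i = 0; i < nelems; i++)
		rs->cr_rights[i] |= 1ULL << (57 + i);
}

/* Check the layout rules from the quoted caprights.h comment; a caller such
 * as a decoder can refuse the set instead of tripping an assertion on it. */
bool rights_is_valid(const struct rights *rs)
{
	int n = elem_version(rs->cr_rights[0]) + 2;	/* 2..5 */
	for (int i = 0; i < n; i++) {
		uint64_t r = rs->cr_rights[i];
		if (i > 0 && elem_version(r) != 0)
			return false;	/* size bits belong to element 0 only */
		if (elem_index(r) != i)
			return false;	/* one index bit, at this element's own slot */
	}
	return true;
}
```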

This revision was automatically updated to reflect the committed changes.

I see. I was looking at the C file subr_capability.c and didn't know to look in that header.

In D12391#257162, @cem wrote:

I see. I was looking at the C file subr_capability.c and didn't know to look in that header.

Yes - in fact I knew I read this description at one point but couldn't find it again just now -- which is why I added the file links and quoted the comment itself :-)