diff --git a/sys/riscv/riscv/copyinout.S b/sys/riscv/riscv/copyinout.S index 1f2a44121ecd..5a171f5a5e17 100644 --- a/sys/riscv/riscv/copyinout.S +++ b/sys/riscv/riscv/copyinout.S @@ -1,184 +1,184 @@ /*- * Copyright (c) 2015-2018 Ruslan Bukin * Copyright (c) 2019 Mitchell Horne * All rights reserved. * * Portions of this software were developed by SRI International and the * University of Cambridge Computer Laboratory under DARPA/AFRL contract * FA8750-10-C-0237 ("CTSRD"), as part of the DARPA CRASH research programme. * * Portions of this software were developed by the University of Cambridge * Computer Laboratory as part of the CTSRD Project, with support from the * UK Higher Education Innovation Fund (HEIF). * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #include "assym.inc" /* * Fault handler for the copy{in,out} functions below. */ ENTRY(copyio_fault) SET_FAULT_HANDLER(x0, a1) /* Clear the handler */ EXIT_USER_ACCESS(a1) copyio_fault_nopcb: li a0, EFAULT ret END(copyio_fault) /* * copycommon - common copy routine * * a0 - Source address * a1 - Destination address * a2 - Size of copy */ .macro copycommon la a6, copyio_fault /* Get the handler address */ SET_FAULT_HANDLER(a6, a7) /* Set the handler */ ENTER_USER_ACCESS(a7) li t2, XLEN_BYTES blt a2, t2, 4f /* Byte-copy if len < XLEN_BYTES */ /* * Compare lower bits of src and dest. * If they are aligned with each other, we can do word copy. */ andi t0, a0, (XLEN_BYTES-1) /* Low bits of src */ andi t1, a1, (XLEN_BYTES-1) /* Low bits of dest */ bne t0, t1, 4f /* Misaligned. Go to byte copy */ beqz t0, 2f /* Already word-aligned, skip ahead */ /* Byte copy until the first word-aligned address */ 1: lb a4, 0(a0) /* Load byte from src */ addi a0, a0, 1 sb a4, 0(a1) /* Store byte in dest */ addi a1, a1, 1 addi a2, a2, -1 /* len-- */ andi t0, a0, (XLEN_BYTES-1) bnez t0, 1b j 3f /* Copy words */ 2: ld a4, 0(a0) /* Load word from src */ addi a0, a0, XLEN_BYTES sd a4, 0(a1) /* Store word in dest */ addi a1, a1, XLEN_BYTES addi a2, a2, -XLEN_BYTES /* len -= XLEN_BYTES */ 3: bgeu a2, t2, 2b /* Again if len >= XLEN_BYTES */ /* Check if we're finished */ beqz a2, 5f /* Copy any remaining bytes */ 4: lb a4, 0(a0) /* Load byte from src */ addi a0, a0, 1 sb a4, 0(a1) /* Store byte in dest */ addi a1, a1, 1 addi a2, a2, -1 /* len-- */ bnez a2, 4b 5: EXIT_USER_ACCESS(a7) SET_FAULT_HANDLER(x0, a7) /* Clear the handler */ .endm /* * Copies from a kernel to user address * * int copyout(const void *kaddr, void *udaddr, size_t len) */ ENTRY(copyout) beqz a2, copyout_end /* If len == 0 then skip loop */ add a3, a1, a2 li a4, VM_MAXUSER_ADDRESS - bgt a3, a4, copyio_fault_nopcb + bgeu a3, a4, copyio_fault_nopcb copycommon copyout_end: li a0, 0 /* return 0 */ ret END(copyout) /* * Copies from a user to kernel address * * int copyin(const void *uaddr, void *kaddr, size_t len) */ ENTRY(copyin) beqz a2, copyin_end /* If len == 0 then skip loop */ add a3, a0, a2 li a4, VM_MAXUSER_ADDRESS - bgt a3, a4, copyio_fault_nopcb + bgeu a3, a4, copyio_fault_nopcb copycommon copyin_end: li a0, 0 /* return 0 */ ret END(copyin) /* * Copies a string from a user to kernel address * * int copyinstr(const void *udaddr, void *kaddr, size_t len, size_t *done) */ ENTRY(copyinstr) mv a5, x0 /* count = 0 */ beqz a2, 3f /* If len == 0 then skip loop */ la a6, copyio_fault /* Get the handler address */ SET_FAULT_HANDLER(a6, a7) /* Set the handler */ ENTER_USER_ACCESS(a7) li a7, VM_MAXUSER_ADDRESS -1: bgt a0, a7, copyio_fault +1: bgeu a0, a7, copyio_fault lb a4, 0(a0) /* Load from uaddr */ addi a0, a0, 1 sb a4, 0(a1) /* Store in kaddr */ addi a1, a1, 1 beqz a4, 2f addi a2, a2, -1 /* len-- */ addi a5, a5, 1 /* count++ */ bnez a2, 1b 2: EXIT_USER_ACCESS(a7) SET_FAULT_HANDLER(x0, a7) /* Clear the handler */ 3: beqz a3, 4f /* Check if done != NULL */ addi a5, a5, 1 /* count++ */ sd a5, 0(a3) /* done = count */ 4: mv a0, x0 /* return 0 */ beqz a4, 5f li a0, ENAMETOOLONG 5: ret END(copyinstr) diff --git a/sys/riscv/riscv/support.S b/sys/riscv/riscv/support.S index 3f0ec08ac768..7fcd6af283b7 100644 --- a/sys/riscv/riscv/support.S +++ b/sys/riscv/riscv/support.S @@ -1,277 +1,277 @@ /*- * Copyright (c) 2015-2020 Ruslan Bukin * All rights reserved. * * Portions of this software were developed by SRI International and the * University of Cambridge Computer Laboratory under DARPA/AFRL contract * FA8750-10-C-0237 ("CTSRD"), as part of the DARPA CRASH research programme. * * Portions of this software were developed by the University of Cambridge * Computer Laboratory as part of the CTSRD Project, with support from the * UK Higher Education Innovation Fund (HEIF). * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #include "assym.inc" /* * One of the fu* or su* functions failed, return -1. */ ENTRY(fsu_fault) SET_FAULT_HANDLER(x0, a1) /* Reset the handler function */ EXIT_USER_ACCESS(a1) fsu_fault_nopcb: li a0, -1 ret END(fsu_fault) /* * int casueword32(volatile uint32_t *, uint32_t, uint32_t *, uint32_t) */ ENTRY(casueword32) li a4, (VM_MAXUSER_ADDRESS-3) - bgt a0, a4, fsu_fault_nopcb + bgeu a0, a4, fsu_fault_nopcb la a6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(a6, a4) /* And set it */ ENTER_USER_ACCESS(a4) lr.w a4, 0(a0) /* Load-exclusive the data */ bne a4, a1, 1f /* If not equal then exit */ sc.w a5, a3, 0(a0) /* Store the new data */ beqz a5, 2f /* Success */ 1: li a5, 1 /* Normalize failure result */ 2: EXIT_USER_ACCESS(a6) SET_FAULT_HANDLER(x0, a6) /* Reset the fault handler */ sw a4, 0(a2) /* Store the read data */ mv a0, a5 /* Success indicator */ ret /* Return */ END(casueword32) /* * int casueword(volatile u_long *, u_long, u_long *, u_long) */ ENTRY(casueword) li a4, (VM_MAXUSER_ADDRESS-7) - bgt a0, a4, fsu_fault_nopcb + bgeu a0, a4, fsu_fault_nopcb la a6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(a6, a4) /* And set it */ ENTER_USER_ACCESS(a4) lr.d a4, 0(a0) /* Load-exclusive the data */ bne a4, a1, 1f /* If not equal then exit */ sc.d a5, a3, 0(a0) /* Store the new data */ beqz a5, 2f /* Success */ 1: li a5, 1 /* Normalize failure result */ 2: EXIT_USER_ACCESS(a6) SET_FAULT_HANDLER(x0, a6) /* Reset the fault handler */ sd a4, 0(a2) /* Store the read data */ mv a0, a5 /* Success indicator */ ret /* Return */ END(casueword) /* * int fubyte(volatile const void *) */ ENTRY(fubyte) li a1, VM_MAXUSER_ADDRESS - bgt a0, a1, fsu_fault_nopcb + bgeu a0, a1, fsu_fault_nopcb la a6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(a6, a1) /* And set it */ ENTER_USER_ACCESS(a1) lbu a0, 0(a0) /* Try loading the data */ EXIT_USER_ACCESS(a1) SET_FAULT_HANDLER(x0, a1) /* Reset the fault handler */ ret /* Return */ END(fubyte) /* * int fuword(volatile const void *) */ ENTRY(fuword16) li a1, (VM_MAXUSER_ADDRESS-1) - bgt a0, a1, fsu_fault_nopcb + bgeu a0, a1, fsu_fault_nopcb la a6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(a6, a1) /* And set it */ ENTER_USER_ACCESS(a1) lhu a0, 0(a0) /* Try loading the data */ EXIT_USER_ACCESS(a1) SET_FAULT_HANDLER(x0, a1) /* Reset the fault handler */ ret /* Return */ END(fuword16) /* * int32_t fueword32(volatile const void *, int32_t *) */ ENTRY(fueword32) li a2, (VM_MAXUSER_ADDRESS-3) - bgt a0, a2, fsu_fault_nopcb + bgeu a0, a2, fsu_fault_nopcb la a6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(a6, a2) /* And set it */ ENTER_USER_ACCESS(a2) lw a0, 0(a0) /* Try loading the data */ EXIT_USER_ACCESS(a2) SET_FAULT_HANDLER(x0, a2) /* Reset the fault handler */ sw a0, 0(a1) /* Save the data in kernel space */ li a0, 0 /* Success */ ret /* Return */ END(fueword32) /* * long fueword(volatile const void *, int64_t *) * int64_t fueword64(volatile const void *, int64_t *) */ ENTRY(fueword) EENTRY(fueword64) li a2, (VM_MAXUSER_ADDRESS-7) - bgt a0, a2, fsu_fault_nopcb + bgeu a0, a2, fsu_fault_nopcb la a6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(a6, a2) /* And set it */ ENTER_USER_ACCESS(a2) ld a0, 0(a0) /* Try loading the data */ EXIT_USER_ACCESS(a2) SET_FAULT_HANDLER(x0, a2) /* Reset the fault handler */ sd a0, 0(a1) /* Save the data in kernel space */ li a0, 0 /* Success */ ret /* Return */ EEND(fueword64) END(fueword) /* * int subyte(volatile void *, int) */ ENTRY(subyte) li a2, VM_MAXUSER_ADDRESS - bgt a0, a2, fsu_fault_nopcb + bgeu a0, a2, fsu_fault_nopcb la a6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(a6, a2) /* And set it */ ENTER_USER_ACCESS(a2) sb a1, 0(a0) /* Try storing the data */ EXIT_USER_ACCESS(a2) SET_FAULT_HANDLER(x0, a2) /* Reset the fault handler */ li a0, 0 /* Success */ ret /* Return */ END(subyte) /* * int suword16(volatile void *, int) */ ENTRY(suword16) li a2, (VM_MAXUSER_ADDRESS-1) - bgt a0, a2, fsu_fault_nopcb + bgeu a0, a2, fsu_fault_nopcb la a6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(a6, a2) /* And set it */ ENTER_USER_ACCESS(a2) sh a1, 0(a0) /* Try storing the data */ EXIT_USER_ACCESS(a2) SET_FAULT_HANDLER(x0, a2) /* Reset the fault handler */ li a0, 0 /* Success */ ret /* Return */ END(suword16) /* * int suword32(volatile void *, int) */ ENTRY(suword32) li a2, (VM_MAXUSER_ADDRESS-3) - bgt a0, a2, fsu_fault_nopcb + bgeu a0, a2, fsu_fault_nopcb la a6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(a6, a2) /* And set it */ ENTER_USER_ACCESS(a2) sw a1, 0(a0) /* Try storing the data */ EXIT_USER_ACCESS(a2) SET_FAULT_HANDLER(x0, a2) /* Reset the fault handler */ li a0, 0 /* Success */ ret /* Return */ END(suword32) /* * int suword(volatile void *, long) */ ENTRY(suword) EENTRY(suword64) li a2, (VM_MAXUSER_ADDRESS-7) - bgt a0, a2, fsu_fault_nopcb + bgeu a0, a2, fsu_fault_nopcb la a6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(a6, a2) /* And set it */ ENTER_USER_ACCESS(a2) sd a1, 0(a0) /* Try storing the data */ EXIT_USER_ACCESS(a2) SET_FAULT_HANDLER(x0, a2) /* Reset the fault handler */ li a0, 0 /* Success */ ret /* Return */ EEND(suword64) END(suword) ENTRY(setjmp) /* Store the stack pointer */ sd sp, 0(a0) addi a0, a0, 8 /* Store the general purpose registers and ra */ sd s0, (0 * 8)(a0) sd s1, (1 * 8)(a0) sd s2, (2 * 8)(a0) sd s3, (3 * 8)(a0) sd s4, (4 * 8)(a0) sd s5, (5 * 8)(a0) sd s6, (6 * 8)(a0) sd s7, (7 * 8)(a0) sd s8, (8 * 8)(a0) sd s9, (9 * 8)(a0) sd s10, (10 * 8)(a0) sd s11, (11 * 8)(a0) sd ra, (12 * 8)(a0) /* Return value */ li a0, 0 ret END(setjmp) ENTRY(longjmp) /* Restore the stack pointer */ ld sp, 0(a0) addi a0, a0, 8 /* Restore the general purpose registers and ra */ ld s0, (0 * 8)(a0) ld s1, (1 * 8)(a0) ld s2, (2 * 8)(a0) ld s3, (3 * 8)(a0) ld s4, (4 * 8)(a0) ld s5, (5 * 8)(a0) ld s6, (6 * 8)(a0) ld s7, (7 * 8)(a0) ld s8, (8 * 8)(a0) ld s9, (9 * 8)(a0) ld s10, (10 * 8)(a0) ld s11, (11 * 8)(a0) ld ra, (12 * 8)(a0) /* Load the return value */ mv a0, a1 ret END(longjmp) diff --git a/tests/sys/kern/kern_copyin.c b/tests/sys/kern/kern_copyin.c index b77360e928fd..eb1fea315b5a 100644 --- a/tests/sys/kern/kern_copyin.c +++ b/tests/sys/kern/kern_copyin.c @@ -1,132 +1,156 @@ /*- * Copyright (c) 2015, 2020 The FreeBSD Foundation * All rights reserved. * * This software was developed by Konstantin Belousov * under sponsorship from the FreeBSD Foundation. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #include #include +#include #include #include #include #include #include #include #include #include static int scratch_file; static int copyin_checker(uintptr_t uaddr, size_t len) { ssize_t ret; ret = write(scratch_file, (const void *)uaddr, len); return (ret == -1 ? errno : 0); } +#if __SIZEOF_POINTER__ == 8 +/* + * A slightly more direct path to calling copyin(), but without the ability + * to specify a length. + */ +static int +copyin_checker2(uintptr_t uaddr) +{ + int ret; + + ret = fcntl(scratch_file, F_GETLK, (const void *)uaddr); + return (ret == -1 ? errno : 0); +} +#endif + #ifdef __amd64__ static uintptr_t get_maxuser_address(void) { size_t len; uintptr_t psstrings; int error, mib[4]; mib[0] = CTL_KERN; mib[1] = KERN_PROC; mib[2] = KERN_PROC_PS_STRINGS; mib[3] = getpid(); len = sizeof(psstrings); error = sysctl(mib, nitems(mib), &psstrings, &len, NULL, 0); if (error != 0) return (0); if (psstrings == PS_STRINGS_LA57) return (VM_MAXUSER_ADDRESS_LA57); if (psstrings == PS_STRINGS_LA48) return (VM_MAXUSER_ADDRESS_LA48); /* AMD LA48 with clipped UVA */ if (psstrings == PS_STRINGS_LA48 - PAGE_SIZE) return (VM_MAXUSER_ADDRESS_LA48 - PAGE_SIZE); return (0); } #endif #define FMAX ULONG_MAX +#if __SIZEOF_POINTER__ == 8 +/* PR 257193 */ +#define ADDR_SIGNED 0x800000c000000000 +#endif ATF_TC_WITHOUT_HEAD(kern_copyin); ATF_TC_BODY(kern_copyin, tc) { char template[] = "copyin.XXXXXX"; uintptr_t maxuser; #if defined(__mips__) /* * MIPS has different VM layout: the UVA map on mips ends the * highest mapped entry at the VM_MAXUSER_ADDRESS - PAGE_SIZE, * while all other arches map either stack or shared page up * to the VM_MAXUSER_ADDRESS. */ maxuser = VM_MAXUSER_ADDRESS - PAGE_SIZE; #elif defined(__amd64__) maxuser = get_maxuser_address(); ATF_REQUIRE(maxuser != 0); #else maxuser = VM_MAXUSER_ADDRESS; #endif scratch_file = mkstemp(template); ATF_REQUIRE(scratch_file != -1); unlink(template); ATF_CHECK(copyin_checker(0, 0) == 0); ATF_CHECK(copyin_checker(maxuser - 10, 9) == 0); ATF_CHECK(copyin_checker(maxuser - 10, 10) == 0); ATF_CHECK(copyin_checker(maxuser - 10, 11) == EFAULT); ATF_CHECK(copyin_checker(maxuser - 1, 1) == 0); ATF_CHECK(copyin_checker(maxuser, 0) == 0); ATF_CHECK(copyin_checker(maxuser, 1) == EFAULT); ATF_CHECK(copyin_checker(maxuser, 2) == EFAULT); ATF_CHECK(copyin_checker(maxuser + 1, 0) == 0); ATF_CHECK(copyin_checker(maxuser + 1, 2) == EFAULT); ATF_CHECK(copyin_checker(FMAX - 10, 9) == EFAULT); ATF_CHECK(copyin_checker(FMAX - 10, 10) == EFAULT); ATF_CHECK(copyin_checker(FMAX - 10, 11) == EFAULT); +#if __SIZEOF_POINTER__ == 8 + ATF_CHECK(copyin_checker(ADDR_SIGNED, 1) == EFAULT); + ATF_CHECK(copyin_checker2(ADDR_SIGNED) == EFAULT); +#endif } ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, kern_copyin); return (atf_no_error()); }