Author: kib Date: Sat Oct 17 13:20:42 2015 New Revision: 289454 URL: https://svnweb.freebsd.org/changeset/base/289454
Log: Add checks for kernel VA accesses to the copyin(9) and related functions on arm64. Reviewed by: andrew Sponsored by: The FreeBSD Foundation Differential revision: https://reviews.freebsd.org/D3907 Modified: head/sys/arm64/arm64/copyinout.S head/sys/arm64/arm64/genassym.c head/sys/arm64/arm64/support.S Modified: head/sys/arm64/arm64/copyinout.S ============================================================================== --- head/sys/arm64/arm64/copyinout.S Sat Oct 17 13:06:52 2015 (r289453) +++ head/sys/arm64/arm64/copyinout.S Sat Oct 17 13:20:42 2015 (r289454) @@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$"); */ ENTRY(copyio_fault) SET_FAULT_HANDLER(xzr, x1) /* Clear the handler */ +copyio_fault_nopcb: mov x0, #EFAULT ret END(copyio_fault) @@ -51,6 +52,10 @@ END(copyio_fault) */ ENTRY(copyout) cbz x2, 2f /* If len == 0 then skip loop */ + add x3, x1, x2 + ldr x4, =VM_MAXUSER_ADDRESS + cmp x3, x4 + b.hi copyio_fault_nopcb adr x6, copyio_fault /* Get the handler address */ SET_FAULT_HANDLER(x6, x7) /* Set the handler */ @@ -73,6 +78,10 @@ END(copyout) */ ENTRY(copyin) cbz x2, 2f /* If len == 0 then skip loop */ + add x3, x0, x2 + ldr x4, =VM_MAXUSER_ADDRESS + cmp x3, x4 + b.hi copyio_fault_nopcb adr x6, copyio_fault /* Get the handler address */ SET_FAULT_HANDLER(x6, x7) /* Set the handler */ @@ -97,11 +106,14 @@ ENTRY(copyinstr) mov x5, xzr /* count = 0 */ mov w4, #1 /* If zero return faulure */ cbz x2, 3f /* If len == 0 then skip loop */ + ldr x7, =VM_MAXUSER_ADDRESS adr x6, copyio_fault /* Get the handler address */ SET_FAULT_HANDLER(x6, x7) /* Set the handler */ -1: ldrb w4, [x0], #1 /* Load from uaddr */ +1: cmp x0, x7 + b.cs copyio_fault + ldrb w4, [x0], #1 /* Load from uaddr */ strb w4, [x1], #1 /* Store in kaddr */ add x5, x5, #1 /* count++ */ cbz w4, 2f /* Break when NUL-terminated */ Modified: head/sys/arm64/arm64/genassym.c ============================================================================== --- head/sys/arm64/arm64/genassym.c Sat Oct 17 13:06:52 2015 (r289453) +++ head/sys/arm64/arm64/genassym.c Sat Oct 17 13:20:42 2015 (r289454) @@ -38,6 +38,8 @@ __FBSDID("$FreeBSD$"); #include <machine/vmparam.h> ASSYM(KERNBASE, KERNBASE); +ASSYM(VM_MAXUSER_ADDRESS, VM_MAXUSER_ADDRESS); + ASSYM(TDF_ASTPENDING, TDF_ASTPENDING); ASSYM(TDF_NEEDRESCHED, TDF_NEEDRESCHED); Modified: head/sys/arm64/arm64/support.S ============================================================================== --- head/sys/arm64/arm64/support.S Sat Oct 17 13:06:52 2015 (r289453) +++ head/sys/arm64/arm64/support.S Sat Oct 17 13:20:42 2015 (r289454) @@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$"); */ ENTRY(fsu_fault) SET_FAULT_HANDLER(xzr, x1) /* Reset the handler function */ +fsu_fault_nopcb: mov x0, #-1 ret END(fsu_fault) @@ -49,6 +50,9 @@ END(fsu_fault) * int casueword32(volatile uint32_t *, uint32_t, uint32_t *, uint32_t) */ ENTRY(casueword32) + ldr x4, =(VM_MAXUSER_ADDRESS-3) + cmp x0, x4 + b.cs fsu_fault_nopcb adr x6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(x6, x4) /* And set it */ 1: ldxr w4, [x0] /* Load-exclusive the data */ @@ -67,6 +71,9 @@ END(casueword32) * int casueword(volatile u_long *, u_long, u_long *, u_long) */ ENTRY(casueword) + ldr x4, =(VM_MAXUSER_ADDRESS-7) + cmp x0, x4 + b.cs fsu_fault_nopcb adr x6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(x6, x4) /* And set it */ 1: ldxr x4, [x0] /* Load-exclusive the data */ @@ -85,6 +92,9 @@ END(casueword) * int fubyte(volatile const void *) */ ENTRY(fubyte) + ldr x1, =VM_MAXUSER_ADDRESS + cmp x0, x1 + b.cs fsu_fault_nopcb adr x6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(x6, x1) /* And set it */ ldrb w0, [x0] /* Try loading the data */ @@ -96,6 +106,9 @@ END(fubyte) * int fuword(volatile const void *) */ ENTRY(fuword16) + ldr x1, =(VM_MAXUSER_ADDRESS-1) + cmp x0, x1 + b.cs fsu_fault_nopcb adr x6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(x6, x1) /* And set it */ ldrh w0, [x0] /* Try loading the data */ @@ -107,6 +120,9 @@ END(fuword16) * int32_t fueword32(volatile const void *, int32_t *) */ ENTRY(fueword32) + ldr x2, =(VM_MAXUSER_ADDRESS-3) + cmp x0, x2 + b.cs fsu_fault_nopcb adr x6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(x6, x2) /* And set it */ ldr w0, [x0] /* Try loading the data */ @@ -122,6 +138,9 @@ END(fueword32) */ ENTRY(fueword) EENTRY(fueword64) + ldr x2, =(VM_MAXUSER_ADDRESS-7) + cmp x0, x2 + b.cs fsu_fault_nopcb adr x6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(x6, x2) /* And set it */ ldr x0, [x0] /* Try loading the data */ @@ -136,6 +155,9 @@ END(fueword) * int subyte(volatile void *, int) */ ENTRY(subyte) + ldr x2, =VM_MAXUSER_ADDRESS + cmp x0, x2 + b.cs fsu_fault_nopcb adr x6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(x6, x2) /* And set it */ strb w1, [x0] /* Try storing the data */ @@ -148,6 +170,9 @@ END(subyte) * int suword16(volatile void *, int) */ ENTRY(suword16) + ldr x2, =(VM_MAXUSER_ADDRESS-1) + cmp x0, x2 + b.cs fsu_fault_nopcb adr x6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(x6, x2) /* And set it */ strh w1, [x0] /* Try storing the data */ @@ -160,6 +185,9 @@ END(suword16) * int suword32(volatile void *, int) */ ENTRY(suword32) + ldr x2, =(VM_MAXUSER_ADDRESS-3) + cmp x0, x2 + b.cs fsu_fault_nopcb adr x6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(x6, x2) /* And set it */ str w1, [x0] /* Try storing the data */ @@ -173,6 +201,9 @@ END(suword32) */ ENTRY(suword) EENTRY(suword64) + ldr x2, =(VM_MAXUSER_ADDRESS-7) + cmp x0, x2 + b.cs fsu_fault_nopcb adr x6, fsu_fault /* Load the fault handler */ SET_FAULT_HANDLER(x6, x2) /* And set it */ str x1, [x0] /* Try storing the data */ @@ -201,6 +232,9 @@ END(fsu_fault) * int fuswintr(void *) */ ENTRY(fuswintr) + ldr x1, =(VM_MAXUSER_ADDRESS-3) + cmp x0, x1 + b.cs fsu_fault_nopcb adr x6, fsu_intr_fault /* Load the fault handler */ SET_FAULT_HANDLER(x6, x1) /* And set it */ ldr w0, [x0] /* Try loading the data */ @@ -212,6 +246,9 @@ END(fuswintr) * int suswintr(void *base, int word) */ ENTRY(suswintr) + ldr x2, =(VM_MAXUSER_ADDRESS-3) + cmp x0, x2 + b.cs fsu_fault_nopcb adr x6, fsu_intr_fault /* Load the fault handler */ SET_FAULT_HANDLER(x6, x2) /* And set it */ str w1, [x0] /* Try storing the data */ _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
