1 /*
2 * Copyright (c) 2017, Intel Corporation
3 *
4 * SPDX-License-Identifier: Apache-2.0
5 */
6
7
8 #ifndef ZEPHYR_INCLUDE_SYSCALL_HANDLER_H_
9 #define ZEPHYR_INCLUDE_SYSCALL_HANDLER_H_
10
11 #ifdef CONFIG_USERSPACE
12
13 #ifndef _ASMLANGUAGE
14 #include <zephyr/kernel.h>
15 #include <zephyr/sys/arch_interface.h>
16 #include <zephyr/sys/math_extras.h>
17 #include <stdbool.h>
18 #include <zephyr/logging/log.h>
19
20 extern const _k_syscall_handler_t _k_syscall_table[K_SYSCALL_LIMIT];
21
22 enum _obj_init_check {
23 _OBJ_INIT_TRUE = 0,
24 _OBJ_INIT_FALSE = -1,
25 _OBJ_INIT_ANY = 1
26 };
27
28 /**
29 * Return true if we are currently handling a system call from user mode
30 *
31 * Inside z_vrfy functions, we always know that we are handling
32 * a system call invoked from user context.
33 *
34 * However, some checks that are only relevant to user mode must
35 * instead be placed deeper within the implementation. This
36 * API is useful to conditionally make these checks.
37 *
38 * For performance reasons, whenever possible, checks should be placed
39 * in the relevant z_vrfy function since these are completely skipped
40 * when a syscall is invoked.
41 *
42 * This will return true only if we are handling a syscall for a
43 * user thread. If the system call was invoked from supervisor mode,
44 * or we are not handling a system call, this will return false.
45 *
46 * @return whether the current context is handling a syscall for a user
47 * mode thread
48 */
z_is_in_user_syscall(void)49 static inline bool z_is_in_user_syscall(void)
50 {
51 /* This gets set on entry to the syscall's generasted z_mrsh
52 * function and then cleared on exit. This code path is only
53 * encountered when a syscall is made from user mode, system
54 * calls from supervisor mode bypass everything directly to
55 * the implementation function.
56 */
57 return !k_is_in_isr() && _current->syscall_frame != NULL;
58 }
59
60 /**
61 * Ensure a system object is a valid object of the expected type
62 *
63 * Searches for the object and ensures that it is indeed an object
64 * of the expected type, that the caller has the right permissions on it,
65 * and that the object has been initialized.
66 *
67 * This function is intended to be called on the kernel-side system
68 * call handlers to validate kernel object pointers passed in from
69 * userspace.
70 *
71 * @param ko Kernel object metadata pointer, or NULL
72 * @param otype Expected type of the kernel object, or K_OBJ_ANY if type
73 * doesn't matter
74 * @param init Indicate whether the object needs to already be in initialized
75 * or uninitialized state, or that we don't care
76 * @return 0 If the object is valid
77 * -EBADF if not a valid object of the specified type
78 * -EPERM If the caller does not have permissions
79 * -EINVAL Object is not initialized
80 */
81 int z_object_validate(struct z_object *ko, enum k_objects otype,
82 enum _obj_init_check init);
83
84 /**
85 * Dump out error information on failed z_object_validate() call
86 *
87 * @param retval Return value from z_object_validate()
88 * @param obj Kernel object we were trying to verify
89 * @param ko If retval=-EPERM, struct z_object * that was looked up, or NULL
90 * @param otype Expected type of the kernel object
91 */
92 extern void z_dump_object_error(int retval, const void *obj,
93 struct z_object *ko, enum k_objects otype);
94
95 /**
96 * Kernel object validation function
97 *
98 * Retrieve metadata for a kernel object. This function is implemented in
99 * the gperf script footer, see gen_kobject_list.py
100 *
101 * @param obj Address of kernel object to get metadata
102 * @return Kernel object's metadata, or NULL if the parameter wasn't the
103 * memory address of a kernel object
104 */
105 extern struct z_object *z_object_find(const void *obj);
106
107 typedef void (*_wordlist_cb_func_t)(struct z_object *ko, void *context);
108
109 /**
110 * Iterate over all the kernel object metadata in the system
111 *
112 * @param func function to run on each struct z_object
113 * @param context Context pointer to pass to each invocation
114 */
115 extern void z_object_wordlist_foreach(_wordlist_cb_func_t func, void *context);
116
117 /**
118 * Copy all kernel object permissions from the parent to the child
119 *
120 * @param parent Parent thread, to get permissions from
121 * @param child Child thread, to copy permissions to
122 */
123 extern void z_thread_perms_inherit(struct k_thread *parent,
124 struct k_thread *child);
125
126 /**
127 * Grant a thread permission to a kernel object
128 *
129 * @param ko Kernel object metadata to update
130 * @param thread The thread to grant permission
131 */
132 extern void z_thread_perms_set(struct z_object *ko, struct k_thread *thread);
133
134 /**
135 * Revoke a thread's permission to a kernel object
136 *
137 * @param ko Kernel object metadata to update
138 * @param thread The thread to grant permission
139 */
140 extern void z_thread_perms_clear(struct z_object *ko, struct k_thread *thread);
141
142 /*
143 * Revoke access to all objects for the provided thread
144 *
145 * NOTE: Unlike z_thread_perms_clear(), this function will not clear
146 * permissions on public objects.
147 *
148 * @param thread Thread object to revoke access
149 */
150 extern void z_thread_perms_all_clear(struct k_thread *thread);
151
152 /**
153 * Clear initialization state of a kernel object
154 *
155 * Intended for thread objects upon thread exit, or for other kernel objects
156 * that were released back to an object pool.
157 *
158 * @param object Address of the kernel object
159 */
160 void z_object_uninit(const void *obj);
161
162 /**
163 * Initialize and reset permissions to only access by the caller
164 *
165 * Intended for scenarios where objects are fetched from slab pools
166 * and may have had different permissions set during prior usage.
167 *
168 * This is only intended for pools of objects, where such objects are
169 * acquired and released to the pool. If an object has already been used,
170 * we do not want stale permission information hanging around, the object
171 * should only have permissions on the caller. Objects which are not
172 * managed by a pool-like mechanism should not use this API.
173 *
174 * The object will be marked as initialized and the calling thread
175 * granted access to it.
176 *
177 * @param object Address of the kernel object
178 */
179 void z_object_recycle(const void *obj);
180
181 /**
182 * @brief Obtain the size of a C string passed from user mode
183 *
184 * Given a C string pointer and a maximum size, obtain the true
185 * size of the string (not including the trailing NULL byte) just as
186 * if calling strnlen() on it, with the same semantics of strnlen() with
187 * respect to the return value and the maxlen parameter.
188 *
189 * Any memory protection faults triggered by the examination of the string
190 * will be safely handled and an error code returned.
191 *
192 * NOTE: Doesn't guarantee that user mode has actual access to this
193 * string, you will need to still do a Z_SYSCALL_MEMORY_READ()
194 * with the obtained size value to guarantee this.
195 *
196 * @param src String to measure size of
197 * @param maxlen Maximum number of characters to examine
198 * @param err Pointer to int, filled in with -1 on memory error, 0 on
199 * success
200 * @return undefined on error, or strlen(src) if that is less than maxlen, or
201 * maxlen if there were no NULL terminating characters within the
202 * first maxlen bytes.
203 */
z_user_string_nlen(const char * src,size_t maxlen,int * err)204 static inline size_t z_user_string_nlen(const char *src, size_t maxlen,
205 int *err)
206 {
207 return arch_user_string_nlen(src, maxlen, err);
208 }
209
210 /**
211 * @brief Copy data from userspace into a resource pool allocation
212 *
213 * Given a pointer and a size, allocate a similarly sized buffer in the
214 * caller's resource pool and copy all the data within it to the newly
215 * allocated buffer. This will need to be freed later with k_free().
216 *
217 * Checks are done to ensure that the current thread would have read
218 * access to the provided buffer.
219 *
220 * @param src Source memory address
221 * @param size Size of the memory buffer
222 * @return An allocated buffer with the data copied within it, or NULL
223 * if some error condition occurred
224 */
225 extern void *z_user_alloc_from_copy(const void *src, size_t size);
226
227 /**
228 * @brief Copy data from user mode
229 *
230 * Given a userspace pointer and a size, copies data from it into a provided
231 * destination buffer, performing checks to ensure that the caller would have
232 * appropriate access when in user mode.
233 *
234 * @param dst Destination memory buffer
235 * @param src Source memory buffer, in userspace
236 * @param size Number of bytes to copy
237 * @retval 0 On success
238 * @retval EFAULT On memory access error
239 */
240 extern int z_user_from_copy(void *dst, const void *src, size_t size);
241
242 /**
243 * @brief Copy data to user mode
244 *
245 * Given a userspace pointer and a size, copies data to it from a provided
246 * source buffer, performing checks to ensure that the caller would have
247 * appropriate access when in user mode.
248 *
249 * @param dst Destination memory buffer, in userspace
250 * @param src Source memory buffer
251 * @param size Number of bytes to copy
252 * @retval 0 On success
253 * @retval EFAULT On memory access error
254 */
255 extern int z_user_to_copy(void *dst, const void *src, size_t size);
256
257 /**
258 * @brief Copy a C string from userspace into a resource pool allocation
259 *
260 * Given a C string and maximum length, duplicate the string using an
261 * allocation from the calling thread's resource pool. This will need to be
262 * freed later with k_free().
263 *
264 * Checks are performed to ensure that the string is valid memory and that
265 * the caller has access to it in user mode.
266 *
267 * @param src Source string pointer, in userspace
268 * @param maxlen Maximum size of the string including trailing NULL
269 * @return The duplicated string, or NULL if an error occurred.
270 */
271 extern char *z_user_string_alloc_copy(const char *src, size_t maxlen);
272
273 /**
274 * @brief Copy a C string from userspace into a provided buffer
275 *
276 * Given a C string and maximum length, copy the string into a buffer.
277 *
278 * Checks are performed to ensure that the string is valid memory and that
279 * the caller has access to it in user mode.
280 *
281 * @param dst Destination buffer
282 * @param src Source string pointer, in userspace
283 * @param maxlen Maximum size of the string including trailing NULL
284 * @retval 0 on success
285 * @retval EINVAL if the source string is too long with respect
286 * to maxlen
287 * @retval EFAULT On memory access error
288 */
289 extern int z_user_string_copy(char *dst, const char *src, size_t maxlen);
290
291 #define Z_OOPS(expr) \
292 do { \
293 if (expr) { \
294 arch_syscall_oops(_current->syscall_frame); \
295 } \
296 } while (false)
297
298 /**
299 * @brief Runtime expression check for system call arguments
300 *
301 * Used in handler functions to perform various runtime checks on arguments,
302 * and generate a kernel oops if anything is not expected, printing a custom
303 * message.
304 *
305 * @param expr Boolean expression to verify, a false result will trigger an
306 * oops
307 * @param fmt Printf-style format string (followed by appropriate variadic
308 * arguments) to print on verification failure
309 * @return False on success, True on failure
310 */
311 #define Z_SYSCALL_VERIFY_MSG(expr, fmt, ...) ({ \
312 bool expr_copy = !(expr); \
313 if (expr_copy) { \
314 TOOLCHAIN_IGNORE_WSHADOW_BEGIN \
315 LOG_MODULE_DECLARE(os, CONFIG_KERNEL_LOG_LEVEL); \
316 TOOLCHAIN_IGNORE_WSHADOW_END \
317 LOG_ERR("syscall %s failed check: " fmt, \
318 __func__, ##__VA_ARGS__); \
319 } \
320 expr_copy; })
321
322 /**
323 * @brief Runtime expression check for system call arguments
324 *
325 * Used in handler functions to perform various runtime checks on arguments,
326 * and generate a kernel oops if anything is not expected.
327 *
328 * @param expr Boolean expression to verify, a false result will trigger an
329 * oops. A stringified version of this expression will be printed.
330 * @return 0 on success, nonzero on failure
331 */
332 #define Z_SYSCALL_VERIFY(expr) Z_SYSCALL_VERIFY_MSG(expr, #expr)
333
334 /**
335 * @brief Runtime check that a user thread has read and/or write permission to
336 * a memory area
337 *
338 * Checks that the particular memory area is readable and/or writeable by the
339 * currently running thread if the CPU was in user mode, and generates a kernel
340 * oops if it wasn't. Prevents userspace from getting the kernel to read and/or
341 * modify memory the thread does not have access to, or passing in garbage
342 * pointers that would crash/pagefault the kernel if dereferenced.
343 *
344 * @param ptr Memory area to examine
345 * @param size Size of the memory area
346 * @param write If the thread should be able to write to this memory, not just
347 * read it
348 * @return 0 on success, nonzero on failure
349 */
350 #define Z_SYSCALL_MEMORY(ptr, size, write) \
351 Z_SYSCALL_VERIFY_MSG(arch_buffer_validate((void *)ptr, size, write) \
352 == 0, \
353 "Memory region %p (size %zu) %s access denied", \
354 (void *)(ptr), (size_t)(size), \
355 write ? "write" : "read")
356
357 /**
358 * @brief Runtime check that a user thread has read permission to a memory area
359 *
360 * Checks that the particular memory area is readable by the currently running
361 * thread if the CPU was in user mode, and generates a kernel oops if it
362 * wasn't. Prevents userspace from getting the kernel to read memory the thread
363 * does not have access to, or passing in garbage pointers that would
364 * crash/pagefault the kernel if dereferenced.
365 *
366 * @param ptr Memory area to examine
367 * @param size Size of the memory area
368 * @return 0 on success, nonzero on failure
369 */
370 #define Z_SYSCALL_MEMORY_READ(ptr, size) \
371 Z_SYSCALL_MEMORY(ptr, size, 0)
372
373 /**
374 * @brief Runtime check that a user thread has write permission to a memory area
375 *
376 * Checks that the particular memory area is readable and writable by the
377 * currently running thread if the CPU was in user mode, and generates a kernel
378 * oops if it wasn't. Prevents userspace from getting the kernel to read or
379 * modify memory the thread does not have access to, or passing in garbage
380 * pointers that would crash/pagefault the kernel if dereferenced.
381 *
382 * @param ptr Memory area to examine
383 * @param size Size of the memory area
384 * @param 0 on success, nonzero on failure
385 */
386 #define Z_SYSCALL_MEMORY_WRITE(ptr, size) \
387 Z_SYSCALL_MEMORY(ptr, size, 1)
388
389 #define Z_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, write) \
390 ({ \
391 size_t product; \
392 Z_SYSCALL_VERIFY_MSG(!size_mul_overflow((size_t)(nmemb), \
393 (size_t)(size), \
394 &product), \
395 "%zux%zu array is too large", \
396 (size_t)(nmemb), (size_t)(size)) || \
397 Z_SYSCALL_MEMORY(ptr, product, write); \
398 })
399
400 /**
401 * @brief Validate user thread has read permission for sized array
402 *
403 * Used when the memory region is expressed in terms of number of elements and
404 * each element size, handles any overflow issues with computing the total
405 * array bounds. Otherwise see _SYSCALL_MEMORY_READ.
406 *
407 * @param ptr Memory area to examine
408 * @param nmemb Number of elements in the array
409 * @param size Size of each array element
410 * @return 0 on success, nonzero on failure
411 */
412 #define Z_SYSCALL_MEMORY_ARRAY_READ(ptr, nmemb, size) \
413 Z_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, 0)
414
415 /**
416 * @brief Validate user thread has read/write permission for sized array
417 *
418 * Used when the memory region is expressed in terms of number of elements and
419 * each element size, handles any overflow issues with computing the total
420 * array bounds. Otherwise see _SYSCALL_MEMORY_WRITE.
421 *
422 * @param ptr Memory area to examine
423 * @param nmemb Number of elements in the array
424 * @param size Size of each array element
425 * @return 0 on success, nonzero on failure
426 */
427 #define Z_SYSCALL_MEMORY_ARRAY_WRITE(ptr, nmemb, size) \
428 Z_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, 1)
429
z_obj_validation_check(struct z_object * ko,const void * obj,enum k_objects otype,enum _obj_init_check init)430 static inline int z_obj_validation_check(struct z_object *ko,
431 const void *obj,
432 enum k_objects otype,
433 enum _obj_init_check init)
434 {
435 int ret;
436
437 ret = z_object_validate(ko, otype, init);
438
439 #ifdef CONFIG_LOG
440 if (ret != 0) {
441 z_dump_object_error(ret, obj, ko, otype);
442 }
443 #else
444 ARG_UNUSED(obj);
445 #endif
446
447 return ret;
448 }
449
450 #define Z_SYSCALL_IS_OBJ(ptr, type, init) \
451 Z_SYSCALL_VERIFY_MSG(z_obj_validation_check( \
452 z_object_find((const void *)ptr), \
453 (const void *)ptr, \
454 type, init) == 0, "access denied")
455
456 /**
457 * @brief Runtime check driver object pointer for presence of operation
458 *
459 * Validates if the driver object is capable of performing a certain operation.
460 *
461 * @param ptr Untrusted device instance object pointer
462 * @param api_struct Name of the driver API struct (e.g. gpio_driver_api)
463 * @param op Driver operation (e.g. manage_callback)
464 * @return 0 on success, nonzero on failure
465 */
466 #define Z_SYSCALL_DRIVER_OP(ptr, api_name, op) \
467 ({ \
468 struct api_name *__device__ = (struct api_name *) \
469 ((const struct device *)ptr)->api; \
470 Z_SYSCALL_VERIFY_MSG(__device__->op != NULL, \
471 "Operation %s not defined for driver " \
472 "instance %p", \
473 # op, __device__); \
474 })
475
476 /**
477 * @brief Runtime check that device object is of a specific driver type
478 *
479 * Checks that the driver object passed in is initialized, the caller has
480 * correct permissions, and that it belongs to the specified driver
481 * subsystems. Additionally, all devices store a structure pointer of the
482 * driver's API. If this doesn't match the value provided, the check will fail.
483 *
484 * This provides an easy way to determine if a device object not only
485 * belongs to a particular subsystem, but is of a specific device driver
486 * implementation. Useful for defining out-of-subsystem system calls
487 * which are implemented for only one driver.
488 *
489 * @param _device Untrusted device pointer
490 * @param _dtype Expected kernel object type for the provided device pointer
491 * @param _api Expected driver API structure memory address
492 * @return 0 on success, nonzero on failure
493 */
494 #define Z_SYSCALL_SPECIFIC_DRIVER(_device, _dtype, _api) \
495 ({ \
496 const struct device *_dev = (const struct device *)_device; \
497 Z_SYSCALL_OBJ(_dev, _dtype) || \
498 Z_SYSCALL_VERIFY_MSG(_dev->api == _api, \
499 "API structure mismatch"); \
500 })
501
502 /**
503 * @brief Runtime check kernel object pointer for non-init functions
504 *
505 * Calls z_object_validate and triggers a kernel oops if the check fails.
506 * For use in system call handlers which are not init functions; a fatal
507 * error will occur if the object is not initialized.
508 *
509 * @param ptr Untrusted kernel object pointer
510 * @param type Expected kernel object type
511 * @return 0 on success, nonzero on failure
512 */
513 #define Z_SYSCALL_OBJ(ptr, type) \
514 Z_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_TRUE)
515
516 /**
517 * @brief Runtime check kernel object pointer for non-init functions
518 *
519 * See description of _SYSCALL_IS_OBJ. No initialization checks are done.
520 * Intended for init functions where objects may be re-initialized at will.
521 *
522 * @param ptr Untrusted kernel object pointer
523 * @param type Expected kernel object type
524 * @return 0 on success, nonzero on failure
525 */
526
527 #define Z_SYSCALL_OBJ_INIT(ptr, type) \
528 Z_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_ANY)
529
530 /**
531 * @brief Runtime check kernel object pointer for non-init functions
532 *
533 * See description of _SYSCALL_IS_OBJ. Triggers a fatal error if the object is
534 * initialized. Intended for init functions where objects, once initialized,
535 * can only be re-used when their initialization state expires due to some
536 * other mechanism.
537 *
538 * @param ptr Untrusted kernel object pointer
539 * @param type Expected kernel object type
540 * @return 0 on success, nonzero on failure
541 */
542
543 #define Z_SYSCALL_OBJ_NEVER_INIT(ptr, type) \
544 Z_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_FALSE)
545
546 #include <driver-validation.h>
547
548 #endif /* _ASMLANGUAGE */
549
550 #endif /* CONFIG_USERSPACE */
551
552 #endif /* ZEPHYR_INCLUDE_SYSCALL_HANDLER_H_ */
553
