1 /*
2  * Copyright (c) 2017, Intel Corporation
3  *
4  * SPDX-License-Identifier: Apache-2.0
5  */
6 
7 
8 #ifndef ZEPHYR_INCLUDE_SYSCALL_HANDLER_H_
9 #define ZEPHYR_INCLUDE_SYSCALL_HANDLER_H_
10 
11 #ifdef CONFIG_USERSPACE
12 
13 #ifndef _ASMLANGUAGE
14 #include <kernel.h>
15 #include <sys/arch_interface.h>
16 #include <sys/math_extras.h>
17 #include <stdbool.h>
18 #include <logging/log.h>
19 
20 extern const _k_syscall_handler_t _k_syscall_table[K_SYSCALL_LIMIT];
21 
22 enum _obj_init_check {
23 	_OBJ_INIT_TRUE = 0,
24 	_OBJ_INIT_FALSE = -1,
25 	_OBJ_INIT_ANY = 1
26 };
27 
28 /**
29  * Return true if we are currently handling a system call from user mode
30  *
31  * Inside z_vrfy functions, we always know that we are handling
32  * a system call invoked from user context.
33  *
34  * However, some checks that are only relevant to user mode must
35  * instead be placed deeper within the implementation. This
36  * API is useful to conditionally make these checks.
37  *
38  * For performance reasons, whenever possible, checks should be placed
39  * in the relevant z_vrfy function since these are completely skipped
40  * when a syscall is invoked.
41  *
42  * This will return true only if we are handling a syscall for a
43  * user thread. If the system call was invoked from supervisor mode,
44  * or we are not handling a system call, this will return false.
45  *
46  * @return whether the current context is handling a syscall for a user
47  *         mode thread
48  */
z_is_in_user_syscall(void)49 static inline bool z_is_in_user_syscall(void)
50 {
51 	/* This gets set on entry to the syscall's generasted z_mrsh
52 	 * function and then cleared on exit. This code path is only
53 	 * encountered when a syscall is made from user mode, system
54 	 * calls from supervisor mode bypass everything directly to
55 	 * the implementation function.
56 	 */
57 	return !k_is_in_isr() && _current->syscall_frame != NULL;
58 }
59 
60 /**
61  * Ensure a system object is a valid object of the expected type
62  *
63  * Searches for the object and ensures that it is indeed an object
64  * of the expected type, that the caller has the right permissions on it,
65  * and that the object has been initialized.
66  *
67  * This function is intended to be called on the kernel-side system
68  * call handlers to validate kernel object pointers passed in from
69  * userspace.
70  *
71  * @param ko Kernel object metadata pointer, or NULL
72  * @param otype Expected type of the kernel object, or K_OBJ_ANY if type
73  *	  doesn't matter
74  * @param init Indicate whether the object needs to already be in initialized
75  *             or uninitialized state, or that we don't care
76  * @return 0 If the object is valid
77  *         -EBADF if not a valid object of the specified type
78  *         -EPERM If the caller does not have permissions
79  *         -EINVAL Object is not initialized
80  */
81 int z_object_validate(struct z_object *ko, enum k_objects otype,
82 		      enum _obj_init_check init);
83 
84 /**
85  * Dump out error information on failed z_object_validate() call
86  *
87  * @param retval Return value from z_object_validate()
88  * @param obj Kernel object we were trying to verify
89  * @param ko If retval=-EPERM, struct z_object * that was looked up, or NULL
90  * @param otype Expected type of the kernel object
91  */
92 extern void z_dump_object_error(int retval, const void *obj,
93 				struct z_object *ko, enum k_objects otype);
94 
95 /**
96  * Kernel object validation function
97  *
98  * Retrieve metadata for a kernel object. This function is implemented in
99  * the gperf script footer, see gen_kobject_list.py
100  *
101  * @param obj Address of kernel object to get metadata
102  * @return Kernel object's metadata, or NULL if the parameter wasn't the
103  * memory address of a kernel object
104  */
105 extern struct z_object *z_object_find(const void *obj);
106 
107 typedef void (*_wordlist_cb_func_t)(struct z_object *ko, void *context);
108 
109 /**
110  * Iterate over all the kernel object metadata in the system
111  *
112  * @param func function to run on each struct z_object
113  * @param context Context pointer to pass to each invocation
114  */
115 extern void z_object_wordlist_foreach(_wordlist_cb_func_t func, void *context);
116 
117 /**
118  * Copy all kernel object permissions from the parent to the child
119  *
120  * @param parent Parent thread, to get permissions from
121  * @param child Child thread, to copy permissions to
122  */
123 extern void z_thread_perms_inherit(struct k_thread *parent,
124 				  struct k_thread *child);
125 
126 /**
127  * Grant a thread permission to a kernel object
128  *
129  * @param ko Kernel object metadata to update
130  * @param thread The thread to grant permission
131  */
132 extern void z_thread_perms_set(struct z_object *ko, struct k_thread *thread);
133 
134 /**
135  * Revoke a thread's permission to a kernel object
136  *
137  * @param ko Kernel object metadata to update
138  * @param thread The thread to grant permission
139  */
140 extern void z_thread_perms_clear(struct z_object *ko, struct k_thread *thread);
141 
142 /*
143  * Revoke access to all objects for the provided thread
144  *
145  * NOTE: Unlike z_thread_perms_clear(), this function will not clear
146  * permissions on public objects.
147  *
148  * @param thread Thread object to revoke access
149  */
150 extern void z_thread_perms_all_clear(struct k_thread *thread);
151 
152 /**
153  * Clear initialization state of a kernel object
154  *
155  * Intended for thread objects upon thread exit, or for other kernel objects
156  * that were released back to an object pool.
157  *
158  * @param object Address of the kernel object
159  */
160 void z_object_uninit(const void *obj);
161 
162 /**
163  * Initialize and reset permissions to only access by the caller
164  *
165  * Intended for scenarios where objects are fetched from slab pools
166  * and may have had different permissions set during prior usage.
167  *
168  * This is only intended for pools of objects, where such objects are
169  * acquired and released to the pool. If an object has already been used,
170  * we do not want stale permission information hanging around, the object
171  * should only have permissions on the caller. Objects which are not
172  * managed by a pool-like mechanism should not use this API.
173  *
174  * The object will be marked as initialized and the calling thread
175  * granted access to it.
176  *
177  * @param object Address of the kernel object
178  */
179 void z_object_recycle(const void *obj);
180 
181 /**
182  * @brief Obtain the size of a C string passed from user mode
183  *
184  * Given a C string pointer and a maximum size, obtain the true
185  * size of the string (not including the trailing NULL byte) just as
186  * if calling strnlen() on it, with the same semantics of strnlen() with
187  * respect to the return value and the maxlen parameter.
188  *
189  * Any memory protection faults triggered by the examination of the string
190  * will be safely handled and an error code returned.
191  *
192  * NOTE: Doesn't guarantee that user mode has actual access to this
193  * string, you will need to still do a Z_SYSCALL_MEMORY_READ()
194  * with the obtained size value to guarantee this.
195  *
196  * @param src String to measure size of
197  * @param maxlen Maximum number of characters to examine
198  * @param err Pointer to int, filled in with -1 on memory error, 0 on
199  *	success
200  * @return undefined on error, or strlen(src) if that is less than maxlen, or
201  *	maxlen if there were no NULL terminating characters within the
202  *	first maxlen bytes.
203  */
z_user_string_nlen(const char * src,size_t maxlen,int * err)204 static inline size_t z_user_string_nlen(const char *src, size_t maxlen,
205 					int *err)
206 {
207 	return arch_user_string_nlen(src, maxlen, err);
208 }
209 
210 /**
211  * @brief Copy data from userspace into a resource pool allocation
212  *
213  * Given a pointer and a size, allocate a similarly sized buffer in the
214  * caller's resource pool and copy all the data within it to the newly
215  * allocated buffer. This will need to be freed later with k_free().
216  *
217  * Checks are done to ensure that the current thread would have read
218  * access to the provided buffer.
219  *
220  * @param src Source memory address
221  * @param size Size of the memory buffer
222  * @return An allocated buffer with the data copied within it, or NULL
223  *	if some error condition occurred
224  */
225 extern void *z_user_alloc_from_copy(const void *src, size_t size);
226 
227 /**
228  * @brief Copy data from user mode
229  *
230  * Given a userspace pointer and a size, copies data from it into a provided
231  * destination buffer, performing checks to ensure that the caller would have
232  * appropriate access when in user mode.
233  *
234  * @param dst Destination memory buffer
235  * @param src Source memory buffer, in userspace
236  * @param size Number of bytes to copy
237  * @retval 0 On success
238  * @retval EFAULT On memory access error
239  */
240 extern int z_user_from_copy(void *dst, const void *src, size_t size);
241 
242 /**
243  * @brief Copy data to user mode
244  *
245  * Given a userspace pointer and a size, copies data to it from a provided
246  * source buffer, performing checks to ensure that the caller would have
247  * appropriate access when in user mode.
248  *
249  * @param dst Destination memory buffer, in userspace
250  * @param src Source memory buffer
251  * @param size Number of bytes to copy
252  * @retval 0 On success
253  * @retval EFAULT On memory access error
254  */
255 extern int z_user_to_copy(void *dst, const void *src, size_t size);
256 
257 /**
258  * @brief Copy a C string from userspace into a resource pool allocation
259  *
260  * Given a C string and maximum length, duplicate the string using an
261  * allocation from the calling thread's resource pool. This will need to be
262  * freed later with k_free().
263  *
264  * Checks are performed to ensure that the string is valid memory and that
265  * the caller has access to it in user mode.
266  *
267  * @param src Source string pointer, in userspace
268  * @param maxlen Maximum size of the string including trailing NULL
269  * @return The duplicated string, or NULL if an error occurred.
270  */
271 extern char *z_user_string_alloc_copy(const char *src, size_t maxlen);
272 
273 /**
274  * @brief Copy a C string from userspace into a provided buffer
275  *
276  * Given a C string and maximum length, copy the string into a buffer.
277  *
278  * Checks are performed to ensure that the string is valid memory and that
279  * the caller has access to it in user mode.
280  *
281  * @param dst Destination buffer
282  * @param src Source string pointer, in userspace
283  * @param maxlen Maximum size of the string including trailing NULL
284  * @retval 0 on success
285  * @retval EINVAL if the source string is too long with respect
286  *	to maxlen
287  * @retval EFAULT On memory access error
288  */
289 extern int z_user_string_copy(char *dst, const char *src, size_t maxlen);
290 
291 #define Z_OOPS(expr) \
292 	do { \
293 		if (expr) { \
294 			arch_syscall_oops(_current->syscall_frame); \
295 		} \
296 	} while (false)
297 
298 /**
299  * @brief Runtime expression check for system call arguments
300  *
301  * Used in handler functions to perform various runtime checks on arguments,
302  * and generate a kernel oops if anything is not expected, printing a custom
303  * message.
304  *
305  * @param expr Boolean expression to verify, a false result will trigger an
306  *             oops
307  * @param fmt Printf-style format string (followed by appropriate variadic
308  *            arguments) to print on verification failure
309  * @return False on success, True on failure
310  */
311 #define Z_SYSCALL_VERIFY_MSG(expr, fmt, ...) ({ \
312 	bool expr_copy = !(expr); \
313 	if (expr_copy) { \
314 		LOG_MODULE_DECLARE(os, CONFIG_KERNEL_LOG_LEVEL); \
315 		LOG_ERR("syscall %s failed check: " fmt, \
316 			__func__, ##__VA_ARGS__); \
317 	} \
318 	expr_copy; })
319 
320 /**
321  * @brief Runtime expression check for system call arguments
322  *
323  * Used in handler functions to perform various runtime checks on arguments,
324  * and generate a kernel oops if anything is not expected.
325  *
326  * @param expr Boolean expression to verify, a false result will trigger an
327  *             oops. A stringified version of this expression will be printed.
328  * @return 0 on success, nonzero on failure
329  */
330 #define Z_SYSCALL_VERIFY(expr) Z_SYSCALL_VERIFY_MSG(expr, #expr)
331 
332 /**
333  * @brief Macro to check if size is negative
334  *
335  * Z_SYSCALL_MEMORY can be called with signed/unsigned types
336  * and because of that if we check if size is greater or equal to
337  * zero, many static analyzers complain about no effect expression.
338  *
339  * @param ptr Memory area to examine
340  * @param size Size of the memory area
341  * @return true if size is valid, false otherwise
342  * @note This is an internal API. Do not use unless you are extending
343  *       functionality in the Zephyr tree.
344  */
345 #define Z_SYSCALL_MEMORY_SIZE_CHECK(ptr, size) \
346 	(((uintptr_t)ptr + size) >= (uintptr_t)ptr)
347 
348 /**
349  * @brief Runtime check that a user thread has read and/or write permission to
350  *        a memory area
351  *
352  * Checks that the particular memory area is readable and/or writeable by the
353  * currently running thread if the CPU was in user mode, and generates a kernel
354  * oops if it wasn't. Prevents userspace from getting the kernel to read and/or
355  * modify memory the thread does not have access to, or passing in garbage
356  * pointers that would crash/pagefault the kernel if dereferenced.
357  *
358  * @param ptr Memory area to examine
359  * @param size Size of the memory area
360  * @param write If the thread should be able to write to this memory, not just
361  *		read it
362  * @return 0 on success, nonzero on failure
363  */
364 #define Z_SYSCALL_MEMORY(ptr, size, write) \
365 	Z_SYSCALL_VERIFY_MSG(Z_SYSCALL_MEMORY_SIZE_CHECK(ptr, size) \
366 			     && !Z_DETECT_POINTER_OVERFLOW(ptr, size) \
367 			     && (arch_buffer_validate((void *)ptr, size, write) \
368 			     == 0), \
369 			     "Memory region %p (size %zu) %s access denied", \
370 			     (void *)(ptr), (size_t)(size), \
371 			     write ? "write" : "read")
372 
373 /**
374  * @brief Runtime check that a user thread has read permission to a memory area
375  *
376  * Checks that the particular memory area is readable by the currently running
377  * thread if the CPU was in user mode, and generates a kernel oops if it
378  * wasn't. Prevents userspace from getting the kernel to read memory the thread
379  * does not have access to, or passing in garbage pointers that would
380  * crash/pagefault the kernel if dereferenced.
381  *
382  * @param ptr Memory area to examine
383  * @param size Size of the memory area
384  * @return 0 on success, nonzero on failure
385  */
386 #define Z_SYSCALL_MEMORY_READ(ptr, size) \
387 	Z_SYSCALL_MEMORY(ptr, size, 0)
388 
389 /**
390  * @brief Runtime check that a user thread has write permission to a memory area
391  *
392  * Checks that the particular memory area is readable and writable by the
393  * currently running thread if the CPU was in user mode, and generates a kernel
394  * oops if it wasn't. Prevents userspace from getting the kernel to read or
395  * modify memory the thread does not have access to, or passing in garbage
396  * pointers that would crash/pagefault the kernel if dereferenced.
397  *
398  * @param ptr Memory area to examine
399  * @param size Size of the memory area
400  * @param 0 on success, nonzero on failure
401  */
402 #define Z_SYSCALL_MEMORY_WRITE(ptr, size) \
403 	Z_SYSCALL_MEMORY(ptr, size, 1)
404 
405 #define Z_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, write) \
406 	({ \
407 		size_t product; \
408 		Z_SYSCALL_VERIFY_MSG(!size_mul_overflow((size_t)(nmemb), \
409 							(size_t)(size), \
410 							&product), \
411 				     "%zux%zu array is too large", \
412 				     (size_t)(nmemb), (size_t)(size)) ||  \
413 			Z_SYSCALL_MEMORY(ptr, product, write); \
414 	})
415 
416 /**
417  * @brief Validate user thread has read permission for sized array
418  *
419  * Used when the memory region is expressed in terms of number of elements and
420  * each element size, handles any overflow issues with computing the total
421  * array bounds. Otherwise see _SYSCALL_MEMORY_READ.
422  *
423  * @param ptr Memory area to examine
424  * @param nmemb Number of elements in the array
425  * @param size Size of each array element
426  * @return 0 on success, nonzero on failure
427  */
428 #define Z_SYSCALL_MEMORY_ARRAY_READ(ptr, nmemb, size) \
429 	Z_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, 0)
430 
431 /**
432  * @brief Validate user thread has read/write permission for sized array
433  *
434  * Used when the memory region is expressed in terms of number of elements and
435  * each element size, handles any overflow issues with computing the total
436  * array bounds. Otherwise see _SYSCALL_MEMORY_WRITE.
437  *
438  * @param ptr Memory area to examine
439  * @param nmemb Number of elements in the array
440  * @param size Size of each array element
441  * @return 0 on success, nonzero on failure
442  */
443 #define Z_SYSCALL_MEMORY_ARRAY_WRITE(ptr, nmemb, size) \
444 	Z_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, 1)
445 
z_obj_validation_check(struct z_object * ko,const void * obj,enum k_objects otype,enum _obj_init_check init)446 static inline int z_obj_validation_check(struct z_object *ko,
447 					 const void *obj,
448 					 enum k_objects otype,
449 					 enum _obj_init_check init)
450 {
451 	int ret;
452 
453 	ret = z_object_validate(ko, otype, init);
454 
455 #ifdef CONFIG_LOG
456 	if (ret != 0) {
457 		z_dump_object_error(ret, obj, ko, otype);
458 	}
459 #else
460 	ARG_UNUSED(obj);
461 #endif
462 
463 	return ret;
464 }
465 
466 #define Z_SYSCALL_IS_OBJ(ptr, type, init) \
467 	Z_SYSCALL_VERIFY_MSG(z_obj_validation_check(			\
468 				     z_object_find((const void *)ptr),	\
469 				     (const void *)ptr,			\
470 				     type, init) == 0, "access denied")
471 
472 /**
473  * @brief Runtime check driver object pointer for presence of operation
474  *
475  * Validates if the driver object is capable of performing a certain operation.
476  *
477  * @param ptr Untrusted device instance object pointer
478  * @param api_struct Name of the driver API struct (e.g. gpio_driver_api)
479  * @param op Driver operation (e.g. manage_callback)
480  * @return 0 on success, nonzero on failure
481  */
482 #define Z_SYSCALL_DRIVER_OP(ptr, api_name, op) \
483 	({ \
484 		struct api_name *__device__ = (struct api_name *) \
485 			((const struct device *)ptr)->api; \
486 		Z_SYSCALL_VERIFY_MSG(__device__->op != NULL, \
487 				    "Operation %s not defined for driver " \
488 				    "instance %p", \
489 				    # op, __device__); \
490 	})
491 
492 /**
493  * @brief Runtime check that device object is of a specific driver type
494  *
495  * Checks that the driver object passed in is initialized, the caller has
496  * correct permissions, and that it belongs to the specified driver
497  * subsystems. Additionally, all devices store a structure pointer of the
498  * driver's API. If this doesn't match the value provided, the check will fail.
499  *
500  * This provides an easy way to determine if a device object not only
501  * belongs to a particular subsystem, but is of a specific device driver
502  * implementation. Useful for defining out-of-subsystem system calls
503  * which are implemented for only one driver.
504  *
505  * @param _device Untrusted device pointer
506  * @param _dtype Expected kernel object type for the provided device pointer
507  * @param _api Expected driver API structure memory address
508  * @return 0 on success, nonzero on failure
509  */
510 #define Z_SYSCALL_SPECIFIC_DRIVER(_device, _dtype, _api) \
511 	({ \
512 		const struct device *_dev = (const struct device *)_device; \
513 		Z_SYSCALL_OBJ(_dev, _dtype) || \
514 			Z_SYSCALL_VERIFY_MSG(_dev->api == _api, \
515 					     "API structure mismatch"); \
516 	})
517 
518 /**
519  * @brief Runtime check kernel object pointer for non-init functions
520  *
521  * Calls z_object_validate and triggers a kernel oops if the check fails.
522  * For use in system call handlers which are not init functions; a fatal
523  * error will occur if the object is not initialized.
524  *
525  * @param ptr Untrusted kernel object pointer
526  * @param type Expected kernel object type
527  * @return 0 on success, nonzero on failure
528  */
529 #define Z_SYSCALL_OBJ(ptr, type) \
530 	Z_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_TRUE)
531 
532 /**
533  * @brief Runtime check kernel object pointer for non-init functions
534  *
535  * See description of _SYSCALL_IS_OBJ. No initialization checks are done.
536  * Intended for init functions where objects may be re-initialized at will.
537  *
538  * @param ptr Untrusted kernel object pointer
539  * @param type Expected kernel object type
540  * @return 0 on success, nonzero on failure
541  */
542 
543 #define Z_SYSCALL_OBJ_INIT(ptr, type) \
544 	Z_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_ANY)
545 
546 /**
547  * @brief Runtime check kernel object pointer for non-init functions
548  *
549  * See description of _SYSCALL_IS_OBJ. Triggers a fatal error if the object is
550  * initialized. Intended for init functions where objects, once initialized,
551  * can only be re-used when their initialization state expires due to some
552  * other mechanism.
553  *
554  * @param ptr Untrusted kernel object pointer
555  * @param type Expected kernel object type
556  * @return 0 on success, nonzero on failure
557  */
558 
559 #define Z_SYSCALL_OBJ_NEVER_INIT(ptr, type) \
560 	Z_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_FALSE)
561 
562 #include <driver-validation.h>
563 
564 #endif /* _ASMLANGUAGE */
565 
566 #endif /* CONFIG_USERSPACE */
567 
568 #endif /* ZEPHYR_INCLUDE_SYSCALL_HANDLER_H_ */
569