2017-08-30 23:06:30 +02:00
|
|
|
/*
|
|
|
|
|
* Copyright (c) 2017 Intel Corporation
|
|
|
|
|
*
|
|
|
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
*/
|
|
|
|
|
|
2022-05-09 13:56:13 +02:00
|
|
|
#include <zephyr/arch/x86/ia32/asm.h>
|
|
|
|
|
#include <zephyr/arch/cpu.h>
|
2017-08-30 23:06:30 +02:00
|
|
|
#include <offsets_short.h>
|
2022-05-09 13:56:13 +02:00
|
|
|
#include <zephyr/syscall.h>
|
2023-11-14 00:12:45 +01:00
|
|
|
#include <zephyr/kernel/mm.h>
|
2020-12-15 02:18:12 +01:00
|
|
|
#include <x86_mmu.h>
|
2017-08-30 23:06:30 +02:00
|
|
|
|
|
|
|
|
/* Exports */
|
2019-03-14 16:20:46 +01:00
|
|
|
GTEXT(z_x86_syscall_entry_stub)
|
|
|
|
|
GTEXT(z_x86_userspace_enter)
|
2019-11-07 21:43:29 +01:00
|
|
|
GTEXT(arch_user_string_nlen)
|
2019-10-16 22:38:54 +02:00
|
|
|
GTEXT(z_x86_user_string_nlen_fault_start)
|
|
|
|
|
GTEXT(z_x86_user_string_nlen_fault_end)
|
|
|
|
|
GTEXT(z_x86_user_string_nlen_fixup)
|
2017-08-30 23:06:30 +02:00
|
|
|
|
|
|
|
|
/* Imports */
|
2018-08-24 10:35:10 +02:00
|
|
|
GDATA(_k_syscall_table)
|
2017-08-30 23:06:30 +02:00
|
|
|
|
2019-02-07 00:35:24 +01:00
|
|
|
#ifdef CONFIG_X86_KPTI
|
|
|
|
|
/* Switch from the shadow to the kernel page table, switch to the interrupted
|
|
|
|
|
* thread's kernel stack, and copy all context from the trampoline stack.
|
|
|
|
|
*
|
|
|
|
|
* Assumes all registers are callee-saved since this gets called from other
|
|
|
|
|
* ASM code. Assumes a particular stack layout which is correct for
|
|
|
|
|
* _exception_enter and _interrupt_enter when invoked with a call instruction:
|
|
|
|
|
*
|
|
|
|
|
* 28 SS
|
|
|
|
|
* 24 ES
|
|
|
|
|
* 20 EFLAGS
|
|
|
|
|
* 16 CS
|
|
|
|
|
* 12 EIP
|
|
|
|
|
* 8 isr_param or exc code
|
|
|
|
|
* 4 isr or exc handler
|
|
|
|
|
* 0 return address
|
|
|
|
|
*/
|
2021-02-26 01:42:53 +01:00
|
|
|
SECTION_FUNC(PINNED_TEXT, z_x86_trampoline_to_kernel)
|
2019-02-07 00:35:24 +01:00
|
|
|
/* Check interrupted code segment to see if we came from ring 3
|
|
|
|
|
* and hence on the trampoline stack
|
|
|
|
|
*/
|
|
|
|
|
testb $3, 16(%esp) /* Offset of CS */
|
|
|
|
|
jz 1f
|
|
|
|
|
|
|
|
|
|
/* Stash these regs as we need to use them */
|
|
|
|
|
pushl %esi
|
|
|
|
|
pushl %edi
|
|
|
|
|
|
|
|
|
|
/* Switch to kernel page table */
|
2021-03-07 03:48:18 +01:00
|
|
|
movl $Z_MEM_PHYS_ADDR(z_x86_kernel_ptables), %esi
|
2019-02-07 00:35:24 +01:00
|
|
|
movl %esi, %cr3
|
|
|
|
|
|
|
|
|
|
/* Save old trampoline stack pointer in %edi */
|
|
|
|
|
movl %esp, %edi
|
|
|
|
|
|
2019-11-20 00:08:49 +01:00
|
|
|
/* Switch to privilege mode stack */
|
2019-02-07 00:35:24 +01:00
|
|
|
movl $_kernel, %esi
|
|
|
|
|
movl _kernel_offset_to_current(%esi), %esi
|
2019-11-20 00:08:49 +01:00
|
|
|
movl _thread_offset_to_psp(%esi), %esp
|
2019-02-07 00:35:24 +01:00
|
|
|
|
|
|
|
|
/* Transplant stack context and restore ESI/EDI. Taking care to zero
|
|
|
|
|
* or put uninteresting values where we stashed ESI/EDI since the
|
|
|
|
|
* trampoline page is insecure and there might a context switch
|
|
|
|
|
* on the way out instead of returning to the original thread
|
|
|
|
|
* immediately.
|
|
|
|
|
*/
|
|
|
|
|
pushl 36(%edi) /* SS */
|
|
|
|
|
pushl 32(%edi) /* ESP */
|
|
|
|
|
pushl 28(%edi) /* EFLAGS */
|
|
|
|
|
pushl 24(%edi) /* CS */
|
|
|
|
|
pushl 20(%edi) /* EIP */
|
|
|
|
|
pushl 16(%edi) /* error code or isr parameter */
|
|
|
|
|
pushl 12(%edi) /* exception/irq handler */
|
|
|
|
|
pushl 8(%edi) /* return address */
|
|
|
|
|
movl 4(%edi), %esi /* restore ESI */
|
|
|
|
|
movl $0, 4(%edi) /* Zero old esi storage area */
|
|
|
|
|
xchgl %edi, (%edi) /* Exchange old edi to restore it and put
|
|
|
|
|
old sp in the storage area */
|
|
|
|
|
|
|
|
|
|
/* Trampoline stack should have nothing sensitive in it at this point */
|
|
|
|
|
1:
|
|
|
|
|
ret
|
|
|
|
|
|
|
|
|
|
/* Copy interrupt return stack context to the trampoline stack, switch back
|
|
|
|
|
* to the user page table, and only then 'iret'. We jump to this instead
|
|
|
|
|
* of calling 'iret' if KPTI is turned on.
|
|
|
|
|
*
|
|
|
|
|
* Stack layout is expected to be as follows:
|
|
|
|
|
*
|
|
|
|
|
* 16 SS
|
|
|
|
|
* 12 ESP
|
|
|
|
|
* 8 EFLAGS
|
|
|
|
|
* 4 CS
|
|
|
|
|
* 0 EIP
|
|
|
|
|
*
|
|
|
|
|
* This function is conditionally macroed to KPTI_IRET/KPTI_IRET_USER
|
|
|
|
|
*/
|
2021-02-26 01:42:53 +01:00
|
|
|
SECTION_FUNC(PINNED_TEXT, z_x86_trampoline_to_user)
|
2019-02-07 00:35:24 +01:00
|
|
|
/* Check interrupted code segment to see if we came from ring 3
|
|
|
|
|
* and hence on the trampoline stack
|
|
|
|
|
*/
|
|
|
|
|
testb $3, 4(%esp) /* Offset of CS */
|
|
|
|
|
jz 1f
|
|
|
|
|
|
|
|
|
|
/* Otherwise, fall through ... */
|
|
|
|
|
|
2021-02-26 01:42:53 +01:00
|
|
|
SECTION_FUNC(PINNED_TEXT, z_x86_trampoline_to_user_always)
|
2019-02-07 00:35:24 +01:00
|
|
|
/* Stash EDI, need a free register */
|
|
|
|
|
pushl %edi
|
|
|
|
|
|
2020-05-01 01:46:29 +02:00
|
|
|
/* Store old stack pointer and switch to trampoline stack.
|
|
|
|
|
* Lock IRQs before changing stack pointer to the trampoline stack,
|
|
|
|
|
* we don't want any interrupts also using the trampoline stack
|
|
|
|
|
* during this time.
|
2019-02-07 00:35:24 +01:00
|
|
|
*/
|
2020-05-01 01:46:29 +02:00
|
|
|
movl %esp, %edi
|
2019-02-07 00:35:24 +01:00
|
|
|
cli
|
2020-05-01 01:46:29 +02:00
|
|
|
movl $z_trampoline_stack_end, %esp
|
2019-02-07 00:35:24 +01:00
|
|
|
|
|
|
|
|
/* Copy context */
|
|
|
|
|
pushl 20(%edi) /* SS */
|
|
|
|
|
pushl 16(%edi) /* ESP */
|
|
|
|
|
pushl 12(%edi) /* EFLAGS */
|
|
|
|
|
pushl 8(%edi) /* CS */
|
|
|
|
|
pushl 4(%edi) /* EIP */
|
|
|
|
|
xchgl %edi, (%edi) /* Exchange old edi to restore it and put
|
|
|
|
|
trampoline stack address in its old storage
|
|
|
|
|
area */
|
2019-11-20 00:08:49 +01:00
|
|
|
/* Switch to user page table */
|
2019-02-07 00:35:24 +01:00
|
|
|
pushl %eax
|
2019-07-30 03:22:30 +02:00
|
|
|
movl $_kernel, %eax
|
|
|
|
|
movl _kernel_offset_to_current(%eax), %eax
|
2019-11-20 00:08:49 +01:00
|
|
|
movl _thread_offset_to_ptables(%eax), %eax
|
2019-02-07 00:35:24 +01:00
|
|
|
movl %eax, %cr3
|
|
|
|
|
popl %eax
|
|
|
|
|
movl $0, -4(%esp) /* Delete stashed EAX data */
|
|
|
|
|
|
|
|
|
|
/* Trampoline stack should have nothing sensitive in it at this point */
|
|
|
|
|
1:
|
|
|
|
|
iret
|
|
|
|
|
#endif /* CONFIG_X86_KPTI */
|
|
|
|
|
|
2017-08-30 23:06:30 +02:00
|
|
|
/* Landing site for syscall SW IRQ. Marshal arguments and call C function for
|
2019-02-07 00:35:24 +01:00
|
|
|
* further processing. We're on the kernel stack for the invoking thread,
|
|
|
|
|
* unless KPTI is enabled, in which case we're on the trampoline stack and
|
|
|
|
|
* need to get off it before enabling interrupts.
|
2017-08-30 23:06:30 +02:00
|
|
|
*/
|
2019-03-14 16:20:46 +01:00
|
|
|
SECTION_FUNC(TEXT, z_x86_syscall_entry_stub)
|
2019-02-07 00:35:24 +01:00
|
|
|
#ifdef CONFIG_X86_KPTI
|
|
|
|
|
/* Stash these regs as we need to use them */
|
|
|
|
|
pushl %esi
|
|
|
|
|
pushl %edi
|
|
|
|
|
|
|
|
|
|
/* Switch to kernel page table */
|
2021-03-07 03:48:18 +01:00
|
|
|
movl $Z_MEM_PHYS_ADDR(z_x86_kernel_ptables), %esi
|
2019-02-07 00:35:24 +01:00
|
|
|
movl %esi, %cr3
|
|
|
|
|
|
|
|
|
|
/* Save old trampoline stack pointer in %edi */
|
|
|
|
|
movl %esp, %edi
|
|
|
|
|
|
2019-11-20 00:08:49 +01:00
|
|
|
/* Switch to privilege elevation stack */
|
2019-02-07 00:35:24 +01:00
|
|
|
movl $_kernel, %esi
|
|
|
|
|
movl _kernel_offset_to_current(%esi), %esi
|
2019-11-20 00:08:49 +01:00
|
|
|
movl _thread_offset_to_psp(%esi), %esp
|
2019-02-07 00:35:24 +01:00
|
|
|
|
|
|
|
|
/* Transplant context according to layout above. Variant of logic
|
|
|
|
|
* in x86_trampoline_to_kernel */
|
|
|
|
|
pushl 24(%edi) /* SS */
|
|
|
|
|
pushl 20(%edi) /* ESP */
|
|
|
|
|
pushl 16(%edi) /* EFLAGS */
|
|
|
|
|
pushl 12(%edi) /* CS */
|
|
|
|
|
pushl 8(%edi) /* EIP */
|
|
|
|
|
movl 4(%edi), %esi /* restore ESI */
|
|
|
|
|
movl $0, 4(%edi) /* Zero old esi storage area */
|
|
|
|
|
xchgl %edi, (%edi) /* Exchange old edi to restore it and put
|
|
|
|
|
old sp in the storage area */
|
|
|
|
|
|
|
|
|
|
/* Trampoline stack should have nothing sensitive in it at this point */
|
|
|
|
|
#endif /* CONFIG_X86_KPTI */
|
|
|
|
|
|
userspace: flesh out internal syscall interface
* Instead of a common system call entry function, we instead create a
table mapping system call ids to handler skeleton functions which are
invoked directly by the architecture code which receives the system
call.
* system call handler prototype specified. All but the most trivial
system calls will implement one of these. They validate all the
arguments, including verifying kernel/device object pointers, ensuring
that the calling thread has appropriate access to any memory buffers
passed in, and performing other parameter checks that the base system
call implementation does not check, or only checks with __ASSERT().
It's only possible to install a system call implementation directly
inside this table if the implementation has a return value and requires
no validation of any of its arguments.
A sample handler implementation for k_mutex_unlock() might look like:
u32_t _syscall_k_mutex_unlock(u32_t mutex_arg, u32_t arg2, u32_t arg3,
u32_t arg4, u32_t arg5, void *ssf)
{
struct k_mutex *mutex = (struct k_mutex *)mutex_arg;
_SYSCALL_ARG1;
_SYSCALL_IS_OBJ(mutex, K_OBJ_MUTEX, 0, ssf);
_SYSCALL_VERIFY(mutex->lock_count > 0, ssf);
_SYSCALL_VERIFY(mutex->owner == _current, ssf);
k_mutex_unlock(mutex);
return 0;
}
* the x86 port modified to work with the system call table instead of
calling a common handler function. fixed an issue where registers being
changed could confuse the compiler has been fixed; all registers, even
ones used for parameters, must be preserved across the system call.
* a new arch API for producing a kernel oops when validating system call
arguments added. The debug information reported will be from the system
call site and not inside the handler function.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-09-14 03:04:21 +02:00
|
|
|
sti /* re-enable interrupts */
|
|
|
|
|
cld /* clear direction flag, restored on 'iret' */
|
|
|
|
|
|
|
|
|
|
/* call_id is in ESI. bounds-check it, must be less than
|
|
|
|
|
* K_SYSCALL_LIMIT
|
|
|
|
|
*/
|
2018-08-10 15:43:31 +02:00
|
|
|
cmp $K_SYSCALL_LIMIT, %esi
|
userspace: flesh out internal syscall interface
* Instead of a common system call entry function, we instead create a
table mapping system call ids to handler skeleton functions which are
invoked directly by the architecture code which receives the system
call.
* system call handler prototype specified. All but the most trivial
system calls will implement one of these. They validate all the
arguments, including verifying kernel/device object pointers, ensuring
that the calling thread has appropriate access to any memory buffers
passed in, and performing other parameter checks that the base system
call implementation does not check, or only checks with __ASSERT().
It's only possible to install a system call implementation directly
inside this table if the implementation has a return value and requires
no validation of any of its arguments.
A sample handler implementation for k_mutex_unlock() might look like:
u32_t _syscall_k_mutex_unlock(u32_t mutex_arg, u32_t arg2, u32_t arg3,
u32_t arg4, u32_t arg5, void *ssf)
{
struct k_mutex *mutex = (struct k_mutex *)mutex_arg;
_SYSCALL_ARG1;
_SYSCALL_IS_OBJ(mutex, K_OBJ_MUTEX, 0, ssf);
_SYSCALL_VERIFY(mutex->lock_count > 0, ssf);
_SYSCALL_VERIFY(mutex->owner == _current, ssf);
k_mutex_unlock(mutex);
return 0;
}
* the x86 port modified to work with the system call table instead of
calling a common handler function. fixed an issue where registers being
changed could confuse the compiler has been fixed; all registers, even
ones used for parameters, must be preserved across the system call.
* a new arch API for producing a kernel oops when validating system call
arguments added. The debug information reported will be from the system
call site and not inside the handler function.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-09-14 03:04:21 +02:00
|
|
|
jae _bad_syscall
|
|
|
|
|
|
|
|
|
|
_id_ok:
|
2019-06-30 05:52:44 +02:00
|
|
|
#ifdef CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION
|
2019-03-08 01:07:48 +01:00
|
|
|
/* Prevent speculation with bogus system call IDs */
|
|
|
|
|
lfence
|
|
|
|
|
#endif
|
userspace: flesh out internal syscall interface
* Instead of a common system call entry function, we instead create a
table mapping system call ids to handler skeleton functions which are
invoked directly by the architecture code which receives the system
call.
* system call handler prototype specified. All but the most trivial
system calls will implement one of these. They validate all the
arguments, including verifying kernel/device object pointers, ensuring
that the calling thread has appropriate access to any memory buffers
passed in, and performing other parameter checks that the base system
call implementation does not check, or only checks with __ASSERT().
It's only possible to install a system call implementation directly
inside this table if the implementation has a return value and requires
no validation of any of its arguments.
A sample handler implementation for k_mutex_unlock() might look like:
u32_t _syscall_k_mutex_unlock(u32_t mutex_arg, u32_t arg2, u32_t arg3,
u32_t arg4, u32_t arg5, void *ssf)
{
struct k_mutex *mutex = (struct k_mutex *)mutex_arg;
_SYSCALL_ARG1;
_SYSCALL_IS_OBJ(mutex, K_OBJ_MUTEX, 0, ssf);
_SYSCALL_VERIFY(mutex->lock_count > 0, ssf);
_SYSCALL_VERIFY(mutex->owner == _current, ssf);
k_mutex_unlock(mutex);
return 0;
}
* the x86 port modified to work with the system call table instead of
calling a common handler function. fixed an issue where registers being
changed could confuse the compiler has been fixed; all registers, even
ones used for parameters, must be preserved across the system call.
* a new arch API for producing a kernel oops when validating system call
arguments added. The debug information reported will be from the system
call site and not inside the handler function.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-09-14 03:04:21 +02:00
|
|
|
/* Marshal arguments per calling convention to match what is expected
|
|
|
|
|
* for _k_syscall_handler_t functions
|
|
|
|
|
*/
|
|
|
|
|
push %esp /* ssf */
|
2017-09-19 18:59:42 +02:00
|
|
|
push %ebp /* arg6 */
|
2017-08-30 23:06:30 +02:00
|
|
|
push %edi /* arg5 */
|
|
|
|
|
push %ebx /* arg4 */
|
|
|
|
|
push %ecx /* arg3 */
|
|
|
|
|
push %edx /* arg2 */
|
|
|
|
|
push %eax /* arg1 */
|
|
|
|
|
|
userspace: flesh out internal syscall interface
* Instead of a common system call entry function, we instead create a
table mapping system call ids to handler skeleton functions which are
invoked directly by the architecture code which receives the system
call.
* system call handler prototype specified. All but the most trivial
system calls will implement one of these. They validate all the
arguments, including verifying kernel/device object pointers, ensuring
that the calling thread has appropriate access to any memory buffers
passed in, and performing other parameter checks that the base system
call implementation does not check, or only checks with __ASSERT().
It's only possible to install a system call implementation directly
inside this table if the implementation has a return value and requires
no validation of any of its arguments.
A sample handler implementation for k_mutex_unlock() might look like:
u32_t _syscall_k_mutex_unlock(u32_t mutex_arg, u32_t arg2, u32_t arg3,
u32_t arg4, u32_t arg5, void *ssf)
{
struct k_mutex *mutex = (struct k_mutex *)mutex_arg;
_SYSCALL_ARG1;
_SYSCALL_IS_OBJ(mutex, K_OBJ_MUTEX, 0, ssf);
_SYSCALL_VERIFY(mutex->lock_count > 0, ssf);
_SYSCALL_VERIFY(mutex->owner == _current, ssf);
k_mutex_unlock(mutex);
return 0;
}
* the x86 port modified to work with the system call table instead of
calling a common handler function. fixed an issue where registers being
changed could confuse the compiler has been fixed; all registers, even
ones used for parameters, must be preserved across the system call.
* a new arch API for producing a kernel oops when validating system call
arguments added. The debug information reported will be from the system
call site and not inside the handler function.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-09-14 03:04:21 +02:00
|
|
|
/* from the call ID in ESI, load EBX with the actual function pointer
|
|
|
|
|
* to call by looking it up in the system call dispatch table
|
|
|
|
|
*/
|
|
|
|
|
xor %edi, %edi
|
|
|
|
|
mov _k_syscall_table(%edi, %esi, 4), %ebx
|
|
|
|
|
|
|
|
|
|
/* Run the handler, which is some entry in _k_syscall_table */
|
2019-12-19 00:11:59 +01:00
|
|
|
call *%ebx
|
2017-08-30 23:06:30 +02:00
|
|
|
|
|
|
|
|
/* EAX now contains return value. Pop or xor everything else to prevent
|
|
|
|
|
* information leak from kernel mode.
|
|
|
|
|
*/
|
userspace: flesh out internal syscall interface
* Instead of a common system call entry function, we instead create a
table mapping system call ids to handler skeleton functions which are
invoked directly by the architecture code which receives the system
call.
* system call handler prototype specified. All but the most trivial
system calls will implement one of these. They validate all the
arguments, including verifying kernel/device object pointers, ensuring
that the calling thread has appropriate access to any memory buffers
passed in, and performing other parameter checks that the base system
call implementation does not check, or only checks with __ASSERT().
It's only possible to install a system call implementation directly
inside this table if the implementation has a return value and requires
no validation of any of its arguments.
A sample handler implementation for k_mutex_unlock() might look like:
u32_t _syscall_k_mutex_unlock(u32_t mutex_arg, u32_t arg2, u32_t arg3,
u32_t arg4, u32_t arg5, void *ssf)
{
struct k_mutex *mutex = (struct k_mutex *)mutex_arg;
_SYSCALL_ARG1;
_SYSCALL_IS_OBJ(mutex, K_OBJ_MUTEX, 0, ssf);
_SYSCALL_VERIFY(mutex->lock_count > 0, ssf);
_SYSCALL_VERIFY(mutex->owner == _current, ssf);
k_mutex_unlock(mutex);
return 0;
}
* the x86 port modified to work with the system call table instead of
calling a common handler function. fixed an issue where registers being
changed could confuse the compiler has been fixed; all registers, even
ones used for parameters, must be preserved across the system call.
* a new arch API for producing a kernel oops when validating system call
arguments added. The debug information reported will be from the system
call site and not inside the handler function.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-09-14 03:04:21 +02:00
|
|
|
pop %edx /* old arg1 value, discard it */
|
2017-08-30 23:06:30 +02:00
|
|
|
pop %edx
|
|
|
|
|
pop %ecx
|
|
|
|
|
pop %ebx
|
|
|
|
|
pop %edi
|
2017-09-19 18:59:42 +02:00
|
|
|
/* Discard ssf and arg6 */
|
|
|
|
|
add $8, %esp
|
2019-02-07 00:35:24 +01:00
|
|
|
KPTI_IRET_USER
|
2017-08-30 23:06:30 +02:00
|
|
|
|
userspace: flesh out internal syscall interface
* Instead of a common system call entry function, we instead create a
table mapping system call ids to handler skeleton functions which are
invoked directly by the architecture code which receives the system
call.
* system call handler prototype specified. All but the most trivial
system calls will implement one of these. They validate all the
arguments, including verifying kernel/device object pointers, ensuring
that the calling thread has appropriate access to any memory buffers
passed in, and performing other parameter checks that the base system
call implementation does not check, or only checks with __ASSERT().
It's only possible to install a system call implementation directly
inside this table if the implementation has a return value and requires
no validation of any of its arguments.
A sample handler implementation for k_mutex_unlock() might look like:
u32_t _syscall_k_mutex_unlock(u32_t mutex_arg, u32_t arg2, u32_t arg3,
u32_t arg4, u32_t arg5, void *ssf)
{
struct k_mutex *mutex = (struct k_mutex *)mutex_arg;
_SYSCALL_ARG1;
_SYSCALL_IS_OBJ(mutex, K_OBJ_MUTEX, 0, ssf);
_SYSCALL_VERIFY(mutex->lock_count > 0, ssf);
_SYSCALL_VERIFY(mutex->owner == _current, ssf);
k_mutex_unlock(mutex);
return 0;
}
* the x86 port modified to work with the system call table instead of
calling a common handler function. fixed an issue where registers being
changed could confuse the compiler has been fixed; all registers, even
ones used for parameters, must be preserved across the system call.
* a new arch API for producing a kernel oops when validating system call
arguments added. The debug information reported will be from the system
call site and not inside the handler function.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-09-14 03:04:21 +02:00
|
|
|
_bad_syscall:
|
|
|
|
|
/* ESI had a bogus syscall value in it, replace with the bad syscall
|
|
|
|
|
* handler's ID, and put the bad ID as its first argument. This
|
|
|
|
|
* clobbers ESI but the bad syscall handler never returns
|
|
|
|
|
* anyway, it's going to generate a kernel oops
|
|
|
|
|
*/
|
|
|
|
|
mov %esi, %eax
|
2018-08-10 15:43:31 +02:00
|
|
|
mov $K_SYSCALL_BAD, %esi
|
userspace: flesh out internal syscall interface
* Instead of a common system call entry function, we instead create a
table mapping system call ids to handler skeleton functions which are
invoked directly by the architecture code which receives the system
call.
* system call handler prototype specified. All but the most trivial
system calls will implement one of these. They validate all the
arguments, including verifying kernel/device object pointers, ensuring
that the calling thread has appropriate access to any memory buffers
passed in, and performing other parameter checks that the base system
call implementation does not check, or only checks with __ASSERT().
It's only possible to install a system call implementation directly
inside this table if the implementation has a return value and requires
no validation of any of its arguments.
A sample handler implementation for k_mutex_unlock() might look like:
u32_t _syscall_k_mutex_unlock(u32_t mutex_arg, u32_t arg2, u32_t arg3,
u32_t arg4, u32_t arg5, void *ssf)
{
struct k_mutex *mutex = (struct k_mutex *)mutex_arg;
_SYSCALL_ARG1;
_SYSCALL_IS_OBJ(mutex, K_OBJ_MUTEX, 0, ssf);
_SYSCALL_VERIFY(mutex->lock_count > 0, ssf);
_SYSCALL_VERIFY(mutex->owner == _current, ssf);
k_mutex_unlock(mutex);
return 0;
}
* the x86 port modified to work with the system call table instead of
calling a common handler function. fixed an issue where registers being
changed could confuse the compiler has been fixed; all registers, even
ones used for parameters, must be preserved across the system call.
* a new arch API for producing a kernel oops when validating system call
arguments added. The debug information reported will be from the system
call site and not inside the handler function.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-09-14 03:04:21 +02:00
|
|
|
jmp _id_ok
|
|
|
|
|
|
2017-08-30 23:06:30 +02:00
|
|
|
|
2018-06-22 23:29:57 +02:00
|
|
|
/*
|
2019-11-07 21:43:29 +01:00
|
|
|
* size_t arch_user_string_nlen(const char *s, size_t maxsize, int *err_arg)
|
2018-06-22 23:29:57 +02:00
|
|
|
*/
|
2019-11-07 21:43:29 +01:00
|
|
|
SECTION_FUNC(TEXT, arch_user_string_nlen)
|
2018-06-22 23:29:57 +02:00
|
|
|
push %ebp
|
|
|
|
|
mov %esp, %ebp
|
|
|
|
|
|
|
|
|
|
/* error value, set to -1 initially. This location is -4(%ebp) */
|
|
|
|
|
push $-1
|
|
|
|
|
|
|
|
|
|
/* Do the strlen operation, based on disassembly of minimal libc */
|
|
|
|
|
xor %eax, %eax /* EAX = 0, length count */
|
|
|
|
|
mov 0x8(%ebp), %edx /* EDX base of string */
|
|
|
|
|
|
|
|
|
|
/* This code might page fault */
|
|
|
|
|
strlen_loop:
|
2019-10-16 22:38:54 +02:00
|
|
|
z_x86_user_string_nlen_fault_start:
|
2018-06-22 23:29:57 +02:00
|
|
|
cmpb $0x0, (%edx, %eax, 1) /* *(EDX + EAX) == 0? Could fault. */
|
|
|
|
|
|
2019-10-16 22:38:54 +02:00
|
|
|
z_x86_user_string_nlen_fault_end:
|
2018-06-22 23:29:57 +02:00
|
|
|
je strlen_done
|
|
|
|
|
cmp 0xc(%ebp), %eax /* Max length reached? */
|
|
|
|
|
je strlen_done
|
|
|
|
|
inc %eax /* EAX++ and loop again */
|
|
|
|
|
jmp strlen_loop
|
|
|
|
|
|
|
|
|
|
strlen_done:
|
|
|
|
|
/* Set error value to 0 since we succeeded */
|
|
|
|
|
movl $0, -4(%ebp)
|
|
|
|
|
|
2019-10-16 22:38:54 +02:00
|
|
|
z_x86_user_string_nlen_fixup:
|
2018-06-22 23:29:57 +02:00
|
|
|
/* Write error value to err pointer parameter */
|
|
|
|
|
movl 0x10(%ebp), %ecx
|
|
|
|
|
pop %edx
|
|
|
|
|
movl %edx, (%ecx)
|
|
|
|
|
|
|
|
|
|
pop %ebp
|
|
|
|
|
ret
|
|
|
|
|
|
|
|
|
|
|
2019-03-14 16:20:46 +01:00
|
|
|
/* FUNC_NORETURN void z_x86_userspace_enter(k_thread_entry_t user_entry,
|
2017-08-30 23:06:30 +02:00
|
|
|
* void *p1, void *p2, void *p3,
|
2020-05-27 18:26:57 +02:00
|
|
|
* uint32_t stack_end,
|
|
|
|
|
* uint32_t stack_start)
|
2017-08-30 23:06:30 +02:00
|
|
|
*
|
|
|
|
|
* A one-way trip to userspace.
|
|
|
|
|
*/
|
2019-03-14 16:20:46 +01:00
|
|
|
SECTION_FUNC(TEXT, z_x86_userspace_enter)
|
2017-08-30 23:06:30 +02:00
|
|
|
pop %esi /* Discard return address on stack */
|
|
|
|
|
|
|
|
|
|
/* Fetch parameters on the stack */
|
|
|
|
|
pop %eax /* user_entry */
|
|
|
|
|
pop %edx /* p1 */
|
|
|
|
|
pop %ecx /* p2 */
|
|
|
|
|
pop %esi /* p3 */
|
|
|
|
|
pop %ebx /* stack_end (high address) */
|
|
|
|
|
pop %edi /* stack_start (low address) */
|
|
|
|
|
|
|
|
|
|
/* Move to the kernel stack for this thread, so we can erase the
|
|
|
|
|
* user stack. The kernel stack is the page immediately before
|
|
|
|
|
* the user stack.
|
|
|
|
|
*
|
|
|
|
|
* For security reasons, we must erase the entire user stack.
|
|
|
|
|
* We don't know what previous contexts it was used and do not
|
|
|
|
|
* want to leak any information.
|
|
|
|
|
*/
|
|
|
|
|
mov %edi, %esp
|
|
|
|
|
|
2020-10-20 22:28:50 +02:00
|
|
|
/* Erase and enable US bit in page tables for the stack buffer */
|
2017-08-30 23:06:30 +02:00
|
|
|
push %ecx
|
|
|
|
|
push %eax
|
2020-10-20 22:28:50 +02:00
|
|
|
push %edx
|
|
|
|
|
call z_x86_current_stack_perms
|
|
|
|
|
pop %edx
|
2017-08-30 23:06:30 +02:00
|
|
|
pop %eax
|
|
|
|
|
pop %ecx
|
|
|
|
|
|
2020-10-20 22:28:50 +02:00
|
|
|
/* Set stack pointer to the base of the freshly-erased user stack.
|
|
|
|
|
* Now that this is set we won't need EBX any more.
|
2017-08-30 23:06:30 +02:00
|
|
|
*/
|
|
|
|
|
mov %ebx, %esp
|
|
|
|
|
|
|
|
|
|
/* Set segment registers (except CS and SS which are done in
|
|
|
|
|
* a special way by 'iret' below)
|
|
|
|
|
*/
|
|
|
|
|
mov $USER_DATA_SEG, %bx
|
|
|
|
|
mov %bx, %ds
|
|
|
|
|
mov %bx, %es
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
/* Push arguments to z_thread_entry() */
|
2017-08-30 23:06:30 +02:00
|
|
|
push %esi /* p3 */
|
|
|
|
|
push %ecx /* p2 */
|
|
|
|
|
push %edx /* p1 */
|
|
|
|
|
push %eax /* user_entry */
|
|
|
|
|
/* NULL return address */
|
|
|
|
|
push $0
|
|
|
|
|
|
|
|
|
|
/* Save stack pointer at this position, this is where it will be
|
2019-03-08 22:19:05 +01:00
|
|
|
* when we land in z_thread_entry()
|
2017-08-30 23:06:30 +02:00
|
|
|
*/
|
|
|
|
|
mov %esp, %edi
|
|
|
|
|
|
|
|
|
|
/* Inter-privilege 'iret' pops all of these. Need to fake an interrupt
|
|
|
|
|
* return to enter user mode as far calls cannot change privilege
|
|
|
|
|
* level
|
|
|
|
|
*/
|
|
|
|
|
push $USER_DATA_SEG /* SS */
|
|
|
|
|
push %edi /* ESP */
|
|
|
|
|
pushfl /* EFLAGS */
|
|
|
|
|
push $USER_CODE_SEG /* CS */
|
2019-03-08 22:19:05 +01:00
|
|
|
push $z_thread_entry /* EIP */
|
2017-08-30 23:06:30 +02:00
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
/* We will land in z_thread_entry() in user mode after this */
|
2019-02-07 00:35:24 +01:00
|
|
|
KPTI_IRET_USER
|
