/*1* Copyright (c) 2000, 2001, 2002, 2003, 2004, 2005, 2008, 20092* The President and Fellows of Harvard College.3*4* Redistribution and use in source and binary forms, with or without5* modification, are permitted provided that the following conditions6* are met:7* 1. Redistributions of source code must retain the above copyright8* notice, this list of conditions and the following disclaimer.9* 2. Redistributions in binary form must reproduce the above copyright10* notice, this list of conditions and the following disclaimer in the11* documentation and/or other materials provided with the distribution.12* 3. Neither the name of the University nor the names of its contributors13* may be used to endorse or promote products derived from this software14* without specific prior written permission.15*16* THIS SOFTWARE IS PROVIDED BY THE UNIVERSITY AND CONTRIBUTORS ``AS IS'' AND17* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE18* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE19* ARE DISCLAIMED. IN NO EVENT SHALL THE UNIVERSITY OR CONTRIBUTORS BE LIABLE20* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL21* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS22* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)23* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT24* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY25* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF26* SUCH DAMAGE.27*/2829#include <types.h>30#include <kern/errno.h>31#include <lib.h>32#include <setjmp.h>33#include <thread.h>34#include <current.h>35#include <vm.h>36#include <copyinout.h>3738/*39* User/kernel memory copying functions.40*41* These are arranged to prevent fatal kernel memory faults if invalid42* addresses are supplied by user-level code. This code is itself43* machine-independent; it uses the machine-dependent C setjmp/longjmp44* facility to perform recovery.45*46* However, it assumes things about the memory subsystem that may not47* be true on all platforms.48*49* (1) It assumes that user memory is mapped into the current address50* space while running in the kernel, and can be accessed by just51* dereferencing a pointer in the ordinary way. (And not, for example,52* with special instructions or via special segment registers.)53*54* (2) It assumes that the user-space region of memory is contiguous55* and extends from 0 to some virtual address USERSPACETOP, and so if56* a user process passes a kernel address the logic in copycheck()57* will trap it.58*59* (3) It assumes that access to user memory from the kernel behaves60* the same way as access to user memory from user space: for61* instance, that the processor honors read-only bits on memory pages62* when in kernel mode.63*64* (4) It assumes that if a proper user-space address that is valid65* but not present, or not valid at all, is touched from the kernel,66* that the correct faults will occur and the VM system will load the67* necessary pages and whatnot.68*69* (5) It assumes that the machine-dependent trap logic provides and70* honors a tm_badfaultfunc field in the thread_machdep structure.71* This feature works as follows: if an otherwise fatal fault occurs72* in kernel mode, and tm_badfaultfunc is set, execution resumes in73* the function pointed to by tm_badfaultfunc.74*75* This code works by setting tm_badfaultfunc and then copying memory76* in an ordinary fashion. If these five assumptions are satisfied,77* which is the case for many ordinary CPU types, this code should78* function correctly. If the assumptions are not satisfied on some79* platform (for instance, certain old 80386 processors violate80* assumption 3), this code cannot be used, and cpu- or platform-81* specific code must be written.82*83* To make use of this code, in addition to tm_badfaultfunc the84* thread_machdep structure should contain a jmp_buf called85* "tm_copyjmp".86*/8788/*89* Recovery function. If a fatal fault occurs during copyin, copyout,90* copyinstr, or copyoutstr, execution resumes here. (This behavior is91* caused by setting t_machdep.tm_badfaultfunc and is implemented in92* machine-dependent code.)93*94* We use the C standard function longjmp() to teleport up the call95* stack to where setjmp() was called. At that point we return EFAULT.96*/97static98void99copyfail(void)100{101longjmp(curthread->t_machdep.tm_copyjmp, 1);102}103104/*105* Memory region check function. This checks to make sure the block of106* user memory provided (an address and a length) falls within the107* proper userspace region. If it does not, EFAULT is returned.108*109* stoplen is set to the actual maximum length that can be copied.110* This differs from len if and only if the region partially overlaps111* the kernel.112*113* Assumes userspace runs from 0 through USERSPACETOP-1.114*/115static116int117copycheck(const_userptr_t userptr, size_t len, size_t *stoplen)118{119vaddr_t bot, top;120121*stoplen = len;122123bot = (vaddr_t) userptr;124top = bot+len-1;125126if (top < bot) {127/* addresses wrapped around */128return EFAULT;129}130131if (bot >= USERSPACETOP) {132/* region is within the kernel */133return EFAULT;134}135136if (top >= USERSPACETOP) {137/* region overlaps the kernel. adjust the max length. */138*stoplen = USERSPACETOP - bot;139}140141return 0;142}143144/*145* copyin146*147* Copy a block of memory of length LEN from user-level address USERSRC148* to kernel address DEST. We can use memcpy because it's protected by149* the tm_badfaultfunc/copyfail logic.150*/151int152copyin(const_userptr_t usersrc, void *dest, size_t len)153{154int result;155size_t stoplen;156157result = copycheck(usersrc, len, &stoplen);158if (result) {159return result;160}161if (stoplen != len) {162/* Single block, can't legally truncate it. */163return EFAULT;164}165166curthread->t_machdep.tm_badfaultfunc = copyfail;167168result = setjmp(curthread->t_machdep.tm_copyjmp);169if (result) {170curthread->t_machdep.tm_badfaultfunc = NULL;171return EFAULT;172}173174memcpy(dest, (const void *)usersrc, len);175176curthread->t_machdep.tm_badfaultfunc = NULL;177return 0;178}179180/*181* copyout182*183* Copy a block of memory of length LEN from kernel address SRC to184* user-level address USERDEST. We can use memcpy because it's185* protected by the tm_badfaultfunc/copyfail logic.186*/187int188copyout(const void *src, userptr_t userdest, size_t len)189{190int result;191size_t stoplen;192193result = copycheck(userdest, len, &stoplen);194if (result) {195return result;196}197if (stoplen != len) {198/* Single block, can't legally truncate it. */199return EFAULT;200}201202curthread->t_machdep.tm_badfaultfunc = copyfail;203204result = setjmp(curthread->t_machdep.tm_copyjmp);205if (result) {206curthread->t_machdep.tm_badfaultfunc = NULL;207return EFAULT;208}209210memcpy((void *)userdest, src, len);211212curthread->t_machdep.tm_badfaultfunc = NULL;213return 0;214}215216/*217* Common string copying function that behaves the way that's desired218* for copyinstr and copyoutstr.219*220* Copies a null-terminated string of maximum length MAXLEN from SRC221* to DEST. If GOTLEN is not null, store the actual length found222* there. Both lengths include the null-terminator. If the string223* exceeds the available length, the call fails and returns224* ENAMETOOLONG.225*226* STOPLEN is like MAXLEN but is assumed to have come from copycheck.227* If we hit MAXLEN it's because the string is too long to fit; if we228* hit STOPLEN it's because the string has run into the end of229* userspace. Thus in the latter case we return EFAULT, not230* ENAMETOOLONG.231*/232static233int234copystr(char *dest, const char *src, size_t maxlen, size_t stoplen,235size_t *gotlen)236{237size_t i;238239for (i=0; i<maxlen && i<stoplen; i++) {240dest[i] = src[i];241if (src[i] == 0) {242if (gotlen != NULL) {243*gotlen = i+1;244}245return 0;246}247}248if (stoplen < maxlen) {249/* ran into user-kernel boundary */250return EFAULT;251}252/* otherwise just ran out of space */253return ENAMETOOLONG;254}255256/*257* copyinstr258*259* Copy a string from user-level address USERSRC to kernel address260* DEST, as per copystr above. Uses the tm_badfaultfunc/copyfail261* logic to protect against invalid addresses supplied by a user262* process.263*/264int265copyinstr(const_userptr_t usersrc, char *dest, size_t len, size_t *actual)266{267int result;268size_t stoplen;269270result = copycheck(usersrc, len, &stoplen);271if (result) {272return result;273}274275curthread->t_machdep.tm_badfaultfunc = copyfail;276277result = setjmp(curthread->t_machdep.tm_copyjmp);278if (result) {279curthread->t_machdep.tm_badfaultfunc = NULL;280return EFAULT;281}282283result = copystr(dest, (const char *)usersrc, len, stoplen, actual);284285curthread->t_machdep.tm_badfaultfunc = NULL;286return result;287}288289/*290* copyoutstr291*292* Copy a string from kernel address SRC to user-level address293* USERDEST, as per copystr above. Uses the tm_badfaultfunc/copyfail294* logic to protect against invalid addresses supplied by a user295* process.296*/297int298copyoutstr(const char *src, userptr_t userdest, size_t len, size_t *actual)299{300int result;301size_t stoplen;302303result = copycheck(userdest, len, &stoplen);304if (result) {305return result;306}307308curthread->t_machdep.tm_badfaultfunc = copyfail;309310result = setjmp(curthread->t_machdep.tm_copyjmp);311if (result) {312curthread->t_machdep.tm_badfaultfunc = NULL;313return EFAULT;314}315316result = copystr((char *)userdest, src, len, stoplen, actual);317318curthread->t_machdep.tm_badfaultfunc = NULL;319return result;320}321322323