4378a7d4be
To minimize the risk of userspace-controlled values being used under speculation, this patch adds pt_regs based syscall wrappers for arm64, which pass the minimum set of required userspace values to syscall implementations. For each syscall, a wrapper which takes a pt_regs argument is automatically generated, and this extracts the arguments before calling the "real" syscall implementation. Each syscall has three functions generated: * __do_<compat_>sys_<name> is the "real" syscall implementation, with the expected prototype. * __se_<compat_>sys_<name> is the sign-extension/narrowing wrapper, inherited from common code. This takes a series of long parameters, casting each to the requisite types required by the "real" syscall implementation in __do_<compat_>sys_<name>. This wrapper *may* not be necessary on arm64 given the AAPCS rules on unused register bits, but it seemed safer to keep the wrapper for now. * __arm64_<compat_>_sys_<name> takes a struct pt_regs pointer, and extracts *only* the relevant register values, passing these on to the __se_<compat_>sys_<name> wrapper. The syscall invocation code is updated to handle the calling convention required by __arm64_<compat_>_sys_<name>, and passes a single struct pt_regs pointer. The compiler can fold the syscall implementation and its wrappers, such that the overhead of this approach is minimized. Note that we play games with sys_ni_syscall(). It can't be defined with SYSCALL_DEFINE0() because we must avoid the possibility of error injection. Additionally, there are a couple of locations where we need to call it from C code, and we don't (currently) have a ksys_ni_syscall(). While it has no wrapper, passing in a redundant pt_regs pointer is benign per the AAPCS. When ARCH_HAS_SYSCALL_WRAPPER is selected, no prototype is defines for sys_ni_syscall(). Since we need to treat it differently for in-kernel calls and the syscall tables, the prototype is defined as-required. The wrappers are largely the same as their x86 counterparts, but simplified as we don't have a variety of compat calling conventions that require separate stubs. Unlike x86, we have some zero-argument compat syscalls, and must define COMPAT_SYSCALL_DEFINE0() to ensure that these are also given an __arm64_compat_sys_ prefix. Signed-off-by: Mark Rutland <mark.rutland@arm.com> Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net> Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Will Deacon <will.deacon@arm.com>
129 lines
3.0 KiB
C
129 lines
3.0 KiB
C
/*
|
|
* Copyright (C) 2012 ARM Ltd.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
#ifndef __ASM_SYSCALL_H
|
|
#define __ASM_SYSCALL_H
|
|
|
|
#include <uapi/linux/audit.h>
|
|
#include <linux/compat.h>
|
|
#include <linux/err.h>
|
|
|
|
typedef long (*syscall_fn_t)(struct pt_regs *regs);
|
|
|
|
extern const syscall_fn_t sys_call_table[];
|
|
|
|
#ifdef CONFIG_COMPAT
|
|
extern const syscall_fn_t compat_sys_call_table[];
|
|
#endif
|
|
|
|
static inline int syscall_get_nr(struct task_struct *task,
|
|
struct pt_regs *regs)
|
|
{
|
|
return regs->syscallno;
|
|
}
|
|
|
|
static inline void syscall_rollback(struct task_struct *task,
|
|
struct pt_regs *regs)
|
|
{
|
|
regs->regs[0] = regs->orig_x0;
|
|
}
|
|
|
|
|
|
static inline long syscall_get_error(struct task_struct *task,
|
|
struct pt_regs *regs)
|
|
{
|
|
unsigned long error = regs->regs[0];
|
|
return IS_ERR_VALUE(error) ? error : 0;
|
|
}
|
|
|
|
static inline long syscall_get_return_value(struct task_struct *task,
|
|
struct pt_regs *regs)
|
|
{
|
|
return regs->regs[0];
|
|
}
|
|
|
|
static inline void syscall_set_return_value(struct task_struct *task,
|
|
struct pt_regs *regs,
|
|
int error, long val)
|
|
{
|
|
regs->regs[0] = (long) error ? error : val;
|
|
}
|
|
|
|
#define SYSCALL_MAX_ARGS 6
|
|
|
|
static inline void syscall_get_arguments(struct task_struct *task,
|
|
struct pt_regs *regs,
|
|
unsigned int i, unsigned int n,
|
|
unsigned long *args)
|
|
{
|
|
if (n == 0)
|
|
return;
|
|
|
|
if (i + n > SYSCALL_MAX_ARGS) {
|
|
unsigned long *args_bad = args + SYSCALL_MAX_ARGS - i;
|
|
unsigned int n_bad = n + i - SYSCALL_MAX_ARGS;
|
|
pr_warning("%s called with max args %d, handling only %d\n",
|
|
__func__, i + n, SYSCALL_MAX_ARGS);
|
|
memset(args_bad, 0, n_bad * sizeof(args[0]));
|
|
}
|
|
|
|
if (i == 0) {
|
|
args[0] = regs->orig_x0;
|
|
args++;
|
|
i++;
|
|
n--;
|
|
}
|
|
|
|
memcpy(args, ®s->regs[i], n * sizeof(args[0]));
|
|
}
|
|
|
|
static inline void syscall_set_arguments(struct task_struct *task,
|
|
struct pt_regs *regs,
|
|
unsigned int i, unsigned int n,
|
|
const unsigned long *args)
|
|
{
|
|
if (n == 0)
|
|
return;
|
|
|
|
if (i + n > SYSCALL_MAX_ARGS) {
|
|
pr_warning("%s called with max args %d, handling only %d\n",
|
|
__func__, i + n, SYSCALL_MAX_ARGS);
|
|
n = SYSCALL_MAX_ARGS - i;
|
|
}
|
|
|
|
if (i == 0) {
|
|
regs->orig_x0 = args[0];
|
|
args++;
|
|
i++;
|
|
n--;
|
|
}
|
|
|
|
memcpy(®s->regs[i], args, n * sizeof(args[0]));
|
|
}
|
|
|
|
/*
|
|
* We don't care about endianness (__AUDIT_ARCH_LE bit) here because
|
|
* AArch64 has the same system calls both on little- and big- endian.
|
|
*/
|
|
static inline int syscall_get_arch(void)
|
|
{
|
|
if (is_compat_task())
|
|
return AUDIT_ARCH_ARM;
|
|
|
|
return AUDIT_ARCH_AARCH64;
|
|
}
|
|
|
|
#endif /* __ASM_SYSCALL_H */
|