/*
* When new threads are forked, by default simply replicate the parent
* thread's CHERI-related signal-handling state.
*
* XXXRW: Is this, in fact, the right thing?
*/
void
cheri_signal_copy(struct pcb *dst, struct pcb *src)
{
cheri_memcpy(&dst->pcb_cherisignal, &src->pcb_cherisignal,
sizeof(dst->pcb_cherisignal));
}
void
cheri_context_copy(struct pcb *dst, struct pcb *src)
{
cheri_memcpy(&dst->pcb_cheriframe, &src->pcb_cheriframe,
sizeof(dst->pcb_cheriframe));
}
static int
cheriabi_set_mcontext(struct thread *td, mcontext_c_t *mcp)
{
struct trapframe *tp;
if (mcp->mc_regs[0] != UCONTEXT_MAGIC) {
printf("mcp->mc_regs[0] != UCONTEXT_MAGIC\n");
return (EINVAL);
}
cheri_memcpy(&td->td_pcb->pcb_cheriframe, &mcp->mc_cheriframe,
sizeof(td->td_pcb->pcb_cheriframe));
tp = td->td_frame;
bcopy((void *)&mcp->mc_regs, (void *)&td->td_frame->zero,
sizeof(mcp->mc_regs));
td->td_md.md_flags = mcp->mc_fpused & MDTD_FPUSED;
if (mcp->mc_fpused)
bcopy((void *)&mcp->mc_fpregs, (void *)&td->td_frame->f0,
sizeof(mcp->mc_fpregs));
td->td_frame->pc = mcp->mc_pc;
td->td_frame->mullo = mcp->mullo;
td->td_frame->mulhi = mcp->mulhi;
#if 0
/* XXX-BD: what actually makes sense here? */
td->td_md.md_tls = mcp->mc_tls;
#endif
/* Dont let user to set any bits in status and cause registers. */
return (0);
}
/*
* On fork(), we exactly reproduce the current thread's CHERI call stack in
* the child, as the address space is exactly reproduced.
*
* XXXRW: Is this the right thing?
*/
void
cheri_stack_copy(struct pcb *pcb2, struct pcb *pcb1)
{
cheri_memcpy(&pcb2->pcb_cheristack, &pcb1->pcb_cheristack,
sizeof(pcb2->pcb_cheristack));
}
static void
cheriabi_sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask)
{
struct proc *p;
struct thread *td;
struct trapframe *regs;
struct cheri_frame *capreg;
struct sigacts *psp;
struct sigframe_c sf, *sfp;
vm_offset_t sp;
int cheri_is_sandboxed;
int sig;
int oonstack;
td = curthread;
p = td->td_proc;
PROC_LOCK_ASSERT(p, MA_OWNED);
sig = ksi->ksi_signo;
psp = p->p_sigacts;
mtx_assert(&psp->ps_mtx, MA_OWNED);
regs = td->td_frame;
capreg = &td->td_pcb->pcb_cheriframe;
oonstack = sigonstack(regs->sp);
/*
* CHERI affects signal delivery in the following ways:
*
* (1) Additional capability-coprocessor state is exposed via
* extensions to the context frame placed on the stack.
*
* (2) If the user $pcc doesn't include CHERI_PERM_SYSCALL, then we
* consider user state to be 'sandboxed' and therefore to require
* special delivery handling which includes a domain-switch to the
* thread's context-switch domain. (This is done by
* cheri_sendsig()).
*
* (3) If an alternative signal stack is not defined, and we are in a
* 'sandboxed' state, then we have two choices: (a) if the signal
* is of type SA_SANDBOX_UNWIND, we will automatically unwind the
* trusted stack by one frame; (b) otherwise, we will terminate
* the process unconditionally.
*/
cheri_is_sandboxed = cheri_signal_sandboxed(td);
/*
* We provide the ability to drop into the sandbox in two different
* circumstances: (1) if the code running is sandboxed; and (2) if the
* fault is a CHERI protection fault. Handle both here for the
* non-unwind case. Do this before we rewrite any general-purpose or
* capability register state for the thread.
*/
#if DDB
if (cheri_is_sandboxed && security_cheri_debugger_on_sandbox_signal)
kdb_enter(KDB_WHY_CHERI, "Signal delivery to CHERI sandbox");
else if (sig == SIGPROT && security_cheri_debugger_on_sigprot)
kdb_enter(KDB_WHY_CHERI,
"SIGPROT delivered outside sandbox");
#endif
/*
* If a thread is running sandboxed, we can't rely on $sp which may
* not point at a valid stack in the ambient context, or even be
* maliciously manipulated. We must therefore always use the
* alternative stack. We are also therefore unable to tell whether we
* are on the alternative stack, so must clear 'oonstack' here.
*
* XXXRW: This requires significant further thinking; however, the net
* upshot is that it is not a good idea to do an object-capability
* invoke() from a signal handler, as with so many other things in
* life.
*/
if (cheri_is_sandboxed != 0)
oonstack = 0;
/* save user context */
bzero(&sf, sizeof(struct sigframe));
sf.sf_uc.uc_sigmask = *mask;
#if 0
/*
* XXX-BD: stack_t type differs and we can't just fake a capabilty.
* We don't restore the value so what purpose does it serve?
*/
sf.sf_uc.uc_stack = td->td_sigstk;
#endif
sf.sf_uc.uc_mcontext.mc_onstack = (oonstack) ? 1 : 0;
sf.sf_uc.uc_mcontext.mc_pc = regs->pc;
sf.sf_uc.uc_mcontext.mullo = regs->mullo;
sf.sf_uc.uc_mcontext.mulhi = regs->mulhi;
#if 0
/* XXX-BD: what actually makes sense here? */
sf.sf_uc.uc_mcontext.mc_tls = td->td_md.md_tls;
#endif
sf.sf_uc.uc_mcontext.mc_regs[0] = UCONTEXT_MAGIC; /* magic number */
bcopy((void *)®s->ast, (void *)&sf.sf_uc.uc_mcontext.mc_regs[1],
sizeof(sf.sf_uc.uc_mcontext.mc_regs) - sizeof(register_t));
sf.sf_uc.uc_mcontext.mc_fpused = td->td_md.md_flags & MDTD_FPUSED;
if (sf.sf_uc.uc_mcontext.mc_fpused) {
/* if FPU has current state, save it first */
if (td == PCPU_GET(fpcurthread))
MipsSaveCurFPState(td);
bcopy((void *)&td->td_frame->f0,
(void *)sf.sf_uc.uc_mcontext.mc_fpregs,
sizeof(sf.sf_uc.uc_mcontext.mc_fpregs));
}
/* XXXRW: sf.sf_uc.uc_mcontext.sr seems never to be set? */
sf.sf_uc.uc_mcontext.cause = regs->cause;
cheri_memcpy(&sf.sf_uc.uc_mcontext.mc_cheriframe,
&td->td_pcb->pcb_cheriframe,
sizeof(struct cheri_frame));
/* Allocate and validate space for the signal handler context. */
if ((td->td_pflags & TDP_ALTSTACK) != 0 && !oonstack &&
SIGISMEMBER(psp->ps_sigonstack, sig)) {
sp = (vm_offset_t)(td->td_sigstk.ss_sp +
td->td_sigstk.ss_size);
} else {
/*
* Signals delivered when a CHERI sandbox is present must be
* delivered on the alternative stack rather than a local one.
* If an alternative stack isn't present, then terminate or
* risk leaking capabilities (and control) to the sandbox (or
* just crashing the sandbox).
*/
if (cheri_is_sandboxed) {
mtx_unlock(&psp->ps_mtx);
printf("pid %d, tid %d: signal in sandbox without "
"alternative stack defined\n", td->td_proc->p_pid,
td->td_tid);
sigexit(td, SIGILL);
/* NOTREACHED */
}
sp = (vm_offset_t)regs->sp;
}
sp -= sizeof(struct sigframe_c);
/* For CHERI, keep the stack pointer capability aligned. */
sp &= ~(CHERICAP_SIZE - 1);
sfp = (void *)sp;
/* Build the argument list for the signal handler. */
regs->a0 = sig;
if (SIGISMEMBER(psp->ps_siginfo, sig)) {
/* Signal handler installed with SA_SIGINFO. */
cheri_capability_set(&capreg->cf_c3, CHERI_CAP_USER_DATA_PERMS,
CHERI_CAP_USER_DATA_OTYPE, (void *)(intptr_t)&sfp->sf_si,
sizeof(sfp->sf_si), 0);
cheri_capability_set(&capreg->cf_c4, CHERI_CAP_USER_DATA_PERMS,
CHERI_CAP_USER_DATA_OTYPE, (void *)(intptr_t)&sfp->sf_uc,
sizeof(sfp->sf_uc), 0);
/* sf.sf_ahu.sf_action = (__siginfohandler_t *)catcher; */
/* fill siginfo structure */
sf.sf_si.si_signo = sig;
sf.sf_si.si_code = ksi->ksi_code;
/*
* Write out badvaddr, but don't create a valid capability
* since that might allow privlege amplification.
*
* XXX-BD: This probably isn't the right method.
* XXX-BD: Do we want to set base or offset?
*/
*((uintptr_t *)&sf.sf_si.si_addr) =
(uintptr_t)(void *)regs->badvaddr;
}
/*
* XXX: No support for undocumented arguments to old style handlers.
*/
mtx_unlock(&psp->ps_mtx);
PROC_UNLOCK(p);
/*
* Copy the sigframe out to the user's stack.
*/
if (copyoutcap(&sf, sfp, sizeof(sf)) != 0) {
/*
* Something is wrong with the stack pointer.
* ...Kill the process.
*/
PROC_LOCK(p);
sigexit(td, SIGILL);
/* NOTREACHED */
}
/*
* Install CHERI signal-delivery register state for handler to run
* in. As we don't install this in the CHERI frame on the user stack,
* it will be (generally) be removed automatically on sigreturn().
*/
/* XXX-BD: this isn't quite right */
cheri_sendsig(td);
regs->pc = (register_t)(intptr_t)catcher;
regs->sp = (register_t)(intptr_t)sfp;
cheri_capability_copy(&capreg->cf_c12, &psp->ps_sigcap[_SIG_IDX(sig)]);
cheri_capability_copy(&capreg->cf_c17,
&td->td_pcb->pcb_cherisignal.csig_sigcode);
PROC_LOCK(p);
mtx_lock(&psp->ps_mtx);
}