2006-06-20 12:03:10 +02:00
|
|
|
/* The kernel call implemented in this file:
|
|
|
|
|
* m_type: SYS_SAFECOPYFROM or SYS_SAFECOPYTO
|
|
|
|
|
*
|
|
|
|
|
* The parameters for this kernel call are:
|
|
|
|
|
* SCP_FROM_TO other endpoint
|
|
|
|
|
* SCP_INFO encoded: caller's own src/dst segment
|
|
|
|
|
* SCP_GID grant id
|
|
|
|
|
* SCP_OFFSET offset within granted space
|
|
|
|
|
* SCP_ADDRESS address in own address space
|
|
|
|
|
* SCP_BYTES bytes to be copied
|
2006-06-23 13:54:03 +02:00
|
|
|
*
|
|
|
|
|
* For the vectored variant (do_vsafecopy):
|
|
|
|
|
* VSCP_VEC_ADDR address of vector
|
|
|
|
|
* VSCP_VEC_SIZE number of significant elements in vector
|
2006-06-20 12:03:10 +02:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "../system.h"
|
|
|
|
|
#include <minix/type.h>
|
|
|
|
|
#include <minix/safecopies.h>
|
|
|
|
|
|
|
|
|
|
#define MEM_TOP 0xFFFFFFFFUL
|
|
|
|
|
|
2006-06-23 13:54:03 +02:00
|
|
|
FORWARD _PROTOTYPE(int safecopy, (endpoint_t, endpoint_t, cp_grant_id_t, int, int, size_t, vir_bytes, vir_bytes, int));
|
|
|
|
|
|
2006-06-20 12:03:10 +02:00
|
|
|
/*===========================================================================*
|
|
|
|
|
* verify_grant *
|
|
|
|
|
*===========================================================================*/
|
|
|
|
|
PUBLIC int verify_grant(granter, grantee, grant, bytes, access,
|
|
|
|
|
offset_in, offset_result, e_granter)
|
|
|
|
|
endpoint_t granter, grantee; /* copyee, copyer */
|
|
|
|
|
cp_grant_id_t grant; /* grant id */
|
|
|
|
|
vir_bytes bytes; /* copy size */
|
|
|
|
|
int access; /* direction (read/write) */
|
|
|
|
|
vir_bytes offset_in; /* copy offset within grant */
|
|
|
|
|
vir_bytes *offset_result; /* copy offset within virtual address space */
|
|
|
|
|
endpoint_t *e_granter; /* new granter (magic grants) */
|
|
|
|
|
{
|
|
|
|
|
static cp_grant_t g;
|
|
|
|
|
static int proc_nr;
|
|
|
|
|
static struct proc *granter_proc;
|
|
|
|
|
static phys_bytes phys_grant;
|
|
|
|
|
|
|
|
|
|
/* Get granter process slot (if valid), and check range of
|
|
|
|
|
* grant id.
|
|
|
|
|
*/
|
|
|
|
|
if(!isokendpt(granter, &proc_nr) || !GRANT_VALID(grant)) {
|
|
|
|
|
kprintf("grant verify failed: invalid granter or grant\n");
|
|
|
|
|
return(EINVAL);
|
|
|
|
|
}
|
|
|
|
|
granter_proc = proc_addr(proc_nr);
|
|
|
|
|
|
|
|
|
|
/* If there is no priv. structure, or no grant table in the
|
|
|
|
|
* priv. structure, or the grant table in the priv. structure
|
|
|
|
|
* is too small for the grant,
|
|
|
|
|
*
|
|
|
|
|
* then there exists no such grant, so
|
|
|
|
|
*
|
|
|
|
|
* return EPERM.
|
|
|
|
|
*
|
|
|
|
|
* (Don't leak how big the grant table is by returning
|
|
|
|
|
* EINVAL for grant-out-of-range, in case this turns out to be
|
|
|
|
|
* interesting information.)
|
|
|
|
|
*/
|
|
|
|
|
if((granter_proc->p_rts_flags & NO_PRIV) || !(priv(granter_proc)) ||
|
|
|
|
|
priv(granter_proc)->s_grant_table < 1) {
|
|
|
|
|
kprintf("grant verify failed in ep %d proc %d: "
|
|
|
|
|
"no priv table, or no grant table\n",
|
|
|
|
|
granter, proc_nr);
|
|
|
|
|
return(EPERM);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(priv(granter_proc)->s_grant_entries <= grant) {
|
|
|
|
|
kprintf("grant verify failed in ep %d proc %d: "
|
|
|
|
|
"grant %d out of range for table size %d\n",
|
|
|
|
|
granter, proc_nr, grant, priv(granter_proc)->s_grant_entries);
|
|
|
|
|
return(EPERM);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Copy the grant entry corresponding to this id to see what it
|
|
|
|
|
* looks like. If it fails, hide the fact that granter has
|
|
|
|
|
* (presumably) set an invalid grant table entry by returning
|
|
|
|
|
* EPERM, just like with an invalid grant id.
|
|
|
|
|
*/
|
|
|
|
|
if(!(phys_grant = umap_local(granter_proc, D,
|
|
|
|
|
priv(granter_proc)->s_grant_table + sizeof(g)*grant, sizeof(g)))) {
|
|
|
|
|
kprintf("grant verify failed: umap failed\n");
|
|
|
|
|
return EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
phys_copy(phys_grant, vir2phys(&g), sizeof(g));
|
|
|
|
|
|
|
|
|
|
/* Check validity. */
|
|
|
|
|
if(!(g.cp_flags & CPF_USED)) {
|
|
|
|
|
kprintf("grant verify failed: invalid\n");
|
|
|
|
|
return EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Check access of grant. */
|
|
|
|
|
if(((g.cp_flags & access) != access)) {
|
|
|
|
|
kprintf("grant verify failed: access invalid; want %x, have %x\n",
|
|
|
|
|
access, g.cp_flags);
|
|
|
|
|
return EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if((g.cp_flags & CPF_DIRECT)) {
|
|
|
|
|
/* Don't fiddle around with grants that wrap, arithmetic
|
|
|
|
|
* below may be confused.
|
|
|
|
|
*/
|
|
|
|
|
if(MEM_TOP - g.cp_u.cp_direct.cp_len <
|
|
|
|
|
g.cp_u.cp_direct.cp_start - 1) {
|
|
|
|
|
kprintf("direct grant verify failed: len too long\n");
|
|
|
|
|
return EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Verify actual grantee. */
|
|
|
|
|
if(g.cp_u.cp_direct.cp_who_to != grantee && grantee != ANY) {
|
|
|
|
|
kprintf("direct grant verify failed: bad grantee\n");
|
|
|
|
|
return EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Verify actual copy range. */
|
|
|
|
|
if((offset_in+bytes < offset_in) ||
|
|
|
|
|
offset_in+bytes > g.cp_u.cp_direct.cp_len) {
|
|
|
|
|
kprintf("direct grant verify failed: bad size or range. "
|
|
|
|
|
"granted %d bytes @ 0x%lx; wanted %d bytes @ 0x%lx\n",
|
|
|
|
|
g.cp_u.cp_direct.cp_len, g.cp_u.cp_direct.cp_start,
|
|
|
|
|
bytes, offset_in);
|
|
|
|
|
return EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Verify successful - tell caller what address it is. */
|
|
|
|
|
*offset_result = g.cp_u.cp_direct.cp_start + offset_in;
|
|
|
|
|
*e_granter = granter;
|
|
|
|
|
} else if(g.cp_flags & CPF_MAGIC) {
|
|
|
|
|
/* Currently, it is hardcoded that only FS may do
|
|
|
|
|
* magic grants.
|
|
|
|
|
*/
|
|
|
|
|
if(granter != FS_PROC_NR) {
|
|
|
|
|
kprintf("magic grant verify failed: granter (%d) "
|
|
|
|
|
"is not FS (%d)\n", granter, FS_PROC_NR);
|
|
|
|
|
return EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Don't fiddle around with grants that wrap, arithmetic
|
|
|
|
|
* below may be confused.
|
|
|
|
|
*/
|
|
|
|
|
if(MEM_TOP - g.cp_u.cp_magic.cp_len <
|
|
|
|
|
g.cp_u.cp_magic.cp_start - 1) {
|
|
|
|
|
kprintf("magic grant verify failed: len too long\n");
|
|
|
|
|
return EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Verify actual grantee. */
|
|
|
|
|
if(g.cp_u.cp_magic.cp_who_to != grantee && grantee != ANY) {
|
|
|
|
|
kprintf("magic grant verify failed: bad grantee\n");
|
|
|
|
|
return EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Verify actual copy range. */
|
|
|
|
|
if((offset_in+bytes < offset_in) ||
|
|
|
|
|
offset_in+bytes > g.cp_u.cp_magic.cp_len) {
|
|
|
|
|
kprintf("magic grant verify failed: bad size or range. "
|
|
|
|
|
"granted %d bytes @ 0x%lx; wanted %d bytes @ 0x%lx\n",
|
|
|
|
|
g.cp_u.cp_magic.cp_len, g.cp_u.cp_magic.cp_start,
|
|
|
|
|
bytes, offset_in);
|
|
|
|
|
return EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Verify successful - tell caller what address it is. */
|
|
|
|
|
*offset_result = g.cp_u.cp_magic.cp_start + offset_in;
|
|
|
|
|
*e_granter = g.cp_u.cp_magic.cp_who_from;
|
|
|
|
|
} else {
|
|
|
|
|
kprintf("grant verify failed: unknown grant type\n");
|
|
|
|
|
return EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*===========================================================================*
|
2006-06-23 13:54:03 +02:00
|
|
|
* safecopy *
|
2006-06-20 12:03:10 +02:00
|
|
|
*===========================================================================*/
|
2006-06-23 13:54:03 +02:00
|
|
|
PRIVATE int safecopy(granter, grantee, grantid, src_seg, dst_seg, bytes,
|
|
|
|
|
g_offset, addr, access)
|
|
|
|
|
endpoint_t granter, grantee;
|
|
|
|
|
cp_grant_id_t grantid;
|
|
|
|
|
int src_seg, dst_seg;
|
|
|
|
|
size_t bytes;
|
|
|
|
|
vir_bytes g_offset, addr;
|
|
|
|
|
int access; /* CPF_READ for a copy from granter to grantee, CPF_WRITE
|
|
|
|
|
* for a copy from grantee to granter.
|
|
|
|
|
*/
|
2006-06-20 12:03:10 +02:00
|
|
|
{
|
|
|
|
|
static struct vir_addr v_src, v_dst;
|
2006-06-23 13:54:03 +02:00
|
|
|
static vir_bytes v_offset;
|
|
|
|
|
int r;
|
|
|
|
|
endpoint_t new_granter, *src, *dst;
|
2006-06-20 12:03:10 +02:00
|
|
|
|
2006-06-23 13:54:03 +02:00
|
|
|
/* Decide who is src and who is dst. */
|
|
|
|
|
if(access & CPF_READ) {
|
2006-06-20 12:03:10 +02:00
|
|
|
src = &granter;
|
|
|
|
|
dst = &grantee;
|
2006-06-23 13:54:03 +02:00
|
|
|
} else {
|
2006-06-20 12:03:10 +02:00
|
|
|
src = &grantee;
|
|
|
|
|
dst = &granter;
|
2006-06-23 13:54:03 +02:00
|
|
|
}
|
2006-06-20 12:03:10 +02:00
|
|
|
|
|
|
|
|
/* Verify permission exists. */
|
2006-06-23 13:54:03 +02:00
|
|
|
if((r=verify_grant(granter, grantee, grantid, bytes, access,
|
|
|
|
|
g_offset, &v_offset, &new_granter)) != OK) {
|
2006-06-20 12:03:10 +02:00
|
|
|
kprintf("grant %d verify to copy %d->%d by %d failed: err %d\n",
|
2006-06-23 13:54:03 +02:00
|
|
|
grantid, *src, *dst, grantee, r);
|
2006-06-20 12:03:10 +02:00
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* verify_grant() can redirect the grantee to someone else,
|
|
|
|
|
* meaning the source or destination changes.
|
|
|
|
|
*/
|
|
|
|
|
granter = new_granter;
|
|
|
|
|
|
|
|
|
|
/* Now it's a regular copy. */
|
|
|
|
|
v_src.segment = src_seg;
|
|
|
|
|
v_dst.segment = dst_seg;
|
|
|
|
|
v_src.proc_nr_e = *src;
|
|
|
|
|
v_dst.proc_nr_e = *dst;
|
|
|
|
|
|
|
|
|
|
/* Now the offset in virtual addressing is known in 'offset'.
|
2006-06-23 13:54:03 +02:00
|
|
|
* Depending on the access, this is the source or destination
|
2006-06-20 12:03:10 +02:00
|
|
|
* address.
|
|
|
|
|
*/
|
2006-06-23 13:54:03 +02:00
|
|
|
if(access & CPF_READ) {
|
|
|
|
|
v_src.offset = v_offset;
|
|
|
|
|
v_dst.offset = (vir_bytes) addr;
|
2006-06-20 12:03:10 +02:00
|
|
|
} else {
|
2006-06-23 13:54:03 +02:00
|
|
|
v_src.offset = (vir_bytes) addr;
|
|
|
|
|
v_dst.offset = v_offset;
|
2006-06-20 12:03:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Do the regular copy. */
|
|
|
|
|
return virtual_copy(&v_src, &v_dst, bytes);
|
2006-06-23 13:54:03 +02:00
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*===========================================================================*
|
|
|
|
|
* do_safecopy *
|
|
|
|
|
*===========================================================================*/
|
|
|
|
|
PUBLIC int do_safecopy(m_ptr)
|
|
|
|
|
register message *m_ptr; /* pointer to request message */
|
|
|
|
|
{
|
|
|
|
|
static endpoint_t new_granter;
|
|
|
|
|
static int access, src_seg, dst_seg;
|
|
|
|
|
|
|
|
|
|
/* Set src and dst parameters.
|
|
|
|
|
* The caller's seg is encoded in the SCP_INFO field.
|
|
|
|
|
*/
|
|
|
|
|
if(sys_call_code == SYS_SAFECOPYFROM) {
|
|
|
|
|
src_seg = D;
|
|
|
|
|
dst_seg = SCP_INFO2SEG(m_ptr->SCP_INFO);
|
|
|
|
|
access = CPF_READ;
|
|
|
|
|
} else if(sys_call_code == SYS_SAFECOPYTO) {
|
|
|
|
|
src_seg = SCP_INFO2SEG(m_ptr->SCP_INFO);
|
|
|
|
|
dst_seg = D;
|
|
|
|
|
access = CPF_WRITE;
|
|
|
|
|
} else panic("Impossible system call nr. ", sys_call_code);
|
|
|
|
|
|
|
|
|
|
return safecopy(m_ptr->SCP_FROM_TO, who_e, m_ptr->SCP_GID,
|
|
|
|
|
src_seg, dst_seg, m_ptr->SCP_BYTES, m_ptr->SCP_OFFSET,
|
|
|
|
|
(vir_bytes) m_ptr->SCP_ADDRESS, access);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*===========================================================================*
|
|
|
|
|
* do_vsafecopy *
|
|
|
|
|
*===========================================================================*/
|
|
|
|
|
PUBLIC int do_vsafecopy(m_ptr)
|
|
|
|
|
register message *m_ptr; /* pointer to request message */
|
|
|
|
|
{
|
|
|
|
|
static struct vscp_vec vec[SCPVEC_NR];
|
|
|
|
|
static struct vir_addr src, dst;
|
|
|
|
|
int r, i, els;
|
|
|
|
|
|
|
|
|
|
/* Set vector copy parameters. */
|
|
|
|
|
src.proc_nr_e = who_e;
|
|
|
|
|
src.offset = (vir_bytes) m_ptr->VSCP_VEC_ADDR;
|
|
|
|
|
src.segment = dst.segment = D;
|
|
|
|
|
dst.proc_nr_e = SYSTEM;
|
|
|
|
|
dst.offset = (vir_bytes) vec;
|
|
|
|
|
|
|
|
|
|
/* No. of vector elements. */
|
|
|
|
|
els = m_ptr->VSCP_VEC_SIZE;
|
|
|
|
|
|
|
|
|
|
/* Obtain vector of copies. */
|
|
|
|
|
if((r=virtual_copy(&src, &dst, els * sizeof(struct vscp_vec))) != OK)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
/* Perform safecopies. */
|
|
|
|
|
for(i = 0; i < els; i++) {
|
|
|
|
|
int access;
|
|
|
|
|
endpoint_t granter;
|
|
|
|
|
if(vec[i].v_from == SELF) {
|
|
|
|
|
access = CPF_WRITE;
|
|
|
|
|
granter = vec[i].v_to;
|
|
|
|
|
} else if(vec[i].v_to == SELF) {
|
|
|
|
|
access = CPF_READ;
|
|
|
|
|
granter = vec[i].v_from;
|
|
|
|
|
} else {
|
|
|
|
|
kprintf("vsafecopy: %d: element %d/%d: no SELF found\n",
|
|
|
|
|
who_e, i, els);
|
|
|
|
|
return EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Do safecopy for this element. */
|
|
|
|
|
if((r=safecopy(granter, who_e, vec[i].v_gid, D, D,
|
|
|
|
|
vec[i].v_bytes, vec[i].v_offset,
|
|
|
|
|
vec[i].v_addr, access)) != OK) {
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return OK;
|
2006-06-20 12:03:10 +02:00
|
|
|
}
|
|
|
|
|
|
