Audit explicit bounds enforcement for mbufs. #1980

Open
wants to merge 7 commits into
base: dev
from

Commits on Feb 15, 2024

  1. Add KASSERT_SUBOBJECT_BOUNDS to check compiler-generated bounds.

    Asserts that the length of a capability matches the expected length.
    qwattash committed Feb 15, 2024
    1ba2d16
  2. Rely on the compiler to produce sub-object bounds for mbuf m_pktdat.

    When the mbuf m_data is set to m_pktdat, we rely on sub-object bounds to ensure
    that the resulting capability has length == MHLEN. The pure-capability kernel
    without sub-object bounds will ignore these cases.
    qwattash committed Feb 15, 2024
    11dd8eb
  3. Rely on compiler sub-object bounds for mbuf m_dat bounds.

    When mbuf m_data is set to m_dat, rely on the compiler-generated sub-object
    bounds to ensure that the resulting capability has length == MLEN.
    The pure-capability kernel without sub-object bounds will ignore these cases.
    qwattash committed Feb 15, 2024
    460a55d
  4. Use the PHYS_TO_DMAP_LEN macro in uipc_mbuf.

    Use the PHYS_TO_DMAP_LEN macro in m_apply_extpg_one() instead of explicitly
    setting bounds on the direct map capability.
    qwattash committed Feb 15, 2024
    6cb61fd
  5. Audit exact bounds for mbuf m_ext.ext_buf.

    In most cases, it is not possible to ensure exact bounds for m_ext.
    qwattash committed Feb 15, 2024
    7668396
  6. Fix mbuf m_dat sub-object bounds opt-out annotation.

    This is required by the compiler for now.
    qwattash committed Feb 15, 2024
    04ed233
  7. Add counter and associated sysctl to detect imprecise mbuf buffers.

    The sysctl security.cheri.mbuf_imprecise_extbuf counts the number of times a
    non-representable capability is used as the buffer for an mbuf.m_ext.ext_buf.
    qwattash committed Feb 15, 2024
    b1602b6