caprevoke: Avoid crashing if the revoker encounters a kernel capability
Kernel bugs, especially in ioctl handlers, can lead to a kernel capability being
leaked to userspace.  When the revoker encounters such a capability it ends up
accessing memory beyond the end of the bitmap, which may trigger a panic, e.g.,
if the vm_cheri_revoke_tlb_fault() fault handler is invoked in FAST_COPYIN mode.

Such bugs ought to be fixed, of course, but panicking the system is not really
desirable, especially since the resulting crash dump doesn't help much in
determining how the capability was leaked in the first place.

Explicitly check for out-of-bounds capabilities before accessing the shadow
bitmap and print a warning to the console instead.
markjdb committed Feb 6, 2025
1 parent 8e84bc4 commit 08f323e
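To make the failure the commit message describes concrete, here is an added user-space model of the nomap shadow-bitmap lookup. It is not CheriBSD's code and not the commit author's: a capability's base is divided by the granule size and then by eight to get a byte offset from `crshadow`, so a base at or above the user limit indexes far past the end of the bitmap. The model keeps the arithmetic of the `crshadow + (va / VM_CHERI_REVOKE_GSZ_MEM_NOMAP / 8)` line but uses assumed, scaled-down constants (a 1 MiB user space, 16-byte granules) and plain integers in place of capabilities; the map-side bitmap in the other hunk uses the same index arithmetic in the opposite direction, so the same guard applies there. The `model_` names and the warning counter are this example's own.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed model constants, scaled down from the kernel's: a 1 MiB "user"
 * address space and one shadow bit per 16-byte granule. The kernel's real
 * VM_MAX_USER_ADDRESS and VM_CHERI_REVOKE_GSZ_MEM_NOMAP are larger.
 */
#define MODEL_MAX_USER_ADDRESS	((uint64_t)1 << 20)
#define MODEL_GSZ_MEM_NOMAP	16u
#define MODEL_SHADOW_BYTES	(MODEL_MAX_USER_ADDRESS / MODEL_GSZ_MEM_NOMAP / 8)

/* The nomap shadow bitmap: bit g set means granule g has been revoked. */
static uint8_t model_shadow[MODEL_SHADOW_BYTES];

/* Number of "kernel capability leaked" warnings printed so far. */
static unsigned model_leak_count;

/* Byte offset the revoker adds to crshadow: base / GSZ / 8. */
uint64_t model_shadow_byte(uint64_t va)
{
	return va / MODEL_GSZ_MEM_NOMAP / 8;
}

/* Bit within that byte for the granule containing va. */
static unsigned model_shadow_bit(uint64_t va)
{
	return (unsigned)((va / MODEL_GSZ_MEM_NOMAP) % 8);
}

/*
 * True when an unchecked lookup for this base would read past the end of
 * the bitmap, which is what happens for a leaked kernel capability.
 */
bool model_lookup_overruns(uint64_t va)
{
	return model_shadow_byte(va) >= MODEL_SHADOW_BYTES;
}

/* Mark the granule containing va revoked; refuses non-user addresses. */
bool model_shadow_mark(uint64_t va)
{
	if (va >= MODEL_MAX_USER_ADDRESS)
		return false;
	model_shadow[model_shadow_byte(va)] |= (uint8_t)(1u << model_shadow_bit(va));
	return true;
}

unsigned model_leak_warnings(void)
{
	return model_leak_count;
}

/*
 * Mirrors the fixed vm_cheri_revoke_test_mem_nomap(): a base at or beyond
 * the user limit is reported and treated as "not revoked" (0) without ever
 * indexing the bitmap; otherwise the granule's shadow bit is returned.
 */
int model_test_mem_nomap(uint64_t va)
{
	if (va >= MODEL_MAX_USER_ADDRESS) {
		model_leak_count++;
		fprintf(stderr, "%s: kernel capability leaked to userspace: base %#" PRIx64 "\n",
		    __func__, va);
		return 0;
	}
	return (model_shadow[model_shadow_byte(va)] >> model_shadow_bit(va)) & 1;
}

int main(void)
{
	/* Constructed inputs: one user address, one kernel-looking address. */
	const uint64_t user_va = 0x1000, kernel_va = 0xffff000000001000ULL;
	int revoked;

	model_shadow_mark(user_va);
	revoked = model_test_mem_nomap(user_va);
	printf("user   %#" PRIx64 ": byte %" PRIu64 ", revoked=%d\n",
	    user_va, model_shadow_byte(user_va), revoked);
	printf("kernel %#" PRIx64 ": unchecked byte index %" PRIu64 " vs bitmap size %" PRIu64 ", overruns=%d\n",
	    kernel_va, model_shadow_byte(kernel_va), (uint64_t)MODEL_SHADOW_BYTES,
	    (int)model_lookup_overruns(kernel_va));
	revoked = model_test_mem_nomap(kernel_va);
	printf("kernel %#" PRIx64 ": guarded lookup returns %d, warnings=%u\n",
	    kernel_va, revoked, model_leak_warnings());
	return 0;
}
```

Run as-is, the unchecked index for the kernel-looking base is many orders of magnitude beyond the bitmap, which in the kernel is the read that faults; the guarded lookup returns 0 and only increments the warning counter, which is also the hook one would use to rate-limit the console message.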
Showing 2 changed files with 20 additions and 0 deletions.
10 changes: 10 additions & 0 deletions sys/arm64/arm64/cheri_revoke_machdep_tests.c
Expand Up @@ -53,6 +53,11 @@ vm_cheri_revoke_test_mem_map(const uint8_t * __capability crshadow,
const uint8_t * __capability bmloc;

ptraddr_t va = cheri_getbase(cut);
if (__predict_false(va >= VM_MAX_USER_ADDRESS)) {
printf("%s: kernel capability leaked to userspace: %#lp\n",
__func__, (void * __capability)cut);
return (0);
}

bmloc = crshadow - VM_CHERI_REVOKE_BSZ_OTYPE -
(va / VM_CHERI_REVOKE_GSZ_MEM_MAP / 8);
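Review bot: the printf in the new check in vm_cheri_revoke_test_mem_map() fires once per leaked capability the scan encounters, so a single leaked kernel capability that has been copied around a process's memory, or a revocation pass that runs repeatedly, will repeat the same line until the console is useless. Consider rate-limiting it, for example with a static ppsratecheck() state or by printing only the first occurrence per process; the commit message's goal is diagnosability, not a log of every hit.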
Expand Down Expand Up @@ -90,6 +95,11 @@ vm_cheri_revoke_test_mem_nomap(const uint8_t * __capability crshadow,
const uint8_t * __capability bmloc;

ptraddr_t va = cheri_getbase(cut);
if (__predict_false(va >= VM_MAX_USER_ADDRESS)) {
printf("%s: kernel capability leaked to userspace: %#lp\n",
__func__, (void * __capability)cut);
return (0);
}

bmloc = crshadow + (va / VM_CHERI_REVOKE_GSZ_MEM_NOMAP / 8);

10 changes: 10 additions & 0 deletions sys/riscv/riscv/cheri_revoke_machdep_tests.c
Expand Up @@ -53,6 +53,11 @@ vm_cheri_revoke_test_mem_map(const uint8_t * __capability crshadow,
const uint8_t * __capability bmloc;

ptraddr_t va = cheri_getbase(cut);
if (__predict_false(va >= VM_MAX_USER_ADDRESS)) {
printf("%s: kernel capability leaked to userspace: %#lp\n",
__func__, (void * __capability)cut);
return (0);
}

bmloc = crshadow - VM_CHERI_REVOKE_BSZ_OTYPE -
(va / VM_CHERI_REVOKE_GSZ_MEM_MAP / 8);
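Review bot: this is the third verbatim copy of the same five-line check (it appears in both the arm64 and riscv versions of vm_cheri_revoke_test_mem_map() and vm_cheri_revoke_test_mem_nomap()). Please hoist it into one MI inline helper, for instance a hypothetical `vm_cheri_revoke_user_cap_check(cut)` in a shared header that returns true when cheri_getbase(cut) is below VM_MAX_USER_ADDRESS and emits the warning otherwise, so the bound, the message format and any later rate-limiting stay in sync across both architectures and both lookup functions.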
Expand Down Expand Up @@ -91,6 +96,11 @@ vm_cheri_revoke_test_mem_nomap(const uint8_t * __capability crshadow,
const uint8_t * __capability bmloc;

ptraddr_t va = cheri_getbase(cut);
if (__predict_false(va >= VM_MAX_USER_ADDRESS)) {
printf("%s: kernel capability leaked to userspace: %#lp\n",
__func__, (void * __capability)cut);
return (0);
}

bmloc = crshadow + (va / VM_CHERI_REVOKE_GSZ_MEM_NOMAP / 8);

GitHub Actions / Style Checker warning on line 106 in sys/riscv/riscv/cheri_revoke_machdep_tests.c: Missing Signed-off-by: line

0 comments on commit 08f323e