Date: Wed, 14 Nov 2012 06:51:17 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 219780 for review Message-ID: <201211140651.qAE6pH3s068293@skunkworks.freebsd.org>
http://p4web.freebsd.org/@@219780?ac=10 Change 219780 by rwatson@rwatson_zenith_cl_cam_ac_uk on 2012/11/14 06:50:51 Implement a very simple sandbox abort() function that effectively does a longjmp() back to the capability return code. Add exercise case to cheritest. Affected files ... .. //depot/projects/ctsrd/cheribsd/src/bin/cheritest/cheritest.c#11 edit .. //depot/projects/ctsrd/cheribsd/src/libexec/cheritest-helper/cheritest-helper.c#6 edit .. //depot/projects/ctsrd/cheribsd/src/libexec/cheritest-helper/mips64/chsbrt.S#4 edit Differences ...
==== //depot/projects/ctsrd/cheribsd/src/bin/cheritest/cheritest.c#11 (text+ko) ====
@@ -70,7 +70,8 @@
 fprintf(stderr, "cheritest listregs\n");
 fprintf(stderr, "cheritest overrun\n");
 fprintf(stderr, "cheritest sandbox\n");
- fprintf(stderr, "cheritest sandbox_invoke\n");
+ fprintf(stderr, "cheritest sandbox_invoke_abort\n");
+ fprintf(stderr, "cheritest sandbox_invoke_md5\n");
 fprintf(stderr, "cheritest sleep\n");
 fprintf(stderr, "cheritest unsandbox\n");
 fprintf(stderr, "cheritest syscalltest\n");
@@ -152,6 +153,22 @@
 CHERI_CSETLEN(0, 1, CHERI_CAP_USER_LENGTH - 1);
 }
+static void
+cheritest_sandbox_invoke_abort(void)
+{
+ struct sandbox *sb;
+ register_t v;
+
+ if (sandbox_setup("/usr/libexec/cheritest-helper.bin", 1024 * 1024,
+ &sb) < 0)
+ err(1, "sandbox_setup");
+
+ v = sandbox_invoke(sb, 0, 1, 0, 0, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL);
+ printf("%s: sandbox returned %ju\n", __func__, (uintmax_t)v);
+ sandbox_destroy(sb);
+}
+
 /*
 * XXXRW: c1 and c2 were not getting properly aligned when placed in the
 * stack. Odd.
@@ -160,7 +177,7 @@
 static struct chericap c1, c2;
 static void
-cheritest_sandbox_invoke(void)
+cheritest_sandbox_invoke_md5(void)
 {
 struct sandbox *sb;
 char buf[33];
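Review bot: cheritest_sandbox_invoke_abort() only prints whatever sandbox_invoke() returns and never checks it, so the test passes whether or not the helper's abort path was actually taken; the chsbrt.S change in this same commit sets $v0 to -2 on abort, so the function could compare `v` against that value and report a mismatch. Printing a negative register_t through `%ju` with a `(uintmax_t)` cast also renders -2 as a very large unsigned number, which hides the sentinel; `printf("%s: sandbox returned %jd\n", __func__, (intmax_t)v);` keeps it readable. A short comment above the function stating that passing a1 = 1 asks the helper to abort() and that -2 is the expected result would document the contract the two files now share.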
@@ -241,8 +258,10 @@
 cheritest_overrun();
 else if (strcmp(argv[i], "sandbox") == 0)
 cheritest_sandbox();
- else if (strcmp(argv[i], "sandbox_invoke") == 0)
- cheritest_sandbox_invoke();
+ else if (strcmp(argv[i], "sandbox_invoke_abort") == 0)
+ cheritest_sandbox_invoke_abort();
+ else if (strcmp(argv[i], "sandbox_invoke_md5") == 0)
+ cheritest_sandbox_invoke_md5();
 else if (strcmp(argv[i], "sleep") == 0)
 sleep(10);
 else if (strcmp(argv[i], "unsandbox") == 0)
==== //depot/projects/ctsrd/cheribsd/src/libexec/cheritest-helper/cheritest-helper.c#6 (text+ko) ====
@@ -33,6 +33,7 @@
 #include <machine/cheri.h>
 #include <md5.h>
+#include <stdlib.h>
 #include "cmemcpy.h"
@@ -42,15 +43,20 @@
 * Sample sandboxed code. Calculate an MD5 checksum of the data arriving via
 * c1, and place the checksum in c2. a0 will hold input data length. c2
 * must be (at least) 33 bytes.
+ *
+ * ... unless a1 is set, in which case immediately abort() to test that case.
 */
 int
-invoke(register_t a0, register_t a1 __unused, register_t a2 __unused,
+invoke(register_t a0, register_t a1, register_t a2 __unused,
 register_t a3 __unused)
 {
 MD5_CTX md5context;
 char buf[33], ch;
 u_int count;
+ if (a1)
+ abort();
+
 MD5Init(&md5context);
 for (count = 0; count < a0; count++) {
 memcpy_fromcap(&ch, 1, count, sizeof(ch));
==== //depot/projects/ctsrd/cheribsd/src/libexec/cheritest-helper/mips64/chsbrt.S#4 (text+ko) ====
@@ -137,6 +137,13 @@
 sd $a5, 0($at)
 #
+ # If abort() is called, we effectively longjmp back to just after the
+ # call to invoke(). Save a stack pointer for that unwind.
+ #
+ dla $at, abort_stack
+ sd $sp, 0($at)
+
+ #
 # Invoke MIPS ABI C "invoke" function.
 #
 dla $25, invoke
@@ -148,6 +155,7 @@
 #
 # XXXRW: To move to caller context once using CCALL.
 #
+abort_target:
 ld $t0, 0($sp)
 ld $t1, 8($sp)
 daddiu $sp, 16
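Review bot: The new `abort()` call in invoke() does not reach libc's abort(): the chsbrt.S change in this commit defines a global `abort` symbol that reloads $sp from abort_stack and branches back into the invoke() return path with $v0 set to -2, so no SIGABRT is raised and control simply returns to the host. The comment block above invoke() should say so, because a reader who sees the new `#include <stdlib.h>` will assume the usual terminate-the-process semantics; something like `* ... unless a1 is set, in which case call abort(), which in this sandbox unwinds to the invoke() return path and yields -2 rather than killing the process.` It is also worth noting there that a1 now arrives from the (untrusting) host and is treated purely as a boolean, so any non-zero value triggers the abort. The body of invoke() continues outside the hunk.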
@@ -195,5 +203,23 @@
 #
 cjr $31($c24) # Jump to return capability register
 nop # Branch-delay slot?
+ .end __start
+
+ .global abort
+ .ent abort
+abort:
+ #
+ # If abort() is called, unwind the stack and jump into the return
+ # code. Set $v0 to -2 so that it's somewhat recognisable, even if
+ # non-ideal.
+ #
+ dla $at, abort_stack
+ ld $sp, 0($at)
+ dli $v0, -2
+ b abort_target
+ nop
+ .end abort
- .end __start
+ .data
+abort_stack:
+ .dword 0x0000000000000000 # What to restore sp to on abort
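Review bot: `abort` restores only $sp before branching to abort_target, whereas a normal return from invoke() also leaves the MIPS callee-saved registers ($s0-$s7, $gp, $fp) as __start left them; if the return code after abort_target (whose body lies outside this hunk) depends on any of those, an abort taken after invoke() has modified them runs with stale values that a real setjmp()/longjmp() pair would have restored. Either save and reload those registers alongside $sp, or state at `abort:` that the return path may rely on $sp-relative state only. Because the symbol is `.global`, every abort() linked into the sandbox, including assertion failures in library code, now takes this path and reports -2 to the host instead of terminating, and since -2 is within invoke()'s int return range the host cannot reliably tell an abort from a legitimate return of -2. `abort_stack` is also a writable .data word initialised to zero, so an abort() issued before __start has stored $sp would load a null stack pointer; a comment at `abort_stack:` recording both the ordering requirement and that sandbox code can overwrite this word would help the next reader.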