PCuABI specification introduces memory reservation so add a flag VM_PCUABI_RESERVE to represent such memory mappings.

Signed-off-by: Amit Daniel Kachhap amit.kachhap@arm.com --- include/linux/mm.h | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/include/linux/mm.h b/include/linux/mm.h index c1f4996a957f..913b79b204be 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -369,9 +369,11 @@ extern unsigned int kobjsize(const void *objp); #ifdef CONFIG_ARM64_MORELLO # define VM_READ_CAPS VM_HIGH_ARCH_2 /* Permit capability tag loads */ # define VM_WRITE_CAPS VM_HIGH_ARCH_3 /* Permit capability tag stores */ +# define VM_PCUABI_RESERVE VM_HIGH_ARCH_4 /* Permit PCuABI memory reservation */ #else # define VM_READ_CAPS VM_NONE # define VM_WRITE_CAPS VM_NONE +# define VM_PCUABI_RESERVE VM_NONE #endif

#ifndef VM_GROWSUP

Helper functions such as capability_owns_range() and build_owning_capability() are added as per PCuABI specifications.

These may be helpful in adding different PCuABI reservation constraints.

Note: These helper functions do not check for capability permission constraints and full support will be added in subsequent commits.

Signed-off-by: Amit Daniel Kachhap amit.kachhap@arm.com --- include/linux/cap_addr_mgmt.h | 22 +++++++++++++++++++++ mm/cap_addr_mgmt.c | 37 ++++++++++++++++++++++++++++++++++- 2 files changed, 58 insertions(+), 1 deletion(-)

diff --git a/include/linux/cap_addr_mgmt.h b/include/linux/cap_addr_mgmt.h index 00eda91c2fc0..60af5633ef6f 100644 --- a/include/linux/cap_addr_mgmt.h +++ b/include/linux/cap_addr_mgmt.h @@ -113,4 +113,26 @@ bool reserv_vma_match_capability(struct vm_area_struct *vma, user_uintptr_t star * Return: True if two vma's have the same reservation range or false otherwise. */ bool reserv_vma_match_properties(struct vm_area_struct *vma1, struct vm_area_struct *vma2); + +/** + * capability_owns_range() - Check if the address range is within the valid + * capability bound. + * @cap: A Capability value. + * @addr: Address start value. + * @len: Address length. + * + * Return: True if address within the capability bound or false otherwise. + */ +bool capability_owns_range(user_uintptr_t cap, unsigned long addr, unsigned long len); + +/** + * build_owning_capability() - Creates a userspace capability from the + * requested base address, length and memory protection flags. + * @addr: Requested capability address. + * @len: Requested capability length. + * @perm: Requested memory mapping permission flags. + * + * Return: A new capability derived from cheri_user_root_cap. + */ +user_uintptr_t build_owning_capability(unsigned long addr, unsigned long len, unsigned long perm); #endif /* _LINUX_CAP_ADDR_MGMT_H */ diff --git a/mm/cap_addr_mgmt.c b/mm/cap_addr_mgmt.c index fe318c92dc7a..a4a85b37d59d 100644 --- a/mm/cap_addr_mgmt.c +++ b/mm/cap_addr_mgmt.c @@ -77,7 +77,7 @@ user_uintptr_t reserv_range_insert_entry(unsigned long start, unsigned long len, WRITE_ONCE(vma->reserv_perm, cheri_perm); } mmap_write_unlock(current->mm); - ret = (user_uintptr_t)uaddr_to_user_ptr_safe(start); + ret = build_owning_capability(start, len, perm);

return ret; } @@ -178,6 +178,31 @@ bool reserv_vma_match_properties(struct vm_area_struct *vma1, struct vm_area_str return false; }

+bool capability_owns_range(user_uintptr_t cap, unsigned long addr, unsigned long len) +{ + unsigned long align_addr = round_down(addr, PAGE_SIZE); + unsigned long align_len = cheri_representable_length(round_up(len, PAGE_SIZE)); + + if (is_compat_task()) + return true; + + return cheri_check_cap((const void * __capability)cheri_address_set(cap, align_addr), + align_len, CHERI_PERM_GLOBAL | CHERI_PERM_SW_VMEM); +} + +user_uintptr_t build_owning_capability(unsigned long addr, unsigned long len, + unsigned long perm __maybe_unused) +{ + unsigned long align_start = round_down(addr, PAGE_SIZE); + unsigned long align_len = cheri_representable_length(round_up(len, PAGE_SIZE)); + + /* TODO [PCuABI] - capability permission conversion from memory permission */ + cheri_perms_t perms = CHERI_PERMS_READ | CHERI_PERMS_WRITE | + CHERI_PERMS_EXEC | CHERI_PERMS_ROOTCAP; + + return (user_uintptr_t)cheri_build_user_cap(align_start, align_len, perms); +} + #else

int reserv_vma_insert_entry(struct vm_area_struct *vma, unsigned long start, @@ -219,4 +244,14 @@ bool reserv_vma_match_properties(struct vm_area_struct *vma1, struct vm_area_str return true; }

+bool capability_owns_range(user_uintptr_t cap, unsigned long addr, unsigned long len) +{ + return true; +} + +user_uintptr_t build_owning_capability(unsigned long addr, unsigned long len, unsigned long perm) +{ + return addr; +} + #endif /* CONFIG_CHERI_PURECAP_UABI */

Use the recently introduced PCuABI reservation interfaces for mmap/munmap syscall. The capability returned by mmap syscalls are now bounded and also the range is preserved in reservation layer to perform different range constraint checks in subsequent syscalls.

The kernel internal mapping functions vm_mmap and vm_munmap are also modified to accept user pointers. However, the users of vm_mmap/vm_munmap are not modified and hence the reservation interface might not be completely functional.

Signed-off-by: Amit Daniel Kachhap amit.kachhap@arm.com --- include/linux/cheri.h | 3 ++ include/linux/mm.h | 16 ++++---- mm/mmap.c | 90 ++++++++++++++++++++++++++++++++++++------- mm/util.c | 10 +---- 4 files changed, 91 insertions(+), 28 deletions(-)

diff --git a/include/linux/cheri.h b/include/linux/cheri.h index e5f588b056ad..02ef0e911e63 100644 --- a/include/linux/cheri.h +++ b/include/linux/cheri.h @@ -37,6 +37,9 @@ (CHERI_PERM_GLOBAL | CHERI_PERM_SW_VMEM) #endif

+#define cheri_is_null_derived(cap) \ + cheri_is_equal_exact((uintcap_t)cheri_address_get(cap), cap) + /** * cheri_build_user_cap() - Create a userspace capability. * @addr: Requested capability address. diff --git a/include/linux/mm.h b/include/linux/mm.h index 00cb9fd3a5ee..77e3374c65e0 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3139,16 +3139,18 @@ unsigned long randomize_page(unsigned long start, unsigned long range);

extern unsigned long get_unmapped_area(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);

-extern unsigned long mmap_region(struct file *file, unsigned long addr, +extern unsigned long mmap_region(struct file *file, user_uintptr_t addr, unsigned long len, vm_flags_t vm_flags, unsigned long pgoff, - struct list_head *uf); -extern unsigned long do_mmap(struct file *file, unsigned long addr, + struct list_head *uf, unsigned long prot); + +extern user_uintptr_t do_mmap(struct file *file, user_uintptr_t addr, unsigned long len, unsigned long prot, unsigned long flags, unsigned long pgoff, unsigned long *populate, struct list_head *uf); + extern int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm, - unsigned long start, size_t len, struct list_head *uf, + user_uintptr_t start, size_t len, struct list_head *uf, bool downgrade); -extern int do_munmap(struct mm_struct *, unsigned long, size_t, +extern int do_munmap(struct mm_struct *, user_uintptr_t, size_t, struct list_head *uf); extern int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int behavior);

@@ -3170,8 +3172,8 @@ static inline void mm_populate(unsigned long addr, unsigned long len) {} /* These take the mm semaphore themselves */ extern int __must_check vm_brk(unsigned long, unsigned long); extern int __must_check vm_brk_flags(unsigned long, unsigned long, unsigned long); -extern int vm_munmap(unsigned long, size_t); -extern unsigned long __must_check vm_mmap(struct file *, unsigned long, +extern int vm_munmap(user_uintptr_t, size_t); +extern user_uintptr_t __must_check vm_mmap(struct file *, user_uintptr_t, unsigned long, unsigned long, unsigned long, unsigned long);

diff --git a/mm/mmap.c b/mm/mmap.c index 74e52dc512fa..173fb75f7122 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -47,7 +47,9 @@ #include <linux/oom.h> #include <linux/sched/mm.h> #include <linux/ksm.h> +#include <linux/cap_addr_mgmt.h>

+#include <linux/cheri.h> #include <linux/uaccess.h> #include <asm/cacheflush.h> #include <asm/tlb.h> @@ -56,7 +58,6 @@ #define CREATE_TRACE_POINTS #include <trace/events/mmap.h>

-#include "cap_addr_mgmt.h" #include "internal.h"

#ifndef arch_mmap_check @@ -1225,7 +1226,7 @@ static inline bool file_mmap_ok(struct file *file, struct inode *inode, /* * The caller must write-lock current->mm->mmap_lock. */ -unsigned long do_mmap(struct file *file, unsigned long addr, +user_uintptr_t do_mmap(struct file *file, user_uintptr_t user_addr, unsigned long len, unsigned long prot, unsigned long flags, unsigned long pgoff, unsigned long *populate, struct list_head *uf) @@ -1233,6 +1234,14 @@ unsigned long do_mmap(struct file *file, unsigned long addr, struct mm_struct *mm = current->mm; vm_flags_t vm_flags; int pkey = 0; + unsigned long addr = (ptraddr_t)user_addr; + bool new_caps = true; +#ifdef CONFIG_CHERI_PURECAP_UABI + bool ignore_reserv = false; + VMA_ITERATOR(vmi, mm, addr); +#else + bool ignore_reserv = true; +#endif

validate_mm(mm); *populate = 0; @@ -1240,6 +1249,23 @@ unsigned long do_mmap(struct file *file, unsigned long addr, if (!len) return -EINVAL;

+#ifdef CONFIG_CHERI_PURECAP_UABI + if (is_compat_task()) { + ignore_reserv = true; + goto skip_pcuabi_checks; + } + if (cheri_tag_get(user_addr)) { + if (!capability_owns_range(user_addr, addr, len) || !(flags & MAP_FIXED)) + return -EINVAL; + if (!reserv_vmi_range_fully_mapped(&vmi, addr, len)) + return -ERESERVATION; + new_caps = false; + } else { + if (user_addr && !cheri_is_null_derived(user_addr)) + return -EINVAL; + } +skip_pcuabi_checks: +#endif /* * Does the application expect PROT_READ to imply PROT_EXEC? * @@ -1397,11 +1423,26 @@ unsigned long do_mmap(struct file *file, unsigned long addr, vm_flags |= VM_NORESERVE; }

- addr = mmap_region(file, addr, len, vm_flags, pgoff, uf); + if (!ignore_reserv) + vm_flags |= VM_PCUABI_RESERVE; + if (new_caps) + user_addr = addr; + + addr = mmap_region(file, user_addr, len, vm_flags, pgoff, uf, prot); if (!IS_ERR_VALUE(addr) && ((vm_flags & VM_LOCKED) || (flags & (MAP_POPULATE | MAP_NONBLOCK)) == MAP_POPULATE)) *populate = len; + if (!IS_ERR_VALUE(addr)) { + if (!ignore_reserv) { + if (new_caps) + user_addr = build_owning_capability(addr, len, prot); + } else { + user_addr = (user_uintptr_t)uaddr_to_user_ptr_safe(addr); + } + return user_addr; + } + return addr; }

@@ -2559,11 +2600,13 @@ do_vmi_align_munmap(struct vma_iterator *vmi, struct vm_area_struct *vma, * Returns: -EINVAL on failure, 1 on success and unlock, 0 otherwise. */ int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm, - unsigned long start, size_t len, struct list_head *uf, + user_uintptr_t user_start, size_t len, struct list_head *uf, bool downgrade) { unsigned long end; struct vm_area_struct *vma; + int ret; + unsigned long start = (ptraddr_t)user_start;

if ((offset_in_page(start)) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; @@ -2580,7 +2623,16 @@ int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm, if (!vma) return 0;

- return do_vmi_align_munmap(vmi, vma, mm, start, end, uf, downgrade); + if (vma->vm_flags & VM_PCUABI_RESERVE) { + if (!capability_owns_range(user_start, start, len)) + return -EINVAL; + if (!reserv_vma_match_capability(vma, user_start)) + return -ERESERVATION; + } + + ret = do_vmi_align_munmap(vmi, vma, mm, start, end, uf, downgrade); + + return ret; }

/* do_munmap() - Wrapper function for non-maple tree aware do_munmap() calls. @@ -2589,7 +2641,7 @@ int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm, * @len: The length to be munmapped. * @uf: The userfaultfd list_head */ -int do_munmap(struct mm_struct *mm, unsigned long start, size_t len, +int do_munmap(struct mm_struct *mm, user_uintptr_t start, size_t len, struct list_head *uf) { VMA_ITERATOR(vmi, mm, start); @@ -2597,15 +2649,16 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len, return do_vmi_munmap(&vmi, mm, start, len, uf, false); }

-unsigned long mmap_region(struct file *file, unsigned long addr, +unsigned long mmap_region(struct file *file, user_uintptr_t user_addr, unsigned long len, vm_flags_t vm_flags, unsigned long pgoff, - struct list_head *uf) + struct list_head *uf, unsigned long prot) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma = NULL; struct vm_area_struct *next, *prev, *merge; pgoff_t pglen = len >> PAGE_SHIFT; unsigned long charged = 0; + unsigned long addr = (ptraddr_t)user_addr; unsigned long end = addr + len; unsigned long merge_start = addr, merge_end = end; pgoff_t vm_pgoff; @@ -2628,7 +2681,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr, }

/* Unmap any existing mapping in the area */ - if (do_vmi_munmap(&vmi, mm, addr, len, uf, false)) + if (do_vmi_munmap(&vmi, mm, user_addr, len, uf, false)) return -ENOMEM;

/* @@ -2643,7 +2696,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr,

next = vma_next(&vmi); prev = vma_prev(&vmi); - if (vm_flags & VM_SPECIAL) + if (vm_flags & (VM_SPECIAL | VM_PCUABI_RESERVE)) goto cannot_expand;

/* Attempt to expand an old mapping */ @@ -2693,6 +2746,11 @@ unsigned long mmap_region(struct file *file, unsigned long addr, vm_flags_init(vma, vm_flags); vma->vm_page_prot = vm_get_page_prot(vm_flags); vma->vm_pgoff = pgoff; + if (vm_flags & VM_PCUABI_RESERVE) { + error = reserv_vma_insert_entry(vma, addr, len, prot); + if (error) + goto free_vma; + }

if (file) { if (vm_flags & VM_SHARED) { @@ -2845,17 +2903,18 @@ unsigned long mmap_region(struct file *file, unsigned long addr, return error; }

-static int __vm_munmap(unsigned long start, size_t len, bool downgrade) +static int __vm_munmap(user_uintptr_t user_start, size_t len, bool downgrade) { int ret; struct mm_struct *mm = current->mm; + unsigned long start = (ptraddr_t)user_start; LIST_HEAD(uf); VMA_ITERATOR(vmi, mm, start);

if (mmap_write_lock_killable(mm)) return -EINTR;

- ret = do_vmi_munmap(&vmi, mm, start, len, &uf, downgrade); + ret = do_vmi_munmap(&vmi, mm, user_start, len, &uf, downgrade); /* * Returning 1 indicates mmap_lock is downgraded. * But 1 is not legal return value of vm_munmap() and munmap(), reset @@ -2871,7 +2930,8 @@ static int __vm_munmap(unsigned long start, size_t len, bool downgrade) return ret; }

-int vm_munmap(unsigned long start, size_t len) +/* TODO [PCuABI] - Update the users of vm_munmap */ +int vm_munmap(user_uintptr_t start, size_t len) { return __vm_munmap(start, len, false); } @@ -2879,7 +2939,11 @@ EXPORT_SYMBOL(vm_munmap);

SYSCALL_DEFINE2(munmap, user_uintptr_t, addr, size_t, len) { +#ifdef CONFIG_CHERI_PURECAP_UABI + addr = cheri_address_set(addr, untagged_addr(cheri_address_get(addr))); +#else addr = untagged_addr(addr); +#endif return __vm_munmap(addr, len, true); }

diff --git a/mm/util.c b/mm/util.c index 61de3bf7712b..6f5d9d864643 100644 --- a/mm/util.c +++ b/mm/util.c @@ -540,24 +540,18 @@ user_uintptr_t vm_mmap_pgoff(struct file *file, user_uintptr_t addr, if (!ret) { if (mmap_write_lock_killable(mm)) return -EINTR; - /* - * TODO [PCuABI] - might need propagating uintcap further down - * to do_mmap to properly handle capabilities - */ ret = do_mmap(file, addr, len, prot, flag, pgoff, &populate, &uf); mmap_write_unlock(mm); userfaultfd_unmap_complete(mm, &uf); if (populate) mm_populate(ret, populate); - /* TODO [PCuABI] - derive proper capability */ - if (!IS_ERR_VALUE(ret)) - ret = (user_uintptr_t)uaddr_to_user_ptr_safe((ptraddr_t)ret); } return ret; }

-unsigned long vm_mmap(struct file *file, unsigned long addr, +/* TODO [PCuABI] - Update the users of vm_mmap */ +user_uintptr_t vm_mmap(struct file *file, user_uintptr_t addr, unsigned long len, unsigned long prot, unsigned long flag, unsigned long offset) {

Use the recently introduced PCuABI reservation interfaces for mremap syscall. The mremap PCuABI specification does not allow expanding the existing mappings so they are moved if MREMAP_MAYMOVE flag is present. Use the relevant capability constraint checks in the input user memory addresses.

Modify vma_merge() to check for similar reservation properties before merging the vma.

Signed-off-by: Amit Daniel Kachhap amit.kachhap@arm.com --- mm/mmap.c | 10 ++++- mm/mremap.c | 106 +++++++++++++++++++++++++++++++++++++++++----------- 2 files changed, 93 insertions(+), 23 deletions(-)

diff --git a/mm/mmap.c b/mm/mmap.c index 173fb75f7122..803b18c7d746 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -954,7 +954,9 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, /* Can we merge the predecessor? */ if (addr == prev->vm_end && mpol_equal(vma_policy(prev), policy) && can_vma_merge_after(prev, vm_flags, anon_vma, file, - pgoff, vm_userfaultfd_ctx, anon_name)) { + pgoff, vm_userfaultfd_ctx, anon_name) + && ((vm_flags & VM_PCUABI_RESERVE) ? + reserv_vma_match_properties(prev, curr) : 1)) { merge_prev = true; vma_prev(vmi); } @@ -963,7 +965,9 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, /* Can we merge the successor? */ if (next && mpol_equal(policy, vma_policy(next)) && can_vma_merge_before(next, vm_flags, anon_vma, file, pgoff+pglen, - vm_userfaultfd_ctx, anon_name)) { + vm_userfaultfd_ctx, anon_name) + && ((vm_flags & VM_PCUABI_RESERVE) ? + reserv_vma_match_properties(prev, curr) : 1)) { merge_next = true; }

@@ -3362,6 +3366,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, new_vma->vm_start = addr; new_vma->vm_end = addr + len; new_vma->vm_pgoff = pgoff; + if (vma->vm_flags & VM_PCUABI_RESERVE) + reserv_vma_insert_entry(new_vma, addr, len, 0); if (vma_dup_policy(vma, new_vma)) goto out_free_vma; if (anon_vma_clone(new_vma, vma)) diff --git a/mm/mremap.c b/mm/mremap.c index b52592303e8b..6d92b233f0e6 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -25,6 +25,7 @@ #include <linux/uaccess.h> #include <linux/userfaultfd_k.h> #include <linux/mempolicy.h> +#include <linux/cap_addr_mgmt.h>

#include <asm/cacheflush.h> #include <asm/tlb.h> @@ -569,7 +570,7 @@ unsigned long move_page_tables(struct vm_area_struct *vma, }

static unsigned long move_vma(struct vm_area_struct *vma, - unsigned long old_addr, unsigned long old_len, + user_uintptr_t user_old_addr, unsigned long old_len, unsigned long new_len, unsigned long new_addr, bool *locked, unsigned long flags, struct vm_userfaultfd_ctx *uf, struct list_head *uf_unmap) @@ -586,6 +587,7 @@ static unsigned long move_vma(struct vm_area_struct *vma, int err = 0; bool need_rmap_locks; struct vma_iterator vmi; + unsigned long old_addr = (ptraddr_t)user_old_addr;

/* * We'd prefer to avoid failure later on in do_munmap: @@ -703,7 +705,7 @@ static unsigned long move_vma(struct vm_area_struct *vma, }

vma_iter_init(&vmi, mm, old_addr); - if (do_vmi_munmap(&vmi, mm, old_addr, old_len, uf_unmap, false) < 0) { + if (do_vmi_munmap(&vmi, mm, user_old_addr, old_len, uf_unmap, false) < 0) { /* OOM: unable to split vma, just get accounts right */ if (vm_flags & VM_ACCOUNT && !(flags & MREMAP_DONTUNMAP)) vm_acct_memory(old_len >> PAGE_SHIFT); @@ -785,16 +787,19 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, return vma; }

-static unsigned long mremap_to(unsigned long addr, unsigned long old_len, - unsigned long new_addr, unsigned long new_len, bool *locked, +static user_uintptr_t mremap_to(user_uintptr_t user_addr, unsigned long old_len, + user_uintptr_t user_new_addr, unsigned long new_len, bool *locked, unsigned long flags, struct vm_userfaultfd_ctx *uf, struct list_head *uf_unmap_early, struct list_head *uf_unmap) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma; - unsigned long ret = -EINVAL; + user_uintptr_t ret = -EINVAL; unsigned long map_flags = 0; + unsigned long addr = (ptraddr_t)user_addr; + unsigned long new_addr = (ptraddr_t)user_new_addr; + unsigned long old_perm = 0;

if (offset_in_page(new_addr)) goto out; @@ -824,13 +829,13 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, return -ENOMEM;

if (flags & MREMAP_FIXED) { - ret = do_munmap(mm, new_addr, new_len, uf_unmap_early); + ret = do_munmap(mm, user_new_addr, new_len, uf_unmap_early); if (ret) goto out; }

if (old_len > new_len) { - ret = do_munmap(mm, addr+new_len, old_len - new_len, uf_unmap); + ret = do_munmap(mm, user_addr + new_len, old_len - new_len, uf_unmap); if (ret) goto out; old_len = new_len; @@ -865,9 +870,18 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, if (!(flags & MREMAP_FIXED)) new_addr = ret;

- ret = move_vma(vma, addr, old_len, new_len, new_addr, locked, flags, uf, +#ifdef CONFIG_CHERI_PURECAP_UABI + old_perm = vma->reserv_perm; +#endif + ret = move_vma(vma, user_addr, old_len, new_len, new_addr, locked, flags, uf, uf_unmap);

+ if (!IS_ERR_VALUE(ret)) { + if (vma->vm_flags & VM_PCUABI_RESERVE) + ret = build_owning_capability(new_addr, new_len, old_perm); + else + ret = (user_uintptr_t)uaddr_to_user_ptr_safe(new_addr); + } out: return ret; } @@ -893,9 +907,9 @@ static int vma_expandable(struct vm_area_struct *vma, unsigned long delta) * MREMAP_FIXED option added 5-Dec-1999 by Benjamin LaHaise * This option implies MREMAP_MAYMOVE. */ -SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len, +SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, user_addr, unsigned long, old_len, unsigned long, new_len, unsigned long, flags, - user_uintptr_t, new_addr) + user_uintptr_t, user_new_addr) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma; @@ -903,10 +917,15 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len bool locked = false; bool downgraded = false; struct vm_userfaultfd_ctx uf = NULL_VM_UFFD_CTX; + unsigned long addr = (ptraddr_t)user_addr; + unsigned long new_addr = (ptraddr_t)user_new_addr; + unsigned long old_perm = 0; LIST_HEAD(uf_unmap_early); LIST_HEAD(uf_unmap); +#ifdef CONFIG_CHERI_PURECAP_UABI + struct vm_area_struct *vma_new; +#endif

- /* @TODO [PCuABI] - capability validation */ /* * There is a deliberate asymmetry here: we strip the pointer tag * from the old address but leave the new address alone. This is @@ -918,6 +937,9 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len * See Documentation/arm64/tagged-address-abi.rst for more information. */ addr = untagged_addr(addr); +#ifdef CONFIG_CHERI_PURECAP_UABI + user_addr = cheri_address_set(user_addr, addr); +#endif

if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP)) return ret; @@ -956,6 +978,40 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len goto out; }

+#ifdef CONFIG_CHERI_PURECAP_UABI + if (!(vma->vm_flags & VM_PCUABI_RESERVE)) + goto skip_pcuabi_checks; + if (!capability_owns_range(user_addr, addr, old_len ? old_len : new_len)) + goto out; + if (!reserv_vma_range_fully_mapped(vma, addr, old_len ? old_len : new_len)) { + ret = -ERESERVATION; + goto out; + } + if (cheri_tag_get(user_new_addr)) { + if (!capability_owns_range(user_new_addr, new_addr, new_len) || + !(flags & MREMAP_FIXED)) + goto out; + vma_new = vma_lookup(mm, new_addr); + if (!reserv_vma_range_fully_mapped(vma_new, new_addr, new_len)) { + ret = -ERESERVATION; + goto out; + } + } else { + if (!cheri_is_null_derived(user_new_addr)) + goto out; + } + /* + * If new_len > old_len and flags does not contain MREMAP_MAYMOVE + * then this fails as PCuABI does not allow increasing reservation. + */ + if (new_len > old_len && !(flags & MREMAP_MAYMOVE)) { + ret = -ERESERVATION; + goto out; + } + old_perm = vma->reserv_perm; +skip_pcuabi_checks: +#endif + if (is_vm_hugetlb_page(vma)) { struct hstate *h __maybe_unused = hstate_vma(vma);

@@ -977,7 +1033,7 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len }

if (flags & (MREMAP_FIXED | MREMAP_DONTUNMAP)) { - ret = mremap_to(addr, old_len, new_addr, new_len, + ret = mremap_to(user_addr, old_len, user_new_addr, new_len, &locked, flags, &uf, &uf_unmap_early, &uf_unmap); goto out; @@ -993,7 +1049,7 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len int retval; VMA_ITERATOR(vmi, mm, addr + new_len);

- retval = do_vmi_munmap(&vmi, mm, addr + new_len, + retval = do_vmi_munmap(&vmi, mm, user_addr + new_len, old_len - new_len, &uf_unmap, true); /* Returning 1 indicates mmap_lock is downgraded to read. */ if (retval == 1) { @@ -1003,7 +1059,7 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len goto out; }

- ret = addr; + ret = user_addr; goto out; }

@@ -1019,8 +1075,13 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len /* old_len exactly to the end of the area.. */ if (old_len == vma->vm_end - addr) { - /* can we just expand the current mapping? */ - if (vma_expandable(vma, new_len - old_len)) { + /* + * can we just expand the current mapping? + * PCuABI specification does not allow increasing reservation + * size so just skip this path. + */ + if (!(vma->vm_flags & VM_PCUABI_RESERVE) && + vma_expandable(vma, new_len - old_len)) { long pages = (new_len - old_len) >> PAGE_SHIFT; unsigned long extension_start = addr + old_len; unsigned long extension_end = addr + new_len; @@ -1083,8 +1144,14 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len goto out; }

- ret = move_vma(vma, addr, old_len, new_len, new_addr, + ret = move_vma(vma, user_addr, old_len, new_len, new_addr, &locked, flags, &uf, &uf_unmap); + if (!IS_ERR_VALUE(ret)) { + if (vma->vm_flags & VM_PCUABI_RESERVE) + ret = build_owning_capability(new_addr, new_len, old_perm); + else + ret = (user_uintptr_t)uaddr_to_user_ptr_safe(new_addr); + } } out: if (offset_in_page(ret)) @@ -1098,8 +1165,5 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len userfaultfd_unmap_complete(mm, &uf_unmap_early); mremap_userfaultfd_complete(&uf, addr, ret, old_len); userfaultfd_unmap_complete(mm, &uf_unmap); - /* TODO [PCuABI] - derive proper capability */ - return IS_ERR_VALUE(ret) ? - ret : - (user_intptr_t)uaddr_to_user_ptr_safe((ptraddr_t)ret); + return ret; }

Use the recently introduced PCuABI reservation interfaces to verify the address range for madvise syscall.

do_madvise() function is used by virtual address monitoring damon and this may not satisfy the reservation range criteria so add a parameter to skip the reservation checks.

Signed-off-by: Amit Daniel Kachhap amit.kachhap@arm.com --- include/linux/mm.h | 3 ++- io_uring/advise.c | 2 +- mm/damon/vaddr.c | 2 +- mm/madvise.c | 27 +++++++++++++++++++++++---- 4 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h index 77e3374c65e0..c75c12d54fc7 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3152,7 +3152,8 @@ extern int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm, bool downgrade); extern int do_munmap(struct mm_struct *, user_uintptr_t, size_t, struct list_head *uf); -extern int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int behavior); +extern int do_madvise(struct mm_struct *mm, user_uintptr_t start, size_t len_in, + int behavior, bool reserv_ignore);

#ifdef CONFIG_MMU extern int do_vma_munmap(struct vma_iterator *vmi, struct vm_area_struct *vma, diff --git a/io_uring/advise.c b/io_uring/advise.c index 952d9289a311..2e43142cf4df 100644 --- a/io_uring/advise.c +++ b/io_uring/advise.c @@ -55,7 +55,7 @@ int io_madvise(struct io_kiocb *req, unsigned int issue_flags) WARN_ON_ONCE(issue_flags & IO_URING_F_NONBLOCK);

/* TODO [PCuABI] - capability checks for uaccess */ - ret = do_madvise(current->mm, user_ptr_addr(ma->addr), ma->len, ma->advice); + ret = do_madvise(current->mm, (user_uintptr_t)ma->addr, ma->len, ma->advice, false); io_req_set_res(req, ret, 0); return IOU_OK; #else diff --git a/mm/damon/vaddr.c b/mm/damon/vaddr.c index 1fec16d7263e..fcdd3f4f608f 100644 --- a/mm/damon/vaddr.c +++ b/mm/damon/vaddr.c @@ -623,7 +623,7 @@ static unsigned long damos_madvise(struct damon_target *target, if (!mm) return 0;

- applied = do_madvise(mm, start, len, behavior) ? 0 : len; + applied = do_madvise(mm, start, len, behavior, true) ? 0 : len; mmput(mm);

return applied; diff --git a/mm/madvise.c b/mm/madvise.c index ad59e1e07ec9..d815f5647678 100644 --- a/mm/madvise.c +++ b/mm/madvise.c @@ -31,6 +31,7 @@ #include <linux/swapops.h> #include <linux/shmem_fs.h> #include <linux/mmu_notifier.h> +#include <linux/cap_addr_mgmt.h>

#include <asm/tlb.h>

@@ -1382,13 +1383,16 @@ int madvise_set_anon_name(struct mm_struct *mm, unsigned long start, * -EBADF - map exists, but area maps something that isn't a file. * -EAGAIN - a kernel resource was temporarily unavailable. */ -int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int behavior) +int do_madvise(struct mm_struct *mm, user_uintptr_t user_start, size_t len_in, + int behavior, bool reserv_ignore) { unsigned long end; int error; int write; size_t len; struct blk_plug plug; + unsigned long start = (ptraddr_t)user_start; + struct vma_iterator vmi;

if (!madvise_behavior_valid(behavior)) return -EINVAL; @@ -1421,14 +1425,29 @@ int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int beh mmap_read_lock(mm); }

- /* TODO [PCuABI] - capability checks for uaccess */ start = untagged_addr_remote(mm, start); end = start + len;

+#ifdef CONFIG_CHERI_PURECAP_UABI + user_start = cheri_address_set(user_start, start); +#endif + if (!reserv_ignore) { + vma_iter_init(&vmi, current->mm, start); + if (!capability_owns_range(user_start, start, len)) { + error = -EINVAL; + goto out; + } + /* Check if the range exists within the reservation with mmap lock. */ + if (!reserv_vmi_match_capability(&vmi, user_start)) { + error = -ERESERVATION; + goto out; + } + } blk_start_plug(&plug); error = madvise_walk_vmas(mm, start, end, behavior, madvise_vma_behavior); blk_finish_plug(&plug); +out: if (write) mmap_write_unlock(mm); else @@ -1439,7 +1458,7 @@ int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int beh

SYSCALL_DEFINE3(madvise, user_uintptr_t, start, size_t, len_in, int, behavior) { - return do_madvise(current->mm, start, len_in, behavior); + return do_madvise(current->mm, start, len_in, behavior, false); }

SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec, @@ -1494,7 +1513,7 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec,

while (iov_iter_count(&iter)) { ret = do_madvise(mm, user_ptr_addr(iter_iov_addr(&iter)), - iter_iov_len(&iter), behavior); + iter_iov_len(&iter), behavior, false); if (ret < 0) break; iov_iter_advance(&iter, iter_iov_len(&iter));

Use the recently introduced PCuABI reservation interfaces to verify the address range for msync syscall.

Signed-off-by: Amit Daniel Kachhap amit.kachhap@arm.com --- mm/msync.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/mm/msync.c b/mm/msync.c index ac4c9bfea2e7..d0181c07524f 100644 --- a/mm/msync.c +++ b/mm/msync.c @@ -14,6 +14,7 @@ #include <linux/file.h> #include <linux/syscalls.h> #include <linux/sched.h> +#include <linux/cap_addr_mgmt.h>

/* * MS_SYNC syncs the entire file - including mappings. @@ -29,15 +30,20 @@ * So by _not_ starting I/O in MS_ASYNC we provide complete flexibility to * applications. */ -SYSCALL_DEFINE3(msync, unsigned long, start, size_t, len, int, flags) +SYSCALL_DEFINE3(msync, user_uintptr_t, user_start, size_t, len, int, flags) { unsigned long end; struct mm_struct *mm = current->mm; struct vm_area_struct *vma; int unmapped_error = 0; int error = -EINVAL; + unsigned long start = untagged_addr((ptraddr_t)user_start);

- start = untagged_addr(start); +#ifdef CONFIG_CHERI_PURECAP_UABI + user_start = cheri_address_set(user_start, start); + if (!capability_owns_range(user_start, start, len)) + return -EINVAL; +#endif

if (flags & ~(MS_ASYNC | MS_INVALIDATE | MS_SYNC)) goto out; @@ -61,6 +67,11 @@ SYSCALL_DEFINE3(msync, unsigned long, start, size_t, len, int, flags) */ mmap_read_lock(mm); vma = find_vma(mm, start); + /* Check if the range exists within the reservation with mmap lock. */ + if (vma && !reserv_vma_match_capability(vma, user_start)) { + error = -ERESERVATION; + goto out_unlock; + } for (;;) { struct file *file; loff_t fstart, fend;

Helper functions capability_may_set_prot(), mapping_to_capability_perm() and build_owning_capability() are added/modified to manage capability permissions in address space management syscalls as per PCuABI specifications.

Also a arch specific hook arch_map_to_cap_perm() is added to manage arch specific capability permissions.

Signed-off-by: Amit Daniel Kachhap amit.kachhap@arm.com --- arch/arm64/include/asm/cap_addr_mgmt.h | 22 +++++++ include/linux/cap_addr_mgmt.h | 42 ++++++++++-- mm/cap_addr_mgmt.c | 88 ++++++++++++++++++++------ mm/mmap.c | 8 ++- 4 files changed, 133 insertions(+), 27 deletions(-) create mode 100644 arch/arm64/include/asm/cap_addr_mgmt.h

diff --git a/arch/arm64/include/asm/cap_addr_mgmt.h b/arch/arm64/include/asm/cap_addr_mgmt.h new file mode 100644 index 000000000000..aadb4768d2fd --- /dev/null +++ b/arch/arm64/include/asm/cap_addr_mgmt.h @@ -0,0 +1,22 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef __ASM_CAP_ADDR_MGMT_H +#define __ASM_CAP_ADDR_MGMT_H + +#include <linux/cheri.h> +#include <linux/mman.h> + +static __always_inline cheri_perms_t arch_map_to_cap_perm(int prot, bool has_tag_access) +{ + cheri_perms_t perms = 0; + + if ((prot & PROT_READ) && has_tag_access) + perms |= ARM_CAP_PERMISSION_MUTABLE_LOAD; + + if ((prot & PROT_EXEC) && + (cheri_perms_get(cheri_pcc_get()) & ARM_CAP_PERMISSION_EXECUTIVE)) + perms |= ARM_CAP_PERMISSION_EXECUTIVE; + + return perms; +} +#define arch_map_to_cap_perm arch_map_to_cap_perm +#endif /* __ASM_CAP_ADDR_MGMT_H */ diff --git a/include/linux/cap_addr_mgmt.h b/include/linux/cap_addr_mgmt.h index 60af5633ef6f..717f51008bc0 100644 --- a/include/linux/cap_addr_mgmt.h +++ b/include/linux/cap_addr_mgmt.h @@ -7,6 +7,7 @@ #include <linux/list.h> #include <linux/mm_types.h> #include <linux/types.h> +#include <asm/cap_addr_mgmt.h>

#ifdef CONFIG_CHERI_PURECAP_UABI #define CHERI_REPRESENTABLE_ALIGNMENT(len) \ @@ -26,13 +27,13 @@ * @vma: VMA pointer to insert the reservation entry. * @start: Reservation start value. * @len: Reservation length. - * @perm: Memory mapping permission for the reserved range. + * @perm: Capability permission for the reserved range. * * Return: 0 if reservation entry added successfully or -ERESERVATION * otherwise. */ int reserv_vma_insert_entry(struct vm_area_struct *vma, unsigned long start, - unsigned long len, unsigned long perm); + unsigned long len, cheri_perms_t perm);

/** * reserv_range_insert_entry() - Adds the reservation details across the VMA's @@ -42,13 +43,13 @@ int reserv_vma_insert_entry(struct vm_area_struct *vma, unsigned long start, * This function internally uses mmap_lock to synchronize the vma updates. * @start: Reservation start value. * @len: Reservation length. - * @perm: Memory mapping permission for the reserved range. + * @perm: Capability permission for the reserved range. * * Return: valid capability with bounded range and requested permission or * negative errorcode otherwise. */ user_uintptr_t reserv_range_insert_entry(unsigned long start, unsigned long len, - unsigned long perm); + cheri_perms_t perm);

/** * reserv_vmi_range_fully_mapped() - Searches the reservation interface for the @@ -130,9 +131,38 @@ bool capability_owns_range(user_uintptr_t cap, unsigned long addr, unsigned long * requested base address, length and memory protection flags. * @addr: Requested capability address. * @len: Requested capability length. - * @perm: Requested memory mapping permission flags. + * @perm: Requested capability permission flags. * * Return: A new capability derived from cheri_user_root_cap. */ -user_uintptr_t build_owning_capability(unsigned long addr, unsigned long len, unsigned long perm); +user_uintptr_t build_owning_capability(unsigned long addr, unsigned long len, cheri_perms_t perm); + +/** + * capability_may_set_prot() - Verify if the mapping protection flags confirms + * with the capability permission flags. + * @cap: Capability value. + * @prot: Memory protection flags. + * + * Return: True if the capability permissions includes the protection flags + * or false otherwise. + */ +bool capability_may_set_prot(user_uintptr_t cap, int prot); + +/** + * mapping_to_capability_perm() - Converts memory mapping protection flags to + * capability permission flags. + * @prot: Memory protection flags. + * @has_tag_access: Capability permissions to have tag check flags. + * + * Return: Capability permission flags + */ +cheri_perms_t mapping_to_capability_perm(int prot, bool has_tag_access); + +#ifndef arch_map_to_cap_perm +static __always_inline cheri_perms_t arch_map_to_cap_perm(int prot, + bool has_tag_access) +{ + return 0; +} +#endif /* arch_map_to_cap_perm */ #endif /* _LINUX_CAP_ADDR_MGMT_H */ diff --git a/mm/cap_addr_mgmt.c b/mm/cap_addr_mgmt.c index a4a85b37d59d..b451fa279a48 100644 --- a/mm/cap_addr_mgmt.c +++ b/mm/cap_addr_mgmt.c @@ -9,12 +9,8 @@ #ifdef CONFIG_CHERI_PURECAP_UABI

int reserv_vma_insert_entry(struct vm_area_struct *vma, unsigned long start, - unsigned long len, unsigned long perm) + unsigned long len, cheri_perms_t perm) { - /* TODO [PCuABI] - capability permission conversion from memory permission */ - cheri_perms_t cheri_perms = CHERI_PERMS_READ | CHERI_PERMS_WRITE | - CHERI_PERMS_EXEC | CHERI_PERMS_ROOTCAP; - if (is_compat_task() || !(vma->vm_flags & VM_PCUABI_RESERVE)) return 0;

@@ -34,17 +30,13 @@ int reserv_vma_insert_entry(struct vm_area_struct *vma, unsigned long start, vma->reserv_start = start; vma->reserv_len = cheri_representable_length(len); if (perm) - vma->reserv_perm = cheri_perms; + vma->reserv_perm = perm;

return 0; }

-user_uintptr_t reserv_range_insert_entry(unsigned long start, unsigned long len, - unsigned long perm __maybe_unused) +user_uintptr_t reserv_range_insert_entry(unsigned long start, unsigned long len, cheri_perms_t perm) { - /* TODO [PCuABI] - capability permission conversion from memory permission */ - cheri_perms_t cheri_perm = CHERI_PERMS_READ | CHERI_PERMS_WRITE | - CHERI_PERMS_EXEC | CHERI_PERMS_ROOTCAP; struct mm_struct *mm = current->mm; struct vm_area_struct *vma; unsigned long end = start + len; @@ -74,7 +66,7 @@ user_uintptr_t reserv_range_insert_entry(unsigned long start, unsigned long len, vm_flags_set(vma, VM_PCUABI_RESERVE); WRITE_ONCE(vma->reserv_start, start); WRITE_ONCE(vma->reserv_len, len); - WRITE_ONCE(vma->reserv_perm, cheri_perm); + WRITE_ONCE(vma->reserv_perm, perm); } mmap_write_unlock(current->mm); ret = build_owning_capability(start, len, perm); @@ -190,19 +182,67 @@ bool capability_owns_range(user_uintptr_t cap, unsigned long addr, unsigned long align_len, CHERI_PERM_GLOBAL | CHERI_PERM_SW_VMEM); }

-user_uintptr_t build_owning_capability(unsigned long addr, unsigned long len, - unsigned long perm __maybe_unused) +user_uintptr_t build_owning_capability(unsigned long addr, unsigned long len, cheri_perms_t perm) { unsigned long align_start = round_down(addr, PAGE_SIZE); unsigned long align_len = cheri_representable_length(round_up(len, PAGE_SIZE));

- /* TODO [PCuABI] - capability permission conversion from memory permission */ - cheri_perms_t perms = CHERI_PERMS_READ | CHERI_PERMS_WRITE | - CHERI_PERMS_EXEC | CHERI_PERMS_ROOTCAP; + return (user_uintptr_t)cheri_build_user_cap(align_start, align_len, perm); +} + +static bool mapping_may_have_prot_flag(int prot, int map_val) +{ + int prot_max = PROT_MAX_EXTRACT(prot); + + if (prot_max) + return !!(prot_max & map_val); + else + return !!(prot & map_val); +} + +bool capability_may_set_prot(user_uintptr_t cap, int prot) +{ + cheri_perms_t perms = cheri_perms_get(cap); + + if (is_compat_task()) + return true; + + if (((prot & PROT_READ) && !(perms & CHERI_PERM_LOAD)) || + ((prot & PROT_WRITE) && !(perms & CHERI_PERM_STORE)) || + ((prot & PROT_EXEC) && !(perms & CHERI_PERM_EXECUTE))) + return false;

- return (user_uintptr_t)cheri_build_user_cap(align_start, align_len, perms); + return true; }

+cheri_perms_t mapping_to_capability_perm(int prot, bool has_tag_access) +{ + cheri_perms_t perms = 0; + + if (mapping_may_have_prot_flag(prot, PROT_READ)) { + perms |= CHERI_PERM_LOAD; + if (has_tag_access) + perms |= CHERI_PERM_LOAD_CAP; + } + if (mapping_may_have_prot_flag(prot, PROT_WRITE)) { + perms |= CHERI_PERM_STORE; + if (has_tag_access) + perms |= (CHERI_PERM_STORE_CAP | CHERI_PERM_STORE_LOCAL_CAP); + } + if (mapping_may_have_prot_flag(prot, PROT_EXEC)) { + perms |= CHERI_PERM_EXECUTE; + if (cheri_perms_get(cheri_pcc_get()) & CHERI_PERM_SYSTEM_REGS) + perms |= CHERI_PERM_SYSTEM_REGS; + } + /* Fetch any extra architecture specific permissions */ + perms |= arch_map_to_cap_perm(PROT_MAX_EXTRACT(prot) ? PROT_MAX_EXTRACT(prot) : prot, + has_tag_access); + perms |= CHERI_PERMS_ROOTCAP; + + return perms; +} + + #else

int reserv_vma_insert_entry(struct vm_area_struct *vma, unsigned long start, @@ -249,9 +289,19 @@ bool capability_owns_range(user_uintptr_t cap, unsigned long addr, unsigned long return true; }

-user_uintptr_t build_owning_capability(unsigned long addr, unsigned long len, unsigned long perm) +user_uintptr_t build_owning_capability(unsigned long addr, unsigned long len, cheri_perms_t perm) { return addr; }

+bool capability_may_set_prot(user_uintptr_t cap, int prot) +{ + return true; +} + +cheri_perms_t mapping_to_capability_perm(int prot, bool has_tag_access) +{ + return 0; +} + #endif /* CONFIG_CHERI_PURECAP_UABI */ diff --git a/mm/mmap.c b/mm/mmap.c index 803b18c7d746..cb7a4b71ad82 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1440,7 +1440,9 @@ user_uintptr_t do_mmap(struct file *file, user_uintptr_t user_addr, if (!IS_ERR_VALUE(addr)) { if (!ignore_reserv) { if (new_caps) - user_addr = build_owning_capability(addr, len, prot); + user_addr = build_owning_capability(addr, len, + mapping_to_capability_perm(prot, + (flags & MAP_SHARED) ? false : true)); } else { user_addr = (user_uintptr_t)uaddr_to_user_ptr_safe(addr); } @@ -2751,7 +2753,9 @@ unsigned long mmap_region(struct file *file, user_uintptr_t user_addr, vma->vm_page_prot = vm_get_page_prot(vm_flags); vma->vm_pgoff = pgoff; if (vm_flags & VM_PCUABI_RESERVE) { - error = reserv_vma_insert_entry(vma, addr, len, prot); + error = reserv_vma_insert_entry(vma, addr, len, + mapping_to_capability_perm(prot, + (vm_flags & (VM_SHARED | VM_MAYSHARE)) ? false : true)); if (error) goto free_vma; }

MAP_GROWSDOWN flag is not supported by PCuABI specification. Hence reject such requests with -EOPNOTSUPP error.

Signed-off-by: Amit Daniel Kachhap amit.kachhap@arm.com --- mm/mmap.c | 7 +++++++ 1 file changed, 7 insertions(+)

diff --git a/mm/mmap.c b/mm/mmap.c index cb7a4b71ad82..e8e9190f26cb 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1258,6 +1258,13 @@ user_uintptr_t do_mmap(struct file *file, user_uintptr_t user_addr, ignore_reserv = true; goto skip_pcuabi_checks; } + /* + * Introduce checks for PCuABI: + * - MAP_GROWSDOWN flag do not have fixed bounds and hence not + * supported in PCuABI reservation model. + */ + if (flags & MAP_GROWSDOWN) + return -EOPNOTSUPP; if (cheri_tag_get(user_addr)) { if (!capability_owns_range(user_addr, addr, len) || !(flags & MAP_FIXED)) return -EINVAL;

Check that the permission of new user address does not exceed the permission of old user address for mremap syscall.

Signed-off-by: Amit Daniel Kachhap amit.kachhap@arm.com --- mm/mremap.c | 3 +++ 1 file changed, 3 insertions(+)

diff --git a/mm/mremap.c b/mm/mremap.c index 6d92b233f0e6..fc0e5fb2508d 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -991,6 +991,9 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, user_addr, unsigned long, ol if (!capability_owns_range(user_new_addr, new_addr, new_len) || !(flags & MREMAP_FIXED)) goto out; + if ((cheri_perms_get(user_addr) | cheri_perms_get(user_new_addr)) + != cheri_perms_get(user_addr)) + goto out; vma_new = vma_lookup(mm, new_addr); if (!reserv_vma_range_fully_mapped(vma_new, new_addr, new_len)) { ret = -ERESERVATION;

Different capability permission and bound constraints are added as per PCuABI specification. mincore syscall does not need VMem permission and any of RWX memory permission so standard capability_owns_range() interface is not used here.

Also as mincore() allows the address range to not span whole pages so checking only a single byte at the page intersection is sufficient.

Signed-off-by: Amit Daniel Kachhap amit.kachhap@arm.com --- mm/mincore.c | 46 +++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 41 insertions(+), 5 deletions(-)

diff --git a/mm/mincore.c b/mm/mincore.c index 3a307bfa91c4..dfa6b5b9c3d3 100644 --- a/mm/mincore.c +++ b/mm/mincore.c @@ -19,6 +19,7 @@ #include <linux/hugetlb.h> #include <linux/pgtable.h>

+#include <linux/cap_addr_mgmt.h> #include <linux/uaccess.h> #include "swap.h"

@@ -184,15 +185,19 @@ static const struct mm_walk_ops mincore_walk_ops = { * all the arguments, we hold the mmap semaphore: we should * just return the amount of info we're asked for. */ -static long do_mincore(unsigned long addr, unsigned long pages, unsigned char *vec) +static long do_mincore(user_uintptr_t user_addr, unsigned long pages, unsigned char *vec) { struct vm_area_struct *vma; unsigned long end; + unsigned long addr = (ptraddr_t)user_addr; int err;

vma = vma_lookup(current->mm, addr); if (!vma) return -ENOMEM; + /* Check if the capability range is valid with mmap lock. */ + if (!reserv_vma_match_capability(vma, user_addr)) + return -ERESERVATION; end = min(vma->vm_end, addr + (pages << PAGE_SHIFT)); if (!can_do_mincore(vma)) { unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE); @@ -229,14 +234,16 @@ static long do_mincore(unsigned long addr, unsigned long pages, unsigned char *v * mapped * -EAGAIN - A kernel resource was temporarily unavailable. */ -SYSCALL_DEFINE3(mincore, unsigned long, start, size_t, len, +SYSCALL_DEFINE3(mincore, user_uintptr_t, user_start, size_t, len, unsigned char __user *, vec) { long retval; unsigned long pages; unsigned char *tmp; - - start = untagged_addr(start); + unsigned long start = untagged_addr((ptraddr_t)user_start); +#ifdef CONFIG_CHERI_PURECAP_UABI + unsigned long cap_start, cap_len; +#endif

/* Check the start address: needs to be page-aligned.. */ if (start & ~PAGE_MASK) @@ -253,6 +260,35 @@ SYSCALL_DEFINE3(mincore, unsigned long, start, size_t, len, if (!access_ok(vec, pages)) return -EFAULT;

+#ifdef CONFIG_CHERI_PURECAP_UABI + if (is_compat_task()) + goto skip_pcuabi_checks; + /* + * mincore syscall does not need VMem permission so as to allow ordinary pages. + * Also at least one of the standard memory permissions RWX will help to reject + * non memory capabilities. + */ + user_start = cheri_address_set(user_start, start); + if (cheri_is_invalid(user_start) || cheri_is_sealed(user_start) || + !(CHERI_PERM_GLOBAL & cheri_perms_get(user_start)) || + !((CHERI_PERM_LOAD | CHERI_PERM_STORE | CHERI_PERM_EXECUTE) + & cheri_perms_get(user_start))) + return -EINVAL; + /* + * mincore syscall can be invoked as: + * mincore(align_down(p, PAGE_SIZE), sz + (p.addr % PAGE_SIZE), vec) + * Hence, the capability might not consider the increased range due to + * alignment. In this scenario, check only the single byte at the page + * intersection. + */ + cap_start = cheri_base_get(user_start); + cap_len = cheri_length_get(user_start); + if ((start + PAGE_SIZE <= cap_start) || + (cap_start + cap_len < start + len - offset_in_page(len))) + return -EINVAL; +skip_pcuabi_checks: +#endif + tmp = (void *) __get_free_page(GFP_USER); if (!tmp) return -EAGAIN; @@ -264,7 +300,7 @@ SYSCALL_DEFINE3(mincore, unsigned long, start, size_t, len, * the temporary buffer size. */ mmap_read_lock(current->mm); - retval = do_mincore(start, min(pages, PAGE_SIZE), tmp); + retval = do_mincore(user_start, min(pages, PAGE_SIZE), tmp); mmap_read_unlock(current->mm);

if (retval <= 0)