Date: Tue, 4 Dec 2012 18:46:09 GMT From: Brooks Davis <brooks@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 219877 for review Message-ID: <201212041846.qB4Ik96b023580@skunkworks.freebsd.org>
http://p4web.freebsd.org/@@219877?ac=10 Change 219877 by brooks@brooks_zenith on 2012/12/04 18:45:40 Add a mostly working CHERI sandbox to minifile based on the cheripoint sandbox. This correctly identifies files and is generaly usable. However, triggering the BADMAGIC trojan causes a TLB miss exception. Affected files ... .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/Makefile#3 edit .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/Makefile#1 add .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/cmemcpy.h#1 branch .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/execve.S#1 branch .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/include/lib.h#1 branch .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/include/mips.h#1 branch .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/include/stdarg.h#1 branch .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/malloc.c#1 add .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/minifile-cheri.c#1 add .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/mips64/chsbrt.S#1 branch .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/mips64/setjmp.S#1 branch .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/sandbox.ld#1 branch .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/stub.c#1 add .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/subr_prf.c#1 add .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/minifile.c#5 edit .. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/minifile.h#2 edit Differences ...
==== //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/Makefile#3 (text+ko) ====
@@ -2,6 +2,7 @@
 # $FreeBSD$
 SUBDIR+= capsicum
+SUBDIR+= cheri
 PROG= minifile
@@ -9,6 +10,6 @@
 WARNS= 0
-LDADD+= -lvuln_magic
+LDADD+= -lcheri -lvuln_magic
 .include <bsd.prog.mk>
==== //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/minifile.c#5 (text+ko) ====
@@ -1,14 +1,19 @@
-#include <sys/types.h>
+#include <sys/param.h>
 #include <sys/capability.h>
 #include <sys/mman.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
+#include <machine/cheri.h>
+#include <machine/cpuregs.h>
+
 #include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <magic.h>
+#include <sandbox.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -146,6 +151,85 @@
 return type;
 }
+static struct chericap file_cap, magic_cap, out_cap;
+
+const char *
+cheri_magic_descriptor(int mfd, int fd)
+{
+ register_t v;
+ size_t outsize, magicsize, filesize;
+ char *filebuf = NULL;
+ void *magicbuf = NULL;
+ struct sandbox *sandbox;
+ struct stat filesb, magicsb;
+ static char outbuf[4096];
+ const char *type;
+ char *ttype;
+
+ type = "badfile";
+
+ outsize = 128;
+ CHERI_CINCBASE(10, 0, outbuf);
+ CHERI_CSETLEN(10, 10, outsize);
+ CHERI_CANDPERM(10, 10, CHERI_PERM_STORE);
+ CHERI_CSC(10, 0, &out_cap, 0);
+
+ if (fstat(mfd, &magicsb) == -1)
+ err(1, "fstat magic fd");
+ magicsize = magicsb.st_size;
+ if ((magicbuf = mmap(NULL, magicsize, PROT_READ|PROT_WRITE,
+ MAP_PRIVATE, mfd, 0)) == MAP_FAILED) {
+ warn("mmap magic fd");
+ goto error;
+ }
+ CHERI_CINCBASE(10, 0, magicbuf);
+ CHERI_CSETLEN(10, 10, magicsize);
+ CHERI_CANDPERM(10, 10, CHERI_PERM_LOAD);
+ CHERI_CSC(10, 0, &magic_cap, 0);
+
+ if (fstat(fd, &filesb) == -1)
+ err(1, "fstat input fd");
+ filesize = MIN(MINIFILE_BUF_MAX, filesb.st_size);
+ if ((filebuf = mmap(NULL, filesize, PROT_READ, 0, fd, 0)) ==
+ MAP_FAILED) {
+ warn("mmap input fd");
+ goto error;
+ }
+ CHERI_CINCBASE(10, 0, filebuf);
+ CHERI_CSETLEN(10, 10, filesize);
+ CHERI_CANDPERM(10, 10, CHERI_PERM_LOAD);
+ CHERI_CSC(10, 0, &file_cap, 0);
+
+ if (sandbox_setup("/usr/libexec/minifile-cheri.bin", 8*1024*1024,
+ &sandbox) < 0)
+ goto error;
+
+ v = sandbox_invoke(sandbox, outsize, magicsize, filesize, 0,
+ &out_cap, &magic_cap, &file_cap, NULL, NULL, NULL, NULL);
+ printf("%s: sandbox returned %ju\n", __func__, (uintmax_t)v);
+
+ sandbox_destroy(sandbox);
+
+ outsize = strnlen(outbuf, outsize);
+ if (v == 0) {
+ ttype = outbuf + outsize;
+ strvisx(ttype, outbuf, outsize, 0);
+ type = ttype;
+ } else {
+ ttype = outbuf + outsize;
+ strvisx(ttype, outbuf, outsize, 0);
+ type = ttype;
+ }
+
+error:
+ if (munmap(magicbuf, magicsize) == -1)
+ warn("munmap magicbuf");
+ if (munmap(filebuf, filesize) == -1)
+ warn("munmap filebuf");
+
+ return type;
+}
+
 int
 main(int argc, char **argv)
 {
@@ -227,10 +311,14 @@
 errx(1, "capsicum_magic_descriptor()");
 break;
 case SB_CHERI:
- errx(1, "no cheri capability support yet");
+ type = cheri_magic_descriptor(mfd, fd);
+ if (type == NULL)
+ errx(1, "cheri_magic_descriptor()");
+ break;
 default:
 errx(1, "invalid sandbox type");
 }
+ close(fd);
 printf("%s: %s\n", fname, type);
 }
 }
==== //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/minifile.h#2 (text+ko) ====
@@ -1,7 +1,9 @@
-#define MAGIC_FILE "/usr/share/misc/magic.mgc"
+#define MINIFILE_FILE_FD 3
+#define MINIFILE_MAGIC_FD 4
+#define MINIFILE_OUT_FD 5
+
+#define MINIFILE_OUT_CAP 1
+#define MINIFILE_MAGIC_CAP 2
+#define MINIFILE_FILE_CAP 3
-#define MINIFILE_FILE_FD 3
-#define MINIFILE_MAGIC_FD 4
-#define MINIFILE_OUT_FD 5
-#define MINIFILE_MAX_FD MINIFILE_OUT_FD
-#define MINIFILE_BUF_MAX 4096
+#define MINIFILE_BUF_MAX 4096
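Review bot: The `error:` path in cheri_magic_descriptor() unmaps both buffers unconditionally, so a failed magic mmap reaches it with `magicbuf == MAP_FAILED`, `filebuf` still NULL and `filesize` never assigned, and a failed input mmap reaches it with `filebuf == MAP_FAILED`. Reading the unassigned `filesize` is undefined behaviour, and the munmap() calls on NULL or MAP_FAILED can only fail and print a misleading warning. Initialising both pointers to MAP_FAILED and both sizes to 0, then guarding each munmap(), keeps the cleanup valid from every `goto error`. Separately, the input mapping passes `0` as the mmap flags where the magic mapping passes `MAP_PRIVATE`, which looks unintended and is worth confirming.

```c
	size_t outsize, magicsize = 0, filesize = 0;
	char *filebuf = MAP_FAILED;
	void *magicbuf = MAP_FAILED;
	/* … unchanged: capability setup, fstat/mmap, sandbox setup and invoke, strvisx … */
error:
	if (magicbuf != MAP_FAILED && munmap(magicbuf, magicsize) == -1)
		warn("munmap magicbuf");
	if (filebuf != MAP_FAILED && munmap(filebuf, filesize) == -1)
		warn("munmap filebuf");
```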
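Review bot: The `type == NULL` check under `case SB_CHERI:` cannot fire, because cheri_magic_descriptor() as added earlier in this change starts from `type = "badfile"` and returns either that or a pointer into its static `outbuf`, never NULL. Its `v == 0` and `else` branches are also identical, so a non-zero sandbox_invoke() result still gets whatever is in `outbuf` printed as the file type, and since `outbuf` is static that content can be left over from an earlier call. As the sandbox is there to contain the vulnerable magic code, a non-zero return should be treated as a failure, for example by having the `else` branch leave `type` as "badfile" or return NULL so that this check means something. The switch and its enclosing block start outside the hunk.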