1 // SPDX-License-Identifier: GPL-2.0
2
3 //! Slices to user space memory regions.
4 //!
5 //! C header: [`include/linux/uaccess.h`](srctree/include/linux/uaccess.h)
6
7 use crate::{
8 alloc::{Allocator, Flags},
9 bindings,
10 error::Result,
11 ffi::{c_char, c_void},
12 prelude::*,
13 transmute::{AsBytes, FromBytes},
14 };
15 use core::mem::{size_of, MaybeUninit};
16
17 /// A pointer into userspace.
18 ///
19 /// This is the Rust equivalent to C pointers tagged with `__user`.
20 #[repr(transparent)]
21 #[derive(Copy, Clone)]
22 pub struct UserPtr(*mut c_void);
23
24 impl UserPtr {
25 /// Create a `UserPtr` from an integer representing the userspace address.
26 #[inline]
from_addr(addr: usize) -> Self27 pub fn from_addr(addr: usize) -> Self {
28 Self(addr as *mut c_void)
29 }
30
31 /// Create a `UserPtr` from a pointer representing the userspace address.
32 #[inline]
from_ptr(addr: *mut c_void) -> Self33 pub fn from_ptr(addr: *mut c_void) -> Self {
34 Self(addr)
35 }
36
37 /// Cast this userspace pointer to a raw const void pointer.
38 ///
39 /// It is up to the caller to use the returned pointer correctly.
40 #[inline]
as_const_ptr(self) -> *const c_void41 pub fn as_const_ptr(self) -> *const c_void {
42 self.0
43 }
44
45 /// Cast this userspace pointer to a raw mutable void pointer.
46 ///
47 /// It is up to the caller to use the returned pointer correctly.
48 #[inline]
as_mut_ptr(self) -> *mut c_void49 pub fn as_mut_ptr(self) -> *mut c_void {
50 self.0
51 }
52
53 /// Increment this user pointer by `add` bytes.
54 ///
55 /// This addition is wrapping, so wrapping around the address space does not result in a panic
56 /// even if `CONFIG_RUST_OVERFLOW_CHECKS` is enabled.
57 #[inline]
wrapping_byte_add(self, add: usize) -> UserPtr58 pub fn wrapping_byte_add(self, add: usize) -> UserPtr {
59 UserPtr(self.0.wrapping_byte_add(add))
60 }
61 }
62
63 /// A pointer to an area in userspace memory, which can be either read-only or read-write.
64 ///
65 /// All methods on this struct are safe: attempting to read or write on bad addresses (either out of
66 /// the bound of the slice or unmapped addresses) will return [`EFAULT`]. Concurrent access,
67 /// *including data races to/from userspace memory*, is permitted, because fundamentally another
68 /// userspace thread/process could always be modifying memory at the same time (in the same way that
69 /// userspace Rust's [`std::io`] permits data races with the contents of files on disk). In the
70 /// presence of a race, the exact byte values read/written are unspecified but the operation is
71 /// well-defined. Kernelspace code should validate its copy of data after completing a read, and not
72 /// expect that multiple reads of the same address will return the same value.
73 ///
74 /// These APIs are designed to make it difficult to accidentally write TOCTOU (time-of-check to
75 /// time-of-use) bugs. Every time a memory location is read, the reader's position is advanced by
76 /// the read length and the next read will start from there. This helps prevent accidentally reading
77 /// the same location twice and causing a TOCTOU bug.
78 ///
79 /// Creating a [`UserSliceReader`] and/or [`UserSliceWriter`] consumes the `UserSlice`, helping
80 /// ensure that there aren't multiple readers or writers to the same location.
81 ///
82 /// If double-fetching a memory location is necessary for some reason, then that is done by creating
83 /// multiple readers to the same memory location, e.g. using [`clone_reader`].
84 ///
85 /// # Examples
86 ///
87 /// Takes a region of userspace memory from the current process, and modify it by adding one to
88 /// every byte in the region.
89 ///
90 /// ```no_run
91 /// use kernel::ffi::c_void;
92 /// use kernel::uaccess::{UserPtr, UserSlice};
93 ///
94 /// fn bytes_add_one(uptr: UserPtr, len: usize) -> Result {
95 /// let (read, mut write) = UserSlice::new(uptr, len).reader_writer();
96 ///
97 /// let mut buf = KVec::new();
98 /// read.read_all(&mut buf, GFP_KERNEL)?;
99 ///
100 /// for b in &mut buf {
101 /// *b = b.wrapping_add(1);
102 /// }
103 ///
104 /// write.write_slice(&buf)?;
105 /// Ok(())
106 /// }
107 /// ```
108 ///
109 /// Example illustrating a TOCTOU (time-of-check to time-of-use) bug.
110 ///
111 /// ```no_run
112 /// use kernel::ffi::c_void;
113 /// use kernel::uaccess::{UserPtr, UserSlice};
114 ///
115 /// /// Returns whether the data in this region is valid.
116 /// fn is_valid(uptr: UserPtr, len: usize) -> Result<bool> {
117 /// let read = UserSlice::new(uptr, len).reader();
118 ///
119 /// let mut buf = KVec::new();
120 /// read.read_all(&mut buf, GFP_KERNEL)?;
121 ///
122 /// todo!()
123 /// }
124 ///
125 /// /// Returns the bytes behind this user pointer if they are valid.
126 /// fn get_bytes_if_valid(uptr: UserPtr, len: usize) -> Result<KVec<u8>> {
127 /// if !is_valid(uptr, len)? {
128 /// return Err(EINVAL);
129 /// }
130 ///
131 /// let read = UserSlice::new(uptr, len).reader();
132 ///
133 /// let mut buf = KVec::new();
134 /// read.read_all(&mut buf, GFP_KERNEL)?;
135 ///
136 /// // THIS IS A BUG! The bytes could have changed since we checked them.
137 /// //
138 /// // To avoid this kind of bug, don't call `UserSlice::new` multiple
139 /// // times with the same address.
140 /// Ok(buf)
141 /// }
142 /// ```
143 ///
144 /// [`std::io`]: https://doc.rust-lang.org/std/io/index.html
145 /// [`clone_reader`]: UserSliceReader::clone_reader
146 pub struct UserSlice {
147 ptr: UserPtr,
148 length: usize,
149 }
150
151 impl UserSlice {
152 /// Constructs a user slice from a raw pointer and a length in bytes.
153 ///
154 /// Constructing a [`UserSlice`] performs no checks on the provided address and length, it can
155 /// safely be constructed inside a kernel thread with no current userspace process. Reads and
156 /// writes wrap the kernel APIs `copy_from_user` and `copy_to_user`, which check the memory map
157 /// of the current process and enforce that the address range is within the user range (no
158 /// additional calls to `access_ok` are needed). Validity of the pointer is checked when you
159 /// attempt to read or write, not in the call to `UserSlice::new`.
160 ///
161 /// Callers must be careful to avoid time-of-check-time-of-use (TOCTOU) issues. The simplest way
162 /// is to create a single instance of [`UserSlice`] per user memory block as it reads each byte
163 /// at most once.
new(ptr: UserPtr, length: usize) -> Self164 pub fn new(ptr: UserPtr, length: usize) -> Self {
165 UserSlice { ptr, length }
166 }
167
168 /// Reads the entirety of the user slice, appending it to the end of the provided buffer.
169 ///
170 /// Fails with [`EFAULT`] if the read happens on a bad address.
read_all<A: Allocator>(self, buf: &mut Vec<u8, A>, flags: Flags) -> Result171 pub fn read_all<A: Allocator>(self, buf: &mut Vec<u8, A>, flags: Flags) -> Result {
172 self.reader().read_all(buf, flags)
173 }
174
175 /// Constructs a [`UserSliceReader`].
reader(self) -> UserSliceReader176 pub fn reader(self) -> UserSliceReader {
177 UserSliceReader {
178 ptr: self.ptr,
179 length: self.length,
180 }
181 }
182
183 /// Constructs a [`UserSliceWriter`].
writer(self) -> UserSliceWriter184 pub fn writer(self) -> UserSliceWriter {
185 UserSliceWriter {
186 ptr: self.ptr,
187 length: self.length,
188 }
189 }
190
191 /// Constructs both a [`UserSliceReader`] and a [`UserSliceWriter`].
192 ///
193 /// Usually when this is used, you will first read the data, and then overwrite it afterwards.
reader_writer(self) -> (UserSliceReader, UserSliceWriter)194 pub fn reader_writer(self) -> (UserSliceReader, UserSliceWriter) {
195 (
196 UserSliceReader {
197 ptr: self.ptr,
198 length: self.length,
199 },
200 UserSliceWriter {
201 ptr: self.ptr,
202 length: self.length,
203 },
204 )
205 }
206 }
207
208 /// A reader for [`UserSlice`].
209 ///
210 /// Used to incrementally read from the user slice.
211 pub struct UserSliceReader {
212 ptr: UserPtr,
213 length: usize,
214 }
215
216 impl UserSliceReader {
217 /// Skip the provided number of bytes.
218 ///
219 /// Returns an error if skipping more than the length of the buffer.
skip(&mut self, num_skip: usize) -> Result220 pub fn skip(&mut self, num_skip: usize) -> Result {
221 // Update `self.length` first since that's the fallible part of this operation.
222 self.length = self.length.checked_sub(num_skip).ok_or(EFAULT)?;
223 self.ptr = self.ptr.wrapping_byte_add(num_skip);
224 Ok(())
225 }
226
227 /// Create a reader that can access the same range of data.
228 ///
229 /// Reading from the clone does not advance the current reader.
230 ///
231 /// The caller should take care to not introduce TOCTOU issues, as described in the
232 /// documentation for [`UserSlice`].
clone_reader(&self) -> UserSliceReader233 pub fn clone_reader(&self) -> UserSliceReader {
234 UserSliceReader {
235 ptr: self.ptr,
236 length: self.length,
237 }
238 }
239
240 /// Returns the number of bytes left to be read from this reader.
241 ///
242 /// Note that even reading less than this number of bytes may fail.
len(&self) -> usize243 pub fn len(&self) -> usize {
244 self.length
245 }
246
247 /// Returns `true` if no data is available in the io buffer.
is_empty(&self) -> bool248 pub fn is_empty(&self) -> bool {
249 self.length == 0
250 }
251
252 /// Reads raw data from the user slice into a kernel buffer.
253 ///
254 /// For a version that uses `&mut [u8]`, please see [`UserSliceReader::read_slice`].
255 ///
256 /// Fails with [`EFAULT`] if the read happens on a bad address, or if the read goes out of
257 /// bounds of this [`UserSliceReader`]. This call may modify `out` even if it returns an error.
258 ///
259 /// # Guarantees
260 ///
261 /// After a successful call to this method, all bytes in `out` are initialized.
read_raw(&mut self, out: &mut [MaybeUninit<u8>]) -> Result262 pub fn read_raw(&mut self, out: &mut [MaybeUninit<u8>]) -> Result {
263 let len = out.len();
264 let out_ptr = out.as_mut_ptr().cast::<c_void>();
265 if len > self.length {
266 return Err(EFAULT);
267 }
268 // SAFETY: `out_ptr` points into a mutable slice of length `len`, so we may write
269 // that many bytes to it.
270 let res = unsafe { bindings::copy_from_user(out_ptr, self.ptr.as_const_ptr(), len) };
271 if res != 0 {
272 return Err(EFAULT);
273 }
274 self.ptr = self.ptr.wrapping_byte_add(len);
275 self.length -= len;
276 Ok(())
277 }
278
279 /// Reads raw data from the user slice into a kernel buffer.
280 ///
281 /// Fails with [`EFAULT`] if the read happens on a bad address, or if the read goes out of
282 /// bounds of this [`UserSliceReader`]. This call may modify `out` even if it returns an error.
read_slice(&mut self, out: &mut [u8]) -> Result283 pub fn read_slice(&mut self, out: &mut [u8]) -> Result {
284 // SAFETY: The types are compatible and `read_raw` doesn't write uninitialized bytes to
285 // `out`.
286 let out = unsafe { &mut *(core::ptr::from_mut(out) as *mut [MaybeUninit<u8>]) };
287 self.read_raw(out)
288 }
289
290 /// Reads a value of the specified type.
291 ///
292 /// Fails with [`EFAULT`] if the read happens on a bad address, or if the read goes out of
293 /// bounds of this [`UserSliceReader`].
read<T: FromBytes>(&mut self) -> Result<T>294 pub fn read<T: FromBytes>(&mut self) -> Result<T> {
295 let len = size_of::<T>();
296 if len > self.length {
297 return Err(EFAULT);
298 }
299 let mut out: MaybeUninit<T> = MaybeUninit::uninit();
300 // SAFETY: The local variable `out` is valid for writing `size_of::<T>()` bytes.
301 //
302 // By using the _copy_from_user variant, we skip the check_object_size check that verifies
303 // the kernel pointer. This mirrors the logic on the C side that skips the check when the
304 // length is a compile-time constant.
305 let res = unsafe {
306 bindings::_copy_from_user(
307 out.as_mut_ptr().cast::<c_void>(),
308 self.ptr.as_const_ptr(),
309 len,
310 )
311 };
312 if res != 0 {
313 return Err(EFAULT);
314 }
315 self.ptr = self.ptr.wrapping_byte_add(len);
316 self.length -= len;
317 // SAFETY: The read above has initialized all bytes in `out`, and since `T` implements
318 // `FromBytes`, any bit-pattern is a valid value for this type.
319 Ok(unsafe { out.assume_init() })
320 }
321
322 /// Reads the entirety of the user slice, appending it to the end of the provided buffer.
323 ///
324 /// Fails with [`EFAULT`] if the read happens on a bad address.
read_all<A: Allocator>(mut self, buf: &mut Vec<u8, A>, flags: Flags) -> Result325 pub fn read_all<A: Allocator>(mut self, buf: &mut Vec<u8, A>, flags: Flags) -> Result {
326 let len = self.length;
327 buf.reserve(len, flags)?;
328
329 // The call to `reserve` was successful, so the spare capacity is at least `len` bytes long.
330 self.read_raw(&mut buf.spare_capacity_mut()[..len])?;
331
332 // SAFETY: Since the call to `read_raw` was successful, so the next `len` bytes of the
333 // vector have been initialized.
334 unsafe { buf.inc_len(len) };
335 Ok(())
336 }
337
338 /// Read a NUL-terminated string from userspace and return it.
339 ///
340 /// The string is read into `buf` and a NUL-terminator is added if the end of `buf` is reached.
341 /// Since there must be space to add a NUL-terminator, the buffer must not be empty. The
342 /// returned `&CStr` points into `buf`.
343 ///
344 /// Fails with [`EFAULT`] if the read happens on a bad address (some data may have been
345 /// copied).
346 #[doc(alias = "strncpy_from_user")]
strcpy_into_buf<'buf>(self, buf: &'buf mut [u8]) -> Result<&'buf CStr>347 pub fn strcpy_into_buf<'buf>(self, buf: &'buf mut [u8]) -> Result<&'buf CStr> {
348 if buf.is_empty() {
349 return Err(EINVAL);
350 }
351
352 // SAFETY: The types are compatible and `strncpy_from_user` doesn't write uninitialized
353 // bytes to `buf`.
354 let mut dst = unsafe { &mut *(core::ptr::from_mut(buf) as *mut [MaybeUninit<u8>]) };
355
356 // We never read more than `self.length` bytes.
357 if dst.len() > self.length {
358 dst = &mut dst[..self.length];
359 }
360
361 let mut len = raw_strncpy_from_user(dst, self.ptr)?;
362 if len < dst.len() {
363 // Add one to include the NUL-terminator.
364 len += 1;
365 } else if len < buf.len() {
366 // This implies that `len == dst.len() < buf.len()`.
367 //
368 // This means that we could not fill the entire buffer, but we had to stop reading
369 // because we hit the `self.length` limit of this `UserSliceReader`. Since we did not
370 // fill the buffer, we treat this case as if we tried to read past the `self.length`
371 // limit and received a page fault, which is consistent with other `UserSliceReader`
372 // methods that also return page faults when you exceed `self.length`.
373 return Err(EFAULT);
374 } else {
375 // This implies that `len == buf.len()`.
376 //
377 // This means that we filled the buffer exactly. In this case, we add a NUL-terminator
378 // and return it. Unlike the `len < dst.len()` branch, don't modify `len` because it
379 // already represents the length including the NUL-terminator.
380 //
381 // SAFETY: Due to the check at the beginning, the buffer is not empty.
382 unsafe { *buf.last_mut().unwrap_unchecked() = 0 };
383 }
384
385 // This method consumes `self`, so it can only be called once, thus we do not need to
386 // update `self.length`. This sidesteps concerns such as whether `self.length` should be
387 // incremented by `len` or `len-1` in the `len == buf.len()` case.
388
389 // SAFETY: There are two cases:
390 // * If we hit the `len < dst.len()` case, then `raw_strncpy_from_user` guarantees that
391 // this slice contains exactly one NUL byte at the end of the string.
392 // * Otherwise, `raw_strncpy_from_user` guarantees that the string contained no NUL bytes,
393 // and we have since added a NUL byte at the end.
394 Ok(unsafe { CStr::from_bytes_with_nul_unchecked(&buf[..len]) })
395 }
396 }
397
398 /// A writer for [`UserSlice`].
399 ///
400 /// Used to incrementally write into the user slice.
401 pub struct UserSliceWriter {
402 ptr: UserPtr,
403 length: usize,
404 }
405
406 impl UserSliceWriter {
407 /// Returns the amount of space remaining in this buffer.
408 ///
409 /// Note that even writing less than this number of bytes may fail.
len(&self) -> usize410 pub fn len(&self) -> usize {
411 self.length
412 }
413
414 /// Returns `true` if no more data can be written to this buffer.
is_empty(&self) -> bool415 pub fn is_empty(&self) -> bool {
416 self.length == 0
417 }
418
419 /// Writes raw data to this user pointer from a kernel buffer.
420 ///
421 /// Fails with [`EFAULT`] if the write happens on a bad address, or if the write goes out of
422 /// bounds of this [`UserSliceWriter`]. This call may modify the associated userspace slice even
423 /// if it returns an error.
write_slice(&mut self, data: &[u8]) -> Result424 pub fn write_slice(&mut self, data: &[u8]) -> Result {
425 let len = data.len();
426 let data_ptr = data.as_ptr().cast::<c_void>();
427 if len > self.length {
428 return Err(EFAULT);
429 }
430 // SAFETY: `data_ptr` points into an immutable slice of length `len`, so we may read
431 // that many bytes from it.
432 let res = unsafe { bindings::copy_to_user(self.ptr.as_mut_ptr(), data_ptr, len) };
433 if res != 0 {
434 return Err(EFAULT);
435 }
436 self.ptr = self.ptr.wrapping_byte_add(len);
437 self.length -= len;
438 Ok(())
439 }
440
441 /// Writes the provided Rust value to this userspace pointer.
442 ///
443 /// Fails with [`EFAULT`] if the write happens on a bad address, or if the write goes out of
444 /// bounds of this [`UserSliceWriter`]. This call may modify the associated userspace slice even
445 /// if it returns an error.
write<T: AsBytes>(&mut self, value: &T) -> Result446 pub fn write<T: AsBytes>(&mut self, value: &T) -> Result {
447 let len = size_of::<T>();
448 if len > self.length {
449 return Err(EFAULT);
450 }
451 // SAFETY: The reference points to a value of type `T`, so it is valid for reading
452 // `size_of::<T>()` bytes.
453 //
454 // By using the _copy_to_user variant, we skip the check_object_size check that verifies the
455 // kernel pointer. This mirrors the logic on the C side that skips the check when the length
456 // is a compile-time constant.
457 let res = unsafe {
458 bindings::_copy_to_user(
459 self.ptr.as_mut_ptr(),
460 core::ptr::from_ref(value).cast::<c_void>(),
461 len,
462 )
463 };
464 if res != 0 {
465 return Err(EFAULT);
466 }
467 self.ptr = self.ptr.wrapping_byte_add(len);
468 self.length -= len;
469 Ok(())
470 }
471 }
472
473 /// Reads a nul-terminated string into `dst` and returns the length.
474 ///
475 /// This reads from userspace until a NUL byte is encountered, or until `dst.len()` bytes have been
476 /// read. Fails with [`EFAULT`] if a read happens on a bad address (some data may have been
477 /// copied). When the end of the buffer is encountered, no NUL byte is added, so the string is
478 /// *not* guaranteed to be NUL-terminated when `Ok(dst.len())` is returned.
479 ///
480 /// # Guarantees
481 ///
482 /// When this function returns `Ok(len)`, it is guaranteed that the first `len` bytes of `dst` are
483 /// initialized and non-zero. Furthermore, if `len < dst.len()`, then `dst[len]` is a NUL byte.
484 #[inline]
raw_strncpy_from_user(dst: &mut [MaybeUninit<u8>], src: UserPtr) -> Result<usize>485 fn raw_strncpy_from_user(dst: &mut [MaybeUninit<u8>], src: UserPtr) -> Result<usize> {
486 // CAST: Slice lengths are guaranteed to be `<= isize::MAX`.
487 let len = dst.len() as isize;
488
489 // SAFETY: `dst` is valid for writing `dst.len()` bytes.
490 let res = unsafe {
491 bindings::strncpy_from_user(
492 dst.as_mut_ptr().cast::<c_char>(),
493 src.as_const_ptr().cast::<c_char>(),
494 len,
495 )
496 };
497
498 if res < 0 {
499 return Err(Error::from_errno(res as i32));
500 }
501
502 #[cfg(CONFIG_RUST_OVERFLOW_CHECKS)]
503 assert!(res <= len);
504
505 // GUARANTEES: `strncpy_from_user` was successful, so `dst` has contents in accordance with the
506 // guarantees of this function.
507 Ok(res as usize)
508 }
509