1 // SPDX-License-Identifier: GPL-2.0 2 3 //! Slices to user space memory regions. 4 //! 5 //! C header: [`include/linux/uaccess.h`](srctree/include/linux/uaccess.h) 6 7 use crate::{alloc::Flags, bindings, error::Result, prelude::*}; 8 use alloc::vec::Vec; 9 use core::ffi::{c_ulong, c_void}; 10 use core::mem::MaybeUninit; 11 12 /// The type used for userspace addresses. 13 pub type UserPtr = usize; 14 15 /// A pointer to an area in userspace memory, which can be either read-only or read-write. 16 /// 17 /// All methods on this struct are safe: attempting to read or write on bad addresses (either out of 18 /// the bound of the slice or unmapped addresses) will return [`EFAULT`]. Concurrent access, 19 /// *including data races to/from userspace memory*, is permitted, because fundamentally another 20 /// userspace thread/process could always be modifying memory at the same time (in the same way that 21 /// userspace Rust's [`std::io`] permits data races with the contents of files on disk). In the 22 /// presence of a race, the exact byte values read/written are unspecified but the operation is 23 /// well-defined. Kernelspace code should validate its copy of data after completing a read, and not 24 /// expect that multiple reads of the same address will return the same value. 25 /// 26 /// These APIs are designed to make it difficult to accidentally write TOCTOU (time-of-check to 27 /// time-of-use) bugs. Every time a memory location is read, the reader's position is advanced by 28 /// the read length and the next read will start from there. This helps prevent accidentally reading 29 /// the same location twice and causing a TOCTOU bug. 30 /// 31 /// Creating a [`UserSliceReader`] and/or [`UserSliceWriter`] consumes the `UserSlice`, helping 32 /// ensure that there aren't multiple readers or writers to the same location. 33 /// 34 /// If double-fetching a memory location is necessary for some reason, then that is done by creating 35 /// multiple readers to the same memory location, e.g. using [`clone_reader`]. 36 /// 37 /// # Examples 38 /// 39 /// Takes a region of userspace memory from the current process, and modify it by adding one to 40 /// every byte in the region. 41 /// 42 /// ```no_run 43 /// use alloc::vec::Vec; 44 /// use core::ffi::c_void; 45 /// use kernel::error::Result; 46 /// use kernel::uaccess::{UserPtr, UserSlice}; 47 /// 48 /// fn bytes_add_one(uptr: UserPtr, len: usize) -> Result<()> { 49 /// let (read, mut write) = UserSlice::new(uptr, len).reader_writer(); 50 /// 51 /// let mut buf = Vec::new(); 52 /// read.read_all(&mut buf, GFP_KERNEL)?; 53 /// 54 /// for b in &mut buf { 55 /// *b = b.wrapping_add(1); 56 /// } 57 /// 58 /// write.write_slice(&buf)?; 59 /// Ok(()) 60 /// } 61 /// ``` 62 /// 63 /// Example illustrating a TOCTOU (time-of-check to time-of-use) bug. 64 /// 65 /// ```no_run 66 /// use alloc::vec::Vec; 67 /// use core::ffi::c_void; 68 /// use kernel::error::{code::EINVAL, Result}; 69 /// use kernel::uaccess::{UserPtr, UserSlice}; 70 /// 71 /// /// Returns whether the data in this region is valid. 72 /// fn is_valid(uptr: UserPtr, len: usize) -> Result<bool> { 73 /// let read = UserSlice::new(uptr, len).reader(); 74 /// 75 /// let mut buf = Vec::new(); 76 /// read.read_all(&mut buf, GFP_KERNEL)?; 77 /// 78 /// todo!() 79 /// } 80 /// 81 /// /// Returns the bytes behind this user pointer if they are valid. 82 /// fn get_bytes_if_valid(uptr: UserPtr, len: usize) -> Result<Vec<u8>> { 83 /// if !is_valid(uptr, len)? { 84 /// return Err(EINVAL); 85 /// } 86 /// 87 /// let read = UserSlice::new(uptr, len).reader(); 88 /// 89 /// let mut buf = Vec::new(); 90 /// read.read_all(&mut buf, GFP_KERNEL)?; 91 /// 92 /// // THIS IS A BUG! The bytes could have changed since we checked them. 93 /// // 94 /// // To avoid this kind of bug, don't call `UserSlice::new` multiple 95 /// // times with the same address. 96 /// Ok(buf) 97 /// } 98 /// ``` 99 /// 100 /// [`std::io`]: https://doc.rust-lang.org/std/io/index.html 101 /// [`clone_reader`]: UserSliceReader::clone_reader 102 pub struct UserSlice { 103 ptr: UserPtr, 104 length: usize, 105 } 106 107 impl UserSlice { 108 /// Constructs a user slice from a raw pointer and a length in bytes. 109 /// 110 /// Constructing a [`UserSlice`] performs no checks on the provided address and length, it can 111 /// safely be constructed inside a kernel thread with no current userspace process. Reads and 112 /// writes wrap the kernel APIs `copy_from_user` and `copy_to_user`, which check the memory map 113 /// of the current process and enforce that the address range is within the user range (no 114 /// additional calls to `access_ok` are needed). Validity of the pointer is checked when you 115 /// attempt to read or write, not in the call to `UserSlice::new`. 116 /// 117 /// Callers must be careful to avoid time-of-check-time-of-use (TOCTOU) issues. The simplest way 118 /// is to create a single instance of [`UserSlice`] per user memory block as it reads each byte 119 /// at most once. 120 pub fn new(ptr: UserPtr, length: usize) -> Self { 121 UserSlice { ptr, length } 122 } 123 124 /// Reads the entirety of the user slice, appending it to the end of the provided buffer. 125 /// 126 /// Fails with [`EFAULT`] if the read happens on a bad address. 127 pub fn read_all(self, buf: &mut Vec<u8>, flags: Flags) -> Result { 128 self.reader().read_all(buf, flags) 129 } 130 131 /// Constructs a [`UserSliceReader`]. 132 pub fn reader(self) -> UserSliceReader { 133 UserSliceReader { 134 ptr: self.ptr, 135 length: self.length, 136 } 137 } 138 139 /// Constructs a [`UserSliceWriter`]. 140 pub fn writer(self) -> UserSliceWriter { 141 UserSliceWriter { 142 ptr: self.ptr, 143 length: self.length, 144 } 145 } 146 147 /// Constructs both a [`UserSliceReader`] and a [`UserSliceWriter`]. 148 /// 149 /// Usually when this is used, you will first read the data, and then overwrite it afterwards. 150 pub fn reader_writer(self) -> (UserSliceReader, UserSliceWriter) { 151 ( 152 UserSliceReader { 153 ptr: self.ptr, 154 length: self.length, 155 }, 156 UserSliceWriter { 157 ptr: self.ptr, 158 length: self.length, 159 }, 160 ) 161 } 162 } 163 164 /// A reader for [`UserSlice`]. 165 /// 166 /// Used to incrementally read from the user slice. 167 pub struct UserSliceReader { 168 ptr: UserPtr, 169 length: usize, 170 } 171 172 impl UserSliceReader { 173 /// Skip the provided number of bytes. 174 /// 175 /// Returns an error if skipping more than the length of the buffer. 176 pub fn skip(&mut self, num_skip: usize) -> Result { 177 // Update `self.length` first since that's the fallible part of this operation. 178 self.length = self.length.checked_sub(num_skip).ok_or(EFAULT)?; 179 self.ptr = self.ptr.wrapping_add(num_skip); 180 Ok(()) 181 } 182 183 /// Create a reader that can access the same range of data. 184 /// 185 /// Reading from the clone does not advance the current reader. 186 /// 187 /// The caller should take care to not introduce TOCTOU issues, as described in the 188 /// documentation for [`UserSlice`]. 189 pub fn clone_reader(&self) -> UserSliceReader { 190 UserSliceReader { 191 ptr: self.ptr, 192 length: self.length, 193 } 194 } 195 196 /// Returns the number of bytes left to be read from this reader. 197 /// 198 /// Note that even reading less than this number of bytes may fail. 199 pub fn len(&self) -> usize { 200 self.length 201 } 202 203 /// Returns `true` if no data is available in the io buffer. 204 pub fn is_empty(&self) -> bool { 205 self.length == 0 206 } 207 208 /// Reads raw data from the user slice into a kernel buffer. 209 /// 210 /// For a version that uses `&mut [u8]`, please see [`UserSliceReader::read_slice`]. 211 /// 212 /// Fails with [`EFAULT`] if the read happens on a bad address, or if the read goes out of 213 /// bounds of this [`UserSliceReader`]. This call may modify `out` even if it returns an error. 214 /// 215 /// # Guarantees 216 /// 217 /// After a successful call to this method, all bytes in `out` are initialized. 218 pub fn read_raw(&mut self, out: &mut [MaybeUninit<u8>]) -> Result { 219 let len = out.len(); 220 let out_ptr = out.as_mut_ptr().cast::<c_void>(); 221 if len > self.length { 222 return Err(EFAULT); 223 } 224 let Ok(len_ulong) = c_ulong::try_from(len) else { 225 return Err(EFAULT); 226 }; 227 // SAFETY: `out_ptr` points into a mutable slice of length `len_ulong`, so we may write 228 // that many bytes to it. 229 let res = 230 unsafe { bindings::copy_from_user(out_ptr, self.ptr as *const c_void, len_ulong) }; 231 if res != 0 { 232 return Err(EFAULT); 233 } 234 self.ptr = self.ptr.wrapping_add(len); 235 self.length -= len; 236 Ok(()) 237 } 238 239 /// Reads raw data from the user slice into a kernel buffer. 240 /// 241 /// Fails with [`EFAULT`] if the read happens on a bad address, or if the read goes out of 242 /// bounds of this [`UserSliceReader`]. This call may modify `out` even if it returns an error. 243 pub fn read_slice(&mut self, out: &mut [u8]) -> Result { 244 // SAFETY: The types are compatible and `read_raw` doesn't write uninitialized bytes to 245 // `out`. 246 let out = unsafe { &mut *(out as *mut [u8] as *mut [MaybeUninit<u8>]) }; 247 self.read_raw(out) 248 } 249 250 /// Reads the entirety of the user slice, appending it to the end of the provided buffer. 251 /// 252 /// Fails with [`EFAULT`] if the read happens on a bad address. 253 pub fn read_all(mut self, buf: &mut Vec<u8>, flags: Flags) -> Result { 254 let len = self.length; 255 VecExt::<u8>::reserve(buf, len, flags)?; 256 257 // The call to `try_reserve` was successful, so the spare capacity is at least `len` bytes 258 // long. 259 self.read_raw(&mut buf.spare_capacity_mut()[..len])?; 260 261 // SAFETY: Since the call to `read_raw` was successful, so the next `len` bytes of the 262 // vector have been initialized. 263 unsafe { buf.set_len(buf.len() + len) }; 264 Ok(()) 265 } 266 } 267 268 /// A writer for [`UserSlice`]. 269 /// 270 /// Used to incrementally write into the user slice. 271 pub struct UserSliceWriter { 272 ptr: UserPtr, 273 length: usize, 274 } 275 276 impl UserSliceWriter { 277 /// Returns the amount of space remaining in this buffer. 278 /// 279 /// Note that even writing less than this number of bytes may fail. 280 pub fn len(&self) -> usize { 281 self.length 282 } 283 284 /// Returns `true` if no more data can be written to this buffer. 285 pub fn is_empty(&self) -> bool { 286 self.length == 0 287 } 288 289 /// Writes raw data to this user pointer from a kernel buffer. 290 /// 291 /// Fails with [`EFAULT`] if the write happens on a bad address, or if the write goes out of 292 /// bounds of this [`UserSliceWriter`]. This call may modify the associated userspace slice even 293 /// if it returns an error. 294 pub fn write_slice(&mut self, data: &[u8]) -> Result { 295 let len = data.len(); 296 let data_ptr = data.as_ptr().cast::<c_void>(); 297 if len > self.length { 298 return Err(EFAULT); 299 } 300 let Ok(len_ulong) = c_ulong::try_from(len) else { 301 return Err(EFAULT); 302 }; 303 // SAFETY: `data_ptr` points into an immutable slice of length `len_ulong`, so we may read 304 // that many bytes from it. 305 let res = unsafe { bindings::copy_to_user(self.ptr as *mut c_void, data_ptr, len_ulong) }; 306 if res != 0 { 307 return Err(EFAULT); 308 } 309 self.ptr = self.ptr.wrapping_add(len); 310 self.length -= len; 311 Ok(()) 312 } 313 } 314