From 415e14e9c363904d340d7f1ddc99a74dce578268 Mon Sep 17 00:00:00 2001 From: laokengwt <143977175+laokengwt@users.noreply.github.com> Date: Fri, 31 May 2024 10:20:51 +0800 Subject: [PATCH] fix(driver): fix memory security problem in tty device ioctl (#833) * add soft link to musl-gcc * fix the tty_ioctl * modified * modified --- kernel/src/driver/tty/tty_device.rs | 45 +++++++++++++++++++---------- kernel/src/filesystem/vfs/file.rs | 6 +--- kernel/src/filesystem/vfs/mod.rs | 8 +++++ kernel/src/net/event_poll/mod.rs | 6 ++++ 4 files changed, 45 insertions(+), 20 deletions(-) diff --git a/kernel/src/driver/tty/tty_device.rs b/kernel/src/driver/tty/tty_device.rs index e2458607..56a053b4 100644 --- a/kernel/src/driver/tty/tty_device.rs +++ b/kernel/src/driver/tty/tty_device.rs @@ -34,7 +34,7 @@ use crate::{ spinlock::SpinLockGuard, }, mm::VirtAddr, - net::event_poll::{EPollItem, EventPoll}, + net::event_poll::{EPollItem, KernelIoctlData}, process::ProcessManager, syscall::user_access::{UserBufferReader, UserBufferWriter}, }; @@ -308,6 +308,35 @@ impl IndexNode for TtyDevice { Ok(()) } + fn kernel_ioctl( + &self, + arg: Arc, + data: &FilePrivateData, + ) -> Result { + let epitem = arg + .arc_any() + .downcast::() + .map_err(|_| SystemError::EFAULT)?; + + let _ = UserBufferReader::new( + &epitem as *const Arc, + core::mem::size_of::>(), + false, + )?; + + let (tty, _) = if let FilePrivateData::Tty(tty_priv) = data { + (tty_priv.tty(), tty_priv.mode) + } else { + return Err(SystemError::EIO); + }; + + let core = tty.core(); + + core.add_epitem(epitem.clone()); + + return Ok(0); + } + fn ioctl(&self, cmd: u32, arg: usize, data: &FilePrivateData) -> Result { let (tty, _) = if let FilePrivateData::Tty(tty_priv) = data { (tty_priv.tty(), tty_priv.mode) 
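Review bot: The `let _ = UserBufferReader::new(&epitem as *const Arc, ..., false)?;` statement kept in the new `kernel_ioctl` (second hunk of `tty_device.rs`) checks nothing useful. It points at the address of the local `epitem` binding, which is kernel memory, and its result is discarded. It looks like a leftover from the removed `ioctl` arm, where the reader was aimed at the caller-supplied `arg`. Here the `downcast` already establishes the type, so the statement can be deleted, which also stops it suggesting to later readers that a user pointer is being validated. Two smaller points in the same body: `epitem` is owned and not used afterwards, so `core.add_epitem(epitem)` should work without `.clone()`, and a failed downcast is a wrong-type argument rather than a bad address, so `SystemError::EINVAL` may fit better than `EFAULT`.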
@@ -326,20 +355,6 @@ impl IndexNode for TtyDevice { todo!() } } - EventPoll::ADD_EPOLLITEM => { - let _ = UserBufferReader::new( - arg as *const Arc, - core::mem::size_of::>(), - false, - )?; - let epitem = unsafe { &*(arg as *const Arc) }; - - let core = tty.core(); - - core.add_epitem(epitem.clone()); - - return Ok(0); - } _ => {} } diff --git a/kernel/src/filesystem/vfs/file.rs b/kernel/src/filesystem/vfs/file.rs index 318035f0..d0e8f471 100644 --- a/kernel/src/filesystem/vfs/file.rs +++ b/kernel/src/filesystem/vfs/file.rs @@ -492,11 +492,7 @@ impl File { return inode.inner().lock().add_epoll(epitem); } _ => { - let r = self.inode.ioctl( - EventPoll::ADD_EPOLLITEM, - &epitem as *const Arc as usize, - &self.private_data.lock(), - ); + let r = self.inode.kernel_ioctl(epitem, &self.private_data.lock()); if r.is_err() { return Err(SystemError::ENOSYS); } diff --git a/kernel/src/filesystem/vfs/mod.rs b/kernel/src/filesystem/vfs/mod.rs index 7bdbe47b..c8b4a3ae 100644 --- a/kernel/src/filesystem/vfs/mod.rs +++ b/kernel/src/filesystem/vfs/mod.rs @@ -350,6 +350,14 @@ pub trait IndexNode: Any + Sync + Send + Debug + CastFromSync { return Err(SystemError::ENOSYS); } + fn kernel_ioctl( + &self, + _arg: Arc, + _data: &FilePrivateData, + ) -> Result { + return Err(SystemError::ENOSYS); + } + /// @brief 获取inode所在的文件系统的指针 fn fs(&self) -> Arc; diff --git a/kernel/src/net/event_poll/mod.rs b/kernel/src/net/event_poll/mod.rs index de80368e..89d3bca7 100644 --- a/kernel/src/net/event_poll/mod.rs +++ b/kernel/src/net/event_poll/mod.rs @@ -1,4 +1,5 @@ use core::{ + any::Any, fmt::Debug, sync::atomic::{AtomicBool, Ordering}, }; @@ -8,6 +9,7 @@ use alloc::{ sync::{Arc, Weak}, vec::Vec, }; +use intertrait::CastFromSync; use system_error::SystemError; use crate::{ 
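Review bot: In `kernel/src/filesystem/vfs/file.rs` the result of the new `kernel_ioctl` call still goes through the unchanged `if r.is_err() { return Err(SystemError::ENOSYS); }`. The `EFAULT` and `EIO` that the tty implementation in this patch can return are therefore reported to the caller as "not supported". If nothing depends on `ENOSYS` specifically, propagating the error keeps the cause visible: `self.inode.kernel_ioctl(epitem, &self.private_data.lock())?;`. The enclosing function starts and ends outside the hunk, so whether `r` or the flattened error is relied on later cannot be checked from here.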
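Review bot: The new default `IndexNode::kernel_ioctl` in `kernel/src/filesystem/vfs/mod.rs` has no doc comment, unlike the neighbouring `fs()` method, yet its contract is the whole reason the method exists. I would add a doc comment along the lines of `/// Kernel-internal control call: arg is a typed, kernel-owned object, never a user-supplied address; must not be reachable from the ioctl syscall path.` Writing this down guards against someone later wiring a user-facing command back into this entry point and reintroducing the pointer cast that this commit removes.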
@@ -130,6 +132,10 @@ impl EPollItem { } } +pub trait KernelIoctlData: Send + Sync + Any + Debug + CastFromSync {} + +impl KernelIoctlData for EPollItem {} + /// ### Epoll文件的私有信息 #[derive(Debug, Clone)] pub struct EPollPrivateData {
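Review bot: `KernelIoctlData` is a public, empty marker trait with no doc comment, and nothing in it tells an implementor of `kernel_ioctl` which operation is being requested. In the tty implementation in this patch the concrete type `EPollItem` is the entire command. A short comment would record that, for example `/// Marker for kernel-owned values passed to IndexNode::kernel_ioctl; the receiver downcasts and must reject types it does not handle.` The neighbouring items already use `///` comments, so this matches the file. If a second operation is ever added, an enum of requests would give exhaustive matching instead of a chain of downcasts.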