x86_64: add copy{from,to} functions

These are safer variants for read_mut() for userspace memory accesses.
Pretty documented rn but more detail could be done ig :^)

Signed-off-by: Anhad Singh <[email protected]>

Author: Andy-Python-Programmer

src/aero_kernel/src/arch/x86_64/interrupts/exceptions.rs

@@ -18,6 +18,7 @@
 use super::{io, InterruptErrorStack};
 
 use crate::arch::controlregs;
+use crate::arch::tls::get_percpu;
 use crate::mem::paging::PageFaultErrorCode;
 
 use crate::unwind;
@@ -120,6 +121,12 @@ pub fn breakpoint(stack: &mut InterruptErrorStack) {
 }
 
 pub(super) fn page_fault(stack: &mut InterruptErrorStack) {
+    let pf_resume = get_percpu().pf_resume.as_ptr::<u8>();
+    if !pf_resume.is_null() {
+        stack.stack.iret.rip = pf_resume as u64;
+        return;
+    }
+
     let accessed_address = controlregs::read_cr2();
     let reason = PageFaultErrorCode::from_bits_truncate(stack.code);
 

src/aero_kernel/src/arch/x86_64/interrupts/idt.rs

@@ -196,21 +196,21 @@ pub fn init() {
     INTERRUPT_HANDLERS.lock()[7] = IrqHandler::ErrorHandler(exceptions::device_not_available);
     INTERRUPT_HANDLERS.lock()[8] = IrqHandler::ErrorHandler(exceptions::double_fault);
 
-    // INTERRUPT_HANDLERS.lock()[9] is reserved.
+    // INTERRUPT_HANDLERS[9] is reserved.
     INTERRUPT_HANDLERS.lock()[10] = IrqHandler::ErrorHandler(exceptions::invalid_tss);
     INTERRUPT_HANDLERS.lock()[11] = IrqHandler::ErrorHandler(exceptions::segment_not_present);
     INTERRUPT_HANDLERS.lock()[12] = IrqHandler::ErrorHandler(exceptions::stack_segment);
     INTERRUPT_HANDLERS.lock()[13] = IrqHandler::ErrorHandler(exceptions::protection);
     INTERRUPT_HANDLERS.lock()[14] = IrqHandler::ErrorHandler(exceptions::page_fault);
 
-    // INTERRUPT_HANDLERS.lock()[15] is reserved.
+    // INTERRUPT_HANDLERS[15] is reserved.
     INTERRUPT_HANDLERS.lock()[16] = IrqHandler::ErrorHandler(exceptions::fpu_fault);
     INTERRUPT_HANDLERS.lock()[17] = IrqHandler::ErrorHandler(exceptions::alignment_check);
     INTERRUPT_HANDLERS.lock()[18] = IrqHandler::ErrorHandler(exceptions::machine_check);
     INTERRUPT_HANDLERS.lock()[19] = IrqHandler::ErrorHandler(exceptions::simd);
     INTERRUPT_HANDLERS.lock()[20] = IrqHandler::ErrorHandler(exceptions::virtualization);
 
-    // INTERRUPT_HANDLERS.lock()[21..29] are reserved.
+    // INTERRUPT_HANDLERS[21..29] are reserved.
     INTERRUPT_HANDLERS.lock()[30] = IrqHandler::ErrorHandler(exceptions::security);
 
     unsafe {

src/aero_kernel/src/arch/x86_64/mod.rs

@@ -25,6 +25,7 @@ pub mod syscall;
 pub mod task;
 pub mod time;
 pub mod tls;
+pub mod user_copy;
 
 use core::sync::atomic::Ordering;
 

src/aero_kernel/src/arch/x86_64/task.rs

@@ -109,6 +109,12 @@ pub fn userland_last_address() -> VirtAddr {
     })
 }
 
+/// Returns whether the given pointer is within the userland address space.
+pub fn user_access_ok<T>(ptr: *const T) -> bool {
+    let size = core::mem::size_of::<T>();
+    VirtAddr::new(ptr as u64 + size as u64) <= super::task::userland_last_address()
+}
+
 const USERLAND_STACK_SIZE: u64 = 0x64000;
 
 //(1 << 47) - (Size4KiB::SIZE * 2)

src/aero_kernel/src/arch/x86_64/tls.rs

@@ -31,6 +31,7 @@ use alloc::vec::Vec;
 use super::gdt::*;
 use super::io;
 
+use crate::mem::paging::VirtAddr;
 use crate::utils::sync::Mutex;
 
 use raw_cpuid::FeatureInfo;
@@ -115,6 +116,7 @@ pub struct PerCpuData {
     pub lapic_timer_frequency: u32,
 
     pub(super) gdt: &'static mut [GdtEntry],
+    pub(super) pf_resume: VirtAddr,
 }
 
 /// SAFETY: The GS base should point to the kernel PCR.

src/aero_kernel/src/arch/x86_64/user_copy.rs

@@ -0,0 +1,154 @@
+// Copyright (C) 2021-2023 The Aero Project Developers.
+//
+// This file is part of The Aero Project.
+//
+// Aero is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Aero is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Aero. If not, see <https://www.gnu.org/licenses/>.
+
+use core::mem::MaybeUninit;
+use core::ops::{Deref, DerefMut};
+
+use crate::mem::paging::VirtAddr;
+
+use super::task::user_access_ok;
+use super::tls::get_percpu;
+
+/// Copy to/from a block of data from user space. Returns whether the copy was successful.
+///
+/// # Safety
+/// The caller must ensure that:
+/// * If copying to userspace, the `dest` pointer must be within the userland address space.
+/// * If copying from userspace, the `dest` pointer must be valid for `size` bytes.
+///
+/// ## Concurrent Accesses
+/// Concurrent access, *including potential data races with userspace memory*, are permitted since
+/// other userspace threads or processes may modify the memory concurrently. This behavior is
+/// similar to how [`std::io`] permits data races with file contents on disk.
+///
+/// [`std::io`]: https://doc.rust-lang.org/std/io/index.html
+#[naked]
+unsafe extern "C" fn copy_to_from_user(
+    dest: *mut u8,
+    src: *const u8,
+    size: usize,
+
+    fault_resume: *const u8,
+) -> bool {
+    // Registers used:
+    //
+    // %rax = argument 1, `dest`
+    // %rsi = argument 2, `src`
+    // %rdx = argument 3, `size`
+    // %rcx = argument 4, `fault_resume`
+    asm!(
+        // Copy `fault_resume` out of %rcx because it will be utilized by `rep movsb` latter.
+        "mov r10, rcx",
+        // Setup the page fault resume.
+        "lea rax, 1f",
+        "mov [r10], rax",
+        // XXX: From this point until the fault return is reset, no function calls or stack
+        // manipulations should be performed. We must ensure the ability to restore all callee
+        // registers without any knowledge of the exact location within this code where a fault may
+        // occur.
+        //
+        // Copy 8 bytes at a time and then one byte at a time for the remainder.
+        "mov rcx, rdx",
+        "shr rcx, 3",
+        "rep movsq",
+        "and edx, 7",
+        "je 2f",
+        "mov ecx, edx",
+        "rep movsb",
+        // Set return value to `true`.
+        "2:",
+        "mov eax, 1",
+        // Reset the `fault_resume` pointer and return.
+        "3:",
+        "mov qword ptr [r10], 0",
+        "ret",
+        // `fault_resume` handler - set return value to `false` and return.
+        "1:",
+        "xor eax, eax",
+        "jmp 3b",
+        options(noreturn)
+    )
+}
+
+/// Copy a structure from userspace memory. Returns whether the copy was successful.
+#[must_use]
+fn copy_from_user<T>(dest: &mut MaybeUninit<T>, src: *const T) -> bool {
+    let fault_resume = &get_percpu().pf_resume as *const _ as *const u8;
+    let size = core::mem::size_of::<T>();
+
+    user_access_ok(src);
+
+    // SAFETY: We have verified that the `src` pointer is within the userland address space.
+    unsafe { copy_to_from_user(dest.as_mut_ptr().cast(), src.cast(), size, fault_resume) }
+}
+
+/// Copy a structure from userspace memory. Returns whether the copy was successful.
+#[must_use]
+fn copy_to_user<T>(dest: *mut T, src: &T) -> bool {
+    let fault_resume = &get_percpu().pf_resume as *const _ as *const u8;
+    let size = core::mem::size_of::<T>();
+    let src_ptr = src as *const T;
+
+    user_access_ok(dest);
+
+    // SAFETY: We have verified that the `dest` pointer is within the userland address space.
+    unsafe { copy_to_from_user(dest.cast(), src_ptr.cast(), size, fault_resume) }
+}
+
+/// A reference to a structure in userspace memory, which can be either read-only or read-write.
+///
+/// Concurrent access, *including data races to/from userspace memory*, are permitted. See the
+/// documentation of [`copy_to_from_user`] for more information.
+pub struct UserRef<T> {
+    ptr: *mut T,
+    val: T,
+}
+
+impl<T> UserRef<T> {
+    pub unsafe fn new(address: VirtAddr) -> Self {
+        let mut val = MaybeUninit::<T>::uninit();
+
+        // FIXME: Return an error if the copy fails.
+        assert!(copy_from_user(&mut val, address.as_ptr()));
+
+        Self {
+            ptr: address.as_mut_ptr(),
+            // SAFETY: We have initialized the value via `copy_from_user` above.
+            val: unsafe { val.assume_init() },
+        }
+    }
+}
+
+impl<T> Deref for UserRef<T> {
+    type Target = T;
+
+    fn deref(&self) -> &Self::Target {
+        &self.val
+    }
+}
+
+impl<T> DerefMut for UserRef<T> {
+    fn deref_mut(&mut self) -> &mut Self::Target {
+        &mut self.val
+    }
+}
+
+impl<T> Drop for UserRef<T> {
+    fn drop(&mut self) {
+        assert!(copy_to_user(self.ptr, &self.val));
+    }
+}

src/aero_kernel/src/drivers/drm/mod.rs

@@ -24,6 +24,7 @@ use alloc::vec::Vec;
 use bit_field::BitField;
 use hashbrown::HashMap;
 
+use crate::arch::user_copy::UserRef;
 use crate::fs;
 use crate::fs::inode::INodeInterface;
 use crate::fs::{devfs, FileSystemError};
@@ -405,7 +406,7 @@ impl INodeInterface for Drm {
     fn ioctl(&self, command: usize, arg: usize) -> fs::Result<usize> {
         match command {
             DRM_IOCTL_VERSION => {
-                let struc = VirtAddr::new(arg as u64).read_mut::<DrmVersion>().unwrap();
+                let mut struc = unsafe { UserRef::<DrmVersion>::new(VirtAddr::new(arg as u64)) };
 
                 let (major, minor, patch_level) = self.device.driver_version();
                 let (name, desc, date) = self.device.driver_info();
@@ -422,7 +423,7 @@ impl INodeInterface for Drm {
             }
 
             DRM_IOCTL_GET_CAP => {
-                let struc = VirtAddr::new(arg as u64).read_mut::<DrmGetCap>().unwrap();
+                let mut struc = unsafe { UserRef::<DrmGetCap>::new(VirtAddr::new(arg as u64)) };
 
                 // NOTE: The user is responsible for zeroing out the structure.
                 match struc.capability {
@@ -442,9 +443,8 @@ impl INodeInterface for Drm {
             }
 
             DRM_IOCTL_MODE_GETRESOURCES => {
-                let struc = VirtAddr::new(arg as u64)
-                    .read_mut::<DrmModeCardRes>()
-                    .unwrap();
+                let mut struc =
+                    unsafe { UserRef::<DrmModeCardRes>::new(VirtAddr::new(arg as u64)) };
 
                 /// Copies the mode object IDs into the user provided buffer. For safety, checkout
                 /// the [`copy_field`] function.
@@ -489,15 +489,15 @@ impl INodeInterface for Drm {
             }
 
             DRM_IOCTL_GET_CRTC => {
-                let struc = VirtAddr::new(arg as u64).read_mut::<DrmModeCrtc>().unwrap();
+                let struc = unsafe { UserRef::<DrmModeCrtc>::new(VirtAddr::new(arg as u64)) };
                 let _object = self.find_object(struc.crtc_id).unwrap().as_crtc().unwrap();
 
                 log::warn!("drm::get_crtc: is a stub!");
                 Ok(0)
             }
 
             DRM_IOCTL_SET_CRTC => {
-                let struc = VirtAddr::new(arg as u64).read_mut::<DrmModeCrtc>().unwrap();
+                let struc = unsafe { UserRef::<DrmModeCrtc>::new(VirtAddr::new(arg as u64)) };
                 let _object = self.find_object(struc.crtc_id).unwrap().as_crtc().unwrap();
 
                 let object = self
@@ -513,9 +513,8 @@ impl INodeInterface for Drm {
             }
 
             DRM_IOCTL_GET_ENCODER => {
-                let struc = VirtAddr::new(arg as u64)
-                    .read_mut::<DrmModeGetEncoder>()
-                    .unwrap();
+                let mut struc =
+                    unsafe { UserRef::<DrmModeGetEncoder>::new(VirtAddr::new(arg as u64)) };
 
                 let object = self
                     .find_object(struc.encoder_id)
@@ -544,9 +543,8 @@ impl INodeInterface for Drm {
             }
 
             DRM_IOCTL_GET_CONNECTOR => {
-                let struc = VirtAddr::new(arg as u64)
-                    .read_mut::<DrmModeGetConnector>()
-                    .unwrap();
+                let mut struc =
+                    unsafe { UserRef::<DrmModeGetConnector>::new(VirtAddr::new(arg as u64)) };
 
                 let object = self
                     .find_object(struc.connector_id)
@@ -592,9 +590,8 @@ impl INodeInterface for Drm {
             }
 
             DRM_IOCTL_MODE_CREATE_DUMB => {
-                let struc = VirtAddr::new(arg as u64)
-                    .read_mut::<DrmModeCreateDumb>()
-                    .unwrap();
+                let mut struc =
+                    unsafe { UserRef::<DrmModeCreateDumb>::new(VirtAddr::new(arg as u64)) };
 
                 let (mut buffer, pitch) =
                     self.device
@@ -612,9 +609,7 @@ impl INodeInterface for Drm {
             }
 
             DRM_IOCTL_MODE_ADDFB => {
-                let struc = VirtAddr::new(arg as u64)
-                    .read_mut::<DrmModeFbCmd>()
-                    .unwrap();
+                let mut struc = unsafe { UserRef::<DrmModeFbCmd>::new(VirtAddr::new(arg as u64)) };
 
                 let handle = self.find_handle(struc.handle).unwrap();
                 self.device
@@ -628,9 +623,8 @@ impl INodeInterface for Drm {
             }
 
             DRM_IOCTL_MODE_MAP_DUMB => {
-                let struc = VirtAddr::new(arg as u64)
-                    .read_mut::<DrmModeMapDumb>()
-                    .unwrap();
+                let mut struc =
+                    unsafe { UserRef::<DrmModeMapDumb>::new(VirtAddr::new(arg as u64)) };
 
                 let handle = self.find_handle(struc.handle).unwrap();
                 struc.offset = handle.mapping as _;

src/aero_kernel/src/main.rs

@@ -46,6 +46,7 @@
     int_roundings, // https://github.com/rust-lang/rust/issues/88581
     const_ptr_is_null, // https://github.com/rust-lang/rust/issues/74939
     trait_upcasting, // https://github.com/rust-lang/rust/issues/65991
+    naked_functions, // https://github.com/rust-lang/rust/issues/32408
 )]
 #![deny(trivial_numeric_casts, unused_allocation)]
 #![test_runner(crate::tests::test_runner)]