一些安全性的增强

2023-12-02 09:49:15 +08:00
parent bc9055d784
commit 6f618a296f
12 changed files with 78 additions and 43 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -258,7 +258,8 @@
        "process_manager.h": "c",
        "fs_svr.h": "c",
        "pm_svr.h": "c",
-        "cons_cli.h": "c"
+        "cons_cli.h": "c",
+        "access.h": "c"
    },
    "cortex-debug.showRTOS": false,
    "cortex-debug.variableUseNaturalFormat": false,
--- a/mkrtos_knl/inc/knl/access.h
+++ b/mkrtos_knl/inc/knl/access.h
@@ -2,4 +2,4 @@

 #include <types.h>

-bool_t is_rw_access(void *addr, size_t size, bool_t ignore_null);
+bool_t is_rw_access(task_t *tg_task, void *addr, size_t size, bool_t ignore_null);
--- a/mkrtos_knl/inc/knl/mm_space.h
+++ b/mkrtos_knl/inc/knl/mm_space.h
@@ -2,7 +2,7 @@

 #include "types.h"
 #include "mm_page.h"
-
+#include <assert.h>
 #define REGION_NUM 8 //!< 默认为8
 typedef struct region_info
 {
@@ -20,8 +20,8 @@ typedef struct mm_space
 {
    region_info_t pt_regions[REGION_NUM]; //!< mpu内存保护块
    // mm_pages_t mm_pages;                  //!< 模拟分页内存
-    void *mm_block;                       //!< task 的私有内存块
-    size_t mm_block_size;                 //!< 私有内存块的大小
+    void *mm_block;       //!< task 的私有内存块
+    size_t mm_block_size; //!< 私有内存块的大小
 } mm_space_t;

 enum region_rights
@@ -44,6 +44,8 @@ static inline void mm_space_set_ram_block(mm_space_t *mm_space, void *mem, size_
 }
 static inline void mm_space_get_ram_block(mm_space_t *mm_space, void **mem, size_t *size)
 {
+    assert(mem);
+    assert(size);
    *mem = mm_space->mm_block;
    *size = mm_space->mm_block_size;
 }
--- a/mkrtos_knl/knl/access.c
+++ b/mkrtos_knl/knl/access.c
@@ -11,8 +11,12 @@
 * @param size
 * @return bool_t
 */
-bool_t is_rw_access(void *addr, size_t size, bool_t ignore_null)
+bool_t is_rw_access(task_t *tg_task, void *addr, size_t size, bool_t ignore_null)
 {
+    if (tg_task == NULL)
+    {
+        return FALSE;
+    }
    if (addr == NULL && ignore_null)
    {
        return TRUE;
@@ -20,10 +24,9 @@ bool_t is_rw_access(void *addr, size_t size, bool_t ignore_null)

    void *mem;
    size_t mem_size;
-    task_t *cur_task = thread_get_current_task();

-    mm_space_get_ram_block(&cur_task->mm_space, &mem, &mem_size);
-    if (mem <= addr && ((char *)addr + size) < (char *)mem + mem_size)
+    mm_space_get_ram_block(&tg_task->mm_space, &mem, &mem_size);
+    if (mem <= addr && (((char *)addr + size) <= ((char *)mem + mem_size)))
    {
        return TRUE;
    }
--- a/mkrtos_knl/knl/futex.c
+++ b/mkrtos_knl/knl/futex.c
@@ -221,7 +221,7 @@ static int futex_dispose(futex_t *fst, uint32_t *uaddr, int futex_op, uint32_t v
    {
    case FUTEX_REQUEUE:
    {
-        if (!is_rw_access(uaddr, sizeof(*uaddr), FALSE))
+        if (!is_rw_access(thread_get_bind_task(cur_th), uaddr, sizeof(*uaddr), FALSE))
        {
            spinlock_set(&fst->kobj.lock, status);
            return -EACCES;
@@ -281,7 +281,7 @@ static int futex_dispose(futex_t *fst, uint32_t *uaddr, int futex_op, uint32_t v
    break;
    case FUTEX_WAIT:
    {
-        if (!is_rw_access(uaddr, sizeof(*uaddr), FALSE))
+        if (!is_rw_access(thread_get_bind_task(cur_th),uaddr, sizeof(*uaddr), FALSE))
        {
            spinlock_set(&fst->kobj.lock, status);
            return -EACCES;
@@ -373,7 +373,7 @@ static int futex_dispose(futex_t *fst, uint32_t *uaddr, int futex_op, uint32_t v
    case FUTEX_UNLOCK_PI:
    case FUTEX_WAKE_CLEAR:
    {
-        if (!is_rw_access(uaddr, sizeof(*uaddr), FALSE))
+        if (!is_rw_access(thread_get_bind_task(cur_th),uaddr, sizeof(*uaddr), FALSE))
        {
            spinlock_set(&fst->kobj.lock, status);
            return -EACCES;
@@ -406,7 +406,7 @@ static int futex_dispose(futex_t *fst, uint32_t *uaddr, int futex_op, uint32_t v
    }
    case FUTEX_LOCK_PI:
    {
-        if (!is_rw_access(uaddr, sizeof(*uaddr), FALSE))
+        if (!is_rw_access(thread_get_bind_task(cur_th),uaddr, sizeof(*uaddr), FALSE))
        {
            spinlock_set(&fst->kobj.lock, status);
            return -EACCES;
--- a/mkrtos_knl/knl/mm_man.c
+++ b/mkrtos_knl/knl/mm_man.c
@@ -55,25 +55,31 @@ static void mm_man_syscall(kobject_t *kobj, syscall_prot_t sys_p, msg_tag_t in_t
    {
    case MM_ALLOC:
    {
-        // addr_t ret_addr;
-        // int ret = mm_pages_alloc_page(&cur_task->mm_space.mm_pages, cur_task->lim, f->r[1], &ret_addr, f->r[2]);
-        // if (ret < 0)
-        // {
-        //     tag = msg_tag_init4(0, 0, 0, ret);
-        // }
-        // else
-        // {
-        //     tag = msg_tag_init4(0, 0, 0, 0);
-        //     f->r[1] = ret_addr;
-        // }
+#if 0
+        addr_t ret_addr;
+        int ret = mm_pages_alloc_page(&cur_task->mm_space.mm_pages, cur_task->lim, f->r[1], &ret_addr, f->r[2]);
+        if (ret < 0)
+        {
+            tag = msg_tag_init4(0, 0, 0, ret);
+        }
+        else
+        {
+            tag = msg_tag_init4(0, 0, 0, 0);
+            f->r[1] = ret_addr;
+        }
+#else
        tag = msg_tag_init4(0, 0, 0, -ENOSYS);
+#endif
    }
    break;
    case MM_FREE:
    {
-        // mm_pages_free_page(&cur_task->mm_space.mm_pages, cur_task->lim, f->r[1], f->r[2]);
-        // tag = msg_tag_init4(0, 0, 0, 0);
+#if 0
+        mm_pages_free_page(&cur_task->mm_space.mm_pages, cur_task->lim, f->r[1], f->r[2]);
+        tag = msg_tag_init4(0, 0, 0, 0);
+#else
        tag = msg_tag_init4(0, 0, 0, -ENOSYS);
+#endif
    }
    break;
    case MM_ALIGN_ALLOC:
--- a/mkrtos_knl/knl/task.c
+++ b/mkrtos_knl/knl/task.c
@@ -225,7 +225,7 @@ void task_init(task_t *task, ram_limit_t *ram, int is_knl)
    mm_space_init(&task->mm_space, is_knl);
    ref_counter_init(&task->ref_cn);
    ref_counter_inc(&task->ref_cn);
-    task->pid = 0;
+    task->pid = -1;
    task->lim = ram;
    task->kobj.invoke_func = task_syscall_func;
    task->kobj.put_func = task_put;
--- a/mkrtos_knl/knl/thread.c
+++ b/mkrtos_knl/knl/thread.c
@@ -24,6 +24,8 @@
 #include "assert.h"
 #include "err.h"
 #include "map.h"
+#include "access.h"
+
 enum thread_op
 {
    SET_EXEC_REGS,
@@ -751,9 +753,16 @@ static void thread_syscall(kobject_t *kobj, syscall_prot_t sys_p, msg_tag_t in_t
    break;
    case MSG_BUG_SET:
    {
-        /*TODO:检查内存的可访问性*/
-        thread_set_msg_bug(tag_th, (void *)(f->r[1]));
-        tag = msg_tag_init4(0, 0, 0, 0);
+        if (is_rw_access(thread_get_bind_task(tag_th), (void *)(f->r[1]), THREAD_MSG_BUG_LEN, FALSE))
+        {
+            thread_set_msg_bug(tag_th, (void *)(f->r[1]));
+            tag = msg_tag_init4(0, 0, 0, 0);
+        }
+        else
+        {
+            //!< 内存不可访问
+            tag = msg_tag_init4(0, 0, 0, -EACCES);
+        }
    }
    case MSG_BUG_GET:
    {
@@ -771,11 +780,18 @@ static void thread_syscall(kobject_t *kobj, syscall_prot_t sys_p, msg_tag_t in_t
    break;
    case RUN_THREAD:
    {
-        if (thread_get_bind_task(tag_th) == NULL)
+        task_t *tag_tsk = thread_get_bind_task(tag_th);
+        if (tag_tsk == NULL)
        {
            tag = msg_tag_init4(0, 0, 0, -EACCES);
            break;
        }
+        if (task_pid_get(tag_tsk) == -1)
+        {
+            //!< 只有设置了pid才能启动，pid只有init进程能够设置，这就使得只有pid能够启动应用程序
+            tag = msg_tag_init4(0, 0, 0, -EACCES);
+            break;
+        }
        umword_t status = cpulock_lock();
        if (!slist_in_list(&tag_th->sche.node))
        {
--- a/mkrtos_knl/knl/thread_knl.c
+++ b/mkrtos_knl/knl/thread_knl.c
@@ -85,7 +85,7 @@ static void knl_init_2(void)
        }
    }
    init_thread->sche.prio = 2;
-    task_set_pid(init_task, 0);
+    init_task->pid = 0;
    thread_ready(init_thread, FALSE);
 }
 INIT_STAGE2(knl_init_2);
--- a/mkrtos_user/lib/sys_util/src/u_app_loader.c
+++ b/mkrtos_user/lib/sys_util/src/u_app_loader.c
@@ -130,12 +130,12 @@ int app_load(const char *name, uenv_t *cur_env)
    {
        goto end_del_obj;
    }
-    tag = thread_msg_buf_set(hd_thread, (void *)(ram_base + app->i.ram_size));
+    tag = thread_bind_task(hd_thread, hd_task);
    if (msg_tag_get_prot(tag) < 0)
    {
        goto end_del_obj;
    }
-    tag = thread_bind_task(hd_thread, hd_task);
+    tag = thread_msg_buf_set(hd_thread, (void *)(ram_base + app->i.ram_size));
    if (msg_tag_get_prot(tag) < 0)
    {
        goto end_del_obj;
--- a/mkrtos_user/lib/util/src/u_thread_util.c
+++ b/mkrtos_user/lib/util/src/u_thread_util.c
@@ -29,12 +29,7 @@ int u_thread_create(obj_handler_t *th_hd, void *stack, umword_t stack_size, void
        handler_free(th1_hd);
        return msg_tag_get_prot(tag);
    }
-    tag = thread_msg_buf_set(th1_hd, msg_buf);
-    if (msg_tag_get_prot(tag) < 0)
-    {
-        handler_free_umap(th1_hd);
-        return msg_tag_get_prot(tag);
-    }
+
    tag = thread_exec_regs(th1_hd, (umword_t)thread_func, (umword_t)stack + stack_size - sizeof(void *), RAM_BASE(), 0);
    if (msg_tag_get_prot(tag) < 0)
    {
@@ -47,6 +42,12 @@ int u_thread_create(obj_handler_t *th_hd, void *stack, umword_t stack_size, void
        handler_free_umap(th1_hd);
        return msg_tag_get_prot(tag);
    }
+    tag = thread_msg_buf_set(th1_hd, msg_buf);
+    if (msg_tag_get_prot(tag) < 0)
+    {
+        handler_free_umap(th1_hd);
+        return msg_tag_get_prot(tag);
+    }
    *th_hd = th1_hd;
    return 0;
 }
--- a/mkrtos_user/server/init/src/namespace.c
+++ b/mkrtos_user/server/init/src/namespace.c
@@ -1,12 +1,12 @@
 /**
 * @file namespace.c
 * @author zhangzheng (1358745329@qq.com)
- * @brief 
+ * @brief
 * @version 0.1
 * @date 2023-11-28
- * 
+ *
 * @copyright Copyright (c) 2023
- * 
+ *
 */
 #include <u_types.h>
 #include <string.h>
@@ -81,6 +81,12 @@ int namespace_query(const char *path, obj_handler_t *hd)
            char *split_str = strstr(path, ns.ne_list[i].path);
            if (split_str && (split_str == path))
            {
+                msg_tag_t tag = task_obj_valid(TASK_THIS, ns.ne_list[i].hd);
+                if (msg_tag_get_val(tag) != 1)
+                {
+                    // 对象变为无效，删除该条记录
+                    ns.ne_list[i].hd = HANDLER_INVALID;
+                }
                *hd = ns.ne_list[i].hd;
                return (int)(strlen(ns.ne_list[i].path));
            }