mirror of
https://github.com/genodelabs/genode.git
synced 2025-06-18 23:28:29 +00:00
mmio: upper-bounds checks
The classes Genode::Mmio, Genode::Register_set, Genode::Attached_mmio, and Platform::Device::Mmio now receive a template parameter 'size_t SIZE'. In each type that derives from one of these classes, it is now statically checked that the range of each Genode::Register::Register- and Genode::Register_set::Register_array-deriving sub-type is within [0..SIZE). That said, SIZE is the minimum size of the memory region provided to the above mentioned Mmio classes in order to avoid page faults or memory corruption when accessing the registers and register arrays declared inside. Note, that the range end of a register array is not the end of the last item but the end of integer access that is used for accessing the last bit in the last item. The constructors of Genode::Mmio, Genode::Attached_mmio, and Platform::Device::Mmio now receive an argument 'Byte_range_ptr range' that is expected to be the range of the backing memory region. In each type that derives from on of these classes, it is now dynamically checked that 'range.num_bytes >= SIZE', thereby implementing the above mention protection against page faults and memory corruption. The rest of the commit adapts the code throughout the Genode Labs repositories regarding the changes. Note that for that code inside Core, the commits mostly uses a simplified approach by constructing MMIO objects with range [base..base+SIZE) and not with a mapping- or specification-related range size. This should be fixed in the future. Furthermore, there are types that derive from an MMIO class but don't declare any registers or register arrays (especially with Platform::Device::Mmio). In this case SIZE is set to 0. This way, the parameters must be actively corrected by someone who later wants to add registers or register arrays, plus the places can be easily found by grep'ing for Mmio<0>. Fix #4081
This commit is contained in:
Martin Stein
committed by
Christian Helmuth
Christian Helmuth
parent
ee6f5f3b1b
commit
1336b0a751
@ -15,12 +15,14 @@
|
||||
#define _INCLUDE__UTIL__MMIO_H_
|
||||
|
||||
/* Genode includes */
|
||||
#include <base/log.h>
|
||||
#include <util/string.h>
|
||||
#include <util/register_set.h>
|
||||
|
||||
namespace Genode {
|
||||
|
||||
class Mmio_plain_access;
|
||||
class Mmio;
|
||||
template <size_t> class Mmio;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -32,27 +34,24 @@ class Genode::Mmio_plain_access
|
||||
|
||||
private:
|
||||
|
||||
addr_t const _base;
|
||||
Byte_range_ptr const _range;
|
||||
|
||||
/**
|
||||
* Write '_ACCESS_T' typed 'value' to MMIO base + 'offset'
|
||||
* Write 'ACCESS_T' typed 'value' to MMIO base + 'offset'
|
||||
*/
|
||||
template <typename ACCESS_T>
|
||||
inline void _write(off_t const offset, ACCESS_T const value)
|
||||
{
|
||||
addr_t const dst = _base + offset;
|
||||
*(ACCESS_T volatile *)dst = value;
|
||||
*(ACCESS_T volatile *)(_range.start + offset) = value;
|
||||
}
|
||||
|
||||
/**
|
||||
* Read '_ACCESS_T' typed from MMIO base + 'offset'
|
||||
* Read 'ACCESS_T' typed from MMIO base + 'offset'
|
||||
*/
|
||||
template <typename ACCESS_T>
|
||||
inline ACCESS_T _read(off_t const &offset) const
|
||||
{
|
||||
addr_t const dst = _base + offset;
|
||||
ACCESS_T const value = *(ACCESS_T volatile *)dst;
|
||||
return value;
|
||||
return *(ACCESS_T volatile *)(_range.start + offset);
|
||||
}
|
||||
|
||||
public:
|
||||
@ -62,9 +61,16 @@ class Genode::Mmio_plain_access
|
||||
*
|
||||
* \param base base address of targeted MMIO region
|
||||
*/
|
||||
Mmio_plain_access(addr_t const base) : _base(base) { }
|
||||
Mmio_plain_access(Byte_range_ptr const &range) : _range(range.start, range.num_bytes) { }
|
||||
|
||||
addr_t base() const { return _base; }
|
||||
Byte_range_ptr range_at(off_t offset) const
|
||||
{
|
||||
return {_range.start + offset, _range.num_bytes - offset};
|
||||
}
|
||||
|
||||
Byte_range_ptr range() const { return range_at(0); }
|
||||
|
||||
addr_t base() const { return (addr_t)range().start; }
|
||||
};
|
||||
|
||||
|
||||
@ -73,17 +79,28 @@ class Genode::Mmio_plain_access
|
||||
*
|
||||
* For further details refer to the documentation of the 'Register_set' class.
|
||||
*/
|
||||
struct Genode::Mmio : Mmio_plain_access, Register_set<Mmio_plain_access>
|
||||
template <Genode::size_t MMIO_SIZE>
|
||||
struct Genode::Mmio : Mmio_plain_access, Register_set<Mmio_plain_access, MMIO_SIZE>
|
||||
{
|
||||
static constexpr size_t SIZE = MMIO_SIZE;
|
||||
|
||||
class Range_violation : Exception { };
|
||||
|
||||
/**
|
||||
* Constructor
|
||||
*
|
||||
* \param base base address of targeted MMIO region
|
||||
* \param range byte range of targeted MMIO region
|
||||
*/
|
||||
Mmio(addr_t const base)
|
||||
Mmio(Byte_range_ptr const &range)
|
||||
:
|
||||
Mmio_plain_access(base),
|
||||
Register_set(*static_cast<Mmio_plain_access *>(this)) { }
|
||||
Mmio_plain_access(range),
|
||||
Register_set<Mmio_plain_access, SIZE>(*static_cast<Mmio_plain_access *>(this))
|
||||
{
|
||||
if (range.num_bytes < SIZE) {
|
||||
error("MMIO range is unexpectedly too small");
|
||||
throw Range_violation { };
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
#endif /* _INCLUDE__UTIL__MMIO_H_ */
|
||||
|
||||
Reference in New Issue
Block a user