Re: svn commit: r332086 - head/sys/kern

2018-04-05 Thread Brooks Davis
On Thu, Apr 05, 2018 at 08:31:45PM +, Brooks Davis wrote:
> Author: brooks
> Date: Thu Apr  5 20:31:45 2018
> New Revision: 332086
> URL: https://svnweb.freebsd.org/changeset/base/332086
> 
> Log:
>   Added SAL annotations to system calls.
>   
>   Modify makesyscalls.sh to strip out SAL annotations.
>   
>   No functional change.
>   
>   This is based on work I started in CheriBSD and use to validate fat
>   pointers at the syscall boundary.  Tal Garfinkel reviewed the changes,
>   added annotations to COMPAT* syscalls and is using them in a record and
>   playback framework.  One can envision other uses such as a WITNESS-like
>   validator for copyin/out as speculated on in the review.
>   
>   At this time we are only annotating sys/kern/syscalls.master as that is
>   sufficient for userspace work.  If kernel use cases materialize, we can
>   annotate other syscalls.master as needed.
>   
>   Submitted by:   Tal Garfinkel 
>   Sponsored by:   DARPA, AFRL (in part)
>   Differential Revision:  https://reviews.freebsd.org/D14285

Sorry, I misplaced a:

Reviewed by:	cem (prior version)

-- Brooks




svn commit: r332086 - head/sys/kern

2018-04-05 Thread Brooks Davis
Author: brooks
Date: Thu Apr  5 20:31:45 2018
New Revision: 332086
URL: https://svnweb.freebsd.org/changeset/base/332086

Log:
  Added SAL annotations to system calls.
  
  Modify makesyscalls.sh to strip out SAL annotations.
  
  No functional change.
  
  This is based on work I started in CheriBSD and use to validate fat
  pointers at the syscall boundary.  Tal Garfinkel reviewed the changes,
  added annotations to COMPAT* syscalls and is using them in a record and
  playback framework.  One can envision other uses such as a WITNESS-like
  validator for copyin/out as speculated on in the review.
  
  At this time we are only annotating sys/kern/syscalls.master as that is
  sufficient for userspace work.  If kernel use cases materialize, we can
  annotate other syscalls.master as needed.
  
  Submitted by: Tal Garfinkel 
  Sponsored by: DARPA, AFRL (in part)
  Differential Revision:	https://reviews.freebsd.org/D14285

Modified:
  head/sys/kern/makesyscalls.sh
  head/sys/kern/syscalls.master

Modified: head/sys/kern/makesyscalls.sh
==
--- head/sys/kern/makesyscalls.sh   Thu Apr  5 19:45:30 2018
(r332085)
+++ head/sys/kern/makesyscalls.sh   Thu Apr  5 20:31:45 2018
(r332086)
@@ -400,6 +400,16 @@ sed -e '
}
if (argtype[argc] == "")
parserr($f, "argument definition")
+
+   # The parser adds space around parens.
+   # Remove it from annotations.
+   gsub(/ \( /, "(", argtype[argc]);
+   gsub(/ \)/, ")", argtype[argc]);
+
+   #remove annotations
+   gsub(/_In[^ ]*[_)] /, "", argtype[argc]);
+   gsub(/_Out[^ ]*[_)] /, "", argtype[argc]);
+
argname[argc]=$f;
f += 2; # skip name, and any comma
}
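
Review bot: the two stripping patterns, `gsub(/_In[^ ]*[_)] /, "", argtype[argc]);` and its `_Out` twin, only work while the annotation's parenthesised argument contains no whitespace: `[^ ]*` stops at the first space, so a count expression with spaces in it (for instance `_In_reads_bytes_(n * size)`, which the grammar documented in syscalls.master does not rule out) would be stripped only up to the first space and the residue would be emitted into the generated prototype. Since the annotation is always the leading token of argtype[argc] in the hunks below, anchoring the patterns at the start of the string and either matching balanced parentheses or calling parserr() when an annotation is not fully consumed would fail loudly instead of silently producing a bad sysproto.h. Also worth a comment that `_Inout_` is covered by the `_In` pattern, since a reader checking the three documented base annotations against these two lines will otherwise think one is missing; and `#remove annotations` lacks the space after `#` that the neighbouring comments use.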

Modified: head/sys/kern/syscalls.master
==
--- head/sys/kern/syscalls.master   Thu Apr  5 19:45:30 2018
(r332085)
+++ head/sys/kern/syscalls.master   Thu Apr  5 20:31:45 2018
(r332086)
@@ -43,7 +43,32 @@
 ;  function prototype in sys/sysproto.h.  Does add a
 ;  definition to syscall.h besides adding a sysent.
 ;  NOTSTATIC syscall is loadable
+
+; annotations:
+;  SAL 2.0 annotations are used to specify how system calls treat
+;  arguments that are passed using pointers. There are three basic
+;  annotations.
 ;
+;  _In_Object pointed to will be read and not modified.
+;  _Out_   Object pointed to will be written and not read.
+;  _Inout_ Object pointed to will be written and read.
+;
+;  These annotations are used alone when the pointer refers to a single
+;  object i.e. scalar types, structs, and pointers, and not NULL. Adding
+;  the _opt_ suffix, e.g. _In_opt_, implies that the pointer may also
+;  refer to NULL.
+;
+;  For pointers to arrays, additional suffixes are added:
+;
+;  _In_z_, _Out_z_, _Inout_z_:
+;  for a NUL terminated array e.g. a string.
+;  _In_reads_z_(n),_Out_writes_z_(n), _Inout_updates_z_(n):
+;  for a NUL terminated array e.g. a string, of known length n bytes.
+;  _In_reads_(n),_Out_writes_(n),_Inout_updates_(n):
+;  for an array of n elements.
+;  _In_reads_bytes_(n), _Out_writes_bytes_(n), _Inout_updates_bytes(n):
+;  for a buffer of n-bytes.
+
 ; Please copy any additions and changes to the following compatability tables:
 ; sys/compat/freebsd32/syscalls.master
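Review bot: `_Inout_updates_bytes(n)` on the `_In_reads_bytes_(n), _Out_writes_bytes_(n), _Inout_updates_bytes(n):` line is missing its trailing underscore; the two forms beside it and every other annotation in the block end in `_`, and contributors copying this line would spell the annotation differently from the rest of the file. The unit should also be stated consistently: `_In_reads_(n)` is documented as "n elements" while `_In_reads_z_(n)` is documented as "n bytes"; for a `char` string these coincide, but a validator built from these annotations needs one convention for wider element types. Finally, the block should say what a reader of this file cannot otherwise tell: that makesyscalls.sh strips the annotations and nothing in the kernel consumes them yet (per the commit message), and whether `_opt_` composes with the array forms (e.g. `_In_reads_opt_(n)`) or is limited to the single-object forms, as the text currently implies.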
 
@@ -63,143 +88,181 @@
 1  AUE_EXITSTD { void sys_exit(int rval); } exit \
sys_exit_args void
 2  AUE_FORKSTD { int fork(void); }
-3  AUE_READSTD { ssize_t read(int fd, void *buf, \
+3  AUE_READSTD { ssize_t read(int fd, \
+   _Out_writes_bytes_(nbyte) void *buf, \
size_t nbyte); }
-4  AUE_WRITE   STD { ssize_t write(int fd, const void *buf, \
+4  AUE_WRITE   STD { ssize_t write(int fd, \
+   _In_reads_bytes_(nbyte) const void *buf, \
size_t nbyte); }
-5  AUE_OPEN_RWTC   STD { int open(char *path, int flags, int mode); }
+5  AUE_OPEN_RWTC   STD { int open( \
+   _In_z_ char *path, \
+   int flags, \
+   int mode); }
 ; XXX should be{ int open(const char *path, int flags, ...); }
 ; but we're not ready for `const' or varargs.
 ; XXX man page says `mode_t mode'.
 6  AUE_CLOSE   STD { int close(int
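Review bot: `_Out_writes_bytes_(nbyte)` on read(2)'s `buf` records, by the block's own definition ("Object pointed to will be written"), that all nbyte bytes are written, but read(2) may fill fewer than nbyte bytes on a short read or at EOF, and the annotation block above offers no form to express a written count that differs from the buffer size. Either document that the count on `_Out_writes_bytes_` and `_In_reads_bytes_` is the caller-supplied upper bound a copyin/copyout validator must accept, or extend the block with a form for "buffer of n bytes, fewer may be written", before a WITNESS-like checker is built on these. On open(2), `_In_z_ char *path` carries the read-only contract that the non-const type does not; the XXX comment directly below already wants `const char *path`, so a note there that the annotation, not the type, now documents read-only use would keep the two from drifting apart.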