[MIPS] Add seccomp bpf support

sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Note: any code in this file MUST be async-signal safe.
 
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 
 #include <unistd.h>
 
@@ skipping 26 matching lines @@
     // TODO(jln): query the current policy to check if send() is available and
     // use it to perform a non-blocking write.
     const int ret = HANDLE_EINTR(write(STDERR_FILENO, error_message, size));
     // We can't handle any type of error here.
     if (ret <= 0 || static_cast<size_t>(ret) > size) break;
     size -= ret;
     error_message += ret;
   }
 }
 
+// Invalid syscall values are truncated to zero.
+// On architectures where base value is zero (Intel and Arm),
+// syscall number is the same as offset from base.
+// On architectures where base value is different than zero (Mips),
+// we are truncating valid syscall value to offset from base.

[jln (very slow on Chromium), 2014/05/28 00:06:57]

Let's add the guarantee explicitly that sysno will be between 0 and 1023 in the
comment.

[nedeljko, 2014/05/28 09:33:43]

for MIPS 0 to __NR_Linux_syscalls, for Intel/Arm 0 to 1023.

[nedeljko, 2014/05/29 14:06:45]

Done.

+uint32_t SyscallNumberToOffsetFromBase(uint32_t sysno) {
+#if defined(__mips__)
+  // On MIPS syscall numbers are in different range than on x86 and ARM.
+  // Valid MIPS O32 ABI syscall __NR_syscall will be truncated to zero for
+  // simlicity.
+  if (sysno > __NR_Linux && sysno <= __NR_Linux + __NR_Linux_syscalls)
+    sysno = sysno - __NR_Linux;
+  else
+    sysno = 0;
+#else
+  if (sysno >= 1024)

[jln (very slow on Chromium), 2014/05/28 00:06:57]

Let's do this unconditionally. On MIPS, this should be a no-op, but it makes it
easy to assert that this function will never return something bigger than 1023.

[nedeljko, 2014/05/28 09:33:43]

I am not sure that I understand you correctly.
If I remove this condition, the function will truncate both invalid and valid
sysno to zero on Intel/Arm.

[jln (very slow on Chromium), 2014/06/03 01:00:33]

The "if (sysno >= 1024) sysno = 0" should be kept there on all architectures.
That way, we can guarantee that the function will return a value between 0 and
1023. With that guarantee, we know that dereferencing this value will end-up in
the first page of the address space.

+    sysno = 0;
+#endif
+  return sysno;
+}
+
 // Print a seccomp-bpf failure to handle |sysno| to stderr in an
 // async-signal safe way.
 void PrintSyscallError(uint32_t sysno) {
-  if (sysno >= 1024)
-    sysno = 0;
+
+  sysno = SyscallNumberToOffsetFromBase(sysno);
+
   // TODO(markus): replace with async-signal safe snprintf when available.
   const size_t kNumDigits = 4;
   char sysno_base10[kNumDigits];
   uint32_t rem = sysno;
   uint32_t mod = 0;
   for (int i = kNumDigits - 1; i >= 0; i--) {
     mod = rem % 10;
     rem /= 10;
     sysno_base10[i] = '0' + mod;
   }
+#if defined(__mips__) && (_MIPS_SIM == _MIPS_SIM_ABI32)
+  static const char kSeccompErrorPrefix[] =
+      __FILE__":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT
+                               " in syscall 4000 + ";
+#else
   static const char kSeccompErrorPrefix[] =
       __FILE__":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall ";
+#endif
   static const char kSeccompErrorPostfix[] = "\n";
   WriteToStdErr(kSeccompErrorPrefix, sizeof(kSeccompErrorPrefix) - 1);
   WriteToStdErr(sysno_base10, sizeof(sysno_base10));
   WriteToStdErr(kSeccompErrorPostfix, sizeof(kSeccompErrorPostfix) - 1);
 }
 
 }  // namespace.
 
 namespace sandbox {
 
 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
   uint32_t syscall = args.nr;
-  if (syscall >= 1024)
-    syscall = 0;
+
   PrintSyscallError(syscall);

[jln (very slow on Chromium), 2014/05/28 00:06:57]

The truncation here is important for security, as we are dereferencing this as
an address.

You still need to call SyscallNumberToOffsetFromBase()

[nedeljko, 2014/05/28 09:33:43]

Calling SyscallNumberToOffsetFromBase() here is a problem on MIPS.

First call would truncate valid syscall numbers to offset from base, but then
the second call (in PrintSyscallError()) would truncate this offset to zero,
since offset is not a valid sysno...

Maybe I should call SyscallNumberToOffsetFromBase() here and in
PrintSyscallError() just do truncation:
  if (sysno >= 1024)
    sysno = 0;

This way it will work correctly on MIPS also.

 
   // Encode 8-bits of the 1st two arguments too, so we can discern which socket
   // type, which fcntl, ... etc., without being likely to hit a mapped
   // address.
   // Do not encode more bits here without thinking about increasing the
   // likelihood of collision with mapped pages.
   syscall |= ((args.args[0] & 0xffUL) << 12);
   syscall |= ((args.args[1] & 0xffUL) << 20);
   // Purposefully dereference the syscall as an address so it'll show up very
   // clearly and easily in crash dumps.
@@ skipping 89 matching lines @@
 
 const char* GetIoctlErrorMessageContentForTests() {
   return SECCOMP_MESSAGE_IOCTL_CONTENT;
 }
 
 const char* GetKillErrorMessageContentForTests() {
   return SECCOMP_MESSAGE_KILL_CONTENT;
 }
 
 }  // namespace sandbox.