Commit
libkern: Fix bcopy_c/memcpy_c handling of final capability
The use of > rather than >= meant that for capability-aligned ends, if copying backwards, and capability-aligned starts, if copying forwards, the final capability to be copied was copied byte-wise, losing its tag, rather than as a capability. This bug has been present since the very first commit of this generic C version, but does not appear to have existed in the old CHERI-MIPS assembly version. Notably this breaks the DRM_IOCTL_VERSION ioctl, which has a capability as its final struct member, in hybrid kernels, since the memcpy_c used in drm_ioctl clears the tag on that member and then proceeds to EFAULT when trying to copy out to it (note that it always performs a forward copy here since it's copying from a higher stack frame to a lower one). This gets even worse for libdrm since the mutated struct is then copied back out itself, and libdrm tries to free the pointer on error, which results in a tag fault.
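The loop-bound defect described in the commit message, reproduced in a toy model added here; this is not the libkern bcopy_c/memcpy_c code and not a CHERI build. It assumes a 16-byte capability granule with one tag bit per aligned granule, that a granule-sized aligned copy carries the tag across while any byte-wise store into a granule clears its tag, and a two-granule struct whose final member is the only capability (the shape the message attributes to the DRM_IOCTL_VERSION argument). The `strict_gt` flag selects the `>` bulk-loop condition (buggy) or `>=` (fixed); everything else in the copy is identical, which is why the bytes match in both cases and only the tag differs.

```c
/* Added example: a model of tag-preserving memcpy, not the libkern code.
 * Memory is a byte array plus one tag bit per CAP_SIZE-aligned granule. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_SIZE 16          /* assumed capability size in bytes */
#define MEM_SIZE 256

typedef struct {
    uint8_t bytes[MEM_SIZE];
    bool tags[MEM_SIZE / CAP_SIZE];  /* one tag per capability-aligned granule */
} tagged_mem;

static bool cap_aligned(size_t off) { return off % CAP_SIZE == 0; }

/* Copy one whole granule, tag included (both offsets are aligned here). */
static void copy_cap(tagged_mem *m, size_t dst, size_t src) {
    memcpy(&m->bytes[dst], &m->bytes[src], CAP_SIZE);
    m->tags[dst / CAP_SIZE] = m->tags[src / CAP_SIZE];
}

/* Copy one byte; a byte store into a granule invalidates that granule's tag. */
static void copy_byte(tagged_mem *m, size_t dst, size_t src) {
    m->bytes[dst] = m->bytes[src];
    m->tags[dst / CAP_SIZE] = false;
}

/* Forward copy: byte-wise until both sides are aligned, then whole
 * capabilities, then the trailing bytes. strict_gt=true uses the '>'
 * condition from the commit message, strict_gt=false the '>=' fix. */
static void memcpy_c_model(tagged_mem *m, size_t dst, size_t src,
                           size_t len, bool strict_gt) {
    while (len > 0 && !(cap_aligned(dst) && cap_aligned(src))) {
        copy_byte(m, dst++, src++);
        len--;
    }
    /* With '>', a final full granule (len == CAP_SIZE exactly) is skipped
     * here and falls through to the byte loop, which drops its tag. */
    while (strict_gt ? len > CAP_SIZE : len >= CAP_SIZE) {
        copy_cap(m, dst, src);
        dst += CAP_SIZE;
        src += CAP_SIZE;
        len -= CAP_SIZE;
    }
    while (len > 0) {
        copy_byte(m, dst++, src++);
        len--;
    }
}

/* Constructed test data: a two-granule struct at SRC_OFF whose second
 * (final) member is a tagged capability, copied to DST_OFF. */
static const size_t SRC_OFF = 0, DST_OFF = 64, STRUCT_LEN = 2 * CAP_SIZE;

static void run_copy(tagged_mem *m, bool strict_gt) {
    memset(m, 0, sizeof *m);
    for (size_t i = 0; i < STRUCT_LEN; i++)
        m->bytes[SRC_OFF + i] = (uint8_t)(i + 1);
    m->tags[SRC_OFF / CAP_SIZE + 1] = true;  /* final member holds a capability */
    memcpy_c_model(m, DST_OFF, SRC_OFF, STRUCT_LEN, strict_gt);
}

/* Does the tag on the final member survive the copy? */
bool final_tag_survives(bool strict_gt) {
    tagged_mem m;
    run_copy(&m, strict_gt);
    return m.tags[DST_OFF / CAP_SIZE + 1];
}

/* Are the copied bytes identical regardless of the loop condition? */
bool bytes_match(bool strict_gt) {
    tagged_mem m;
    run_copy(&m, strict_gt);
    return memcmp(&m.bytes[DST_OFF], &m.bytes[SRC_OFF], STRUCT_LEN) == 0;
}

int main(void) {
    printf("buggy '>':  bytes match=%d, final tag kept=%d\n",
           bytes_match(true), final_tag_survives(true));
    printf("fixed '>=': bytes match=%d, final tag kept=%d\n",
           bytes_match(false), final_tag_survives(false));
    return 0;
}
```

Because the data bytes are correct in both variants, a plain memcmp-style check would never catch this; only a check on the tag (or the EFAULT on the later copyout that the message describes) exposes it, which is why the bug could sit in the generic C version from its first commit.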