fix_nvoc_pfunc*.cocci: fix bad pFunc fprt casts

minipli-oss · minipli-oss · commit 4451786ab60e · 2026-03-19T07:13:39.000-04:00
Signed-off-by: Mathias Krause &lt;minipli@grsecurity.net&gt;
diff --git a/src/nvidia/cocci.sh b/src/nvidia/cocci.sh
@@ -7,6 +7,49 @@
 #
 # (c) 2025,2026 Open Source Security, Inc. All Rights Reserved.
 
+pfunc_filter() {
+	# What a hack!
+	#
+	# coccinelle doesn't evaluate both sides of a #if ...  #else ... #endif
+	# block and even worse, it doesn't even implement enough preprocessor
+	# logic to actually understand the #if expression and always only
+	# handles the #if branch for non-trivial expressions.
+	# Work around that by modifying the expression to '#if 0' and use
+	# --noif0-passing to get the #else branch. *sigh!*
+	#
+	# Hack #2:
+	# On top of that we need yet another hack to get thunk definitions as
+	# blindly adding thunks for all ever possible functions doesn't work
+	# (there are multiple decls that'd lead to multiple static inline thunk
+	# definitions). So we record which functions we want a thunk for via
+	# pfunc_list_filter() and use that to actually generate thunks only for
+	# these. Gross!
+	case "$1" in
+		pre)	sed 's|\(#if\) \(NVOC_EXPORTED_METHOD_DISABLED_BY_FLAG\)|\1 0//\2|' -i generated/*.[ch]; ;;
+		diff)	sed 's|\(#if\) 0//\(NVOC_EXPORTED_METHOD_DISABLED_BY_FLAG\)|\1 \2|'; ;;
+		post)	sed 's|\(#if\) 0//\(NVOC_EXPORTED_METHOD_DISABLED_BY_FLAG\)|\1 \2|' -i generated/*.[ch]; ;;
+	esac
+}
+
+pfunc_list_filter() {
+	case "$1" in
+		diff)
+			fifo=$(mktemp -u)
+			mkfifo "$fifo"
+
+			sed -n 's|^-.*pFunc=.*&\(.*\),|\1|p' <"$fifo" >pfunc.list &
+			sed_pid=$!
+
+			pfunc_filter "$@" | tee "$fifo"
+
+			wait $sed_pid
+			rm "$fifo"
+			;;
+
+		*)	pfunc_filter "$@";;
+	esac
+}
+
 null_filter() {
 	case "$1" in
 		pre)	;;
diff --git a/src/nvidia/fix_nvoc_pfunc_addr.cocci b/src/nvidia/fix_nvoc_pfunc_addr.cocci
@@ -0,0 +1,50 @@
+// Coccinelle script to fix 'pFunc' function pointer casts to use proper
+// types to prevent runtime CFI violations, e.g. under RAP.
+//
+// As for fix_nvoc_dtor.cocci, we need to create a thunk. The thunk takes two
+// arguments, even if the implementation takes only one. That'll get handled
+// when adding a thunk definition.
+//
+//   NV_STATUS (*pFunc)(void *, void *);
+//
+// As coccinelle cannot handle the preprocessor branches for the 'pFunc'
+// assignment correctly, we need a workaround that simplifies the code so
+// coccinelle can understand it (see cocci.sh:pfunc_filter()).
+//
+// This script only handles the part of replacing taking the address of the
+// real function. See fix_nvoc_pfunc_null.cocci for the NULL fptr cast mangling
+// and fix_nvoc_pfunc_thunk.cocci for the thunk generation.
+//
+// (c) 2025,2026 Open Source Security, Inc. All Rights Reserved.
+
+@initialize:python@
+@@
+import re
+
+# cocci's regex support is too limiting, use python for the filtering
+type_match = re.compile(r"void *\( *\* *\) *\( *void *\)")	# cocci adds spaces
+func_match = re.compile(r"_(IMPL|DISPATCH|KERNEL|[0-9a-f]{6})$")
+
+// search for (function) pointer casts (filtered in @pfunc_cast_filter@)
+@pfunc_cast disable drop_cast@
+identifier fn;
+type T;
+@@
+ (T) &fn
+
+@script:python pfunc_cast_filter@
+t << pfunc_cast.T;
+f << pfunc_cast.fn;
+@@
+if not type_match.search(t) or not func_match.search(f):
+#	print(f">>> '({t}) {f}' didn't match")
+	cocci.include_match(False)
+
+// drop cast and replace function with a thunk
+@remove_cast depends on pfunc_cast_filter@
+identifier pfunc_cast.fn;
+type pfunc_cast.T;
+fresh identifier fnthunk = "THUNK_" ## fn;
+@@
+- (T) &fn
++ &fnthunk
diff --git a/src/nvidia/fix_nvoc_pfunc_null.cocci b/src/nvidia/fix_nvoc_pfunc_null.cocci
@@ -0,0 +1,35 @@
+// Coccinelle script to fix 'pFunc' function pointer casts to use proper types.
+//
+// Similar to fix_nvoc_pfunc_addr.cocci, just for the NULL fptr.
+//
+// We simply want to drop the cast as it's unneeded. As it's in the '#if 0'
+// block, we need to tell cocci to look at that:
+//
+// options: --noif0-passing
+//
+// (c) 2025,2026 Open Source Security, Inc. All Rights Reserved.
+
+@initialize:python@
+@@
+import re
+
+type_match = re.compile(r"void *\( *\* *\) *\( *void *\)")	# cocci adds spaces
+
+// search for (function) pointer casts (filtered in @pfunc_cast_filter@)
+@pfunc_null_cast disable drop_cast@
+type T;
+@@
+ (T) NULL
+
+@script:python pfunc_cast_filter@
+t << pfunc_null_cast.T;
+@@
+if not type_match.search(t):
+	cocci.include_match(False)
+
+@remove_null_cast depends on pfunc_cast_filter@
+type pfunc_null_cast.T;
+@@
+- (T)
+  NULL
+
diff --git a/src/nvidia/fix_nvoc_pfunc_thunk.cocci b/src/nvidia/fix_nvoc_pfunc_thunk.cocci
@@ -0,0 +1,87 @@
+// Coccinelle script to fix 'pFunc' function pointer casts to use proper
+// types to prevent runtime CFI violations, e.g. under RAP.
+//
+// fix_nvoc_pfunc_addr.cocci already replaced the function pointer with a
+// thunk. What's left is to actually generate the thunk declarations and
+// definitions.
+//
+//   NV_STATUS (*pFunc)(void *, void *);
+//
+// This script depends on fix_nvoc_pfunc_addr.cocci to generate a file
+// 'pfunc.list' with all the functions that have been replaced (see
+// cocci.sh:pfunc_list_filter()).
+//
+// (c) 2025,2026 Open Source Security, Inc. All Rights Reserved.
+
+@initialize:python@
+@@
+with open('pfunc.list', 'r') as file:
+	pfuncs = file.read().splitlines()
+
+// search for pfunc decls, filtered by @pfunc_decl_filter@
+@pfunc_decl@
+identifier fn;
+identifier a1, a2;
+type T1, T2, R;
+@@
+(
+R fn(T1 a1);
+|
+R fn(T1 a1, T2 a2);
+)
+
+@script:python pfunc_decl_filter@
+func << pfunc_decl.fn;
+@@
+if func not in pfuncs:
+	cocci.include_match(False)
+#else:
+#	print(f">>> {func} included")
+
+// Add thunk decls right next to the original function's decl to make sure
+// it'll be declared when its address is taken.
+//
+// XXX: merging @pfunc_thunk_decl_two_args@ and @pfunc_thunk_decl_one_arg@
+// XXX: doesn't work :(
+@pfunc_thunk_decl_two_args depends on pfunc_decl_filter@
+identifier pfunc_decl.fn;
+identifier pfunc_decl.a1, pfunc_decl.a2;
+type pfunc_decl.T1, pfunc_decl.T2, pfunc_decl.R;
+fresh identifier thunk = "THUNK_" ## fn;
+typedef NV_STATUS;
+@@
+// XXX: matching function decls is only poorly supported, so we need this hack
+-R fn(T1 a1, T2 a2)
++R fn(T1 a1, T2 a2);
++NV_STATUS thunk(void *obj, void *arg)
+;
+
+// TODO: merge with @pfunc_thunk_decl_two_args@
+@pfunc_thunk_decl_one_arg depends on pfunc_decl_filter@
+identifier pfunc_decl.fn;
+identifier pfunc_decl.a1;
+type pfunc_decl.T1, pfunc_decl.R;
+fresh identifier thunk = "THUNK_" ## fn;
+typedef NV_STATUS;
+@@
+// XXX: matching function decls is only poorly supported, so we need this hack
+-R fn(T1 a1)
++R fn(T1 a1);
++NV_STATUS thunk(void *obj, void *arg)
+;
+
+// XXX: TODO: thunk definitions -> these need '--dir src/' override!
+@pfunc_thunk_def_two_args depends on pfunc_decl_filter@
+identifier pfunc_decl.fn;
+identifier pfunc_decl.a1, pfunc_decl.a2;
+type pfunc_decl.T1, pfunc_decl.T2, pfunc_decl.R;
+fresh identifier thunk = "THUNK_" ## fn;
+typedef NV_STATUS;
+@@
+// XXX: matching function decls is only poorly supported, so we need this hack
+R fn(T1 a1, T2 a2) { ... }
++NV_STATUS thunk(void *obj, void *arg)
++{
++	return fn((T1)obj, (T2)arg);
++}
+
diff --git a/src/nvidia/fix_nvoc_pfunc_type.cocci b/src/nvidia/fix_nvoc_pfunc_type.cocci
@@ -0,0 +1,21 @@
+// Coccinelle script to fix 'pFunc' member function pointer type to match what
+// fix_nvoc_pfunc.cocci expects.
+//
+// The structure type is located in inc/libraries/nvoc/runtime.h, override
+// the --dir ... parameter to only patch that:
+//
+// options: --dir inc/libraries/nvoc/
+//
+// (c) 2025,2026 Open Source Security, Inc. All Rights Reserved.
+
+@pfunc_member@
+typedef NV_STATUS;
+@@
+struct NVOC_EXPORTED_METHOD_DEF
+{
+	...
+-	void (*pFunc) (...)
++	NV_STATUS (*pFunc)(void *, void *)
+	;
+	...
+};
diff --git a/src/nvidia/fix_nvoc_pfunc_use.cocci b/src/nvidia/fix_nvoc_pfunc_use.cocci
@@ -0,0 +1,49 @@
+// Coccinelle script to fix 'pFunc' function pointer users to use the type
+// expected by fix_nvoc_pfunc_type.cocci and ensure it gets passed two args.
+//
+//  NV_STATUS (*pFunc)(void *, void *);
+//
+// pFunc use is in src/kernel/gpu/deferred_api.c, src/kernel/gpu/gpu.c and
+// src/libraries/resserv/src/rs_resource.c, therefore override the --dir
+// option:
+//
+// options: --dir src/
+//
+// (c) 2025,2026 Open Source Security, Inc. All Rights Reserved.
+
+// cases with a local variable
+@pfunc_use_var@
+struct NVOC_EXPORTED_METHOD_DEF *e;
+typedef NV_STATUS;
+expression arg;
+identifier fn;
+type T;
+@@
+
+-T fn = ((T) e->pFunc)
++NV_STATUS (*fn)(void *, void *) = e->pFunc
+ ;
+ <...
+	fn(
+		arg
++		, NULL
+	  )
+ ...>
+
+// cases which cast and use ->pFunc directly
+@pfunc_use_cast@
+struct NVOC_EXPORTED_METHOD_DEF *e;
+expression arg1, arg2;
+type T;
+@@
+(
+-((T) e->pFunc)
++(pEntry->pFunc)
+	(arg1, arg2)
+|
+-((T) e->pFunc)
++(pEntry->pFunc)
+	(arg1
++	, NULL
+	)
+)
