Hi Yury, On 2020/9/1 19:40, Xiongfeng Wang wrote: > > > On 2020/9/1 2:15, Yury Norov wrote: >> On Mon, Aug 31, 2020 at 5:48 AM Xiongfeng Wang >> <wangxiongfeng2@xxxxxxxxxx> wrote: >>> >>> Hi Yury, >>> >> >> Hi Xiongfeng, >> >> [restore CC list] >> >> Haven't seen this before. What kernel / glibc / ltp do you use? > > The kernel version is 4.19. I applied the ILP32 patches from > https://github.com/norov/linux.git. The glibc version is 2.28 and I applyed the > ILP32 patches. > The ltp testsuite is from https://github.com/linux-test-project/ltp. I build it > with '-mabi=ilp32'. > >> >>> We were testing the ILP32 feature and came accross a problem. Very apperaciate >>> it if you could give us some help ! >>> >>> We compile the LTP testsuite with '-mabi=ilp32' and run it on a machine with >>> kernel and glibc applied with ILP32 patches. But we failed on one testcase, >>> prctl04. It print the following error info. >>> 'prctl04.c:199: FAIL: SECCOMP_MODE_STRICT doesn't permit read(2) write(2) and >>> _exit(2)' >>> >>> The testcase is like below, syscall 'prctl' followed by a syscall 'write'. >>> prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT); >>> SAFE_WRITE(1, fd, "a", 1); >>> >>> When we execute syscall 'write', we receive a SIGKILL. It's not as expected. >>> We track the kernel and found out it is because we failed the syscall_whitelist >>> check in '__secure_computing_strict'. Because flag 'TIF_32BIT_AARCH64' is set, >>> we falls into the 'in_compat_syscall()' branch. We compare the parameter >>> 'this_syscall' with return value of 'get_compat_model_syscalls()' >>> The syscall number of '__NR_write' for ilp32 application is 64, but it is 4 for >>> 'model_syscalls_32' returned from 'get_compat_model_syscalls()' >>> So '__secure_computing_strict' retuned with 'do_exit(SIGKILL)'. We have a >>> modification like below, but I am not sure if it correct or not. >>> >>> --- a/kernel/seccomp.c >>> +++ b/kernel/seccomp.c >>> @@ -618,7 +618,7 @@ static void __secure_computing_strict(int this_syscall) >>> { >>> const int *syscall_whitelist = mode1_syscalls; >>> #ifdef CONFIG_COMPAT >>> - if (in_compat_syscall()) >>> + if (is_a32_compat_task()) >>> syscall_whitelist = get_compat_mode1_syscalls(); >> >> It calls the arch function from generic code. It may break build for >> other arches. >> This also looks dangerous because it treats ILP32 execution as non-compat. >> >> The right approach would be implementing arch-specific >> get_compat_mode1_syscalls() >> in arch/arm64/include/asm/seccomp.h that returns an appropriate table. >> Refer MIPS >> code for this: arch/mips/include/asm/seccomp.h > > Thanks for your advice. Thanks a lot. > I have written another version according to your advice. > > --- a/arch/arm64/include/asm/seccomp.h > +++ b/arch/arm64/include/asm/seccomp.h > @@ -20,6 +20,36 @@ > #define __NR_seccomp_sigreturn_32 __NR_compat_rt_sigreturn > #endif /* CONFIG_COMPAT */ > > +#ifdef CONFIG_COMPAT > +#ifndef __COMPAT_SYSCALL_NR > + > +static inline const int *get_compat_mode1_syscalls(void) > +{ > +#ifdef CONFIG_AARCH32_EL0 > + static const int mode1_syscalls_a32[] = { > + __NR_compat_read, __NR_compat_write, > + __NR_compat_read, __NR_compat_sigreturn, A little fix here. It should be __NR_compat_exit, __NR_compat_sigreturn, Sorry, my fault. Thanks, Xiongfeng > + 0, /* null terminated */ > + }; > +#endif > + static const int mode1_syscalls_ilp32[] = { > + __NR_read, __NR_write, > + __NR_exit, __NR_rt_sigreturn, > + 0, /* null terminated */ > + }; > + > + if (is_ilp32_compat_task()) > + return mode1_syscalls_ilp32; > +#ifdef CONFIG_AARCH32_EL0 > + return mode1_syscalls_a32; > +#endif > +} > + > +#define get_compat_mode1_syscalls get_compat_mode1_syscalls > + > +#endif > +#endif > + > #include <asm-generic/seccomp.h> > > #endif /* _ASM_SECCOMP_H */ > > > Thanks, > Xiongfeng > >> >> Thanks, >> Yury >> >>> #endif >>> do { >>> >>> >>> Thanks, >>> Xiongfeng >>> >> >> . >> > > > _______________________________________________ > linux-arm-kernel mailing list > linux-arm-kernel@xxxxxxxxxxxxxxxxxxx > http://lists.infradead.org/mailman/listinfo/linux-arm-kernel > > . >