Hi Geert, On Wed, Dec 12, 2018 at 04:07:11PM +0300, Dmitry V. Levin wrote:
On Wed, Dec 12, 2018 at 01:54:05PM +0100, Geert Uytterhoeven wrote:On Wed, Dec 12, 2018 at 1:37 PM Dmitry V. Levin <ldv@xxxxxxxxxxxx> wrote:On Wed, Dec 12, 2018 at 01:27:14PM +0100, Geert Uytterhoeven wrote:On Wed, Dec 12, 2018 at 1:04 PM Dmitry V. Levin <ldv@xxxxxxxxxxxx> wrote:On Wed, Dec 12, 2018 at 10:43:33AM +0100, Geert Uytterhoeven wrote:On Wed, Dec 12, 2018 at 10:27 AM Dmitry V. Levin <ldv@xxxxxxxxxxxx> wrote:On Wed, Dec 12, 2018 at 10:01:29AM +0100, Geert Uytterhoeven wrote:On Wed, Dec 12, 2018 at 9:55 AM Dmitry V. Levin <ldv@xxxxxxxxxxxx> wrote:On Mon, Dec 10, 2018 at 04:30:25PM +0300, Dmitry V. Levin wrote:On Mon, Dec 10, 2018 at 02:06:28PM +0100, Geert Uytterhoeven wrote:On Mon, Dec 10, 2018 at 1:41 PM Dmitry V. Levin <ldv@xxxxxxxxxxxx> wrote:On Mon, Dec 10, 2018 at 09:45:42AM +0100, Geert Uytterhoeven wrote:On Mon, Dec 10, 2018 at 5:30 AM Dmitry V. Levin <ldv@xxxxxxxxxxxx> wrote:syscall_get_* functions are required to be implemented on all architectures in order to extend the generic ptrace API with PTRACE_GET_SYSCALL_INFO request. This introduces asm/syscall.h on m68k implementing all 5 syscall_get_* functions as documented in asm-generic/syscall.h: syscall_get_nr, syscall_get_arguments, syscall_get_error, syscall_get_return_value, and syscall_get_arch. Cc: Geert Uytterhoeven <geert@xxxxxxxxxxxxxx> Cc: Oleg Nesterov <oleg@xxxxxxxxxx> Cc: Andy Lutomirski <luto@xxxxxxxxxx> Cc: Elvira Khabirova <lineprinter@xxxxxxxxxxxx> Cc: Eugene Syromyatnikov <esyr@xxxxxxxxxx> Cc: linux-m68k@xxxxxxxxxxxxxxxxxxxx Signed-off-by: Dmitry V. Levin <ldv@xxxxxxxxxxxx> --- Notes: v5: added syscall_get_nr, syscall_get_arguments, syscall_get_error, and syscall_get_return_value v1: added syscall_get_arch--- /dev/null +++ b/arch/m68k/include/asm/syscall.h @@ -0,0 +1,39 @@+static inline void +syscall_get_arguments(struct task_struct *task, struct pt_regs *regs, + unsigned int i, unsigned int n, unsigned long *args) +{ + BUG_ON(i + n > 6);Does this have to crash the kernel?This is what most of other architectures do, but we could choose a softer approach, e.g. use WARN_ON_ONCE instead.Perhaps you can return an error code instead?That would be problematic given the signature of this function and the nature of the potential bug which would most likely be a usage error.Of course to handle that, the function's signature need to be changed. Changing it has the advantage that the error handling can be done at the caller, in common code, instead of duplicating it for all architectures, possibly leading to different semantics.Given that *all* current users of syscall_get_arguments specify i == 0 (and there is an architecture that has BUG_ON(i)), it should be really a usage error to get into situation where i + n > 6, I wish a BUILD_BUG_ON could be used here instead. I don't think it worths pushing the change of API just to convert a "cannot happen" assertion into an error that would have to be dealt with on the caller side.I suggest the following BUG_ON replacement for syscall_get_arguments: #define SYSCALL_MAX_ARGS 6 static inline void syscall_get_arguments(struct task_struct *task, struct pt_regs *regs, unsigned int i, unsigned int n, unsigned long *args) { /* * Ideally there should have been * BUILD_BUG_ON(i + n > SYSCALL_MAX_ARGS); * instead of these checks. */ if (unlikely(i > SYSCALL_MAX_ARGS)) { WARN_ONCE(1, "i > SYSCALL_MAX_ARGS"); return;Does this have security implications, as args is an output parameter? I.e. if you don't fill the array, the caller will use whatever is on the stack. Can this ever be passed to userspace, leaking data?In the current kernel code n is always less or equal to 6, but in theory future changes can potentially break the assertion and this could lead to leaking data to userspace.OK.Do you think we should rather be defensive and add some memsets, e.g. if (unlikely(i > SYSCALL_MAX_ARGS)) { WARN_ONCE(1, "i > SYSCALL_MAX_ARGS"); memset(args, 0, n * sizeof(args[0])); return; } if (unlikely(n > SYSCALL_MAX_ARGS - i)) { unsigned int extra = n - (SYSCALL_MAX_ARGS - i); WARN_ONCE(1, "i + n > SYSCALL_MAX_ARGS"); n = SYSCALL_MAX_ARGS - i; memset(&args[n], 0, extra * sizeof(args[0])); } ?Yes please. But please handle all of that in the generic code, so it doesn't have to be replicated across all architectures. E.g. make syscall_get_arguments() a wrapper in generic code, calling __syscall_get_arguments() in architecture-specific code. And make the latter return int, so it can indicate other failures.Other failures? What syscall_get_arguments is expected to do if __syscall_get_arguments returned, say, -1?Fail. Just like in case of other generic ill conditions it can detect itself.Sorry, I don't quite follow. syscall_get_arguments() has no return code,Which may be an indicator for a different problem. What is e.g. populate_seccomp_data() supposed to do if syscall_get_arguments() fails?Well, syscall_get_arguments() is not supposed to fail if invoked properly. Currently populate_seccomp_data() does this: struct task_struct *task = current; struct pt_regs *regs = task_pt_regs(task); unsigned long args[6]; ... syscall_get_arguments(task, regs, 0, 6, args); I don't see how this could fail.so all it can possibly do is to zero out args[], e.g. if (unlikely(__syscall_get_arguments(task, regs, i, n, args) < 0)) { memset(args, 0, n * sizeof(args[0])); return; } Do you mean this?Exactly.OK, I'll prepare the change, thanks.
I have the change ready, but I don't like it. The only architecture that could benefit from being able of signalling an error condition to syscall_get_arguments is MIPS, and even in that case the return code is not suitable because it wouldn't help to distinguish between the first 4 syscall arguments that cannot cause an error and remaining arguments that can. It looks like there is no need to make __syscall_get_arguments() to return int after all. -- ldv
Attachment:
signature.asc
Description: PGP signature
