Re: [PATCH] riscv/entry: get correct syscall number from syscall_get_nr()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2024-10-27 04:21, Thomas Gleixner wrote:
> On Fri, Oct 25 2024 at 07:30, Björn Töpel wrote:
>> Thomas Gleixner <tglx@xxxxxxxxxxxxx> writes:
>>> It's completely unclear to me what the actual problem is. The flow how
>>> this works on all architectures is:
>>>
>>>        regs->orig_a0  = regs->a0
>>>        regs->a0 = -ENOSYS;
>>>
>>>        nr = syscall_enter_from_user_mode(....);
>>>
>>>        if (nr >= 0)
>>>           regs->a0 = nr < MAX_SYSCALL ? syscall(nr) : -ENOSYS;
>>>                      
>>> If syscall_trace_enter() returns -1 to skip the syscall, then regs->a0
>>> is unmodified, unless one of the magic operations modified it.
>>>
>>> If syscall_trace_enter() was not active (no tracer, no seccomp ...) then
>>> regs->a0 already contains -ENOSYS.
>>>
>>> So what's the exact problem?
>>
>> It's a mix of calling convention, and UAPI:
>>   * RISC-V uses a0 for arg0 *and* return value (like arm64).
>>   * RISC-V does not expose orig_a0 to userland, and cannot easily start
>>     doing that w/o breaking UAPI.
>>
>> Now, when setting a0 to -ENOSYS, it's clobbering arg0, and the ptracer
>> will have an incorrect arg0 (-ENOSYS).
> 
> Oh I see. I was looking at it from the x86 POV... 
> 
> Looking deeper into this, this is all completely inconsistent across
> architectures. All of them copied either from x86 or from some other
> close enough existing copy and changed stuff on top.
> 
> So we have two different scenarios AFAICT (I did not look really
> deeply):
> 
>    1) The register which holds the syscall number is used for the
>       return value
> 
>    2) An argument register is used for the return value
> 
> #1 is the easy case and just "works"
> 
>    because orig_$REG holds the original syscall number and everything
>    falls into place.
> 
> #2 needs some thought, but we are not going to add this:
> 
>> 	 if (work & SYSCALL_WORK_ENTER)
>> 		 syscall = syscall_trace_enter(regs, syscall, work);
>> +	else if (syscall == -1L)
>> +		syscall_set_return_value(current, regs, -ENOSYS, 0);
>>
> 
> into the syscall path just to make #2 work. That's hotpath and affects
> all other architectures too.
> 
> So the problem for the #2 case is that there is no distinction between a
> user space issued syscall(@nr = -1) and the return value of (-1) of
> various functions involved in the syscall 'tracer' processing.
> 
> So what the issue with Celeste's change is:
> 
> 	res = syscall_enter_from_user_mode(regs, syscall);
> 	syscall = syscall_get_nr(current, regs);
> 
> 	add_random_kstack_offset();
> 
> 	if (syscall < 0 || syscall >= NR_syscalls)
>         	regs->a0 = -ENOSYS;
> 
> As the tracer can invalidate the syscall number along with regs->a0,
> this overwrites the error code set by the tracer. Your solution has a
> similar problem.

Oh. It's a real issue.

> 
> There is another issue vs. regs->a0. Assume a ptracer modified regs->a0
> (arg0) and lets the task continue (no fatal signal pending).
> 
> Then the following seccomp() invocation will get regs->orig_a0 from
> syscall_get_arguments(), which is not what the ptracer set, right?
> 
> Let me look at your failure analysis from your first reply:
> 
>>  1. strace "tracing": Requires that regs->a0 is not tampered with prior
>>     ptrace notification
>>
>>     E.g.:
>>     | # ./strace /
>>     | execve("/", ["/"], 0x7ffffaac3890 /* 21 vars */) = -1 EACCES (Permission denied)
>>     | ./strace: exec: Permission denied
>>     | +++ exited with 1 +++
>>     | # ./disable_ptrace_get_syscall_info ./strace /
>>     | execve(0xffffffffffffffda, ["/"], 0x7fffd893ce10 /* 21 vars */) = -1 EACCES (Permission denied)
>>     | ./strace: exec: Permission denied
>>     | +++ exited with 1 +++
>>
>>     In the second case, arg0 is prematurely set to -ENOSYS
>>     (0xffffffffffffffda).
> 
> That's expected if ptrace_get_syscall_info() is not used. Plain dumping
> registers will give you the current value on all architectures.
> ptrace_get_syscall_info() exist exactly for that reason.
> 
>>  2. strace "syscall tampering": Requires that ENOSYS is returned for
>>     syscall(-1), and not skipped w/o a proper return value.
>>
>>     E.g.:
>>     | ./strace -a0 -ewrite -einject=write:error=enospc echo helloject=write:error=enospc echo hello   
>>
>>     Here, strace expects that injecting -1, would result in a ENOSYS.
> 
> No. It expects ENOSPC with the above command line. man strace:
> 
>        If :error=errno option is specified, a fault is injected into a
>        syscall invocation: the syscall number is replaced by -1 which
>        corresponds to an invalid syscall (unless a syscall is specified
>        with :syscall= option), and the error code is specified using a
>        symbolic errno value like ENOSYS or a numeric value within
>        1..4095 range.
> 
> Similar for -einject:retval=$N
> 
> So you cannot overwrite a0 with ENOSYS if the syscall needs to be
> skipped.
> 
>>  3. seccomp filtering: Requires that the a0 is not tampered to
> 
> No. seccomp uses syscall_get_arguments() which sets a0 to orig_a0 for
> inspection. As I said before that fails when the ptracer changed
> argument 0 before the seccomp invocation. seccomp will see the original
> argument and waves it through.
> 
> Looking at Celeste's analysis again:
> 
>> We can't know whether syscall_nr is -1 when we get -1
>> from syscall_enter_from_user_mode(). And the old syscall variable is
>> unusable because syscall_enter_from_user_mode() may change a7 register.
> 
> You obviously can save the user space supplied value away
> in do_trap_ecall_u() by simply doing
> 
>        long orig_nr = regs->a7;
> 
> No? But I'm not sure that it solves all problems. It cannot solve the
> ptrace/seccomp interaction.
> 
> The rest of the changelog is simply bogus. Just because riscv made a
> mistake with the UABI design does not mean that it's useless for
> everyone else.
> 
> And no, I'm not going to change x86 for that just to have a pointless
> load in the syscall hotpath, when the normal operation just keeps the
> syscall number in the same register.
> 
> The real problem is that orig_a0 is not exposed in the user view of the
> registers. Changing that struct breaks the existing applications
> obviously.
> 
> But you can expose it without changing the struct by exposing a regset
> for orig_a0 which allows you to read and write it similar to what ARM64
> does for the syscall number.

If we add something like NT_SYSCALL_NR to UAPI, it cannot solve anything: We 
already have PTRACE_GET_SYSCALL_INFO to get syscall number, which was introduced 
in 5.3 kernel. The problem is only in the kernel before 5.3. So we can't fix 
this issue unless we also backport NT_SYSCALL_NR to 4.19 LTS. But if we can 
backport it, we can backport PTRACE_GET_SYSCALL_INFO directly instead.

That's why I try to limit changes in "internal handle logic" in all 3 tries 
before.

> 
> That of course requires updated user space, but existing user space will
> continue to work with the current limitations.
> 
> Thanks,
> 
>         tglx




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux