Re: [PATCH v5 13/25] m68k: add asm/syscall.h

From: Dmitry V. Levin
Date: Wed Dec 12 2018 - 04:27:17 EST


On Wed, Dec 12, 2018 at 10:01:29AM +0100, Geert Uytterhoeven wrote:
> Hi Dmitry,
>
> On Wed, Dec 12, 2018 at 9:55 AM Dmitry V. Levin <ldv@xxxxxxxxxxxx> wrote:
> > On Mon, Dec 10, 2018 at 04:30:25PM +0300, Dmitry V. Levin wrote:
> > > On Mon, Dec 10, 2018 at 02:06:28PM +0100, Geert Uytterhoeven wrote:
> > > > On Mon, Dec 10, 2018 at 1:41 PM Dmitry V. Levin <ldv@xxxxxxxxxxxx> wrote:
> > > > > On Mon, Dec 10, 2018 at 09:45:42AM +0100, Geert Uytterhoeven wrote:
> > > > > > On Mon, Dec 10, 2018 at 5:30 AM Dmitry V. Levin <ldv@xxxxxxxxxxxx> wrote:
> > > > > > > syscall_get_* functions are required to be implemented on all
> > > > > > > architectures in order to extend the generic ptrace API with
> > > > > > > PTRACE_GET_SYSCALL_INFO request.
> > > > > > >
> > > > > > > This introduces asm/syscall.h on m68k implementing all 5 syscall_get_*
> > > > > > > functions as documented in asm-generic/syscall.h: syscall_get_nr,
> > > > > > > syscall_get_arguments, syscall_get_error, syscall_get_return_value,
> > > > > > > and syscall_get_arch.
> > > > > > >
> > > > > > > Cc: Geert Uytterhoeven <geert@xxxxxxxxxxxxxx>
> > > > > > > Cc: Oleg Nesterov <oleg@xxxxxxxxxx>
> > > > > > > Cc: Andy Lutomirski <luto@xxxxxxxxxx>
> > > > > > > Cc: Elvira Khabirova <lineprinter@xxxxxxxxxxxx>
> > > > > > > Cc: Eugene Syromyatnikov <esyr@xxxxxxxxxx>
> > > > > > > Cc: linux-m68k@xxxxxxxxxxxxxxxxxxxx
> > > > > > > Signed-off-by: Dmitry V. Levin <ldv@xxxxxxxxxxxx>
> > > > > > > ---
> > > > > > >
> > > > > > > Notes:
> > > > > > > v5: added syscall_get_nr, syscall_get_arguments, syscall_get_error,
> > > > > > > and syscall_get_return_value
> > > > > > > v1: added syscall_get_arch
> > > > > >
> > > > > > > --- /dev/null
> > > > > > > +++ b/arch/m68k/include/asm/syscall.h
> > > > > > > @@ -0,0 +1,39 @@
> > > > > >
> > > > > > > +static inline void
> > > > > > > +syscall_get_arguments(struct task_struct *task, struct pt_regs *regs,
> > > > > > > + unsigned int i, unsigned int n, unsigned long *args)
> > > > > > > +{
> > > > > > > + BUG_ON(i + n > 6);
> > > > > >
> > > > > > Does this have to crash the kernel?
> > > > >
> > > > > This is what most of other architectures do, but we could choose
> > > > > a softer approach, e.g. use WARN_ON_ONCE instead.
> > > > >
> > > > > > Perhaps you can return an error code instead?
> > > > >
> > > > > That would be problematic given the signature of this function
> > > > > and the nature of the potential bug which would most likely be a usage error.
> > > >
> > > > Of course to handle that, the function's signature need to be changed.
> > > > Changing it has the advantage that the error handling can be done at the
> > > > caller, in common code, instead of duplicating it for all
> > > > architectures, possibly
> > > > leading to different semantics.
> > >
> > > Given that *all* current users of syscall_get_arguments specify i == 0
> > > (and there is an architecture that has BUG_ON(i)),
> > > it should be really a usage error to get into situation where i + n > 6,
> > > I wish a BUILD_BUG_ON could be used here instead.
> > >
> > > I don't think it worths pushing the change of API just to convert
> > > a "cannot happen" assertion into an error that would have to be dealt with
> > > on the caller side.
> >
> > I suggest the following BUG_ON replacement for syscall_get_arguments:
> >
> > #define SYSCALL_MAX_ARGS 6
> >
> > static inline void
> > syscall_get_arguments(struct task_struct *task, struct pt_regs *regs,
> > unsigned int i, unsigned int n, unsigned long *args)
> > {
> > /*
> > * Ideally there should have been
> > * BUILD_BUG_ON(i + n > SYSCALL_MAX_ARGS);
> > * instead of these checks.
> > */
> > if (unlikely(i > SYSCALL_MAX_ARGS)) {
> > WARN_ONCE(1, "i > SYSCALL_MAX_ARGS");
> > return;
>
> Does this have security implications, as args is an output parameter?
> I.e. if you don't fill the array, the caller will use whatever is on the stack.
> Can this ever be passed to userspace, leaking data?

In the current kernel code n is always less or equal to 6,
but in theory future changes can potentially break the assertion
and this could lead to leaking data to userspace.

Do you think we should rather be defensive and add some memsets, e.g.

if (unlikely(i > SYSCALL_MAX_ARGS)) {
WARN_ONCE(1, "i > SYSCALL_MAX_ARGS");
memset(args, 0, n * sizeof(args[0]));
return;
}
if (unlikely(n > SYSCALL_MAX_ARGS - i)) {
unsigned int extra = n - (SYSCALL_MAX_ARGS - i);

WARN_ONCE(1, "i + n > SYSCALL_MAX_ARGS");
n = SYSCALL_MAX_ARGS - i;
memset(&args[n], 0, extra * sizeof(args[0]));
}
?


--
ldv

Attachment: signature.asc
Description: PGP signature