On Tue, Mar 21, 2017 at 08:47:11PM +0300, Dmitry Safonov wrote: > After my changes to mmap(), its code now relies on the bitness of > performing syscall. According to that, it chooses the base of allocation: > mmap_base for 64-bit mmap() and mmap_compat_base for 32-bit syscall. > It was done by: > commit 1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for > 32-bit mmap()"). > > The code afterwards relies on in_compat_syscall() returning true for > 32-bit syscalls. It's usually so while we're in context of application > that does 32-bit syscalls. But during exec() it is not valid for x32 ELF. > The reason is that the application hasn't yet done any syscall, so x32 > bit has not being set. > That results in -ENOMEM for x32 ELF files as there fired BAD_ADDR() > in elf_map(), that is called from do_execve()->load_elf_binary(). > For i386 ELFs it works as SET_PERSONALITY() sets TS_COMPAT flag. > > Set x32 bit before first return to userspace, during setting personality > at exec(). This way we can rely on in_compat_syscall() during exec(). > Do also the reverse: drop x32 syscall bit at SET_PERSONALITY for 64-bits. > > Fixes: commit 1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for > 32-bit mmap()") Tested: with bash:x32, mksh:amd64, posh:i386, zsh:armhf (binfmt:qemu), fork+exec works for every parent-child combination. Contrary to my naive initial reading of your fix, mixing syscalls from a process of the wrong ABI also works as it did before. While using a glibc wrapper will call the right version, x32 processes calling amd64 syscalls is surprisingly common -- this brings seccomp joy. I've attached a freestanding test case for write() and mmap(); it's freestanding asm as most of you don't have an x32 toolchain at hand, sorry for unfriendly error messages. So with these two patches: x86/tls: Forcibly set the accessed bit in TLS segments x86/mm: set x32 syscall bit in SET_PERSONALITY() everything appears to be fine. -- ac?aGBP'a 3/4 a >>ac?aGBP|a ? Meow! aGBP 3/4 a ?ac a ?a ?aGBP?a!? ac?a!?a ?a .a ?a ?a ? Collisions shmolisions, let's see them find a collision or second a ?a 3aGBP?a ?a ?a ?a ? preimage for double rot13!