From: David Hildenbrand <david@redhat.com>
To: Alexey Izbyshev <izbyshev@ispras.ru>
Cc: Florent Revest <revest@chromium.org>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
akpm@linux-foundation.org, catalin.marinas@arm.com,
anshuman.khandual@arm.com, joey.gouly@arm.com, mhocko@suse.com,
keescook@chromium.org, peterx@redhat.com, broonie@kernel.org,
szabolcs.nagy@arm.com, kpsingh@kernel.org, gthelen@google.com,
toiwoton@gmail.com
Subject: Re: [PATCH v2 3/5] mm: Make PR_MDWE_REFUSE_EXEC_GAIN an unsigned long
Date: Tue, 23 May 2023 16:10:12 +0200 [thread overview]
Message-ID: <c3530ffb-c004-98cd-2651-280c391aca92@redhat.com> (raw)
In-Reply-To: <7c572622c0d8e283fc880fe3f4ffac27@ispras.ru>
>> Wouldn't that also suffer from the same issue, or how is this
>> different?
>>
> Yes, it is the same issue, so e.g. prctl(PR_SET_DUMPABLE,
> SUID_DUMP_DISABLE ) may wrongly fail with EINVAL on 64-bit targets.
>
>> Also, how is passing "0"s to e.g., PR_GET_THP_DISABLE reliable? We
>> need arg2 -> arg5 to be 0. But wouldn't the following also just pass a
>> 0 "int" ?
>>
>> prctl(PR_GET_THP_DISABLE, 0, 0, 0, 0)
>>
> Yes, this is not reliable on 64-bit targets too. The simplest fix is to
> use "0L", as done in MDWE self-tests (but many other tests get this
> wrong).
Oh, it's even worse than I thought, then. :)
Even in our selftest most of
$ git grep prctl tools/testing/selftests/ | grep "0"
gets it wrong.
>
> Florent also expressed surprise[1] that we don't see a lot of failures
> due to such issues, and I tried to provide some reasons. To elaborate on
Yes, I'm also surprised!
> the x86-64 thing, for prctl(PR_SET_DUMPABLE, 0) the compiler will likely
> generate "xorl %esi, %esi" to pass zero, but this instruction will also
> clear the upper 32 bits of %rsi, so the problem is masked (and I believe
> CPU vendors are motivated to do such zeroing to reduce false
> dependencies). But this zeroing is not required by the ABI, so in a more
> complex situation junk might get through.
:/
>
> Real-world examples of very similar breakage in variadic functions
> involving NULL sentinels are mentioned in [2] (the musl bug report is
> [3]). In short, musl defined NULL as plain 0 for C++, so when people do
> e.g. execl("/bin/true", "true", NULL), junk might prevent detection of
> the sentinel in execl() impl. (Though if the sentinel is passed via
> stack because there are a lot of preceding arguments, the breakage
> becomes more apparent because auto-zeroing of registers doesn't come
> into play anymore.)
Yes, I heard about the "fun" with NULL already. Thanks for the musl
pointer. And thanks for the confirmation/explanation.
>
>>
>> I'm easily confused by such (va_args) things, so sorry for the dummy
>> questions.
>
> This stuff *is* confusing, and note that Linux man pages don't even tell
> that prctl() is actually declared as a variadic function (and for
> ptrace() this is mentioned only in the notes, but not in its signature).
Agreed, that's easy to miss (and probably many people missed it).
Anyhow, for this patch as is (although it feels like drops in the ocean
after our discussion)
Reviewed-by: David Hildenbrand <david@redhat.com>
--
Thanks,
David / dhildenb
next prev parent reply other threads:[~2023-05-23 14:13 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-17 15:03 [PATCH v2 0/5] MDWE without inheritance Florent Revest
2023-05-17 15:03 ` [PATCH v2 1/5] kselftest: vm: Fix tabs/spaces inconsistency in the mdwe test Florent Revest
2023-05-22 8:52 ` David Hildenbrand
2023-05-17 15:03 ` [PATCH v2 2/5] kselftest: vm: Fix mdwe's mmap_FIXED test case Florent Revest
2023-05-22 8:53 ` David Hildenbrand
2023-05-17 15:03 ` [PATCH v2 3/5] mm: Make PR_MDWE_REFUSE_EXEC_GAIN an unsigned long Florent Revest
2023-05-22 8:55 ` David Hildenbrand
[not found] ` <884d131bbc28ebfa0b729176e6415269@ispras.ru>
2023-05-22 16:22 ` David Hildenbrand
[not found] ` <3c2e210b75bd56909322e8a3e5086d91@ispras.ru>
2023-05-23 9:12 ` David Hildenbrand
2023-05-23 13:07 ` Catalin Marinas
[not found] ` <f47d587fe5a6285f88191fbb13f367c7@ispras.ru>
2023-05-23 14:09 ` Catalin Marinas
2023-05-23 15:01 ` Szabolcs Nagy
[not found] ` <7c572622c0d8e283fc880fe3f4ffac27@ispras.ru>
2023-05-23 14:10 ` David Hildenbrand [this message]
2023-05-26 19:04 ` Florent Revest
2023-05-26 19:02 ` Florent Revest
2023-05-23 14:11 ` Catalin Marinas
2023-05-17 15:03 ` [PATCH v2 4/5] mm: Add a NO_INHERIT flag to the PR_SET_MDWE prctl Florent Revest
2023-05-22 9:01 ` David Hildenbrand
2023-05-22 16:11 ` Florent Revest
2023-05-23 16:36 ` Catalin Marinas
2023-05-26 19:05 ` Florent Revest
2023-05-17 15:03 ` [PATCH v2 5/5] kselftest: vm: Add tests for no-inherit memory-deny-write-execute Florent Revest
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c3530ffb-c004-98cd-2651-280c391aca92@redhat.com \
--to=david@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=anshuman.khandual@arm.com \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=gthelen@google.com \
--cc=izbyshev@ispras.ru \
--cc=joey.gouly@arm.com \
--cc=keescook@chromium.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
--cc=peterx@redhat.com \
--cc=revest@chromium.org \
--cc=szabolcs.nagy@arm.com \
--cc=toiwoton@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox