Folks,
Digging through the guts of exit I found something I am not quite
certain what to do with. On some architectures such as alpha, m68k, and
nios2 the kernel calls into system calls with a subset of the registers
saved on the kernel stack, and the kernel calls into signal handling and
a few other contexts with all of the registers saved on the kernel
stack. The problem is sometimes we read all of the registers from
a context where they are not all saved.
When this was initially observed it looked just like a coredump problem
and it could be solved by tweaking the coredump code. That change was
77f6ab8b7768 ("don't dump the threads that had been already exiting when
zapped.")
However I have looked farther and we have the location where get_signal
is called from io_uring, and we have the ptrace_stop in
PTRACE_EVENT_EXIT. In PTRACE_EVENT_EXIT we could be called from exit(2)
which is a syscall and we definitely won't have everything saved on the
kernel stack. I have not doubled checked create_io_thread but I don't
think create_io_threads saves all of the registers on the kernel stack.
I think at this point we need to say that the architectures that have a
do this need to be fixed to at least call do_exit and the kernel
function in create_io_thread with the deeper stack.
Is that reasonable of me to ask? Is there some other way to deal with
this issue that I am not seeing? Am I missing some critical detail that
makes PTRACE_EVENT_EXIT in do_exit not a problem if someone reads the
register with ptrace?
Eric
On Thu, Jun 10, 2021 at 1:58 PM Eric W. Biederman <[email protected]> wrote:
>
> The problem is sometimes we read all of the registers from
> a context where they are not all saved.
Ouch. Yes. And this is really painful because none of the *normal*
architectures do this, so it gets absolutely no coverage.
> I think at this point we need to say that the architectures that have a
> do this need to be fixed to at least call do_exit and the kernel
> function in create_io_thread with the deeper stack.
Yeah. We traditionally have that requirement for fork() and friends
too (vfork/clone), so adding exit and io_uring to do so seems like the
most straightforward thing.
But I really wish we had some way to test and trigger this so that we
wouldn't get caught on this before. Something in task_pt_regs() that
catches "this doesn't actually work" and does a WARN_ON_ONCE() on the
affected architectures?
Linus
Linus Torvalds <[email protected]> writes:
> On Thu, Jun 10, 2021 at 1:58 PM Eric W. Biederman <[email protected]> wrote:
>>
>> The problem is sometimes we read all of the registers from
>> a context where they are not all saved.
>
> Ouch. Yes. And this is really painful because none of the *normal*
> architectures do this, so it gets absolutely no coverage.
>
>> I think at this point we need to say that the architectures that have a
>> do this need to be fixed to at least call do_exit and the kernel
>> function in create_io_thread with the deeper stack.
>
> Yeah. We traditionally have that requirement for fork() and friends
> too (vfork/clone), so adding exit and io_uring to do so seems like the
> most straightforward thing.
Interesting. I am starting with Al's analysis and reading the code
to see if I can understand what is going on. So I am still glossing
over a few details as I dig into this. Kernel threads not having
all of their registers saved is one of those details.
Looking at copy_thread it looks like at least on alpha we are dealing
with a structure that defines all of the registers in copy_thread. So
perhaps all of the registers are there in kernel_threads already. I
don't read alpha assembly very well and fork is a bit subtle. I don't
know which piece of code is calling
ret_from_fork/ret_from_kernel_thread.
I really suspect that all of those registers are popped so at least for
IO_THREADS we need to push them again, in a way that signal_pt_regs()
can find them.
It looks like we just need something like this to cover the userspace
side of exit.
diff --git a/arch/alpha/kernel/entry.S b/arch/alpha/kernel/entry.S
index e227f3a29a43..ab0dcb545bd1 100644
--- a/arch/alpha/kernel/entry.S
+++ b/arch/alpha/kernel/entry.S
@@ -812,6 +812,22 @@ fork_like fork
fork_like vfork
fork_like clone
+.macro exit_like name
+ .align 4
+ .globl alpha_\name
+ .ent alpha_\name
+alpha_\name:
+ .prologue 0
+ DO_SWITCH_STACK
+ jsr $26, sys_\name
+ UNDO_SWITCH_STACK
+ ret
+.end alpha_\name
+.endm
+
+exit_like exit
+exit_like exit_group
+
.macro sigreturn_like name
.align 4
.globl sys_\name
diff --git a/arch/alpha/kernel/syscalls/syscall.tbl b/arch/alpha/kernel/syscalls/syscall.tbl
index 3000a2e8ee21..b9d6449d6caa 100644
--- a/arch/alpha/kernel/syscalls/syscall.tbl
+++ b/arch/alpha/kernel/syscalls/syscall.tbl
@@ -8,7 +8,7 @@
# The <abi> is always "common" for this file
#
0 common osf_syscall alpha_syscall_zero
-1 common exit sys_exit
+1 common exit alpha_exit
2 common fork alpha_fork
3 common read sys_read
4 common write sys_write
@@ -333,7 +333,7 @@
400 common io_getevents sys_io_getevents
401 common io_submit sys_io_submit
402 common io_cancel sys_io_cancel
-405 common exit_group sys_exit_group
+405 common exit_group alpha_exit_group
406 common lookup_dcookie sys_lookup_dcookie
407 common epoll_create sys_epoll_create
408 common epoll_ctl sys_epoll_ctl
> But I really wish we had some way to test and trigger this so that we
> wouldn't get caught on this before. Something in task_pt_regs() that
> catches "this doesn't actually work" and does a WARN_ON_ONCE() on the
> affected architectures?
I think that would require pushing an extra magic value in SWITCH_STACK
and not just popping it but deliberately changing that value in
UNDO_SWITCH_STACK. Basically stack canaries.
I don't see how we could do it in an arch independent way though.
Which means it will require auditing all of the architectures to get
there. Volunteers?
This is looking straight forward enough that I can probably pull
something together, just don't count on me to have it done in anything
resembling a timely manner.
Eric
On Fri, Jun 11, 2021 at 2:40 PM Eric W. Biederman <[email protected]> wrote:
>
> Looking at copy_thread it looks like at least on alpha we are dealing
> with a structure that defines all of the registers in copy_thread.
On the target side, yes.
On the _source_ side, the code does
struct pt_regs *regs = current_pt_regs();
and that's the part that means that fork() and related functions need
to have done that DO_SWITCH_STACK(), so that they have the full
register set to be copied.
Otherwise it would copy random contents from the source stack.
But that
if (unlikely(p->flags & (PF_KTHREAD | PF_IO_WORKER))) {
ends up protecting us, and the code never uses that set of source
registers for the io worker threads.
So io_uring looks fine on alpha. I didn't check m68k and friends, but
I think they have the same thing going.
> It looks like we just need something like this to cover the userspace
> side of exit.
Looks correct to me. Except I think you could just use "fork_like()"
instead of creating a new (and identical) "exit_like()" macro.
> > But I really wish we had some way to test and trigger this so that we
> > wouldn't get caught on this before. Something in task_pt_regs() that
> > catches "this doesn't actually work" and does a WARN_ON_ONCE() on the
> > affected architectures?
>
> I think that would require pushing an extra magic value in SWITCH_STACK
> and not just popping it but deliberately changing that value in
> UNDO_SWITCH_STACK. Basically stack canaries.
>
> I don't see how we could do it in an arch independent way though.
No, I think you're right. There's no obvious generic solution to it,
and once we look at arch-specific ones we're vback to "just alpha,
m68k and nios needs this or cares" and tonce you're there you might as
well just fix it.
ia64 has soem "fast system call" model with limited registers too, but
I think that's limited to just a few very special system calls (ie it
does the reverse of what alpha does: alpha does the fast case by
default, and then marks fork/vfork/clone as special).
Linus
Linus Torvalds <[email protected]> writes:
> On Fri, Jun 11, 2021 at 2:40 PM Eric W. Biederman <[email protected]> wrote:
>>
>> Looking at copy_thread it looks like at least on alpha we are dealing
>> with a structure that defines all of the registers in copy_thread.
>
> On the target side, yes.
>
> On the _source_ side, the code does
>
> struct pt_regs *regs = current_pt_regs();
>
> and that's the part that means that fork() and related functions need
> to have done that DO_SWITCH_STACK(), so that they have the full
> register set to be copied.
>
> Otherwise it would copy random contents from the source stack.
>
> But that
>
> if (unlikely(p->flags & (PF_KTHREAD | PF_IO_WORKER))) {
>
> ends up protecting us, and the code never uses that set of source
> registers for the io worker threads.
The test in copy_thread. That isn't the case I am worried about.
> So io_uring looks fine on alpha. I didn't check m68k and friends, but
> I think they have the same thing going.
As I have read through the code more I don't think so.
The code paths I am worried about are:
ret_from_kernel_thread
io_wqe_worker
get_signal
do_coredump
ptrace_stop
ret_from_kernel_thread
io_sq_thread
get_signal
do_coredump
ptrace_stop
As I understand the code the new thread created by create_thread
initially has a full complement of registers, and then is started
by alpha_switch_to:
.align 4
.globl alpha_switch_to
.type alpha_switch_to, @function
.cfi_startproc
alpha_switch_to:
DO_SWITCH_STACK
call_pal PAL_swpctx
lda $8, 0x3fff
UNDO_SWITCH_STACK
bic $sp, $8, $8
mov $17, $0
ret
.cfi_endproc
.size alpha_switch_to, .-alpha_switch_to
The alpha_switch_to will remove the extra registers from the stack and
then call ret which if I understand alpha assembly correctly is
equivalent to jumping to where $26 points. Which is
ret_from_kernel_thread (as setup by copy_thread).
Which leaves ret_from_kernel_thread and everything it calls without
the extra context saved on the stack.
I am still trying to understand how we get registers populated at a
fixed offset on the stack during schedule. As it looks like switch_to
assumes the stack pointer is in the proper location.
>> It looks like we just need something like this to cover the userspace
>> side of exit.
>
> Looks correct to me. Except I think you could just use "fork_like()"
> instead of creating a new (and identical) "exit_like()" macro.
>
>> > But I really wish we had some way to test and trigger this so that we
>> > wouldn't get caught on this before. Something in task_pt_regs() that
>> > catches "this doesn't actually work" and does a WARN_ON_ONCE() on the
>> > affected architectures?
>>
>> I think that would require pushing an extra magic value in SWITCH_STACK
>> and not just popping it but deliberately changing that value in
>> UNDO_SWITCH_STACK. Basically stack canaries.
>>
>> I don't see how we could do it in an arch independent way though.
>
> No, I think you're right. There's no obvious generic solution to it,
> and once we look at arch-specific ones we're vback to "just alpha,
> m68k and nios needs this or cares" and tonce you're there you might as
> well just fix it.
>
> ia64 has soem "fast system call" model with limited registers too, but
> I think that's limited to just a few very special system calls (ie it
> does the reverse of what alpha does: alpha does the fast case by
> default, and then marks fork/vfork/clone as special).
I wonder if the arch specific solution should be to move the registers
to a fixed location in task_struct (perhaps thread_struct ) so that the
same patterns can apply across all architectures and we don't get
surprises at all.
What appears to be unique about alpha, m68k, and nios is that
space is not always reserved for all of the registers, so we can't
always count on them being saved after a task switch.
Eric
On Sun, Jun 13, 2021 at 2:55 PM Eric W. Biederman <[email protected]> wrote:
>
> The alpha_switch_to will remove the extra registers from the stack and
> then call ret which if I understand alpha assembly correctly is
> equivalent to jumping to where $26 points. Which is
> ret_from_kernel_thread (as setup by copy_thread).
>
> Which leaves ret_from_kernel_thread and everything it calls without
> the extra context saved on the stack.
Uhhuh. Right you are, I think. It's been ages since I worked on that
code and my alpha handbook is somewhere else, but yes, when
alpha_switch_to() has context-switched to the new PCB state, it will
then pop those registers in the new context and return.
So we do set up the right stack frame for the worker thread, but as
you point out, it then gets used up immediately when running. So by
the time the IO worker thread calls get_signal(), it's no longer
useful.
How very annoying.
The (obviously UNTESTED) patch might be something like the attached.
I wouldn't be surprised if m68k has the exact same thing for the exact
same reason, but I didn't check..
Linus
Hi Linus,
On 14/06/21 10:18 am, Linus Torvalds wrote:
> On Sun, Jun 13, 2021 at 2:55 PM Eric W. Biederman <[email protected]> wrote:
>> The alpha_switch_to will remove the extra registers from the stack and
>> then call ret which if I understand alpha assembly correctly is
>> equivalent to jumping to where $26 points. Which is
>> ret_from_kernel_thread (as setup by copy_thread).
>>
>> Which leaves ret_from_kernel_thread and everything it calls without
>> the extra context saved on the stack.
> Uhhuh. Right you are, I think. It's been ages since I worked on that
> code and my alpha handbook is somewhere else, but yes, when
> alpha_switch_to() has context-switched to the new PCB state, it will
> then pop those registers in the new context and return.
>
> So we do set up the right stack frame for the worker thread, but as
> you point out, it then gets used up immediately when running. So by
> the time the IO worker thread calls get_signal(), it's no longer
> useful.
>
> How very annoying.
>
> The (obviously UNTESTED) patch might be something like the attached.
>
> I wouldn't be surprised if m68k has the exact same thing for the exact
> same reason, but I didn't check..
m68k is indeed similar, it has:
if (unlikely(p->flags & (PF_KTHREAD | PF_IO_WORKER))) {
/* kernel thread */
memset(frame, 0, sizeof(struct fork_frame));
frame->regs.sr = PS_S;
frame->sw.a3 = usp; /* function */
frame->sw.d7 = arg;
frame->sw.retpc = (unsigned long)ret_from_kernel_thread;
p->thread.usp = 0;
return 0;
}
so a similar patch should be possible.
Cheers,
Michael
>
> Linus
On second thought, I'm not certain what adding another empty stack frame
would achieve here.
On m68k, 'frame' already is a new stack frame, for running the new
thread in. This new frame does not have any user context at all, and
it's explicitly wiped anyway.
Unless we save all user context on the stack, then push that context to
a new save frame, and somehow point get_signal to look there for IO
threads (essentially what Eric suggested), I don't see how this could work?
I must be missing something.
Cheers,
Michael Schmitz
Am 14.06.2021 um 14:05 schrieb Michael Schmitz:
>>
>> I wouldn't be surprised if m68k has the exact same thing for the exact
>> same reason, but I didn't check..
>
> m68k is indeed similar, it has:
>
> if (unlikely(p->flags & (PF_KTHREAD | PF_IO_WORKER))) {
> /* kernel thread */
> memset(frame, 0, sizeof(struct fork_frame));
> frame->regs.sr = PS_S;
> frame->sw.a3 = usp; /* function */
> frame->sw.d7 = arg;
> frame->sw.retpc = (unsigned long)ret_from_kernel_thread;
> p->thread.usp = 0;
> return 0;
> }
>
> so a similar patch should be possible.
>
> Cheers,
>
> Michael
>
>
>
>>
>> Linus
Michael Schmitz <[email protected]> writes:
> On second thought, I'm not certain what adding another empty stack frame would
> achieve here.
>
> On m68k, 'frame' already is a new stack frame, for running the new thread
> in. This new frame does not have any user context at all, and it's explicitly
> wiped anyway.
>
> Unless we save all user context on the stack, then push that context to a new
> save frame, and somehow point get_signal to look there for IO threads
> (essentially what Eric suggested), I don't see how this could work?
>
> I must be missing something.
It is only designed to work well enough so that ptrace will access
something well defined when ptrace accesses io_uring tasks.
The io_uring tasks are special in that they are user process
threads that never run in userspace. So as long as everything
ptrace can read is accessible on that process all is well.
Having stared a bit longer at the code I think the short term
fix for both of PTRACE_EVENT_EXIT and io_uring is to guard
them both with CONFIG_HAVE_ARCH_TRACEHOOK.
Today CONFIG_HAVE_ARCH_TRACEHOOK guards access to /proc/self/syscall.
Which out of necessity ensures that user context is always readable.
Which seems to solve both the PTRACE_EVENT_EXIT and the io_uring
problems.
What I especially like about that is there are a lot of other reasons
to encourage architectures in a CONFIG_HAVE_ARCH_TRACEHOOK direction.
I think the biggies are getting architectures to store the extra
saved state on context switch into some place in task_struct
and to implement the regset view of registers.
Hmm. This is odd. CONFIG_HAVE_ARCH_TRACEHOOK is supposed to imply
CORE_DUMP_USE_REGSET. But alpha, csky, h8300, m68k, microblaze, nds32
don't implement CORE_DUMP_USE_REGSET but nds32 implements
CONFIG_ARCH_HAVE_TRACEHOOK.
I will keep digging and see what clean code I can come up with.
Eric
Hi Eric,
On 15/06/21 4:26 am, Eric W. Biederman wrote:
> Michael Schmitz <[email protected]> writes:
>
>> On second thought, I'm not certain what adding another empty stack frame would
>> achieve here.
>>
>> On m68k, 'frame' already is a new stack frame, for running the new thread
>> in. This new frame does not have any user context at all, and it's explicitly
>> wiped anyway.
>>
>> Unless we save all user context on the stack, then push that context to a new
>> save frame, and somehow point get_signal to look there for IO threads
>> (essentially what Eric suggested), I don't see how this could work?
>>
>> I must be missing something.
> It is only designed to work well enough so that ptrace will access
> something well defined when ptrace accesses io_uring tasks.
>
> The io_uring tasks are special in that they are user process
> threads that never run in userspace. So as long as everything
> ptrace can read is accessible on that process all is well.
OK, I'm testing a patch that would save extra context in
sys_io_uring_setup, which ought to ensure that for m68k.
> Having stared a bit longer at the code I think the short term
> fix for both of PTRACE_EVENT_EXIT and io_uring is to guard
> them both with CONFIG_HAVE_ARCH_TRACEHOOK.
Fair enough :-)
Cheers,
Michael
>
> Today CONFIG_HAVE_ARCH_TRACEHOOK guards access to /proc/self/syscall.
> Which out of necessity ensures that user context is always readable.
> Which seems to solve both the PTRACE_EVENT_EXIT and the io_uring
> problems.
>
> What I especially like about that is there are a lot of other reasons
> to encourage architectures in a CONFIG_HAVE_ARCH_TRACEHOOK direction.
> I think the biggies are getting architectures to store the extra
> saved state on context switch into some place in task_struct
> and to implement the regset view of registers.
>
> Hmm. This is odd. CONFIG_HAVE_ARCH_TRACEHOOK is supposed to imply
> CORE_DUMP_USE_REGSET. But alpha, csky, h8300, m68k, microblaze, nds32
> don't implement CORE_DUMP_USE_REGSET but nds32 implements
> CONFIG_ARCH_HAVE_TRACEHOOK.
>
> I will keep digging and see what clean code I can come up with.
>
> Eric
Michael Schmitz <[email protected]> writes:
> Hi Eric,
>
> On 15/06/21 4:26 am, Eric W. Biederman wrote:
>> Michael Schmitz <[email protected]> writes:
>>
>>> On second thought, I'm not certain what adding another empty stack frame would
>>> achieve here.
>>>
>>> On m68k, 'frame' already is a new stack frame, for running the new thread
>>> in. This new frame does not have any user context at all, and it's explicitly
>>> wiped anyway.
>>>
>>> Unless we save all user context on the stack, then push that context to a new
>>> save frame, and somehow point get_signal to look there for IO threads
>>> (essentially what Eric suggested), I don't see how this could work?
>>>
>>> I must be missing something.
>> It is only designed to work well enough so that ptrace will access
>> something well defined when ptrace accesses io_uring tasks.
>>
>> The io_uring tasks are special in that they are user process
>> threads that never run in userspace. So as long as everything
>> ptrace can read is accessible on that process all is well.
> OK, I'm testing a patch that would save extra context in sys_io_uring_setup,
> which ought to ensure that for m68k.
I had to update ret_from_kernel_thread to pop that state to get Linus's
change to boot. Apparently kernel_threads exiting needs to be handled.
>> Having stared a bit longer at the code I think the short term
>> fix for both of PTRACE_EVENT_EXIT and io_uring is to guard
>> them both with CONFIG_HAVE_ARCH_TRACEHOOK.
Which does not work because nios2 which looks susceptible
sets CONFIG_HAVE_ARCH_TRACEHOOK.
A further look shows that there is also PTRACE_EVENT_EXEC that
needs to be handled so execve and execveat need to be wrapped
as well.
Do you happen to know if there is userspace that will run
in qemu-system-m68k that can be used for testing?
Eric
While thinking about the information leaks fixed in 77f6ab8b7768
("don't dump the threads that had been already exiting when zapped.")
I realized the problem is much more general than just coredumps and
exit_mm. We have io_uring threads, PTRACE_EVENT_EXEC and
PTRACE_EVENT_EXIT where ptrace is allowed to access userspace
registers, but on some architectures has not saved them.
The function alpha_switch_to does something reasonable it saves the
floating point registers and the caller saved registers and switches
to a different thread. Any register the caller is not expected to
save it does not save.
Meanhile the system call entry point on alpha also does something
reasonable. The system call entry point saves the all but the caller
saved integer registers and doesn't touch the floating point registers
as the kernel code does not touch them.
This is a nice happy fast path until the kernel wants to access the
user space's registers through ptrace or similar. As user spaces's
caller saved registers may be saved at an unpredictable point in the
kernel code's stack, the routime which may stop and make the userspace
registers available must be wrapped by code that will first save a
switch stack frame at the bottom of the call stack, call the code that
may access those registers and then pop the switch stack frame.
The practical problem with this code structure is that this results in
a game of whack-a-mole wrapping different kernel system calls. Loosing
the game of whack-a-mole results in a security hole where userspace can
write arbitrary data to the kernel stack.
I looked and there nothing I can do that is not arch specific, so
whack the moles with a minimal backportable fix.
This change survives boot testing on qemu-system-alpha.
Cc: [email protected]
Inspired-by: Linus Torvalds <[email protected]>
Fixes: 45c1a159b85b ("Add PTRACE_O_TRACEVFORKDONE and PTRACE_O_TRACEEXIT facilities.")
Fixes: a0691b116f6a ("Add new ptrace event tracing mechanism")
History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Signed-off-by: "Eric W. Biederman" <[email protected]>
---
arch/alpha/kernel/entry.S | 21 +++++++++++++++++++++
arch/alpha/kernel/process.c | 11 ++++++++++-
arch/alpha/kernel/syscalls/syscall.tbl | 8 ++++----
3 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/arch/alpha/kernel/entry.S b/arch/alpha/kernel/entry.S
index e227f3a29a43..98bb5b805089 100644
--- a/arch/alpha/kernel/entry.S
+++ b/arch/alpha/kernel/entry.S
@@ -785,6 +785,7 @@ ret_from_kernel_thread:
mov $9, $27
mov $10, $16
jsr $26, ($9)
+ lda $sp, SWITCH_STACK_SIZE($sp)
br $31, ret_to_user
.end ret_from_kernel_thread
@@ -811,6 +812,26 @@ alpha_\name:
fork_like fork
fork_like vfork
fork_like clone
+fork_like exit
+fork_like exit_group
+
+.macro exec_like name
+ .align 4
+ .globl alpha_\name
+ .ent alpha_\name
+ .cfi_startproc
+alpha_\name:
+ .prologue 0
+ DO_SWITCH_STACK
+ jsr $26, sys_\name
+ UNDO_SWITCH_STACK
+ ret
+ .cfi_endproc
+.end alpha_\name
+.endm
+
+exec_like execve
+exec_like execveat
.macro sigreturn_like name
.align 4
diff --git a/arch/alpha/kernel/process.c b/arch/alpha/kernel/process.c
index 5112ab996394..edbfe03f4b2c 100644
--- a/arch/alpha/kernel/process.c
+++ b/arch/alpha/kernel/process.c
@@ -251,8 +251,17 @@ int copy_thread(unsigned long clone_flags, unsigned long usp,
if (unlikely(p->flags & (PF_KTHREAD | PF_IO_WORKER))) {
/* kernel thread */
+ /*
+ * Give it *two* switch stacks, one for the kernel
+ * state return that is used up by alpha_switch_to,
+ * and one for the "user state" which is accessed
+ * by ptrace.
+ */
+ childstack--;
+ childti->pcb.ksp = (unsigned long) childstack;
+
memset(childstack, 0,
- sizeof(struct switch_stack) + sizeof(struct pt_regs));
+ 2*sizeof(struct switch_stack) + sizeof(struct pt_regs));
childstack->r26 = (unsigned long) ret_from_kernel_thread;
childstack->r9 = usp; /* function */
childstack->r10 = kthread_arg;
diff --git a/arch/alpha/kernel/syscalls/syscall.tbl b/arch/alpha/kernel/syscalls/syscall.tbl
index 3000a2e8ee21..5f85f3c11ed4 100644
--- a/arch/alpha/kernel/syscalls/syscall.tbl
+++ b/arch/alpha/kernel/syscalls/syscall.tbl
@@ -8,7 +8,7 @@
# The <abi> is always "common" for this file
#
0 common osf_syscall alpha_syscall_zero
-1 common exit sys_exit
+1 common exit alpha_exit
2 common fork alpha_fork
3 common read sys_read
4 common write sys_write
@@ -65,7 +65,7 @@
56 common osf_revoke sys_ni_syscall
57 common symlink sys_symlink
58 common readlink sys_readlink
-59 common execve sys_execve
+59 common execve alpha_execve
60 common umask sys_umask
61 common chroot sys_chroot
62 common osf_old_fstat sys_ni_syscall
@@ -333,7 +333,7 @@
400 common io_getevents sys_io_getevents
401 common io_submit sys_io_submit
402 common io_cancel sys_io_cancel
-405 common exit_group sys_exit_group
+405 common exit_group alpha_exit_group
406 common lookup_dcookie sys_lookup_dcookie
407 common epoll_create sys_epoll_create
408 common epoll_ctl sys_epoll_ctl
@@ -441,7 +441,7 @@
510 common renameat2 sys_renameat2
511 common getrandom sys_getrandom
512 common memfd_create sys_memfd_create
-513 common execveat sys_execveat
+513 common execveat alpha_execveat
514 common seccomp sys_seccomp
515 common bpf sys_bpf
516 common userfaultfd sys_userfaultfd
--
2.20.1
Hi Eric,
On 16/06/21 7:30 am, Eric W. Biederman wrote:
>
>>> The io_uring tasks are special in that they are user process
>>> threads that never run in userspace. So as long as everything
>>> ptrace can read is accessible on that process all is well.
>> OK, I'm testing a patch that would save extra context in sys_io_uring_setup,
>> which ought to ensure that for m68k.
> I had to update ret_from_kernel_thread to pop that state to get Linus's
> change to boot. Apparently kernel_threads exiting needs to be handled.
Hadn't yet got to that stage, sorry. Still stress testing stage 1 of my
fix (push complete context). I would have thought that this should be
sufficient (gives us a complete stack frame for ptrace code to work on)?
But it makes sense that when you push an extra stack frame, you'd need
to pop that on exit.
>
>>> Having stared a bit longer at the code I think the short term
>>> fix for both of PTRACE_EVENT_EXIT and io_uring is to guard
>>> them both with CONFIG_HAVE_ARCH_TRACEHOOK.
> Which does not work because nios2 which looks susceptible
> sets CONFIG_HAVE_ARCH_TRACEHOOK.
>
> A further look shows that there is also PTRACE_EVENT_EXEC that
> needs to be handled so execve and execveat need to be wrapped
> as well.
>
> Do you happen to know if there is userspace that will run
> in qemu-system-m68k that can be used for testing?
I surmise so. I don't use qemu myself - either ARAnyM, or actual
hardware. Hardware is limited to 14 MB RAM, which has prevented me from
using more than simple regression testing. In particular, I can't test
sys_io_uring_setup there.
Adrian uses qemu a lot, and has supplied disk images to work from on
occasion. Maybe he's got something recent enough to support
sys_io_uring_setup ... I've CC:ed him in, as I'd love to do some more
testing as well.
Cheers,
Michael
>
> Eric
>
On Tue, Jun 15, 2021 at 12:36 PM Eric W. Biederman
<[email protected]> wrote:
>
> I looked and there nothing I can do that is not arch specific, so
> whack the moles with a minimal backportable fix.
>
> This change survives boot testing on qemu-system-alpha.
So as mentioned in the other thread, I think this patch is exactly right.
However, the need for this part
> @@ -785,6 +785,7 @@ ret_from_kernel_thread:
> mov $9, $27
> mov $10, $16
> jsr $26, ($9)
> + lda $sp, SWITCH_STACK_SIZE($sp)
> br $31, ret_to_user
> .end ret_from_kernel_thread
obviously eluded me in my "how about something like this", and I had
to really try to figure out why we'd ever return.
Which is why I came to that "oooh - kernel_execve()" realization.
It might be good to comment on that somewhere. And if you can think of
some other case, that should be mentioned too.
Anyway, thanks for looking into this odd case. And if you have a
test-case for this all, it really would be a good thing. Yes, it
should only affect a couple of odd-ball architectures, but still... It
would also be good to hear that you actually did verify the behavior
of this patch wrt that ptrace-of-io-worker-threads case..
Linus
Linus
On Tue, Jun 15, 2021 at 12:32 PM Eric W. Biederman
<[email protected]> wrote:
>
> I had to update ret_from_kernel_thread to pop that state to get Linus's
> change to boot. Apparently kernel_threads exiting needs to be handled.
You are very right.
That, btw, seems to be a horrible design mistake, but I think it's how
"kernel_execve()" works - both for the initial "init", but also for
user-mode helper processes.
Both of those cases do "kernel_thread()" to create a new thread, and
then that new kernel thread does kernel_execve() to create the user
space image for that thread. And that act of "execve()" clears
PF_KTHREAD from the thread, and then the final return from the kernel
thread function returns to that new user space.
Or something like that. It's been ages since I looked at that code,
and your patch initially confused the heck out of me because I went
"that can't _possibly_ be needed".
But yes, I think your patch is right.
And I think our horrible "kernel threads return to user space when
done" is absolutely horrifically nasty. Maybe of the clever sort, but
mostly of the historical horror sort.
Or am I mis-rememberting how this ends up working? Did you look at
exactly what it was that returned from kernel threads?
This might be worth commenting on somewhere. But your patch for alpha
looks correct to me. Did you have some test-case to verify ptrace() on
io worker threads?
Linus
On Wed, 16 Jun 2021, Michael Schmitz wrote:
> >
> > Do you happen to know if there is userspace that will run in
> > qemu-system-m68k that can be used for testing?
>
> I surmise so. I don't use qemu myself - either ARAnyM, or actual
> hardware. Hardware is limited to 14 MB RAM, which has prevented me from
> using more than simple regression testing. In particular, I can't test
> sys_io_uring_setup there.
>
> Adrian uses qemu a lot, and has supplied disk images to work from on
> occasion. Maybe he's got something recent enough to support
> sys_io_uring_setup ... I've CC:ed him in, as I'd love to do some more
> testing as well.
>
As well as Debian/m68k, there is also a Gentoo/m68k stage3 rootfs
available here:
https://sourceforge.net/projects/linux-mac68k/files/Gentoo%20m68k%20unauthorized/
I built that rootfs last year using Catalyst. Some background (including
the qemu-system-m68k command-line) can be found here:
https://forums.gentoo.org/viewtopic-t-1100780.html
Hi Eric,
On Tue, Jun 15, 2021 at 9:32 PM Eric W. Biederman <[email protected]> wrote:
> Do you happen to know if there is userspace that will run
> in qemu-system-m68k that can be used for testing?
There's a link to an image in Laurent's patch series "[PATCH 0/2]
m68k: Add Virtual M68k Machine"
https://lore.kernel.org/linux-m68k/[email protected]/
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- [email protected]
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
Linus Torvalds <[email protected]> writes:
> On Tue, Jun 15, 2021 at 12:32 PM Eric W. Biederman
> <[email protected]> wrote:
>>
>> I had to update ret_from_kernel_thread to pop that state to get Linus's
>> change to boot. Apparently kernel_threads exiting needs to be handled.
>
> You are very right.
>
> That, btw, seems to be a horrible design mistake, but I think it's how
> "kernel_execve()" works - both for the initial "init", but also for
> user-mode helper processes.
>
> Both of those cases do "kernel_thread()" to create a new thread, and
> then that new kernel thread does kernel_execve() to create the user
> space image for that thread. And that act of "execve()" clears
> PF_KTHREAD from the thread, and then the final return from the kernel
> thread function returns to that new user space.
>
> Or something like that. It's been ages since I looked at that code,
> and your patch initially confused the heck out of me because I went
> "that can't _possibly_ be needed".
>
> But yes, I think your patch is right.
>
> And I think our horrible "kernel threads return to user space when
> done" is absolutely horrifically nasty. Maybe of the clever sort, but
> mostly of the historical horror sort.
>
> Or am I mis-rememberting how this ends up working? Did you look at
> exactly what it was that returned from kernel threads?
>
> This might be worth commenting on somewhere. But your patch for alpha
> looks correct to me. Did you have some test-case to verify ptrace() on
> io worker threads?
At this point I just booted an alpha image and on qemu-system-alpha.
I do have gdb in my kernel image so I can test that. I haven't yet but
I can and should.
Sleeping on it I came up with a plan to add TF_SWITCH_STACK_SAVED to
indicate if the registers have been saved. The DO_SWITCH_STACK and
UNDO_SWITCH_STACK helpers (except in alpha_switch_to) can test that.
The ptrace helpers can test that and turn an access of random kernel
stack contents into something well behaved that does WARN_ON_ONCE
because we should not get there.
I suspect adding TF_SWITCH_STACK_SAVED should come first so it
is easy to verify the problem behavior, before I fix it.
My real goal is to find a pattern that architectures whose register
saves are structured like alphas can emulate, to minimize problems in
the future.
Plus I would really like to get the last handful of architectures
updated so we can remove CONFIG_HAVE_ARCH_TRACEHOOK. I think we can
do that on alpha because we save all of the system call arguments
in pt_regs and that is all the other non-ptrace code paths care about.
AKA I am trying to move the old architectures forward so we can get rid
of unnecessary complications in the core code.
Eric
Linus Torvalds <[email protected]> writes:
> On Tue, Jun 15, 2021 at 12:36 PM Eric W. Biederman
> <[email protected]> wrote:
>>
>> I looked and there nothing I can do that is not arch specific, so
>> whack the moles with a minimal backportable fix.
>>
>> This change survives boot testing on qemu-system-alpha.
>
> So as mentioned in the other thread, I think this patch is exactly right.
>
> However, the need for this part
>
>> @@ -785,6 +785,7 @@ ret_from_kernel_thread:
>> mov $9, $27
>> mov $10, $16
>> jsr $26, ($9)
>> + lda $sp, SWITCH_STACK_SIZE($sp)
>> br $31, ret_to_user
>> .end ret_from_kernel_thread
>
> obviously eluded me in my "how about something like this", and I had
> to really try to figure out why we'd ever return.
>
> Which is why I came to that "oooh - kernel_execve()" realization.
>
> It might be good to comment on that somewhere. And if you can think of
> some other case, that should be mentioned too.
>
> Anyway, thanks for looking into this odd case. And if you have a
> test-case for this all, it really would be a good thing. Yes, it
> should only affect a couple of odd-ball architectures, but still... It
> would also be good to hear that you actually did verify the behavior
> of this patch wrt that ptrace-of-io-worker-threads case..
*Grumble*
So just going through and looking to see what it takes to instrument
and put in warnings when things go wrong I have found another issue.
Today there exists:
PTRACE_EVENT_FORK
PTRACE_EVENT_VFORK
PTRACE_EVENT_CLONE
Which happens after the actual fork operation in the kernel.
The following code wraps those operations in arch/alpha/kernel/entry.S
.macro fork_like name
.align 4
.globl alpha_\name
.ent alpha_\name
alpha_\name:
.prologue 0
bsr $1, do_switch_stack
jsr $26, sys_\name
ldq $26, 56($sp)
lda $sp, SWITCH_STACK_SIZE($sp)
ret
.end alpha_\name
.endm
The code in the kernel when calls in fork.c calls ptrace_event_pid
which ultimately calls ptrace_stop. So userspace can reasonably expect
to stop the process and change it's registers.
With unconditionally popping the switch stack any of those registers
that are modified are lost.
So I will update my changes to handle that case as well.
Eric
Hi Geert,
On 16/06/21 7:38 pm, Geert Uytterhoeven wrote:
> Hi Eric,
>
> On Tue, Jun 15, 2021 at 9:32 PM Eric W. Biederman <[email protected]> wrote:
>> Do you happen to know if there is userspace that will run
>> in qemu-system-m68k that can be used for testing?
> There's a link to an image in Laurent's patch series "[PATCH 0/2]
> m68k: Add Virtual M68k Machine"
> https://lore.kernel.org/linux-m68k/[email protected]/
Thanks, I'll try that one.
I'll try and implement a few of the solutions Eric came up with for
alpha, unless someone beats me to it (Andreas?).
Cheers,
Michael
>
> Gr{oetje,eeting}s,
>
> Geert
>
On Tue, Jun 15, 2021 at 02:36:38PM -0500, Eric W. Biederman wrote:
>
> While thinking about the information leaks fixed in 77f6ab8b7768
> ("don't dump the threads that had been already exiting when zapped.")
> I realized the problem is much more general than just coredumps and
> exit_mm. We have io_uring threads, PTRACE_EVENT_EXEC and
> PTRACE_EVENT_EXIT where ptrace is allowed to access userspace
> registers, but on some architectures has not saved them.
Wait a sec. To have anything happen on PTRACE_EVENT_EXEC, you need the
fucker traced. *IF* you want to go that way, at least make it conditional
upon the same thing.
This pair of changes has not received anything beyond build and boot
testing. I am posting these changes as they do a much better job of
warning of problems and shutting down the security hole. Making them
a much better pattern than the my last patch.
I hope to get the test cases soon.
arch/alpha/include/asm/thread_info.h | 2 ++
arch/alpha/kernel/entry.S | 62 ++++++++++++++++++++++++++--------
arch/alpha/kernel/process.c | 3 ++
arch/alpha/kernel/ptrace.c | 13 +++++--
arch/alpha/kernel/syscalls/syscall.tbl | 8 ++---
5 files changed, 67 insertions(+), 21 deletions(-)
Eric W. Biederman (2):
alpha/ptrace: Record and handle the absence of switch_stack
alpha/ptrace: Add missing switch_stack frames