Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp1033066imm;
        Fri, 29 Jun 2018 10:12:02 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKLw1pbTYH46JBnwxnI2IytMCVpL+x4/NX7pjj03/IndZmQTUl/0TF6zMQfvW5ITpRUv5I6I
X-Received: by 2002:a65:4dc3:: with SMTP id q3-v6mr13231389pgt.331.1530292322253;
        Fri, 29 Jun 2018 10:12:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1530292322; cv=none;
        d=google.com; s=arc-20160816;
        b=RCp1zkaR4JlqUpr5+4FSh/f3xp3cGPcPxjAp5Y3pwnUq8pJFAZ1B5Z8VWn/xaNZ8ti
         XuXI+PXC2mOKwZAHq88yEx+HUloowGtrlV6ZCyXkq2fMf6WtAaerE8WsffW6+Zo4zHjJ
         so1PYcySuyLtYO0lfHM2705zvJs74VDrtdj+QTp0Ybm92IomrIri96kLpRUKISadyIxo
         Wc88/thhoM0leAglVh8t4wz6tRin4P1nbEjUGOOMJZxpe4JRi9fuL/AkLeZdXB8Tkmh6
         5TCuXcNQDnslHXXtVSJHCg4sWkjKj/rAZ8uI8uA0/tcZmbuJsvhJh9wXlIdoZvz/fjDY
         4JCw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature
         :arc-authentication-results;
        bh=GGwnDXlLbeRmIec1NSGl+vqHliYHgpn/3YZHQja5QPc=;
        b=D1kZvhz91kuouKpdcuSWgApt53OsCQ/57cDZ4e0QbNiJBNYamTEfU9tfZFNY6aMvdy
         nA65EAsIpD0n/lJXgroTQTL221CDiYc+tnK+18KEHKd67+Yyx7CB88an/8ApbPTTyjvP
         7uy7651Cy+INi6TA1YI/6hAdjTkGOxzx+yEhyYukhiTl95420mrGE0HZxaFE05ptiCdr
         YARgda6PVP6oyS2UdISMDPW4eeFySZk+UYiy+AqqlT4sWeq0h9zRCTT/8KNk54MvUnvX
         ltjxwnqfVe/X+L6DNrri2MPbDm1qXCDRtN7Ry2re/rEvqDdPjmZCHYEk0jtj++EvUiJe
         +8KA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=google header.b=CLsa1vGc;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z20-v6si8074256pfj.337.2018.06.29.10.11.47;
        Fri, 29 Jun 2018 10:12:02 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=google header.b=CLsa1vGc;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753904AbeF2PyS (ORCPT <rfc822;mailist1go@gmail.com>
        + 99 others); Fri, 29 Jun 2018 11:54:18 -0400
Received: from mail-it0-f68.google.com ([209.85.214.68]:40438 "EHLO
        mail-it0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751433AbeF2PyQ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 29 Jun 2018 11:54:16 -0400
Received: by mail-it0-f68.google.com with SMTP id 188-v6so3501301ita.5;
        Fri, 29 Jun 2018 08:54:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=GGwnDXlLbeRmIec1NSGl+vqHliYHgpn/3YZHQja5QPc=;
        b=CLsa1vGcPtp85OZzzd+cSEf1FQQA8EeI3oTA8lfVzMXO2Z0jSuJf8PPfEnWHKokd4s
         vtRdxX20pqkAR5JyAfTvUwVs7czhdzLQAVhjfcenAHpYpGuwSU49VFcLKy74xngfnOQb
         5dBVAVpvSppze+wexxJh5CPUMdDe/agWjoDx8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=GGwnDXlLbeRmIec1NSGl+vqHliYHgpn/3YZHQja5QPc=;
        b=Are0tnoEWCnDkVWxAX4IaQ3Hz9AyrSukaVHbNBEgmG8MlcjcofzI2ZN5BkFHHBCQXv
         eo0rN64Oud/6pizVxA3emU8x24IHAsER/OPt2NPi2Vm0dqLMz8D7wB157Qbb9776pJIi
         u8jvgA0euveu5fxnbvAtWxH7iZnGuZQIhtWjALVfmWYdFG3Rrpvo6lUNzI1xqk+qUzdY
         YxzQTpN9OD7DZLMlTKGkJ7wghxEOkkPya9Jc2lI+K0zrBBPcTyM2Dxytaw8wK5uEAMve
         whd0PPLe43UzUZWbQWFovELL3i+WYjzC22Xxkoh84RBrjJVQ7JKtuugEWEuzFtj6lPzT
         fXVg==
X-Gm-Message-State: APt69E2UJBhismFxCC9UbLPg/fVI2ul1GTyfrguNsehGSKgeo+R1vGTl
        QrFK9i7UdiLfDHtSU2UByly+2/1iqUwSPOSKYXY=
X-Received: by 2002:a02:1bdc:: with SMTP id 89-v6mr12517409jas.72.1530287655988;
 Fri, 29 Jun 2018 08:54:15 -0700 (PDT)
MIME-Version: 1.0
References: <20180628162359.9054-1-mathieu.desnoyers@efficios.com>
 <CA+55aFxZrv9koOGKNzpBjcpzwaKQBg9ybqcvQ9u=5d94y1F+mQ@mail.gmail.com>
 <CALCETrUrXk3wRg8SKhWf98v8jK=HwX9XLvP+Ypi+TktZoNx_Jg@mail.gmail.com>
 <CA+55aFzxCjkSbfRUeX3W_oXSJ6LMUdRVYB=DR2b3rUNkiixM1A@mail.gmail.com>
 <9200ED2A-AE4B-4094-81C9-E92240B4840F@amacapital.net> <CA+55aFzpD5xF80iiFNd+EMkJnRQdKPumM5p24Sr+LeBt8Gg=wg@mail.gmail.com>
 <1706339668.9644.1530281144560.JavaMail.zimbra@efficios.com>
 <CA+55aFxRJWjbgLeSQ_swi3F5nF1SYgZnC-R7QsOvZdcuSaWeaw@mail.gmail.com>
 <729451355.9702.1530284622326.JavaMail.zimbra@efficios.com> <CA+55aFw==YnFJn7iGnKMW=RbPT74YHNa0QDF96mEdMPA2oX9SA@mail.gmail.com>
In-Reply-To: <CA+55aFw==YnFJn7iGnKMW=RbPT74YHNa0QDF96mEdMPA2oX9SA@mail.gmail.com>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri, 29 Jun 2018 08:54:05 -0700
Message-ID: <CA+55aFwJWxsE_LL=-8WgB7uH_mYeMSu=boWF4N5KdOW673g4hA@mail.gmail.com>
Subject: Re: [RFC PATCH for 4.18 1/2] rseq: validate rseq_cs fields are < TASK_SIZE
To:     Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc:     Andy Lutomirski <luto@amacapital.net>,
        Andrew Lutomirski <luto@kernel.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Paul McKenney <paulmck@linux.vnet.ibm.com>,
        Boqun Feng <boqun.feng@gmail.com>,
        Dave Watson <davejwatson@fb.com>, Paul Turner <pjt@google.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Russell King - ARM Linux <linux@arm.linux.org.uk>,
        Ingo Molnar <mingo@redhat.com>, Peter Anvin <hpa@zytor.com>,
        Andi Kleen <andi@firstfloor.org>,
        Christoph Lameter <cl@linux.com>, Ben Maurer <bmaurer@fb.com>,
        Steven Rostedt <rostedt@goodmis.org>,
        Josh Triplett <josh@joshtriplett.org>,
        Catalin Marinas <catalin.marinas@arm.com>,
        Will Deacon <will.deacon@arm.com>,
        Michael Kerrisk <mtk.manpages@gmail.com>,
        Joel Fernandes <joelaf@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jun 29, 2018 at 8:27 AM Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> You simply can't have it both ways.

Put another way.

This is ok in the native path:

        if ((unsigned long) rseq_cs->abort_ip != rseq_cs->abort_ip)
                return -EINVAL;

because it's checking that the value fits in the native register size
(and it also ends up being a no-op if the native size is the same size
as abort_ip).

And this is very much ok in a compat syscall:

        if (rseq_cs->abort_ip & ~(unsigned long)-1u)
                return -EINVAL;

because it's checking that the pointer doesn't have (invalid in
compat) high bits set.

But it is NOT OK to say "the rseq system call doesn't have any compat
syscall, but we'll do that compat check in the native case, because we
worry about compat issues".

See what I'm saying? Either you worry about compat issues (and have a
compat syscall), or you don't.

The whole "let's not do a compat syscall, but then check compat issues
at run-time in the native system call because compat processes will
use it" is braindamage.

                   Linus