From: Jann Horn
Date: Tue, 4 Dec 2018 22:47:57 -0800
Subject: Re: [PATCH v5 1/2] kernel/signal: Signal-based pre-coredump notification
To: Dave.Martin@arm.com
Cc: enkechen@cisco.com, Oleg Nesterov, Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H . Peter Anvin", Peter Zijlstra, Arnd Bergmann, "Eric W. Biederman", Khalid Aziz, Kate Stewart, deller@gmx.de, Greg Kroah-Hartman, Al Viro, Andrew Morton, christian@brauner.io, Catalin Marinas, Will Deacon, mchehab+samsung@kernel.org, Michal Hocko, Rik van Riel, "Kirill A . Shutemov", guro@fb.com, Marcos Souza, linux@dominikbrodowski.net, Cyrill Gorcunov, yang.shi@linux.alibaba.com, Kees Cook, kernel list, linux-arch, Victor Kamensky, xe-linux-external@cisco.com, sstrogin@cisco.com, Andy Lutomirski, Michael Kerrisk-manpages, Dave Hansen
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Nov 29, 2018 at 3:55 AM Dave Martin wrote:
> On Thu, Nov 29, 2018 at 12:15:35AM +0000, Enke Chen wrote:
> > Hi, Dave:
> >
> > Thanks for your comments. You have indeed missed some of the prior reviews
> > and discussions. But that is OK.
> >
> > Please see my replies inline.
> >
> > On 11/28/18 7:19 AM, Dave Martin wrote:
> > > On Tue, Nov 27, 2018 at 10:54:41PM +0000, Enke Chen wrote:
> > >> diff --git a/kernel/sys.c b/kernel/sys.c
> > >> index 123bd73..39aa3b8 100644
> > >> --- a/kernel/sys.c
> > >> +++ b/kernel/sys.c
> > >> @@ -2476,6 +2476,19 @@ int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which,
> > >> return -EINVAL;
> > >> error = arch_prctl_spec_ctrl_set(me, arg2, arg3);
> > >> break;
> > >> + case PR_SET_PREDUMP_SIG:
> > >> + if (arg3 || arg4 || arg5)
> > >
> > > glibc has
> > >
> > > int prctl(int option, ...);
> > >
> > > Some prctls() police extra arguments for zeros, but this means that
> > > the userspace caller also has to supply pointless 0 arguments.
> > >
> > > It's debatable which is the preferred approach. Did you have any
> > > particular rationale for your choice here?
> > >
> >
> > The initial version did not check the values of these unused arguments.
> > But Jann Horn pointed out the new convention is to enforce the 0 values
> > so I followed ...
>
> Hmmm, I wasn't aware of this convention when I added PR_SVE_SET_VL etc.,
> and there is no clear pattern in sys.c, and nobody commented at the
> time.
>
> Of course, it works either way.

Looking at the last couple prctls that have been added:

PR_GET_SPECULATION_CTRL/PR_GET_SPECULATION_CTRL: checks unused args
(commit b617cfc858161140d69cc0b5cc211996b557a1c7, by tglx)

PR_SVE_GET_VL/PR_SVE_SET_VL: doesn't check unused args (commit
2d2123bc7c7f843aa9db87720de159a049839862, by Dave Martin)

PR_CAP_AMBIENT: checks unused args (by Andy Lutomirski)

PR_SET_FP_MODE/PR_GET_FP_MODE: doesn't check unused args

PR_MPX_ENABLE_MANAGEMENT/PR_MPX_DISABLE_MANAGEMENT: checks unused
args; this one actually specifically added such checks in commit
e9d1b4f3c60997fe197bf0243cb4a41a44387a88 ("x86, mpx: Strictly enforce
empty prctl() args") and specifically says "should be done for all new
prctl()s":

    Description from Michael Kerrisk. He suggested an identical patch
    to one I had already coded up and tested.

    commit fe3d197f8431 "x86, mpx: On-demand kernel allocation of bounds
    tables" added two new prctl() operations, PR_MPX_ENABLE_MANAGEMENT and
    PR_MPX_DISABLE_MANAGEMENT. However, no checks were included to ensure
    that unused arguments are zero, as is done in many existing prctl()s
    and as should be done for all new prctl()s. This patch adds the
    required checks.

    Suggested-by: Andy Lutomirski
    Suggested-by: Michael Kerrisk
    Signed-off-by: Dave Hansen
    Cc: Dave Hansen
    Link: http://lkml.kernel.org/r/20150108223022.7F56FD13@viggo.jf.intel.com
    Signed-off-by: Thomas Gleixner
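
Review bot: in the PR_SET_PREDUMP_SIG case, `if (arg3 || arg4 || arg5)` is the last line quoted, so the rejection path is not visible here; it should return -EINVAL as the preceding context does. The documentation for the new prctl should also state that arg3, arg4 and arg5 must be passed as 0, because glibc's `int prctl(int option, ...)` prototype does not fill them in for the caller.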
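
The convention surveyed in this message, as an added userspace model that is not part of the original mail and is not kernel code: it compares a lax and a strict handler for the same operation and shows what happens to a caller that leaves junk in arg3 once a later release gives arg3 a meaning. `DEMO_FLAG_STICKY`, `struct demo_state`, `v1_lax`, `v1_strict` and `v2` are hypothetical names constructed for the illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed for this model; not a real prctl option or flag. */
#define DEMO_FLAG_STICKY 0x1UL /* meaning that "v2" assigns to arg3 */

struct demo_state { unsigned long value; int sticky; };

/* v1, lax: arg3..arg5 are unused and silently ignored. */
static long v1_lax(struct demo_state *s, unsigned long a2, unsigned long a3,
                   unsigned long a4, unsigned long a5)
{
    (void)a3; (void)a4; (void)a5;
    s->value = a2;
    return 0;
}

/* v1, strict: same operation, but unused arguments must be zero. */
static long v1_strict(struct demo_state *s, unsigned long a2, unsigned long a3,
                      unsigned long a4, unsigned long a5)
{
    if (a3 || a4 || a5)
        return -EINVAL;
    s->value = a2;
    return 0;
}

/* v2: a later release turns arg3 into a flags word. */
static long v2(struct demo_state *s, unsigned long a2, unsigned long a3,
               unsigned long a4, unsigned long a5)
{
    if ((a3 & ~DEMO_FLAG_STICKY) || a4 || a5)
        return -EINVAL;
    s->value = a2;
    s->sticky = (a3 & DEMO_FLAG_STICKY) != 0;
    return 0;
}

int main(void)
{
    struct demo_state s = {0, 0};
    unsigned long junk = 0x7f01; /* stands in for a stale register value */

    /* Lax v1 accepts the junk, so the buggy caller ships unnoticed. */
    printf("v1 lax, junk arg3:    %ld\n", v1_lax(&s, 11, junk, 0, 0));
    /* Strict v1 rejects it at once, so the caller is fixed before v2. */
    printf("v1 strict, junk arg3: %ld\n", v1_strict(&s, 11, junk, 0, 0));
    /* On v2 the caller that worked on lax v1 now fails. */
    printf("v2, junk arg3:        %ld\n", v2(&s, 11, junk, 0, 0));
    return 0;
}
```

A junk value of exactly 1 would not fail on `v2`; it would set the sticky flag without the caller having asked for it.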