Date: Fri, 1 Nov 2019 16:10:14 +0100
From: Christian Brauner
To: Szabolcs Nagy, Florian Weimer
Cc: linux-kernel@vger.kernel.org, GNU C Library, nd, Arnd Bergmann, Kees Cook, Jann Horn, David Howells, Ingo Molnar, Oleg Nesterov, Linus Torvalds, Peter Zijlstra, linux-api@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] clone3: validate stack arguments
Message-ID: <20191101151014.75jfcdc3hrwt6ssv@wittgenstein>
References: <20191031113608.20713-1-christian.brauner@ubuntu.com>
In-Reply-To:
List-ID: linux-kernel@vger.kernel.org

On Fri, Nov 01, 2019 at 02:57:10PM +0000, Szabolcs Nagy wrote:
> On 31/10/2019 11:36, Christian Brauner wrote:
> > diff --git a/include/uapi/linux/sched.h b/include/uapi/linux/sched.h
> > index 99335e1f4a27..25b4fa00bad1 100644
> > --- a/include/uapi/linux/sched.h
> > +++ b/include/uapi/linux/sched.h
> > @@ -51,6 +51,10 @@
> >   *                  sent when the child exits.
> >   * @stack:       Specify the location of the stack for the
> >   *               child process.
> > + *               Note, @stack is expected to point to the
> > + *               lowest address. The stack direction will be
> > + *               determined by the kernel and set up
> > + *               appropriately based on @stack_size.
> >   * @stack_size:  The size of the stack for the child process.
> >   * @tls:         If CLONE_SETTLS is set, the tls descriptor
> >   *               is set to tls.
> > diff --git a/kernel/fork.c b/kernel/fork.c
> > index bcdf53125210..55af6931c6ec 100644
> > --- a/kernel/fork.c
> > +++ b/kernel/fork.c
> > @@ -2561,7 +2561,35 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
> >  	return 0;
> >  }
> >  
> > -static bool clone3_args_valid(const struct kernel_clone_args *kargs)
> > +/**
> > + * clone3_stack_valid - check and prepare stack
> > + * @kargs: kernel clone args
> > + *
> > + * Verify that the stack arguments userspace gave us are sane.
> > + * In addition, set the stack direction for userspace since it's easy for us to
> > + * determine.
> > + */
> > +static inline bool clone3_stack_valid(struct kernel_clone_args *kargs)
> > +{
> > +	if (kargs->stack == 0) {
> > +		if (kargs->stack_size > 0)
> > +			return false;
> > +	} else {
> > +		if (kargs->stack_size == 0)
> > +			return false;
> > +
> > +		if (!access_ok((void __user *)kargs->stack, kargs->stack_size))
> > +			return false;
> > +
> > +#if !defined(CONFIG_STACK_GROWSUP) && !defined(CONFIG_IA64)
> > +		kargs->stack += kargs->stack_size;
> > +#endif
> > +	}
> 
> from the description it is not clear whose
> responsibility it is to guarantee the alignment
> of sp on entry.

Userspace.

> 
> i think 0 stack size may work if signals are
> blocked and then prohibiting it might not be
> the right thing.

Note that stack size 0 is allowed:

struct clone_args args = {
	.exit_signal = SIGCHLD,
};
clone3(&args, sizeof(args));

will just work fine.

> 
> it's not clear how libc should deal with v5.3
> kernels which don't have the stack+=stack_size
> logic.

stable is already Cced and the change will be backported to v5.3.
Nearly all distros pull in stable updates.

Florian, thoughts on this?

Christian
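Review bot: the new @stack paragraph in the include/uapi/linux/sched.h hunk leaves undocumented exactly the two things this thread asks about: that the caller, not the kernel, has to make the resulting stack pointer satisfy the ABI alignment, and that @stack and @stack_size may both be 0 (the child then keeps a copy of the parent's stack, as the clone_args snippet in the reply shows) while only one of them being 0 is rejected. Suggest one sentence for each next to the existing text, e.g. `* @stack_size:  The size of the stack for the child process.` followed by `*               Must be 0 if and only if @stack is 0.`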
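Review bot: in the kernel/fork.c hunk, clone3_stack_valid() mutates its argument at `kargs->stack += kargs->stack_size;` even though its name reads as a pure predicate, and the removed `static bool clone3_args_valid(const struct kernel_clone_args *kargs)` line shows the previous check took a const pointer; if this helper is ever run twice on the same kargs, or after the value has already been consumed, the child starts with sp a whole stack size past the buffer. Suggest either a name that says it prepares the stack (the kernel-doc already calls it "check and prepare stack") or a comment at the adjustment stating it must run exactly once before the arguments are used. Also worth saying in the kernel-doc that access_ok() only confirms the [stack, stack + stack_size) range lies in the user address space, not that it is mapped, so an unmapped stack still faults in the child; that matches legacy clone() and is fine, but "Verify that the stack arguments userspace gave us are sane" suggests more than the function checks.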
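The rules the patch and the reply lay down for userspace (stack and stack_size are both zero or both non-zero; the kernel computes sp = stack + stack_size on stack-grows-down targets; alignment of that sp is the caller's job) can be checked on the caller's side before the syscall. The following is an added example, not code from the mail or from the kernel tree: it mirrors the kernel check in a small userspace function, then issues the stack-less fork-style clone3 from the reply via a raw syscall. The struct layout is a copy of the 64-byte v5.3 clone_args; `STACK_ALIGN` of 16 and the constructed addresses and child exit status are assumptions for the example, and `clone3_fork_and_wait()` returns `-errno` where the kernel or a seccomp policy refuses clone3.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SYS_clone3
#define SYS_clone3 435   /* clone3 has the same number on every architecture */
#endif

/* Copy of the original (v5.3, 64-byte) struct clone_args layout, so the
 * example builds on hosts whose <linux/sched.h> predates clone3. */
struct clone3_args_v0 {
    uint64_t flags;
    uint64_t pidfd;
    uint64_t child_tid;
    uint64_t parent_tid;
    uint64_t exit_signal;
    uint64_t stack;        /* lowest address of the stack, or 0 */
    uint64_t stack_size;   /* size in bytes, or 0 */
    uint64_t tls;
};

/* Assumption for the example: the ABI alignment the caller must guarantee at
 * the stack pointer the child starts on (the patch leaves this to userspace). */
#define STACK_ALIGN 16

/* Userspace mirror of the kernel check in the patch: @stack and @stack_size
 * are either both 0 (child keeps a copy of the parent's stack) or both
 * non-zero. The kernel additionally requires the whole range to be user
 * memory; the wrap-around test below is the part of that a caller can do. */
bool clone3_stack_args_ok(uint64_t stack, uint64_t stack_size)
{
    if (stack == 0)
        return stack_size == 0;
    if (stack_size == 0)
        return false;
    if (stack + stack_size < stack)        /* [stack, stack + size) wraps */
        return false;
    /* On stack-grows-down targets the kernel sets sp = stack + stack_size,
     * so that sum is the address that has to satisfy the ABI alignment. */
    return ((stack + stack_size) % STACK_ALIGN) == 0;
}

/* Fork-style clone3 exactly as in the reply: no stack supplied. Returns the
 * child's exit status (0..255), -1 if it did not exit normally, or -errno if
 * the syscall is unavailable or refused (e.g. ENOSYS, EPERM under seccomp). */
int clone3_fork_and_wait(void)
{
    struct clone3_args_v0 args = {
        .exit_signal = SIGCHLD,
    };
    long pid = syscall(SYS_clone3, &args, sizeof(args));
    if (pid < 0)
        return -errno;
    if (pid == 0)
        _exit(42);                          /* constructed child result */
    int status = 0;
    if (waitpid((pid_t)pid, &status, 0) < 0)
        return -errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed values: a 64 KiB stack at an aligned address, then the
     * two mismatched cases the kernel rejects, then the all-zero case. */
    printf("aligned 64 KiB stack ok: %d\n", clone3_stack_args_ok(0x7f0000000000ULL, 65536));
    printf("stack without size ok:   %d\n", clone3_stack_args_ok(0x7f0000000000ULL, 0));
    printf("size without stack ok:   %d\n", clone3_stack_args_ok(0, 65536));
    printf("no stack at all ok:      %d\n", clone3_stack_args_ok(0, 0));

    int r = clone3_fork_and_wait();
    if (r < 0)
        printf("clone3 refused here: %s\n", strerror(-r));
    else
        printf("child exited with %d\n", r);
    return 0;
}
```

Supplying a real stack through a raw clone3 call needs the child to switch to it in assembly (a C caller's frame lives on the old stack), so the example only validates those arguments and demonstrates the stack-less call; the glibc wrappers do the switch for you.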