Received: by 2002:a25:d783:0:0:0:0:0 with SMTP id o125csp97811ybg;
        Wed, 18 Mar 2020 18:11:29 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vu0A/4x+k0rtGntFhSntmLuLPv5gz53ByfC3V6mUrbyFWiz5XBKfP2X+myoQ6+eWpTM8bAM
X-Received: by 2002:aca:5652:: with SMTP id k79mr600252oib.15.1584580288928;
        Wed, 18 Mar 2020 18:11:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1584580288; cv=none;
        d=google.com; s=arc-20160816;
        b=YQ/BYV+Z/+vsBdeK0Jqhyi9+fwjEq/nFH+jzanCxcWQ8s8Xe+JIsjL3LQraiYRIbBY
         wbJ2BYbrty0dp4AOXaPsZbTpfqGUWnKTuvck7/oQd+n8IUhzjnwRe5AlwtAGN6UmCXE5
         HnOpl1gru9XxikR15IpiR7oRvZbRphrg3zs8J7c1G64uF+X95BZ3BRoPaIQmHVslNggz
         JysFkRC3BEfiiXvYOCq08wPRQ04LmkxJOuJiwyj7/9WVE4l8CJnwe1v21QKT7HyU99F6
         xCAjr2QbxwZhMVvnpNGHK0nxIJYUyjXjug+jr32f3vZqwU2BAyJjX1WkkiC87HKKsSL2
         CfcA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:date:references
         :in-reply-to:subject:cc:to:from:dkim-signature;
        bh=vUxfsbN+6lM+7HqtYeWUDTHXYsYtldxWkfgAyPUUb34=;
        b=aVtZboKpmL93iSRktAdNXBceZUQePaLuzS2K+MO24iUVWXsqRpk3M091Qnzsb2M5A2
         Swkh9YPdwb12p6GCoBv5pCCMCHffuKdxS2PZ79vtzRZIC80tUGH4L/nWf6svTwuGHtfU
         BrjbODP8ySoWBKCtxQAAbi6GdOtv2ZlsitA4EZ9xdgjkBzmkloR0k27O58krEs/oHJJ2
         RfdiJNimlk2Rb3bfr6AlARJ80csxAU+HDLdMl/OW2n+FJLcBXVhMp3V6bs6C5oFx0lY6
         NcUC/pexJHavUlsDM82yL2XKPBqrSK5NrJOVS+jVqUo2cLjPZxIm8G2LJ0poIlfkxEJK
         JEEg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ellerman.id.au header.s=201909 header.b=Zb3sKzT6;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g22si356115otn.56.2020.03.18.18.11.15;
        Wed, 18 Mar 2020 18:11:28 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ellerman.id.au header.s=201909 header.b=Zb3sKzT6;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726975AbgCSBKG (ORCPT <rfc822;xiaochao379261131@gmail.com>
        + 99 others); Wed, 18 Mar 2020 21:10:06 -0400
Received: from bilbo.ozlabs.org ([203.11.71.1]:55877 "EHLO ozlabs.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726663AbgCSBKG (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 18 Mar 2020 21:10:06 -0400
Received: from authenticated.ozlabs.org (localhost [127.0.0.1])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
        (No client certificate requested)
        by mail.ozlabs.org (Postfix) with ESMTPSA id 48jTNB4zmfz9sPR;
        Thu, 19 Mar 2020 12:10:02 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ellerman.id.au;
        s=201909; t=1584580202;
        bh=dsAYUpBIHWyRqWv4FX0udbRGa8tLjAzSdzZd9Xm8pUc=;
        h=From:To:Cc:Subject:In-Reply-To:References:Date:From;
        b=Zb3sKzT6T9ViFk6GbzMBqYOtExyqc326gRnRRFeY93+ikmdpL/2w3BjoZYonb8xdB
         zNGeceQor22vgMsAqPzV2zcAEAQUhN/6BsBts7nvjXHmHscSS+eLB8ZFbBgwCe9amv
         NacobufLfRXgHz8hrby6XyLxQ3lsJUIsOARwMvDXgt85rL5f/2LK+yI42UsqXzRn41
         Fa8suzuIUejDuskRsHDvt9HYad1CfrU9dJvQ1JQGcMp1+eLS+4qK2FiqAG9Pf99xm+
         EahjJq64zjm9cSrJ5jwNLAy+G5YP9Kfy9U56PFB4b85CGiBQZxnicbvCaM3SjNcVen
         pnT8waua6xXjw==
From:   Michael Ellerman <mpe@ellerman.id.au>
To:     Anton Blanchard <anton@ozlabs.org>, linuxppc-dev@lists.ozlabs.org,
        linux-kernel@vger.kernel.org
Cc:     Nicholas Piggin <npiggin@gmail.com>, christophe.leroy@c-s.fr,
        benh@kernel.crashing.org, paulus@ozlabs.org
Subject: Re: [PATCH] powerpc/vdso: Fix multiple issues with sys_call_table
In-Reply-To: <20200306135705.7f80fcad@kryten.localdomain>
References: <20200306135705.7f80fcad@kryten.localdomain>
Date:   Thu, 19 Mar 2020 12:10:03 +1100
Message-ID: <87pnd9duac.fsf@mpe.ellerman.id.au>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Anton Blanchard <anton@ozlabs.org> writes:
> The VDSO exports a bitmap of valid syscalls. vdso_setup_syscall_map()
> sets this up, but there are both little and big endian bugs. The issue
> is with:
>
>        if (sys_call_table[i] != sys_ni_syscall)
>
> On little endian, instead of comparing pointers to the two functions,
> we compare the first two instructions of each function. If a function
> happens to have the same first two instructions as sys_ni_syscall, then
> we have a spurious match and mark the instruction as not implemented.
> Fix this by removing the inline declarations.
>
> On big endian we have a further issue where sys_ni_syscall is a function
> descriptor and sys_call_table[] holds pointers to the instruction text.
> Fix this by using dereference_kernel_function_descriptor().
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Anton Blanchard <anton@ozlabs.org>

That's some pretty epic breakage.

Is it even worth keeping, or should we just rip it out and declare that
the syscall map is junk? Userspace can hardly rely on it given it's been
this broken for so long.

If not it would be really nice to have a selftest of this stuff so we
can verify it works and not break it again in future.

cheers

> ---
> diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c
> index b9a108411c0d..d186b729026e 100644
> --- a/arch/powerpc/kernel/vdso.c
> +++ b/arch/powerpc/kernel/vdso.c
> @@ -17,6 +17,7 @@
>  #include <linux/elf.h>
>  #include <linux/security.h>
>  #include <linux/memblock.h>
> +#include <linux/syscalls.h>
>  
>  #include <asm/pgtable.h>
>  #include <asm/processor.h>
> @@ -30,6 +31,7 @@
>  #include <asm/vdso.h>
>  #include <asm/vdso_datapage.h>
>  #include <asm/setup.h>
> +#include <asm/syscall.h>
>  
>  #undef DEBUG
>  
> @@ -644,19 +646,16 @@ static __init int vdso_setup(void)
>  static void __init vdso_setup_syscall_map(void)
>  {
>  	unsigned int i;
> -	extern unsigned long *sys_call_table;
> -#ifdef CONFIG_PPC64
> -	extern unsigned long *compat_sys_call_table;
> -#endif
> -	extern unsigned long sys_ni_syscall;
> +	unsigned long ni_syscall;
>  
> +	ni_syscall = (unsigned long)dereference_kernel_function_descriptor(sys_ni_syscall);
>  
>  	for (i = 0; i < NR_syscalls; i++) {
>  #ifdef CONFIG_PPC64
> -		if (sys_call_table[i] != sys_ni_syscall)
> +		if (sys_call_table[i] != ni_syscall)
>  			vdso_data->syscall_map_64[i >> 5] |=
>  				0x80000000UL >> (i & 0x1f);
> -		if (compat_sys_call_table[i] != sys_ni_syscall)
> +		if (compat_sys_call_table[i] != ni_syscall)
>  			vdso_data->syscall_map_32[i >> 5] |=
>  				0x80000000UL >> (i & 0x1f);
>  #else /* CONFIG_PPC64 */