Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp3326367ybk;
        Tue, 19 May 2020 01:39:58 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJx5zVOwOolQEmUFB40NAA1OHe8bmYYroH/5IAsCCrO7HYv8/R5o72IR0XB95YvYUcAoq704
X-Received: by 2002:a50:d98b:: with SMTP id w11mr15982526edj.196.1589877598418;
        Tue, 19 May 2020 01:39:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1589877598; cv=none;
        d=google.com; s=arc-20160816;
        b=RO3HFzL31tWLrZTAFhFXs4sW/tsOz5F1dHr6zUmDgWRQ8vFWNa3EWSYk2hskfd/+eQ
         JSnhrS81gdLu67WUCnSj3gRVeDmCvRejJ/7bStjxA/yOuQTcfmfbKNe5dQV8DEN52zvi
         KZ1hPRWx6qAlVA4tYMxBtmoLNrfdAf44YWARF/NcXzcJjrO6ge2ywb3hfrhdsf9q1rfS
         p5yTHJLlbWwaKfU4X71kCvkGTlE15Ihg4IVOeGM+nloxRSbo/g4uy+N7+TSdbqdV5xg1
         e03KooPyk4VOXzlxZ/eSR8aWnhtivwHiYdExXSr5BNTNRjN0NcbG3HCIHN00cZ0Si/iO
         jeQQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=jabd/ejZir+aDGBzqGMPlMd6x0TFls4+w9CeMWu63EY=;
        b=KWu4uNIEMGpJO92ukWLVk2XfCvyytbntHrB0Cx5oS/mR8gQIgcOrjpy9eMNAMgAyx6
         /DwKs/YIqadleJ7wrWQ9x4EpMB2PxkuqbgB3MqTD+NKJpwBzS4vCMdHczEk9G/5qIprQ
         6JVjbXqgQoGgSnqTA03yDRe/HHcCU+4i4LtNxJ0KmIuPzDx3qa0TJO70Fcyg6aKeT7V1
         H+z5h+Miu0/qXB3/cNQmcGEd4m2vz+KecPqmhtwQqbr3yL9JM6l+4c/nll0p98RF6+u6
         3yCB6UMfi/PbYmqH6M9EGpVbbsf2/uJrnyv7qNRJbZ/rP8GHzS5rttwu8G5nEEMLZZSy
         yL4g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@juliacomputing-com.20150623.gappssmtp.com header.s=20150623 header.b=SUqHQSv6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id g24si7981442edj.457.2020.05.19.01.39.35;
        Tue, 19 May 2020 01:39:58 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@juliacomputing-com.20150623.gappssmtp.com header.s=20150623 header.b=SUqHQSv6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728407AbgESIiM (ORCPT <rfc822;ulfalizer@gmail.com> + 99 others);
        Tue, 19 May 2020 04:38:12 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58292 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726388AbgESIiM (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 19 May 2020 04:38:12 -0400
Received: from mail-io1-xd42.google.com (mail-io1-xd42.google.com [IPv6:2607:f8b0:4864:20::d42])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 18237C061A0C
        for <linux-kernel@vger.kernel.org>; Tue, 19 May 2020 01:38:11 -0700 (PDT)
Received: by mail-io1-xd42.google.com with SMTP id e18so13634824iog.9
        for <linux-kernel@vger.kernel.org>; Tue, 19 May 2020 01:38:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=juliacomputing-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=jabd/ejZir+aDGBzqGMPlMd6x0TFls4+w9CeMWu63EY=;
        b=SUqHQSv6GAjdG2b6FWtocyMNWRVlTcdf7POaW1bc+Lk6ciKmy0MFk88a+d8roSURhR
         Czj46TJprxBtrMAgCT+gn6NftmSeGDu6oaGL0aQMwCrEUJXHRzc8YkFBgcL11MyDMBXW
         CMXTWojXrQodz+8wn5k5OktAssHTpD1i12niYv0LC6X4JYduCoAnRf2l83YugXzWf73f
         6An19MZU6exGDMtyIsmUCNVHJMzHqm2p0RrVr84os8yZ7Iwng4H3PPggKgaG/fYBldak
         /ShPvBWNOqzxgQqT/TJK0PiP8yJRwWNcK8X0f4V+A/6bWo+oPQcQWKol6pSHdKkCn1jb
         QlSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=jabd/ejZir+aDGBzqGMPlMd6x0TFls4+w9CeMWu63EY=;
        b=MWO3jMXLZ6HSD16JdOYWN8FGexmSZg4mFjUV4+9wexSO2t0sLssd4sHq/ZIDzhJXw0
         au0E05z2yWiKizo5Rgsd76bzY4/lPG229ItmRujKZ3EPqC821ZKx6IF4tMWMPkZZFlAJ
         3VV3x7SgkivieMqv8oL79UDhbprgfzdOdUivX2B2mr2OKY857ToUvZvNzF2LJp2P6IPS
         WE49tEPuVM1OghsPUfZqhcTwNQldrEUZnrWU8P1e4/TMY9Pub3tgW7t9q/Gqxdokby0k
         jMOIpzF1Z6gUXMq/uWGGyr2Ar/qV9M/by1nGGDt4eX57lmAWKa37SGI021U63GbBPiOl
         QRiw==
X-Gm-Message-State: AOAM532o8S8kP5u6XCIz0omkC59yjCiIwBFSa5K/A3wfOnOPk2seccTF
        uwZqBtdsODVdsZD1PxJkRJQ4dBnfT8bGmB5MLNDAFQ==
X-Received: by 2002:a6b:902:: with SMTP id t2mr18230256ioi.153.1589877490392;
 Tue, 19 May 2020 01:38:10 -0700 (PDT)
MIME-Version: 1.0
References: <CABV8kRz0mKSc=u1LeonQSLroKJLOKWOWktCoGji2nvEBc=e7=w@mail.gmail.com>
 <20200519081551.GA9980@willie-the-truck>
In-Reply-To: <20200519081551.GA9980@willie-the-truck>
From:   Keno Fischer <keno@juliacomputing.com>
Date:   Tue, 19 May 2020 04:37:34 -0400
Message-ID: <CABV8kRzYzBrdzC1_opmmdpW63N2htfOsAUZ+RjiSDsy=SJW6Yg@mail.gmail.com>
Subject: Re: arm64: Register modification during syscall entry/exit stop
To:     Will Deacon <will@kernel.org>
Cc:     linux-arm-kernel@lists.infradead.org,
        Catalin Marinas <catalin.marinas@arm.com>,
        Oleg Nesterov <oleg@redhat.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Kyle Huey <khuey@pernos.co>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Will,

> Yes, we inherited this from ARM and I think strace relies on it. In
> hindsight, it is a little odd, although x7 is a parameter register in the
> PCS and so it won't be live on entry to a system call.

I'm not familiar with the PCS acronym, but I assume you mean the
calling convention? You have more faith in userspace than I do ;). For
example, cursory googling brought up this arm64 syscall definition in musl:

https://github.com/bminor/musl/blob/593caa456309714402ca4cb77c3770f4c24da9da/arch/aarch64/syscall_arch.h

The constraints on those asm blocks allow the compiler to assume that
x7 is preserved across the syscall. If a ptracer accidentally modified it
(which is easy to do in the situations that I mentioned), it could
absolutely cause incorrect execution of the userspace program.

> Although the examples you've
> listed above are interesting, I don't see why x7 is important in any of
> them (and we only support up to 6 system call arguments).

It's not so much that x7 is important, it's that lying to the ptracer is
problematic, because it might remember that lie and act on it later.
I did run into exactly this problem, where my ptracer accidentally
changed the value of x7 and caused incorrect execution in the tracee
(now that incorrect execution happened to be an assertion, because
my application is paranoid about these kinds of issues, but it was
incorrect nevertheless)

If it would be helpful, I can code up the syscall entry -> signal trap example
ptracer to have a concrete example.

Keno