Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp2370610pxx; Sat, 31 Oct 2020 18:31:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxPmyD/pQlxdHR10GHqZvpwKu4s6191OePqQlWf66P2wCMRx0wNsXAE894Rmmg21Zoae0Rv X-Received: by 2002:a17:906:b1c9:: with SMTP id bv9mr9407652ejb.495.1604194262160; Sat, 31 Oct 2020 18:31:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1604194262; cv=none; d=google.com; s=arc-20160816; b=EoZ8lD49+a8UNl0fJvcIf8xaQxqcGqI+f2HV178PL0rHIfZVqqYe17zhq8CGpFXgXJ NbpEcWSsitjwjf80+q7rCiGegohEG+O3hvimEoU3mqy44B9LuPG+JKob7vP9p5MH2hhR tw6wsLarzHTNd98y922VSgshpA1eBCLqle11mO7deRPnssfooIUVqC4Xcdhrla4ti2uf 4t5A/5g6gxpUzq8d7dpKwLoHzsNVpRo2eWl/IPLLZ5lxTWqJX3Tng4rZ7uKRai6RYg3J 18EgpzKNlbqljkZ2aQKh+dA91Eg2kT1RW5ZWV8wsmr7ejQ2i/tsINOgaSb/kRPCBzpgI TBEg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=IGq76GXYY6EdRt5mLYHGEQ/4efh89Nje4UePFgmdf0w=; b=Da8Ikt6kXTLyuSOB2Cv1lXtJ8ZIWDUD+uu8Cjj7cW79upD1dwRQIgZAEx5SZ09g8nL k1p5Pyvq5nzWzgXYAWKNC8xz0Nh9pjPk+TByvZrpLR+3V+c7fqod5HGm2l/jDXTtRFq/ ke9CiWAp7tBVNOBTXGRP4QMmIt48dU4nVbSKvfp8MVCMGZeWbXd/EgLnhp6lOHJcvMgL pZDlzXmbS25ZrjR70tSfMwtglLEbPDk37a4MqNXW4xcQCzDZ+NskY3F/Bu1PNd2WcXVa uiv9arwYm/ZgcN6Qk25E2CfzuhX1dVak1NzJUHQorQ3houLt0xwcjAscEUJ4Sw6NkhTS H+XA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a16si4796017ejb.196.2020.10.31.18.30.12; Sat, 31 Oct 2020 18:31:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726283AbgKABWF (ORCPT + 99 others); Sat, 31 Oct 2020 21:22:05 -0400 Received: from brightrain.aerifal.cx ([216.12.86.13]:39078 "EHLO brightrain.aerifal.cx" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726243AbgKABWF (ORCPT ); Sat, 31 Oct 2020 21:22:05 -0400 Date: Sat, 31 Oct 2020 21:22:02 -0400 From: Rich Felker To: Andy Lutomirski Cc: Jessica Clarke , Florian Weimer , linux-x86_64@vger.kernel.org, Thomas Gleixner , Ingo Molnar , Borislav Petkov , X86 ML , "H. Peter Anvin" , LKML Subject: Re: [PATCH v2] x86: Fix x32 System V message queue syscalls Message-ID: <20201101012202.GM534@brightrain.aerifal.cx> References: <1156938F-A9A3-4EE9-B059-2294A0B9FBFE@jrtc27.com> <20201012134444.1905-1-jrtc27@jrtc27.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Oct 31, 2020 at 04:30:44PM -0700, Andy Lutomirski wrote: > cc: some libc folks > > On Mon, Oct 12, 2020 at 6:45 AM Jessica Clarke wrote: > > > > POSIX specifies that the first field of the supplied msgp, namely mtype, > > is a long, not a __kernel_long_t, and it's a user-defined struct due to > > the variable-length mtext field so we can't even bend the spec and make > > it a __kernel_long_t even if we wanted to. Thus we must use the compat > > syscalls on x32 to avoid buffer overreads and overflows in msgsnd and > > msgrcv respectively. > > This is a mess. > > include/uapi/linux/msg.h has: > > /* message buffer for msgsnd and msgrcv calls */ > struct msgbuf { > __kernel_long_t mtype; /* type of message */ > char mtext[1]; /* message text */ > }; > > Your test has: > > struct msg_long { > long mtype; > char mtext[8]; > }; > > struct msg_long_ext { > struct msg_long msg_long; > char mext[4]; > }; > > and I'm unclear as to exactly what you're trying to do there with the > "mext" part. > > POSIX says: > > The application shall ensure that the argument msgp points to a user- > defined buffer that contains first a field of type long specifying the > type of the message, and then a data portion that holds the data bytes > of the message. The structure below is an example of what this user-de‐ > fined buffer might look like: > > struct mymsg { > long mtype; /* Message type. */ > char mtext[1]; /* Message text. */ > } > > NTP has this delightful piece of code: > > 44 typedef union { > 45 struct msgbuf msgp; > 46 struct { > 47 long mtype; > 48 int code; > 49 struct timeval tv; > 50 } msgb; > 51 } MsgBuf; > > bluefish has: > > struct small_msgbuf { > long mtype; > char mtext[MSQ_QUEUE_SMALL_SIZE]; > } small_msgp; > > > My laptop has nothing at all in /dev/mqueue. > > So I don't really know what the right thing to do is. Certainly if > we're going to apply this patch, we should also fix the header. I > almost think we should *delete* struct msgbuf from the headers, since > it's all kinds of busted, but that will break the NTP build. Ideally > we would go back in time and remove it from the headers. > > Libc people, any insight? We can probably fix the bug without > annoying anyone given how lightly x32 is used and how lightly POSIX > message queues are used. If it's that outright wrong and always has been, I feel like the old syscall numbers should just be deprecated and new ones assigned. Otherwise, there's no way for userspace to be safe against data corruption when run on older kernels. If there's a new syscall number, libc can just use the new one unconditionally (giving ENOSYS on kernels where it would be broken) or have a x32-specific implementation that makes the old syscall and performs translation if the new one fails with ENOSYS. Rich