Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1504029pxu;
        Sat, 5 Dec 2020 20:20:10 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwnxJkVoTLdLJNsY27SuRziuPtGnRG4G06HYkyevltqY25AJOphUEYZzffrgJilOrPihHvz
X-Received: by 2002:a17:907:2061:: with SMTP id qp1mr13315477ejb.222.1607228410084;
        Sat, 05 Dec 2020 20:20:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1607228410; cv=none;
        d=google.com; s=arc-20160816;
        b=xr0Wqi3KBSNKuh2uYMp4x+3r2/C5GBG+a1UGFxvcROsAx46ofHHTFl5nnaNXBU86zE
         WS8zvWB329KxgiQUJx6bubaPnVqtxhY5Whr3pHQIaPZrPrHYItMvua1shxWTZLNMJ04T
         LmWS4U25QuDYnAVqeN0605R0GgUomSGbtFDlnlpM7pk/KJTBEWVQfLjOg9ByVjaiHKhx
         6as3C22Hn5FvrzygnH9dfj73Bv3mzhGaCMlUcCrFIz05Kl+EJTWreQc61AcLDwIto2cj
         2ltyPI5Cmyzn1l/Hma/Y6DModm+JOQ6znntbEMFomeaRi/r+Bya3xK0Mm2P5xd4mjzsJ
         SkHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=iAkAfY9KavXQPNcfXU/NNVQSFVMPTEMW2qTbjIlV3oI=;
        b=yp6RZ+rSffNkSGwSjFaiCezLolFLM3sWoGB/MFQdqXzVBMZ0rKw4/dRtU4zEGZIpAg
         IWlg/LL3BpP1e8imoQUO34Ga5aarKRMWl0AlqdsCXbRpCduiNrhwcT/oemy5Kl8wQ8hr
         qu/L88jleSe2K4XgmxU6UDcZU0WTVZTaOCKqtVxBKGtRDbq5Wzyp+Ra6YR8IkKywBqyS
         VV7cPiQe4PeQaXd3EN9xFlTQkk5Y8aC8B40EVu1A3DwGA/XpR+Vo7Rt58X25B6L3SG3h
         0Vt18GdhKphDsrJit4r5tdnplzfTrdoBUqh+hEJZefiY2AEJaDg7sb4/Luvk0AHieXJe
         eVdA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id a21si5841808eda.110.2020.12.05.20.19.47;
        Sat, 05 Dec 2020 20:20:10 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727466AbgLFESZ (ORCPT <rfc822;guohui850712@gmail.com>
        + 99 others); Sat, 5 Dec 2020 23:18:25 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36180 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727071AbgLFESX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 5 Dec 2020 23:18:23 -0500
Received: from ZenIV.linux.org.uk (zeniv.linux.org.uk [IPv6:2002:c35c:fd02::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1C6CFC0613D0;
        Sat,  5 Dec 2020 20:17:43 -0800 (PST)
Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.3 #3 (Red Hat Linux))
        id 1klkdd-00Gpbw-Nh; Sun, 06 Dec 2020 03:23:05 +0000
Date:   Sun, 6 Dec 2020 03:23:05 +0000
From:   Al Viro <viro@zeniv.linux.org.uk>
To:     Linus Torvalds <torvalds@linux-foundation.org>
Cc:     Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        the arch/x86 maintainers <x86@kernel.org>,
        linux-mips@vger.kernel.org, Randy Dunlap <rdunlap@infradead.org>,
        "H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [PATCHSET] saner elf compat
Message-ID: <20201206032305.GD3579531@ZenIV.linux.org.uk>
References: <20201203214529.GB3579531@ZenIV.linux.org.uk>
 <CAHk-=wiRNT+-ahz2KRUE7buYJMZ84bp=h_vGLrAaOKW3n_xyXQ@mail.gmail.com>
 <20201203230336.GC3579531@ZenIV.linux.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20201203230336.GC3579531@ZenIV.linux.org.uk>
Sender: Al Viro <viro@ftp.linux.org.uk>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Dec 03, 2020 at 11:03:36PM +0000, Al Viro wrote:
> > >  The answer (for mainline) is that mips compat does *NOT* want
> > > COMPAT_BINFMT_ELF.  Not a problem with that series, though, so I'd
> > > retested it (seems to work, both for x86_64 and mips64, execs and
> > > coredumps for all ABIs alike), with centralization of Kconfig logics
> > > thrown in.
> > 
> > Well, the diffstat looks nice:
> > 
> > >  26 files changed, 127 insertions(+), 317 deletions(-)
> > 
> > and the patches didn't trigger anything for me, but how much did this
> > get tested? Do you actually have both kinds of 32-bit elf mips
> > binaries around and a machine to test on?
> 
> Yes (aptitude install gcc-multilib on debian mips64el/stretch sets the toolchain
> and libraries just fine, and then it's just a matter of -mabi=n32 passed
> to gcc).  "Machine" is qemu-system-mips64el -machine malta -m 1024 -cpu 5KEc
> and the things appear to work; I hadn't tried that on the actual hardware.
> I do have a Loongson-2 box, but it would take a while to dig it out and
> get it up-to-date.
> 
> > Linux-mips was cc'd, but I'm adding Thomas B to the cc here explicitly
> > just so that he has a heads-up on this thing and can go and look at
> > the mailing list in case it goes to a separate mailbox for him..
> 
> I would certainly appreciate review and testing - this branch sat
> around in the "should post it someday" state since June (it was
> one of the followups grown from regset work back then), and I'm
> _not_ going to ask pulling it without an explicit OK from mips
> folks.

BTW, there's something curious going on in ELF binary recognition for
x32.  Unlike other 64bit architectures, here we have a 32bit binary
that successfully passes the native elf_check_arch().  Usually we
either have different EM_... values for 64bit and 32bit (e.g. for ppc
and sparc) or we have an explicit check for ->e_ident[EI_CLASS]
having the right value (ELFCLASS32 or ELFCLASS64 for 32bit and 64bit
binaries resp.)

For x32 that's not true - we use EM_X86_64 for ->e_machine and that's
the only thing the native elf_check_arch() is looking at.  IOW,
it looks like amd64 elf_load_binary() progresses past elf_check_arch()
for x32 binaries.  And gets to load_elf_phdrs(), which would appear
to have a check of its own that should reject the sucker:
        /*
         * If the size of this structure has changed, then punt, since
         * we will be doing the wrong thing.
         */
        if (elf_ex->e_phentsize != sizeof(struct elf_phdr))
                goto out;
After all, ->e_phentsize is going to be 32 (sizeof(struct elf32_phdr)
rather than expected 56 (sizeof(struct elf64_phdr)) and off we bugger,
even though it happens at slightly later point than usual.  Except that
we are looking at struct elf64_hdr ->e_phentsize - in struct elf32_hdr.
I.e. at offset 54, two bytes past the end of in-file struct elf32_hdr.

Usually we won't find 0x38 0x00 in that location, so everything works,
but IMO that's too convoluted.

Peter, is there any reason not to check ->ei_ident[EI_CLASS] in
amd64 elf_check_arch()?  It's a 1-byte load from hot cacheline
(offset 4 and we'd just read the 4 bytes at offsets 0..3) +
compare + branch not taken, so performance impact is pretty much
nil.  I'm not saying it's a security problem or anything of that
sort, just that it makes the analysis more subtle than it ought
to be...

Is it about some malformed homegrown 64bit binaries with BS value
at offset 4?  Confused...