Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp3422151pxb; Thu, 10 Feb 2022 22:08:00 -0800 (PST) X-Google-Smtp-Source: ABdhPJziOfVKeqfPIJslnkfc984HOwYrdf4AClDXUOMLqTj1hIlE9A+MuwxMderArGCRhEI0q+oE X-Received: by 2002:a17:906:794b:: with SMTP id l11mr109157ejo.760.1644559680525; Thu, 10 Feb 2022 22:08:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644559680; cv=none; d=google.com; s=arc-20160816; b=SyLicJll01talfCci988Uwrx2K1RVKjMv6CfZLdyMvapV1CDAqczIrsbxR7Jc1euRK nOMy6q2+NNwohH/zxTloIjOHpvY0MQ3Ge8QN6yWnXSRtpS2RGi6+JHbUroRzKXxLVkdU 6OfV1QJ7JtqSA/SkSOXAXHGwzP9MkHDZyFPTrQ4QcUyFzroB4xdD0JM3G6sgmm3ddGrU VCiFurnDZB13opx67DmYS1y3q7+deYqTWNMKEQ2zyMyLETn1jocuStM2N/PeoUkYlZDI mzXIfB5UinJxf5UNw1jVMeQxGUF5MQ4N6qxkk9hxYwu0c+7UQcpGAoE6pPfUs3eVWZSd ffgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=q7nVE8+FuxeU5FFClhGDXDoFJV628rh5FpUiGKzXxNE=; b=jRvm6AXUsl1FHvEhacDeJK19IzRjpzeyOX7f5sFoWwwMxS1RZdTaReyZ1bOsjmWF+V NIV9efO9it9D0SYCjgEwgxNSaHOinFkkdrYxWy5oCCf6HPQdmuND42Bb2RAsm2efWHD8 QYHwHRZD8EBcYE4z7SQbF+OYFcbRoj3z2yF5RPMqEUNnIAN6T62YhDuBTai4IA5F0dzL 6VzcmacQ7oyIIcUiifbDbl+YTCvBAHkHI4eBrVkv6EKnzb5E898y0IaXGJxUnFtJ0MwZ a0v1ZXdcdDax3ozEWKUSkVbnQVRaLLEnS6ye/NL+K5Ie/mKS5Nj3l3nd186AzoX+TizJ O9uQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Q4jSNnEE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id w20si13993023eje.418.2022.02.10.22.07.35; Thu, 10 Feb 2022 22:08:00 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Q4jSNnEE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347508AbiBKCxp (ORCPT + 99 others); Thu, 10 Feb 2022 21:53:45 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:36190 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347500AbiBKCxo (ORCPT ); Thu, 10 Feb 2022 21:53:44 -0500 Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4B67B5F4F for ; Thu, 10 Feb 2022 18:53:44 -0800 (PST) Received: by mail-pl1-x62e.google.com with SMTP id l9so1936121plg.0 for ; Thu, 10 Feb 2022 18:53:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=q7nVE8+FuxeU5FFClhGDXDoFJV628rh5FpUiGKzXxNE=; b=Q4jSNnEEf5TTnDFdP+QIrGYCniWqlMjDtDl15EB6BuVgp/1kgHtK7NuR7irQUhk5HC h8JWRdNp5hfF1oaO0ia3rX1PLWPZ2sWlOgSooZy8LQUlQYFmEjQCm77cXB2nsH+NvJ0y /OSkr+7dew1D0TRgpAeJM01soH519lB49TkBc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=q7nVE8+FuxeU5FFClhGDXDoFJV628rh5FpUiGKzXxNE=; b=GtbVoGxrnsnFENTD82gp9FW66FdTUvE50Q3HLPf4qES1oz5oCYkO2eG9xnvZ20HmDB 6LbG+uBvWCK1HvUlA1Z6GPVasopUqTta6NoJ3wpEmufsArneAKh09oMuAUndW9Zvc/X4 JIKIY0/DAwQurx4rlIRagZfzXDRwCzQrGVV1MvIsvW4Pqjz/QAJbaU4CYBczSlKrXmy6 N2INl8Gl/4D54EdAWJQhWAKQSkzUVwlJ/RxT1onFX2DlHQF7eGZzQy82tqzIPLNqFFCa Sng+oEp8v8FYBueQQFqvHJjCV4VaHneQj01vxk32mKd93g8iIc9k24r+m44MN4bofJPz 0C3A== X-Gm-Message-State: AOAM530h+vuG3N+ckm4y+uGt5D26PBVIoJyqBmFa0Zahvp2J1M4teBwo q3z4JarC9iDo/xKignnckz40YA== X-Received: by 2002:a17:90a:9e5:: with SMTP id 92mr500097pjo.128.1644548023775; Thu, 10 Feb 2022 18:53:43 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id lj14sm3553116pjb.48.2022.02.10.18.53.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 10 Feb 2022 18:53:43 -0800 (PST) Date: Thu, 10 Feb 2022 18:53:42 -0800 From: Kees Cook To: "Eric W. Biederman" Cc: Robert =?utf-8?B?xZp3acSZY2tp?= , Andy Lutomirski , Will Drewry , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH 0/3] signal: HANDLER_EXIT should clear SIGNAL_UNKILLABLE Message-ID: <202202101827.4B16DF54@keescook> References: <20220210025321.787113-1-keescook@chromium.org> <871r0a8u29.fsf@email.froward.int.ebiederm.org> <202202101033.9C04563D9@keescook> <87pmnu5z28.fsf@email.froward.int.ebiederm.org> <202202101137.B48D02138@keescook> <87k0e249tt.fsf@email.froward.int.ebiederm.org> <202202101710.668EDCDC@keescook> <875ypm41kb.fsf@email.froward.int.ebiederm.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <875ypm41kb.fsf@email.froward.int.ebiederm.org> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Feb 10, 2022 at 07:47:00PM -0600, Eric W. Biederman wrote: > Kees Cook writes: > > The common accessors for the bits are set_syscall_work()/clear_syscall_work() > > but I don't see anything to operate on an entire mask. Maybe it needs to > > grow something like reset_syscall_work()? > > Oh. I hadn't realized SYSCALL_WORK_EXIT and TIF_SYSCALL_WORK were > masks. Yes it looks like a simple addition of reset_syscall_work() > and calling it from force_sig_info when HANDLER_EXIT will hide these > events. Yeah, it's varied by features, architectures, etc. The good news is it's WAY nicer now after the USER_DISPATCH. :) > When you say the events are corrupted did you mean they return wrong data > to userspace or simply that the events should not fire? It's mainly about the exit stuff having never been run before on these kinds of process states, so things don't make sense. For example, on the SIGSYS death, the registers have been rewound for the coredump, so when the exit trace runs on x86 it sees the syscall return value as equal to the syscall number (since %rax is used for the syscall number on entry and for the syscall result on exit). So when a tracer watches a seccomp fatal SIGSYS, it sees the syscall exit before it sees the child exit (and therefore the signal). For example, x86_64 write (syscall number 1), will return as if it had written 1 byte. :P So, it's not harmful, but it's confusing and weird. :) > I am trying to figure out if there is a case to be made that it was a > bug that these events were missing. I don't think so -- the syscall did not finish, so there isn't a valid return code. The process exited before it completed. -- Kees Cook