Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp2745299rwd; Mon, 22 May 2023 03:51:48 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4js+coEwOpyFVdfEwDKFfivIbsC/kiBLbHruGc7hu3wB7ZYfhRtGP8QTt6pqo7i6YB03f5 X-Received: by 2002:a05:6a00:4085:b0:64d:2a87:2596 with SMTP id bw5-20020a056a00408500b0064d2a872596mr12510638pfb.10.1684752708624; Mon, 22 May 2023 03:51:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684752708; cv=none; d=google.com; s=arc-20160816; b=W2mZFQQ3Bb7JdBdI8Mf+EDzYN7BkgWf6bUNPbLH6Z8hbIsdUeZYvfN3Nv1IzK5RF3m cMRUNQHQK94T5lhvAnCp3WF074f4wC3sLXtNY7g8uOxmo0bzm69HG3RoZ6HZpaTBikQT oQ3cjhHxIZH//2anS6RU3gh/FNnW3oPTQyCTmnG81JtMFOgwQxbYQapv9cHWJf5AW6lh fD2cPyxTDbIr9CJSO55XE+SNDEQjEtVDcjdVEAe0jG7tUHZfcdCdsH5HDCWQ6/tGhldt VSIWHjEcTb16HxMic2bUS7/SAT3Fp/t5KjCnJHgsOIisH2X9X4M2eyWxOlwa1YtSQFg4 RniA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:message-id:user-agent :references:in-reply-to:subject:cc:to:from:date:mime-version :dkim-signature:dkim-filter; bh=mSXND4dopui4Y7LqvtuGYun98AfqkQSXgYHcHwjTLcQ=; b=OeHl98ynyxJrl8LWmLd8zR+zArzyH2CA9kjf4+eSLKycdYsecBlTRwn4oYbsEuiv8R uJRa3OACLdmeLPdu+RbpSXcab1KO89072GeFyxat5RLYv4YMNKgy77tGN6iTVrIjs9Zs 6cg60hwi+jUg58EPycQUufm8iY3eob3HfHEPyHBIFSTEvWVIdYmdZ4sguW0VGXz+Mtf2 aYhLz7L8faBV/+/fnCrtknbiSnvxqkPaTl2YQ77zARoQ17bqL2jVcJb4ce4k7MXm7foY DidVjaH3V85SA2l/s6IevB/431+vV87Ir8z5SE5sM7cTXWoWYMxE0hoXthObwwOIs7ms kIkQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ispras.ru header.s=default header.b=j8IkVeKT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g11-20020aa796ab000000b00625559a78a2si4650581pfk.107.2023.05.22.03.51.34; Mon, 22 May 2023 03:51:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ispras.ru header.s=default header.b=j8IkVeKT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232427AbjEVKfO (ORCPT + 99 others); Mon, 22 May 2023 06:35:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35394 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232377AbjEVKfM (ORCPT ); Mon, 22 May 2023 06:35:12 -0400 Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4F8AADC for ; Mon, 22 May 2023 03:35:10 -0700 (PDT) Received: from mail.ispras.ru (unknown [83.149.199.84]) by mail.ispras.ru (Postfix) with ESMTPSA id 4E18744C1016; Mon, 22 May 2023 10:35:07 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 4E18744C1016 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru; s=default; t=1684751707; bh=mSXND4dopui4Y7LqvtuGYun98AfqkQSXgYHcHwjTLcQ=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=j8IkVeKTt4of7mwQ7PGKXZ+0SOU028M167IWZdutlk0vPKGy8/WLAfT4I/nFza/R4 NDEpZiQ+AQmIwzRTEvIKztIDm8hIIcOqVZk5HI9pOtOE2iYCGvPunBpbsriUlmUo6P v81slCWiU3DxnNt5Nm9yPhg+Al1d0f/LKsCzROGo= MIME-Version: 1.0 Date: Mon, 22 May 2023 13:35:07 +0300 From: Alexey Izbyshev To: David Hildenbrand Cc: Florent Revest , linux-kernel@vger.kernel.org, linux-mm@kvack.org, akpm@linux-foundation.org, catalin.marinas@arm.com, anshuman.khandual@arm.com, joey.gouly@arm.com, mhocko@suse.com, keescook@chromium.org, peterx@redhat.com, broonie@kernel.org, szabolcs.nagy@arm.com, kpsingh@kernel.org, gthelen@google.com, toiwoton@gmail.com Subject: Re: [PATCH v2 3/5] mm: Make PR_MDWE_REFUSE_EXEC_GAIN an unsigned long In-Reply-To: References: <20230517150321.2890206-1-revest@chromium.org> <20230517150321.2890206-4-revest@chromium.org> User-Agent: Roundcube Webmail/1.4.4 Message-ID: <884d131bbc28ebfa0b729176e6415269@ispras.ru> X-Sender: izbyshev@ispras.ru Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2023-05-22 11:55, David Hildenbrand wrote: > On 17.05.23 17:03, Florent Revest wrote: >> Alexey pointed out that defining a prctl flag as an int is a footgun >> because, under some circumstances, when used as a flag to prctl, it >> can >> be casted to long with garbage upper bits which would result in >> unexpected behaviors. >> >> This patch changes the constant to a UL to eliminate these >> possibilities. >> >> Signed-off-by: Florent Revest >> Suggested-by: Alexey Izbyshev >> --- >> include/uapi/linux/prctl.h | 2 +- >> tools/include/uapi/linux/prctl.h | 2 +- >> 2 files changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h >> index f23d9a16507f..6e9af6cbc950 100644 >> --- a/include/uapi/linux/prctl.h >> +++ b/include/uapi/linux/prctl.h >> @@ -283,7 +283,7 @@ struct prctl_mm_map { >> /* Memory deny write / execute */ >> #define PR_SET_MDWE 65 >> -# define PR_MDWE_REFUSE_EXEC_GAIN 1 >> +# define PR_MDWE_REFUSE_EXEC_GAIN (1UL << 0) >> #define PR_GET_MDWE 66 >> diff --git a/tools/include/uapi/linux/prctl.h >> b/tools/include/uapi/linux/prctl.h >> index 759b3f53e53f..6e6563e97fef 100644 >> --- a/tools/include/uapi/linux/prctl.h >> +++ b/tools/include/uapi/linux/prctl.h >> @@ -283,7 +283,7 @@ struct prctl_mm_map { >> /* Memory deny write / execute */ >> #define PR_SET_MDWE 65 >> -# define PR_MDWE_REFUSE_EXEC_GAIN 1 >> +# define PR_MDWE_REFUSE_EXEC_GAIN (1UL << 0) >> #define PR_GET_MDWE 66 >> > > Both are changing existing uapi, so you'll already have existing user > space using the old values, that your kernel code has to deal with no? I'm the one who suggested this change, so I feel the need to clarify. For any existing 64-bit user space code using the kernel and the uapi headers before this patch and doing the wrong prctl(PR_SET_MDWE, PR_MDWE_REFUSE_EXEC_GAIN) call instead of the correct prctl(PR_SET_MDWE, (unsigned long)PR_MDWE_REFUSE_EXEC_GAIN), there are two possibilities when prctl() implementation extracts the second argument via va_arg(op, unsigned long): * It gets lucky, and the upper 32 bits of the argument are zero. The call does what is expected by the user. * The upper 32 bits are non-zero junk. The flags argument is rejected by the kernel, and the call fails with EINVAL (unexpectedly for the user). This change is intended to affect only the second case, and only after the program is recompiled with the new uapi headers. The currently wrong, but naturally-looking prctl(PR_SET_MDWE, PR_MDWE_REFUSE_EXEC_GAIN) call becomes correct. The kernel ABI is unaffected by this change, since it has been defined in terms of unsigned long from the start. Thanks, Alexey