Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp3167710rwd; Mon, 22 May 2023 09:31:31 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4hKKxZRuC+l9Q62f50dXvsy92zYwUpr9FHlHfSYTceVzICZx+0oJp8/eWu4YQJjWZbymIR X-Received: by 2002:a05:6a21:9982:b0:10b:6e18:b694 with SMTP id ve2-20020a056a21998200b0010b6e18b694mr5347332pzb.55.1684773091603; Mon, 22 May 2023 09:31:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684773091; cv=none; d=google.com; s=arc-20160816; b=vKYPMqpO/9Dmibc6e1ttddQu+L3LZSQLIoy2JDdy/8tymXKBYatd/w9Xb3lp+82Q9S DkGqLRfFxUyTZR0sgpK45g+ggzNRPdDP5PDSy/eUInyJy2I9WaETj8HvuVWFgqfBrcRE VoHMTwp6Yu6PQ8kAt/A6lEfzubm63YUsWd3TwtvvpWV/w/URZNsQUm70vY8MUkKo4HPG gpBtLqlSjc+PzSRqZZSVC/qoTg/9pZxb5GgR8d230sddA/4pNDVWbsen23qzjSZfDzfB kPwWla86BYVw7hFPXJ7MiWOBtAjjnlWcNAXwAKJoRIWJojvWO1PUk4bPHIyvTw+v++Hs OvYQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :organization:from:references:cc:to:content-language:subject :user-agent:mime-version:date:message-id:dkim-signature; bh=5um2DUZCGOrnDKFk5C7dFmDvO0JwbcJTzc9WMdYWTFQ=; b=CETZbDm+6Xhdfjm8MKuOozBFuiPE5Y6du++SAV8fIIkmWM2q8HDithmwYQ1ExpiCf9 6785sPzUVHu+fNk38ExXoCxSLK6eGpnOT1zlEqdhLQ7KiDU0Z/NkMslAtMEvkSnFYLeG WNCMqILNzUrJHkqS05gWQg9rhqYnbC7s0GxiTRVbyE08QXBRNXq64Rd5z4Rvmfzi37E4 89svGpThI2c8WAqYiTUUOmFvs7MiKpWgn5p+wbIDYMRmHIL6l0dCJXLjHo0DiIqpOF8G KXXMSYlluwKqqINjzGbyTRsWMmgKjyNWaI5633EczRNWKBQtSi4bJjSMz+BOGq2VpgA8 RbgQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=U6cmhQEa; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v66-20020a626145000000b0063d6708d1c9si1224185pfb.105.2023.05.22.09.31.18; Mon, 22 May 2023 09:31:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=U6cmhQEa; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231538AbjEVQXr (ORCPT + 99 others); Mon, 22 May 2023 12:23:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34460 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229617AbjEVQXn (ORCPT ); Mon, 22 May 2023 12:23:43 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2D993FA for ; Mon, 22 May 2023 09:22:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1684772576; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5um2DUZCGOrnDKFk5C7dFmDvO0JwbcJTzc9WMdYWTFQ=; b=U6cmhQEaeX/ktiPz9tnNEECakn//OPU1F6gxncriJYhtsm/08ShvSroTBRxnzSYEbo8xP1 HO3Ce2y9fge+vwlsx0RmX8nTPsT9oBpDM5C/bLPJaPnoXNv0dA6glLZ2YarX68p7fw97Qr /V7tARIFrA3I3Pn73PQUYIsBL1dZmgc= Received: from mail-wr1-f69.google.com (mail-wr1-f69.google.com [209.85.221.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-33-nd9ZP6yuPcWc_zWglsEfAg-1; Mon, 22 May 2023 12:22:55 -0400 X-MC-Unique: nd9ZP6yuPcWc_zWglsEfAg-1 Received: by mail-wr1-f69.google.com with SMTP id ffacd0b85a97d-307814dd87eso2657325f8f.0 for ; Mon, 22 May 2023 09:22:55 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684772574; x=1687364574; h=content-transfer-encoding:in-reply-to:organization:from:references :cc:to:content-language:subject:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=5um2DUZCGOrnDKFk5C7dFmDvO0JwbcJTzc9WMdYWTFQ=; b=ex42OcuskIZJ5RaF5XOfTVIgbaQ+b/JjvYZ5bxAq7iPgRypFUPxdoYBW5z+q7n+BKF W/tsgxUD72psDIefVxjmQ+rVWt0DSK1hwwrOtcvv9g50iOzvmXvuvr8sVYPc1nRr/pl2 ks6j+knDxoprJLsrx8cvP3TA4NBxPqXfiX/si9S0r32L3EKt8R8g1rip20IUnEKgSm/B J0bcggRNZxBdBeL5haWeS2C4dENJrTgDVRCprFRfIpLv8jmXy+FMEIab1oF998fE0EOq ydlvnwcbesZIvrhKL5Yp3EQlPHlJvq3+rsh9vhaN1qUyT4FLwJRP7hlT/XEJtBOWQTJl bsCQ== X-Gm-Message-State: AC+VfDyB4aFR+5hoRDOuSlgSQH/35TmZryZsIRdwB4Km4ND/0OVAXPGG QTeZCvEVgZKgdIInFSfcdPG9pUgCeljn4mNhMEmXM1FKZ7gDqQc7IuQKgQ6LUg9+3UU2VhI+hh/ FYRMnoFuPi/6uV5T/GiiR3QRr X-Received: by 2002:a5d:6b4c:0:b0:2f5:83a8:a9a9 with SMTP id x12-20020a5d6b4c000000b002f583a8a9a9mr8879055wrw.16.1684772574042; Mon, 22 May 2023 09:22:54 -0700 (PDT) X-Received: by 2002:a5d:6b4c:0:b0:2f5:83a8:a9a9 with SMTP id x12-20020a5d6b4c000000b002f583a8a9a9mr8879036wrw.16.1684772573694; Mon, 22 May 2023 09:22:53 -0700 (PDT) Received: from ?IPV6:2003:cb:c748:4300:c403:519c:6f8f:19c9? (p200300cbc7484300c403519c6f8f19c9.dip0.t-ipconnect.de. [2003:cb:c748:4300:c403:519c:6f8f:19c9]) by smtp.gmail.com with ESMTPSA id a2-20020a056000100200b0030903d44dbcsm8189116wrx.33.2023.05.22.09.22.51 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 22 May 2023 09:22:52 -0700 (PDT) Message-ID: Date: Mon, 22 May 2023 18:22:50 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0 Subject: Re: [PATCH v2 3/5] mm: Make PR_MDWE_REFUSE_EXEC_GAIN an unsigned long Content-Language: en-US To: Alexey Izbyshev Cc: Florent Revest , linux-kernel@vger.kernel.org, linux-mm@kvack.org, akpm@linux-foundation.org, catalin.marinas@arm.com, anshuman.khandual@arm.com, joey.gouly@arm.com, mhocko@suse.com, keescook@chromium.org, peterx@redhat.com, broonie@kernel.org, szabolcs.nagy@arm.com, kpsingh@kernel.org, gthelen@google.com, toiwoton@gmail.com References: <20230517150321.2890206-1-revest@chromium.org> <20230517150321.2890206-4-revest@chromium.org> <884d131bbc28ebfa0b729176e6415269@ispras.ru> From: David Hildenbrand Organization: Red Hat In-Reply-To: <884d131bbc28ebfa0b729176e6415269@ispras.ru> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 22.05.23 12:35, Alexey Izbyshev wrote: > On 2023-05-22 11:55, David Hildenbrand wrote: >> On 17.05.23 17:03, Florent Revest wrote: >>> Alexey pointed out that defining a prctl flag as an int is a footgun >>> because, under some circumstances, when used as a flag to prctl, it >>> can >>> be casted to long with garbage upper bits which would result in >>> unexpected behaviors. >>> >>> This patch changes the constant to a UL to eliminate these >>> possibilities. >>> >>> Signed-off-by: Florent Revest >>> Suggested-by: Alexey Izbyshev >>> --- >>> include/uapi/linux/prctl.h | 2 +- >>> tools/include/uapi/linux/prctl.h | 2 +- >>> 2 files changed, 2 insertions(+), 2 deletions(-) >>> >>> diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h >>> index f23d9a16507f..6e9af6cbc950 100644 >>> --- a/include/uapi/linux/prctl.h >>> +++ b/include/uapi/linux/prctl.h >>> @@ -283,7 +283,7 @@ struct prctl_mm_map { >>> /* Memory deny write / execute */ >>> #define PR_SET_MDWE 65 >>> -# define PR_MDWE_REFUSE_EXEC_GAIN 1 >>> +# define PR_MDWE_REFUSE_EXEC_GAIN (1UL << 0) >>> #define PR_GET_MDWE 66 >>> diff --git a/tools/include/uapi/linux/prctl.h >>> b/tools/include/uapi/linux/prctl.h >>> index 759b3f53e53f..6e6563e97fef 100644 >>> --- a/tools/include/uapi/linux/prctl.h >>> +++ b/tools/include/uapi/linux/prctl.h >>> @@ -283,7 +283,7 @@ struct prctl_mm_map { >>> /* Memory deny write / execute */ >>> #define PR_SET_MDWE 65 >>> -# define PR_MDWE_REFUSE_EXEC_GAIN 1 >>> +# define PR_MDWE_REFUSE_EXEC_GAIN (1UL << 0) >>> #define PR_GET_MDWE 66 >>> >> >> Both are changing existing uapi, so you'll already have existing user >> space using the old values, that your kernel code has to deal with no? > > I'm the one who suggested this change, so I feel the need to clarify. > > For any existing 64-bit user space code using the kernel and the uapi > headers before this patch and doing the wrong prctl(PR_SET_MDWE, > PR_MDWE_REFUSE_EXEC_GAIN) call instead of the correct prctl(PR_SET_MDWE, > (unsigned long)PR_MDWE_REFUSE_EXEC_GAIN), there are two possibilities > when prctl() implementation extracts the second argument via va_arg(op, > unsigned long): > > * It gets lucky, and the upper 32 bits of the argument are zero. The > call does what is expected by the user. > > * The upper 32 bits are non-zero junk. The flags argument is rejected by > the kernel, and the call fails with EINVAL (unexpectedly for the user). > > This change is intended to affect only the second case, and only after > the program is recompiled with the new uapi headers. The currently > wrong, but naturally-looking prctl(PR_SET_MDWE, > PR_MDWE_REFUSE_EXEC_GAIN) call becomes correct. > > The kernel ABI is unaffected by this change, since it has been defined > in terms of unsigned long from the start. The thing I'm concerned about is the following: old user space (that would fail) on new kernel where we define some upper 32bit to actually have a meaning (where it would succeed with wrong semantics). IOW, can we ever really "use" these upper 32bit, or should we instead only consume the lower 32bit in the kernel and effectively ignore the upper 32bit? I guess the feature is not that old, so having many existing user space applications is unlikely. Which raises the question if we want to tag this here with a "Fixes" and eventually cc stable (hmm ...)? -- Thanks, David / dhildenb