Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp4479398rwd; Tue, 23 May 2023 08:13:40 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5kamvvVbmyy5tQDuy1YixD2J+4qRDIXb1uzRgAcbVoArHfRqe8G3ydn3FwDYKSUxRzjIGO X-Received: by 2002:a17:90b:1907:b0:24d:e975:8b91 with SMTP id mp7-20020a17090b190700b0024de9758b91mr12771342pjb.40.1684854819816; Tue, 23 May 2023 08:13:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684854819; cv=none; d=google.com; s=arc-20160816; b=ThvtkCQIlqgy1pxdWo5rwxdSO45DxjFNyonegpXWY1UFkr5dXeAfhinNuJITYLMBu9 kEVEKKSxMavJiEuBpYW01Mn29jsOrJ1CfNdSA54RvRWSbXECVDDO0b1XbqejdOqfK0RO GMJb28h6vkBp/aJViFiJTH1ZBQxI69EGQ52n04RZfmEaDhdKjUe+MNHJx8BEpd1NmOgh QAl4Q9zabmmMmFrUO2RTXuV2XICIRFAbhjDBeyOAI4+4viIMPS3VJhv8BFaVWOgtM/fX jIGwvx2q2NtkRG/W86ykVSneGFU/Puo/IEoltIXAsa9QA22wj1Rwq3BHPkXYyr238Ev4 edEg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:message-id:user-agent :references:in-reply-to:subject:cc:to:from:date:mime-version :dkim-signature:dkim-filter; bh=WjIqZeXgtE4G/zI0XOtx3zWtmrcxBElWuTM9Lec+WqA=; b=mEA4IjvYmzjLKvvd1MZ/Ky8cqX/tRGl9tJNrZij0/J2ssaqJL5QzahnqbuCIjlRipZ 2DTvfKEZU1CZtSI+k+IISequmsEIR8J9IA8wHsBYCxiRQM9Zy0o2dFYQ84NEreBOSaD0 PWFQdoZSQvPQCNb5JeIpBqGrhl4r8KgXKz/aljey61dYV4ceb0TQegHE/SMszqc0dJw/ 1K7469pUVy9o9lusdvij6XDZy+l0ZvDUJ/90MZHKIWbyxEUy0R7gWtdHk5x/4t/Wc0hj LvWLtzNBxx8PYAEf2RTMNi+e8WhwoCyiPLrIIivYrqHfand4t/BpS/Nt+4OZr1qHlNMb 58DQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ispras.ru header.s=default header.b=em5+wnNX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id bt18-20020a632912000000b0053045e0307esi1638860pgb.451.2023.05.23.08.13.27; Tue, 23 May 2023 08:13:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ispras.ru header.s=default header.b=em5+wnNX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236100AbjEWOq5 (ORCPT + 99 others); Tue, 23 May 2023 10:46:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41992 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232856AbjEWOq4 (ORCPT ); Tue, 23 May 2023 10:46:56 -0400 Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2925BCD for ; Tue, 23 May 2023 07:46:54 -0700 (PDT) Received: from mail.ispras.ru (unknown [83.149.199.84]) by mail.ispras.ru (Postfix) with ESMTPSA id 1233B4010159; Tue, 23 May 2023 14:46:52 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 1233B4010159 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru; s=default; t=1684853212; bh=WjIqZeXgtE4G/zI0XOtx3zWtmrcxBElWuTM9Lec+WqA=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=em5+wnNXj6hCrEQiF23O2r9tinzq/BP+++PJt+E8WhNc7tjRBxDVId/vJJu+PH2hB omexiFB7DKpFkruA6jJxtY9JckWeMTpIF46gW4Ys6mETiDKRbTwx5G77dGCE/riuQm BG/9MwDdQD8o4q47/ldEN0YskoRcA1GaEGyBMfes= MIME-Version: 1.0 Date: Tue, 23 May 2023 17:46:52 +0300 From: Alexey Izbyshev To: Catalin Marinas Cc: David Hildenbrand , Florent Revest , linux-kernel@vger.kernel.org, linux-mm@kvack.org, akpm@linux-foundation.org, anshuman.khandual@arm.com, joey.gouly@arm.com, mhocko@suse.com, keescook@chromium.org, peterx@redhat.com, broonie@kernel.org, szabolcs.nagy@arm.com, kpsingh@kernel.org, gthelen@google.com, toiwoton@gmail.com Subject: Re: [PATCH v2 3/5] mm: Make PR_MDWE_REFUSE_EXEC_GAIN an unsigned long In-Reply-To: References: <20230517150321.2890206-1-revest@chromium.org> <20230517150321.2890206-4-revest@chromium.org> <884d131bbc28ebfa0b729176e6415269@ispras.ru> <3c2e210b75bd56909322e8a3e5086d91@ispras.ru> User-Agent: Roundcube Webmail/1.4.4 Message-ID: X-Sender: izbyshev@ispras.ru Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2023-05-23 17:09, Catalin Marinas wrote: > On Tue, May 23, 2023 at 04:25:45PM +0300, Alexey Izbyshev wrote: >> On 2023-05-23 16:07, Catalin Marinas wrote: >> > On Tue, May 23, 2023 at 11:12:37AM +0200, David Hildenbrand wrote: >> > > Also, how is passing "0"s to e.g., PR_GET_THP_DISABLE reliable? We >> > > need arg2 >> > > -> arg5 to be 0. But wouldn't the following also just pass a 0 "int" ? >> > > >> > > prctl(PR_GET_THP_DISABLE, 0, 0, 0, 0) >> > > >> > > I'm easily confused by such (va_args) things, so sorry for the dummy >> > > questions. >> > >> > Isn't the prctl() prototype in the user headers defined with the first >> > argument as int while the rest as unsigned long? At least from the man >> > page: >> > >> > int prctl(int option, unsigned long arg2, unsigned long arg3, >> > unsigned long arg4, unsigned long arg5); >> > >> > So there are no va_args tricks (which confuse me as well). >> > >> I have explicitly mentioned the problem with man pages in my response >> to >> David[1]. Quoting myself: >> >> > This stuff *is* confusing, and note that Linux man pages don't even tell >> that prctl() is actually declared as a variadic function (and for >> ptrace() this is mentioned only in the notes, but not in its >> signature). > > Ah, thanks for the clarification (I somehow missed your reply). > >> The reality: >> >> * glibc: >> https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/sys/prctl.h;h=821aeefc1339b35210e8918ecfe9833ed2792626;hb=glibc-2.37#l42 >> >> * musl: >> https://git.musl-libc.org/cgit/musl/tree/include/sys/prctl.h?h=v1.2.4#n180 >> >> Though there is a test in the kernel that does define its own >> prototype, >> avoiding the issue: >> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/testing/selftests/sched/cs_prctl_test.c?h=v6.3#n77 > > At least for glibc, it seems that there is a conversion to unsigned > long: > > https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/prctl.c#l28 > > unsigned long int arg2 = va_arg (arg, unsigned long int); > > (does va_arg expand to an actual cast?) > No, this not a conversion or a cast in the sense that I think you mean it. What happens in the situation discussed in this thread is the following (assuming the argument is passed via a register, which is typical for initial variadic arguments on 64-bit targets): * User calls prctl(op, 0) on a 64-bit target. * The second argument is an int. * The compiler generates code to pass an int (32 bits) via a 64-bit register. The compiler is NOT required to clear the upper 32 bits of the register, so they might contain arbitrary junk in a general case. * The prctl() implementation calls va_arg(arg, unsigned long) (as in your quote). * The compiler extracts the full 64-bit value of the same register (which in our case might contain junk in the upper 32 bits). * This extracted 64-bit value is then passed to the system call. So... > If the libc passes a 32-bit to a kernel ABI that expects 64-bit, I > think > it's a user-space bug and not a kernel ABI issue. ... the problem happens not at the user/kernel boundary, but in prctl() call/implementation in user space. But yes, it's still a user-space bug and not a kernel ABI issue. The David's question, as I understand it, was whether we want to keep such buggy code that happens to pass junk failing with EINVAL in future kernels or not. If we do want to keep it failing, we can never assign any meaning to the upper 32 bits of the second prctl() argument for PR_SET_MDWE op. Thanks, Alexey