| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 05 Jan 2016 22:12:20 +0100 From: Arnd Bergmann <arnd@...db.de> To: linux-arm-kernel@...ts.infradead.org Cc: Yury Norov <ynorov@...iumnetworks.com>, Andrew Pinski <pinskia@...il.com>, "Kapoor, Prasun" <Prasun.Kapoor@...iumnetworks.com>, Catalin Marinas <catalin.marinas@....com>, "Joseph S. Myers" <joseph@...esourcery.com>, Nathan Lynch <Nathan_Lynch@...tor.com>, LKML <linux-kernel@...r.kernel.org>, Alexander Graf <agraf@...e.de>, Alexey Klimov <klimov.linux@...il.com>, broonie@...nel.org, Jan Dakinevich <jan.dakinevich@...il.com>, Andrew Pinski <apinski@...ium.com>, David Daney <ddaney.cavm@...il.com>, Andreas Schwab <schwab@...e.de>, "Zhangjian (Bamvor)" <bamvor.zhangjian@...wei.com>, Philipp Tomsich <philipp.tomsich@...obroma-systems.com>, christoph.muellner@...obroma-systems.com Subject: Re: [PATCH v6 12/20] arm64:ilp32: add sys_ilp32.c and a separate table (in entry.S) to use it On Tuesday 05 January 2016 18:26:57 Yury Norov wrote: > > So the calling conventions avoid the problem of being able to set > > the upper bits from malicious user space when the kernel assumes they > > are zeroed out (we had security bugs in this area, before we introduced > > SYSCALL_DEFINEx()), but it means that we need wrappers around each > > syscall that takes an argument that is different length between user > > and kernel space (as Catalin guessed). arch/s390 has the same problem and > > works around it with code in arch/s390/kernel/compat_wrapper.c, while > > other architectures (at least powerpc, x86 and tile IIRC, don't know much > > about mips, parisc and sparc) don't have the problem because of their > > calling conventions. > > > > This also means that we cannot work around it in glibc at all, because > > we have to be able to handle malicious user space, so it has to be > > done in the kernel using something similar to what s390 does. > > > > Arnd > > So it seems like we (should) have 2 compat modes - with and without access > to upper half of register. I'm thinking now on how put it in generic > unistd.h less painfull way. I think we can do that by slightly modifying the existing __SYSCALL/__SC_3264/ __SC_COMP/__SC_COMP_3264 macros: The first two need extra wrappers for arm64-ilp32 and s390, the other two don't. We can use some clever string concatenation to add a ##_wrapper to the name of the handler where needed and then just have a file that implements the wrappers, copied from s390. Unfortunately, we can't just zero out all the upper halves and be done with it: even if we went back to passing 64-bit arguments as separate 32-bit registers, we'd still need to deal with sign-extending negative 32-bit numbers. > Beside of that, I think I almost finished with all current comments. As > this issue is not related to ILP32 directly, I think, it's better to show > it now, as there is pretty massive rework. What do you think? Good idea, yes. Arnd -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists