| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 May 2016 15:07:35 +0100
From: Catalin Marinas <catalin.marinas@....com>
To: Yury Norov <ynorov@...iumnetworks.com>
Cc: linux-arch@...r.kernel.org, linux-s390@...r.kernel.org,
arnd@...db.de, pinskia@...il.com, Prasun.Kapoor@...iumnetworks.com,
Nathan_Lynch@...tor.com, linux-doc@...r.kernel.org,
heiko.carstens@...ibm.com, linux-kernel@...r.kernel.org,
agraf@...e.de, klimov.linux@...il.com, broonie@...nel.org,
bamvor.zhangjian@...wei.com, joseph@...esourcery.com,
schwab@...e.de, schwidefsky@...ibm.com,
linux-arm-kernel@...ts.infradead.org,
christoph.muellner@...obroma-systems.com
Subject: Re: [RFC6 PATCH v6 00/21] ILP32 for ARM64
On Thu, May 12, 2016 at 04:44:31PM +0300, Yury Norov wrote:
> On Thu, May 12, 2016 at 02:35:34PM +0100, Catalin Marinas wrote:
> > On Thu, May 12, 2016 at 03:20:00AM +0300, Yury Norov wrote:
> > > I debugged preadv02 and pwritev02 failures and found very weird bug.
> > > Test passes {iovec_base = 0xffffffff, iovec_len = 64} as one element
> > > of vector, and kernel reports successful read/write.
> > >
> > > There are 2 problems:
> > > 1. How kernel allows such address to be passed to fs subsystem;
> > > 2. How fs successes to read/write at non-mapped, and in fact non-user
> > > address.
> > >
> > > I don't know the answer on 2'nd question, and it might be something
> > > generic. But I investigated first problem.
> > >
> > > The problem is that compat_rw_copy_check_uvector() uses access_ok() to
> > > validate user address, and on arm64 it ends up with checking buffer
> > > end against current_thread_info()->addr_limit.
> > >
> > > current_thread_info()->addr_limit for ilp32, and most probably for
> > > aarch32 is equal to aarch64 one, and so adress_ok() doesn't fail.
> > > It happens because on thread creation we call flush_old_exec() to set
> > > addr_limit, and completely ignore compat mode there.
[...]
> > > --- a/arch/arm64/kernel/binfmt_elf32.c
> > > +++ b/arch/arm64/kernel/binfmt_elf32.c
> > > @@ -12,6 +12,7 @@
> > > do { \
> > > clear_thread_flag(TIF_32BIT_AARCH64); \
> > > set_thread_flag(TIF_32BIT); \
> > > + set_fs(TASK_SIZE_32); \
> > > } while (0)
> > >
> > > #define COMPAT_ARCH_DLINFO
> > > diff --git a/arch/arm64/kernel/binfmt_ilp32.c b/arch/arm64/kernel/binfmt_ilp32.c
> > > index a934fd4..a8599c6 100644
> > > --- a/arch/arm64/kernel/binfmt_ilp32.c
> > > +++ b/arch/arm64/kernel/binfmt_ilp32.c
> > > @@ -59,6 +59,7 @@ static void cputime_to_compat_timeval(const cputime_t cputime,
> > > do { \
> > > set_thread_flag(TIF_32BIT_AARCH64); \
> > > clear_thread_flag(TIF_32BIT); \
> > > + set_fs(TASK_SIZE_32); \
> > > } while (0)
> >
> > I don't think we need these two. AFAICT, flush_old_exec() takes care of
> > setting the USER_DS for the new thread.
>
> That's true, but USER_DS depends on personality which is not set yet
> for new thread, as I wrote above. In fact, I tried correct USER_DS
> only, and it doesn't work
Ah, it looks like load_elf_binary() sets the personality after
flush_old_exec(). Looking at powerpc and x86, they set USER_DS to the
maximum 64-bit task value, so they should have a similar issue with
native 32-bit vs compat behaviour.
So what exactly is LTP complaining about? Is different error (like
EFAULT vs EINVAL) or not getting an error at all.
(I need to update my LTP, the preadv tests appeared in December last
year)
--
Catalin
Powered by blists - more mailing lists