| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160512142016.GH11226@e104818-lin.cambridge.arm.com>
Date: Thu, 12 May 2016 15:20:16 +0100
From: Catalin Marinas <catalin.marinas@....com>
To: Yury Norov <ynorov@...iumnetworks.com>
Cc: linux-arch@...r.kernel.org, linux-s390@...r.kernel.org,
arnd@...db.de, pinskia@...il.com, Prasun.Kapoor@...iumnetworks.com,
heiko.carstens@...ibm.com, linux-doc@...r.kernel.org,
Nathan_Lynch@...tor.com, linux-kernel@...r.kernel.org,
agraf@...e.de, klimov.linux@...il.com, broonie@...nel.org,
bamvor.zhangjian@...wei.com, linux-arm-kernel@...ts.infradead.org,
schwab@...e.de, schwidefsky@...ibm.com, joseph@...esourcery.com,
christoph.muellner@...obroma-systems.com
Subject: Re: [RFC6 PATCH v6 00/21] ILP32 for ARM64
On Thu, May 12, 2016 at 03:07:35PM +0100, Catalin Marinas wrote:
> On Thu, May 12, 2016 at 04:44:31PM +0300, Yury Norov wrote:
> > On Thu, May 12, 2016 at 02:35:34PM +0100, Catalin Marinas wrote:
> > > On Thu, May 12, 2016 at 03:20:00AM +0300, Yury Norov wrote:
> > > > I debugged preadv02 and pwritev02 failures and found very weird bug.
> > > > Test passes {iovec_base = 0xffffffff, iovec_len = 64} as one element
> > > > of vector, and kernel reports successful read/write.
> > > >
> > > > There are 2 problems:
> > > > 1. How kernel allows such address to be passed to fs subsystem;
> > > > 2. How fs successes to read/write at non-mapped, and in fact non-user
> > > > address.
> > > >
> > > > I don't know the answer on 2'nd question, and it might be something
> > > > generic. But I investigated first problem.
> > > >
> > > > The problem is that compat_rw_copy_check_uvector() uses access_ok() to
> > > > validate user address, and on arm64 it ends up with checking buffer
> > > > end against current_thread_info()->addr_limit.
> > > >
> > > > current_thread_info()->addr_limit for ilp32, and most probably for
> > > > aarch32 is equal to aarch64 one, and so adress_ok() doesn't fail.
> > > > It happens because on thread creation we call flush_old_exec() to set
> > > > addr_limit, and completely ignore compat mode there.
>
> [...]
>
> > > > --- a/arch/arm64/kernel/binfmt_elf32.c
> > > > +++ b/arch/arm64/kernel/binfmt_elf32.c
> > > > @@ -12,6 +12,7 @@
> > > > do { \
> > > > clear_thread_flag(TIF_32BIT_AARCH64); \
> > > > set_thread_flag(TIF_32BIT); \
> > > > + set_fs(TASK_SIZE_32); \
> > > > } while (0)
> > > >
> > > > #define COMPAT_ARCH_DLINFO
> > > > diff --git a/arch/arm64/kernel/binfmt_ilp32.c b/arch/arm64/kernel/binfmt_ilp32.c
> > > > index a934fd4..a8599c6 100644
> > > > --- a/arch/arm64/kernel/binfmt_ilp32.c
> > > > +++ b/arch/arm64/kernel/binfmt_ilp32.c
> > > > @@ -59,6 +59,7 @@ static void cputime_to_compat_timeval(const cputime_t cputime,
> > > > do { \
> > > > set_thread_flag(TIF_32BIT_AARCH64); \
> > > > clear_thread_flag(TIF_32BIT); \
> > > > + set_fs(TASK_SIZE_32); \
> > > > } while (0)
> > >
> > > I don't think we need these two. AFAICT, flush_old_exec() takes care of
> > > setting the USER_DS for the new thread.
> >
> > That's true, but USER_DS depends on personality which is not set yet
> > for new thread, as I wrote above. In fact, I tried correct USER_DS
> > only, and it doesn't work
>
> Ah, it looks like load_elf_binary() sets the personality after
> flush_old_exec(). Looking at powerpc and x86, they set USER_DS to the
> maximum 64-bit task value, so they should have a similar issue with
> native 32-bit vs compat behaviour.
I think we have another problem. flush_old_exec() calls the arm64
flush_thread() where tls_thread_flush() checks for is_compat_task(). So
starting a 32-bit application from a 64-bit one not go on the correct
path.
--
Catalin
Powered by blists - more mailing lists