Message-ID: <20160527130446.GD7865@e104818-lin.cambridge.arm.com>
Date: Fri, 27 May 2016 14:04:47 +0100
From: Catalin Marinas <catalin.marinas@....com>
To: Arnd Bergmann <arnd@...db.de>
Cc: Heiko Carstens <heiko.carstens@...ibm.com>,
Yury Norov <ynorov@...iumnetworks.com>,
David Miller <davem@...emloft.net>,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
linux-doc@...r.kernel.org, linux-arch@...r.kernel.org,
linux-s390@...r.kernel.org, libc-alpha@...rceware.org,
schwidefsky@...ibm.com, pinskia@...il.com, broonie@...nel.org,
joseph@...esourcery.com, christoph.muellner@...obroma-systems.com,
bamvor.zhangjian@...wei.com, szabolcs.nagy@....com,
klimov.linux@...il.com, Nathan_Lynch@...tor.com, agraf@...e.de,
Prasun.Kapoor@...iumnetworks.com, kilobyte@...band.pl,
geert@...ux-m68k.org, philipp.tomsich@...obroma-systems.com
Subject: Re: [PATCH 01/23] all: syscall wrappers: add documentation
On Fri, May 27, 2016 at 12:49:11PM +0200, Arnd Bergmann wrote:
> On Friday, May 27, 2016 10:30:52 AM CEST Catalin Marinas wrote:
> > On Fri, May 27, 2016 at 10:42:59AM +0200, Arnd Bergmann wrote:
> > > On Friday, May 27, 2016 8:03:57 AM CEST Heiko Carstens wrote:
> > > > > > > > Cost wise, this seems like it all cancels out in the end, but what
> > > > > > > > do I know?
> > > > > > >
> > > > > > > I think you know something, and I also think Heiko and other s390 guys
> > > > > > > know something as well. So I'd like to listen their arguments here.
> > > >
> > > > If it comes to 64 bit arguments for compat system calls: s390 also has an
> > > > x32-like ABI extension which allows user space to use full 64 bit
> > > > registers. As far as I know hardly anybody ever made use of that.
> > > >
> > > > However even if that would be widely used, to me it wouldn't make sense to
> > > > add new compat system calls which allow 64 bit arguments, simply because
> > > > something like
> > > >
> > > > c = (u32)a | (u64)b << 32;
> > > >
> > > > can be done with a single 1-cycle instruction. It's just not worth the
> > > > extra effort to maintain additional system call variants.
> > >
> > > For reference, both tile and mips also have separate 32-bit ABIs that are
> > > only used on 64-bit kernels (aside from the normal 32-bit ABI). Tile
> > > does it like s390 and passes 64-bit arguments as pairs, while MIPS
> > > and x86 pass them as single registers.
> >
> > AFAIK, x32 also requires that the upper half of a 64-bit reg is zeroed
> > by the user when a 32-bit value is passed. We could require the same on
> > AArch64/ILP32 but I'm a bit uneasy on trusting a multitude of C
> > libraries on this.
>
> It's not about trusting a C library, it's about ensuring malicious code
> cannot pass arguments that the kernel code assumes will never happen.
At least for pointers and sizes, we have additional checks in place
already, like __access_ok(). Most of the syscalls should be safe since
they either go through some compat functions taking 32-bit arguments or
are routed to native functions which already need to cope with a full
random 64-bit value.
On arm64, I think the only risk comes from syscall handlers expecting
32-bit arguments but using 64-bit types. Apart from pointer types, I
don't expect this to happen but we could enforce it via a
BUILD_BUG_ON(sizeof(t) > 4 && !__TYPE_IS_PTR(t)) in __SC_DELOUSE as per
the s390 implementation. With ILP32 if we go for 64-bit off_t, those
syscalls would be routed directly to the native layer.
--
Catalin
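The two mechanisms discussed in this thread, a compat wrapper that "delouses" 32-bit arguments arriving in 64-bit registers and a build-time check that no non-pointer argument type is wider than 32 bits, can be sketched in plain C. The following is an added illustration, not code from the thread, from the kernel, or from the s390/ILP32 patch series; the handler names, the `reg_t` type and the `DELOUSE_*`/`CHECK_COMPAT_ARG` macros are hypothetical, and the pointer-type test reuses the `0 ? (t)0 : 0ULL` trick in the style of the s390 `__TYPE_IS_PTR` macro the message refers to.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical: a full 64-bit register as the kernel receives it on entry. */
typedef uint64_t reg_t;

/* The pattern the thread warns about: a handler whose parameter is a 64-bit
 * type while the 32-bit ABI only defines the low 32 bits of the register.
 * If user space does not zero the upper half, the junk is consumed as-is. */
uint64_t raw_len_handler(reg_t len_reg)
{
	uint64_t len = len_reg;	/* 64-bit type for a 32-bit ABI argument */
	return len;
}

/* Wrapper-side sanitising in the spirit of __SC_DELOUSE: truncate to the ABI
 * width before the handler sees the value. Unsigned arguments are
 * zero-extended, signed ones sign-extended (so a 32-bit -1 stays -1). */
#define DELOUSE_U32(reg) ((uint64_t)(uint32_t)(reg))
#define DELOUSE_S32(reg) ((int64_t)(int32_t)(uint32_t)(reg))

uint64_t deloused_len_handler(reg_t len_reg)
{
	return raw_len_handler(DELOUSE_U32(len_reg));
}

int64_t deloused_fd_handler(reg_t fd_reg)
{
	return DELOUSE_S32(fd_reg);
}

/* A 64-bit argument passed as a register pair, as in Heiko's
 * c = (u32)a | (u64)b << 32; each half is masked to 32 bits first. */
uint64_t combine_pair(reg_t lo, reg_t hi)
{
	return (uint64_t)(uint32_t)lo | ((uint64_t)(uint32_t)hi << 32);
}

/* Build-time check modelled on
 * BUILD_BUG_ON(sizeof(t) > 4 && !__TYPE_IS_PTR(t)):
 * for a pointer type the conditional expression keeps the pointer type,
 * for any integer type it promotes to unsigned long long. */
#define TYPE_IS_PTR(t) \
	(!__builtin_types_compatible_p(__typeof__(0 ? (t)0 : 0ULL), unsigned long long))
#define CHECK_COMPAT_ARG(t) \
	_Static_assert(sizeof(t) <= 4 || TYPE_IS_PTR(t), \
		       "64-bit non-pointer argument type in a 32-bit compat handler: " #t)

/* Types a compat handler may legitimately take: */
CHECK_COMPAT_ARG(uint32_t);
CHECK_COMPAT_ARG(int);
CHECK_COMPAT_ARG(void *);
/* CHECK_COMPAT_ARG(uint64_t); would not compile, which is the point. */

int main(void)
{
	/* Constructed sample register contents: a valid 32-bit length of 0x10
	 * with junk left in the upper half, and a 32-bit -1 with a zeroed
	 * upper half. */
	reg_t len_reg = 0xDEADBEEF00000010ULL;
	reg_t fd_reg = 0x00000000FFFFFFFFULL;

	printf("raw handler sees      0x%016llx\n",
	       (unsigned long long)raw_len_handler(len_reg));
	printf("deloused handler sees 0x%016llx\n",
	       (unsigned long long)deloused_len_handler(len_reg));
	printf("deloused fd           %lld\n",
	       (long long)deloused_fd_handler(fd_reg));
	printf("pair combined         0x%016llx\n",
	       (unsigned long long)combine_pair(0x89ABCDEFULL, 0x01234567ULL));
	return 0;
}
```

The check lives at compile time, so a handler prototype that declares `size_t` or `loff_t` for what the ILP32 ABI specifies as a 32-bit argument is caught when the wrapper is instantiated rather than at run time; the sanitising macros then make the kernel-side value independent of whether user space zeroed the upper half of the register.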