[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CA+=Sn1=CF8nn59AGbrZAg5fzOM3tk1C_DGLTu4DUcVmYhY46BQ@mail.gmail.com>
Date: Tue, 21 Jun 2016 09:37:47 -0700
From: Andrew Pinski <pinskia@...il.com>
To: Arnd Bergmann <arnd@...db.de>
Cc: Joseph Myers <joseph@...esourcery.com>,
Yury Norov <ynorov@...iumnetworks.com>,
GNU C Library <libc-alpha@...rceware.org>,
LKML <linux-kernel@...r.kernel.org>,
Catalin Marinas <catalin.marinas@....com>,
Marcus Shawcroft <marcus.shawcroft@....com>, philb@....org,
David Miller <davem@...emloft.net>,
Szabolcs Nagy <szabolcs.nagy@....com>,
Maxim Kuvyrkov <maxim.kuvyrkov@...aro.org>
Subject: Re: [PATCH 23/27] [AARCH64] delouse input arguments in system functions
On Tue, Jun 21, 2016 at 8:42 AM, Arnd Bergmann <arnd@...db.de> wrote:
> On Tuesday, June 21, 2016 10:36:53 AM CEST Joseph Myers wrote:
>> On Tue, 21 Jun 2016, Yury Norov wrote:
>>
>> > Signed-off-by: Yury Norov <ynorov@...iumnetworks.com>
>>
>> You're missing a patch description. What does "delouse" even mean? What
>> is the ABI peculiarity that means there are ABI-conforming arguments to
>> these functions that need such a manipulation?
>>
>
> This is the term the kernel uses for making sure that no system call
> from user space passes data in the upper bits of the argument registers,
> which could end up being used in an exploit when the calling conventions
> between functions assume that the upper bits contain zeroes.
>
> I don't think there is any point in doing this in glibc though: we
> can safely assume that any application calling into glibc follows
> the documented calling conventions (it would otherwise be a bug),
> but the kernel still has to zero those registers because malicious
> user space code would simply execute the system call instruction
> directly instead of calling into glibc...
The documented abi leaves the top 32bits undefined which is why the
zeroing is needed in these cases. Maybe a different name is needed
here.
It is the same reason why it is needed for vdso assembly code. If
these functions were written in C, the compiler would be emitting the
zero extend for you.
Thanks,
Andrew
>
> Arnd
Powered by blists - more mailing lists