lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <324DA988-B44C-4B98-A74F-BC5EDBE69C46@amacapital.net>
Date:   Sat, 20 Oct 2018 00:58:39 -0700
From:   Andy Lutomirski <luto@...capital.net>
To:     Andreas Dilger <adilger@...ger.ca>,
        Al Viro <viro@...iv.linux.org.uk>,
        linux-fsdevel@...r.kernel.org
Cc:     Andy Lutomirski <luto@...nel.org>, NeilBrown <neilb@...e.com>,
        Ted Ts'o <tytso@....edu>,
        Peter Zijlstra <peterz@...radead.org>,
        Dmitry Safonov <dsafonov@...tuozzo.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Denys Vlasenko <dvlasenk@...hat.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Borislav Petkov <bp@...en8.de>, Ingo Molnar <mingo@...nel.org>,
        Brian Gerst <brgerst@...il.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        linux-tip-commits@...r.kernel.org,
        James Simmons <jsimmons@...radead.org>
Subject: Re: in_compat_syscall() returns from kernel thread for X86_32.



> On Oct 19, 2018, at 11:02 PM, Andreas Dilger <adilger@...ger.ca> wrote:
> 
>> On Oct 18, 2018, at 11:26 AM, Andy Lutomirski <luto@...nel.org> wrote:
>> 
>>> On Wed, Oct 17, 2018 at 9:36 PM NeilBrown <neilb@...e.com> wrote:
>>> 
>>>> On Wed, Oct 17 2018, Andy Lutomirski wrote:
>>>> 
>>>>> On Wed, Oct 17, 2018 at 6:48 PM NeilBrown <neilb@...e.com> wrote:
>>>>> 
>>>>> 
>>>>> Was: Re: [tip:x86/asm] x86/entry: Rename is_{ia32,x32}_task() to in_{ia32,x32}_syscall()
>>>>>> On Tue, Apr 19 2016, tip-bot for Dmitry Safonov wrote:
>>>>>> 
>>>>>> Commit-ID:  abfb9498ee1327f534df92a7ecaea81a85913bae
>>>>>> Gitweb:     http://git.kernel.org/tip/abfb9498ee1327f534df92a7ecaea81a85913bae
>>>>>> Author:     Dmitry Safonov <dsafonov@...tuozzo.com>
>>>>>> AuthorDate: Mon, 18 Apr 2016 16:43:43 +0300
>>>>>> Committer:  Ingo Molnar <mingo@...nel.org>
>>>>>> CommitDate: Tue, 19 Apr 2016 10:44:52 +0200
>>>>>> 
>>>>>> x86/entry: Rename is_{ia32,x32}_task() to in_{ia32,x32}_syscall()
>>>>>> 
>>>>> ...
>>>>>> @@ -318,7 +318,7 @@ static inline bool is_x32_task(void)
>>>>>> 
>>>>>> static inline bool in_compat_syscall(void)
>>>>>> {
>>>>>> -     return is_ia32_task() || is_x32_task();
>>>>>> +     return in_ia32_syscall() || in_x32_syscall();
>>>>>> }
>>>>> 
>>>>> Hi,
>>>>> I'm reply to this patch largely to make sure I get the right people
>>>>> .....
>>>>> 
>>>>> This test is always true when CONFIG_X86_32 is set, as that forces
>>>>> in_ia32_syscall() to true.
>>>>> However we might not be in a syscall at all - we might be running a
>>>>> kernel thread which is always in 64 mode.
>>>>> Every other implementation of in_compat_syscall() that I found is
>>>>> dependant on a thread flag or syscall register flag, and so returns
>>>>> "false" in a kernel thread.
>>>>> 
>>>>> Might something like this be appropriate?
>>>>> 
>>>>> diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
>>>>> index 2ff2a30a264f..c265b40a78f2 100644
>>>>> --- a/arch/x86/include/asm/thread_info.h
>>>>> +++ b/arch/x86/include/asm/thread_info.h
>>>>> @@ -219,7 +219,7 @@ static inline int arch_within_stack_frames(const void * const stack,
>>>>> #ifndef __ASSEMBLY__
>>>>> 
>>>>> #ifdef CONFIG_X86_32
>>>>> -#define in_ia32_syscall() true
>>>>> +#define in_ia32_syscall() (!(current->flags & PF_KTHREAD))
>>>>> #else
>>>>> #define in_ia32_syscall() (IS_ENABLED(CONFIG_IA32_EMULATION) && \
>>>>>                          current_thread_info()->status & TS_COMPAT)
>>>>> 
>>>>> This came up in the (no out-of-tree) lustre filesystem where some code
>>>>> needs to assume 32-bit mode in X86_32 syscalls, and 64-bit mode in kernel
>>>>> threads.
>>>>> 
>>>> 
>>>> I could get on board with:
>>>> 
>>>> ({WARN_ON_ONCE(current->flags & PF_KTHREAD); true})
>>>> 
>>>> The point of these accessors is to be used *in a syscall*.
>>>> 
>>>> What on Earth is Lustre doing that makes it have this problem?
>>> 
>>> Lustre uses it in the ->getattr method to make sure ->ino, ->dev and
>>> ->rdev are appropriately sized.  This isn't very different from the
>>> usage in ext4 to ensure the seek offset for directories is suitable.
>>> 
>>> These interfaces can be used both from systemcalls and from kernel
>>> threads, such as via nfsd.
>>> 
>>> I don't *know* if nfsd is the particular kthread that causes problems
>>> for lustre.  All I know is that ->getattr returns 32bit squashed inode
>>> numbers in kthread context where 64 bit numbers would be expected.
>>> 
>> 
>> Well, that looks like Lustre is copying an ext4 bug.
>> 
>> Hi ext4 people-
>> 
>> ext4's is_32bit_api() function is bogus.  You can't use
>> in_compat_syscall() unless you know you're in a syscall
>> 
>> The buggy code was introduced in:
>> 
>> commit d1f5273e9adb40724a85272f248f210dc4ce919a
>> Author: Fan Yong <yong.fan@...mcloud.com>
>> Date:   Sun Mar 18 22:44:40 2012 -0400
>> 
>>   ext4: return 32/64-bit dir name hash according to usage type
>> 
>> I don't know what the right solution is.  Al, is it legit at all for
>> fops->llseek to care about the caller's bitness?  If what ext4 is
>> doing is legit, then ISTM the VFS needs to gain a new API to tell
>> ->llseek what to do.  But I'm wondering why FMODE_64BITHASH by itself
>> isn't sufficient,
>> 
>> I'm quite tempted to add a warning to the x86 arch code to try to
>> catch this type of bug.  Fortunately, a bit of grepping suggests that
>> ext4 is the only filesystem with this problem.
> 
> We need to know whether the readdir cookie returned to userspace
> should be a 32-bit cookie or a 64-bit cookie.  Trying to return
> a 64-bit value will result in -EOVERFLOW for a 32-bit application,
> but is preferable (if possible) because it reduces the chance of
> hash collisions causing readdir to have problems.
> 
> 

Let’s rope Al in. Sorry, I thought he was already on cc.

The concept seems reasonable, but the implementation is problematic. For example, the behavior of calling vfs_llseek() is basically undefined.

Is some VFS change needed to fix this?  Maybe a .compat_llseek or some other explicit indication of whether a 64-bit hash is okay?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ