lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87367ovy6k.fsf@oldenburg2.str.redhat.com>
Date:   Mon, 25 May 2020 17:20:19 +0200
From:   Florian Weimer <fweimer@...hat.com>
To:     Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
Cc:     libc-alpha <libc-alpha@...rceware.org>,
        Rich Felker <dalias@...c.org>,
        linux-api <linux-api@...r.kernel.org>,
        Boqun Feng <boqun.feng@...il.com>,
        Will Deacon <will.deacon@....com>,
        linux-kernel <linux-kernel@...r.kernel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Ben Maurer <bmaurer@...com>, Dave Watson <davejwatson@...com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Paul <paulmck@...ux.vnet.ibm.com>, Paul Turner <pjt@...gle.com>,
        Joseph Myers <joseph@...esourcery.com>
Subject: Re: [PATCH glibc 1/3] glibc: Perform rseq registration at C startup and thread creation (v19)

* Mathieu Desnoyers:

> The larger question here is: considering that we re-implement the entire
> uapi header within glibc (which includes the uptr addition), do we still
> care about using the header provided by the Linux kernel ?

We don't care, but our users do.  Eventually, they want to include
<sys/rseq.h> and <linux/rseq.h> to get new constants that are not yet
known to glibc.

> Having different definitions depending on whether a kernel header is
> installed or not when including a glibc header seems rather unexpected.

Indeed.

> *If* we want to use the uapi header, I think something is semantically
> missing. Here is the scheme I envision. We could rely on the kernel header
> version.h to figure out which of glibc or kernel uapi header is more
> recent. Any new concept we try to integrate into glibc (e.g. uptr)
> should go into the upstream Linux uapi header first.

I think we should always prefer the uapi header.  The Linux version
check does not tell you anything about backports.

> For the coming glibc e.g. 2.32, we use the kernel uapi header if
> kernel version is >= 4.18.0. Within glibc, the fallback implements
> exactly the API exposed by the kernel rseq.h header.

Agreed.

> As we eventually introduce the uptr change into the Linux kernel, and
> say it gets merged for Linux 5.9.0, we mirror this change into glibc
> (e.g. release 2.33), and bump the Linux kernel version cutoff to 5.9.0.
> So starting from that version, we use the Linux kernel header only if
> version >= 5.9.0, else we fallback on glibc's own implementation.

Fortunately, we don't need to settle this today. 8-)

Let's stick to the 4.18 definitions for the fallback for now, and
discuss the incorporation of future changes later.

>>> +/* Ensure the compiler supports __attribute__ ((aligned)).  */
>>> +_Static_assert (__alignof__ (struct rseq_cs) >= 32, "alignment");
>>> +_Static_assert (__alignof__ (struct rseq) >= 32, "alignment");
>> 
>> This needs #ifndef __cplusplus or something like that.  I'm surprised
>> that this passes the installed header tests.
>
> Would the following be ok ?
>
> #ifdef __cplusplus
> #define rseq_static_assert      static_assert
> #else
> #define rseq_static_assert      _Static_assert
> #endif
>
> /* Ensure the compiler supports __attribute__ ((aligned)).  */
> rseq_static_assert (__alignof__ (struct rseq_cs) >= 32, "alignment");
> rseq_static_assert (__alignof__ (struct rseq) >= 32, "alignment");

Seems reasonable, yes.  __alignof__ is still a GCC extension.  C++11 has
alignof, C11 has _Alignof.  So you could use something like this
(perhaps without indentation for the kernel header version):

#ifdef __cplusplus
# if  __cplusplus >= 201103L
#  define rseq_static_assert(x)      static_assert x;
#  define rseq_alignof alignof
# endif
#elif __STDC_VERSION__ >= 201112L
# define rseq_static_assert(x)      _Static_assert x;
# define rseq_alignof _Alignof
#endif
#ifndef rseq_static_assert
# define rseq_static_assert /* nothing */
#endif
rseq_static_assert ((rseq_alignof__ (struct rseq_cs) >= 32, "alignment"))
rseq_static_assert ((rseq_alignof (struct rseq) >= 32, "alignment"))

And something similar for _Alignas/attribute aligned, with an error for
older standards and !__GNUC__ compilers (because neither the type nor
__thread can be represented there).

Thanks,
Florian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ