| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Apr 2021 16:51:06 -0700
From: Andy Lutomirski <luto@...capital.net>
To: Kees Cook <keescook@...omium.org>
Cc: "H. Peter Anvin" <hpa@...or.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Ingo Molnar <mingo@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Andrew Lutomirski <luto@...nel.org>,
Borislav Petkov <bp@...en8.de>, linux-kernel@...r.kernel.org,
oleg@...hat.com, Will Drewry <wad@...omium.org>
Subject: Re: pt_regs->ax == -ENOSYS
> On Apr 27, 2021, at 4:29 PM, Kees Cook <keescook@...omium.org> wrote:
>
> On Tue, Apr 27, 2021 at 03:58:03PM -0700, H. Peter Anvin wrote:
>>> On 4/27/21 2:28 PM, Andy Lutomirski wrote:
>>>
>>>> On Apr 27, 2021, at 2:15 PM, H. Peter Anvin <hpa@...or.com> wrote:
>>>>
>>>> Trying to stomp out some possible cargo cult programming?
>>>>
>>>> In the process of going through the various entry code paths, I have to admit to being a bit confused why pt_regs->ax is set to -ENOSYS very early in the system call path.
>>>>
>>>
>>> It has to get set to _something_, and copying orig_ax seems perhaps silly. There could also be code that relies on ptrace poking -1 into the nr resulting in -ENOSYS.
>>>
>>
>> Yeah. I obviously ran into this working on the common entry-exit code for
>> FRED; the frame has annoyingly different formats because of this, and I
>> wanted to avoid slowing down the system call path.
>>
>>>> What is perhaps even more confusing is:
>>>>
>>>> __visible noinstr void do_syscall_64(struct pt_regs *regs, unsigned long nr)
>>>> {
>>>> nr = syscall_enter_from_user_mode(regs, nr);
>>>>
>>>> instrumentation_begin();
>>>> if (likely(nr < NR_syscalls)) {
>>>> nr = array_index_nospec(nr, NR_syscalls);
>>>> regs->ax = sys_call_table[nr](regs);
>>>> #ifdef CONFIG_X86_X32_ABI
>>>> } else if (likely((nr & __X32_SYSCALL_BIT) &&
>>>> (nr & ~__X32_SYSCALL_BIT) < X32_NR_syscalls)) {
>>>> nr = array_index_nospec(nr & ~__X32_SYSCALL_BIT,
>>>> X32_NR_syscalls);
>>>> regs->ax = x32_sys_call_table[nr](regs);
>>>> #endif
>>>> }
>>>> instrumentation_end();
>>>> syscall_exit_to_user_mode(regs);
>>>> }
>>>> #endif
>>>>
>>>> Now, unless I'm completely out to sea, it seems to me that if syscall_enter_from_user_mode() changes the system call number to an invalid number and pt_regs->ax to !-ENOSYS then the system call will return a different value(!) depending on if it is out of range for the table (whatever was poked into pt_regs->ax) or if it corresponds to a hole in the table. This seems to me at least to be The Wrong Thing.
>>>
>>> I think you’re right.
>>>
>>>>
>>>> Calling regs->ax = sys_ni_syscall() in an else clause would arguably be the right thing here, except possibly in the case where nr (or (int)nr, see below) == -1 or < 0.
>>>
>>> I think the check should be -1 for 64 bit but (u32)nr == (u32)-1 for the 32-bit path. Does that seem reasonable?
>
> FWIW, there is some confusion with how syscall_trac_enter() signals the
> "skip syscall" condition (-1L), vs actually calling "syscall -1".
Fortunately there is not, and never will be, a syscall -1. But I agree that calling max syscall + 1 should behave identically to calling a nonexistent syscall in the middle of the table.
Powered by blists - more mailing lists