lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <78327AF2-575F-415E-98D4-6ECDFE311D0F@amacapital.net>
Date:   Tue, 27 Apr 2021 16:51:06 -0700
From:   Andy Lutomirski <luto@...capital.net>
To:     Kees Cook <keescook@...omium.org>
Cc:     "H. Peter Anvin" <hpa@...or.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Ingo Molnar <mingo@...nel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Andrew Lutomirski <luto@...nel.org>,
        Borislav Petkov <bp@...en8.de>, linux-kernel@...r.kernel.org,
        oleg@...hat.com, Will Drewry <wad@...omium.org>
Subject: Re: pt_regs->ax == -ENOSYS



> On Apr 27, 2021, at 4:29 PM, Kees Cook <keescook@...omium.org> wrote:
> 
> On Tue, Apr 27, 2021 at 03:58:03PM -0700, H. Peter Anvin wrote:
>>> On 4/27/21 2:28 PM, Andy Lutomirski wrote:
>>> 
>>>> On Apr 27, 2021, at 2:15 PM, H. Peter Anvin <hpa@...or.com> wrote:
>>>> 
>>>> Trying to stomp out some possible cargo cult programming?
>>>> 
>>>> In the process of going through the various entry code paths, I have to admit to being a bit confused why pt_regs->ax is set to -ENOSYS very early in the system call path.
>>>> 
>>> 
>>> It has to get set to _something_, and copying orig_ax seems perhaps silly.  There could also be code that relies on ptrace poking -1 into the nr resulting in -ENOSYS.
>>> 
>> 
>> Yeah. I obviously ran into this working on the common entry-exit code for
>> FRED; the frame has annoyingly different formats because of this, and I
>> wanted to avoid slowing down the system call path.
>> 
>>>> What is perhaps even more confusing is:
>>>> 
>>>> __visible noinstr void do_syscall_64(struct pt_regs *regs, unsigned long nr)
>>>> {
>>>>        nr = syscall_enter_from_user_mode(regs, nr);
>>>> 
>>>>        instrumentation_begin();
>>>>        if (likely(nr < NR_syscalls)) {
>>>>                nr = array_index_nospec(nr, NR_syscalls);
>>>>                regs->ax = sys_call_table[nr](regs);
>>>> #ifdef CONFIG_X86_X32_ABI
>>>>        } else if (likely((nr & __X32_SYSCALL_BIT) &&
>>>>                          (nr & ~__X32_SYSCALL_BIT) < X32_NR_syscalls)) {
>>>>                nr = array_index_nospec(nr & ~__X32_SYSCALL_BIT,
>>>>                                        X32_NR_syscalls);
>>>>                regs->ax = x32_sys_call_table[nr](regs);
>>>> #endif
>>>>        }
>>>>        instrumentation_end();
>>>>        syscall_exit_to_user_mode(regs);
>>>> }
>>>> #endif
>>>> 
>>>> Now, unless I'm completely out to sea, it seems to me that if syscall_enter_from_user_mode() changes the system call number to an invalid number and pt_regs->ax to !-ENOSYS then the system call will return a different value(!) depending on if it is out of range for the table (whatever was poked into pt_regs->ax) or if it corresponds to a hole in the table. This seems to me at least to be The Wrong Thing.
>>> 
>>> I think you’re right.
>>> 
>>>> 
>>>> Calling regs->ax = sys_ni_syscall() in an else clause would arguably be the right thing here, except possibly in the case where nr (or (int)nr, see below) == -1 or < 0.
>>> 
>>> I think the check should be -1 for 64 bit but (u32)nr == (u32)-1 for the 32-bit path. Does that seem reasonable?
> 
> FWIW, there is some confusion with how syscall_trac_enter() signals the
> "skip syscall" condition (-1L), vs actually calling "syscall -1".

Fortunately there is not, and never will be, a syscall -1.  But I agree that calling max syscall + 1 should behave identically to calling a nonexistent syscall in the middle of the table.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ