| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 31 Mar 2023 19:08:19 +0100
From: Dmitry Safonov <0x7f454c46@...il.com>
To: Axel Rasmussen <axelrasmussen@...gle.com>
Cc: Peter Xu <peterx@...hat.com>, linux-mm@...ck.org,
linux-kernel@...r.kernel.org,
Mike Kravetz <mike.kravetz@...cle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Andrea Arcangeli <aarcange@...hat.com>,
Mike Rapoport <rppt@...ux.vnet.ibm.com>,
Nadav Amit <nadav.amit@...il.com>,
Leonardo Bras Soares Passos <lsoaresp@...hat.com>,
David Hildenbrand <david@...hat.com>,
linux-stable <stable@...r.kernel.org>
Subject: Re: [PATCH 01/29] Revert "userfaultfd: don't fail on unrecognized features"
On Fri, 31 Mar 2023 at 17:52, Axel Rasmussen <axelrasmussen@...gle.com> wrote:
>
> On Thu, Mar 30, 2023 at 3:27 PM Peter Xu <peterx@...hat.com> wrote:
> >
> > On Thu, Mar 30, 2023 at 12:04:09PM -0700, Axel Rasmussen wrote:
> > > On Thu, Mar 30, 2023 at 8:57 AM Peter Xu <peterx@...hat.com> wrote:
> > > >
> > > > This is a proposal to revert commit 914eedcb9ba0ff53c33808.
> > > >
> > > > I found this when writting a simple UFFDIO_API test to be the first unit
> > > > test in this set. Two things breaks with the commit:
> > > >
> > > > - UFFDIO_API check was lost and missing. According to man page, the
> > > > kernel should reject ioctl(UFFDIO_API) if uffdio_api.api != 0xaa. This
> > > > check is needed if the api version will be extended in the future, or
> > > > user app won't be able to identify which is a new kernel.
> > > >
> > > > - Feature flags checks were removed, which means UFFDIO_API with a
> > > > feature that does not exist will also succeed. According to the man
> > > > page, we should (and it makes sense) to reject ioctl(UFFDIO_API) if
> > > > unknown features passed in.
If features/flags are not checked in kernel, and the kernel doesn't
return an error on
an unknown flag/error, that makes the syscall non-extendable, meaning
that adding
any new feature may break existing software, which doesn't sanitize
them properly.
https://lwn.net/Articles/588444/
See a bunch of painful exercises from syscalls with numbers in the end:
https://lwn.net/Articles/792628/
To adding an additional setsockopt() because an old one didn't have
sanity checks for flags:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8917a777be3b
(not the best example, as the new setsockopt() didn't check flags for
sanity as well (sic!),
but that's near the code I work on now)
This is even documented nowadays:
https://www.kernel.org/doc/html/latest/process/adding-syscalls.html#designing-the-api-planning-for-extension
...and everyone knows what happens when you blame userspace for breaking by
not doing what you would have expected it to do:
https://lkml.org/lkml/2012/12/23/75
[..]
> > There's one reason that we may consider keeping the behavior. IMHO it is
> > when there're major softwares that uses the "wrong" ABI (let's say so;
> > because it's not following the man pages). If you're aware any such major
> > softwares (especially open sourced) will break due to this revert patch,
> > please shoot.
>
> Well, I did find one example, criu:
> https://github.com/checkpoint-restore/criu/blob/criu-dev/criu/uffd.c#L266
Mike can speak better than me about uffd, but AFAICS, CRIU correctly detects
features with kerneldat/kdat:
https://github.com/checkpoint-restore/criu/blob/criu-dev/criu/kerndat.c#L1235
So, doing a sane thing in kernel shouldn't break CRIU (at least here).
Thanks,
Dmitry
Powered by blists - more mailing lists