lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87ldya4nv0.ffs@tglx>
Date: Sat, 26 Oct 2024 22:21:07 +0200
From: Thomas Gleixner <tglx@...utronix.de>
To: Björn Töpel <bjorn@...nel.org>, Celeste Liu
 <coelacanthushex@...il.com>, Celeste Liu via B4 Relay
 <devnull+CoelacanthusHex.gmail.com@...nel.org>, Paul Walmsley
 <paul.walmsley@...ive.com>, Palmer Dabbelt <palmer@...belt.com>, Albert Ou
 <aou@...s.berkeley.edu>, Björn Töpel
 <bjorn@...osinc.com>
Cc: Palmer Dabbelt <palmer@...osinc.com>, Alexandre Ghiti <alex@...ti.fr>,
 "Dmitry V. Levin" <ldv@...ace.io>, Andrea Bolognani <abologna@...hat.com>,
 Felix Yan <felixonmars@...hlinux.org>, Ruizhe Pan <c141028@...il.com>,
 Shiqi Zhang <shiqi@...c.iscas.ac.cn>, Guo Ren <guoren@...nel.org>, Yao Zi
 <ziyao@...root.org>, Han Gao <gaohan@...as.ac.cn>,
 linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org,
 stable@...r.kernel.org
Subject: Re: [PATCH] riscv/entry: get correct syscall number from
 syscall_get_nr()

On Fri, Oct 25 2024 at 07:30, Björn Töpel wrote:
> Thomas Gleixner <tglx@...utronix.de> writes:
>> It's completely unclear to me what the actual problem is. The flow how
>> this works on all architectures is:
>>
>>        regs->orig_a0  = regs->a0
>>        regs->a0 = -ENOSYS;
>>
>>        nr = syscall_enter_from_user_mode(....);
>>
>>        if (nr >= 0)
>>           regs->a0 = nr < MAX_SYSCALL ? syscall(nr) : -ENOSYS;
>>                      
>> If syscall_trace_enter() returns -1 to skip the syscall, then regs->a0
>> is unmodified, unless one of the magic operations modified it.
>>
>> If syscall_trace_enter() was not active (no tracer, no seccomp ...) then
>> regs->a0 already contains -ENOSYS.
>>
>> So what's the exact problem?
>
> It's a mix of calling convention, and UAPI:
>   * RISC-V uses a0 for arg0 *and* return value (like arm64).
>   * RISC-V does not expose orig_a0 to userland, and cannot easily start
>     doing that w/o breaking UAPI.
>
> Now, when setting a0 to -ENOSYS, it's clobbering arg0, and the ptracer
> will have an incorrect arg0 (-ENOSYS).

Oh I see. I was looking at it from the x86 POV... 

Looking deeper into this, this is all completely inconsistent across
architectures. All of them copied either from x86 or from some other
close enough existing copy and changed stuff on top.

So we have two different scenarios AFAICT (I did not look really
deeply):

   1) The register which holds the syscall number is used for the
      return value

   2) An argument register is used for the return value

#1 is the easy case and just "works"

   because orig_$REG holds the original syscall number and everything
   falls into place.

#2 needs some thought, but we are not going to add this:

>	 if (work & SYSCALL_WORK_ENTER)
>		 syscall = syscall_trace_enter(regs, syscall, work);
> +	else if (syscall == -1L)
> +		syscall_set_return_value(current, regs, -ENOSYS, 0);
>

into the syscall path just to make #2 work. That's hotpath and affects
all other architectures too.

So the problem for the #2 case is that there is no distinction between a
user space issued syscall(@nr = -1) and the return value of (-1) of
various functions involved in the syscall 'tracer' processing.

So what the issue with Celeste's change is:

	res = syscall_enter_from_user_mode(regs, syscall);
	syscall = syscall_get_nr(current, regs);

	add_random_kstack_offset();

	if (syscall < 0 || syscall >= NR_syscalls)
        	regs->a0 = -ENOSYS;

As the tracer can invalidate the syscall number along with regs->a0,
this overwrites the error code set by the tracer. Your solution has a
similar problem.

There is another issue vs. regs->a0. Assume a ptracer modified regs->a0
(arg0) and lets the task continue (no fatal signal pending).

Then the following seccomp() invocation will get regs->orig_a0 from
syscall_get_arguments(), which is not what the ptracer set, right?

Let me look at your failure analysis from your first reply:

>  1. strace "tracing": Requires that regs->a0 is not tampered with prior
>     ptrace notification
> 
>     E.g.:
>     | # ./strace /
>     | execve("/", ["/"], 0x7ffffaac3890 /* 21 vars */) = -1 EACCES (Permission denied)
>     | ./strace: exec: Permission denied
>     | +++ exited with 1 +++
>     | # ./disable_ptrace_get_syscall_info ./strace /
>     | execve(0xffffffffffffffda, ["/"], 0x7fffd893ce10 /* 21 vars */) = -1 EACCES (Permission denied)
>     | ./strace: exec: Permission denied
>     | +++ exited with 1 +++
> 
>     In the second case, arg0 is prematurely set to -ENOSYS
>     (0xffffffffffffffda).

That's expected if ptrace_get_syscall_info() is not used. Plain dumping
registers will give you the current value on all architectures.
ptrace_get_syscall_info() exist exactly for that reason.

>  2. strace "syscall tampering": Requires that ENOSYS is returned for
>     syscall(-1), and not skipped w/o a proper return value.
> 
>     E.g.:
>     | ./strace -a0 -ewrite -einject=write:error=enospc echo helloject=write:error=enospc echo hello   
> 
>     Here, strace expects that injecting -1, would result in a ENOSYS.

No. It expects ENOSPC with the above command line. man strace:

       If :error=errno option is specified, a fault is injected into a
       syscall invocation: the syscall number is replaced by -1 which
       corresponds to an invalid syscall (unless a syscall is specified
       with :syscall= option), and the error code is specified using a
       symbolic errno value like ENOSYS or a numeric value within
       1..4095 range.

Similar for -einject:retval=$N

So you cannot overwrite a0 with ENOSYS if the syscall needs to be
skipped.

>  3. seccomp filtering: Requires that the a0 is not tampered to

No. seccomp uses syscall_get_arguments() which sets a0 to orig_a0 for
inspection. As I said before that fails when the ptracer changed
argument 0 before the seccomp invocation. seccomp will see the original
argument and waves it through.

Looking at Celeste's analysis again:

> We can't know whether syscall_nr is -1 when we get -1
> from syscall_enter_from_user_mode(). And the old syscall variable is
> unusable because syscall_enter_from_user_mode() may change a7 register.

You obviously can save the user space supplied value away
in do_trap_ecall_u() by simply doing

       long orig_nr = regs->a7;

No? But I'm not sure that it solves all problems. It cannot solve the
ptrace/seccomp interaction.

The rest of the changelog is simply bogus. Just because riscv made a
mistake with the UABI design does not mean that it's useless for
everyone else.

And no, I'm not going to change x86 for that just to have a pointless
load in the syscall hotpath, when the normal operation just keeps the
syscall number in the same register.

The real problem is that orig_a0 is not exposed in the user view of the
registers. Changing that struct breaks the existing applications
obviously.

But you can expose it without changing the struct by exposing a regset
for orig_a0 which allows you to read and write it similar to what ARM64
does for the syscall number.

That of course requires updated user space, but existing user space will
continue to work with the current limitations.

Thanks,

        tglx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ