| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3dc10d89-6c0c-4654-95ed-dd6f19efbad4@gmail.com>
Date: Sun, 27 Oct 2024 23:29:24 +0800
From: Celeste Liu <coelacanthushex@...il.com>
To: Thomas Gleixner <tglx@...utronix.de>, Björn Töpel
<bjorn@...nel.org>,
Celeste Liu via B4 Relay <devnull+CoelacanthusHex.gmail.com@...nel.org>,
Paul Walmsley <paul.walmsley@...ive.com>, Palmer Dabbelt
<palmer@...belt.com>, Albert Ou <aou@...s.berkeley.edu>,
Björn Töpel <bjorn@...osinc.com>
Cc: Palmer Dabbelt <palmer@...osinc.com>, Alexandre Ghiti <alex@...ti.fr>,
"Dmitry V. Levin" <ldv@...ace.io>, Andrea Bolognani <abologna@...hat.com>,
Felix Yan <felixonmars@...hlinux.org>, Ruizhe Pan <c141028@...il.com>,
Shiqi Zhang <shiqi@...c.iscas.ac.cn>, Guo Ren <guoren@...nel.org>,
Yao Zi <ziyao@...root.org>, Han Gao <gaohan@...as.ac.cn>,
linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH] riscv/entry: get correct syscall number from
syscall_get_nr()
On 2024-10-27 04:21, Thomas Gleixner wrote:
> On Fri, Oct 25 2024 at 07:30, Björn Töpel wrote:
>> Thomas Gleixner <tglx@...utronix.de> writes:
>>> It's completely unclear to me what the actual problem is. The flow how
>>> this works on all architectures is:
>>>
>>> regs->orig_a0 = regs->a0
>>> regs->a0 = -ENOSYS;
>>>
>>> nr = syscall_enter_from_user_mode(....);
>>>
>>> if (nr >= 0)
>>> regs->a0 = nr < MAX_SYSCALL ? syscall(nr) : -ENOSYS;
>>>
>>> If syscall_trace_enter() returns -1 to skip the syscall, then regs->a0
>>> is unmodified, unless one of the magic operations modified it.
>>>
>>> If syscall_trace_enter() was not active (no tracer, no seccomp ...) then
>>> regs->a0 already contains -ENOSYS.
>>>
>>> So what's the exact problem?
>>
>> It's a mix of calling convention, and UAPI:
>> * RISC-V uses a0 for arg0 *and* return value (like arm64).
>> * RISC-V does not expose orig_a0 to userland, and cannot easily start
>> doing that w/o breaking UAPI.
>>
>> Now, when setting a0 to -ENOSYS, it's clobbering arg0, and the ptracer
>> will have an incorrect arg0 (-ENOSYS).
>
> Oh I see. I was looking at it from the x86 POV...
>
> Looking deeper into this, this is all completely inconsistent across
> architectures. All of them copied either from x86 or from some other
> close enough existing copy and changed stuff on top.
>
> So we have two different scenarios AFAICT (I did not look really
> deeply):
>
> 1) The register which holds the syscall number is used for the
> return value
>
> 2) An argument register is used for the return value
>
> #1 is the easy case and just "works"
>
> because orig_$REG holds the original syscall number and everything
> falls into place.
>
> #2 needs some thought, but we are not going to add this:
>
>> if (work & SYSCALL_WORK_ENTER)
>> syscall = syscall_trace_enter(regs, syscall, work);
>> + else if (syscall == -1L)
>> + syscall_set_return_value(current, regs, -ENOSYS, 0);
>>
>
> into the syscall path just to make #2 work. That's hotpath and affects
> all other architectures too.
>
> So the problem for the #2 case is that there is no distinction between a
> user space issued syscall(@nr = -1) and the return value of (-1) of
> various functions involved in the syscall 'tracer' processing.
>
> So what the issue with Celeste's change is:
>
> res = syscall_enter_from_user_mode(regs, syscall);
> syscall = syscall_get_nr(current, regs);
>
> add_random_kstack_offset();
>
> if (syscall < 0 || syscall >= NR_syscalls)
> regs->a0 = -ENOSYS;
>
> As the tracer can invalidate the syscall number along with regs->a0,
> this overwrites the error code set by the tracer. Your solution has a
> similar problem.
Oh. It's a real issue.
>
> There is another issue vs. regs->a0. Assume a ptracer modified regs->a0
> (arg0) and lets the task continue (no fatal signal pending).
>
> Then the following seccomp() invocation will get regs->orig_a0 from
> syscall_get_arguments(), which is not what the ptracer set, right?
>
> Let me look at your failure analysis from your first reply:
>
>> 1. strace "tracing": Requires that regs->a0 is not tampered with prior
>> ptrace notification
>>
>> E.g.:
>> | # ./strace /
>> | execve("/", ["/"], 0x7ffffaac3890 /* 21 vars */) = -1 EACCES (Permission denied)
>> | ./strace: exec: Permission denied
>> | +++ exited with 1 +++
>> | # ./disable_ptrace_get_syscall_info ./strace /
>> | execve(0xffffffffffffffda, ["/"], 0x7fffd893ce10 /* 21 vars */) = -1 EACCES (Permission denied)
>> | ./strace: exec: Permission denied
>> | +++ exited with 1 +++
>>
>> In the second case, arg0 is prematurely set to -ENOSYS
>> (0xffffffffffffffda).
>
> That's expected if ptrace_get_syscall_info() is not used. Plain dumping
> registers will give you the current value on all architectures.
> ptrace_get_syscall_info() exist exactly for that reason.
>
>> 2. strace "syscall tampering": Requires that ENOSYS is returned for
>> syscall(-1), and not skipped w/o a proper return value.
>>
>> E.g.:
>> | ./strace -a0 -ewrite -einject=write:error=enospc echo helloject=write:error=enospc echo hello
>>
>> Here, strace expects that injecting -1, would result in a ENOSYS.
>
> No. It expects ENOSPC with the above command line. man strace:
>
> If :error=errno option is specified, a fault is injected into a
> syscall invocation: the syscall number is replaced by -1 which
> corresponds to an invalid syscall (unless a syscall is specified
> with :syscall= option), and the error code is specified using a
> symbolic errno value like ENOSYS or a numeric value within
> 1..4095 range.
>
> Similar for -einject:retval=$N
>
> So you cannot overwrite a0 with ENOSYS if the syscall needs to be
> skipped.
>
>> 3. seccomp filtering: Requires that the a0 is not tampered to
>
> No. seccomp uses syscall_get_arguments() which sets a0 to orig_a0 for
> inspection. As I said before that fails when the ptracer changed
> argument 0 before the seccomp invocation. seccomp will see the original
> argument and waves it through.
>
> Looking at Celeste's analysis again:
>
>> We can't know whether syscall_nr is -1 when we get -1
>> from syscall_enter_from_user_mode(). And the old syscall variable is
>> unusable because syscall_enter_from_user_mode() may change a7 register.
>
> You obviously can save the user space supplied value away
> in do_trap_ecall_u() by simply doing
>
> long orig_nr = regs->a7;
>
> No? But I'm not sure that it solves all problems. It cannot solve the
> ptrace/seccomp interaction.
>
> The rest of the changelog is simply bogus. Just because riscv made a
> mistake with the UABI design does not mean that it's useless for
> everyone else.
>
> And no, I'm not going to change x86 for that just to have a pointless
> load in the syscall hotpath, when the normal operation just keeps the
> syscall number in the same register.
>
> The real problem is that orig_a0 is not exposed in the user view of the
> registers. Changing that struct breaks the existing applications
> obviously.
>
> But you can expose it without changing the struct by exposing a regset
> for orig_a0 which allows you to read and write it similar to what ARM64
> does for the syscall number.
If we add something like NT_SYSCALL_NR to UAPI, it cannot solve anything: We
already have PTRACE_GET_SYSCALL_INFO to get syscall number, which was introduced
in 5.3 kernel. The problem is only in the kernel before 5.3. So we can't fix
this issue unless we also backport NT_SYSCALL_NR to 4.19 LTS. But if we can
backport it, we can backport PTRACE_GET_SYSCALL_INFO directly instead.
That's why I try to limit changes in "internal handle logic" in all 3 tries
before.
>
> That of course requires updated user space, but existing user space will
> continue to work with the current limitations.
>
> Thanks,
>
> tglx
Powered by blists - more mailing lists