lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 24 Oct 2020 12:29:03 -0500 From: Segher Boessenkool <segher@...nel.crashing.org> To: David Laight <David.Laight@...lab.com> Cc: Al Viro <viro@...iv.linux.org.uk>, David Hildenbrand <david@...hat.com>, "linux-aio@...ck.org" <linux-aio@...ck.org>, "linux-mips@...r.kernel.org" <linux-mips@...r.kernel.org>, David Howells <dhowells@...hat.com>, "linux-mm@...ck.org" <linux-mm@...ck.org>, "keyrings@...r.kernel.org" <keyrings@...r.kernel.org>, "sparclinux@...r.kernel.org" <sparclinux@...r.kernel.org>, Christoph Hellwig <hch@....de>, "linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>, "linux-s390@...r.kernel.org" <linux-s390@...r.kernel.org>, "linux-scsi@...r.kernel.org" <linux-scsi@...r.kernel.org>, "kernel-team@...roid.com" <kernel-team@...roid.com>, Arnd Bergmann <arnd@...db.de>, "linux-block@...r.kernel.org" <linux-block@...r.kernel.org>, "io-uring@...r.kernel.org" <io-uring@...r.kernel.org>, "linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, Jens Axboe <axboe@...nel.dk>, "linux-parisc@...r.kernel.org" <linux-parisc@...r.kernel.org>, "'Greg KH'" <gregkh@...uxfoundation.org>, Nick Desaulniers <ndesaulniers@...gle.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "linux-security-module@...r.kernel.org" <linux-security-module@...r.kernel.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>, Andrew Morton <akpm@...ux-foundation.org>, "linuxppc-dev@...ts.ozlabs.org" <linuxppc-dev@...ts.ozlabs.org> Subject: Re: Buggy commit tracked to: "Re: [PATCH 2/9] iov_iter: move rw_copy_check_uvector() into lib/iov_iter.c" On Fri, Oct 23, 2020 at 09:28:59PM +0000, David Laight wrote: > From: Segher Boessenkool > > Sent: 23 October 2020 19:27 > > On Fri, Oct 23, 2020 at 06:58:57PM +0100, Al Viro wrote: > > > On Fri, Oct 23, 2020 at 03:09:30PM +0200, David Hildenbrand wrote: > > > On arm64 when callee expects a 32bit argument, the caller is *not* responsible > > > for clearing the upper half of 64bit register used to pass the value - it only > > > needs to store the actual value into the lower half. The callee must consider > > > the contents of the upper half of that register as undefined. See AAPCS64 (e.g. > > > https://github.com/ARM-software/abi-aa/blob/master/aapcs64/aapcs64.rst#parameter-passing-rules > > > ); AFAICS, the relevant bit is > > > "Unlike in the 32-bit AAPCS, named integral values must be narrowed by > > > the callee rather than the caller." > > > > Or the formal rule: > > > > C.9 If the argument is an Integral or Pointer Type, the size of the > > argument is less than or equal to 8 bytes and the NGRN is less > > than 8, the argument is copied to the least significant bits in > > x[NGRN]. The NGRN is incremented by one. The argument has now > > been allocated. > > So, in essence, if the value is in a 64bit register the calling > code is independent of the actual type of the formal parameter. > Clearly a value might need explicit widening. No, this says that if you pass a 32-bit integer in a 64-bit register, then the top 32 bits of that register hold an undefined value. > I've found a copy of the 64 bit arm instruction set. > Unfortunately it is alpha sorted and repetitive so shows none > of the symmetry and makes things difficult to find. All of this is ABI, not ISA. Look at the AAPCS64 pointed to above. > But, contrary to what someone suggested most register writes > (eg from arithmetic) seem to zero/extend the high bits. Everything that writes a "w" does, yes. But that has nothing to do with the parameter passing rules, that is ABI. It just means that very often a 32-bit integer will be passed zero-extended in a 64-bit register, but that is just luck (or not, it makes finding bugs harder ;-) ) Segher
Powered by blists - more mailing lists