All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Dmitry V. Levin" <ldv@strace.io>
To: Nathan Chancellor <nathan@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Oleg Nesterov <oleg@redhat.com>,
	Charlie Jenkins <charlie@rivosinc.com>,
	Arnd Bergmann <arnd@arndb.de>,
	strace-devel@lists.strace.io, linux-kernel@vger.kernel.org,
	linux-riscv@lists.infradead.org
Subject: Re: [PATCH v7 2/6] syscall.h: add syscall_set_arguments()
Date: Wed, 9 Apr 2025 09:40:18 +0300	[thread overview]
Message-ID: <20250409064017.GA30836@strace.io> (raw)
In-Reply-To: <20250409003803.GA2876360@ax162>

On Tue, Apr 08, 2025 at 05:38:03PM -0700, Nathan Chancellor wrote:
> On Wed, Apr 09, 2025 at 01:36:11AM +0300, Dmitry V. Levin wrote:
> > On Tue, Apr 08, 2025 at 02:31:31PM -0700, Nathan Chancellor wrote:
> > > On Mon, Mar 03, 2025 at 01:20:09PM +0200, Dmitry V. Levin wrote:
> > > > +static inline void syscall_set_arguments(struct task_struct *task,
> > > > +					 struct pt_regs *regs,
> > > > +					 const unsigned long *args)
> > > > +{
> > > > +	regs->orig_a0 = args[0];
> > > > +	args++;
> > > > +	memcpy(&regs->a1, args, 5 * sizeof(regs->a1));
> > > > +}
> > > 
> > > This upsets the compiletime fortify checks, as I see a warning after
> > > syscall_set_arguments() starts being used in kernel/ptrace.c later in
> > > the series.
> > > 
> > >   $ make -skj"$(nproc)" ARCH=riscv CROSS_COMPILE=riscv64-linux- allmodconfig kernel/ptrace.o
> > >   In file included from include/linux/string.h:392,
> > >                    from include/linux/bitmap.h:13,
> > >                    from include/linux/cpumask.h:12,
> > >                    from arch/riscv/include/asm/processor.h:55,
> > >                    from include/linux/sched.h:13,
> > >                    from kernel/ptrace.c:13:
> > >   In function 'fortify_memcpy_chk',
> > >       inlined from 'syscall_set_arguments.isra' at arch/riscv/include/asm/syscall.h:82:2:
> > >   include/linux/fortify-string.h:571:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
> > >     571 |                         __write_overflow_field(p_size_field, size);
> > >         |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >   cc1: all warnings being treated as errors
> > 
> > I certainly tested the series on riscv64, but somehow I haven't seen this
> > compiler diagnostics before.
> 
> Maybe CONFIG_FORTIFY_SOURCE was not enabled? This comes from the
> kernel's fortified memcpy checking function, fortify_memcpy_chk(), not
> necessarily the compiler itself.
> 
> > > diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
> > > index a5281cdf2b10..70ec19dc8506 100644
> > > --- a/arch/riscv/include/asm/syscall.h
> > > +++ b/arch/riscv/include/asm/syscall.h
> > > @@ -78,8 +78,11 @@ static inline void syscall_set_arguments(struct task_struct *task,
> > >                                          const unsigned long *args)
> > >  {
> > >         regs->orig_a0 = args[0];
> > > -       args++;
> > > -       memcpy(&regs->a1, args, 5 * sizeof(regs->a1));
> > > +       regs->a1 = args[1];
> > > +       regs->a2 = args[2];
> > > +       regs->a3 = args[3];
> > > +       regs->a4 = args[4];
> > > +       regs->a5 = args[5];
> > >  }
> > 
> > I don't mind eliminating the memcpy() altogether, but
> > I'd like to note that syscall_set_arguments() is an exact mirror
> > of syscall_get_arguments(), so if the intentional overwrite in
> > syscall_set_arguments() is not acceptable, then the intentional
> > overread in syscall_get_arguments() shouldn't be acceptable either.
> 
> Yes, I noticed the symmetry too but I was only looking at it from the
> overwrite perspective, not the overread one. That reminded me to double
> check what fortify_memcpy_chk() actually checks for and I remembered
> that the overread version of this warning is hidden under W=1 (I guess
> because it happens more frequently).
> 
>   $ make -skj"$(nproc)" ARCH=riscv CROSS_COMPILE=riscv64-linux- W=1 allmodconfig kernel/ptrace.o
>   In file included from include/linux/string.h:392,
>                    from include/linux/bitmap.h:13,
>                    from include/linux/cpumask.h:12,
>                    from arch/riscv/include/asm/processor.h:55,
>                    from include/linux/sched.h:13,
>                    from kernel/ptrace.c:13:
>   In function 'fortify_memcpy_chk',
>       inlined from 'syscall_get_arguments.isra' at arch/riscv/include/asm/syscall.h:73:2:
>   include/linux/fortify-string.h:580:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
>     580 |                         __read_overflow2_field(q_size_field, size);
>         |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   cc1: all warnings being treated as errors
> 
> So memcpy() should indeed be eliminated from both, which obviously
> clears up the warnings.
> 
> Cheers,
> Nathan
> 
> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
> index a5281cdf2b10..34313387f977 100644
> --- a/arch/riscv/include/asm/syscall.h
> +++ b/arch/riscv/include/asm/syscall.h
> @@ -69,8 +69,11 @@ static inline void syscall_get_arguments(struct task_struct *task,
>  					 unsigned long *args)
>  {
>  	args[0] = regs->orig_a0;
> -	args++;
> -	memcpy(args, &regs->a1, 5 * sizeof(args[0]));
> +	args[1] = regs->a1;
> +	args[2] = regs->a2;
> +	args[3] = regs->a3;
> +	args[4] = regs->a4;
> +	args[5] = regs->a5;
>  }
>  
>  static inline void syscall_set_arguments(struct task_struct *task,
> @@ -78,8 +81,11 @@ static inline void syscall_set_arguments(struct task_struct *task,
>  					 const unsigned long *args)
>  {
>  	regs->orig_a0 = args[0];
> -	args++;
> -	memcpy(&regs->a1, args, 5 * sizeof(regs->a1));
> +	regs->a1 = args[1];
> +	regs->a2 = args[2];
> +	regs->a3 = args[3];
> +	regs->a4 = args[4];
> +	regs->a5 = args[5];
>  }
>  
>  static inline int syscall_get_arch(struct task_struct *task)

Looks good, thanks.  How do we proceed from this point?


-- 
ldv

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

WARNING: multiple messages have this Message-ID (diff)
From: "Dmitry V. Levin" <ldv@strace.io>
To: Nathan Chancellor <nathan@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Oleg Nesterov <oleg@redhat.com>,
	Charlie Jenkins <charlie@rivosinc.com>,
	Arnd Bergmann <arnd@arndb.de>,
	strace-devel@lists.strace.io, linux-kernel@vger.kernel.org,
	linux-riscv@lists.infradead.org
Subject: Re: [PATCH v7 2/6] syscall.h: add syscall_set_arguments()
Date: Wed, 9 Apr 2025 09:40:18 +0300	[thread overview]
Message-ID: <20250409064017.GA30836@strace.io> (raw)
In-Reply-To: <20250409003803.GA2876360@ax162>

On Tue, Apr 08, 2025 at 05:38:03PM -0700, Nathan Chancellor wrote:
> On Wed, Apr 09, 2025 at 01:36:11AM +0300, Dmitry V. Levin wrote:
> > On Tue, Apr 08, 2025 at 02:31:31PM -0700, Nathan Chancellor wrote:
> > > On Mon, Mar 03, 2025 at 01:20:09PM +0200, Dmitry V. Levin wrote:
> > > > +static inline void syscall_set_arguments(struct task_struct *task,
> > > > +					 struct pt_regs *regs,
> > > > +					 const unsigned long *args)
> > > > +{
> > > > +	regs->orig_a0 = args[0];
> > > > +	args++;
> > > > +	memcpy(&regs->a1, args, 5 * sizeof(regs->a1));
> > > > +}
> > > 
> > > This upsets the compiletime fortify checks, as I see a warning after
> > > syscall_set_arguments() starts being used in kernel/ptrace.c later in
> > > the series.
> > > 
> > >   $ make -skj"$(nproc)" ARCH=riscv CROSS_COMPILE=riscv64-linux- allmodconfig kernel/ptrace.o
> > >   In file included from include/linux/string.h:392,
> > >                    from include/linux/bitmap.h:13,
> > >                    from include/linux/cpumask.h:12,
> > >                    from arch/riscv/include/asm/processor.h:55,
> > >                    from include/linux/sched.h:13,
> > >                    from kernel/ptrace.c:13:
> > >   In function 'fortify_memcpy_chk',
> > >       inlined from 'syscall_set_arguments.isra' at arch/riscv/include/asm/syscall.h:82:2:
> > >   include/linux/fortify-string.h:571:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
> > >     571 |                         __write_overflow_field(p_size_field, size);
> > >         |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >   cc1: all warnings being treated as errors
> > 
> > I certainly tested the series on riscv64, but somehow I haven't seen this
> > compiler diagnostics before.
> 
> Maybe CONFIG_FORTIFY_SOURCE was not enabled? This comes from the
> kernel's fortified memcpy checking function, fortify_memcpy_chk(), not
> necessarily the compiler itself.
> 
> > > diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
> > > index a5281cdf2b10..70ec19dc8506 100644
> > > --- a/arch/riscv/include/asm/syscall.h
> > > +++ b/arch/riscv/include/asm/syscall.h
> > > @@ -78,8 +78,11 @@ static inline void syscall_set_arguments(struct task_struct *task,
> > >                                          const unsigned long *args)
> > >  {
> > >         regs->orig_a0 = args[0];
> > > -       args++;
> > > -       memcpy(&regs->a1, args, 5 * sizeof(regs->a1));
> > > +       regs->a1 = args[1];
> > > +       regs->a2 = args[2];
> > > +       regs->a3 = args[3];
> > > +       regs->a4 = args[4];
> > > +       regs->a5 = args[5];
> > >  }
> > 
> > I don't mind eliminating the memcpy() altogether, but
> > I'd like to note that syscall_set_arguments() is an exact mirror
> > of syscall_get_arguments(), so if the intentional overwrite in
> > syscall_set_arguments() is not acceptable, then the intentional
> > overread in syscall_get_arguments() shouldn't be acceptable either.
> 
> Yes, I noticed the symmetry too but I was only looking at it from the
> overwrite perspective, not the overread one. That reminded me to double
> check what fortify_memcpy_chk() actually checks for and I remembered
> that the overread version of this warning is hidden under W=1 (I guess
> because it happens more frequently).
> 
>   $ make -skj"$(nproc)" ARCH=riscv CROSS_COMPILE=riscv64-linux- W=1 allmodconfig kernel/ptrace.o
>   In file included from include/linux/string.h:392,
>                    from include/linux/bitmap.h:13,
>                    from include/linux/cpumask.h:12,
>                    from arch/riscv/include/asm/processor.h:55,
>                    from include/linux/sched.h:13,
>                    from kernel/ptrace.c:13:
>   In function 'fortify_memcpy_chk',
>       inlined from 'syscall_get_arguments.isra' at arch/riscv/include/asm/syscall.h:73:2:
>   include/linux/fortify-string.h:580:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
>     580 |                         __read_overflow2_field(q_size_field, size);
>         |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   cc1: all warnings being treated as errors
> 
> So memcpy() should indeed be eliminated from both, which obviously
> clears up the warnings.
> 
> Cheers,
> Nathan
> 
> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
> index a5281cdf2b10..34313387f977 100644
> --- a/arch/riscv/include/asm/syscall.h
> +++ b/arch/riscv/include/asm/syscall.h
> @@ -69,8 +69,11 @@ static inline void syscall_get_arguments(struct task_struct *task,
>  					 unsigned long *args)
>  {
>  	args[0] = regs->orig_a0;
> -	args++;
> -	memcpy(args, &regs->a1, 5 * sizeof(args[0]));
> +	args[1] = regs->a1;
> +	args[2] = regs->a2;
> +	args[3] = regs->a3;
> +	args[4] = regs->a4;
> +	args[5] = regs->a5;
>  }
>  
>  static inline void syscall_set_arguments(struct task_struct *task,
> @@ -78,8 +81,11 @@ static inline void syscall_set_arguments(struct task_struct *task,
>  					 const unsigned long *args)
>  {
>  	regs->orig_a0 = args[0];
> -	args++;
> -	memcpy(&regs->a1, args, 5 * sizeof(regs->a1));
> +	regs->a1 = args[1];
> +	regs->a2 = args[2];
> +	regs->a3 = args[3];
> +	regs->a4 = args[4];
> +	regs->a5 = args[5];
>  }
>  
>  static inline int syscall_get_arch(struct task_struct *task)

Looks good, thanks.  How do we proceed from this point?


-- 
ldv

  reply	other threads:[~2025-04-09  6:48 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-03-03 11:19 [PATCH v7 0/6] ptrace: introduce PTRACE_SET_SYSCALL_INFO API Dmitry V. Levin
2025-03-03 11:19 ` Dmitry V. Levin
2025-03-03 11:19 ` Dmitry V. Levin
2025-03-03 11:19 ` [PATCH v7 1/6] hexagon: add syscall_set_return_value() Dmitry V. Levin
2025-03-03 11:20 ` [PATCH v7 2/6] syscall.h: add syscall_set_arguments() Dmitry V. Levin
2025-03-03 11:20   ` Dmitry V. Levin
2025-03-03 11:20   ` Dmitry V. Levin
2025-04-08 21:31   ` Nathan Chancellor
2025-04-08 21:31     ` Nathan Chancellor
2025-04-08 22:36     ` Dmitry V. Levin
2025-04-08 22:36       ` Dmitry V. Levin
2025-04-09  0:38       ` Nathan Chancellor
2025-04-09  0:38         ` Nathan Chancellor
2025-04-09  6:40         ` Dmitry V. Levin [this message]
2025-04-09  6:40           ` Dmitry V. Levin
2025-04-09 15:52           ` Nathan Chancellor
2025-04-09 15:52             ` Nathan Chancellor
2025-04-09 23:18             ` Dmitry V. Levin
2025-04-09 23:18               ` Dmitry V. Levin
2025-04-10 18:14     ` Nathan Chancellor
2025-04-10 18:14       ` Nathan Chancellor
2025-03-03 11:20 ` [PATCH v7 3/6] syscall.h: introduce syscall_set_nr() Dmitry V. Levin
2025-03-03 11:20   ` Dmitry V. Levin
2025-03-03 11:20   ` Dmitry V. Levin
2025-03-03 11:20 ` [PATCH v7 4/6] ptrace_get_syscall_info: factor out ptrace_get_syscall_info_op Dmitry V. Levin
2025-03-03 11:20 ` [PATCH v7 5/6] ptrace: introduce PTRACE_SET_SYSCALL_INFO request Dmitry V. Levin
2025-03-03 11:20 ` [PATCH v7 6/6] selftests/ptrace: add a test case for PTRACE_SET_SYSCALL_INFO Dmitry V. Levin
2025-03-06  2:02 ` [PATCH v7 0/6] ptrace: introduce PTRACE_SET_SYSCALL_INFO API Dmitry V. Levin
2025-03-25 10:41   ` Dmitry V. Levin
2025-03-25 17:57     ` Andrew Morton

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250409064017.GA30836@strace.io \
    --to=ldv@strace.io \
    --cc=akpm@linux-foundation.org \
    --cc=arnd@arndb.de \
    --cc=charlie@rivosinc.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-riscv@lists.infradead.org \
    --cc=nathan@kernel.org \
    --cc=oleg@redhat.com \
    --cc=strace-devel@lists.strace.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.