Re: [PATCH] signal/usb: Replace kill_pid_info_as_cred with kill_pid_usb_asyncio

[ebiederm@xmission.com (Eric W. Biederman)]

Alan Stern <stern@rowland.harvard.edu> writes:

> On Tue, 21 May 2019, Eric W. Biederman wrote:
>
>> The usb support for asyncio encoded one of it's values in the wrong
>> field.  It should have used si_value but instead used si_addr which is
>> not present in the _rt union member of struct siginfo.
>> 
>> The practical result of this is that on a 64bit big endian kernel
>> when delivering a signal to a 32bit process the si_addr field
>> is set to NULL, instead of the expected pointer value.
>> 
>> This issue can not be fixed in copy_siginfo_to_user32 as the usb
>> usage of the the _sigfault (aka si_addr) member of the siginfo
>> union when SI_ASYNCIO is set is incompatible with the POSIX and
>> glibc usage of the _rt member of the siginfo union.
>> 
>> Therefore replace kill_pid_info_as_cred with kill_pid_usb_asyncio a
>> dedicated function for this one specific case.  There are no other
>> users of kill_pid_info_as_cred so this specialization should have no
>> impact on the amount of code in the kernel.  Have kill_pid_usb_asyncio
>> take instead of a siginfo_t which is difficult and error prone, 3
>> arguments, a signal number, an errno value, and an address enconded as
>> a sigval_t.  The encoding of the address as a sigval_t allows the
>> code that reads the userspace request for a signal to handle this
>> compat issue along with all of the other compat issues.
>> 
>> Add BUILD_BUG_ONs in kernel/signal.c to ensure that we can now place
>> the pointer value at the in si_pid (instead of si_addr).  That is the
>> code now verifies that si_pid and si_addr always occur at the same
>> location.  Further the code veries that for native structures a value
>> placed in si_pid and spilling into si_uid will appear in userspace in
>> si_addr (on a byte by byte copy of siginfo or a field by field copy of
>> siginfo).  The code also verifies that for a 64bit kernel and a 32bit
>> userspace the 32bit pointer will fit in si_pid.
>
> Okay, I have gone through this.  Although I still don't really
> understand the detailed issues concerning the layout of the data fields
> (probably hopeless without seeing a diagram), the USB portions of the
> patch look good and do what the patch description says.
>
> Acked-by: Alan Stern <stern@rowland.harvard.edu>
>
> Alan Stern

Thanks.

Perhaps this will work as a diagram.  I don't know if there is a better
way to say it in my patch description.  In struct siginfo there are 3
fields in fixed positions:

   int si_signo;
   int si_errno;
   int si_code;

After that there is a union.  The si_signo and si_code fields are
examined to see which union member is valid (see siginfo_layout).
In every other case a si_code of SI_ASYNCIO corresponds to
the the _rt union member which has the fields:

   int si_pid;
   int si_uid;
   sigval_t si_sigval;

However when usb started using SI_ASYNCIO the _sigfault union member
that (except for special exceptions) only has the field:

   void __user *si_addr;

Or in short the relevant piece of the union looks like:

         0   1  2   3    4   5   6  7
       +---+---+---+---+---+---+---+---+
       |    si_pid     |   si_uid      |
       +---+---+---+---+---+---+---+---+
       |             si_addr           | (64bit)
       +---+---+---+---+---+---+---+---+
       |     si_addr   | (32bit)
       +---+---+---+---+

Which means if siginfo is copied field by field on 32bit everything
works because si_pid and si_addr are in the same location.

Similarly if siginfo is copied field by field on 64bit everything
works because there is no padding between si_pid and si_uid. So
copying both of those fields results in the entire si_addr being
copied.

It is the compat case that gets tricky.  Half of the bits are
zero.  If those zero bits show up in bytes 4-7 and the data
shows up in bytes 0-3 (aka little endian) everything works.
If those zero bits show in in bytes 0-3 (aka big endian) userspace sees
a NULL pointer instead of the value it passed.



Fixing this while maintaining some modicum of sanity is the tricky bit.
The interface is made to kill_pid_usb_asyncio is made a sigval_t so the
standard signal compat tricks can be used.  sigval_t is a union of:

        int sival_int;
        void __user *sival_ptr;

         0   1  2   3    4   5   6  7
       +---+---+---+---+---+---+---+---+
       |            sival_ptr          | (64bit)
       +---+---+---+---+---+---+---+---+ 
       |    sival_ptr  | (32bit)
       +---+---+---+---+
       |    sival_int  |
       +---+---+---+---+

The signal code solves the compat issues for sigval_t by storing the
32bit pointers in sival_int.  So they meaningful bits are guaranteed to
be in the low 32bits, just like the 32bit sival_ptr.

After a bunch of build BUG_ONs to verify my reasonable assumptions
of but the siginfo layout are actually true, the code that generates
the siginfo just copies a sigval_t to si_pid.  And assumes the code
in the usb stack placed the pointer in the proper part of the sigval_t
when it read the information from userspace.

I don't know if that helps make it easy to understand but I figured I
would give it a shot.

Eric