From: Szabolcs Nagy <szabolcs.nagy@arm.com>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org
Subject: Re: linux interprets an fcntl int arg as long
Date: Tue, 1 Nov 2022 09:11:15 +0000 [thread overview]
Message-ID: <Y2DisyknbKxeCik4@arm.com> (raw)
In-Reply-To: <Y2B6jcLUJ1F2y2yL@mit.edu>
The 10/31/2022 21:46, Theodore Ts'o wrote:
> On Mon, Oct 31, 2022 at 12:44:59PM +0000, Szabolcs Nagy wrote:
> > and such fcntl call can happen with c code that just passes
> > F_SEAL_WRITE since it is an int and e.g. with aarch64 pcs rules
> > it is passed in a register where top bits can be non-zero
> > (unlikely in practice but valid).
>
> In Linux's aarch64 ABI, an int is a 4-byte value. It is *not* an
> 8-byte value. So passing in "F_SEAL_WRITE | 0xF00000000" as an int
> (as in your example) is simply not valid thing for the userspace
> program to do.
>
> Now, if there is a C program which has "int c = F_SEAL_WRITE", if the
> PCS allows the compiler to pass a function paramter c --- for example
> f(a, b, c) --- where the 4-byte paramter 'c' is placed in a 64-bit
> register where the high bits of the 64-bit register contains non-zero
> garbage values, I would argue that this is a bug in the PCS and/or the
> compiler.
the callee uses va_arg(ap, type) to get the argument,
and if the type is wider than what was actually passed
then anything can happen. in practice what happens is
that the top bits can be non-zero.
many pcs are affected (aarch64 is the one i know well,
but at least x86_64, arm are affected too). and even if
it was aarch64 pcs only, it is incompetent to say that
the pcs is wrong: that's a constraint we are working with.
the kernel must not read a wider type than what it
documents as argument to variadic functions in the c api.
(it does not make much sense to expect anything there
anyway, but it can break userspace)
WARNING: multiple messages have this Message-ID (diff)
From: Szabolcs Nagy <szabolcs.nagy@arm.com>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org
Subject: Re: linux interprets an fcntl int arg as long
Date: Tue, 1 Nov 2022 09:11:15 +0000 [thread overview]
Message-ID: <Y2DisyknbKxeCik4@arm.com> (raw)
In-Reply-To: <Y2B6jcLUJ1F2y2yL@mit.edu>
The 10/31/2022 21:46, Theodore Ts'o wrote:
> On Mon, Oct 31, 2022 at 12:44:59PM +0000, Szabolcs Nagy wrote:
> > and such fcntl call can happen with c code that just passes
> > F_SEAL_WRITE since it is an int and e.g. with aarch64 pcs rules
> > it is passed in a register where top bits can be non-zero
> > (unlikely in practice but valid).
>
> In Linux's aarch64 ABI, an int is a 4-byte value. It is *not* an
> 8-byte value. So passing in "F_SEAL_WRITE | 0xF00000000" as an int
> (as in your example) is simply not valid thing for the userspace
> program to do.
>
> Now, if there is a C program which has "int c = F_SEAL_WRITE", if the
> PCS allows the compiler to pass a function paramter c --- for example
> f(a, b, c) --- where the 4-byte paramter 'c' is placed in a 64-bit
> register where the high bits of the 64-bit register contains non-zero
> garbage values, I would argue that this is a bug in the PCS and/or the
> compiler.
the callee uses va_arg(ap, type) to get the argument,
and if the type is wider than what was actually passed
then anything can happen. in practice what happens is
that the top bits can be non-zero.
many pcs are affected (aarch64 is the one i know well,
but at least x86_64, arm are affected too). and even if
it was aarch64 pcs only, it is incompetent to say that
the pcs is wrong: that's a constraint we are working with.
the kernel must not read a wider type than what it
documents as argument to variadic functions in the c api.
(it does not make much sense to expect anything there
anyway, but it can break userspace)
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2022-11-01 9:11 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-31 12:44 linux interprets an fcntl int arg as long Szabolcs Nagy
2022-10-31 12:44 ` Szabolcs Nagy
2022-11-01 1:46 ` Theodore Ts'o
2022-11-01 1:46 ` Theodore Ts'o
2022-11-01 9:11 ` Szabolcs Nagy [this message]
2022-11-01 9:11 ` Szabolcs Nagy
2022-11-01 10:02 ` David Laight
2022-11-01 10:02 ` David Laight
2022-11-01 11:44 ` 'Szabolcs Nagy'
2022-11-01 11:44 ` 'Szabolcs Nagy'
2022-11-01 12:19 ` David Laight
2022-11-01 12:19 ` David Laight
2022-11-01 12:49 ` 'Szabolcs Nagy'
2022-11-01 12:49 ` 'Szabolcs Nagy'
2022-11-01 13:12 ` Mark Rutland
2022-11-01 13:12 ` Mark Rutland
2022-11-01 13:29 ` David Laight
2022-11-01 13:29 ` David Laight
2022-11-01 13:35 ` David Laight
2022-11-01 13:35 ` David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y2DisyknbKxeCik4@arm.com \
--to=szabolcs.nagy@arm.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.