From: arnd@arndb.de (Arnd Bergmann)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v6 12/20] arm64:ilp32: add sys_ilp32.c and a separate table (in entry.S) to use it
Date: Thu, 17 Dec 2015 21:50:52 +0100 [thread overview]
Message-ID: <2634904.E1fnEZUKo9@wuerfel> (raw)
In-Reply-To: <CA+=Sn1ktUCa_8MzMvZtQhE+fUNY5-V9JXTLXKDDe8a0iENgd=w@mail.gmail.com>
On Thursday 17 December 2015 12:14:20 Andrew Pinski wrote:
> On Thu, Dec 17, 2015 at 12:10 PM, Arnd Bergmann <arnd@arndb.de> wrote:
> > On Thursday 17 December 2015 18:27:53 Catalin Marinas wrote:
> >> On Wed, Dec 16, 2015 at 12:42:38AM +0300, Yury Norov wrote:
> >
> >> > +#define compat_sys_lookup_dcookie sys_lookup_dcookie
> >> > +#define compat_sys_pread64 sys_pread64
> >> > +#define compat_sys_pwrite64 sys_pwrite64
> >> > +#define compat_sys_readahead sys_readahead
> >> > +#define compat_sys_shmat sys_shmat
> >>
> >> I wonder whether we need wrappers (actually, not only for these but
> >> sys_read etc.). These functions take either a pointer or a size_t
> >> argument which are 32-bit with ILP32 but treated as 64-bit by an LP64
> >> kernel. Can we guarantee that user space zeros the top 32-bit of the
> >> arguments passed here?
> >
> > I'm pretty sure that is safe. I haven't read the calling conventions
> > specification for arm64 ilp32, but usually all function arguments are
> > passed as 64-bit registers with proper sign-extend or zero-extend.
>
> Well (just like LP64 on AARCH64), when passing a 32bit value to a
> function, the upper 32bits are undefined. I ran into this when I was
> debugging the GCC go library on ILP32 (though reproduced with pure C
> code) and the assembly functions inside glibc where pointers are
> passed with the upper 32bits as undefined.
> So we have an issue if called with syscall function or using pure
> assembly to create the syscall functions (which glibc does).
Ok, I see :-(
So the calling conventions avoid the problem of being able to set
the upper bits from malicious user space when the kernel assumes they
are zeroed out (we had security bugs in this area, before we introduced
SYSCALL_DEFINEx()), but it means that we need wrappers around each
syscall that takes an argument that is different length between user
and kernel space (as Catalin guessed). arch/s390 has the same problem and
works around it with code in arch/s390/kernel/compat_wrapper.c, while
other architectures (at least powerpc, x86 and tile IIRC, don't know much
about mips, parisc and sparc) don't have the problem because of their
calling conventions.
This also means that we cannot work around it in glibc at all, because
we have to be able to handle malicious user space, so it has to be
done in the kernel using something similar to what s390 does.
Arnd
next prev parent reply other threads:[~2015-12-17 20:50 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-15 21:42 [RFC3 PATCH v6 00/20] ILP32 for ARM64 Yury Norov
2015-12-15 21:42 ` [PATCH v6 01/20] arm64: ilp32: add documentation on the ILP32 ABI " Yury Norov
2015-12-15 21:42 ` [PATCH v6 02/20] arm64: ensure the kernel is compiled for LP64 Yury Norov
2015-12-15 21:42 ` [PATCH v6 03/20] arm64: rename COMPAT to AARCH32_EL0 in Kconfig Yury Norov
2015-12-17 11:23 ` Catalin Marinas
2015-12-15 21:42 ` [PATCH v6 04/20] arm64: change some CONFIG_COMPAT over to use CONFIG_AARCH32_EL0 instead Yury Norov
2015-12-23 14:15 ` Yury Norov
2015-12-28 8:43 ` > diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile Bamvor Jian Zhang
2015-12-28 9:01 ` [PATCH v6 04/20] arm64: change some CONFIG_COMPAT over to use CONFIG_AARCH32_EL0 instead Zhangjian (Bamvor)
2015-12-29 12:27 ` Yury Norov
2015-12-29 14:59 ` [PATCH] arm64: compat: fix wrong dependency Bamvor Jian Zhang
2015-12-29 13:12 ` [PATCH v6 04/20] arm64: change some CONFIG_COMPAT over to use CONFIG_AARCH32_EL0 instead Yury Norov
2015-12-15 21:42 ` [PATCH v6 05/20] arm64:uapi: set __BITS_PER_LONG correctly for ILP32 and LP64 Yury Norov
2015-12-15 21:42 ` [PATCH v6 06/20] thread: move thread bits accessors to separated file Yury Norov
2015-12-15 21:42 ` [PATCH v6 07/20] arm64: introduce is_a32_task and is_a32_thread (for AArch32 compat) Yury Norov
2015-12-17 11:38 ` Catalin Marinas
2015-12-15 21:42 ` [PATCH v6 08/20] arm64: ilp32: add is_ilp32_compat_{task, thread} and TIF_32BIT_AARCH64 Yury Norov
2015-12-17 11:41 ` Catalin Marinas
2015-12-18 14:11 ` Yury Norov
2015-12-18 14:44 ` Yury Norov
2015-12-21 17:42 ` Catalin Marinas
2015-12-15 21:42 ` [PATCH v6 09/20] arm64:ilp32: share HWCAP between LP64 and ILP32 Yury Norov
2015-12-16 15:54 ` Arnd Bergmann
2015-12-16 16:58 ` Catalin Marinas
2015-12-16 17:19 ` Catalin Marinas
2015-12-16 19:17 ` Arnd Bergmann
2015-12-17 10:54 ` Catalin Marinas
2015-12-17 13:56 ` Arnd Bergmann
2015-12-15 21:42 ` [PATCH v6 10/20] arm64:ilp32 use the native LP64 'start_thread' for ILP32 threads Yury Norov
2015-12-16 15:50 ` Arnd Bergmann
2015-12-18 13:57 ` Yury Norov
2015-12-15 21:42 ` [PATCH v6 11/20] arm64:ilp32: support core dump generation for ILP32 Yury Norov
2015-12-17 14:05 ` Catalin Marinas
2015-12-15 21:42 ` [PATCH v6 12/20] arm64:ilp32: add sys_ilp32.c and a separate table (in entry.S) to use it Yury Norov
2015-12-16 16:07 ` Arnd Bergmann
2015-12-17 18:27 ` Catalin Marinas
2015-12-17 20:10 ` Arnd Bergmann
2015-12-17 20:14 ` Andrew Pinski
2015-12-17 20:50 ` Arnd Bergmann [this message]
2016-01-05 15:26 ` Yury Norov
2016-01-05 21:12 ` Arnd Bergmann
2016-01-06 17:10 ` Catalin Marinas
2016-01-07 14:13 ` Arnd Bergmann
2016-01-07 15:42 ` Yury Norov
2016-01-07 17:23 ` Catalin Marinas
2015-12-18 11:42 ` Catalin Marinas
2015-12-18 12:47 ` Arnd Bergmann
2015-12-21 18:31 ` Catalin Marinas
2015-12-21 22:19 ` Arnd Bergmann
2015-12-21 18:39 ` Dr. Philipp Tomsich
2015-12-21 22:13 ` Arnd Bergmann
2015-12-21 22:31 ` Arnd Bergmann
2015-12-23 18:31 ` Yury Norov
2015-12-23 21:48 ` Arnd Bergmann
2015-12-15 21:42 ` [PATCH v6 13/20] arm64: ilp32: share aarch32 syscall wrappers to ilp32 Yury Norov
2015-12-17 14:38 ` Andreas Schwab
2015-12-18 13:49 ` Yury Norov
2015-12-22 12:25 ` Catalin Marinas
2015-12-22 21:44 ` Arnd Bergmann
2015-12-23 13:37 ` Catalin Marinas
2015-12-23 20:41 ` Arnd Bergmann
2015-12-30 17:29 ` Yury Norov
2015-12-30 22:36 ` Arnd Bergmann
2015-12-23 4:21 ` Yury Norov
2015-12-15 21:42 ` [PATCH v6 14/20] arm64: signal: wrap struct ucontext, fp and lr with struct sigframe Yury Norov
2015-12-15 21:42 ` [PATCH v6 15/20] arm64: signal: move ilp32 and lp64 common code to separated file Yury Norov
2015-12-16 16:08 ` Arnd Bergmann
2015-12-18 13:48 ` Yury Norov
2015-12-18 14:09 ` Arnd Bergmann
2015-12-22 17:11 ` Catalin Marinas
2015-12-15 21:42 ` [PATCH v6 16/20] arm64: signal32: move ilp32 and aarch32 " Yury Norov
2015-12-22 14:29 ` Catalin Marinas
2015-12-15 21:42 ` [PATCH v6 17/20] arm64: ilp32: introduce ilp32-specific handlers for sigframe Yury Norov
2015-12-22 17:08 ` Catalin Marinas
2015-12-15 21:42 ` [PATCH v6 18/20] arm64:ilp32: add vdso-ilp32 and use for signal return Yury Norov
2015-12-15 21:42 ` [PATCH v6 19/20] arm64:ilp32: change COMPAT_ELF_PLATFORM to report a a subplatform for ILP32 Yury Norov
2015-12-15 21:42 ` [PATCH v6 20/20] arm64:ilp32: add ARM64_ILP32 to Kconfig Yury Norov
2015-12-16 16:24 ` [RFC3 PATCH v6 00/20] ILP32 for ARM64 Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2634904.E1fnEZUKo9@wuerfel \
--to=arnd@arndb.de \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox