From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F4CEC388F9 for ; Wed, 11 Nov 2020 20:16:51 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id EBA46206E3 for ; Wed, 11 Nov 2020 20:16:50 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="YQKriKgm" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org EBA46206E3 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=xmission.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:Subject:MIME-Version:Message-ID:In-Reply-To:Date: References:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=vYjJjdhmlLnRulxIQKwkiKUlB6HuYmPEFyWmKZgfcZo=; b=YQKriKgmbKUJJIWP/SL/tXU2B 8XMsOIbqOOIabgpw/m1sf5rkQZbvtuaTSBZEP15OKt2v9or7iqBkED+8d4SDL4voCEQO60IICL2+J HClHHmhToTsgJl6KAHIIgDWTm1rg9fDcBw0z6iw/6L6CmvZ2r2uJkrPTMFLYzxF/gxjdETfT/Ncr6 53oztzKd8VAIjQWHPtfBdoDezw+h7jMDCFQL8Rh51g4+iKtDIgZ2a+OvyjyShDyMggf8MFSimLhtu W6ODjYro6aNa5YS0AUvfhLvUON0yaHfxxg0rYMMLv5blXgmOSaNFUbUfYhQwLOyC4Ii5EzBpMO9XD GYxugQm7A==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kcwWp-0003gZ-SK; Wed, 11 Nov 2020 20:15:39 +0000 Received: from out03.mta.xmission.com ([166.70.13.233]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kcwWm-0003fH-4P for linux-arm-kernel@lists.infradead.org; Wed, 11 Nov 2020 20:15:37 +0000 Received: from in01.mta.xmission.com ([166.70.13.51]) by out03.mta.xmission.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from ) id 1kcwWe-006g7P-Aw; Wed, 11 Nov 2020 13:15:28 -0700 Received: from ip68-227-160-95.om.om.cox.net ([68.227.160.95] helo=x220.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from ) id 1kcwWc-0000EG-Pi; Wed, 11 Nov 2020 13:15:28 -0700 From: ebiederm@xmission.com (Eric W. Biederman) To: Dave Martin References: <0eb601a5d1906fadd7099149eb605181911cfc04.1604523707.git.pcc@google.com> <87zh3qug6q.fsf@x220.int.ebiederm.org> <20201111172703.GP6882@arm.com> Date: Wed, 11 Nov 2020 14:15:15 -0600 In-Reply-To: <20201111172703.GP6882@arm.com> (Dave Martin's message of "Wed, 11 Nov 2020 17:27:04 +0000") Message-ID: <87imabr6p8.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 X-XM-SPF: eid=1kcwWc-0000EG-Pi; ; ; mid=<87imabr6p8.fsf@x220.int.ebiederm.org>; ; ; hst=in01.mta.xmission.com; ; ; ip=68.227.160.95; ; ; frm=ebiederm@xmission.com; ; ; spf=neutral X-XM-AID: U2FsdGVkX1/7N/eWBv/4p/S3APPKai60j3a29t5pU/E= X-SA-Exim-Connect-IP: 68.227.160.95 X-SA-Exim-Mail-From: ebiederm@xmission.com Subject: Re: [PATCH v14 7/8] signal: define the field siginfo.si_faultflags X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201111_151536_301428_D1C7F466 X-CRM114-Status: GOOD ( 36.21 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Collingbourne , Catalin Marinas , Helge Deller , Kevin Brodsky , Oleg Nesterov , linux-api@vger.kernel.org, "James E.J. Bottomley" , Kostya Serebryany , Linux ARM , Andrey Konovalov , David Spickett , Vincenzo Frascino , Will Deacon , Evgenii Stepanov , Richard Henderson Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Dave Martin writes: > On Mon, Nov 09, 2020 at 07:57:33PM -0600, Eric W. Biederman wrote: >> Peter Collingbourne writes: >> >> > This field will contain flags that may be used by signal handlers to >> > determine whether other fields in the _sigfault portion of siginfo are >> > valid. An example use case is the following patch, which introduces >> > the si_addr_tag_bits{,_mask} fields. >> > >> > A new sigcontext flag, SA_FAULTFLAGS, is introduced in order to allow >> > a signal handler to require the kernel to set the field (but note >> > that the field will be set anyway if the kernel supports the flag, >> > regardless of its value). In combination with the previous patches, >> > this allows a userspace program to determine whether the kernel will >> > set the field. >> > >> > It is possible for an si_faultflags-unaware program to cause a signal >> > handler in an si_faultflags-aware program to be called with a provided >> > siginfo data structure by using one of the following syscalls: >> > >> > - ptrace(PTRACE_SETSIGINFO) >> > - pidfd_send_signal >> > - rt_sigqueueinfo >> > - rt_tgsigqueueinfo >> > >> > So we need to prevent the si_faultflags-unaware program from causing an >> > uninitialized read of si_faultflags in the si_faultflags-aware program when >> > it uses one of these syscalls. >> > >> > The last three cases can be handled by observing that each of these >> > syscalls fails if si_code >= 0. We also observe that kill(2) and >> > tgkill(2) may be used to send a signal where si_code == 0 (SI_USER), >> > so we define si_faultflags to only be valid if si_code > 0. >> > >> > There is no such check on si_code in ptrace(PTRACE_SETSIGINFO), so >> > we make ptrace(PTRACE_SETSIGINFO) clear the si_faultflags field if it >> > detects that the signal would use the _sigfault layout, and introduce >> > a new ptrace request type, PTRACE_SETSIGINFO2, that a si_faultflags-aware >> > program may use to opt out of this behavior. >> >> So I think while well intentioned this is misguided. >> >> gdb and the like may use this but I expect the primary user is CRIU >> which simply reads the signal out of one process saves it on disk >> and then restores the signal as read into the new process (possibly >> on a different machine). >> >> At least for the CRIU usage PTRACE_SETSIGINFO need to remain a raw >> pass through kind of operation. > > This is a problem, though. > > How can we tell the difference between a siginfo that was generated by > the kernel and a siginfo that was generated (or altered) by a non-xflags > aware userspace? > > Short of revving the whole API, I don't see a simple solution to this. Unlike receiving a signal. We do know that userspace old and new always sends unused fields as zero into PTRACE_SETSIGINFO. The split into kernel_siginfo verifies this and fails userspace if it does something different. No problems have been reported. So in the case of xflags a non-xflags aware userspace would either pass the siginfo from through from somewhere else (such as PTRACE_GETSIGINFO), or it would simply generate a signal with all of the xflags bits clear. So everything should work regardless. > Although a bit of a hack, could we include some kind of checksum in the > siginfo? If the checksum matches during PTRACE_SETSIGINFO, we could > accept the whole thing; xflags included. Otherwise, we could silently > drop non-self-describing extensions. > > If we only need to generate the checksum when PTRACE_GETSIGINFO is > called then it might be feasible to use a strong hash; otherwise, this > mechanism will be far from bulletproof. > > A hash has the advantage that we don't need any other information > to validate it beyond a salt: if the hash matches, it's self- > validating. We could also package other data with it to describe the > presence of extensions, but relying on this for regular sigaction()/ > signal delivery use feels too high-overhead. > > For debuggers, I suspect that PTRACE_SETSIGINFO2 is still useful: > userspace callers that want to write an extension field that they > knowingly generated themselves should have a way to express that. > > Thoughts? I think there are two cases: 1) CRIU -- It is just a passthrough of PTRACE_GETSIGINFO 2) Creating a signal from nowhere -- Code that does not know about xflags would leave xflags at 0 so no problem. Does anyone see any other cases I am missing? Eric _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel