Date: Mon, 20 Jun 2016 19:53:11 +0200
From: Oleg Nesterov
To: Andy Lutomirski
Cc: Andy Lutomirski, X86 ML, linux-kernel@vger.kernel.org, Kees Cook, Borislav Petkov
Subject: the usage of __SYSCALL_MASK in entry_SYSCALL_64/do_syscall_64 is not consistent
Message-ID: <20160620175311.GA24505@redhat.com>
References: <94bda8cd5f326ae5591c80fb5d7c1c22624accec.1466244711.git.luto@kernel.org> <20160619211906.GA14712@redhat.com>
In-Reply-To:
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Mailing-List: linux-kernel@vger.kernel.org

On 06/19, Andy Lutomirski wrote:
>
> Something's clearly buggy there,

The usage of __X32_SYSCALL_BIT doesn't look right either. Nothing serious,
but still.

Damn, initially I thought I had found a serious bug in entry_64.S, and it
took me some time to understand why my exploit didn't work ;)

So I learned that

	andl $__SYSCALL_MASK, %eax

in entry_SYSCALL_64_fastpath() zero-extends %rax and thus

	cmpl $__NR_syscall_max, %eax
	...
	call *sys_call_table(, %rax, 8)

is correct (rax <= __NR_syscall_max).

OK, so entry_64.S simply "ignores" the upper bits if CONFIG_X86_X32_ABI.
Fine, but this doesn't match the

	if (likely((nr & __SYSCALL_MASK) < NR_syscalls))

check in do_syscall_64().

So this test-case

	#include <stdio.h>

	int main(void)
	{
		/* __NR_exit == 0x3c; the upper 32 bits of %rax are set on purpose */
		asm volatile ("movq $0xFFFFFFFF0000003c, %%rax; syscall"
			      : : : "rax", "rcx", "r11", "memory");
		printf("I didn't exit because I am traced\n");
		return 0;
	}

silently exits if not traced, otherwise it calls printf().

Should we do something, or do we not care?

Oleg.
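Added illustration (not part of Oleg's mail): a user-space C model of the two checks he compares. The fast path applies a 32-bit `andl`, which zero-extends into %rax, while do_syscall_64 ANDs the full unsigned long with the int constant `~__X32_SYSCALL_BIT`, which is sign-extended and so keeps the upper bits. `NR_SYSCALLS` is a placeholder table size; the mask and bit constants follow arch/x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

#define __X32_SYSCALL_BIT 0x40000000
/* As in arch/x86 with CONFIG_X86_X32_ABI: an int, value 0xBFFFFFFF (negative). */
#define __SYSCALL_MASK    (~(__X32_SYSCALL_BIT))
#define NR_SYSCALLS       329UL   /* placeholder for NR_syscalls */

/* entry_SYSCALL_64_fastpath: "andl $__SYSCALL_MASK, %eax".
 * A 32-bit ALU op writes %eax and zero-extends the result into %rax,
 * so whatever sat in the upper 32 bits is discarded. */
static uint64_t fastpath_nr(uint64_t rax)
{
    uint32_t eax = (uint32_t)rax & (uint32_t)__SYSCALL_MASK;
    return (uint64_t)eax;
}

/* do_syscall_64: "nr & __SYSCALL_MASK" with nr an unsigned long.
 * The negative int mask is converted to 0xFFFFFFFFBFFFFFFF, so the
 * upper 32 bits of nr survive and only the x32 bit is cleared. */
static uint64_t slowpath_nr(uint64_t nr)
{
    return nr & __SYSCALL_MASK;
}

/* 1 if the path would index sys_call_table, 0 if it yields -ENOSYS. */
static int fastpath_dispatches(uint64_t rax)
{
    return fastpath_nr(rax) < NR_SYSCALLS;
}

static int slowpath_dispatches(uint64_t nr)
{
    return slowpath_nr(nr) < NR_SYSCALLS;
}

int main(void)
{
    uint64_t nr = 0xFFFFFFFF0000003cULL;   /* the value from the test case */
    printf("fast path: index 0x%" PRIx64 " dispatch=%d\n",
           fastpath_nr(nr), fastpath_dispatches(nr));
    printf("slow path: index 0x%" PRIx64 " dispatch=%d\n",
           slowpath_nr(nr), slowpath_dispatches(nr));
    return 0;
}
```

With the tracer present the slow path sees 0xFFFFFFFF0000003c, which is not below NR_syscalls, so the syscall returns -ENOSYS and printf() runs; without a tracer the fast path dispatches __NR_exit.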