* [PATCH 0/4] MIPS: syscall tracing fixes @ 2017-08-11 20:56 James Hogan 2017-08-11 20:56 ` [PATCH 1/4] MIPS/seccomp: Fix indirect syscall args James Hogan 0 siblings, 1 reply; 3+ messages in thread From: James Hogan @ 2017-08-11 20:56 UTC (permalink / raw) To: linux-mips Cc: linux-kernel, James Hogan, Ralf Baechle, David Daney, Kees Cook, Andy Lutomirski, Will Drewry, Oleg Nesterov, Alexei Starovoitov, Daniel Borkmann, Lars Persson, netdev These patches fix some system call tracing issues around seccomp and ptrace on MIPS. Patch 1 fixes an issue introduced in v4.13-rc1, where o32 indirect syscall arguments aren't shifted when filling out seccomp_data struct. Arguably the samples/bpf/tracex5 case that was being fixed in -rc1 is flawed, or else other arches are broken too. thoughts welcome on that, but either way this fix should be okay. It'd be good to get this fix in particular into v4.13. Patches 2 and 3 fix changing of system calls by ptrace and SECCOMP_RET_TRACE so that seccomp & syscall trace don't use the stale system call number, which appears to have been conceptually broken since v3.19 when thread_info::syscall was introduced, but also prevented the change in v4.8 to re-run the seccomp filter against a changed syscall from being effective on MIPS. First (patch 2) syscall_trace_enter() is fixed to re-read the syscall number from thread_info:syscall, then (patch 3) ptrace is fixed to update thread_info::syscall when the relevant registers are altered. Finally patch 4 fixes an API gap for MIPS which prevents a SECCOMP_RET_TRACE tracer from being able to cancel a system call, since you can't set both the system call number (v0) to -1 and the return value (v0) to the chosen error code. A PTRACE_SET_SYSCALL is added which allows thread_info::syscall to be set to -1 after the return value has already been set in the v0 register to some other value. Cc: Ralf Baechle <ralf@linux-mips.org> Cc: David Daney <david.daney@cavium.com> Cc: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Will Drewry <wad@chromium.org> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Alexei Starovoitov <ast@kernel.org> Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: Lars Persson <lars.persson@axis.com> Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: linux-mips@linux-mips.org James Hogan (4): MIPS/seccomp: Fix indirect syscall args MIPS/ptrace: Pick up ptrace/seccomp changed syscalls MIPS/ptrace: Update syscall nr on register changes MIPS/ptrace: Add PTRACE_SET_SYSCALL operation arch/mips/include/asm/syscall.h | 29 ++++++++++++++++++++---- arch/mips/include/uapi/asm/ptrace.h | 1 + arch/mips/kernel/ptrace.c | 45 +++++++++++++++++++++++++++++-------- arch/mips/kernel/ptrace32.c | 18 +++++++++++++++ 4 files changed, 80 insertions(+), 13 deletions(-) -- 2.13.2 ^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 1/4] MIPS/seccomp: Fix indirect syscall args 2017-08-11 20:56 [PATCH 0/4] MIPS: syscall tracing fixes James Hogan @ 2017-08-11 20:56 ` James Hogan 2017-08-11 22:17 ` Kees Cook 0 siblings, 1 reply; 3+ messages in thread From: James Hogan @ 2017-08-11 20:56 UTC (permalink / raw) To: linux-mips Cc: linux-kernel, James Hogan, Ralf Baechle, David Daney, Kees Cook, Andy Lutomirski, Will Drewry, Oleg Nesterov, Alexei Starovoitov, Daniel Borkmann, netdev Since commit 669c4092225f ("MIPS: Give __secure_computing() access to syscall arguments."), upon syscall entry when seccomp is enabled, syscall_trace_enter() passes a carefully prepared struct seccomp_data containing syscall arguments to __secure_computing(). Unfortunately it directly uses mips_get_syscall_arg() and fails to take into account the indirect O32 system calls (i.e. syscall(2)) which put the system call number in a0 and have the arguments shifted up by one entry. We can't just revert that commit as samples/bpf/tracex5 would break again, so use syscall_get_arguments() which already takes indirect syscalls into account instead of directly using mips_get_syscall_arg(), similar to what populate_seccomp_data() does. This also removes the redundant error checking of the mips_get_syscall_arg() return value (get_user() already zeroes the result if an argument from the stack can't be loaded). Reported-by: James Cowgill <James.Cowgill@imgtec.com> Fixes: 669c4092225f ("MIPS: Give __secure_computing() access to syscall arguments.") Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: David Daney <david.daney@cavium.com> Cc: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Will Drewry <wad@chromium.org> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Alexei Starovoitov <ast@kernel.org> Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: linux-mips@linux-mips.org --- It would have been much simpler for MIPS arch code to just pass a NULL seccomp_data to secure_computing() so populate_seccomp_data() would take care of fetching arguments, as it did for MIPS prior to commit 669c4092225f ("MIPS: Give __secure_computing() access to syscall arguments."), but as that commit mentions it breaks samples/bpf/tracex5, which relies on sd being non-NULL at entry to __seccomp_filter(). Arguably the samples/bpf/tracex5 test is flawed, at least for every arch except x86 (and now MIPS). --- arch/mips/kernel/ptrace.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c index 6dd13641a418..1395654cfc8d 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -872,15 +872,13 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) if (unlikely(test_thread_flag(TIF_SECCOMP))) { int ret, i; struct seccomp_data sd; + unsigned long args[6]; sd.nr = syscall; sd.arch = syscall_get_arch(); - for (i = 0; i < 6; i++) { - unsigned long v, r; - - r = mips_get_syscall_arg(&v, current, regs, i); - sd.args[i] = r ? 0 : v; - } + syscall_get_arguments(current, regs, 0, 6, args); + for (i = 0; i < 6; i++) + sd.args[i] = args[i]; sd.instruction_pointer = KSTK_EIP(current); ret = __secure_computing(&sd); -- 2.13.2 ^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 1/4] MIPS/seccomp: Fix indirect syscall args 2017-08-11 20:56 ` [PATCH 1/4] MIPS/seccomp: Fix indirect syscall args James Hogan @ 2017-08-11 22:17 ` Kees Cook 0 siblings, 0 replies; 3+ messages in thread From: Kees Cook @ 2017-08-11 22:17 UTC (permalink / raw) To: James Hogan Cc: Linux MIPS Mailing List, LKML, Ralf Baechle, David Daney, Andy Lutomirski, Will Drewry, Oleg Nesterov, Alexei Starovoitov, Daniel Borkmann, Network Development On Fri, Aug 11, 2017 at 1:56 PM, James Hogan <james.hogan@imgtec.com> wrote: > Since commit 669c4092225f ("MIPS: Give __secure_computing() access to > syscall arguments."), upon syscall entry when seccomp is enabled, > syscall_trace_enter() passes a carefully prepared struct seccomp_data > containing syscall arguments to __secure_computing(). Unfortunately it > directly uses mips_get_syscall_arg() and fails to take into account the > indirect O32 system calls (i.e. syscall(2)) which put the system call > number in a0 and have the arguments shifted up by one entry. > > We can't just revert that commit as samples/bpf/tracex5 would break > again, so use syscall_get_arguments() which already takes indirect > syscalls into account instead of directly using mips_get_syscall_arg(), > similar to what populate_seccomp_data() does. > > This also removes the redundant error checking of the > mips_get_syscall_arg() return value (get_user() already zeroes the > result if an argument from the stack can't be loaded). > > Reported-by: James Cowgill <James.Cowgill@imgtec.com> > Fixes: 669c4092225f ("MIPS: Give __secure_computing() access to syscall arguments.") > Signed-off-by: James Hogan <james.hogan@imgtec.com> > Cc: Ralf Baechle <ralf@linux-mips.org> > Cc: David Daney <david.daney@cavium.com> > Cc: Kees Cook <keescook@chromium.org> > Cc: Andy Lutomirski <luto@amacapital.net> > Cc: Will Drewry <wad@chromium.org> > Cc: Oleg Nesterov <oleg@redhat.com> > Cc: Alexei Starovoitov <ast@kernel.org> > Cc: Daniel Borkmann <daniel@iogearbox.net> > Cc: netdev@vger.kernel.org > Cc: linux-kernel@vger.kernel.org > Cc: linux-mips@linux-mips.org > --- > It would have been much simpler for MIPS arch code to just pass a NULL > seccomp_data to secure_computing() so populate_seccomp_data() would take > care of fetching arguments, as it did for MIPS prior to commit > 669c4092225f ("MIPS: Give __secure_computing() access to syscall > arguments."), but as that commit mentions it breaks samples/bpf/tracex5, > which relies on sd being non-NULL at entry to __seccomp_filter(). > > Arguably the samples/bpf/tracex5 test is flawed, at least for every arch > except x86 (and now MIPS). Weird. Yeah, that sample is broken. Allowing NULL sd is totally fine. The point is that seccomp will use syscall_get_arguments() when it's NULL (which is effectively what this is doing...) The reason sd can be _non_-NULL is when an architecture has access to the args in some way that might be faster than calling syscall_get_arguments(). Regardless, I'm fine with this change. It should either be this or reverting 669c4092225f, but it looks like kprobes of __seccomp_filter() is desired on MIPS... Reviewed-by: Kees Cook <keescook@chromium.org> -Kees > --- > arch/mips/kernel/ptrace.c | 10 ++++------ > 1 file changed, 4 insertions(+), 6 deletions(-) > > diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c > index 6dd13641a418..1395654cfc8d 100644 > --- a/arch/mips/kernel/ptrace.c > +++ b/arch/mips/kernel/ptrace.c > @@ -872,15 +872,13 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) > if (unlikely(test_thread_flag(TIF_SECCOMP))) { > int ret, i; > struct seccomp_data sd; > + unsigned long args[6]; > > sd.nr = syscall; > sd.arch = syscall_get_arch(); > - for (i = 0; i < 6; i++) { > - unsigned long v, r; > - > - r = mips_get_syscall_arg(&v, current, regs, i); > - sd.args[i] = r ? 0 : v; > - } > + syscall_get_arguments(current, regs, 0, 6, args); > + for (i = 0; i < 6; i++) > + sd.args[i] = args[i]; > sd.instruction_pointer = KSTK_EIP(current); > > ret = __secure_computing(&sd); > -- > 2.13.2 > -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-08-11 22:17 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-08-11 20:56 [PATCH 0/4] MIPS: syscall tracing fixes James Hogan 2017-08-11 20:56 ` [PATCH 1/4] MIPS/seccomp: Fix indirect syscall args James Hogan 2017-08-11 22:17 ` Kees Cook
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox