From: Eric Blake <eblake@redhat.com>
To: Helge Deller <deller@gmx.de>, Riku Voipio <riku.voipio@iki.fi>,
Laurent Vivier <laurent@vivier.eu>,
qemu-devel@nongnu.org
Subject: Re: [PATCH] linux-user: Drop unnecessary check in dup3 syscall
Date: Fri, 24 Apr 2020 16:53:53 -0500 [thread overview]
Message-ID: <bb774102-33a9-8d78-a0a5-779ef7eb815b@redhat.com> (raw)
In-Reply-To: <86df80e9-c747-1854-d210-5856b71e2f7b@gmx.de>
On 4/24/20 4:47 PM, Helge Deller wrote:
>>> - host_flags = target_to_host_bitmask(arg3, fcntl_flags_tbl);
>>> + int host_flags = target_to_host_bitmask(arg3, fcntl_flags_tbl);
>>
>> I don't think this is quite correct. target_to_host_bitmask()
>> silently ignores unknown bits, and a user that was relying on bit
>> 0x40000000 to cause an EINVAL will not fail with this change (unless
>> bit 0x40000000 happens to be one of the bits translated by
>> fcntl_flags_tbl).
>
> True.
>
>> The open() syscall is notorious for ignoring unknown bits rather than
>> failing with EINVAL, and it is has come back to haunt kernel
>> developers; newer syscalls like dup3() learned from the mistake, and
>> we really do want to catch unsupported bits up to make it easier for
>> future kernels to define meanings to those bits without them being
>> silently swallowed when run on older systems that did not know what
>> those bits meant.
> Ok, I wasn't aware that it's a design goal to manually find such
> cases of wrong userspace applications. But in this case, you're right
> that my patch shouldn't be applied.
This, and several similar ones that you also posted.
Maybe you could add a new int target_to_host_bitmask_strict(int src,
translate_tbl, int *dst), which returns 0 when *dst is bit-for-bit
translated from src, and returns -1 if src had bits not specified by
translate_tbl. In that case, the caller can then translate all usual
bits and rely on the syscall() failure (as you tried here), but you can
also flag -TARGET_EINVAL up front for bits not covered by the table.
>
> While looking at the code I just noticed another bug too, which needs
> fixing then:
>>> - if ((arg3 & ~TARGET_O_CLOEXEC) != 0) {
>>> - return -EINVAL;
> this needs to be:
>>> - return -TARGET_EINVAL;
Indeed. Good catch.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
next prev parent reply other threads:[~2020-04-24 22:00 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-24 20:57 [PATCH] linux-user: Drop unnecessary check in dup3 syscall Helge Deller
2020-04-24 21:32 ` Eric Blake
2020-04-24 21:47 ` Helge Deller
2020-04-24 21:53 ` Eric Blake [this message]
2020-04-25 13:01 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bb774102-33a9-8d78-a0a5-779ef7eb815b@redhat.com \
--to=eblake@redhat.com \
--cc=deller@gmx.de \
--cc=laurent@vivier.eu \
--cc=qemu-devel@nongnu.org \
--cc=riku.voipio@iki.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).