From: Dave Martin <Dave.Martin@arm.com> To: Catalin Marinas <catalin.marinas@arm.com> Cc: linux-arch@vger.kernel.org, Will Deacon <will.deacon@arm.com>, linux-arm-kernel@lists.infradead.org Subject: Re: [RFC PATCH v2 4/6] arm64: signal: Allocate extra sigcontext space as needed Date: Fri, 26 May 2017 12:37:32 +0100 [thread overview] Message-ID: <20170526113729.GO3559@e103592.cambridge.arm.com> (raw) In-Reply-To: <20170523113019.GB5948@e104818-lin.cambridge.arm.com> On Tue, May 23, 2017 at 12:30:19PM +0100, Catalin Marinas wrote: > On Mon, May 15, 2017 at 02:24:45PM +0100, Dave P Martin wrote: > > On Fri, May 12, 2017 at 05:57:24PM +0100, Catalin Marinas wrote: > > > On Wed, Apr 12, 2017 at 06:01:13PM +0100, Dave P Martin wrote: [...] > > Originally I preferred not to waste the space and did move fp/lr to the > > end, but someone (I think you or Will) expressed concern that the fp/lr > > position relative to the signal frame _might_ count as ABI. > > > > I think it's not that likely that software will be relying on this, > > since it appears easier just to follow the frame chain than to treat > > this as a special case. > > > > But it's hard to be certain. It comes down to a judgement call. > > I would not consider this ABI. The ABI part is that the fp register > points to where fp/lr were saved. Fair enough, I'm happy to move it back. (That was my preferred design in the first place anyway). > > > > +#define EXTRA_MAGIC 0x45585401 > > > > + > > > > +struct extra_context { > > > > + struct _aarch64_ctx head; > > > > + void __user *data; /* 16-byte aligned pointer to extra space */ > > > "__user" is a kernel-only attribute, we shouldn't expose it in a uapi > > > header. > > > > This is filtered out by headers_install, just like #ifdef __KERNEL__. > > Ah, ok, I missed this. It was a surprise to me too... > > > > + __u32 size; /* size in bytes of the extra space */ > > > > +}; > > > > > > Do we need the size of the extra space? Can we not infer it anyway by > > > walking the contexts save there? Surely we don't expect more than one > > > extra context. > > > > Strictly speaking we don't need it. When userspace parses a signal > > frame generated by the kernel, it can trust the kernel to write a well- > > formed signal frame. > > > > In sigreturn it allows us to retain a sanity-check on overall size > > similar to what sizeof(__reserved) gives us. This "feels cleaner" > > to me, but the value of it is debatable, since we can still apply > > SIGFRAME_MAXSZ and uaccess should protect us against gross overruns. > > I'm not keen on the size information, it seems superfluous. Are you referring to the fact that fp will point to the end of extra_context, or simply that we don't really need to know the size? The first is only true of the signal frame. For a sigcontext on the heap (e.g., getcontext/setcontext) the frame record has no role and nothing would point to it, so it's no use for locating the end of extra_context. In practice there won't be a frame record in this situation. The second is a valid point, just as we don't need to know the size of the destination buffer of strcpy() or sprintf(). The programmer can ensure that it's big enough. Moreover, from the kernel we're also protected by uaccess. It's easy to screw up here though. setcontext assumes that mcontext_t is fixed-size, so if there is no embedded size information then there is no way to protect against overruns. In userspace, there is no uaccess protection and we can simply walk across the end of a heap block etc. > BTW, does SIGFRAME_MAXSZ now become ABI? Or the user only needs to > interrogate the frame size and we keep this internal to the kernel? If the kernel rejects extra_contexts that cause this limit to be exceeded, then yes -- though it will rarely be relevant except in the case of memory corruption, or if architecture extensions eventually require a larger frame. (sve_context could theoretically grow larger then SIGFRAME_MAXSZ all by itself, but that's unlikely to happen any time soon.) Userspace could hit SIGFRAME_MAXSZ by constructing a valid sequence of records that is ridiculously large, by padding out the records: common sense suggests not to do this, but it's never been documented or enforced. I didn't feel comfortable changing the behaviour here to be more strict. So, SIGFRAME_MAXSZ should either be given a larger, more future-proof value ... or otherwise we should perhaps get rid of it entirely. ? Cheers ---Dave
WARNING: multiple messages have this Message-ID (diff)
From: Dave.Martin@arm.com (Dave Martin) To: linux-arm-kernel@lists.infradead.org Subject: [RFC PATCH v2 4/6] arm64: signal: Allocate extra sigcontext space as needed Date: Fri, 26 May 2017 12:37:32 +0100 [thread overview] Message-ID: <20170526113729.GO3559@e103592.cambridge.arm.com> (raw) In-Reply-To: <20170523113019.GB5948@e104818-lin.cambridge.arm.com> On Tue, May 23, 2017 at 12:30:19PM +0100, Catalin Marinas wrote: > On Mon, May 15, 2017 at 02:24:45PM +0100, Dave P Martin wrote: > > On Fri, May 12, 2017 at 05:57:24PM +0100, Catalin Marinas wrote: > > > On Wed, Apr 12, 2017 at 06:01:13PM +0100, Dave P Martin wrote: [...] > > Originally I preferred not to waste the space and did move fp/lr to the > > end, but someone (I think you or Will) expressed concern that the fp/lr > > position relative to the signal frame _might_ count as ABI. > > > > I think it's not that likely that software will be relying on this, > > since it appears easier just to follow the frame chain than to treat > > this as a special case. > > > > But it's hard to be certain. It comes down to a judgement call. > > I would not consider this ABI. The ABI part is that the fp register > points to where fp/lr were saved. Fair enough, I'm happy to move it back. (That was my preferred design in the first place anyway). > > > > +#define EXTRA_MAGIC 0x45585401 > > > > + > > > > +struct extra_context { > > > > + struct _aarch64_ctx head; > > > > + void __user *data; /* 16-byte aligned pointer to extra space */ > > > "__user" is a kernel-only attribute, we shouldn't expose it in a uapi > > > header. > > > > This is filtered out by headers_install, just like #ifdef __KERNEL__. > > Ah, ok, I missed this. It was a surprise to me too... > > > > + __u32 size; /* size in bytes of the extra space */ > > > > +}; > > > > > > Do we need the size of the extra space? Can we not infer it anyway by > > > walking the contexts save there? Surely we don't expect more than one > > > extra context. > > > > Strictly speaking we don't need it. When userspace parses a signal > > frame generated by the kernel, it can trust the kernel to write a well- > > formed signal frame. > > > > In sigreturn it allows us to retain a sanity-check on overall size > > similar to what sizeof(__reserved) gives us. This "feels cleaner" > > to me, but the value of it is debatable, since we can still apply > > SIGFRAME_MAXSZ and uaccess should protect us against gross overruns. > > I'm not keen on the size information, it seems superfluous. Are you referring to the fact that fp will point to the end of extra_context, or simply that we don't really need to know the size? The first is only true of the signal frame. For a sigcontext on the heap (e.g., getcontext/setcontext) the frame record has no role and nothing would point to it, so it's no use for locating the end of extra_context. In practice there won't be a frame record in this situation. The second is a valid point, just as we don't need to know the size of the destination buffer of strcpy() or sprintf(). The programmer can ensure that it's big enough. Moreover, from the kernel we're also protected by uaccess. It's easy to screw up here though. setcontext assumes that mcontext_t is fixed-size, so if there is no embedded size information then there is no way to protect against overruns. In userspace, there is no uaccess protection and we can simply walk across the end of a heap block etc. > BTW, does SIGFRAME_MAXSZ now become ABI? Or the user only needs to > interrogate the frame size and we keep this internal to the kernel? If the kernel rejects extra_contexts that cause this limit to be exceeded, then yes -- though it will rarely be relevant except in the case of memory corruption, or if architecture extensions eventually require a larger frame. (sve_context could theoretically grow larger then SIGFRAME_MAXSZ all by itself, but that's unlikely to happen any time soon.) Userspace could hit SIGFRAME_MAXSZ by constructing a valid sequence of records that is ridiculously large, by padding out the records: common sense suggests not to do this, but it's never been documented or enforced. I didn't feel comfortable changing the behaviour here to be more strict. So, SIGFRAME_MAXSZ should either be given a larger, more future-proof value ... or otherwise we should perhaps get rid of it entirely. ? Cheers ---Dave
next prev parent reply other threads:[~2017-05-26 11:37 UTC|newest] Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-04-12 16:56 [RFC PATCH v2 0/6] Signal frame expansion support Dave Martin 2017-04-12 16:56 ` Dave Martin 2017-04-12 17:01 ` [RFC PATCH v2 1/6] arm64: signal: Refactor sigcontext parsing in rt_sigreturn Dave Martin 2017-04-12 17:01 ` Dave Martin 2017-04-12 17:01 ` [RFC PATCH v2 2/6] arm64: signal: factor frame layout and population into separate passes Dave Martin 2017-04-12 17:01 ` Dave Martin 2017-04-12 17:01 ` [RFC PATCH v2 3/6] arm64: signal: factor out signal frame record allocation Dave Martin 2017-04-12 17:01 ` Dave Martin 2017-04-12 17:01 ` [RFC PATCH v2 4/6] arm64: signal: Allocate extra sigcontext space as needed Dave Martin 2017-04-12 17:01 ` Dave Martin 2017-05-12 16:57 ` Catalin Marinas 2017-05-12 16:57 ` Catalin Marinas 2017-05-15 13:24 ` Dave Martin 2017-05-15 13:24 ` Dave Martin 2017-05-23 11:30 ` Catalin Marinas 2017-05-23 11:30 ` Catalin Marinas 2017-05-26 11:37 ` Dave Martin [this message] 2017-05-26 11:37 ` Dave Martin 2017-06-05 14:17 ` Catalin Marinas 2017-06-05 14:17 ` Catalin Marinas 2017-06-06 11:37 ` Dave Martin 2017-06-06 11:37 ` Dave Martin 2017-06-06 13:58 ` Dave Martin 2017-06-06 13:58 ` Dave Martin 2017-06-06 16:15 ` Catalin Marinas 2017-06-06 16:15 ` Catalin Marinas 2017-06-06 16:15 ` Catalin Marinas 2017-06-06 16:15 ` Catalin Marinas 2017-06-08 8:46 ` Dave Martin 2017-06-08 8:46 ` Dave Martin 2017-04-12 17:01 ` [RFC PATCH v2 5/6] arm64: signal: Parse extra_context during sigreturn Dave Martin 2017-04-12 17:01 ` Dave Martin 2017-04-12 17:01 ` [RFC PATCH v2 6/6] arm64: signal: Report signal frame size to userspace via auxv Dave Martin 2017-04-12 17:01 ` Dave Martin 2017-04-20 11:49 ` [RFC PATCH v2 0/6] Signal frame expansion support Michael Ellerman 2017-04-20 11:49 ` Michael Ellerman 2017-04-20 12:45 ` Dave Martin 2017-04-20 12:45 ` Dave Martin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20170526113729.GO3559@e103592.cambridge.arm.com \ --to=dave.martin@arm.com \ --cc=catalin.marinas@arm.com \ --cc=linux-arch@vger.kernel.org \ --cc=linux-arm-kernel@lists.infradead.org \ --cc=will.deacon@arm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.