From: Dave Martin <Dave.Martin@arm.com>
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: linux-arch@vger.kernel.org, Will Deacon <will.deacon@arm.com>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [RFC PATCH v2 4/6] arm64: signal: Allocate extra sigcontext space as needed
Date: Fri, 26 May 2017 12:37:32 +0100 [thread overview]
Message-ID: <20170526113729.GO3559@e103592.cambridge.arm.com> (raw)
In-Reply-To: <20170523113019.GB5948@e104818-lin.cambridge.arm.com>
On Tue, May 23, 2017 at 12:30:19PM +0100, Catalin Marinas wrote:
> On Mon, May 15, 2017 at 02:24:45PM +0100, Dave P Martin wrote:
> > On Fri, May 12, 2017 at 05:57:24PM +0100, Catalin Marinas wrote:
> > > On Wed, Apr 12, 2017 at 06:01:13PM +0100, Dave P Martin wrote:
[...]
> > Originally I preferred not to waste the space and did move fp/lr to the
> > end, but someone (I think you or Will) expressed concern that the fp/lr
> > position relative to the signal frame _might_ count as ABI.
> >
> > I think it's not that likely that software will be relying on this,
> > since it appears easier just to follow the frame chain than to treat
> > this as a special case.
> >
> > But it's hard to be certain. It comes down to a judgement call.
>
> I would not consider this ABI. The ABI part is that the fp register
> points to where fp/lr were saved.
Fair enough, I'm happy to move it back. (That was my preferred design
in the first place anyway).
> > > > +#define EXTRA_MAGIC 0x45585401
> > > > +
> > > > +struct extra_context {
> > > > + struct _aarch64_ctx head;
> > > > + void __user *data; /* 16-byte aligned pointer to extra space */
> > > "__user" is a kernel-only attribute, we shouldn't expose it in a uapi
> > > header.
> >
> > This is filtered out by headers_install, just like #ifdef __KERNEL__.
>
> Ah, ok, I missed this.
It was a surprise to me too...
> > > > + __u32 size; /* size in bytes of the extra space */
> > > > +};
> > >
> > > Do we need the size of the extra space? Can we not infer it anyway by
> > > walking the contexts save there? Surely we don't expect more than one
> > > extra context.
> >
> > Strictly speaking we don't need it. When userspace parses a signal
> > frame generated by the kernel, it can trust the kernel to write a well-
> > formed signal frame.
> >
> > In sigreturn it allows us to retain a sanity-check on overall size
> > similar to what sizeof(__reserved) gives us. This "feels cleaner"
> > to me, but the value of it is debatable, since we can still apply
> > SIGFRAME_MAXSZ and uaccess should protect us against gross overruns.
>
> I'm not keen on the size information, it seems superfluous.
Are you referring to the fact that fp will point to the end of
extra_context, or simply that we don't really need to know the size?
The first is only true of the signal frame. For a sigcontext on the
heap (e.g., getcontext/setcontext) the frame record has no role and
nothing would point to it, so it's no use for locating the end of
extra_context. In practice there won't be a frame record in this
situation.
The second is a valid point, just as we don't need to know the size of
the destination buffer of strcpy() or sprintf(). The programmer can
ensure that it's big enough. Moreover, from the kernel we're also
protected by uaccess.
It's easy to screw up here though. setcontext assumes that mcontext_t
is fixed-size, so if there is no embedded size information then there
is no way to protect against overruns. In userspace, there is no
uaccess protection and we can simply walk across the end of a heap
block etc.
> BTW, does SIGFRAME_MAXSZ now become ABI? Or the user only needs to
> interrogate the frame size and we keep this internal to the kernel?
If the kernel rejects extra_contexts that cause this limit to be
exceeded, then yes -- though it will rarely be relevant except in the
case of memory corruption, or if architecture extensions eventually
require a larger frame.
(sve_context could theoretically grow larger then SIGFRAME_MAXSZ all by
itself, but that's unlikely to happen any time soon.)
Userspace could hit SIGFRAME_MAXSZ by constructing a valid sequence of
records that is ridiculously large, by padding out the records: common
sense suggests not to do this, but it's never been documented or
enforced. I didn't feel comfortable changing the behaviour here to be
more strict.
So, SIGFRAME_MAXSZ should either be given a larger, more future-proof
value ... or otherwise we should perhaps get rid of it entirely.
?
Cheers
---Dave
WARNING: multiple messages have this Message-ID (diff)
From: Dave.Martin@arm.com (Dave Martin)
To: linux-arm-kernel@lists.infradead.org
Subject: [RFC PATCH v2 4/6] arm64: signal: Allocate extra sigcontext space as needed
Date: Fri, 26 May 2017 12:37:32 +0100 [thread overview]
Message-ID: <20170526113729.GO3559@e103592.cambridge.arm.com> (raw)
In-Reply-To: <20170523113019.GB5948@e104818-lin.cambridge.arm.com>
On Tue, May 23, 2017 at 12:30:19PM +0100, Catalin Marinas wrote:
> On Mon, May 15, 2017 at 02:24:45PM +0100, Dave P Martin wrote:
> > On Fri, May 12, 2017 at 05:57:24PM +0100, Catalin Marinas wrote:
> > > On Wed, Apr 12, 2017 at 06:01:13PM +0100, Dave P Martin wrote:
[...]
> > Originally I preferred not to waste the space and did move fp/lr to the
> > end, but someone (I think you or Will) expressed concern that the fp/lr
> > position relative to the signal frame _might_ count as ABI.
> >
> > I think it's not that likely that software will be relying on this,
> > since it appears easier just to follow the frame chain than to treat
> > this as a special case.
> >
> > But it's hard to be certain. It comes down to a judgement call.
>
> I would not consider this ABI. The ABI part is that the fp register
> points to where fp/lr were saved.
Fair enough, I'm happy to move it back. (That was my preferred design
in the first place anyway).
> > > > +#define EXTRA_MAGIC 0x45585401
> > > > +
> > > > +struct extra_context {
> > > > + struct _aarch64_ctx head;
> > > > + void __user *data; /* 16-byte aligned pointer to extra space */
> > > "__user" is a kernel-only attribute, we shouldn't expose it in a uapi
> > > header.
> >
> > This is filtered out by headers_install, just like #ifdef __KERNEL__.
>
> Ah, ok, I missed this.
It was a surprise to me too...
> > > > + __u32 size; /* size in bytes of the extra space */
> > > > +};
> > >
> > > Do we need the size of the extra space? Can we not infer it anyway by
> > > walking the contexts save there? Surely we don't expect more than one
> > > extra context.
> >
> > Strictly speaking we don't need it. When userspace parses a signal
> > frame generated by the kernel, it can trust the kernel to write a well-
> > formed signal frame.
> >
> > In sigreturn it allows us to retain a sanity-check on overall size
> > similar to what sizeof(__reserved) gives us. This "feels cleaner"
> > to me, but the value of it is debatable, since we can still apply
> > SIGFRAME_MAXSZ and uaccess should protect us against gross overruns.
>
> I'm not keen on the size information, it seems superfluous.
Are you referring to the fact that fp will point to the end of
extra_context, or simply that we don't really need to know the size?
The first is only true of the signal frame. For a sigcontext on the
heap (e.g., getcontext/setcontext) the frame record has no role and
nothing would point to it, so it's no use for locating the end of
extra_context. In practice there won't be a frame record in this
situation.
The second is a valid point, just as we don't need to know the size of
the destination buffer of strcpy() or sprintf(). The programmer can
ensure that it's big enough. Moreover, from the kernel we're also
protected by uaccess.
It's easy to screw up here though. setcontext assumes that mcontext_t
is fixed-size, so if there is no embedded size information then there
is no way to protect against overruns. In userspace, there is no
uaccess protection and we can simply walk across the end of a heap
block etc.
> BTW, does SIGFRAME_MAXSZ now become ABI? Or the user only needs to
> interrogate the frame size and we keep this internal to the kernel?
If the kernel rejects extra_contexts that cause this limit to be
exceeded, then yes -- though it will rarely be relevant except in the
case of memory corruption, or if architecture extensions eventually
require a larger frame.
(sve_context could theoretically grow larger then SIGFRAME_MAXSZ all by
itself, but that's unlikely to happen any time soon.)
Userspace could hit SIGFRAME_MAXSZ by constructing a valid sequence of
records that is ridiculously large, by padding out the records: common
sense suggests not to do this, but it's never been documented or
enforced. I didn't feel comfortable changing the behaviour here to be
more strict.
So, SIGFRAME_MAXSZ should either be given a larger, more future-proof
value ... or otherwise we should perhaps get rid of it entirely.
?
Cheers
---Dave
next prev parent reply other threads:[~2017-05-26 11:37 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-12 16:56 [RFC PATCH v2 0/6] Signal frame expansion support Dave Martin
2017-04-12 16:56 ` Dave Martin
2017-04-12 17:01 ` [RFC PATCH v2 1/6] arm64: signal: Refactor sigcontext parsing in rt_sigreturn Dave Martin
2017-04-12 17:01 ` Dave Martin
2017-04-12 17:01 ` [RFC PATCH v2 2/6] arm64: signal: factor frame layout and population into separate passes Dave Martin
2017-04-12 17:01 ` Dave Martin
2017-04-12 17:01 ` [RFC PATCH v2 3/6] arm64: signal: factor out signal frame record allocation Dave Martin
2017-04-12 17:01 ` Dave Martin
2017-04-12 17:01 ` [RFC PATCH v2 4/6] arm64: signal: Allocate extra sigcontext space as needed Dave Martin
2017-04-12 17:01 ` Dave Martin
2017-05-12 16:57 ` Catalin Marinas
2017-05-12 16:57 ` Catalin Marinas
2017-05-15 13:24 ` Dave Martin
2017-05-15 13:24 ` Dave Martin
2017-05-23 11:30 ` Catalin Marinas
2017-05-23 11:30 ` Catalin Marinas
2017-05-26 11:37 ` Dave Martin [this message]
2017-05-26 11:37 ` Dave Martin
2017-06-05 14:17 ` Catalin Marinas
2017-06-05 14:17 ` Catalin Marinas
2017-06-06 11:37 ` Dave Martin
2017-06-06 11:37 ` Dave Martin
2017-06-06 13:58 ` Dave Martin
2017-06-06 13:58 ` Dave Martin
2017-06-06 16:15 ` Catalin Marinas
2017-06-06 16:15 ` Catalin Marinas
2017-06-06 16:15 ` Catalin Marinas
2017-06-06 16:15 ` Catalin Marinas
2017-06-08 8:46 ` Dave Martin
2017-06-08 8:46 ` Dave Martin
2017-04-12 17:01 ` [RFC PATCH v2 5/6] arm64: signal: Parse extra_context during sigreturn Dave Martin
2017-04-12 17:01 ` Dave Martin
2017-04-12 17:01 ` [RFC PATCH v2 6/6] arm64: signal: Report signal frame size to userspace via auxv Dave Martin
2017-04-12 17:01 ` Dave Martin
2017-04-20 11:49 ` [RFC PATCH v2 0/6] Signal frame expansion support Michael Ellerman
2017-04-20 11:49 ` Michael Ellerman
2017-04-20 12:45 ` Dave Martin
2017-04-20 12:45 ` Dave Martin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170526113729.GO3559@e103592.cambridge.arm.com \
--to=dave.martin@arm.com \
--cc=catalin.marinas@arm.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.