From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dave Martin <Dave.Martin@arm.com>
Subject: Re: [RFC PATCH v2 4/6] arm64: signal: Allocate extra sigcontext
 space as needed
Date: Tue, 6 Jun 2017 12:37:53 +0100
Message-ID: <20170606113739.GF30160@e103592.cambridge.arm.com>
References: <1492016239-19511-1-git-send-email-Dave.Martin@arm.com>
 <1492016495-19689-1-git-send-email-Dave.Martin@arm.com>
 <1492016495-19689-4-git-send-email-Dave.Martin@arm.com>
 <20170512165724.GB8387@e104818-lin.cambridge.arm.com>
 <20170515132442.GB3559@e103592.cambridge.arm.com>
 <20170523113019.GB5948@e104818-lin.cambridge.arm.com>
 <20170526113729.GO3559@e103592.cambridge.arm.com>
 <20170605141744.GB9163@e104818-lin.cambridge.arm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-arch-owner@vger.kernel.org>
Received: from foss.arm.com ([217.140.101.70]:44698 "EHLO foss.arm.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751389AbdFFLiC (ORCPT <rfc822;linux-arch@vger.kernel.org>);
        Tue, 6 Jun 2017 07:38:02 -0400
Content-Disposition: inline
In-Reply-To: <20170605141744.GB9163@e104818-lin.cambridge.arm.com>
Sender: linux-arch-owner@vger.kernel.org
List-ID: <linux-arch.vger.kernel.org>
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: linux-arch@vger.kernel.org, Will Deacon <will.deacon@arm.com>, linux-arm-kernel@lists.infradead.org

On Mon, Jun 05, 2017 at 03:17:44PM +0100, Catalin Marinas wrote:
> On Fri, May 26, 2017 at 12:37:32PM +0100, Dave P Martin wrote:
> > On Tue, May 23, 2017 at 12:30:19PM +0100, Catalin Marinas wrote:
> > > On Mon, May 15, 2017 at 02:24:45PM +0100, Dave P Martin wrote:
> > > > On Fri, May 12, 2017 at 05:57:24PM +0100, Catalin Marinas wrote:
> > > > > On Wed, Apr 12, 2017 at 06:01:13PM +0100, Dave P Martin wrote:
> > > > > > +	__u32 size;		/* size in bytes of the extra space */
> > > > > > +};
> > > > > 
> > > > > Do we need the size of the extra space? Can we not infer it anyway by
> > > > > walking the contexts save there? Surely we don't expect more than one
> > > > > extra context.
> > > > 
> > > > Strictly speaking we don't need it.  When userspace parses a signal
> > > > frame generated by the kernel, it can trust the kernel to write a well-
> > > > formed signal frame.
> > > > 
> > > > In sigreturn it allows us to retain a sanity-check on overall size
> > > > similar to what sizeof(__reserved) gives us.  This "feels cleaner"
> > > > to me, but the value of it is debatable, since we can still apply
> > > > SIGFRAME_MAXSZ and uaccess should protect us against gross overruns.
> > > 
> > > I'm not keen on the size information, it seems superfluous.
> > 
> > Are you referring to the fact that fp will point to the end of
> > extra_context, or simply that we don't really need to know the size?
> 
> The latter, I don't think we need to know the size explicitly, we can
> add up the chained structures to calculate it.
> 
> > The second is a valid point, just as we don't need to know the size of
> > the destination buffer of strcpy() or sprintf().  The programmer can
> > ensure that it's big enough.  Moreover, from the kernel we're also
> > protected by uaccess.
> > 
> > It's easy to screw up here though.  setcontext assumes that mcontext_t
> > is fixed-size, so if there is no embedded size information then there
> > is no way to protect against overruns.  In userspace, there is no
> > uaccess protection and we can simply walk across the end of a heap
> > block etc.
> 
> So you intend size to be the maximum size, not the actual size of the

Yes, except that when the signal frame is generated by the kernel those
will be the same, since the kernel generates a frame that is only as
large as needed for the records dumped.

I'm thinking of the case where userspace, or a debugger, modifies a
frame obtained from a signal, or similar.  This might involve deleting
or resizing records.  Encoding the original size of the frame may help
code defend against overrun bugs, though obviously it's no guarantee.

> chained contexts? If that's the case, I think we can keep it, only that
> I'd rather have the time size_t or __u64 to avoid implicit padding.

Sure, it can be a u64.  I wanted to avoid the suggestion that the frame
should be that large, but 32 bits already allows it to be crazy large
anyway, so I don't think making it 32-bit helps.

> > > BTW, does SIGFRAME_MAXSZ now become ABI? Or the user only needs to
> > > interrogate the frame size and we keep this internal to the kernel?
> > 
> > If the kernel rejects extra_contexts that cause this limit to be
> > exceeded, then yes -- though it will rarely be relevant except in the
> > case of memory corruption, or if architecture extensions eventually
> > require a larger frame.
> > 
> > (sve_context could theoretically grow larger then SIGFRAME_MAXSZ all by
> > itself, but that's unlikely to happen any time soon.)
> > 
> > Userspace could hit SIGFRAME_MAXSZ by constructing a valid sequence of
> > records that is ridiculously large, by padding out the records: common
> > sense suggests not to do this, but it's never been documented or
> > enforced.  I didn't feel comfortable changing the behaviour here to be
> > more strict.
> > 
> > So, SIGFRAME_MAXSZ should either be given a larger, more future-proof
> > value ... or otherwise we should perhaps get rid of it entirely.
> 
> If we can, yes, I would get rid of it.

If the size field is retained I prefer to keep this, but it's
deliberately not in any header.  This allows the kernel to have a
stricter idea about what is sane, without it formally being ABI.

This is supposed to be a deterrent against people writing signal frame
code manipulation code in a stupid way.  SIGFRAME_MAXSZ should only
ever be increased during maintenance -- it's probably worth adding a
comment on that point.

Cheers
---Dave

From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dave.Martin@arm.com (Dave Martin)
Date: Tue, 6 Jun 2017 12:37:53 +0100
Subject: [RFC PATCH v2 4/6] arm64: signal: Allocate extra sigcontext
 space as needed
In-Reply-To: <20170605141744.GB9163@e104818-lin.cambridge.arm.com>
References: <1492016239-19511-1-git-send-email-Dave.Martin@arm.com>
 <1492016495-19689-1-git-send-email-Dave.Martin@arm.com>
 <1492016495-19689-4-git-send-email-Dave.Martin@arm.com>
 <20170512165724.GB8387@e104818-lin.cambridge.arm.com>
 <20170515132442.GB3559@e103592.cambridge.arm.com>
 <20170523113019.GB5948@e104818-lin.cambridge.arm.com>
 <20170526113729.GO3559@e103592.cambridge.arm.com>
 <20170605141744.GB9163@e104818-lin.cambridge.arm.com>
Message-ID: <20170606113739.GF30160@e103592.cambridge.arm.com>
To: linux-arm-kernel@lists.infradead.org
List-Id: linux-arm-kernel.lists.infradead.org

On Mon, Jun 05, 2017 at 03:17:44PM +0100, Catalin Marinas wrote:
> On Fri, May 26, 2017 at 12:37:32PM +0100, Dave P Martin wrote:
> > On Tue, May 23, 2017 at 12:30:19PM +0100, Catalin Marinas wrote:
> > > On Mon, May 15, 2017 at 02:24:45PM +0100, Dave P Martin wrote:
> > > > On Fri, May 12, 2017 at 05:57:24PM +0100, Catalin Marinas wrote:
> > > > > On Wed, Apr 12, 2017 at 06:01:13PM +0100, Dave P Martin wrote:
> > > > > > +	__u32 size;		/* size in bytes of the extra space */
> > > > > > +};
> > > > > 
> > > > > Do we need the size of the extra space? Can we not infer it anyway by
> > > > > walking the contexts save there? Surely we don't expect more than one
> > > > > extra context.
> > > > 
> > > > Strictly speaking we don't need it.  When userspace parses a signal
> > > > frame generated by the kernel, it can trust the kernel to write a well-
> > > > formed signal frame.
> > > > 
> > > > In sigreturn it allows us to retain a sanity-check on overall size
> > > > similar to what sizeof(__reserved) gives us.  This "feels cleaner"
> > > > to me, but the value of it is debatable, since we can still apply
> > > > SIGFRAME_MAXSZ and uaccess should protect us against gross overruns.
> > > 
> > > I'm not keen on the size information, it seems superfluous.
> > 
> > Are you referring to the fact that fp will point to the end of
> > extra_context, or simply that we don't really need to know the size?
> 
> The latter, I don't think we need to know the size explicitly, we can
> add up the chained structures to calculate it.
> 
> > The second is a valid point, just as we don't need to know the size of
> > the destination buffer of strcpy() or sprintf().  The programmer can
> > ensure that it's big enough.  Moreover, from the kernel we're also
> > protected by uaccess.
> > 
> > It's easy to screw up here though.  setcontext assumes that mcontext_t
> > is fixed-size, so if there is no embedded size information then there
> > is no way to protect against overruns.  In userspace, there is no
> > uaccess protection and we can simply walk across the end of a heap
> > block etc.
> 
> So you intend size to be the maximum size, not the actual size of the

Yes, except that when the signal frame is generated by the kernel those
will be the same, since the kernel generates a frame that is only as
large as needed for the records dumped.

I'm thinking of the case where userspace, or a debugger, modifies a
frame obtained from a signal, or similar.  This might involve deleting
or resizing records.  Encoding the original size of the frame may help
code defend against overrun bugs, though obviously it's no guarantee.

> chained contexts? If that's the case, I think we can keep it, only that
> I'd rather have the time size_t or __u64 to avoid implicit padding.

Sure, it can be a u64.  I wanted to avoid the suggestion that the frame
should be that large, but 32 bits already allows it to be crazy large
anyway, so I don't think making it 32-bit helps.

> > > BTW, does SIGFRAME_MAXSZ now become ABI? Or the user only needs to
> > > interrogate the frame size and we keep this internal to the kernel?
> > 
> > If the kernel rejects extra_contexts that cause this limit to be
> > exceeded, then yes -- though it will rarely be relevant except in the
> > case of memory corruption, or if architecture extensions eventually
> > require a larger frame.
> > 
> > (sve_context could theoretically grow larger then SIGFRAME_MAXSZ all by
> > itself, but that's unlikely to happen any time soon.)
> > 
> > Userspace could hit SIGFRAME_MAXSZ by constructing a valid sequence of
> > records that is ridiculously large, by padding out the records: common
> > sense suggests not to do this, but it's never been documented or
> > enforced.  I didn't feel comfortable changing the behaviour here to be
> > more strict.
> > 
> > So, SIGFRAME_MAXSZ should either be given a larger, more future-proof
> > value ... or otherwise we should perhaps get rid of it entirely.
> 
> If we can, yes, I would get rid of it.

If the size field is retained I prefer to keep this, but it's
deliberately not in any header.  This allows the kernel to have a
stricter idea about what is sane, without it formally being ABI.

This is supposed to be a deterrent against people writing signal frame
code manipulation code in a stupid way.  SIGFRAME_MAXSZ should only
ever be increased during maintenance -- it's probably worth adding a
comment on that point.

Cheers
---Dave