From: Florian Weimer <fweimer@redhat.com>
To: Jann Horn <jannh@google.com>
Cc: "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,
Christian Brauner <christian@brauner.io>,
lkml <linux-kernel@vger.kernel.org>,
linux-man <linux-man@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
Oleg Nesterov <oleg@redhat.com>, Arnd Bergmann <arnd@arndb.de>,
David Howells <dhowells@redhat.com>,
Pavel Emelyanov <xemul@virtuozzo.com>,
Andrew Morton <akpm@linux-foundation.org>,
Adrian Reber <adrian@lisas.de>, Andrei Vagin <avagin@gmail.com>,
Linux API <linux-api@vger.kernel.org>
Subject: Re: For review: documentation of clone3() system call
Date: Mon, 11 Nov 2019 16:20:36 +0100 [thread overview]
Message-ID: <875zjqwibf.fsf@oldenburg2.str.redhat.com> (raw)
In-Reply-To: <CAG48ez3zpBwU6vHSuY6VoP+Uw_Jz6uxYN1Teg2wSpwZrPmAn-g@mail.gmail.com> (Jann Horn's message of "Mon, 11 Nov 2019 16:15:58 +0100")
* Jann Horn:
> On Mon, Nov 11, 2019 at 4:03 PM Florian Weimer <fweimer@redhat.com> wrote:
>>
>> * Michael Kerrisk:
>>
>> > Another difference for the raw clone() system call is that the
>> > stack argument may be NULL, in which case the child uses a dupli‐
>> > cate of the parent's stack. (Copy-on-write semantics ensure that
>> > the child gets separate copies of stack pages when either process
>> > modifies the stack.) In this case, for correct operation, the
>> > CLONE_VM option should not be specified. (If the child shares the
>> > parent's memory because of the use of the CLONE_VM flag, then no
>> > copy-on-write duplication occurs and chaos is likely to result.)
>>
>> I think sharing the stack also works with CLONE_VFORK with CLONE_VM, as
>> long as measures are taken to preserve the return address in a register.
>
> That basically just requires that the userspace function declaration
> for clone3 includes __attribute__((returns_twice)), right?
The clone3 implementation itself would have to store the return address
in a register because at the time of the second return, a return address
on the stack may have been corrupted by the subprocess because what used
to be the stack frame of the clone function has since been reused for
something else.
__attribute__ ((returns_twice)) is likely needed as well, but that
benefits the caller. It's also not clear that it is sufficient for this
to work in all cases. (But the mandatory-to-implement vfork function
faces the same problems.)
Thanks,
Florian
WARNING: multiple messages have this Message-ID (diff)
From: Florian Weimer <fweimer@redhat.com>
To: Jann Horn <jannh@google.com>
Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>,
Christian Brauner <christian@brauner.io>,
lkml <linux-kernel@vger.kernel.org>,
linux-man <linux-man@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
Oleg Nesterov <oleg@redhat.com>, Arnd Bergmann <arnd@arndb.de>,
David Howells <dhowells@redhat.com>,
Pavel Emelyanov <xemul@virtuozzo.com>,
Andrew Morton <akpm@linux-foundation.org>,
Adrian Reber <adrian@lisas.de>, Andrei Vagin <avagin@gmail.com>,
Linux API <linux-api@vger.kernel.org>
Subject: Re: For review: documentation of clone3() system call
Date: Mon, 11 Nov 2019 16:20:36 +0100 [thread overview]
Message-ID: <875zjqwibf.fsf@oldenburg2.str.redhat.com> (raw)
In-Reply-To: <CAG48ez3zpBwU6vHSuY6VoP+Uw_Jz6uxYN1Teg2wSpwZrPmAn-g@mail.gmail.com> (Jann Horn's message of "Mon, 11 Nov 2019 16:15:58 +0100")
* Jann Horn:
> On Mon, Nov 11, 2019 at 4:03 PM Florian Weimer <fweimer@redhat.com> wrote:
>>
>> * Michael Kerrisk:
>>
>> > Another difference for the raw clone() system call is that the
>> > stack argument may be NULL, in which case the child uses a dupli‐
>> > cate of the parent's stack. (Copy-on-write semantics ensure that
>> > the child gets separate copies of stack pages when either process
>> > modifies the stack.) In this case, for correct operation, the
>> > CLONE_VM option should not be specified. (If the child shares the
>> > parent's memory because of the use of the CLONE_VM flag, then no
>> > copy-on-write duplication occurs and chaos is likely to result.)
>>
>> I think sharing the stack also works with CLONE_VFORK with CLONE_VM, as
>> long as measures are taken to preserve the return address in a register.
>
> That basically just requires that the userspace function declaration
> for clone3 includes __attribute__((returns_twice)), right?
The clone3 implementation itself would have to store the return address
in a register because at the time of the second return, a return address
on the stack may have been corrupted by the subprocess because what used
to be the stack frame of the clone function has since been reused for
something else.
__attribute__ ((returns_twice)) is likely needed as well, but that
benefits the caller. It's also not clear that it is sufficient for this
to work in all cases. (But the mandatory-to-implement vfork function
faces the same problems.)
Thanks,
Florian
next prev parent reply other threads:[~2019-11-11 15:20 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-25 16:59 For review: documentation of clone3() system call Michael Kerrisk (man-pages)
2019-10-25 17:07 ` Christian Brauner
2019-11-07 12:26 ` Michael Kerrisk (man-pages)
2019-10-26 2:28 ` G. Branden Robinson
2019-10-31 6:06 ` Michael Kerrisk (man-pages)
2019-10-28 15:12 ` Jann Horn
2019-10-28 17:21 ` Christian Brauner
2019-10-28 19:09 ` Jann Horn
2019-10-29 11:27 ` Christian Brauner
2019-10-29 14:26 ` Christian Brauner
2019-10-29 14:26 ` Christian Brauner
2019-10-29 14:36 ` Florian Weimer
2019-10-29 16:04 ` Christian Brauner
2019-10-29 15:20 ` Jann Horn
2019-10-29 16:05 ` Christian Brauner
2019-11-07 15:19 ` Christian Brauner
2019-11-07 16:10 ` Florian Weimer
2019-11-07 16:10 ` Florian Weimer
2019-11-09 8:09 ` Michael Kerrisk (man-pages)
2019-11-09 16:53 ` Christian Brauner
2019-11-11 9:02 ` Michael Kerrisk (man-pages)
2019-11-11 11:36 ` Christian Brauner
2019-11-11 19:56 ` Michael Kerrisk (man-pages)
2019-11-11 14:55 ` Jann Horn
2019-11-11 16:58 ` Theodore Y. Ts'o
2019-11-11 20:24 ` Jann Horn
2019-11-12 23:03 ` Kees Cook
2019-11-14 12:15 ` Michael Kerrisk (man-pages)
2019-11-14 12:29 ` Christian Brauner
2019-11-11 15:03 ` Florian Weimer
2019-11-11 15:03 ` Florian Weimer
2019-11-11 15:15 ` Jann Horn
2019-11-11 15:20 ` Florian Weimer [this message]
2019-11-11 15:20 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=875zjqwibf.fsf@oldenburg2.str.redhat.com \
--to=fweimer@redhat.com \
--cc=adrian@lisas.de \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=avagin@gmail.com \
--cc=christian@brauner.io \
--cc=dhowells@redhat.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=oleg@redhat.com \
--cc=xemul@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.