From: Kees Cook <keescook@chromium.org>
To: Tycho Andersen <tycho@tycho.ws>
Cc: LKML <linux-kernel@vger.kernel.org>,
Linux Containers <containers@lists.linux-foundation.org>,
Linux API <linux-api@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Oleg Nesterov <oleg@redhat.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Tyler Hicks <tyhicks@canonical.com>,
Akihiro Suda <suda.akihiro@lab.ntt.co.jp>,
Jann Horn <jannh@google.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH v7 1/6] seccomp: add a return code to trap to userspace
Date: Wed, 17 Oct 2018 15:21:02 -0700 [thread overview]
Message-ID: <CAGXu5jK5yN7zcPUMzFYnUbRrVkLNE0YDCioYdNC3P6mF437+5g@mail.gmail.com> (raw)
In-Reply-To: <20181017202933.GB14047@cisco>
On Wed, Oct 17, 2018 at 1:29 PM, Tycho Andersen <tycho@tycho.ws> wrote:
> On Thu, Sep 27, 2018 at 02:31:24PM -0700, Kees Cook wrote:
>> On Thu, Sep 27, 2018 at 8:11 AM, Tycho Andersen <tycho@tycho.ws> wrote:
>> > @@ -60,4 +62,29 @@ struct seccomp_data {
>> > __u64 args[6];
>> > };
>> >
>> > +struct seccomp_notif {
>> > + __u16 len;
>> > + __u64 id;
>> > + __u32 pid;
>> > + __u8 signaled;
>> > + struct seccomp_data data;
>> > +};
>> > +
>> > +struct seccomp_notif_resp {
>> > + __u16 len;
>> > + __u64 id;
>> > + __s32 error;
>> > + __s64 val;
>> > +};
>>
>> So, len has to come first, for versioning. However, since it's ahead
>> of a u64, this leaves a struct padding hole. pahole output:
>>
>> struct seccomp_notif {
>> __u16 len; /* 0 2 */
>>
>> /* XXX 6 bytes hole, try to pack */
>>
>> __u64 id; /* 8 8 */
>> __u32 pid; /* 16 4 */
>> __u8 signaled; /* 20 1 */
>>
>> /* XXX 3 bytes hole, try to pack */
>>
>> struct seccomp_data data; /* 24 64 */
>> /* --- cacheline 1 boundary (64 bytes) was 24 bytes ago --- */
>>
>> /* size: 88, cachelines: 2, members: 5 */
>> /* sum members: 79, holes: 2, sum holes: 9 */
>> /* last cacheline: 24 bytes */
>> };
>> struct seccomp_notif_resp {
>> __u16 len; /* 0 2 */
>>
>> /* XXX 6 bytes hole, try to pack */
>>
>> __u64 id; /* 8 8 */
>> __s32 error; /* 16 4 */
>>
>> /* XXX 4 bytes hole, try to pack */
>>
>> __s64 val; /* 24 8 */
>>
>> /* size: 32, cachelines: 1, members: 4 */
>> /* sum members: 22, holes: 2, sum holes: 10 */
>> /* last cacheline: 32 bytes */
>> };
>>
>> How about making len u32, and moving pid and error above "id"? This
>> leaves a hole after signaled, so changing "len" won't be sufficient
>> for versioning here. Perhaps move it after data?
>
> Just to confirm my understanding; I've got these as:
>
> struct seccomp_notif {
> __u32 len; /* 0 4 */
> __u32 pid; /* 4 4 */
> __u64 id; /* 8 8 */
> __u8 signaled; /* 16 1 */
>
> /* XXX 7 bytes hole, try to pack */
>
> struct seccomp_data data; /* 24 64 */
> /* --- cacheline 1 boundary (64 bytes) was 24 bytes ago --- */
>
> /* size: 88, cachelines: 2, members: 5 */
> /* sum members: 81, holes: 1, sum holes: 7 */
> /* last cacheline: 24 bytes */
> };
> struct seccomp_notif_resp {
> __u32 len; /* 0 4 */
> __s32 error; /* 4 4 */
> __u64 id; /* 8 8 */
> __s64 val; /* 16 8 */
>
> /* size: 24, cachelines: 1, members: 4 */
> /* last cacheline: 24 bytes */
> };
>
> in the next version. Since the structure has no padding at the end of
> it, I think the Right Thing will happen. Note that this is slightly
> different than what Kees suggested, if I add signaled after data, then
> I end up with:
>
> struct seccomp_notif {
> __u32 len; /* 0 4 */
> __u32 pid; /* 4 4 */
> __u64 id; /* 8 8 */
> struct seccomp_data data; /* 16 64 */
> /* --- cacheline 1 boundary (64 bytes) was 16 bytes ago --- */
> __u8 signaled; /* 80 1 */
>
> /* size: 88, cachelines: 2, members: 5 */
> /* padding: 7 */
> /* last cacheline: 24 bytes */
> };
>
> which I think will have the versioning problem if the next member
> introduces is < 7 bytes.
It'll be a problem in either place. What I was thinking was that
specific versioning is required instead of just length.
-Kees
--
Kees Cook
Pixel Security
next prev parent reply other threads:[~2018-10-17 22:21 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-27 15:11 [PATCH v7 0/6] seccomp trap to userspace Tycho Andersen
2018-09-27 15:11 ` [PATCH v7 1/6] seccomp: add a return code to " Tycho Andersen
2018-09-27 21:31 ` Kees Cook
2018-09-27 22:48 ` Tycho Andersen
2018-09-27 22:48 ` Tycho Andersen
2018-09-27 23:10 ` Kees Cook
2018-09-28 14:39 ` Tycho Andersen
2018-10-08 14:58 ` Christian Brauner
2018-10-09 14:28 ` Tycho Andersen
2018-10-09 16:24 ` Christian Brauner
2018-10-09 16:29 ` Tycho Andersen
2018-10-17 20:29 ` Tycho Andersen
2018-10-17 22:21 ` Kees Cook [this message]
2018-10-17 22:33 ` Tycho Andersen
2018-10-21 16:04 ` Tycho Andersen
2018-10-22 9:42 ` Christian Brauner
2018-09-27 21:51 ` Jann Horn
2018-09-27 22:45 ` Kees Cook
2018-09-27 23:08 ` Tycho Andersen
2018-09-27 23:04 ` Tycho Andersen
2018-09-27 23:37 ` Jann Horn
2018-09-29 0:28 ` Aleksa Sarai
2018-09-27 15:11 ` [PATCH v7 2/6] seccomp: make get_nth_filter available outside of CHECKPOINT_RESTORE Tycho Andersen
2018-09-27 16:51 ` Jann Horn
2018-09-27 21:42 ` Kees Cook
2018-10-08 13:55 ` Christian Brauner
2018-09-27 15:11 ` [PATCH v7 3/6] seccomp: add a way to get a listener fd from ptrace Tycho Andersen
2018-09-27 16:20 ` Jann Horn
2018-09-27 16:34 ` Tycho Andersen
2018-09-27 17:35 ` Jann Horn
2018-09-27 18:09 ` Tycho Andersen
2018-09-27 21:53 ` Kees Cook
2018-10-08 15:16 ` Christian Brauner
2018-10-08 15:33 ` Jann Horn
2018-10-08 16:21 ` Christian Brauner
2018-10-08 16:42 ` Jann Horn
2018-10-08 18:18 ` Christian Brauner
2018-10-09 12:39 ` Jann Horn
2018-10-09 13:28 ` Christian Brauner
2018-10-09 13:36 ` Jann Horn
2018-10-09 13:49 ` Christian Brauner
2018-10-09 13:50 ` Jann Horn
2018-10-09 14:09 ` Christian Brauner
2018-10-09 15:26 ` Jann Horn
2018-10-09 16:20 ` Christian Brauner
2018-10-09 16:26 ` Jann Horn
2018-10-10 12:54 ` Christian Brauner
2018-10-10 13:09 ` Christian Brauner
2018-10-10 13:10 ` Jann Horn
2018-10-10 13:18 ` Christian Brauner
2018-10-10 15:31 ` Paul Moore
2018-10-10 15:33 ` Jann Horn
2018-10-10 15:39 ` Christian Brauner
2018-10-10 16:54 ` Tycho Andersen
2018-10-10 17:15 ` Christian Brauner
2018-10-10 17:26 ` Tycho Andersen
2018-10-10 18:28 ` Christian Brauner
2018-10-11 7:24 ` Paul Moore
2018-10-11 7:24 ` Paul Moore
2018-10-11 13:39 ` Jann Horn
2018-10-11 23:10 ` Paul Moore
2018-10-11 23:10 ` Paul Moore
2018-10-12 1:02 ` Andy Lutomirski
2018-10-12 20:02 ` Tycho Andersen
2018-10-12 20:06 ` Jann Horn
2018-10-12 20:06 ` Jann Horn
2018-10-12 20:11 ` Christian Brauner
2018-10-08 18:00 ` Tycho Andersen
2018-10-08 18:41 ` Christian Brauner
2018-10-10 17:45 ` Andy Lutomirski
2018-10-10 18:26 ` Christian Brauner
2018-09-27 15:11 ` [PATCH v7 4/6] files: add a replace_fd_files() function Tycho Andersen
2018-09-27 16:49 ` Jann Horn
2018-09-27 18:04 ` Tycho Andersen
2018-09-27 21:59 ` Kees Cook
2018-09-28 2:20 ` Kees Cook
2018-09-28 2:46 ` Jann Horn
2018-09-28 5:23 ` Tycho Andersen
2018-09-27 15:11 ` [PATCH v7 5/6] seccomp: add a way to pass FDs via a notification fd Tycho Andersen
2018-09-27 16:39 ` Jann Horn
2018-09-27 22:13 ` Tycho Andersen
2018-09-27 19:28 ` Jann Horn
2018-09-27 22:14 ` Tycho Andersen
2018-09-27 22:17 ` Jann Horn
2018-09-27 22:49 ` Tycho Andersen
2018-09-27 22:09 ` Kees Cook
2018-09-27 22:15 ` Tycho Andersen
2018-09-27 15:11 ` [PATCH v7 6/6] samples: add an example of seccomp user trap Tycho Andersen
2018-09-27 22:11 ` Kees Cook
2018-09-28 21:57 ` [PATCH v7 0/6] seccomp trap to userspace Michael Kerrisk (man-opages)
2018-09-28 22:03 ` Tycho Andersen
2018-09-28 22:16 ` Michael Kerrisk (man-pages)
2018-09-28 22:34 ` Kees Cook
2018-09-28 22:46 ` Michael Kerrisk (man-pages)
2018-09-28 22:48 ` Jann Horn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXu5jK5yN7zcPUMzFYnUbRrVkLNE0YDCioYdNC3P6mF437+5g@mail.gmail.com \
--to=keescook@chromium.org \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=jannh@google.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=oleg@redhat.com \
--cc=serge@hallyn.com \
--cc=suda.akihiro@lab.ntt.co.jp \
--cc=tycho@tycho.ws \
--cc=tyhicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.