From: Szabolcs Nagy <szabolcs.nagy@arm.com>
To: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org
Subject: linux interprets an fcntl int arg as long
Date: Mon, 31 Oct 2022 12:44:59 +0000 [thread overview]
Message-ID: <Y1/DS6uoWP7OSkmd@arm.com> (raw)
in short, F_ADD_SEALS fcntl cmd is documented to take int arg,
but linux mm/memfd.c has
switch (cmd) {
case F_ADD_SEALS:
/* disallow upper 32bit */
if (arg > UINT_MAX)
return -EINVAL;
fcntl is variadic:
int fcntl(int fd, int cmd, ... /* arg */);
and arg is either int or pointer in the current documentation.
the libc does not know which (except for existing commands,
but there can be future extensions).
so glibc just assumes pointer arg and passes it down to the
kernel. musl uses unsigned long arg, but either way depending
on the vararg abi rules of the target the top bits of an int
arg can be non-zero when passed to the kernel. (in principle
it could crash too: variadic args only supposed to work when
the type is right, but in existing abis this does not seem to
be a problem.)
e.g. the following fails with EINVAL:
int fd = memfd_create("test", MFD_CLOEXEC|MFD_ALLOW_SEALING);
int r = fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE | 0xF00000000);
and such fcntl call can happen with c code that just passes
F_SEAL_WRITE since it is an int and e.g. with aarch64 pcs rules
it is passed in a register where top bits can be non-zero
(unlikely in practice but valid).
i think there are general issues with variadic syscalls:
1) existing varargs that are documented as int should be
interpret as int on the kernel side (the libc cannot fix this
up reliably). i.e. linux should fix the F_ADD_SEALS code.
2) variadic args ideally should not have mixed type and the
type that is used for future extensions should be documented.
3) macro defines for varargs that are long should have type
long and not int in the uapi. (affects some prctl flags)
otherwise users must cast manually to the right type.
thanks.
next reply other threads:[~2022-10-31 12:46 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-31 12:44 Szabolcs Nagy [this message]
2022-11-01 1:46 ` linux interprets an fcntl int arg as long Theodore Ts'o
2022-11-01 9:11 ` Szabolcs Nagy
2022-11-01 10:02 ` David Laight
2022-11-01 11:44 ` 'Szabolcs Nagy'
2022-11-01 12:19 ` David Laight
2022-11-01 12:49 ` 'Szabolcs Nagy'
2022-11-01 13:12 ` Mark Rutland
2022-11-01 13:29 ` David Laight
2022-11-01 13:35 ` David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y1/DS6uoWP7OSkmd@arm.com \
--to=szabolcs.nagy@arm.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).