Re: [Question] About SECCOMP issue for ILP32

Re: [Question] About SECCOMP issue for ILP32

[Yury Norov]

On Mon, Aug 31, 2020 at 5:48 AM Xiongfeng Wang
<wangxiongfeng2@huawei.com> wrote:
>
> Hi Yury,
>

Hi Xiongfeng,

[restore CC list]

Haven't seen this before. What kernel / glibc / ltp do you use?

> We were testing the ILP32 feature and came accross a problem. Very apperaciate
> it if you could give us some help !
>
> We compile the LTP testsuite with '-mabi=ilp32' and run it on a machine with
> kernel and glibc applied with ILP32 patches. But we failed on one testcase,
> prctl04. It print the following error info.
> 'prctl04.c:199: FAIL: SECCOMP_MODE_STRICT doesn't permit read(2) write(2) and
> _exit(2)'
>
> The testcase is like below, syscall 'prctl' followed by a syscall 'write'.
> prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);
> SAFE_WRITE(1, fd, "a", 1);
>
> When we execute syscall 'write', we receive a SIGKILL. It's not as expected.
> We track the kernel and found out it is because we failed the syscall_whitelist
> check in '__secure_computing_strict'. Because flag 'TIF_32BIT_AARCH64' is set,
> we falls into the 'in_compat_syscall()' branch. We compare the parameter
> 'this_syscall' with return value of 'get_compat_model_syscalls()'
> The syscall number of '__NR_write' for ilp32 application is 64, but it is 4 for
> 'model_syscalls_32' returned from 'get_compat_model_syscalls()'
> So '__secure_computing_strict' retuned with 'do_exit(SIGKILL)'. We have a
> modification like below, but I am not sure if it correct or not.
>
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -618,7 +618,7 @@ static void __secure_computing_strict(int this_syscall)
>  {
>         const int *syscall_whitelist = mode1_syscalls;
>  #ifdef CONFIG_COMPAT
> -       if (in_compat_syscall())
> +       if (is_a32_compat_task())
>                 syscall_whitelist = get_compat_mode1_syscalls();

It calls the arch function from generic code. It may break build for
other arches.
This also looks dangerous because it treats ILP32 execution as non-compat.

The right approach would be implementing arch-specific
get_compat_mode1_syscalls()
in arch/arm64/include/asm/seccomp.h that returns an appropriate table.
Refer MIPS
code for this: arch/mips/include/asm/seccomp.h

Thanks,
Yury

>  #endif
>         do {
>
>
> Thanks,
> Xiongfeng
>

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [Question] About SECCOMP issue for ILP32

[Xiongfeng Wang]

On 2020/9/1 2:15, Yury Norov wrote:
> On Mon, Aug 31, 2020 at 5:48 AM Xiongfeng Wang
> <wangxiongfeng2@huawei.com> wrote:
>>
>> Hi Yury,
>>
> 
> Hi Xiongfeng,
> 
> [restore CC list]
> 
> Haven't seen this before. What kernel / glibc / ltp do you use?

The kernel version is 4.19. I applied the ILP32 patches from
https://github.com/norov/linux.git. The glibc version is 2.28 and I applyed the
ILP32 patches.
The ltp testsuite is from https://github.com/linux-test-project/ltp. I build it
with '-mabi=ilp32'.

> 
>> We were testing the ILP32 feature and came accross a problem. Very apperaciate
>> it if you could give us some help !
>>
>> We compile the LTP testsuite with '-mabi=ilp32' and run it on a machine with
>> kernel and glibc applied with ILP32 patches. But we failed on one testcase,
>> prctl04. It print the following error info.
>> 'prctl04.c:199: FAIL: SECCOMP_MODE_STRICT doesn't permit read(2) write(2) and
>> _exit(2)'
>>
>> The testcase is like below, syscall 'prctl' followed by a syscall 'write'.
>> prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);
>> SAFE_WRITE(1, fd, "a", 1);
>>
>> When we execute syscall 'write', we receive a SIGKILL. It's not as expected.
>> We track the kernel and found out it is because we failed the syscall_whitelist
>> check in '__secure_computing_strict'. Because flag 'TIF_32BIT_AARCH64' is set,
>> we falls into the 'in_compat_syscall()' branch. We compare the parameter
>> 'this_syscall' with return value of 'get_compat_model_syscalls()'
>> The syscall number of '__NR_write' for ilp32 application is 64, but it is 4 for
>> 'model_syscalls_32' returned from 'get_compat_model_syscalls()'
>> So '__secure_computing_strict' retuned with 'do_exit(SIGKILL)'. We have a
>> modification like below, but I am not sure if it correct or not.
>>
>> --- a/kernel/seccomp.c
>> +++ b/kernel/seccomp.c
>> @@ -618,7 +618,7 @@ static void __secure_computing_strict(int this_syscall)
>>  {
>>         const int *syscall_whitelist = mode1_syscalls;
>>  #ifdef CONFIG_COMPAT
>> -       if (in_compat_syscall())
>> +       if (is_a32_compat_task())
>>                 syscall_whitelist = get_compat_mode1_syscalls();
> 
> It calls the arch function from generic code. It may break build for
> other arches.
> This also looks dangerous because it treats ILP32 execution as non-compat.
> 
> The right approach would be implementing arch-specific
> get_compat_mode1_syscalls()
> in arch/arm64/include/asm/seccomp.h that returns an appropriate table.
> Refer MIPS
> code for this: arch/mips/include/asm/seccomp.h

Thanks for your advice. Thanks a lot.
I have written another version according to your advice.

--- a/arch/arm64/include/asm/seccomp.h
+++ b/arch/arm64/include/asm/seccomp.h
@@ -20,6 +20,36 @@
 #define __NR_seccomp_sigreturn_32      __NR_compat_rt_sigreturn
 #endif /* CONFIG_COMPAT */

+#ifdef CONFIG_COMPAT
+#ifndef __COMPAT_SYSCALL_NR
+
+static inline const int *get_compat_mode1_syscalls(void)
+{
+#ifdef CONFIG_AARCH32_EL0
+       static const int mode1_syscalls_a32[] = {
+               __NR_compat_read, __NR_compat_write,
+               __NR_compat_read, __NR_compat_sigreturn,
+               0, /* null terminated */
+       };
+#endif
+       static const int mode1_syscalls_ilp32[] = {
+               __NR_read, __NR_write,
+               __NR_exit, __NR_rt_sigreturn,
+               0, /* null terminated */
+       };
+
+       if (is_ilp32_compat_task())
+               return mode1_syscalls_ilp32;
+#ifdef CONFIG_AARCH32_EL0
+       return mode1_syscalls_a32;
+#endif
+}
+
+#define get_compat_mode1_syscalls get_compat_mode1_syscalls
+
+#endif
+#endif
+
 #include <asm-generic/seccomp.h>

 #endif /* _ASM_SECCOMP_H */


Thanks,
Xiongfeng

> 
> Thanks,
> Yury
> 
>>  #endif
>>         do {
>>
>>
>> Thanks,
>> Xiongfeng
>>
> 
> .
> 


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [Question] About SECCOMP issue for ILP32

[Yury Norov]

On Mon, Aug 31, 2020 at 11:15 AM Yury Norov <yury.norov@gmail.com> wrote:
>
> On Mon, Aug 31, 2020 at 5:48 AM Xiongfeng Wang
> <wangxiongfeng2@huawei.com> wrote:
> >
> > Hi Yury,
> >
>
> Hi Xiongfeng,
>
> [restore CC list]
>
> Haven't seen this before. What kernel / glibc / ltp do you use?
>
> > We were testing the ILP32 feature and came accross a problem. Very apperaciate
> > it if you could give us some help !
> >
> > We compile the LTP testsuite with '-mabi=ilp32' and run it on a machine with
> > kernel and glibc applied with ILP32 patches. But we failed on one testcase,
> > prctl04. It print the following error info.
> > 'prctl04.c:199: FAIL: SECCOMP_MODE_STRICT doesn't permit read(2) write(2) and
> > _exit(2)'
> >
> > The testcase is like below, syscall 'prctl' followed by a syscall 'write'.
> > prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);
> > SAFE_WRITE(1, fd, "a", 1);
> >
> > When we execute syscall 'write', we receive a SIGKILL. It's not as expected.
> > We track the kernel and found out it is because we failed the syscall_whitelist
> > check in '__secure_computing_strict'. Because flag 'TIF_32BIT_AARCH64' is set,
> > we falls into the 'in_compat_syscall()' branch. We compare the parameter
> > 'this_syscall' with return value of 'get_compat_model_syscalls()'
> > The syscall number of '__NR_write' for ilp32 application is 64, but it is 4 for
> > 'model_syscalls_32' returned from 'get_compat_model_syscalls()'
> > So '__secure_computing_strict' retuned with 'do_exit(SIGKILL)'. We have a
> > modification like below, but I am not sure if it correct or not.
> >
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -618,7 +618,7 @@ static void __secure_computing_strict(int this_syscall)
> >  {
> >         const int *syscall_whitelist = mode1_syscalls;
> >  #ifdef CONFIG_COMPAT
> > -       if (in_compat_syscall())
> > +       if (is_a32_compat_task())
> >                 syscall_whitelist = get_compat_mode1_syscalls();
>
> It calls the arch function from generic code. It may break build for
> other arches.
> This also looks dangerous because it treats ILP32 execution as non-compat.
>
> The right approach would be implementing arch-specific
> get_compat_mode1_syscalls()
> in arch/arm64/include/asm/seccomp.h that returns an appropriate table.
> Refer MIPS
> code for this: arch/mips/include/asm/seccomp.h
>
> Thanks,
> Yury
>
> >  #endif
> >         do {
> >
> >
> > Thanks,
> > Xiongfeng
> >

The fix is on my repo; versions 5.2 and 4.19 are updated:

https://github.com/norov/linux/commits/ilp32-4.19
https://github.com/norov/linux/commits/ilp32-5.2

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [Question] About SECCOMP issue for ILP32

[Xiongfeng Wang]

Hi Yury,

On 2020/9/1 19:40, Xiongfeng Wang wrote:
> 
> 
> On 2020/9/1 2:15, Yury Norov wrote:
>> On Mon, Aug 31, 2020 at 5:48 AM Xiongfeng Wang
>> <wangxiongfeng2@huawei.com> wrote:
>>>
>>> Hi Yury,
>>>
>>
>> Hi Xiongfeng,
>>
>> [restore CC list]
>>
>> Haven't seen this before. What kernel / glibc / ltp do you use?
> 
> The kernel version is 4.19. I applied the ILP32 patches from
> https://github.com/norov/linux.git. The glibc version is 2.28 and I applyed the
> ILP32 patches.
> The ltp testsuite is from https://github.com/linux-test-project/ltp. I build it
> with '-mabi=ilp32'.
> 
>>
>>> We were testing the ILP32 feature and came accross a problem. Very apperaciate
>>> it if you could give us some help !
>>>
>>> We compile the LTP testsuite with '-mabi=ilp32' and run it on a machine with
>>> kernel and glibc applied with ILP32 patches. But we failed on one testcase,
>>> prctl04. It print the following error info.
>>> 'prctl04.c:199: FAIL: SECCOMP_MODE_STRICT doesn't permit read(2) write(2) and
>>> _exit(2)'
>>>
>>> The testcase is like below, syscall 'prctl' followed by a syscall 'write'.
>>> prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);
>>> SAFE_WRITE(1, fd, "a", 1);
>>>
>>> When we execute syscall 'write', we receive a SIGKILL. It's not as expected.
>>> We track the kernel and found out it is because we failed the syscall_whitelist
>>> check in '__secure_computing_strict'. Because flag 'TIF_32BIT_AARCH64' is set,
>>> we falls into the 'in_compat_syscall()' branch. We compare the parameter
>>> 'this_syscall' with return value of 'get_compat_model_syscalls()'
>>> The syscall number of '__NR_write' for ilp32 application is 64, but it is 4 for
>>> 'model_syscalls_32' returned from 'get_compat_model_syscalls()'
>>> So '__secure_computing_strict' retuned with 'do_exit(SIGKILL)'. We have a
>>> modification like below, but I am not sure if it correct or not.
>>>
>>> --- a/kernel/seccomp.c
>>> +++ b/kernel/seccomp.c
>>> @@ -618,7 +618,7 @@ static void __secure_computing_strict(int this_syscall)
>>>  {
>>>         const int *syscall_whitelist = mode1_syscalls;
>>>  #ifdef CONFIG_COMPAT
>>> -       if (in_compat_syscall())
>>> +       if (is_a32_compat_task())
>>>                 syscall_whitelist = get_compat_mode1_syscalls();
>>
>> It calls the arch function from generic code. It may break build for
>> other arches.
>> This also looks dangerous because it treats ILP32 execution as non-compat.
>>
>> The right approach would be implementing arch-specific
>> get_compat_mode1_syscalls()
>> in arch/arm64/include/asm/seccomp.h that returns an appropriate table.
>> Refer MIPS
>> code for this: arch/mips/include/asm/seccomp.h
> 
> Thanks for your advice. Thanks a lot.
> I have written another version according to your advice.
> 
> --- a/arch/arm64/include/asm/seccomp.h
> +++ b/arch/arm64/include/asm/seccomp.h
> @@ -20,6 +20,36 @@
>  #define __NR_seccomp_sigreturn_32      __NR_compat_rt_sigreturn
>  #endif /* CONFIG_COMPAT */
> 
> +#ifdef CONFIG_COMPAT
> +#ifndef __COMPAT_SYSCALL_NR
> +
> +static inline const int *get_compat_mode1_syscalls(void)
> +{
> +#ifdef CONFIG_AARCH32_EL0
> +       static const int mode1_syscalls_a32[] = {
> +               __NR_compat_read, __NR_compat_write,
> +               __NR_compat_read, __NR_compat_sigreturn,

A little fix here. It should be
  __NR_compat_exit, __NR_compat_sigreturn,
Sorry, my fault.

Thanks,
Xiongfeng

> +               0, /* null terminated */
> +       };
> +#endif
> +       static const int mode1_syscalls_ilp32[] = {
> +               __NR_read, __NR_write,
> +               __NR_exit, __NR_rt_sigreturn,
> +               0, /* null terminated */
> +       };
> +
> +       if (is_ilp32_compat_task())
> +               return mode1_syscalls_ilp32;
> +#ifdef CONFIG_AARCH32_EL0
> +       return mode1_syscalls_a32;
> +#endif
> +}
> +
> +#define get_compat_mode1_syscalls get_compat_mode1_syscalls
> +
> +#endif
> +#endif
> +
>  #include <asm-generic/seccomp.h>
> 
>  #endif /* _ASM_SECCOMP_H */
> 
> 
> Thanks,
> Xiongfeng
> 
>>
>> Thanks,
>> Yury
>>
>>>  #endif
>>>         do {
>>>
>>>
>>> Thanks,
>>> Xiongfeng
>>>
>>
>> .
>>
> 
> 
> _______________________________________________
> linux-arm-kernel mailing list
> linux-arm-kernel@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
> 
> .
> 

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel