* [PATCH 0/4] x86: fix syscall function type mismatches
@ 2019-09-13 21:00 Sami Tolvanen
2019-09-13 21:00 ` [PATCH 1/4] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen
` (5 more replies)
0 siblings, 6 replies; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-13 21:00 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
This patch set changes x64 and ia32 syscall wrappers and related
functions to use function types that match sys_call_ptr_t. This fixes
indirect call mismatches with Control-Flow Integrity (CFI) checking.
Sami Tolvanen (4):
x86: use the correct function type in SYSCALL_DEFINE0
x86: use the correct function type for sys32_(rt_)sigreturn
x86: use the correct function type for sys_ni_syscall
x86: fix function types in COND_SYSCALL
arch/x86/entry/syscall_32.c | 13 ++++++--
arch/x86/entry/syscall_64.c | 12 +++++--
arch/x86/entry/syscalls/syscall_32.tbl | 4 +--
arch/x86/ia32/ia32_signal.c | 4 +--
arch/x86/include/asm/syscall_wrapper.h | 44 ++++++++++++++++----------
5 files changed, 51 insertions(+), 26 deletions(-)
--
2.23.0.237.gc6a4ce50a0-goog
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH 1/4] x86: use the correct function type in SYSCALL_DEFINE0
2019-09-13 21:00 [PATCH 0/4] x86: fix syscall function type mismatches Sami Tolvanen
@ 2019-09-13 21:00 ` Sami Tolvanen
2019-09-13 22:33 ` Andy Lutomirski
2019-09-13 21:00 ` [PATCH 2/4] x86: use the correct function type for sys32_(rt_)sigreturn Sami Tolvanen
` (4 subsequent siblings)
5 siblings, 1 reply; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-13 21:00 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
Although a syscall defined using SYSCALL_DEFINE0 doesn't accept
parameters, use the correct function type to avoid type mismatches
with Control-Flow Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
arch/x86/include/asm/syscall_wrapper.h | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h
index e046a405743d..90eb70df0b18 100644
--- a/arch/x86/include/asm/syscall_wrapper.h
+++ b/arch/x86/include/asm/syscall_wrapper.h
@@ -48,12 +48,13 @@
* To keep the naming coherent, re-define SYSCALL_DEFINE0 to create an alias
* named __ia32_sys_*()
*/
-#define SYSCALL_DEFINE0(sname) \
- SYSCALL_METADATA(_##sname, 0); \
- asmlinkage long __x64_sys_##sname(void); \
- ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
- SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \
- asmlinkage long __x64_sys_##sname(void)
+
+#define SYSCALL_DEFINE0(sname) \
+ SYSCALL_METADATA(_##sname, 0); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\
+ ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
+ SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused)
#define COND_SYSCALL(name) \
cond_syscall(__x64_sys_##name); \
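Review bot: The comment block above the first SYSCALL_DEFINE0 still explains only the __ia32_sys_*() alias and does not say why a zero-argument syscall now takes "const struct pt_regs *__unused". Add a sentence there stating that the parameter exists solely so the symbol has the same type as the sys_call_ptr_t table entries; otherwise a later cleanup is likely to turn the prototype back into "(void)".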
@@ -181,11 +182,11 @@
* macros to work correctly.
*/
#ifndef SYSCALL_DEFINE0
-#define SYSCALL_DEFINE0(sname) \
- SYSCALL_METADATA(_##sname, 0); \
- asmlinkage long __x64_sys_##sname(void); \
- ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
- asmlinkage long __x64_sys_##sname(void)
+#define SYSCALL_DEFINE0(sname) \
+ SYSCALL_METADATA(_##sname, 0); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\
+ ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused)
#endif
#ifndef COND_SYSCALL
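Review bot: The SYSCALL_DEFINE0 under "#ifndef SYSCALL_DEFINE0" repeats the body of the first definition minus the SYSCALL_ALIAS line, so the new prototype now has to be kept in sync in two places. Consider a shared helper macro that spells the prototype once, with the IA32 variant adding only the alias.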
--
2.23.0.237.gc6a4ce50a0-goog
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 2/4] x86: use the correct function type for sys32_(rt_)sigreturn
2019-09-13 21:00 [PATCH 0/4] x86: fix syscall function type mismatches Sami Tolvanen
2019-09-13 21:00 ` [PATCH 1/4] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen
@ 2019-09-13 21:00 ` Sami Tolvanen
2019-09-13 22:44 ` Andy Lutomirski
2019-09-13 21:00 ` [PATCH 3/4] x86: use the correct function type for sys_ni_syscall Sami Tolvanen
` (3 subsequent siblings)
5 siblings, 1 reply; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-13 21:00 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
Use the correct function type to avoid tripping Control-Flow
Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
arch/x86/ia32/ia32_signal.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
index 1cee10091b9f..878d8998ce6d 100644
--- a/arch/x86/ia32/ia32_signal.c
+++ b/arch/x86/ia32/ia32_signal.c
@@ -118,7 +118,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
return err;
}
-asmlinkage long sys32_sigreturn(void)
+asmlinkage long sys32_sigreturn(const struct pt_regs *__unused)
{
struct pt_regs *regs = current_pt_regs();
struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8);
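Review bot: sys32_sigreturn() now receives a "const struct pt_regs *" but names it __unused and still fetches its frame with current_pt_regs() on the next line, which reads like an oversight. The body needs a writable pointer (ia32_restore_sigcontext() in the hunk header takes "struct pt_regs *regs"), so a one-line comment saying the argument is present only to match the syscall table type would make the intent clear.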
@@ -144,7 +144,7 @@ asmlinkage long sys32_sigreturn(void)
return 0;
}
-asmlinkage long sys32_rt_sigreturn(void)
+asmlinkage long sys32_rt_sigreturn(const struct pt_regs *__unused)
{
struct pt_regs *regs = current_pt_regs();
struct rt_sigframe_ia32 __user *frame;
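Review bot: sys32_rt_sigreturn() gets the same hand-edited prototype, and the diffstat touches only ia32_signal.c. If either function is declared in a header or referenced elsewhere with the old "(void)" type, that declaration needs the same change in this patch so the tree builds at every step of the series.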
--
2.23.0.237.gc6a4ce50a0-goog
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 3/4] x86: use the correct function type for sys_ni_syscall
2019-09-13 21:00 [PATCH 0/4] x86: fix syscall function type mismatches Sami Tolvanen
2019-09-13 21:00 ` [PATCH 1/4] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen
2019-09-13 21:00 ` [PATCH 2/4] x86: use the correct function type for sys32_(rt_)sigreturn Sami Tolvanen
@ 2019-09-13 21:00 ` Sami Tolvanen
2019-09-13 22:45 ` Andy Lutomirski
2019-09-13 21:00 ` [PATCH 4/4] x86: fix function types in COND_SYSCALL Sami Tolvanen
` (2 subsequent siblings)
5 siblings, 1 reply; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-13 21:00 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
Use the correct function type for sys_ni_syscall in system
call tables to fix indirect call mismatches with Control-Flow
Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
arch/x86/entry/syscall_32.c | 13 ++++++++++---
arch/x86/entry/syscall_64.c | 12 +++++++++---
arch/x86/entry/syscalls/syscall_32.tbl | 4 ++--
3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/arch/x86/entry/syscall_32.c b/arch/x86/entry/syscall_32.c
index aa3336a7cb15..1cbdfff116d1 100644
--- a/arch/x86/entry/syscall_32.c
+++ b/arch/x86/entry/syscall_32.c
@@ -11,12 +11,19 @@
/* On X86_64, we use struct pt_regs * to pass parameters to syscalls */
#define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *);
-/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */
-extern asmlinkage long sys_ni_syscall(const struct pt_regs *);
+extern asmlinkage long sys_ni_syscall(void);
+
+asmlinkage long __ia32_sys_ni_syscall(const struct pt_regs *__unused)
+{
+ return sys_ni_syscall();
+}
+
+#define __sys_ni_syscall __ia32_sys_ni_syscall
#else /* CONFIG_IA32_EMULATION */
#define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long);
extern asmlinkage long sys_ni_syscall(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long);
+#define __sys_ni_syscall sys_ni_syscall
#endif /* CONFIG_IA32_EMULATION */
#include <asm/syscalls_32.h>
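Review bot: Only the CONFIG_IA32_EMULATION branch gets a correctly typed wrapper; the #else branch still declares sys_ni_syscall with six unsigned long parameters and points __sys_ni_syscall straight at it, which contradicts the "(void)" declaration this hunk introduces for the same function. The commit message should say whether the native 32-bit table is intentionally out of scope, and the #else declaration deserves a comment saying so. __ia32_sys_ni_syscall() is also a non-static definition with no prior prototype.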
@@ -29,6 +36,6 @@ __visible const sys_call_ptr_t ia32_sys_call_table[__NR_syscall_compat_max+1] =
* Smells like a compiler bug -- it doesn't work
* when the & below is removed.
*/
- [0 ... __NR_syscall_compat_max] = &sys_ni_syscall,
+ [0 ... __NR_syscall_compat_max] = &__sys_ni_syscall,
#include <asm/syscalls_32.h>
};
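Review bot: __sys_ni_syscall in the table initializer is a macro that resolves to two different symbols depending on CONFIG_IA32_EMULATION, but it is spelled like an ordinary function name. A name that marks it as a macro, or a short comment above the initializer pointing at the two #define lines, would make the default entry easier to follow.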
diff --git a/arch/x86/entry/syscall_64.c b/arch/x86/entry/syscall_64.c
index d5252bc1e380..0341b3e7fede 100644
--- a/arch/x86/entry/syscall_64.c
+++ b/arch/x86/entry/syscall_64.c
@@ -4,11 +4,17 @@
#include <linux/linkage.h>
#include <linux/sys.h>
#include <linux/cache.h>
+#include <linux/syscalls.h>
#include <asm/asm-offsets.h>
#include <asm/syscall.h>
-/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */
-extern asmlinkage long sys_ni_syscall(const struct pt_regs *);
+extern asmlinkage long sys_ni_syscall(void);
+
+asmlinkage long __x64_sys_ni_syscall(const struct pt_regs *__unused)
+{
+ return sys_ni_syscall();
+}
+
#define __SYSCALL_64(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *);
#include <asm/syscalls_64.h>
#undef __SYSCALL_64
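Review bot: The hunk adds "#include <linux/syscalls.h>" and, a few lines below, a local "extern asmlinkage long sys_ni_syscall(void);". If the include is there to supply that declaration, the local extern is redundant and should be dropped; if not, the commit message should say what the include is needed for. As in syscall_32.c, __x64_sys_ni_syscall() is defined non-static without a visible prototype.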
@@ -20,6 +26,6 @@ asmlinkage const sys_call_ptr_t sys_call_table[__NR_syscall_max+1] = {
* Smells like a compiler bug -- it doesn't work
* when the & below is removed.
*/
- [0 ... __NR_syscall_max] = &sys_ni_syscall,
+ [0 ... __NR_syscall_max] = &__x64_sys_ni_syscall,
#include <asm/syscalls_64.h>
};
diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl
index c00019abd076..9514f2fe456a 100644
--- a/arch/x86/entry/syscalls/syscall_32.tbl
+++ b/arch/x86/entry/syscalls/syscall_32.tbl
@@ -124,7 +124,7 @@
110 i386 iopl sys_iopl __ia32_sys_iopl
111 i386 vhangup sys_vhangup __ia32_sys_vhangup
112 i386 idle
-113 i386 vm86old sys_vm86old sys_ni_syscall
+113 i386 vm86old sys_vm86old __ia32_sys_ni_syscall
114 i386 wait4 sys_wait4 __ia32_compat_sys_wait4
115 i386 swapoff sys_swapoff __ia32_sys_swapoff
116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo
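Review bot: Row 113 (and row 166 in the next hunk) now names __ia32_sys_ni_syscall, a symbol that exists only as the hand-written function added to syscall_32.c under CONFIG_IA32_EMULATION, not one generated by the syscall macros. Mention that coupling in the commit message, and state whether these two rows are the only ones whose compat column named sys_ni_syscall.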
@@ -177,7 +177,7 @@
163 i386 mremap sys_mremap __ia32_sys_mremap
164 i386 setresuid sys_setresuid16 __ia32_sys_setresuid16
165 i386 getresuid sys_getresuid16 __ia32_sys_getresuid16
-166 i386 vm86 sys_vm86 sys_ni_syscall
+166 i386 vm86 sys_vm86 __ia32_sys_ni_syscall
167 i386 query_module
168 i386 poll sys_poll __ia32_sys_poll
169 i386 nfsservctl
--
2.23.0.237.gc6a4ce50a0-goog
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 4/4] x86: fix function types in COND_SYSCALL
2019-09-13 21:00 [PATCH 0/4] x86: fix syscall function type mismatches Sami Tolvanen
` (2 preceding siblings ...)
2019-09-13 21:00 ` [PATCH 3/4] x86: use the correct function type for sys_ni_syscall Sami Tolvanen
@ 2019-09-13 21:00 ` Sami Tolvanen
2019-09-13 22:46 ` Andy Lutomirski
2019-09-18 22:46 ` [PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
2019-10-08 22:40 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
5 siblings, 1 reply; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-13 21:00 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
Define a weak function in COND_SYSCALL instead of a weak alias to
sys_ni_syscall, which has an incompatible type. This fixes indirect
call mismatches with Control-Flow Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
arch/x86/include/asm/syscall_wrapper.h | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h
index 90eb70df0b18..9a595a544017 100644
--- a/arch/x86/include/asm/syscall_wrapper.h
+++ b/arch/x86/include/asm/syscall_wrapper.h
@@ -6,6 +6,8 @@
#ifndef _ASM_X86_SYSCALL_WRAPPER_H
#define _ASM_X86_SYSCALL_WRAPPER_H
+struct pt_regs;
+
/* Mapping of registers to parameters for syscalls on x86-64 and x32 */
#define SC_X86_64_REGS_TO_ARGS(x, ...) \
__MAP(x,__SC_ARGS \
@@ -56,9 +58,15 @@
SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \
asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused)
-#define COND_SYSCALL(name) \
- cond_syscall(__x64_sys_##name); \
- cond_syscall(__ia32_sys_##name)
+#define COND_SYSCALL(name) \
+ asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \
+ { \
+ return sys_ni_syscall(); \
+ } \
+ asmlinkage __weak long __ia32_sys_##name(const struct pt_regs *__unused)\
+ { \
+ return sys_ni_syscall(); \
+ }
#define SYS_NI(name) \
SYSCALL_ALIAS(__x64_sys_##name, sys_ni_posix_timers); \
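Review bot: The new COND_SYSCALL bodies call sys_ni_syscall(), but nothing in the visible parts of this header declares it; the patch only moves the forward declaration of struct pt_regs. Every file that expands COND_SYSCALL now needs that prototype in scope, so declare it next to the macro or document the requirement. The macro also now ends in "}" where the old one ended in an expression without a semicolon, so existing "COND_SYSCALL(name);" uses leave an empty declaration at file scope.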
@@ -190,7 +198,11 @@
#endif
#ifndef COND_SYSCALL
-#define COND_SYSCALL(name) cond_syscall(__x64_sys_##name)
+#define COND_SYSCALL(name) \
+ asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \
+ { \
+ return sys_ni_syscall(); \
+ }
#endif
#ifndef SYS_NI
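Review bot: The fallback COND_SYSCALL repeats the __x64_sys_##name stub from the IA32 variant line for line. A small helper macro that takes the symbol prefix would let both definitions share one body, so a future change to the stub (for example its return path) cannot be applied to one copy and missed in the other.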
@@ -202,7 +214,6 @@
* For VSYSCALLS, we need to declare these three syscalls with the new
* pt_regs-based calling convention for in-kernel use.
*/
-struct pt_regs;
asmlinkage long __x64_sys_getcpu(const struct pt_regs *regs);
asmlinkage long __x64_sys_gettimeofday(const struct pt_regs *regs);
asmlinkage long __x64_sys_time(const struct pt_regs *regs);
--
2.23.0.237.gc6a4ce50a0-goog
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH 1/4] x86: use the correct function type in SYSCALL_DEFINE0
2019-09-13 21:00 ` [PATCH 1/4] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen
@ 2019-09-13 22:33 ` Andy Lutomirski
0 siblings, 0 replies; 35+ messages in thread
From: Andy Lutomirski @ 2019-09-13 22:33 UTC (permalink / raw)
To: Sami Tolvanen
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook, X86 ML, LKML
On Fri, Sep 13, 2019 at 2:00 PM Sami Tolvanen <samitolvanen@google.com> wrote:
>
> Although a syscall defined using SYSCALL_DEFINE0 doesn't accept
> parameters, use the correct function type to avoid type mismatches
> with Control-Flow Integrity (CFI) checking.
Acked-by: Andy Lutomirski <luto@kernel.org>
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 2/4] x86: use the correct function type for sys32_(rt_)sigreturn
2019-09-13 21:00 ` [PATCH 2/4] x86: use the correct function type for sys32_(rt_)sigreturn Sami Tolvanen
@ 2019-09-13 22:44 ` Andy Lutomirski
2019-09-13 23:29 ` Sami Tolvanen
0 siblings, 1 reply; 35+ messages in thread
From: Andy Lutomirski @ 2019-09-13 22:44 UTC (permalink / raw)
To: Sami Tolvanen
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook, X86 ML, LKML
On Fri, Sep 13, 2019 at 2:00 PM Sami Tolvanen <samitolvanen@google.com> wrote:
>
> Use the correct function type to avoid tripping Control-Flow
> Integrity (CFI) checking.
>
> Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
> ---
> arch/x86/ia32/ia32_signal.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
> index 1cee10091b9f..878d8998ce6d 100644
> --- a/arch/x86/ia32/ia32_signal.c
> +++ b/arch/x86/ia32/ia32_signal.c
> @@ -118,7 +118,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
> return err;
> }
>
> -asmlinkage long sys32_sigreturn(void)
> +asmlinkage long sys32_sigreturn(const struct pt_regs *__unused)
> {
> struct pt_regs *regs = current_pt_regs();
> struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8);
> @@ -144,7 +144,7 @@ asmlinkage long sys32_sigreturn(void)
> return 0;
> }
>
> -asmlinkage long sys32_rt_sigreturn(void)
> +asmlinkage long sys32_rt_sigreturn(const struct pt_regs *__unused)
> {
> struct pt_regs *regs = current_pt_regs();
> struct rt_sigframe_ia32 __user *frame;
Shouldn't these be COMPAT_SYSCALL_DEFINE0?
I think you should pick this patch up and add it to your series:
https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/commit/?h=x86/syscalls&id=07daeef08d26728c120ecbe57a55cb5714810b84
with the obvious type fixup, of course. And then write a little patch
to use COMPAT_SYSCALL_DEFINE0 for rt_sigreturn and sigreturn.
> --
> 2.23.0.237.gc6a4ce50a0-goog
>
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 3/4] x86: use the correct function type for sys_ni_syscall
2019-09-13 21:00 ` [PATCH 3/4] x86: use the correct function type for sys_ni_syscall Sami Tolvanen
@ 2019-09-13 22:45 ` Andy Lutomirski
2019-09-13 23:26 ` Sami Tolvanen
0 siblings, 1 reply; 35+ messages in thread
From: Andy Lutomirski @ 2019-09-13 22:45 UTC (permalink / raw)
To: Sami Tolvanen
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook, X86 ML, LKML
On Fri, Sep 13, 2019 at 2:00 PM Sami Tolvanen <samitolvanen@google.com> wrote:
>
> Use the correct function type for sys_ni_syscall in system
> call tables to fix indirect call mismatches with Control-Flow
> Integrity (CFI) checking.
Should this be SYSCALL_DEFINE0?
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 4/4] x86: fix function types in COND_SYSCALL
2019-09-13 21:00 ` [PATCH 4/4] x86: fix function types in COND_SYSCALL Sami Tolvanen
@ 2019-09-13 22:46 ` Andy Lutomirski
2019-09-13 23:28 ` Sami Tolvanen
0 siblings, 1 reply; 35+ messages in thread
From: Andy Lutomirski @ 2019-09-13 22:46 UTC (permalink / raw)
To: Sami Tolvanen
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook, X86 ML, LKML
On Fri, Sep 13, 2019 at 2:00 PM Sami Tolvanen <samitolvanen@google.com> wrote:
>
> Define a weak function in COND_SYSCALL instead of a weak alias to
> sys_ni_syscall, which has an incompatible type. This fixes indirect
> call mismatches with Control-Flow Integrity (CFI) checking.
>
Didn't you just fix the type of sys_ni_syscall? What am I missing here?
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 3/4] x86: use the correct function type for sys_ni_syscall
2019-09-13 22:45 ` Andy Lutomirski
@ 2019-09-13 23:26 ` Sami Tolvanen
2019-09-14 0:27 ` Andy Lutomirski
0 siblings, 1 reply; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-13 23:26 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin,
Kees Cook, X86 ML, LKML
On Fri, Sep 13, 2019 at 3:45 PM Andy Lutomirski <luto@kernel.org> wrote:
> Should this be SYSCALL_DEFINE0?
It can be, and that would also fix the issue. However, it does result
in unnecessary error injection to be hooked up here, which is why
arm64 preferred to avoid the macro when I fixed it there. S390 uses
SYSCALL_DEFINE0 for this though and since sys_ni_syscall always
returns -ENOSYS, it shouldn't be a huge problem. Thoughts?
Sami
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 4/4] x86: fix function types in COND_SYSCALL
2019-09-13 22:46 ` Andy Lutomirski
@ 2019-09-13 23:28 ` Sami Tolvanen
2019-09-14 0:28 ` Andy Lutomirski
0 siblings, 1 reply; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-13 23:28 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin,
Kees Cook, X86 ML, LKML
On Fri, Sep 13, 2019 at 3:46 PM Andy Lutomirski <luto@kernel.org> wrote:
> Didn't you just fix the type of sys_ni_syscall? What am I missing here?
The other patch fixes indirect call type mismatches when the function
is called through the syscall table. However, cond_syscall creates an
alias to the actual sys_ni_syscall function defined in
kernel/sys_ni.c, which still has the wrong type.
Sami
^ permalink raw reply [flat|nested] 35+ messages in thread
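The distinction drawn in the message above (a table entry of the right type versus an alias to the parameterless sys_ni_syscall) can be checked in user space. The following is an added example, not code from this thread or from the kernel: struct pt_regs is a constructed stand-in, and MATCHES_TABLE_TYPE, demo_table, demo_dispatch and the demo_* syscalls are hypothetical names. It relies on the GCC/Clang __builtin_types_compatible_p and weak-attribute extensions.

```c
/* User-space model (added example); builds with GCC or Clang. */
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's register frame. */
struct pt_regs {
	unsigned long di;
};

/* Same shape as the table type the series matches against. */
typedef long (*sys_call_ptr_t)(const struct pt_regs *);

/*
 * Hypothetical helper: 1 when &fn has exactly the table's function type.
 * A CFI-instrumented indirect call makes the equivalent comparison at
 * run time and traps on a mismatch.
 */
#define MATCHES_TABLE_TYPE(fn) \
	__builtin_types_compatible_p(__typeof__(&(fn)), sys_call_ptr_t)

/* Model of the generic fallback: no parameters, so not table-typed. */
long sys_ni_syscall(void)
{
	return -ENOSYS;
}

/* Model of patch 3: a correctly typed wrapper for the table default. */
long __x64_sys_ni_syscall(const struct pt_regs *unused)
{
	(void)unused;
	return sys_ni_syscall();
}

/*
 * Model of patch 4: COND_SYSCALL emits a weak function of the table's
 * type instead of a weak alias to sys_ni_syscall. A strong definition
 * in another object file would replace the stub at link time.
 */
#define COND_SYSCALL(name)					\
	__attribute__((weak))					\
	long __x64_sys_##name(const struct pt_regs *unused)	\
	{							\
		(void)unused;					\
		return sys_ni_syscall();			\
	}

COND_SYSCALL(demo_optional)

/* An implemented syscall in the model: returns its first register. */
long __x64_sys_demo_getdi(const struct pt_regs *regs)
{
	return (long)regs->di;
}

#define DEMO_NR_MAX 2UL

/* Every entry has type sys_call_ptr_t; no casts are needed. */
static const sys_call_ptr_t demo_table[DEMO_NR_MAX + 1] = {
	&__x64_sys_demo_getdi,		/* 0: implemented */
	&__x64_sys_demo_optional,	/* 1: weak stub from COND_SYSCALL */
	&__x64_sys_ni_syscall,		/* 2: typed default entry */
};

/* Bounds-checked indirect call through the table. */
long demo_dispatch(unsigned long nr, const struct pt_regs *regs)
{
	if (nr > DEMO_NR_MAX)
		return -ENOSYS;
	return demo_table[nr](regs);
}

/* Compile-time type checks exposed as functions. */
int raw_fallback_matches(void)
{
	return MATCHES_TABLE_TYPE(sys_ni_syscall);
}

int wrapper_matches(void)
{
	return MATCHES_TABLE_TYPE(__x64_sys_ni_syscall);
}

int cond_stub_matches(void)
{
	return MATCHES_TABLE_TYPE(__x64_sys_demo_optional);
}

int main(void)
{
	struct pt_regs regs = { 41 };

	printf("sys_ni_syscall matches table type: %d\n", raw_fallback_matches());
	printf("__x64_sys_ni_syscall matches:      %d\n", wrapper_matches());
	printf("COND_SYSCALL stub matches:         %d\n", cond_stub_matches());
	printf("dispatch(0) = %ld, dispatch(1) = %ld\n",
	       demo_dispatch(0, &regs), demo_dispatch(1, &regs));
	return 0;
}
```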
* Re: [PATCH 2/4] x86: use the correct function type for sys32_(rt_)sigreturn
2019-09-13 22:44 ` Andy Lutomirski
@ 2019-09-13 23:29 ` Sami Tolvanen
0 siblings, 0 replies; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-13 23:29 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, H . Peter Anvin,
Kees Cook, X86 ML, LKML
On Fri, Sep 13, 2019 at 3:44 PM Andy Lutomirski <luto@kernel.org> wrote:
> Shouldn't these be COMPAT_SYSCALL_DEFINE0?
Sure, that would work too.
> I think you should pick this patch up and add it to your series:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/commit/?h=x86/syscalls&id=07daeef08d26728c120ecbe57a55cb5714810b84
>
> with the obvious type fixup, of course. And then write a little patch
> to use COMPAT_SYSCALL_DEFINE0 for rt_sigreturn and sigreturn.
Thanks. I'll do that and send v2 next week once I get some more
feedback on the other patches.
Sami
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 3/4] x86: use the correct function type for sys_ni_syscall
2019-09-13 23:26 ` Sami Tolvanen
@ 2019-09-14 0:27 ` Andy Lutomirski
2019-09-16 20:43 ` Will Deacon
0 siblings, 1 reply; 35+ messages in thread
From: Andy Lutomirski @ 2019-09-14 0:27 UTC (permalink / raw)
To: Sami Tolvanen
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook, X86 ML, LKML, will.deacon
> On Sep 13, 2019, at 4:26 PM, Sami Tolvanen <samitolvanen@google.com> wrote:
>
>> On Fri, Sep 13, 2019 at 3:45 PM Andy Lutomirski <luto@kernel.org> wrote:
>> Should this be SYSCALL_DEFINE0?
>
> It can be, and that would also fix the issue. However, it does result
> in unnecessary error injection to be hooked up here, which is why
> arm64 preferred to avoid the macro when I fixed it there. S390 uses
> SYSCALL_DEFINE0 for this though and since sys_ni_syscall always
> returns -ENOSYS, it shouldn't be a huge problem. Thoughts?
>
I don’t see why all syscalls except these few should have error injection hooked up. It’s also IMO nicer from a maintenance perspective to have all syscalls use the same macros.
Will, is there something I’m missing?
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 4/4] x86: fix function types in COND_SYSCALL
2019-09-13 23:28 ` Sami Tolvanen
@ 2019-09-14 0:28 ` Andy Lutomirski
2019-09-17 22:44 ` Sami Tolvanen
0 siblings, 1 reply; 35+ messages in thread
From: Andy Lutomirski @ 2019-09-14 0:28 UTC (permalink / raw)
To: Sami Tolvanen
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook, X86 ML, LKML
> On Sep 13, 2019, at 4:28 PM, Sami Tolvanen <samitolvanen@google.com> wrote:
>
>> On Fri, Sep 13, 2019 at 3:46 PM Andy Lutomirski <luto@kernel.org> wrote:
>> Didn't you just fix the type of sys_ni_syscall? What am I missing here?
>
> The other patch fixes indirect call type mismatches when the function
> is called through the syscall table. However, cond_syscall creates an
> alias to the actual sys_ni_syscall function defined in
> kernel/sys_ni.c, which still has the wrong type.
>
Ah, I get it. Doesn’t this cause a little bit of code bloat, though? What if you made __x86_ni_syscall, etc (possibly using the *DEFINE_SYSCALL0 macros) and then generate weak aliases to those?
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 3/4] x86: use the correct function type for sys_ni_syscall
2019-09-14 0:27 ` Andy Lutomirski
@ 2019-09-16 20:43 ` Will Deacon
0 siblings, 0 replies; 35+ messages in thread
From: Will Deacon @ 2019-09-16 20:43 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Sami Tolvanen, Andy Lutomirski, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, H . Peter Anvin, Kees Cook, X86 ML, LKML,
will.deacon, mark.rutland
On Fri, Sep 13, 2019 at 05:27:40PM -0700, Andy Lutomirski wrote:
> > On Sep 13, 2019, at 4:26 PM, Sami Tolvanen <samitolvanen@google.com> wrote:
> >> On Fri, Sep 13, 2019 at 3:45 PM Andy Lutomirski <luto@kernel.org> wrote:
> >> Should this be SYSCALL_DEFINE0?
> >
> > It can be, and that would also fix the issue. However, it does result
> > in unnecessary error injection to be hooked up here, which is why
> > arm64 preferred to avoid the macro when I fixed it there. S390 uses
> > SYSCALL_DEFINE0 for this though and since sys_ni_syscall always
> > returns -ENOSYS, it shouldn't be a huge problem. Thoughts?
> >
>
> I don’t see why all syscalls except these few should have error injection
> hooked up. It’s also IMO nicer from a maintenance perspective to have all
> syscalls use the same macros.
>
> Will, is there something I’m missing?
There was a reasonable request from Mark (CC'd) not to allow error injection
for unimplemented system calls, so that's why we took the approach that we
did. There was also a vague plan to fix this for everybody [1] but evidently
nobody found the time :(
Will
[1] https://lore.kernel.org/lkml/20190524215821.GA37129@google.com/T/#m6519b2aad06d8c384de1f55256f08687c83d8796
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 4/4] x86: fix function types in COND_SYSCALL
2019-09-14 0:28 ` Andy Lutomirski
@ 2019-09-17 22:44 ` Sami Tolvanen
0 siblings, 0 replies; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-17 22:44 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook, X86 ML, LKML
On Fri, Sep 13, 2019 at 5:28 PM Andy Lutomirski <luto@amacapital.net> wrote:
> Ah, I get it. Doesn’t this cause a little bit of code bloat, though?
A little bit yes, a few extra functions for syscalls that are not
otherwise implemented.
> What if you made __x86_ni_syscall, etc (possibly using the *DEFINE_SYSCALL0 macros) and then generate weak aliases to those?
That would be convenient, but COND_SYSCALL is used in kernel/sys_ni.c,
and we can't create an alias to a function defined elsewhere:
$ cat test.c
long b(void);
long a(void) __attribute__((alias("b")));
$ gcc -c test.c
test.c:2:6: error: ‘a’ aliased to undefined symbol ‘b’
long a(void) __attribute__((alias("b")));
^
Curiously, when we use inline assembly to create the alias (similarly
to the current cond_syscall), gcc just quietly drops the alias if the
function is not defined.
Sami
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH v2 0/5] x86: fix syscall function type mismatches
2019-09-13 21:00 [PATCH 0/4] x86: fix syscall function type mismatches Sami Tolvanen
` (3 preceding siblings ...)
2019-09-13 21:00 ` [PATCH 4/4] x86: fix function types in COND_SYSCALL Sami Tolvanen
@ 2019-09-18 22:46 ` Sami Tolvanen
2019-09-18 22:46 ` [PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen
` (4 more replies)
2019-10-08 22:40 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
5 siblings, 5 replies; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-18 22:46 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
This patch set changes x86 syscall wrappers and related functions to
use function types that match sys_call_ptr_t. This fixes indirect call
mismatches with Control-Flow Integrity (CFI) checking.
Changes since v1:
- Use SYSCALL_DEFINE0 for __x64_sys_ni_syscall.
- Include Andy's COMPAT_SYSCALL_DEFINE0 patch and use the macro
for (rt_)sigreturn.
Andy Lutomirski (1):
x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0
Sami Tolvanen (4):
x86: use the correct function type in SYSCALL_DEFINE0
x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn
x86: use the correct function type for sys_ni_syscall
x86: fix function types in COND_SYSCALL
arch/x86/entry/syscall_32.c | 8 +--
arch/x86/entry/syscall_64.c | 14 +++--
arch/x86/entry/syscalls/syscall_32.tbl | 8 +--
arch/x86/ia32/ia32_signal.c | 5 +-
arch/x86/include/asm/syscall_wrapper.h | 76 ++++++++++++++++++++------
5 files changed, 78 insertions(+), 33 deletions(-)
--
2.23.0.351.gc4317032e6-goog
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0
2019-09-18 22:46 ` [PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
@ 2019-09-18 22:46 ` Sami Tolvanen
2019-09-18 22:46 ` [PATCH v2 2/5] x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0 Sami Tolvanen
` (3 subsequent siblings)
4 siblings, 0 replies; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-18 22:46 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
Although a syscall defined using SYSCALL_DEFINE0 doesn't accept
parameters, use the correct function type to avoid type mismatches
with Control-Flow Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Acked-by: Andy Lutomirski <luto@kernel.org>
---
arch/x86/include/asm/syscall_wrapper.h | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h
index e046a405743d..90eb70df0b18 100644
--- a/arch/x86/include/asm/syscall_wrapper.h
+++ b/arch/x86/include/asm/syscall_wrapper.h
@@ -48,12 +48,13 @@
* To keep the naming coherent, re-define SYSCALL_DEFINE0 to create an alias
* named __ia32_sys_*()
*/
-#define SYSCALL_DEFINE0(sname) \
- SYSCALL_METADATA(_##sname, 0); \
- asmlinkage long __x64_sys_##sname(void); \
- ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
- SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \
- asmlinkage long __x64_sys_##sname(void)
+
+#define SYSCALL_DEFINE0(sname) \
+ SYSCALL_METADATA(_##sname, 0); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\
+ ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
+ SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused)
#define COND_SYSCALL(name) \
cond_syscall(__x64_sys_##name); \
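Review bot: v2 still carries the lone added blank line between the "re-define SYSCALL_DEFINE0" comment and the macro it documents. It is an unrelated whitespace change that detaches the comment from its macro, so drop it from this hunk.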
@@ -181,11 +182,11 @@
* macros to work correctly.
*/
#ifndef SYSCALL_DEFINE0
-#define SYSCALL_DEFINE0(sname) \
- SYSCALL_METADATA(_##sname, 0); \
- asmlinkage long __x64_sys_##sname(void); \
- ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
- asmlinkage long __x64_sys_##sname(void)
+#define SYSCALL_DEFINE0(sname) \
+ SYSCALL_METADATA(_##sname, 0); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\
+ ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused)
#endif
#ifndef COND_SYSCALL
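Review bot: Changing the generated prototype from "(void)" to "(const struct pt_regs *__unused)" means any in-kernel code that calls a __x64_sys_##sname() symbol directly with no argument stops compiling. The changelog should state that no such callers exist, or that they are updated elsewhere in the series.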
--
2.23.0.351.gc4317032e6-goog
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH v2 2/5] x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0
2019-09-18 22:46 ` [PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
2019-09-18 22:46 ` [PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen
@ 2019-09-18 22:46 ` Sami Tolvanen
2019-09-18 22:46 ` [PATCH v2 3/5] x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn Sami Tolvanen
` (2 subsequent siblings)
4 siblings, 0 replies; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-18 22:46 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
From: Andy Lutomirski <luto@kernel.org>
x86 has special handling for COMPAT_SYSCALL_DEFINEx, but there was
no override for COMPAT_SYSCALL_DEFINE0. Wire it up so that we can
use it for rt_sigreturn.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
arch/x86/include/asm/syscall_wrapper.h | 32 ++++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h
index 90eb70df0b18..3dab04841494 100644
--- a/arch/x86/include/asm/syscall_wrapper.h
+++ b/arch/x86/include/asm/syscall_wrapper.h
@@ -28,13 +28,21 @@
* kernel/sys_ni.c and SYS_NI in kernel/time/posix-stubs.c to cover this
* case as well.
*/
+#define __IA32_COMPAT_SYS_STUB0(x, name) \
+ asmlinkage long __ia32_compat_sys_##name(const struct pt_regs *regs);\
+ ALLOW_ERROR_INJECTION(__ia32_compat_sys_##name, ERRNO); \
+ asmlinkage long __ia32_compat_sys_##name(const struct pt_regs *regs)\
+ { \
+ return __se_compat_sys_##name(); \
+ }
+
#define __IA32_COMPAT_SYS_STUBx(x, name, ...) \
asmlinkage long __ia32_compat_sys##name(const struct pt_regs *regs);\
ALLOW_ERROR_INJECTION(__ia32_compat_sys##name, ERRNO); \
asmlinkage long __ia32_compat_sys##name(const struct pt_regs *regs)\
{ \
return __se_compat_sys##name(SC_IA32_REGS_TO_ARGS(x,__VA_ARGS__));\
- } \
+ }
#define __IA32_SYS_STUBx(x, name, ...) \
asmlinkage long __ia32_sys##name(const struct pt_regs *regs); \
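Review bot: `__IA32_COMPAT_SYS_STUB0(x, name)` never expands its `x` parameter, so the first argument is dead. Either drop it and define the macro as `__IA32_COMPAT_SYS_STUB0(name)`, or add a one-line comment saying it is kept only to mirror the `__IA32_COMPAT_SYS_STUBx(x, name, ...)` signature. This stub also pastes `__ia32_compat_sys_##name` with an explicit underscore while the STUBx variant pastes `__ia32_compat_sys##name`; a short comment on that difference would save the next reader a lookup.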
@@ -76,15 +84,24 @@
* of the x86-64-style parameter ordering of x32 syscalls. The syscalls common
* with x86_64 obviously do not need such care.
*/
+#define __X32_COMPAT_SYS_STUB0(x, name, ...) \
+ asmlinkage long __x32_compat_sys_##name(const struct pt_regs *regs);\
+ ALLOW_ERROR_INJECTION(__x32_compat_sys_##name, ERRNO); \
+ asmlinkage long __x32_compat_sys_##name(const struct pt_regs *regs)\
+ { \
+ return __se_compat_sys_##name();\
+ }
+
#define __X32_COMPAT_SYS_STUBx(x, name, ...) \
asmlinkage long __x32_compat_sys##name(const struct pt_regs *regs);\
ALLOW_ERROR_INJECTION(__x32_compat_sys##name, ERRNO); \
asmlinkage long __x32_compat_sys##name(const struct pt_regs *regs)\
{ \
return __se_compat_sys##name(SC_X86_64_REGS_TO_ARGS(x,__VA_ARGS__));\
- } \
+ }
#else /* CONFIG_X86_X32 */
+#define __X32_COMPAT_SYS_STUB0(x, name)
#define __X32_COMPAT_SYS_STUBx(x, name, ...)
#endif /* CONFIG_X86_X32 */
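Review bot: the two definitions of `__X32_COMPAT_SYS_STUB0` disagree on their parameter list: under CONFIG_X86_X32 it is `(x, name, ...)`, while the `#else` fallback is `(x, name)`, as is the IA32 counterpart in the previous hunk. The variadic tail is never used in the body, so drop the `...` to make all three signatures match.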
@@ -95,6 +112,17 @@
* mapping of registers to parameters, we need to generate stubs for each
* of them.
*/
+#define COMPAT_SYSCALL_DEFINE0(name) \
+ static long __se_compat_sys_##name(void); \
+ static inline long __do_compat_sys_##name(void); \
+ __IA32_COMPAT_SYS_STUB0(x, name) \
+ __X32_COMPAT_SYS_STUB0(x, name) \
+ static long __se_compat_sys_##name(void) \
+ { \
+ return __do_compat_sys_##name(); \
+ } \
+ static inline long __do_compat_sys_##name(void)
+
#define COMPAT_SYSCALL_DEFINEx(x, name, ...) \
static long __se_compat_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \
static inline long __do_compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__));\
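Review bot: `COMPAT_SYSCALL_DEFINE0(name)` passes a bare `x` to `__IA32_COMPAT_SYS_STUB0(x, name)` and `__X32_COMPAT_SYS_STUB0(x, name)`, but `x` is not a parameter of this macro. It compiles only because neither stub expands that argument; removing the argument from the stubs would make that explicit. The comment block above still describes only the per-argument stub case, so add a sentence saying that the zero-argument handler is declared `(void)` and receives nothing from `regs`, since the stubs call `__se_compat_sys_##name()` with no arguments.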
--
2.23.0.351.gc4317032e6-goog
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH v2 3/5] x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn
2019-09-18 22:46 ` [PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
2019-09-18 22:46 ` [PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen
2019-09-18 22:46 ` [PATCH v2 2/5] x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0 Sami Tolvanen
@ 2019-09-18 22:46 ` Sami Tolvanen
2019-09-18 22:46 ` [PATCH v2 4/5] x86: use the correct function type for sys_ni_syscall Sami Tolvanen
2019-09-18 22:46 ` [PATCH v2 5/5] x86: fix function types in COND_SYSCALL Sami Tolvanen
4 siblings, 0 replies; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-18 22:46 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
Use COMPAT_SYSCALL_DEFINE0 to define (rt_)sigreturn syscalls to
replace sys32_sigreturn and sys32_rt_sigreturn. This fixes indirect
call mismatches with Control-Flow Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
arch/x86/entry/syscalls/syscall_32.tbl | 4 ++--
arch/x86/ia32/ia32_signal.c | 5 +++--
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl
index 3fe02546aed3..2de75fda1d20 100644
--- a/arch/x86/entry/syscalls/syscall_32.tbl
+++ b/arch/x86/entry/syscalls/syscall_32.tbl
@@ -130,7 +130,7 @@
116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo
117 i386 ipc sys_ipc __ia32_compat_sys_ipc
118 i386 fsync sys_fsync __ia32_sys_fsync
-119 i386 sigreturn sys_sigreturn sys32_sigreturn
+119 i386 sigreturn sys_sigreturn __ia32_compat_sys_sigreturn
120 i386 clone sys_clone __ia32_compat_sys_x86_clone
121 i386 setdomainname sys_setdomainname __ia32_sys_setdomainname
122 i386 uname sys_newuname __ia32_sys_newuname
@@ -184,7 +184,7 @@
170 i386 setresgid sys_setresgid16 __ia32_sys_setresgid16
171 i386 getresgid sys_getresgid16 __ia32_sys_getresgid16
172 i386 prctl sys_prctl __ia32_sys_prctl
-173 i386 rt_sigreturn sys_rt_sigreturn sys32_rt_sigreturn
+173 i386 rt_sigreturn sys_rt_sigreturn __ia32_compat_sys_rt_sigreturn
174 i386 rt_sigaction sys_rt_sigaction __ia32_compat_sys_rt_sigaction
175 i386 rt_sigprocmask sys_rt_sigprocmask __ia32_compat_sys_rt_sigprocmask
176 i386 rt_sigpending sys_rt_sigpending __ia32_compat_sys_rt_sigpending
diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
index 1cee10091b9f..30416d7f19d4 100644
--- a/arch/x86/ia32/ia32_signal.c
+++ b/arch/x86/ia32/ia32_signal.c
@@ -21,6 +21,7 @@
#include <linux/personality.h>
#include <linux/compat.h>
#include <linux/binfmts.h>
+#include <linux/syscalls.h>
#include <asm/ucontext.h>
#include <linux/uaccess.h>
#include <asm/fpu/internal.h>
@@ -118,7 +119,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
return err;
}
-asmlinkage long sys32_sigreturn(void)
+COMPAT_SYSCALL_DEFINE0(sigreturn)
{
struct pt_regs *regs = current_pt_regs();
struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8);
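Review bot: switching the definition to `COMPAT_SYSCALL_DEFINE0(sigreturn)` removes the symbol `sys32_sigreturn`, but the diffstat lists only syscall_32.tbl and ia32_signal.c. Please check that no header still carries a prototype for `sys32_sigreturn` or `sys32_rt_sigreturn`, and remove it in this patch if one exists.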
@@ -144,7 +145,7 @@ asmlinkage long sys32_sigreturn(void)
return 0;
}
-asmlinkage long sys32_rt_sigreturn(void)
+COMPAT_SYSCALL_DEFINE0(rt_sigreturn)
{
struct pt_regs *regs = current_pt_regs();
struct rt_sigframe_ia32 __user *frame;
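Review bot: with CONFIG_X86_X32 enabled, `COMPAT_SYSCALL_DEFINE0(rt_sigreturn)` (and `COMPAT_SYSCALL_DEFINE0(sigreturn)` in the previous hunk) also expands `__X32_COMPAT_SYS_STUB0`, emitting `__x32_compat_sys_rt_sigreturn` and `__x32_compat_sys_sigreturn`, yet the table changes in this patch reference only the `__ia32_compat_sys_*` names. If nothing else uses the x32 stubs they are dead global symbols; say so in the commit message, or provide a way to define an IA32-only compat syscall.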
--
2.23.0.351.gc4317032e6-goog
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH v2 4/5] x86: use the correct function type for sys_ni_syscall
2019-09-18 22:46 ` [PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
` (2 preceding siblings ...)
2019-09-18 22:46 ` [PATCH v2 3/5] x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn Sami Tolvanen
@ 2019-09-18 22:46 ` Sami Tolvanen
2019-09-18 22:46 ` [PATCH v2 5/5] x86: fix function types in COND_SYSCALL Sami Tolvanen
4 siblings, 0 replies; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-18 22:46 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
Use the correct function type for sys_ni_syscall in system
call tables to fix indirect call mismatches with Control-Flow
Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
arch/x86/entry/syscall_32.c | 8 +++-----
arch/x86/entry/syscall_64.c | 14 ++++++++++----
arch/x86/entry/syscalls/syscall_32.tbl | 4 ++--
3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/arch/x86/entry/syscall_32.c b/arch/x86/entry/syscall_32.c
index aa3336a7cb15..7d17b3addbbb 100644
--- a/arch/x86/entry/syscall_32.c
+++ b/arch/x86/entry/syscall_32.c
@@ -10,13 +10,11 @@
#ifdef CONFIG_IA32_EMULATION
/* On X86_64, we use struct pt_regs * to pass parameters to syscalls */
#define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *);
-
-/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */
-extern asmlinkage long sys_ni_syscall(const struct pt_regs *);
-
+#define __sys_ni_syscall __ia32_sys_ni_syscall
#else /* CONFIG_IA32_EMULATION */
#define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long);
extern asmlinkage long sys_ni_syscall(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long);
+#define __sys_ni_syscall sys_ni_syscall
#endif /* CONFIG_IA32_EMULATION */
#include <asm/syscalls_32.h>
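Review bot: in the CONFIG_IA32_EMULATION branch, `#define __sys_ni_syscall __ia32_sys_ni_syscall` replaces an explicit extern declaration with nothing. The table initializer `&__sys_ni_syscall` now compiles only because the `__SYSCALL_I386` expansion declares `__ia32_sys_ni_syscall` for the vm86old and vm86 rows changed in syscall_32.tbl later in this patch. Add an explicit `extern asmlinkage long __ia32_sys_ni_syscall(const struct pt_regs *);` here so the default table entry does not depend on those two rows.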
@@ -29,6 +27,6 @@ __visible const sys_call_ptr_t ia32_sys_call_table[__NR_syscall_compat_max+1] =
* Smells like a compiler bug -- it doesn't work
* when the & below is removed.
*/
- [0 ... __NR_syscall_compat_max] = &sys_ni_syscall,
+ [0 ... __NR_syscall_compat_max] = &__sys_ni_syscall,
#include <asm/syscalls_32.h>
};
diff --git a/arch/x86/entry/syscall_64.c b/arch/x86/entry/syscall_64.c
index b1bf31713374..adf619a856e8 100644
--- a/arch/x86/entry/syscall_64.c
+++ b/arch/x86/entry/syscall_64.c
@@ -4,11 +4,17 @@
#include <linux/linkage.h>
#include <linux/sys.h>
#include <linux/cache.h>
+#include <linux/syscalls.h>
#include <asm/asm-offsets.h>
#include <asm/syscall.h>
-/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */
-extern asmlinkage long sys_ni_syscall(const struct pt_regs *);
+extern asmlinkage long sys_ni_syscall(void);
+
+SYSCALL_DEFINE0(ni_syscall)
+{
+ return sys_ni_syscall();
+}
+
#define __SYSCALL_64(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *);
#define __SYSCALL_X32(nr, sym, qual) __SYSCALL_64(nr, sym, qual)
#include <asm/syscalls_64.h>
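Review bot: `SYSCALL_DEFINE0(ni_syscall)` here does more than create `__x64_sys_ni_syscall`. Per the macro in patch 1 it also emits `SYSCALL_METADATA(_ni_syscall, 0)` and, with IA32 emulation, the `__ia32_sys_ni_syscall` alias that syscall_32.c now relies on. Add a comment stating that this wrapper is the single definition used by both tables, and confirm that registering syscall metadata for a placeholder is intended. If `<linux/syscalls.h>` already declares `sys_ni_syscall`, the local `extern` added next to the new include is redundant.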
@@ -23,7 +29,7 @@ asmlinkage const sys_call_ptr_t sys_call_table[__NR_syscall_max+1] = {
* Smells like a compiler bug -- it doesn't work
* when the & below is removed.
*/
- [0 ... __NR_syscall_max] = &sys_ni_syscall,
+ [0 ... __NR_syscall_max] = &__x64_sys_ni_syscall,
#include <asm/syscalls_64.h>
};
@@ -40,7 +46,7 @@ asmlinkage const sys_call_ptr_t x32_sys_call_table[__NR_syscall_x32_max+1] = {
* Smells like a compiler bug -- it doesn't work
* when the & below is removed.
*/
- [0 ... __NR_syscall_x32_max] = &sys_ni_syscall,
+ [0 ... __NR_syscall_x32_max] = &__x64_sys_ni_syscall,
#include <asm/syscalls_64.h>
};
diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl
index 2de75fda1d20..15908eb9b17e 100644
--- a/arch/x86/entry/syscalls/syscall_32.tbl
+++ b/arch/x86/entry/syscalls/syscall_32.tbl
@@ -124,7 +124,7 @@
110 i386 iopl sys_iopl __ia32_sys_iopl
111 i386 vhangup sys_vhangup __ia32_sys_vhangup
112 i386 idle
-113 i386 vm86old sys_vm86old sys_ni_syscall
+113 i386 vm86old sys_vm86old __ia32_sys_ni_syscall
114 i386 wait4 sys_wait4 __ia32_compat_sys_wait4
115 i386 swapoff sys_swapoff __ia32_sys_swapoff
116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo
@@ -177,7 +177,7 @@
163 i386 mremap sys_mremap __ia32_sys_mremap
164 i386 setresuid sys_setresuid16 __ia32_sys_setresuid16
165 i386 getresuid sys_getresuid16 __ia32_sys_getresuid16
-166 i386 vm86 sys_vm86 sys_ni_syscall
+166 i386 vm86 sys_vm86 __ia32_sys_ni_syscall
167 i386 query_module
168 i386 poll sys_poll __ia32_sys_poll
169 i386 nfsservctl
--
2.23.0.351.gc4317032e6-goog
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH v2 5/5] x86: fix function types in COND_SYSCALL
2019-09-18 22:46 ` [PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
` (3 preceding siblings ...)
2019-09-18 22:46 ` [PATCH v2 4/5] x86: use the correct function type for sys_ni_syscall Sami Tolvanen
@ 2019-09-18 22:46 ` Sami Tolvanen
4 siblings, 0 replies; 35+ messages in thread
From: Sami Tolvanen @ 2019-09-18 22:46 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
Define a weak function in COND_SYSCALL instead of a weak alias to
sys_ni_syscall, which has an incompatible type. This fixes indirect
call mismatches with Control-Flow Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
arch/x86/include/asm/syscall_wrapper.h | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h
index 3dab04841494..e2389ce9bf58 100644
--- a/arch/x86/include/asm/syscall_wrapper.h
+++ b/arch/x86/include/asm/syscall_wrapper.h
@@ -6,6 +6,8 @@
#ifndef _ASM_X86_SYSCALL_WRAPPER_H
#define _ASM_X86_SYSCALL_WRAPPER_H
+struct pt_regs;
+
/* Mapping of registers to parameters for syscalls on x86-64 and x32 */
#define SC_X86_64_REGS_TO_ARGS(x, ...) \
__MAP(x,__SC_ARGS \
@@ -64,9 +66,15 @@
SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \
asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused)
-#define COND_SYSCALL(name) \
- cond_syscall(__x64_sys_##name); \
- cond_syscall(__ia32_sys_##name)
+#define COND_SYSCALL(name) \
+ asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \
+ { \
+ return sys_ni_syscall(); \
+ } \
+ asmlinkage __weak long __ia32_sys_##name(const struct pt_regs *__unused)\
+ { \
+ return sys_ni_syscall(); \
+ }
#define SYS_NI(name) \
SYSCALL_ALIAS(__x64_sys_##name, sys_ni_posix_timers); \
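Review bot: the new `COND_SYSCALL` bodies call `sys_ni_syscall()`, but nothing in the visible hunks declares it in this header; the patch only moves the `struct pt_regs;` forward declaration up. Add the prototype here or document which include must precede this file. Also, `SYS_NI` directly below still uses `SYSCALL_ALIAS(__x64_sys_##name, sys_ni_posix_timers)`, the same alias pattern this patch removes from `COND_SYSCALL`; if `sys_ni_posix_timers` does not take `const struct pt_regs *`, it needs the same treatment.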
@@ -218,7 +226,11 @@
#endif
#ifndef COND_SYSCALL
-#define COND_SYSCALL(name) cond_syscall(__x64_sys_##name)
+#define COND_SYSCALL(name) \
+ asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \
+ { \
+ return sys_ni_syscall(); \
+ }
#endif
#ifndef SYS_NI
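Review bot: the old `COND_SYSCALL` ended in `cond_syscall(__x64_sys_##name)` with no semicolon, so call sites supply one. The replacement ends in the `}` of a function definition, which turns each `COND_SYSCALL(foo);` into a definition followed by a stray `;` at file scope. The same applies to the two-function variant in the previous hunk. Either end the macro with a declaration that absorbs the semicolon or mention the empty declaration in the commit message.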
@@ -230,7 +242,6 @@
* For VSYSCALLS, we need to declare these three syscalls with the new
* pt_regs-based calling convention for in-kernel use.
*/
-struct pt_regs;
asmlinkage long __x64_sys_getcpu(const struct pt_regs *regs);
asmlinkage long __x64_sys_gettimeofday(const struct pt_regs *regs);
asmlinkage long __x64_sys_time(const struct pt_regs *regs);
--
2.23.0.351.gc4317032e6-goog
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches
2019-09-13 21:00 [PATCH 0/4] x86: fix syscall function type mismatches Sami Tolvanen
` (4 preceding siblings ...)
2019-09-18 22:46 ` [PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
@ 2019-10-08 22:40 ` Sami Tolvanen
2019-10-08 22:40 ` [RESEND PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen
` (5 more replies)
5 siblings, 6 replies; 35+ messages in thread
From: Sami Tolvanen @ 2019-10-08 22:40 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
This patch set changes x86 syscall wrappers and related functions to
use function types that match sys_call_ptr_t. This fixes indirect call
mismatches with Control-Flow Integrity (CFI) checking.
Changes since v1:
- Use SYSCALL_DEFINE0 for __x64_sys_ni_syscall.
- Include Andy's COMPAT_SYSCALL_DEFINE0 patch and use the macro
for (rt_)sigreturn.
Andy Lutomirski (1):
x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0
Sami Tolvanen (4):
x86: use the correct function type in SYSCALL_DEFINE0
x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn
x86: use the correct function type for sys_ni_syscall
x86: fix function types in COND_SYSCALL
arch/x86/entry/syscall_32.c | 8 +--
arch/x86/entry/syscall_64.c | 14 +++--
arch/x86/entry/syscalls/syscall_32.tbl | 8 +--
arch/x86/ia32/ia32_signal.c | 5 +-
arch/x86/include/asm/syscall_wrapper.h | 76 ++++++++++++++++++++------
5 files changed, 78 insertions(+), 33 deletions(-)
--
2.23.0.581.g78d2f28ef7-goog
^ permalink raw reply [flat|nested] 35+ messages in thread
* [RESEND PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0
2019-10-08 22:40 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
@ 2019-10-08 22:40 ` Sami Tolvanen
2019-10-11 11:22 ` [tip: x86/entry] syscalls/x86: Use " tip-bot2 for Sami Tolvanen
2019-10-08 22:40 ` [RESEND PATCH v2 2/5] x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0 Sami Tolvanen
` (4 subsequent siblings)
5 siblings, 1 reply; 35+ messages in thread
From: Sami Tolvanen @ 2019-10-08 22:40 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
Although a syscall defined using SYSCALL_DEFINE0 doesn't accept
parameters, use the correct function type to avoid type mismatches
with Control-Flow Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Acked-by: Andy Lutomirski <luto@kernel.org>
---
arch/x86/include/asm/syscall_wrapper.h | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h
index e046a405743d..90eb70df0b18 100644
--- a/arch/x86/include/asm/syscall_wrapper.h
+++ b/arch/x86/include/asm/syscall_wrapper.h
@@ -48,12 +48,13 @@
* To keep the naming coherent, re-define SYSCALL_DEFINE0 to create an alias
* named __ia32_sys_*()
*/
-#define SYSCALL_DEFINE0(sname) \
- SYSCALL_METADATA(_##sname, 0); \
- asmlinkage long __x64_sys_##sname(void); \
- ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
- SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \
- asmlinkage long __x64_sys_##sname(void)
+
+#define SYSCALL_DEFINE0(sname) \
+ SYSCALL_METADATA(_##sname, 0); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\
+ ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
+ SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused)
#define COND_SYSCALL(name) \
cond_syscall(__x64_sys_##name); \
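Review bot: the added blank `+` line before `#define SYSCALL_DEFINE0(sname)` separates the macro from the comment that documents it; drop it. The parameter name `__unused` also reads like an attribute rather than an identifier, so a plainer name or a short comment that the argument exists only to match `sys_call_ptr_t` would be clearer.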
@@ -181,11 +182,11 @@
* macros to work correctly.
*/
#ifndef SYSCALL_DEFINE0
-#define SYSCALL_DEFINE0(sname) \
- SYSCALL_METADATA(_##sname, 0); \
- asmlinkage long __x64_sys_##sname(void); \
- ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
- asmlinkage long __x64_sys_##sname(void)
+#define SYSCALL_DEFINE0(sname) \
+ SYSCALL_METADATA(_##sname, 0); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\
+ ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused)
#endif
#ifndef COND_SYSCALL
--
2.23.0.581.g78d2f28ef7-goog
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [RESEND PATCH v2 2/5] x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0
2019-10-08 22:40 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
2019-10-08 22:40 ` [RESEND PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen
@ 2019-10-08 22:40 ` Sami Tolvanen
2019-10-11 11:22 ` [tip: x86/entry] syscalls/x86: " tip-bot2 for Andy Lutomirski
2019-10-08 22:40 ` [RESEND PATCH v2 3/5] x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn Sami Tolvanen
` (3 subsequent siblings)
5 siblings, 1 reply; 35+ messages in thread
From: Sami Tolvanen @ 2019-10-08 22:40 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
From: Andy Lutomirski <luto@kernel.org>
x86 has special handling for COMPAT_SYSCALL_DEFINEx, but there was
no override for COMPAT_SYSCALL_DEFINE0. Wire it up so that we can
use it for rt_sigreturn.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
arch/x86/include/asm/syscall_wrapper.h | 32 ++++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h
index 90eb70df0b18..3dab04841494 100644
--- a/arch/x86/include/asm/syscall_wrapper.h
+++ b/arch/x86/include/asm/syscall_wrapper.h
@@ -28,13 +28,21 @@
* kernel/sys_ni.c and SYS_NI in kernel/time/posix-stubs.c to cover this
* case as well.
*/
+#define __IA32_COMPAT_SYS_STUB0(x, name) \
+ asmlinkage long __ia32_compat_sys_##name(const struct pt_regs *regs);\
+ ALLOW_ERROR_INJECTION(__ia32_compat_sys_##name, ERRNO); \
+ asmlinkage long __ia32_compat_sys_##name(const struct pt_regs *regs)\
+ { \
+ return __se_compat_sys_##name(); \
+ }
+
#define __IA32_COMPAT_SYS_STUBx(x, name, ...) \
asmlinkage long __ia32_compat_sys##name(const struct pt_regs *regs);\
ALLOW_ERROR_INJECTION(__ia32_compat_sys##name, ERRNO); \
asmlinkage long __ia32_compat_sys##name(const struct pt_regs *regs)\
{ \
return __se_compat_sys##name(SC_IA32_REGS_TO_ARGS(x,__VA_ARGS__));\
- } \
+ }
#define __IA32_SYS_STUBx(x, name, ...) \
asmlinkage long __ia32_sys##name(const struct pt_regs *regs); \
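Review bot: the change of `} \` to `}` at the end of `__IA32_COMPAT_SYS_STUBx` is a separate cleanup of a dangling line continuation and is not mentioned in the commit message. Mention it there, or split it out, so the functional addition of `__IA32_COMPAT_SYS_STUB0` is easy to review on its own.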
@@ -76,15 +84,24 @@
* of the x86-64-style parameter ordering of x32 syscalls. The syscalls common
* with x86_64 obviously do not need such care.
*/
+#define __X32_COMPAT_SYS_STUB0(x, name, ...) \
+ asmlinkage long __x32_compat_sys_##name(const struct pt_regs *regs);\
+ ALLOW_ERROR_INJECTION(__x32_compat_sys_##name, ERRNO); \
+ asmlinkage long __x32_compat_sys_##name(const struct pt_regs *regs)\
+ { \
+ return __se_compat_sys_##name();\
+ }
+
#define __X32_COMPAT_SYS_STUBx(x, name, ...) \
asmlinkage long __x32_compat_sys##name(const struct pt_regs *regs);\
ALLOW_ERROR_INJECTION(__x32_compat_sys##name, ERRNO); \
asmlinkage long __x32_compat_sys##name(const struct pt_regs *regs)\
{ \
return __se_compat_sys##name(SC_X86_64_REGS_TO_ARGS(x,__VA_ARGS__));\
- } \
+ }
#else /* CONFIG_X86_X32 */
+#define __X32_COMPAT_SYS_STUB0(x, name)
#define __X32_COMPAT_SYS_STUBx(x, name, ...)
#endif /* CONFIG_X86_X32 */
@@ -95,6 +112,17 @@
* mapping of registers to parameters, we need to generate stubs for each
* of them.
*/
+#define COMPAT_SYSCALL_DEFINE0(name) \
+ static long __se_compat_sys_##name(void); \
+ static inline long __do_compat_sys_##name(void); \
+ __IA32_COMPAT_SYS_STUB0(x, name) \
+ __X32_COMPAT_SYS_STUB0(x, name) \
+ static long __se_compat_sys_##name(void) \
+ { \
+ return __do_compat_sys_##name(); \
+ } \
+ static inline long __do_compat_sys_##name(void)
+
#define COMPAT_SYSCALL_DEFINEx(x, name, ...) \
static long __se_compat_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \
static inline long __do_compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__));\
--
2.23.0.581.g78d2f28ef7-goog
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [RESEND PATCH v2 3/5] x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn
2019-10-08 22:40 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
2019-10-08 22:40 ` [RESEND PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen
2019-10-08 22:40 ` [RESEND PATCH v2 2/5] x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0 Sami Tolvanen
@ 2019-10-08 22:40 ` Sami Tolvanen
2019-10-11 11:22 ` [tip: x86/entry] syscalls/x86: Use " tip-bot2 for Sami Tolvanen
2019-10-08 22:40 ` [RESEND PATCH v2 4/5] x86: use the correct function type for sys_ni_syscall Sami Tolvanen
` (2 subsequent siblings)
5 siblings, 1 reply; 35+ messages in thread
From: Sami Tolvanen @ 2019-10-08 22:40 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
Use COMPAT_SYSCALL_DEFINE0 to define (rt_)sigreturn syscalls to
replace sys32_sigreturn and sys32_rt_sigreturn. This fixes indirect
call mismatches with Control-Flow Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
arch/x86/entry/syscalls/syscall_32.tbl | 4 ++--
arch/x86/ia32/ia32_signal.c | 5 +++--
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl
index 3fe02546aed3..2de75fda1d20 100644
--- a/arch/x86/entry/syscalls/syscall_32.tbl
+++ b/arch/x86/entry/syscalls/syscall_32.tbl
@@ -130,7 +130,7 @@
116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo
117 i386 ipc sys_ipc __ia32_compat_sys_ipc
118 i386 fsync sys_fsync __ia32_sys_fsync
-119 i386 sigreturn sys_sigreturn sys32_sigreturn
+119 i386 sigreturn sys_sigreturn __ia32_compat_sys_sigreturn
120 i386 clone sys_clone __ia32_compat_sys_x86_clone
121 i386 setdomainname sys_setdomainname __ia32_sys_setdomainname
122 i386 uname sys_newuname __ia32_sys_newuname
@@ -184,7 +184,7 @@
170 i386 setresgid sys_setresgid16 __ia32_sys_setresgid16
171 i386 getresgid sys_getresgid16 __ia32_sys_getresgid16
172 i386 prctl sys_prctl __ia32_sys_prctl
-173 i386 rt_sigreturn sys_rt_sigreturn sys32_rt_sigreturn
+173 i386 rt_sigreturn sys_rt_sigreturn __ia32_compat_sys_rt_sigreturn
174 i386 rt_sigaction sys_rt_sigaction __ia32_compat_sys_rt_sigaction
175 i386 rt_sigprocmask sys_rt_sigprocmask __ia32_compat_sys_rt_sigprocmask
176 i386 rt_sigpending sys_rt_sigpending __ia32_compat_sys_rt_sigpending
diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
index 1cee10091b9f..30416d7f19d4 100644
--- a/arch/x86/ia32/ia32_signal.c
+++ b/arch/x86/ia32/ia32_signal.c
@@ -21,6 +21,7 @@
#include <linux/personality.h>
#include <linux/compat.h>
#include <linux/binfmts.h>
+#include <linux/syscalls.h>
#include <asm/ucontext.h>
#include <linux/uaccess.h>
#include <asm/fpu/internal.h>
@@ -118,7 +119,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
return err;
}
-asmlinkage long sys32_sigreturn(void)
+COMPAT_SYSCALL_DEFINE0(sigreturn)
{
struct pt_regs *regs = current_pt_regs();
struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8);
@@ -144,7 +145,7 @@ asmlinkage long sys32_sigreturn(void)
return 0;
}
-asmlinkage long sys32_rt_sigreturn(void)
+COMPAT_SYSCALL_DEFINE0(rt_sigreturn)
{
struct pt_regs *regs = current_pt_regs();
struct rt_sigframe_ia32 __user *frame;
--
2.23.0.581.g78d2f28ef7-goog
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [RESEND PATCH v2 4/5] x86: use the correct function type for sys_ni_syscall
2019-10-08 22:40 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
` (2 preceding siblings ...)
2019-10-08 22:40 ` [RESEND PATCH v2 3/5] x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn Sami Tolvanen
@ 2019-10-08 22:40 ` Sami Tolvanen
2019-10-11 11:22 ` [tip: x86/entry] syscalls/x86: Use " tip-bot2 for Sami Tolvanen
2019-10-08 22:40 ` [RESEND PATCH v2 5/5] x86: fix function types in COND_SYSCALL Sami Tolvanen
2019-10-10 18:17 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Andy Lutomirski
5 siblings, 1 reply; 35+ messages in thread
From: Sami Tolvanen @ 2019-10-08 22:40 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
Use the correct function type for sys_ni_syscall in system
call tables to fix indirect call mismatches with Control-Flow
Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
arch/x86/entry/syscall_32.c | 8 +++-----
arch/x86/entry/syscall_64.c | 14 ++++++++++----
arch/x86/entry/syscalls/syscall_32.tbl | 4 ++--
3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/arch/x86/entry/syscall_32.c b/arch/x86/entry/syscall_32.c
index aa3336a7cb15..7d17b3addbbb 100644
--- a/arch/x86/entry/syscall_32.c
+++ b/arch/x86/entry/syscall_32.c
@@ -10,13 +10,11 @@
#ifdef CONFIG_IA32_EMULATION
/* On X86_64, we use struct pt_regs * to pass parameters to syscalls */
#define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *);
-
-/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */
-extern asmlinkage long sys_ni_syscall(const struct pt_regs *);
-
+#define __sys_ni_syscall __ia32_sys_ni_syscall
#else /* CONFIG_IA32_EMULATION */
#define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long);
extern asmlinkage long sys_ni_syscall(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long);
+#define __sys_ni_syscall sys_ni_syscall
#endif /* CONFIG_IA32_EMULATION */
#include <asm/syscalls_32.h>
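Review bot: the `#else` branch keeps the extern declaration of `sys_ni_syscall` taking six `unsigned long` arguments, while syscall_64.c in this same patch declares `sys_ni_syscall(void)`. The removed comment admitted the old pt_regs declaration was "a lie"; the six-argument one still is, so the non-emulation table keeps a mistyped default entry behind `#define __sys_ni_syscall sys_ni_syscall`. Either wrap it the way the 64-bit file does or state in the commit message that the native 32-bit case is out of scope.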
@@ -29,6 +27,6 @@ __visible const sys_call_ptr_t ia32_sys_call_table[__NR_syscall_compat_max+1] =
* Smells like a compiler bug -- it doesn't work
* when the & below is removed.
*/
- [0 ... __NR_syscall_compat_max] = &sys_ni_syscall,
+ [0 ... __NR_syscall_compat_max] = &__sys_ni_syscall,
#include <asm/syscalls_32.h>
};
diff --git a/arch/x86/entry/syscall_64.c b/arch/x86/entry/syscall_64.c
index b1bf31713374..adf619a856e8 100644
--- a/arch/x86/entry/syscall_64.c
+++ b/arch/x86/entry/syscall_64.c
@@ -4,11 +4,17 @@
#include <linux/linkage.h>
#include <linux/sys.h>
#include <linux/cache.h>
+#include <linux/syscalls.h>
#include <asm/asm-offsets.h>
#include <asm/syscall.h>
-/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */
-extern asmlinkage long sys_ni_syscall(const struct pt_regs *);
+extern asmlinkage long sys_ni_syscall(void);
+
+SYSCALL_DEFINE0(ni_syscall)
+{
+ return sys_ni_syscall();
+}
+
#define __SYSCALL_64(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *);
#define __SYSCALL_X32(nr, sym, qual) __SYSCALL_64(nr, sym, qual)
#include <asm/syscalls_64.h>
@@ -23,7 +29,7 @@ asmlinkage const sys_call_ptr_t sys_call_table[__NR_syscall_max+1] = {
* Smells like a compiler bug -- it doesn't work
* when the & below is removed.
*/
- [0 ... __NR_syscall_max] = &sys_ni_syscall,
+ [0 ... __NR_syscall_max] = &__x64_sys_ni_syscall,
#include <asm/syscalls_64.h>
};
@@ -40,7 +46,7 @@ asmlinkage const sys_call_ptr_t x32_sys_call_table[__NR_syscall_x32_max+1] = {
* Smells like a compiler bug -- it doesn't work
* when the & below is removed.
*/
- [0 ... __NR_syscall_x32_max] = &sys_ni_syscall,
+ [0 ... __NR_syscall_x32_max] = &__x64_sys_ni_syscall,
#include <asm/syscalls_64.h>
};
diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl
index 2de75fda1d20..15908eb9b17e 100644
--- a/arch/x86/entry/syscalls/syscall_32.tbl
+++ b/arch/x86/entry/syscalls/syscall_32.tbl
@@ -124,7 +124,7 @@
110 i386 iopl sys_iopl __ia32_sys_iopl
111 i386 vhangup sys_vhangup __ia32_sys_vhangup
112 i386 idle
-113 i386 vm86old sys_vm86old sys_ni_syscall
+113 i386 vm86old sys_vm86old __ia32_sys_ni_syscall
114 i386 wait4 sys_wait4 __ia32_compat_sys_wait4
115 i386 swapoff sys_swapoff __ia32_sys_swapoff
116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo
@@ -177,7 +177,7 @@
163 i386 mremap sys_mremap __ia32_sys_mremap
164 i386 setresuid sys_setresuid16 __ia32_sys_setresuid16
165 i386 getresuid sys_getresuid16 __ia32_sys_getresuid16
-166 i386 vm86 sys_vm86 sys_ni_syscall
+166 i386 vm86 sys_vm86 __ia32_sys_ni_syscall
167 i386 query_module
168 i386 poll sys_poll __ia32_sys_poll
169 i386 nfsservctl
--
2.23.0.581.g78d2f28ef7-goog
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [RESEND PATCH v2 5/5] x86: fix function types in COND_SYSCALL
2019-10-08 22:40 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
` (3 preceding siblings ...)
2019-10-08 22:40 ` [RESEND PATCH v2 4/5] x86: use the correct function type for sys_ni_syscall Sami Tolvanen
@ 2019-10-08 22:40 ` Sami Tolvanen
2019-10-11 11:22 ` [tip: x86/entry] syscalls/x86: Fix " tip-bot2 for Sami Tolvanen
2019-10-10 18:17 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Andy Lutomirski
5 siblings, 1 reply; 35+ messages in thread
From: Sami Tolvanen @ 2019-10-08 22:40 UTC (permalink / raw)
To: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook
Cc: x86, linux-kernel, Sami Tolvanen
Define a weak function in COND_SYSCALL instead of a weak alias to
sys_ni_syscall, which has an incompatible type. This fixes indirect
call mismatches with Control-Flow Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
arch/x86/include/asm/syscall_wrapper.h | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h
index 3dab04841494..e2389ce9bf58 100644
--- a/arch/x86/include/asm/syscall_wrapper.h
+++ b/arch/x86/include/asm/syscall_wrapper.h
@@ -6,6 +6,8 @@
#ifndef _ASM_X86_SYSCALL_WRAPPER_H
#define _ASM_X86_SYSCALL_WRAPPER_H
+struct pt_regs;
+
/* Mapping of registers to parameters for syscalls on x86-64 and x32 */
#define SC_X86_64_REGS_TO_ARGS(x, ...) \
__MAP(x,__SC_ARGS \
@@ -64,9 +66,15 @@
SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \
asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused)
-#define COND_SYSCALL(name) \
- cond_syscall(__x64_sys_##name); \
- cond_syscall(__ia32_sys_##name)
+#define COND_SYSCALL(name) \
+ asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \
+ { \
+ return sys_ni_syscall(); \
+ } \
+ asmlinkage __weak long __ia32_sys_##name(const struct pt_regs *__unused)\
+ { \
+ return sys_ni_syscall(); \
+ }
#define SYS_NI(name) \
SYSCALL_ALIAS(__x64_sys_##name, sys_ni_posix_timers); \
@@ -218,7 +226,11 @@
#endif
#ifndef COND_SYSCALL
-#define COND_SYSCALL(name) cond_syscall(__x64_sys_##name)
+#define COND_SYSCALL(name) \
+ asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \
+ { \
+ return sys_ni_syscall(); \
+ }
#endif
#ifndef SYS_NI
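Review bot: The fallback COND_SYSCALL in this hunk repeats the `__x64_sys_##name` stub from the CONFIG_IA32_EMULATION variant line for line. Suggest factoring the stub into one helper macro that takes the ABI prefix, so the ia32 variant expands it twice and this fallback once; a later change to the stub body then cannot update one copy and miss the other.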
@@ -230,7 +242,6 @@
* For VSYSCALLS, we need to declare these three syscalls with the new
* pt_regs-based calling convention for in-kernel use.
*/
-struct pt_regs;
asmlinkage long __x64_sys_getcpu(const struct pt_regs *regs);
asmlinkage long __x64_sys_gettimeofday(const struct pt_regs *regs);
asmlinkage long __x64_sys_time(const struct pt_regs *regs);
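Review bot: The commit message does not explain why `struct pt_regs;` is removed here and re-added at the top of the header in the first hunk. The COND_SYSCALL bodies are only expanded at their use sites, so if something now needs the forward declaration earlier in the header, please name it in the message; if nothing does, the move can be dropped from this patch.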
--
2.23.0.581.g78d2f28ef7-goog
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches
2019-10-08 22:40 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Sami Tolvanen
` (4 preceding siblings ...)
2019-10-08 22:40 ` [RESEND PATCH v2 5/5] x86: fix function types in COND_SYSCALL Sami Tolvanen
@ 2019-10-10 18:17 ` Andy Lutomirski
2019-10-11 10:50 ` Ingo Molnar
5 siblings, 1 reply; 35+ messages in thread
From: Andy Lutomirski @ 2019-10-10 18:17 UTC (permalink / raw)
To: Sami Tolvanen
Cc: Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook, X86 ML, LKML
On Tue, Oct 8, 2019 at 3:41 PM Sami Tolvanen <samitolvanen@google.com> wrote:
>
> This patch set changes x86 syscall wrappers and related functions to
> use function types that match sys_call_ptr_t. This fixes indirect call
> mismatches with Control-Flow Integrity (CFI) checking.
tglx, I'm pretty happy with this series. Do you need anything else
from me or do you want to just pick it up in -tip?
--Andy
>
> Changes since v1:
> - Use SYSCALL_DEFINE0 for __x64_sys_ni_syscall.
> - Include Andy's COMPAT_SYSCALL_DEFINE0 patch and use the macro
> for (rt_)sigreturn.
>
> Andy Lutomirski (1):
> x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0
>
> Sami Tolvanen (4):
> x86: use the correct function type in SYSCALL_DEFINE0
> x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn
> x86: use the correct function type for sys_ni_syscall
> x86: fix function types in COND_SYSCALL
>
> arch/x86/entry/syscall_32.c | 8 +--
> arch/x86/entry/syscall_64.c | 14 +++--
> arch/x86/entry/syscalls/syscall_32.tbl | 8 +--
> arch/x86/ia32/ia32_signal.c | 5 +-
> arch/x86/include/asm/syscall_wrapper.h | 76 ++++++++++++++++++++------
> 5 files changed, 78 insertions(+), 33 deletions(-)
>
> --
> 2.23.0.581.g78d2f28ef7-goog
>
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches
2019-10-10 18:17 ` [RESEND PATCH v2 0/5] x86: fix syscall function type mismatches Andy Lutomirski
@ 2019-10-11 10:50 ` Ingo Molnar
0 siblings, 0 replies; 35+ messages in thread
From: Ingo Molnar @ 2019-10-11 10:50 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Sami Tolvanen, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
H . Peter Anvin, Kees Cook, X86 ML, LKML
* Andy Lutomirski <luto@kernel.org> wrote:
> On Tue, Oct 8, 2019 at 3:41 PM Sami Tolvanen <samitolvanen@google.com> wrote:
> >
> > This patch set changes x86 syscall wrappers and related functions to
> > use function types that match sys_call_ptr_t. This fixes indirect call
> > mismatches with Control-Flow Integrity (CFI) checking.
>
> tglx, I'm pretty happy with this series. Do you need anything else
> from me or do you want to just pick it up in -tip?
Thomas is on vacation - I've picked up the series, it looks good!
I've added your Acked-by to the #3,#4,#5 patches as well.
Thanks,
Ingo
^ permalink raw reply [flat|nested] 35+ messages in thread
* [tip: x86/entry] syscalls/x86: Fix function types in COND_SYSCALL
2019-10-08 22:40 ` [RESEND PATCH v2 5/5] x86: fix function types in COND_SYSCALL Sami Tolvanen
@ 2019-10-11 11:22 ` tip-bot2 for Sami Tolvanen
0 siblings, 0 replies; 35+ messages in thread
From: tip-bot2 for Sami Tolvanen @ 2019-10-11 11:22 UTC (permalink / raw)
To: linux-tip-commits
Cc: Sami Tolvanen, Andy Lutomirski, Borislav Petkov, H . Peter Anvin,
Kees Cook, Linus Torvalds, Peter Zijlstra, Thomas Gleixner,
Ingo Molnar, linux-kernel
The following commit has been merged into the x86/entry branch of tip:
Commit-ID: 6e4847640c6aebcaa2d9b3686cecc91b41f09269
Gitweb: https://git.kernel.org/tip/6e4847640c6aebcaa2d9b3686cecc91b41f09269
Author: Sami Tolvanen <samitolvanen@google.com>
AuthorDate: Tue, 08 Oct 2019 15:40:49 -07:00
Committer: Ingo Molnar <mingo@kernel.org>
CommitterDate: Fri, 11 Oct 2019 12:49:19 +02:00
syscalls/x86: Fix function types in COND_SYSCALL
Define a weak function in COND_SYSCALL instead of a weak alias to
sys_ni_syscall(), which has an incompatible type. This fixes indirect
call mismatches with Control-Flow Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: H . Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20191008224049.115427-6-samitolvanen@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/include/asm/syscall_wrapper.h | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h
index 3dab048..e2389ce 100644
--- a/arch/x86/include/asm/syscall_wrapper.h
+++ b/arch/x86/include/asm/syscall_wrapper.h
@@ -6,6 +6,8 @@
#ifndef _ASM_X86_SYSCALL_WRAPPER_H
#define _ASM_X86_SYSCALL_WRAPPER_H
+struct pt_regs;
+
/* Mapping of registers to parameters for syscalls on x86-64 and x32 */
#define SC_X86_64_REGS_TO_ARGS(x, ...) \
__MAP(x,__SC_ARGS \
@@ -64,9 +66,15 @@
SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \
asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused)
-#define COND_SYSCALL(name) \
- cond_syscall(__x64_sys_##name); \
- cond_syscall(__ia32_sys_##name)
+#define COND_SYSCALL(name) \
+ asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \
+ { \
+ return sys_ni_syscall(); \
+ } \
+ asmlinkage __weak long __ia32_sys_##name(const struct pt_regs *__unused)\
+ { \
+ return sys_ni_syscall(); \
+ }
#define SYS_NI(name) \
SYSCALL_ALIAS(__x64_sys_##name, sys_ni_posix_timers); \
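Review bot: Nothing next to the new COND_SYSCALL records why it defines weak functions rather than calling cond_syscall(), so a later cleanup could reasonably turn it back into an alias. Suggest a short comment above the macro saying that the stub must have the `const struct pt_regs *` prototype of the table entries. The body also calls `sys_ni_syscall()` while this header shows no declaration of it, so every file that uses COND_SYSCALL needs one in scope; either include the declaring header here or note the requirement in that comment.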
@@ -218,7 +226,11 @@
#endif
#ifndef COND_SYSCALL
-#define COND_SYSCALL(name) cond_syscall(__x64_sys_##name)
+#define COND_SYSCALL(name) \
+ asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \
+ { \
+ return sys_ni_syscall(); \
+ }
#endif
#ifndef SYS_NI
@@ -230,7 +242,6 @@
* For VSYSCALLS, we need to declare these three syscalls with the new
* pt_regs-based calling convention for in-kernel use.
*/
-struct pt_regs;
asmlinkage long __x64_sys_getcpu(const struct pt_regs *regs);
asmlinkage long __x64_sys_gettimeofday(const struct pt_regs *regs);
asmlinkage long __x64_sys_time(const struct pt_regs *regs);
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [tip: x86/entry] syscalls/x86: Use the correct function type for sys_ni_syscall
2019-10-08 22:40 ` [RESEND PATCH v2 4/5] x86: use the correct function type for sys_ni_syscall Sami Tolvanen
@ 2019-10-11 11:22 ` tip-bot2 for Sami Tolvanen
0 siblings, 0 replies; 35+ messages in thread
From: tip-bot2 for Sami Tolvanen @ 2019-10-11 11:22 UTC (permalink / raw)
To: linux-tip-commits
Cc: Sami Tolvanen, Andy Lutomirski, Borislav Petkov, H . Peter Anvin,
Kees Cook, Linus Torvalds, Peter Zijlstra, Thomas Gleixner,
Ingo Molnar, linux-kernel
The following commit has been merged into the x86/entry branch of tip:
Commit-ID: f48f01a92cca09e86d46c91d8edf9d5a71c61727
Gitweb: https://git.kernel.org/tip/f48f01a92cca09e86d46c91d8edf9d5a71c61727
Author: Sami Tolvanen <samitolvanen@google.com>
AuthorDate: Tue, 08 Oct 2019 15:40:48 -07:00
Committer: Ingo Molnar <mingo@kernel.org>
CommitterDate: Fri, 11 Oct 2019 12:49:18 +02:00
syscalls/x86: Use the correct function type for sys_ni_syscall
Use the correct function type for sys_ni_syscall() in system
call tables to fix indirect call mismatches with Control-Flow
Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: H . Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20191008224049.115427-5-samitolvanen@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/entry/syscall_32.c | 8 +++-----
arch/x86/entry/syscall_64.c | 14 ++++++++++----
arch/x86/entry/syscalls/syscall_32.tbl | 4 ++--
3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/arch/x86/entry/syscall_32.c b/arch/x86/entry/syscall_32.c
index aa3336a..7d17b3a 100644
--- a/arch/x86/entry/syscall_32.c
+++ b/arch/x86/entry/syscall_32.c
@@ -10,13 +10,11 @@
#ifdef CONFIG_IA32_EMULATION
/* On X86_64, we use struct pt_regs * to pass parameters to syscalls */
#define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *);
-
-/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */
-extern asmlinkage long sys_ni_syscall(const struct pt_regs *);
-
+#define __sys_ni_syscall __ia32_sys_ni_syscall
#else /* CONFIG_IA32_EMULATION */
#define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long);
extern asmlinkage long sys_ni_syscall(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long);
+#define __sys_ni_syscall sys_ni_syscall
#endif /* CONFIG_IA32_EMULATION */
#include <asm/syscalls_32.h>
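Review bot: The non-emulation branch still declares `extern asmlinkage long sys_ni_syscall(unsigned long, ...)` with six parameters, while syscall_64.c in this same patch declares `sys_ni_syscall(void)`. The removed "this is a lie" comment described exactly this kind of declaration, so on native 32-bit the table default is still the address of sys_ni_syscall under a prototype that differs from the other declaration. Either state in the commit message that native i386 is out of scope, or keep a comment on the remaining declaration.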
@@ -29,6 +27,6 @@ __visible const sys_call_ptr_t ia32_sys_call_table[__NR_syscall_compat_max+1] =
* Smells like a compiler bug -- it doesn't work
* when the & below is removed.
*/
- [0 ... __NR_syscall_compat_max] = &sys_ni_syscall,
+ [0 ... __NR_syscall_compat_max] = &__sys_ni_syscall,
#include <asm/syscalls_32.h>
};
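Review bot: With CONFIG_IA32_EMULATION, `&__sys_ni_syscall` resolves to `__ia32_sys_ni_syscall`, which this file never declares itself. As far as the visible lines show, the declaration arrives only through the `__SYSCALL_I386` expansion of the vm86old and vm86 rows changed in syscall_32.tbl below. Suggest an explicit `extern asmlinkage long __ia32_sys_ni_syscall(const struct pt_regs *);` next to the `#define`, so the table default does not depend on a .tbl row happening to name the symbol.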
diff --git a/arch/x86/entry/syscall_64.c b/arch/x86/entry/syscall_64.c
index b1bf317..adf619a 100644
--- a/arch/x86/entry/syscall_64.c
+++ b/arch/x86/entry/syscall_64.c
@@ -4,11 +4,17 @@
#include <linux/linkage.h>
#include <linux/sys.h>
#include <linux/cache.h>
+#include <linux/syscalls.h>
#include <asm/asm-offsets.h>
#include <asm/syscall.h>
-/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */
-extern asmlinkage long sys_ni_syscall(const struct pt_regs *);
+extern asmlinkage long sys_ni_syscall(void);
+
+SYSCALL_DEFINE0(ni_syscall)
+{
+ return sys_ni_syscall();
+}
+
#define __SYSCALL_64(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *);
#define __SYSCALL_X32(nr, sym, qual) __SYSCALL_64(nr, sym, qual)
#include <asm/syscalls_64.h>
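Review bot: SYSCALL_DEFINE0(ni_syscall) brings more than a correctly typed stub: per the macro in patch 1/5 it also emits SYSCALL_METADATA(_ni_syscall, 0) and ALLOW_ERROR_INJECTION(__x64_sys_ni_syscall, ERRNO) for what becomes the default entry of the tables. If that is intended, say so in the commit message; if not, a plain definition with the `const struct pt_regs *` prototype would be enough. The local `extern asmlinkage long sys_ni_syscall(void);` should also be checked against <linux/syscalls.h>, which this hunk newly includes, so the declaration is not duplicated.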
@@ -23,7 +29,7 @@ asmlinkage const sys_call_ptr_t sys_call_table[__NR_syscall_max+1] = {
* Smells like a compiler bug -- it doesn't work
* when the & below is removed.
*/
- [0 ... __NR_syscall_max] = &sys_ni_syscall,
+ [0 ... __NR_syscall_max] = &__x64_sys_ni_syscall,
#include <asm/syscalls_64.h>
};
@@ -40,7 +46,7 @@ asmlinkage const sys_call_ptr_t x32_sys_call_table[__NR_syscall_x32_max+1] = {
* Smells like a compiler bug -- it doesn't work
* when the & below is removed.
*/
- [0 ... __NR_syscall_x32_max] = &sys_ni_syscall,
+ [0 ... __NR_syscall_x32_max] = &__x64_sys_ni_syscall,
#include <asm/syscalls_64.h>
};
diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl
index 2de75fd..15908eb 100644
--- a/arch/x86/entry/syscalls/syscall_32.tbl
+++ b/arch/x86/entry/syscalls/syscall_32.tbl
@@ -124,7 +124,7 @@
110 i386 iopl sys_iopl __ia32_sys_iopl
111 i386 vhangup sys_vhangup __ia32_sys_vhangup
112 i386 idle
-113 i386 vm86old sys_vm86old sys_ni_syscall
+113 i386 vm86old sys_vm86old __ia32_sys_ni_syscall
114 i386 wait4 sys_wait4 __ia32_compat_sys_wait4
115 i386 swapoff sys_swapoff __ia32_sys_swapoff
116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo
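Review bot: Only the vm86old row is changed here, and vm86 in the next hunk; please confirm that no other row of this table still names `sys_ni_syscall` in the compat column, since any that remain keep the mismatched entry. Rows with no entry point, such as 112 `idle`, fall back to the table default and are covered by the syscall_32.c change, which is worth a sentence in the commit message.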
@@ -177,7 +177,7 @@
163 i386 mremap sys_mremap __ia32_sys_mremap
164 i386 setresuid sys_setresuid16 __ia32_sys_setresuid16
165 i386 getresuid sys_getresuid16 __ia32_sys_getresuid16
-166 i386 vm86 sys_vm86 sys_ni_syscall
+166 i386 vm86 sys_vm86 __ia32_sys_ni_syscall
167 i386 query_module
168 i386 poll sys_poll __ia32_sys_poll
169 i386 nfsservctl
^ permalink raw reply related [flat|nested] 35+ messages in thread
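The function type mismatch that the sys_ni_syscall and COND_SYSCALL commit messages above refer to, modelled in user-space C as an added example (not code from the patch series). The `enum fn_type` tags, `struct slot`, `CFI_TRAP`, the `demo_` names and the -ENOSYS return value are assumptions that stand in for the prototype check a CFI build performs at an indirect call.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's struct pt_regs; only its role as a type matters. */
struct pt_regs { unsigned long di; };

/* Type of every slot in the x86-64 syscall tables. */
typedef long (*sys_call_ptr_t)(const struct pt_regs *);

/* Constructed tags modelling the prototype identity a CFI build compares. */
enum fn_type { FN_VOID, FN_PT_REGS };

struct slot {
	enum fn_type type;  /* prototype the target was defined with */
	void (*fn)(void);   /* generic storage, cast back before the call */
};

#define CFI_TRAP (-100000L)  /* demo value for "indirect call rejected" */
#define AS_FN(f) ((void (*)(void))(f))

static long sys_ni_syscall(void) { return -ENOSYS; }

/* An ordinary syscall that already has the table's type. */
static long demo_x64_sys_echo(const struct pt_regs *regs) { return (long)regs->di; }

/* Shape of the patched COND_SYSCALL: a real function of the table's type.
 * The kernel marks it __weak; static is used here to stay in one file. */
#define COND_SYSCALL_DEMO(name)                                       \
	static long demo_x64_sys_##name(const struct pt_regs *unused) \
	{                                                             \
		(void)unused;                                         \
		return sys_ni_syscall();                              \
	}

COND_SYSCALL_DEMO(ni_syscall)  /* table default after the series */
COND_SYSCALL_DEMO(optional)    /* syscall compiled out of this build */

/* Before: default and conditional slots point straight at sys_ni_syscall. */
static const struct slot table_before[] = {
	{ FN_PT_REGS, AS_FN(demo_x64_sys_echo) },
	{ FN_VOID,    AS_FN(sys_ni_syscall) },
	{ FN_VOID,    AS_FN(sys_ni_syscall) },
};

/* After: every slot holds a function defined with the table's prototype. */
static const struct slot table_after[] = {
	{ FN_PT_REGS, AS_FN(demo_x64_sys_echo) },
	{ FN_PT_REGS, AS_FN(demo_x64_sys_ni_syscall) },
	{ FN_PT_REGS, AS_FN(demo_x64_sys_optional) },
};

#define NR_SLOTS (sizeof(table_before) / sizeof(table_before[0]))

/* Indirect call with the check a CFI build inserts in front of it. */
static long dispatch(const struct slot *table, size_t nr, const struct pt_regs *regs)
{
	if (nr >= NR_SLOTS)
		return -ENOSYS;
	if (table[nr].type != FN_PT_REGS)
		return CFI_TRAP;  /* target was not defined as sys_call_ptr_t */
	return ((sys_call_ptr_t)table[nr].fn)(regs);
}

/* Audit a table: how many slots would fail the check if called? */
size_t count_mismatches(const struct slot *table)
{
	size_t i, bad = 0;

	for (i = 0; i < NR_SLOTS; i++)
		if (table[i].type != FN_PT_REGS)
			bad++;
	return bad;
}

long run_before(size_t nr) { struct pt_regs r = { 42 }; return dispatch(table_before, nr, &r); }
long run_after(size_t nr)  { struct pt_regs r = { 42 }; return dispatch(table_after, nr, &r); }

int main(void)
{
	printf("before: %zu mismatched slots, slot 1 -> %ld\n",
	       count_mismatches(table_before), run_before(1));
	printf("after:  %zu mismatched slots, slot 1 -> %ld\n",
	       count_mismatches(table_after), run_after(1));
	return 0;
}
```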
* [tip: x86/entry] syscalls/x86: Use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn
2019-10-08 22:40 ` [RESEND PATCH v2 3/5] x86: use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn Sami Tolvanen
@ 2019-10-11 11:22 ` tip-bot2 for Sami Tolvanen
0 siblings, 0 replies; 35+ messages in thread
From: tip-bot2 for Sami Tolvanen @ 2019-10-11 11:22 UTC (permalink / raw)
To: linux-tip-commits
Cc: Sami Tolvanen, Andy Lutomirski, Borislav Petkov, H . Peter Anvin,
Kees Cook, Linus Torvalds, Peter Zijlstra, Thomas Gleixner,
Ingo Molnar, linux-kernel
The following commit has been merged into the x86/entry branch of tip:
Commit-ID: 00198a6eaf66609de5e4de9163bb42c7ca9dd7b7
Gitweb: https://git.kernel.org/tip/00198a6eaf66609de5e4de9163bb42c7ca9dd7b7
Author: Sami Tolvanen <samitolvanen@google.com>
AuthorDate: Tue, 08 Oct 2019 15:40:47 -07:00
Committer: Ingo Molnar <mingo@kernel.org>
CommitterDate: Fri, 11 Oct 2019 12:49:18 +02:00
syscalls/x86: Use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn
Use COMPAT_SYSCALL_DEFINE0 to define (rt_)sigreturn() syscalls to
replace sys32_sigreturn() and sys32_rt_sigreturn(). This fixes indirect
call mismatches with Control-Flow Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: H . Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20191008224049.115427-4-samitolvanen@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/entry/syscalls/syscall_32.tbl | 4 ++--
arch/x86/ia32/ia32_signal.c | 5 +++--
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl
index 3fe0254..2de75fd 100644
--- a/arch/x86/entry/syscalls/syscall_32.tbl
+++ b/arch/x86/entry/syscalls/syscall_32.tbl
@@ -130,7 +130,7 @@
116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo
117 i386 ipc sys_ipc __ia32_compat_sys_ipc
118 i386 fsync sys_fsync __ia32_sys_fsync
-119 i386 sigreturn sys_sigreturn sys32_sigreturn
+119 i386 sigreturn sys_sigreturn __ia32_compat_sys_sigreturn
120 i386 clone sys_clone __ia32_compat_sys_x86_clone
121 i386 setdomainname sys_setdomainname __ia32_sys_setdomainname
122 i386 uname sys_newuname __ia32_sys_newuname
@@ -184,7 +184,7 @@
170 i386 setresgid sys_setresgid16 __ia32_sys_setresgid16
171 i386 getresgid sys_getresgid16 __ia32_sys_getresgid16
172 i386 prctl sys_prctl __ia32_sys_prctl
-173 i386 rt_sigreturn sys_rt_sigreturn sys32_rt_sigreturn
+173 i386 rt_sigreturn sys_rt_sigreturn __ia32_compat_sys_rt_sigreturn
174 i386 rt_sigaction sys_rt_sigaction __ia32_compat_sys_rt_sigaction
175 i386 rt_sigprocmask sys_rt_sigprocmask __ia32_compat_sys_rt_sigprocmask
176 i386 rt_sigpending sys_rt_sigpending __ia32_compat_sys_rt_sigpending
diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
index 1cee100..30416d7 100644
--- a/arch/x86/ia32/ia32_signal.c
+++ b/arch/x86/ia32/ia32_signal.c
@@ -21,6 +21,7 @@
#include <linux/personality.h>
#include <linux/compat.h>
#include <linux/binfmts.h>
+#include <linux/syscalls.h>
#include <asm/ucontext.h>
#include <linux/uaccess.h>
#include <asm/fpu/internal.h>
@@ -118,7 +119,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
return err;
}
-asmlinkage long sys32_sigreturn(void)
+COMPAT_SYSCALL_DEFINE0(sigreturn)
{
struct pt_regs *regs = current_pt_regs();
struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8);
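Review bot: Defining sigreturn through COMPAT_SYSCALL_DEFINE0 also adds `ALLOW_ERROR_INJECTION(__ia32_compat_sys_sigreturn, ERRNO)` via __IA32_COMPAT_SYS_STUB0 from patch 2/5, which the old `asmlinkage long sys32_sigreturn(void)` did not carry. The commit message only mentions function types, so please state whether making sigreturn an error-injection target is intended. The body also keeps calling `current_pt_regs()` although the generated stub now receives `regs` and discards it; that is fine, but a short note in the message would save readers the question.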
@@ -144,7 +145,7 @@ badframe:
return 0;
}
-asmlinkage long sys32_rt_sigreturn(void)
+COMPAT_SYSCALL_DEFINE0(rt_sigreturn)
{
struct pt_regs *regs = current_pt_regs();
struct rt_sigframe_ia32 __user *frame;
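Review bot: COMPAT_SYSCALL_DEFINE0(rt_sigreturn) expands __X32_COMPAT_SYS_STUB0 as well, so with CONFIG_X86_X32 a global `__x32_compat_sys_rt_sigreturn` is generated from this IA32-only file, and likewise for sigreturn in the previous hunk. The table rows changed in this patch name only the `__ia32_compat_sys_` symbols, so nothing visible references the x32 stubs. Please confirm that the extra symbols are acceptable or give these two syscalls a way to skip the x32 stub.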
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [tip: x86/entry] syscalls/x86: Wire up COMPAT_SYSCALL_DEFINE0
2019-10-08 22:40 ` [RESEND PATCH v2 2/5] x86/syscalls: Wire up COMPAT_SYSCALL_DEFINE0 Sami Tolvanen
@ 2019-10-11 11:22 ` tip-bot2 for Andy Lutomirski
0 siblings, 0 replies; 35+ messages in thread
From: tip-bot2 for Andy Lutomirski @ 2019-10-11 11:22 UTC (permalink / raw)
To: linux-tip-commits
Cc: Andy Lutomirski, Sami Tolvanen, Borislav Petkov, H . Peter Anvin,
Kees Cook, Linus Torvalds, Peter Zijlstra, Thomas Gleixner,
Ingo Molnar, linux-kernel
The following commit has been merged into the x86/entry branch of tip:
Commit-ID: cf3b83e19d7c928e05a5d193c375463182c6029a
Gitweb: https://git.kernel.org/tip/cf3b83e19d7c928e05a5d193c375463182c6029a
Author: Andy Lutomirski <luto@kernel.org>
AuthorDate: Tue, 08 Oct 2019 15:40:46 -07:00
Committer: Ingo Molnar <mingo@kernel.org>
CommitterDate: Fri, 11 Oct 2019 12:49:18 +02:00
syscalls/x86: Wire up COMPAT_SYSCALL_DEFINE0
x86 has special handling for COMPAT_SYSCALL_DEFINEx, but there was
no override for COMPAT_SYSCALL_DEFINE0. Wire it up so that we can
use it for rt_sigreturn.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: H . Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20191008224049.115427-3-samitolvanen@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/include/asm/syscall_wrapper.h | 32 +++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h
index 90eb70d..3dab048 100644
--- a/arch/x86/include/asm/syscall_wrapper.h
+++ b/arch/x86/include/asm/syscall_wrapper.h
@@ -28,13 +28,21 @@
* kernel/sys_ni.c and SYS_NI in kernel/time/posix-stubs.c to cover this
* case as well.
*/
+#define __IA32_COMPAT_SYS_STUB0(x, name) \
+ asmlinkage long __ia32_compat_sys_##name(const struct pt_regs *regs);\
+ ALLOW_ERROR_INJECTION(__ia32_compat_sys_##name, ERRNO); \
+ asmlinkage long __ia32_compat_sys_##name(const struct pt_regs *regs)\
+ { \
+ return __se_compat_sys_##name(); \
+ }
+
#define __IA32_COMPAT_SYS_STUBx(x, name, ...) \
asmlinkage long __ia32_compat_sys##name(const struct pt_regs *regs);\
ALLOW_ERROR_INJECTION(__ia32_compat_sys##name, ERRNO); \
asmlinkage long __ia32_compat_sys##name(const struct pt_regs *regs)\
{ \
return __se_compat_sys##name(SC_IA32_REGS_TO_ARGS(x,__VA_ARGS__));\
- } \
+ }
#define __IA32_SYS_STUBx(x, name, ...) \
asmlinkage long __ia32_sys##name(const struct pt_regs *regs); \
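Review bot: __IA32_COMPAT_SYS_STUB0 never uses its `x` parameter, and it names the ignored argument `regs` where SYSCALL_DEFINE0 in patch 1/5 uses `__unused`. Suggest dropping `x` from the parameter list and using `__unused` so the zero-argument stubs read the same way. The change from `} \` to `}` at the end of __IA32_COMPAT_SYS_STUBx is an unrelated cleanup and deserves a line in the commit message.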
@@ -76,15 +84,24 @@
* of the x86-64-style parameter ordering of x32 syscalls. The syscalls common
* with x86_64 obviously do not need such care.
*/
+#define __X32_COMPAT_SYS_STUB0(x, name, ...) \
+ asmlinkage long __x32_compat_sys_##name(const struct pt_regs *regs);\
+ ALLOW_ERROR_INJECTION(__x32_compat_sys_##name, ERRNO); \
+ asmlinkage long __x32_compat_sys_##name(const struct pt_regs *regs)\
+ { \
+ return __se_compat_sys_##name();\
+ }
+
#define __X32_COMPAT_SYS_STUBx(x, name, ...) \
asmlinkage long __x32_compat_sys##name(const struct pt_regs *regs);\
ALLOW_ERROR_INJECTION(__x32_compat_sys##name, ERRNO); \
asmlinkage long __x32_compat_sys##name(const struct pt_regs *regs)\
{ \
return __se_compat_sys##name(SC_X86_64_REGS_TO_ARGS(x,__VA_ARGS__));\
- } \
+ }
#else /* CONFIG_X86_X32 */
+#define __X32_COMPAT_SYS_STUB0(x, name)
#define __X32_COMPAT_SYS_STUBx(x, name, ...)
#endif /* CONFIG_X86_X32 */
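Review bot: __X32_COMPAT_SYS_STUB0 is declared as `(x, name, ...)` in the CONFIG_X86_X32 branch but as `(x, name)` in the `#else` branch, and the body uses no variadic arguments. Suggest removing the `...` so both definitions accept the same argument list and a stray extra argument fails the same way in either configuration.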
@@ -95,6 +112,17 @@
* mapping of registers to parameters, we need to generate stubs for each
* of them.
*/
+#define COMPAT_SYSCALL_DEFINE0(name) \
+ static long __se_compat_sys_##name(void); \
+ static inline long __do_compat_sys_##name(void); \
+ __IA32_COMPAT_SYS_STUB0(x, name) \
+ __X32_COMPAT_SYS_STUB0(x, name) \
+ static long __se_compat_sys_##name(void) \
+ { \
+ return __do_compat_sys_##name(); \
+ } \
+ static inline long __do_compat_sys_##name(void)
+
#define COMPAT_SYSCALL_DEFINEx(x, name, ...) \
static long __se_compat_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \
static inline long __do_compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__));\
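Review bot: COMPAT_SYSCALL_DEFINE0(name) passes a literal `x` to `__IA32_COMPAT_SYS_STUB0(x, name)` and `__X32_COMPAT_SYS_STUB0(x, name)`, although `x` is not a parameter of this macro. It only works because the stubs ignore that argument, and it would silently pick up any `x` macro defined at the use site. Suggest removing the argument from both the calls and the stub definitions.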
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [tip: x86/entry] syscalls/x86: Use the correct function type in SYSCALL_DEFINE0
2019-10-08 22:40 ` [RESEND PATCH v2 1/5] x86: use the correct function type in SYSCALL_DEFINE0 Sami Tolvanen
@ 2019-10-11 11:22 ` tip-bot2 for Sami Tolvanen
0 siblings, 0 replies; 35+ messages in thread
From: tip-bot2 for Sami Tolvanen @ 2019-10-11 11:22 UTC (permalink / raw)
To: linux-tip-commits
Cc: Sami Tolvanen, Andy Lutomirski, Borislav Petkov, H . Peter Anvin,
Kees Cook, Linus Torvalds, Peter Zijlstra, Thomas Gleixner,
Ingo Molnar, linux-kernel
The following commit has been merged into the x86/entry branch of tip:
Commit-ID: 8661d769ab77c675b5eb6c3351a372b9fbc1bf40
Gitweb: https://git.kernel.org/tip/8661d769ab77c675b5eb6c3351a372b9fbc1bf40
Author: Sami Tolvanen <samitolvanen@google.com>
AuthorDate: Tue, 08 Oct 2019 15:40:45 -07:00
Committer: Ingo Molnar <mingo@kernel.org>
CommitterDate: Fri, 11 Oct 2019 12:49:18 +02:00
syscalls/x86: Use the correct function type in SYSCALL_DEFINE0
Although a syscall defined using SYSCALL_DEFINE0 doesn't accept
parameters, use the correct function type to avoid type mismatches
with Control-Flow Integrity (CFI) checking.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: H . Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20191008224049.115427-2-samitolvanen@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/include/asm/syscall_wrapper.h | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h
index e046a40..90eb70d 100644
--- a/arch/x86/include/asm/syscall_wrapper.h
+++ b/arch/x86/include/asm/syscall_wrapper.h
@@ -48,12 +48,13 @@
* To keep the naming coherent, re-define SYSCALL_DEFINE0 to create an alias
* named __ia32_sys_*()
*/
-#define SYSCALL_DEFINE0(sname) \
- SYSCALL_METADATA(_##sname, 0); \
- asmlinkage long __x64_sys_##sname(void); \
- ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
- SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \
- asmlinkage long __x64_sys_##sname(void)
+
+#define SYSCALL_DEFINE0(sname) \
+ SYSCALL_METADATA(_##sname, 0); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\
+ ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
+ SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused)
#define COND_SYSCALL(name) \
cond_syscall(__x64_sys_##name); \
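Review bot: The blank line added between the closing `*/` and `#define SYSCALL_DEFINE0` detaches the comment from the macro it documents; please drop it. That comment would also be the right place for one sentence saying that the `const struct pt_regs *__unused` parameter exists only so the function type matches sys_call_ptr_t, since nothing in the macro explains an argument that is never read.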
@@ -181,11 +182,11 @@
* macros to work correctly.
*/
#ifndef SYSCALL_DEFINE0
-#define SYSCALL_DEFINE0(sname) \
- SYSCALL_METADATA(_##sname, 0); \
- asmlinkage long __x64_sys_##sname(void); \
- ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
- asmlinkage long __x64_sys_##sname(void)
+#define SYSCALL_DEFINE0(sname) \
+ SYSCALL_METADATA(_##sname, 0); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused);\
+ ALLOW_ERROR_INJECTION(__x64_sys_##sname, ERRNO); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused)
#endif
#ifndef COND_SYSCALL
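Review bot: After this change the fallback SYSCALL_DEFINE0 differs from the CONFIG_IA32_EMULATION one in the first hunk only by the missing SYSCALL_ALIAS line, and both had to be edited identically. Suggest sharing one body between the two definitions so the prototype cannot drift between configurations, or at least add a comment on each copy pointing at the other.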
^ permalink raw reply related [flat|nested] 35+ messages in thread