From patchwork Wed Nov 4 21:18:08 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Collingbourne X-Patchwork-Id: 11883311 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.7 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_ADSP_CUSTOM_MED,DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8098CC00A89 for ; Thu, 5 Nov 2020 05:29:31 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 9B6432083B for ; Thu, 5 Nov 2020 05:29:30 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="ZErOq6SG"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="vinXJDQm"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=google.com header.i=@google.com header.b="Rmav60W+" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9B6432083B Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:To:From:Subject:References:Mime-Version:Message-Id: In-Reply-To:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=hR77fJKMUdZjRxbsgcKWeG5lukZBMygkBvb9ZooT/4Y=; b=ZErOq6SG/ow8IaWjhCy3jFCFn NwgFX6aKotLPoAxP4kdlseISTfZO/1j0XQaWYm1C1O3Fcf1iR3gi46LJDgjpASi0Hm1gNUmYq5rUp XmDvupw/bpza6is7Abrqssu6nkaeYhs7BXtwosUKf7MfYsUUWg4gvah+tX8TXjkQdGmbPF5c70TLc hjDJ8njSgq7GJSbNreq+prW2IC7PnxHBBwqB8Z7VeDgGxKUmGseaQF1MM/znguetELZJbKJwrmFzq yvor7D/M+ROTu4oNS32c3641ZANSPg9N0EUftrCGPoO01e/CHUuk/kzDy02E2JQeG5Jq4FfLfBOnk 17uLfVeDw==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kaXo5-0006Qk-Gh; Thu, 05 Nov 2020 05:27:33 +0000 Received: from casper.infradead.org ([2001:8b0:10b:1236::1]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kaW7x-00016k-4i for linux-arm-kernel@merlin.infradead.org; Thu, 05 Nov 2020 03:39:57 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Type:Cc:To:From:Subject: References:Mime-Version:Message-Id:In-Reply-To:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=4D7Q2kZ3L7YBvRzuP8i1p6TftH53P5xo5cWP8p2xBcs=; b=vinXJDQm4ObFgetOlkwnXdpKNp s5r592Hd4T+awqMXfcTLoNbnJx3eHN61OYdXbht4uqOW7mTVtSGrVloG+EARDuo5bpdfDgBbziAgP TBtro0p78BSuGXrx5Y/+VIYj5iZceD4PJZDaREgEEtAiUgqW+XrGwcv8dV7EJ5lzlWX7VBNRckfeF SP0fqPf2Ci59B0Z/QCn4oskx2uv9ud7qU9ChXhQ1tn1hsQUzWl1PE1OBkuZECkwaiAV5rrb1qNU7B 6mlRAN7Yd2N21739uryXCkoQG0OwedVhkB7kmNHCltjvxztYGR3PpS28ge1+0oSss3svmB1eGoDb2 0F/quQbg==; Received: from mail-yb1-xb4a.google.com ([2607:f8b0:4864:20::b4a]) by casper.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kaQBn-0000pW-Hf for linux-arm-kernel@lists.infradead.org; Wed, 04 Nov 2020 21:19:34 +0000 Received: by mail-yb1-xb4a.google.com with SMTP id u11so120045ybh.6 for ; Wed, 04 Nov 2020 13:19:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=sender:date:in-reply-to:message-id:mime-version:references:subject :from:to:cc; bh=4D7Q2kZ3L7YBvRzuP8i1p6TftH53P5xo5cWP8p2xBcs=; b=Rmav60W+RCIT2LWA2rZ8FJfCiKqCs+BcZaagAHdLyU7ZWJGfDkLcL8cb0d8pdgG60Z Z2JffzIBG6dSLtIZMiuMmzMdJOwM+8H1QmM2KiWAxHsGcK2pZ37irAwkaBH9ebMwd785 kgA5sLQ+wgPkXyeaewPpPM/J//nS+YODNqspdh6Ui5Sd/bvAG0GyFEp8Cfy4WmQ+rBgk dweykfNEfOxiGgawsm2cdgk1cw01rob6cov3VHHE1WMPWLeBBtlMMvRMd/+zY9MZEnPz Vr2pqDYoX5CjaCVFT5Q5a2k+UaOyizffKHEEPa/MZmNjwKbjDANXQJdJYstBK75O7m9N cz5Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=4D7Q2kZ3L7YBvRzuP8i1p6TftH53P5xo5cWP8p2xBcs=; b=gR/ErfiTVYvxxlcnEPoRuVrOPAciOATkIQtk7lYxK2uYnK6zGlTnD5Y0yZsNgyKFhu xFDBWIZasSEmExFTHHYTGtpPlPQpnr5nXhrcezOWgIrZqFuK+DMAeBHnmZ5CXtAarJdz fylRsVo84ZME1qYpyHtYG0JIv90RZZDucJQCkyz/cuqgZJ96hBGNG8BspMfl+EWxi15p bov+c/aKpEO14ZRwGMvDFY5FKMaZYI4pSSrD7l2F77KXwh+udit85OQw1QUQD1Dnfk3h UUI3/+1ggUNrTZnlcHm/lY6m575NfRFzOTQA1Y9dLVSDhOSSvQraEhrc9iIH9DWkifBU RBFA== X-Gm-Message-State: AOAM532cinp259y3DIRhrlSwQARAvJjpgcLgRyE5CkPMPmhx8rlbOEc8 oAYgsmxGFe6QXECpYBcAlLeIyDE= X-Google-Smtp-Source: ABdhPJxCMjn3XEy0/8f51pRz3bV7jkfFqDLqs9/bfY94sEGmhkUmhkE3HKdEBSeU0CZpyiHs8RCZHYQ= X-Received: from pcc-desktop.svl.corp.google.com ([2620:15c:2ce:0:7220:84ff:fe09:385a]) (user=pcc job=sendgmr) by 2002:a25:b851:: with SMTP id b17mr7525251ybm.15.1604524708250; Wed, 04 Nov 2020 13:18:28 -0800 (PST) Date: Wed, 4 Nov 2020 13:18:08 -0800 In-Reply-To: Message-Id: <039adb228822eb1f0c90cbfc716fc28fa298c58e.1604523707.git.pcc@google.com> Mime-Version: 1.0 References: X-Mailer: git-send-email 2.29.1.341.ge80a0c044ae-goog Subject: [PATCH v14 5/8] signal: clear non-uapi flag bits when passing/returning sa_flags From: Peter Collingbourne To: Catalin Marinas , Evgenii Stepanov , Kostya Serebryany , Vincenzo Frascino , Dave Martin , Will Deacon , Oleg Nesterov , "Eric W. Biederman" , "James E.J. Bottomley" X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201104_211931_821256_0FCA39AB X-CRM114-Status: GOOD ( 22.06 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Andrey Konovalov , Helge Deller , Kevin Brodsky , linux-api@vger.kernel.org, David Spickett , Peter Collingbourne , Linux ARM , Richard Henderson Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Previously we were not clearing non-uapi flag bits in sigaction.sa_flags when storing the userspace-provided sa_flags or when returning them via oldact. Start doing so. This allows userspace to detect missing support for flag bits and allows the kernel to use non-uapi bits internally, as we are already doing in arch/x86 for two flag bits. Now that this change is in place, we no longer need the code in arch/x86 that was hiding these bits from userspace, so remove it. This is technically a userspace-visible behavior change for sigaction, as the unknown bits returned via oldact.sa_flags are no longer set. However, we are free to define the behavior for unknown bits exactly because their behavior is currently undefined, so for now we can define the meaning of each of them to be "clear the bit in oldact.sa_flags unless the bit becomes known in the future". Furthermore, this behavior is consistent with OpenBSD [1], illumos [2] and XNU [3] (FreeBSD [4] and NetBSD [5] fail the syscall if unknown bits are set). So there is some precedent for this behavior in other kernels, and in particular in XNU, which is probably the most popular kernel among those that I looked at, which means that this change is less likely to be a compatibility issue. Link: [1] https://github.com/openbsd/src/blob/f634a6a4b5bf832e9c1de77f7894ae2625e74484/sys/kern/kern_sig.c#L278 Link: [2] https://github.com/illumos/illumos-gate/blob/76f19f5fdc974fe5be5c82a556e43a4df93f1de1/usr/src/uts/common/syscall/sigaction.c#L86 Link: [3] https://github.com/apple/darwin-xnu/blob/a449c6a3b8014d9406c2ddbdc81795da24aa7443/bsd/kern/kern_sig.c#L480 Link: [4] https://github.com/freebsd/freebsd/blob/eded70c37057857c6e23fae51f86b8f8f43cd2d0/sys/kern/kern_sig.c#L699 Link: [5] https://github.com/NetBSD/src/blob/3365779becdcedfca206091a645a0e8e22b2946e/sys/kern/sys_sig.c#L473 Signed-off-by: Peter Collingbourne Reviewed-by: Dave Martin Link: https://linux-review.googlesource.com/id/I35aab6f5be932505d90f3b3450c083b4db1eca86 Acked-by: "Eric W. Biederman" --- v10: - rename SA_UAPI_FLAGS -> UAPI_SA_FLAGS - refactor how we define it to avoid mentioning flags more than once arch/arm/include/asm/signal.h | 2 ++ arch/parisc/include/asm/signal.h | 2 ++ arch/x86/kernel/signal_compat.c | 7 ------- include/linux/signal_types.h | 12 ++++++++++++ kernel/signal.c | 10 ++++++++++ 5 files changed, 26 insertions(+), 7 deletions(-) diff --git a/arch/arm/include/asm/signal.h b/arch/arm/include/asm/signal.h index 65530a042009..430be7774402 100644 --- a/arch/arm/include/asm/signal.h +++ b/arch/arm/include/asm/signal.h @@ -17,6 +17,8 @@ typedef struct { unsigned long sig[_NSIG_WORDS]; } sigset_t; +#define __ARCH_UAPI_SA_FLAGS (SA_THIRTYTWO | SA_RESTORER) + #define __ARCH_HAS_SA_RESTORER #include diff --git a/arch/parisc/include/asm/signal.h b/arch/parisc/include/asm/signal.h index 715c96ba2ec8..30dd1e43ef88 100644 --- a/arch/parisc/include/asm/signal.h +++ b/arch/parisc/include/asm/signal.h @@ -21,6 +21,8 @@ typedef struct { unsigned long sig[_NSIG_WORDS]; } sigset_t; +#define __ARCH_UAPI_SA_FLAGS _SA_SIGGFAULT + #include #endif /* !__ASSEMBLY */ diff --git a/arch/x86/kernel/signal_compat.c b/arch/x86/kernel/signal_compat.c index a7f3e12cfbdb..ddfd919be46c 100644 --- a/arch/x86/kernel/signal_compat.c +++ b/arch/x86/kernel/signal_compat.c @@ -165,16 +165,9 @@ void sigaction_compat_abi(struct k_sigaction *act, struct k_sigaction *oact) { signal_compat_build_tests(); - /* Don't leak in-kernel non-uapi flags to user-space */ - if (oact) - oact->sa.sa_flags &= ~(SA_IA32_ABI | SA_X32_ABI); - if (!act) return; - /* Don't let flags to be set from userspace */ - act->sa.sa_flags &= ~(SA_IA32_ABI | SA_X32_ABI); - if (in_ia32_syscall()) act->sa.sa_flags |= SA_IA32_ABI; if (in_x32_syscall()) diff --git a/include/linux/signal_types.h b/include/linux/signal_types.h index f8a90ae9c6ec..a7887ad84d36 100644 --- a/include/linux/signal_types.h +++ b/include/linux/signal_types.h @@ -68,4 +68,16 @@ struct ksignal { int sig; }; +#ifndef __ARCH_UAPI_SA_FLAGS +#ifdef SA_RESTORER +#define __ARCH_UAPI_SA_FLAGS SA_RESTORER +#else +#define __ARCH_UAPI_SA_FLAGS 0 +#endif +#endif + +#define UAPI_SA_FLAGS \ + (SA_NOCLDSTOP | SA_NOCLDWAIT | SA_SIGINFO | SA_ONSTACK | SA_RESTART | \ + SA_NODEFER | SA_RESETHAND | __ARCH_UAPI_SA_FLAGS) + #endif /* _LINUX_SIGNAL_TYPES_H */ diff --git a/kernel/signal.c b/kernel/signal.c index 74e7315c24db..832b654dee8c 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -3964,6 +3964,16 @@ int do_sigaction(int sig, struct k_sigaction *act, struct k_sigaction *oact) if (oact) *oact = *k; + /* + * Clear unknown flag bits in order to allow userspace to detect missing + * support for flag bits and to allow the kernel to use non-uapi bits + * internally. + */ + if (act) + act->sa.sa_flags &= UAPI_SA_FLAGS; + if (oact) + oact->sa.sa_flags &= UAPI_SA_FLAGS; + sigaction_compat_abi(act, oact); if (act) {