Re: [PATCH] powerpc/signal32: Use struct_group() to zero spe regs

From: Christophe Leroy
Date: Fri Nov 19 2021 - 11:35:13 EST

Next message: Andy Shevchenko: "Re: [PATCH 00/17] Add memberof(), split some headers, and slightly simplify code"
Previous message: Nicolas Dufresne: "Re: [RFC 0/5] arm64: imx8mm: Enable Hantro VPUs"
In reply to: Kees Cook: "Re: [PATCH] powerpc/signal32: Use struct_group() to zero spe regs"
Next in thread: Kees Cook: "Re: [PATCH] powerpc/signal32: Use struct_group() to zero spe regs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Le 19/11/2021 à 17:28, Kees Cook a écrit :

On Fri, Nov 19, 2021 at 08:46:27AM +0000, LEROY Christophe wrote:

Le 18/11/2021 à 21:36, Kees Cook a écrit :

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring fields.

Add a struct_group() for the spe registers so that memset() can correctly reason
about the size:

In function 'fortify_memset_chk',
inlined from 'restore_user_regs.part.0' at arch/powerpc/kernel/signal_32.c:539:3:
>> include/linux/fortify-string.h:195:4: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
195 | __write_overflow_field();
| ^~~~~~~~~~~~~~~~~~~~~~~~

Reported-by: kernel test robot <lkp@xxxxxxxxx>
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>

Reviewed-by: Christophe Leroy <christophe.leroy@xxxxxxxxxx>

However, is it really worth adding that grouping ? Wouldn't it be
cleaner to handle evr[] and acc separately ? Now that we are using
unsafe variants of get/put user performance wouldn't be impacted.

I'm fine with whatever is desired here. I reworked an earlier version of
this patch based on mpe's feedback, so I can certain rework it again. :)

Well, with oddities like the below, it may not be straight forward. If the objective is to enable FORTIFY_SOURCE, maybe that's good enough.

Let see if Michael has any opinion.

I have some doubts about things like:

unsafe_copy_to_user(&frame->mc_vregs, current->thread.evr,
ELF_NEVRREG * sizeof(u32), failed);

Because as far as I can see, ELF_NEVRREG is 34 but mc_vregs is a table
of 33 u32 and is at the end of the structure:

struct mcontext {
elf_gregset_t mc_gregs;
elf_fpregset_t mc_fregs;
unsigned long mc_pad[2];
elf_vrregset_t mc_vregs __attribute__((__aligned__(16)));
};

typedef elf_vrreg_t elf_vrregset_t[ELF_NVRREG];

# define ELF_NEVRREG 34 /* includes acc (as 2) */
# define ELF_NVRREG 33 /* includes vscr */

I don't know these internals very well -- do you want me to change this
specifically somehow? With the BUILD_BUG_ON()s added, there's no binary
change here -- I wanted to make sure nothing was different in the
output.

Neither do I. I was just scared by what I saw while reviewing your patch. A cleanup is probably required but it can be another patch.

Christophe

Next message: Andy Shevchenko: "Re: [PATCH 00/17] Add memberof(), split some headers, and slightly simplify code"
Previous message: Nicolas Dufresne: "Re: [RFC 0/5] arm64: imx8mm: Enable Hantro VPUs"
In reply to: Kees Cook: "Re: [PATCH] powerpc/signal32: Use struct_group() to zero spe regs"
Next in thread: Kees Cook: "Re: [PATCH] powerpc/signal32: Use struct_group() to zero spe regs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]