Re: [PATCH v7 2/6] syscall.h: add syscall_set_arguments()

[Dmitry V. Levin]

On Tue, Apr 08, 2025 at 05:38:03PM -0700, Nathan Chancellor wrote:
> On Wed, Apr 09, 2025 at 01:36:11AM +0300, Dmitry V. Levin wrote:
> > On Tue, Apr 08, 2025 at 02:31:31PM -0700, Nathan Chancellor wrote:
> > > On Mon, Mar 03, 2025 at 01:20:09PM +0200, Dmitry V. Levin wrote:
> > > > +static inline void syscall_set_arguments(struct task_struct *task,
> > > > +					 struct pt_regs *regs,
> > > > +					 const unsigned long *args)
> > > > +{
> > > > +	regs->orig_a0 = args[0];
> > > > +	args++;
> > > > +	memcpy(&regs->a1, args, 5 * sizeof(regs->a1));
> > > > +}
> > > 
> > > This upsets the compiletime fortify checks, as I see a warning after
> > > syscall_set_arguments() starts being used in kernel/ptrace.c later in
> > > the series.
> > > 
> > >   $ make -skj"$(nproc)" ARCH=riscv CROSS_COMPILE=riscv64-linux- allmodconfig kernel/ptrace.o
> > >   In file included from include/linux/string.h:392,
> > >                    from include/linux/bitmap.h:13,
> > >                    from include/linux/cpumask.h:12,
> > >                    from arch/riscv/include/asm/processor.h:55,
> > >                    from include/linux/sched.h:13,
> > >                    from kernel/ptrace.c:13:
> > >   In function 'fortify_memcpy_chk',
> > >       inlined from 'syscall_set_arguments.isra' at arch/riscv/include/asm/syscall.h:82:2:
> > >   include/linux/fortify-string.h:571:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
> > >     571 |                         __write_overflow_field(p_size_field, size);
> > >         |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >   cc1: all warnings being treated as errors
> > 
> > I certainly tested the series on riscv64, but somehow I haven't seen this
> > compiler diagnostics before.
> 
> Maybe CONFIG_FORTIFY_SOURCE was not enabled? This comes from the
> kernel's fortified memcpy checking function, fortify_memcpy_chk(), not
> necessarily the compiler itself.
> 
> > > diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
> > > index a5281cdf2b10..70ec19dc8506 100644
> > > --- a/arch/riscv/include/asm/syscall.h
> > > +++ b/arch/riscv/include/asm/syscall.h
> > > @@ -78,8 +78,11 @@ static inline void syscall_set_arguments(struct task_struct *task,
> > >                                          const unsigned long *args)
> > >  {
> > >         regs->orig_a0 = args[0];
> > > -       args++;
> > > -       memcpy(&regs->a1, args, 5 * sizeof(regs->a1));
> > > +       regs->a1 = args[1];
> > > +       regs->a2 = args[2];
> > > +       regs->a3 = args[3];
> > > +       regs->a4 = args[4];
> > > +       regs->a5 = args[5];
> > >  }
> > 
> > I don't mind eliminating the memcpy() altogether, but
> > I'd like to note that syscall_set_arguments() is an exact mirror
> > of syscall_get_arguments(), so if the intentional overwrite in
> > syscall_set_arguments() is not acceptable, then the intentional
> > overread in syscall_get_arguments() shouldn't be acceptable either.
> 
> Yes, I noticed the symmetry too but I was only looking at it from the
> overwrite perspective, not the overread one. That reminded me to double
> check what fortify_memcpy_chk() actually checks for and I remembered
> that the overread version of this warning is hidden under W=1 (I guess
> because it happens more frequently).
> 
>   $ make -skj"$(nproc)" ARCH=riscv CROSS_COMPILE=riscv64-linux- W=1 allmodconfig kernel/ptrace.o
>   In file included from include/linux/string.h:392,
>                    from include/linux/bitmap.h:13,
>                    from include/linux/cpumask.h:12,
>                    from arch/riscv/include/asm/processor.h:55,
>                    from include/linux/sched.h:13,
>                    from kernel/ptrace.c:13:
>   In function 'fortify_memcpy_chk',
>       inlined from 'syscall_get_arguments.isra' at arch/riscv/include/asm/syscall.h:73:2:
>   include/linux/fortify-string.h:580:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
>     580 |                         __read_overflow2_field(q_size_field, size);
>         |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   cc1: all warnings being treated as errors
> 
> So memcpy() should indeed be eliminated from both, which obviously
> clears up the warnings.
> 
> Cheers,
> Nathan
> 
> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
> index a5281cdf2b10..34313387f977 100644
> --- a/arch/riscv/include/asm/syscall.h
> +++ b/arch/riscv/include/asm/syscall.h
> @@ -69,8 +69,11 @@ static inline void syscall_get_arguments(struct task_struct *task,
>  					 unsigned long *args)
>  {
>  	args[0] = regs->orig_a0;
> -	args++;
> -	memcpy(args, &regs->a1, 5 * sizeof(args[0]));
> +	args[1] = regs->a1;
> +	args[2] = regs->a2;
> +	args[3] = regs->a3;
> +	args[4] = regs->a4;
> +	args[5] = regs->a5;
>  }
>  
>  static inline void syscall_set_arguments(struct task_struct *task,
> @@ -78,8 +81,11 @@ static inline void syscall_set_arguments(struct task_struct *task,
>  					 const unsigned long *args)
>  {
>  	regs->orig_a0 = args[0];
> -	args++;
> -	memcpy(&regs->a1, args, 5 * sizeof(regs->a1));
> +	regs->a1 = args[1];
> +	regs->a2 = args[2];
> +	regs->a3 = args[3];
> +	regs->a4 = args[4];
> +	regs->a5 = args[5];
>  }
>  
>  static inline int syscall_get_arch(struct task_struct *task)

Looks good, thanks.  How do we proceed from this point?


-- 
ldv