
Seccomp and deep argument inspection

Posted Jun 11, 2020 7:05 UTC (Thu) by brauner (subscriber, #109349)
Parent article: Seccomp and deep argument inspection

If I may fill in some history on how we ended up with esyscalls. The versioning-by-size (vbs) idea behind extensible syscalls has already been expressed in sched_setattr() and perf_event_open() for a long time (with some ABI quirks). When I did clone3() we quickly shifted to a design that would allow for it to be easily extended or re-versioned. So I added a local and simple version of the later copy_struct_from_user() similar to what was done in other places to clone3() in 7f192e3cd316ba58c88dfa26796cf7 that implemented vbs.

+noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
+                                             struct clone_args __user *uargs,
+                                             size_t size)
+{
+       struct clone_args args;
+
+       if (unlikely(size > PAGE_SIZE))
+               return -E2BIG;
+
+       if (unlikely(size < sizeof(struct clone_args)))
+               return -EINVAL;
+
+       if (unlikely(!access_ok(uargs, size)))
+               return -EFAULT;
+
+       if (size > sizeof(struct clone_args)) {
+               unsigned char __user *addr;
+               unsigned char __user *end;
+               unsigned char val;
+
+               addr = (void __user *)uargs + sizeof(struct clone_args);
+               end = (void __user *)uargs + size;
+
+               for (; addr < end; addr++) {
+                       if (get_user(val, addr))
+                               return -EFAULT;
+                       if (val)
+                               return -E2BIG;
+               }
+
+               size = sizeof(struct clone_args);
+       }
+
+       if (copy_from_user(&args, uargs, size))
+               return -EFAULT;
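
Review bot: the lower bound in "if (unlikely(size < sizeof(struct clone_args)))" is tied to the current struct definition, so as soon as a field is appended to struct clone_args, callers built against the older, smaller layout start getting -EINVAL. Compare against a fixed constant for the size of the first published layout instead, and zero-initialise args (declared as "struct clone_args args;" with no initialiser) so that a shorter copy_from_user() leaves the newer fields as zero rather than stack contents. A short comment above the function listing the three size cases (smaller, equal, larger with an all-zero tail) would also help, since the -E2BIG return for a non-zero tail is not obvious without reading the loop.
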
At the same time, Aleksa was working on openat2() and copied the vbs logic from clone3(), at which point we realized that it would probably make sense to add a copy_struct_from_user() that would implement vbs and expose it to the kernel in general. This logic was pulled in e524d16e7e324039f2a9f82e302f0a39ac7d5812 before openat2() landed. Then all the current custom vbs implementations were replaced by this (at least the ones where it could easily be done) and the openat2() patchset switched over to it as well.



Seccomp and deep argument inspection

Posted Jun 11, 2020 17:42 UTC (Thu) by Jandar (subscriber, #85683)

> + if (unlikely(size < sizeof(struct clone_args)))
> + return -EINVAL;

Doesn't this mean old user-space compiled with a smaller struct ceases to work?

Seccomp and deep argument inspection

Posted Jun 11, 2020 21:40 UTC (Thu) by brauner (subscriber, #109349)

This used to be the code before the first extension. Now it checks for the minimal size aka the size of the first supported struct.
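
The versioning-by-size rules discussed in this thread (a fixed minimum size, zero-fill for callers with an older struct, an all-zero tail required from callers with a newer one), as an added user-space model in C. It is not the kernel's copy_struct_from_user() or code from either commit; struct demo_args, DEMO_ARGS_SIZE_VER0, DEMO_MAX_SIZE, copy_struct_model() and demo_call() are hypothetical names, and the input buffer is constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed struct, not a kernel one: v0 had two fields, v1 appended "stack". */
struct demo_args { uint64_t flags, exit_signal, stack; };
#define DEMO_ARGS_SIZE_VER0 16   /* size of the first published layout */
#define DEMO_MAX_SIZE 4096       /* stands in for PAGE_SIZE */

/* User-space model: copy a usize-byte caller struct into a ksize-byte one. */
static int copy_struct_model(void *dst, size_t ksize, const void *src, size_t usize)
{
    const unsigned char *p = src;

    if (usize > DEMO_MAX_SIZE)
        return -E2BIG;
    if (usize < DEMO_ARGS_SIZE_VER0)        /* fixed floor, not sizeof(current struct) */
        return -EINVAL;
    for (size_t i = ksize; i < usize; i++)  /* newer caller: unknown bytes must be 0 */
        if (p[i])
            return -E2BIG;
    memset(dst, 0, ksize);                  /* older caller: missing fields read as 0 */
    memcpy(dst, src, usize < ksize ? usize : ksize);
    return 0;
}

/* Build a constructed caller buffer, put `tail` in its last byte when it is
 * longer than demo_args, and return the parsed stack field or a negative errno. */
static long demo_call(size_t usize, unsigned char tail)
{
    static unsigned char buf[DEMO_MAX_SIZE];
    const uint64_t in[3] = { 1, 17, 0x1000 };
    struct demo_args k;
    int ret;

    memset(buf, 0, sizeof(buf));
    memcpy(buf, in, sizeof(in));
    if (usize > sizeof(in) && usize <= sizeof(buf))
        buf[usize - 1] = tail;
    ret = copy_struct_model(&k, sizeof(k), buf, usize);
    return ret ? ret : (long)k.stack;
}

int main(void)
{
    /* v0-sized caller is accepted; a v2-sized caller with a non-zero tail is not. */
    return demo_call(16, 0) == 0 && demo_call(32, 1) == -E2BIG ? 0 : 1;
}
```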

