François Legal <[email protected]> writes:
> Le Vendredi, Octobre 16, 2020 10:59 CEST, Philippe Gerum <[email protected]> a > écrit: > >> >> François Legal <[email protected]> writes: >> >> > Le Mercredi, Octobre 14, 2020 16:16 CEST, Greg Gallagher >> > <[email protected]> a écrit: >> > >> >> On Wed, Oct 14, 2020 at 5:37 AM Jan Kiszka <[email protected]> wrote: >> >> > >> >> > On 14.10.20 10:43, François Legal via Xenomai wrote: >> >> > > Anybody can help on this ? >> >> > > >> >> > >> >> > I'm unfortunately not familiar with the armv7 details of copy-from-user, >> >> > not too speak of how spectre contributed to it. Greg, Philippe, did you >> >> > come across this already? >> >> > >> >> > Jan >> >> > >> >> I'll take a look tonight but I haven't hit this in my testing. This >> >> was found on 4.4? Have you tried the 4.19 kernels? >> >> >> >> -Greg >> > >> > So I tried the same case on 4.19.121, with the same result, and I guess >> > for the same reason. >> > Could anybody explain why, on ARMv7, we need to copy the message header at >> > the syscall entry, and not let the xxxmsg routine do it on its own ? >> > Also, I could not find how those COBALT_SYSCALL32emu logic work. >> >> There is no way an armv7 system would run the sys32emu code in >> Cobalt. This code path is specific to architectures which support mixed >> ABI models. Only Cobalt/x86 supports this so far, issuing x86_32 >> syscalls to an x86_64 kernel. You may want to check >> CONFIG_XENO_ARCH_SYS3264, it is set to "def_bool n" in the Kconfig >> stuff. >> > > Maybe I don't use the right terms here, but what I can see from the code is > (in linux tree kernel/xenomai/posix/syscall32.c) > COBALT_SYSCALL32emu(sendmsg, handover, > (int fd, struct compat_msghdr __user *umsg, int flags)) > { > struct user_msghdr m; > int ret; > > ret = sys32_get_msghdr(&m, umsg); > > return ret ?: rtdm_fd_sendmsg(fd, &m, flags); > } > > And the problem regarding SPECTRE mitigation is with the "ret = > sys32_get_msghdr(&m, umsg);" line, as af_packet (in my case, but I > believe the other handlers should do the same) will also call > copy_from_user on the "msghdr" argument, and the SPECTRE mitigation > will check that this pointer is in the userland MM area. There is indeed a problem with this code passing the kernel memory address of a bounce buffer to RTDM handlers which would expect __user tagged memory instead. This ends up confusing any low-level copy_to/from_user routine which includes attack mitigation. rtnet_get_arg() does call such routine under the hood. This is something some Xenomai contributor may want to address. But, again, this sys32emu code cannot run for armv7 under the current stock implementation. So what we are discussing is purely hypothetical at this stage for this architecture, and should definitely never happen by construction if you are running armv7 (which does not make the original issue go away, that is granted). -- Philippe.
