Re: [PATCH 1/3] arm64: ptrace: Add is_syscall_success to handle compat

On Mon, Apr 19, 2021 at 01:19:33PM +0100, Will Deacon wrote: > On Fri, Apr 16, 2021 at 02:34:41PM +0100, Mark Rutland wrote: > > I think this is a problem we created for ourselves back in commit: > > > > 15956689a0e60aa0 ("arm64: compat: Ensure upper 32 bits of x0 are zero on syscall return) > > > > AFAICT, the perf regs samples are the only place this matters, since for > > ptrace the compat regs are implicitly truncated to compat_ulong_t, and > > audit expects the non-truncated return value. Other architectures don't > > truncate here, so I think we're setting ourselves up for a game of > > whack-a-mole to truncate and extend wherever we need to. > > > > Given that, I suspect it'd be better to do something like the below. > > > > Will, thoughts? > > I think perf is one example, but this is also visible to userspace via the > native ptrace interface and I distinctly remember needing this for some > versions of arm64 strace to work correctly when tracing compat tasks. FWIW, you've convinced me on your approach (more on that below), but when I went digging here this didn't seem to be exposed via ptrace -- for any task tracing a compat task, the GPRs are exposed via compat_gpr_{get,set}(), which always truncate to compat_ulong_t, giving the lower 32 bits. See task_user_regset_view() for where we get the regset. Am I missing something, or are you thinking of another issue you fixed at the same time?

> So I do think that clearing the upper bits on the return path is the right > approach, but it sounds like we need some more work to handle syscall(-1) > and audit (what exactly is the problem here after these patches have been > applied?) From digging a bit more, I think I agree, and I think these patches are sufficient for audit. I have some comments I'll leave separately. The remaining issues are wherever we assign a signed value to a compat GPR without explicit truncation. That'll leak via perf sampling the user regs, but I haven't managed to convince myself whether that causes any functional change in behaviour for audit, seccomp, or syscall tracing. Since we mostly use compat_ulong_t for intermediate values in compat code, it does look like this is only an issue for x0 where we assign an error value, e.g. the -ENOSYS case in el0_svc_common. I'll go see if I can find any more. With those fixed up we can remove the x0 truncation from entry.S, which'd be nice too.