Re: [RFC PATCH for 4.18 1/2] rseq: validate rseq_cs fields are < TASK_SIZE

[Andy Lutomirski]

> On Jun 28, 2018, at 5:18 PM, Linus Torvalds <torva...@linux-foundation.org> 
> wrote:
> 
>> On Thu, Jun 28, 2018 at 4:30 PM Andy Lutomirski <l...@kernel.org> wrote:
>> 
>> The idea is that, if someone screws up and sticks a number like
>> 0xbaadf00d00045678 into their rseq abort_ip in a 32-bit x86 program
>> (when they actually mean 0x00045678), we want to something consistent.
> 
> I think the "something consistent" is perfectly fine with just "it won't 
> work".
> 
> Make it do
> 
>        if (rseq_cs->abort_ip != (unsigned long)rseq_cs->abort_ip)
>                return -EINVAL;
> 
> at abort time.

You sure?  Because, unless I remember wrong, a 32-bit user program on a 64-bit 
kernel will actually work at least most of the time even if high bits are set. 
I’m okay with straight-up promising “will always work” or “will never work”, 
but “sometimes” is bad.

> 
> Done.
> 
> If it's a 32-bit kernel, the above will reject the thing, and if it's
> a 64-bit kernel, it will be a no-op, but the abort won't work in a
> 32-bit caller.
> 
> Problem solved.
> 
>             Linus