[OE-core] pseudo: host user contamination

Joshua Watt jpewhacker at gmail.com
Sat Mar 24 20:22:47 UTC 2018


On Sat, Mar 24, 2018 at 2:50 PM, Seebs <seebs at seebs.net> wrote:
> On Sat, 24 Mar 2018 12:42:45 -0700
> Andre McCurdy <armccurdy at gmail.com> wrote:
>
>> Right. The musl example is to show how it's possible to transparently
>> intercept and pass on any call to the syscall() ABI without
>> interpreting anything.
>
> Yes, if you don't need to interpret things, and aren't making
> additional other unrelated system calls after doing so.
>
>> Those details are all taken care of within the libc implementation of
>> syscall(). It's not something we need to care about at all in a
>> wrapper for it.
>
> I don't think that's correct.
>
> musl's call sequence:
>         real_syscall() // sets a3
>         return
>
> pseudo's call sequence:
>         various_setup()
>         real_syscall() // sets a3
>         other system calls // also set a3
>         return
>
> In the case where pseudo is actually *disabled*, we just return
> right away after the real call. In every other case, we're making
> other calls some of which imply system calls, and those system calls
> could potentially overwrite things that the libc implementation of
> syscall took care of. (Mutex and signal mask operations.)
>
> So for that to work, I would in principle have to stash the value
> stored in, for instance, "a3", wait until after the other system calls,
> and then restore it. Unless *only* syscall() itself actually sets
> that register, and other system calls don't, and nothing else is
> using it either.

I don't think that is true. libc's syscall() must conform to the *C*
ABI for the system... if the kernel does things that aren't in line
with the C ABI (like return things in registers that aren't expected,
fail to preserve registers that require preservation, or whatever),
wouldn't the libc syscall() be *required* to paper over it so that it
looks like a valid C call? Otherwise, it could never be safely called
from C code.

So as long as pseudo's replacement of syscall() conformed to the C
ABI, and pseudo calls the libc syscall() (which conforms to the C ABI)
as the real syscall, I think everything should be OK.

That of course doesn't deal with the reentrancy, signal masks, mutexes,
etc. IMHO, the number of syscalls we would actually consider doing
this for is necessarily pretty limited, so perhaps it would just need
some careful evaluation?

>
> -s
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
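An added illustration of the point argued in this thread (example code written for this page, not pseudo's own source or anything posted by the participants): a wrapper with the same variadic signature as libc's syscall(3) that forwards the six possible arguments to the real syscall(), then does "other work" afterwards. Because libc's syscall() already maps the raw kernel return convention (negative errno, clobbered scratch registers) onto the C ABI, the only piece of that state the wrapper itself can still lose is errno, which any later libc call may overwrite; the example shows the naive and the stashed/restored variant side by side. The function names (intercept_syscall_*, do_other_work, errno_seen_through) are hypothetical, and the extra work is a deliberately failing open() standing in for the logging, locking or database calls a real interposer would make.

```c
/* Added example: a C-ABI-conformant wrapper around libc's syscall(3) in the
 * style of an LD_PRELOAD interposer such as pseudo.  Illustrative code, not
 * pseudo's source; all intercept_syscall_* names are hypothetical.  Linux only
 * (uses SYS_getpid / SYS_close from <sys/syscall.h>). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Pull the six possible argument slots out of the va_list and hand them to
 * libc's syscall().  libc has already turned the kernel's return convention
 * (negative errno, clobbered scratch registers such as MIPS a3) into the C
 * ABI: -1 plus errno on failure, callee-saved registers intact.  Callers of
 * these wrappers must always pass six arguments, since va_arg reads six. */
static long forward_to_libc(long nr, va_list ap)
{
    long a[6];
    for (int i = 0; i < 6; i++)
        a[i] = va_arg(ap, long);
    return syscall(nr, a[0], a[1], a[2], a[3], a[4], a[5]);
}

/* Stand-in for the work a pseudo-like wrapper does after the real call
 * (logging, mutexes, database updates).  This one is a libc call that is
 * guaranteed to fail with ENOENT, so it visibly overwrites errno. */
static void do_other_work(void)
{
    int fd = open("/nonexistent-dir-for-this-example/x", O_RDONLY);
    if (fd >= 0)
        close(fd);
}

/* Naive wrapper: the signature matches libc's syscall(), but the extra work
 * after the real call clobbers errno, so the caller sees the wrong error. */
long intercept_syscall_naive(long nr, ...)
{
    va_list ap;
    va_start(ap, nr);
    long ret = forward_to_libc(nr, ap);
    va_end(ap);
    do_other_work();
    return ret;
}

/* Correct wrapper: stash errno (the C-visible counterpart of the kernel's
 * error flag) across the extra work and restore it before returning. */
long intercept_syscall_safe(long nr, ...)
{
    va_list ap;
    va_start(ap, nr);
    long ret = forward_to_libc(nr, ap);
    va_end(ap);
    int saved_errno = errno;
    do_other_work();
    errno = saved_errno;
    return ret;
}

/* Report the errno a caller observes after close(-1) through the given
 * wrapper.  close(-1) fails with EBADF; 0 means the call did not fail. */
int errno_seen_through(long (*wrapper)(long, ...))
{
    errno = 0;
    long ret = wrapper(SYS_close, (long)-1, 0L, 0L, 0L, 0L, 0L);
    return ret == -1 ? errno : 0;
}

int main(void)
{
    printf("getpid via safe wrapper: %ld (libc getpid: %d)\n",
           intercept_syscall_safe(SYS_getpid, 0L, 0L, 0L, 0L, 0L, 0L),
           (int)getpid());
    printf("errno through naive wrapper: %d (ENOENT is %d)\n",
           errno_seen_through(intercept_syscall_naive), ENOENT);
    printf("errno through safe wrapper:  %d (EBADF is %d)\n",
           errno_seen_through(intercept_syscall_safe), EBADF);
    return 0;
}
```

The errno save/restore covers only what the C ABI makes visible; it does nothing for the reentrancy, signal-mask and mutex concerns raised above, which have to be judged per intercepted syscall.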
