Conversation
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Dispatch table is generated from abi.h, so a wrong SYS_* number silently
routes a handler to the wrong slot. SYS_get_mempolicy was defined as 239
and SYS_set_mempolicy as 238; the asm-generic numbers are 236 and 237.
Guest calls to the real 236/237 fell through to unimplemented-syscall
warning, while real 238/239 (migrate_pages, move_pages) silently invoked
the misplaced mempolicy handlers: get_mempolicy on slot 239 wrote to
whatever pointers the move_pages caller had loaded into x0/x1.
setfsuid (151) and setfsgid (152) were never wired. procps brackets its
/proc walks with setfsuid(uid) / setfsuid(0), so ps and top warned twice
on every refresh. Linux returns the previous fs{uid,gid} from these
calls; elfuse does not track fsuid separately from euid, so the stub
returns proc_get_{euid,egid}() and ignores the argument. procps observes
a stable cred snapshot on both brackets, which is what its
access-bracketing pattern needs. The glibc query idiom setfsuid(-1) also
reports the current euid, so permission-validation callers
(setfsuid(target); setfsuid(-1) != target) still detect a failed
transition correctly.
The cred fields in proc-identity.c are _Atomic uint32_t, so unbracketed
read in the stub is word-tear safe and matches the existing sc_geteuid
pattern; CRED_BRACKETED is reserved for mutating syscalls that need to
raise ATTN_BIT_CRED for sibling vCPUs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Dispatch table is generated from abi.h, so a wrong SYS_* number silently routes a handler to the wrong slot. SYS_get_mempolicy was defined as 239 and SYS_set_mempolicy as 238; the asm-generic numbers are 236 and 237. Guest calls to the real 236/237 fell through to unimplemented-syscall warning, while real 238/239 (migrate_pages, move_pages) silently invoked the misplaced mempolicy handlers: get_mempolicy on slot 239 wrote to whatever pointers the move_pages caller had loaded into x0/x1.
setfsuid (151) and setfsgid (152) were never wired. procps brackets its /proc walks with setfsuid(uid) / setfsuid(0), so ps and top warned twice on every refresh. Linux returns the previous fs{uid,gid} from these calls; elfuse does not track fsuid separately from euid, so the stub returns proc_get_{euid,egid}() and ignores the argument. procps observes a stable cred snapshot on both brackets, which is what its access-bracketing pattern needs. The glibc query idiom setfsuid(-1) also reports the current euid, so permission-validation callers (setfsuid(target); setfsuid(-1) != target) still detect a failed transition correctly.
The cred fields in proc-identity.c are _Atomic uint32_t, so unbracketed read in the stub is word-tear safe and matches the existing sc_geteuid pattern; CRED_BRACKETED is reserved for mutating syscalls that need to raise ATTN_BIT_CRED for sibling vCPUs.
Summary by cubic
Corrected mempolicy syscall numbers and wired
setfsuid/setfsgid. This fixes wrong syscall dispatch and removes ps/top warnings during /proc walks.Bug Fixes
abi.hand dispatch; real 236/237 now handled, and 238/239 no longer hit the wrong handlers.New Features
setfsuid/setfsgidstubs that return current euid/egid without changing state; supports the-1query idiom.dispatch.tbland added credential tests;procps/proc walks now see a stable snapshot and stop warning.Written for commit faefa45. Summary will update on new commits.