Proper handling of unknown flags in system calls
As noted by various commenters on our earlier article, "Flags as a system call API design pattern", there is an important step that is required when equipping a system call with a flags argument. If the kernel does not take care to return an error if unknown flags are set, it is setting the stage for a number of compatibility problems in the future. Unfortunately, the history of Linux (and Unix) system call development shows that this lesson has been hard to learn.
In particular, a system call flags argument (or indeed any input structure argument that has a bit-flags field) should always include a check of the following form in its implementation:
if (flags & ~(FL_XXX | FL_YYY)) return -EINVAL;
Here, FL_XXX and FL_YYY form the hypothetical set of flags that the system call understands, and the effect of this check is to deliver an error when the caller specifies any bit value other than one in the set. Checks like this future-proof the API against the day when the system call understands additional flags. Suppose that the system call adds a new flag, FL_ZZZ, and adjusts its check to:
if (flags & ~(FL_XXX | FL_YYY | FL_ZZZ)) return -EINVAL;
A user-space application is now able to check whether it is running on a kernel where the system call supports FL_ZZZ by checking for an EINVAL error when making the system call. This allows the application to flexibly deal with system call differences across kernel versions.
Although implementing flags checks such as the above inside the kernel might seem simple and obvious, it turns out that dozens of system calls don't make this check, including clock_nanosleep(), clone(), epoll_ctl(), fcntl(F_SETFL), mmap(), msgrcv(), msgsnd(), open(), recv(), send(), sigaction(), splice(), unshare(), and many others.
Most of those system calls have been around for several years. In more recent times, most new system calls that have a flags argument include the required check. However, such checks are missing even in a few system calls added in recent kernel versions, such as as open_by_handle_at() (2.6.39), recvmmsg() (2.6.33), and sendmmsg() (3.0). In each of those recent cases, the implementer was presumably emulating the lack of checking that was done in the corresponding earlier system call (open(), recv(), send()). However, the failure to add the checks represents a missed opportunity to improve on the original API.
For each of the system calls that lack a check on the flags argument, user-space applications have no easy way of detecting what API flags a particular kernel version supports. Furthermore, failure to implement such checks in the kernel can also complicate the lives of kernel developers, as a couple of examples demonstrate.
When the kernel fails to check that only valid bits are passed in flags, user-space applications can, with impunity, place random garbage in the "unused" bits of flags. If a kernel developer then decides to make use of one of the hitherto unused bits, this may lead to surprising breakage in user-space applications, which in turn may require the kernel developer to write suboptimal implementations of new user-space API features. One recent example of this was in the implementation of the EPOLLWAKEUP flag, where avoiding user-space breakage meant that the kernel silently ignored this flag if the caller did not have the CAP_BLOCK_SUSPEND capability. Ideally, of course, the kernel would have informed the caller by returning an error from the call. Consequently, applications that want to be absolutely sure that the call will succeed must explicitly check beforehand that they have the CAP_BLOCK_SUSPEND capability.
An even more recent example was in the implementation of the O_TMPFILE flag for open(), where the flag definition incorporated the O_DIRECTORY flag, with the goal that older kernels that do not support O_TMPFILE would give an error if the flag was specified in a call to open(). This was necessary, because applications that create temporary files are often security conscious, and need to know whether their requests to create hidden temporary files have been honored. Without this fix, the O_TMPFILE flag would be silently ignored on older kernels, and an application might end up creating a visible file. An unpleasant side effect of that implementation is that user-space applications must check for two different errors from open() in order to determine whether they are running on a kernel that doesn't support O_TMPFILE.
Finally, it is worth mentioning that a few system calls have added the required flags check after the call was first implemented. Two examples are the ancient system calls umount2() (check added in Linux 2.6.34) and swapon() (check added in Linux 3.4). In addition, the mremap() call, which first appeared in Linux 2.0, added the check in Linux 2.4, and the timerfd_settime() system call, which first appeared in Linux 2.6.25, added the check in Linux 2.6.29.
However, the addition of flags checks to these system calls represents an exception to the general rule that such checks cannot be added after the fact, because doing so would break existing applications that happen to pass random garbage in the "unused" bits of flags. With umount2() and swapon(), the change was possible presumably because there are few users of these system calls other than the mount and swapon commands, and those programs could be modified if the kernel change caused them to break. In the case of timerfd_settime(), the change was made soon after the initial implementation, when there were likely to have been few users of the interface. And in the case of mremap(), the change was made at the time of a major kernel version change (from 2.2 to 2.4), when such ABI changes were occasionally permitted; with the contemporary 10-week release cycle, such changes are not permitted.
Thus if the check on
unused flag bits is not included in the initial implementation, it is
often impossible to add it later. The clear conclusion is that any
addition of flag bits to a system call should come with the proper checks
from the outset.
| Index entries for this article | |
|---|---|
| Kernel | Development model/Patterns |
| Kernel | System calls |
| GuestArticles | Kerrisk, Michael |
Posted Feb 27, 2014 11:30 UTC (Thu)
by epa (subscriber, #39769)
[Link] (3 responses)
When a new flag is added to clone() it can continue to be ignored with api_level 0 and only have effect with 1 and above.
I imagine that the standard C library would call api_level as soon as the process is created.
Posted Feb 27, 2014 12:52 UTC (Thu)
by HelloWorld (guest, #56129)
[Link]
Posted Mar 2, 2014 23:58 UTC (Sun)
by andreasb (guest, #80258)
[Link] (1 responses)
Linked libraries would be the obvious biggest problem. Also, if you want to use a new flag for one syscall in your program and have to raise api_level for that, you'd have to audit the complete source for any syscalls incompatible with that api_level.
Posted Mar 3, 2014 10:31 UTC (Mon)
by epa (subscriber, #39769)
[Link]
Posted Feb 27, 2014 22:31 UTC (Thu)
by cesarb (subscriber, #6266)
[Link] (3 responses)
Note: I am joking.
Posted Feb 28, 2014 10:17 UTC (Fri)
by renox (guest, #23785)
[Link] (2 responses)
That's said, it's still possible: two bits for the GC(in case one isn't enough), two bits for the 'OS compatibility' (in case one isn't enough), it remains 60-bit for the real address which is more than enough.
Note: I am *not* joking.
Posted Feb 28, 2014 22:50 UTC (Fri)
by cesarb (subscriber, #6266)
[Link]
Whatever bits the userspace program is using for GC or other tagging already have to be masked out before passing the pointer to the kernel, so it does not matter if the same bits are used for userspace tags and system call flags. They won't conflict. That said, I stand by my proposal being a joke (though my jokes being taken seriously has happened before). It only works if the address space is split right in the middle; it would work for x86-64 and for 32-bit architectures with a 2G/2G split, but would not work for 32-bit architectures with a 3G/1G split, where there are valid userspace pointers with the high bit set. It's also an horribly ugly kludge.
Posted Jul 18, 2014 22:25 UTC (Fri)
by jengelh (guest, #33263)
[Link]
Unless I am mistaken, AddressSanitizer already does something like that to keep state.
https://code.google.com/p/address-sanitizer/wiki/AddressS...
Posted Feb 28, 2014 14:41 UTC (Fri)
by paulj (subscriber, #341)
[Link]
Posted Feb 28, 2014 15:13 UTC (Fri)
by davecb (subscriber, #1574)
[Link] (2 responses)
We had exactly this problem on Solaris. David J. Brown of spec-1170 fame went through and removed all the edge-cases from our implementation, over a number of years.
We offered a "next version" guarantee and provided a tool, "appcert". If your program passed appcert but didn't run on the next release of Solaris, it was Sun's fault and we were on the hook to fix it. Think of it as "validate once, run forever"
Mostly, people failed appcert, but a few passed and blew up, thus exposing new bugs for us before they shipped their product.
Linux could do something similar: announce an addition is coming in the next release and ship a test tool to detect breakage. Obviously one would also ship another optional tool to let a broken app keep running (;-))
In the specific case of flags, it's easy to write an interposer (interceptor) that checks the flags. Easy, in this case, was on the
order of 30 seconds ...
The same kind of interposer can be used to fix the flags, for people who don't have the source code for a buggy program they still want to run.
If anyone wants the mkinterposer script or a complete set of interposers, send me mail.
--dave
Posted Feb 28, 2014 18:42 UTC (Fri)
by mm7323 (subscriber, #87386)
[Link] (1 responses)
Posted Feb 28, 2014 19:46 UTC (Fri)
by davecb (subscriber, #1574)
[Link]
Adding a library and one more call/return is harmless, and can be added to a regression-test suite with LD_PRELOAD=/path/to/intrerposer.so.1
As it happens, we fell in love with shared libraries and built several tools, including apptrace, a standard-library strace equivalent, a shared library profiler and a transaction performance monitor, all lightweight and non-crash-inducing.
Posted Mar 3, 2014 8:01 UTC (Mon)
by dlang (guest, #313)
[Link] (3 responses)
In this case, I think the firewalls were doing the right thing. they didn't know what this bit meant and so had no idea what the effect of allowing it would be.
You need to think of this sort of situation when you talk about how to handl unknown flags.
Posted Mar 5, 2014 14:29 UTC (Wed)
by mkerrisk (subscriber, #1978)
[Link] (2 responses)
(Just as background for others, and to make sure that we're talking about the same thing, I presume we are talking about this: http://tools.ietf.org/search/rfc3360#section-3 )
Someone else also mentioned this example to me. I haven't thought about it at length, but it seems to me that this case is different in kind. The problem there is that *a third party* is mediating the conversation between two end-points. In that case, things get more tricky. But, the case of a direct two-party user-space-to-kernel conversation is simpler, and I think the "check for invalid flags" rule always applies.
Posted Mar 5, 2014 14:31 UTC (Wed)
by dlang (guest, #313)
[Link] (1 responses)
Posted Mar 5, 2014 15:22 UTC (Wed)
by mkerrisk (subscriber, #1978)
[Link]
Distinguish between old and new programs
Distinguish between old and new programs
> the kernel silently ignored this flag if the caller did not have the CAP_BLOCK_SUSPEND capability
on all future developer generations to come.
Distinguish between old and new programs
Distinguish between old and new programs
Hidden flag
Hidden flag
Hidden flag
Hidden flag
Proper handling of unknown flags in system calls
Catching misuse, and "standardizing after the fact"
$cat open.c
/*
* open -- intercept calls to open to catch flag errors
* Generated by mkinterposer from a template by David Collier-Brown.
* This is free software, copyright is disclaimed by the author.
*/
#define MASK 0xDEADBEEF
#include <dlfcn.h> /* For dlopen(). */
#include <link.h>
#include <assert.h> /* For assert() macro. */
#include <fcntl.h> /* For open(). */
#include <sys/stat.h> /* For open(). */
#include <sys/types.h> /* For open(). */
/*
* open -- intercept open
*/
int open(const char *pathname, int flags) {
int open(const char *pathname, int flags, mode_t mode) {
static void *actual = NULL;
if (actual == NULL) {
actual = dlsym(RTLD_NEXT, "open");
assert(actual != NULL);
}
assert((flags & MASK) == 0);
return ((int (*)(const char *, int))actual)(pathname, flags);
}
davecb@spamcop.net
Catching misuse, and "standardizing after the fact"
Catching misuse, and "standardizing after the fact"
Proper handling of unknown flags in system calls
Proper handling of unknown flags in system calls
> marked as 'reserved' for years, so suitably paranoid firewalls
> either dropped packets with it, or zeroed it out. This caused
> grief when the bit was redefined to mean something new and large
> portions of the Internet couldn't use it.
Proper handling of unknown flags in system calls
Proper handling of unknown flags in system calls