public inbox for libc-alpha@sourceware.org
* Correct way of calling prctl(2) (was: Sashimi of prctl(2))
       [not found] ` <ddbdyaiptesjalgfmztxideej67e3yaob7ucsmbf6qvriwxiif@dohhxrqgwhrf>
@ 2024-05-28  9:24   ` Alejandro Colomar
  2024-05-28  9:42     ` Alejandro Colomar
  2024-05-28 15:20     ` Correct way of calling prctl(2) (was: Sashimi of prctl(2)) Xi Ruoyao
  0 siblings, 2 replies; 7+ messages in thread
From: Alejandro Colomar @ 2024-05-28  9:24 UTC (permalink / raw)
  To: libc-alpha; +Cc: linux-man

[Adding libc-alpha@ for some doubts]

Hi!

On Sun, May 26, 2024 at 01:27:43PM GMT, Alejandro Colomar wrote:
> On Sun, May 26, 2024 at 01:07:24PM GMT, Alejandro Colomar wrote:
> > I'm considering making sashimi of prctl(2), similar to what I did
> > recently to proc(5).  Another precedent is in ioctl(2).

I'll call the pages with names such as PR_CAP_AMBIENT(2const) and
PR_CAP_AMBIENT_RAISE(2const).

While doing that, I changed the prototypes in the SYNOPSIS to things
like

     int prctl(PR_CAP_AMBIENT, unsigned long op, ...);

and

     int prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, unsigned long cap, 0, 0);

Which makes me wonder.  glibc implements prctl(2) as a variadic
function, so those 0s are actually of type (and more importantly of
width) 'int'.  This means a user passing 0 is leaving some parameters
uninitialized.

From what I can see, glibc does no magic to set unspecified parameters
to 0, so this means passing '0' results in Undefined Behavior.

I guess I should document these as 0L in the SYNOPSIS.

     int prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, unsigned long cap, 0L, 0L);

All of the software I've seen out there using prctl(2) either pass 0 (as
the manual page had been suggesting), such as in shadow:
<https://github.com/shadow-maint/shadow/blob/71e28359d12491727b2e94c71d2e1e1682d45a02/lib/idmapping.c#L161>

	if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {

or don't pass anything at all (coreutils does this):
<https://git.savannah.gnu.org/cgit/coreutils.git/tree/src/timeout.c#n449>

	if (prctl (PR_SET_DUMPABLE, 0) == 0)

Am I missing something or are all of those calls buggy?

Some prctl(2) calls report EINVAL when the unused arguments are nonzero,
while others simply ignore it, so maybe I can document the ones ignoring
the unused arguments as shorter calls:

     int prctl(PR_SET_DUMPABLE, unsigned long dumpable);

And document the ones that report errors as using 0L:

     int prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, unsigned long cap, 0, 0);

(BTW, util-linux seems to have this one wrong:)

<https://sources.debian.org/src/util-linux/2.40.1-2/lib/caputils.c/?hl=123#L123>

	&& prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0)

What do you think about this?

Have a lovely day!
Alex

-- 
<https://www.alejandro-colomar.es/>


* Re: Correct way of calling prctl(2) (was: Sashimi of prctl(2))
  2024-05-28  9:24   ` Correct way of calling prctl(2) (was: Sashimi of prctl(2)) Alejandro Colomar
@ 2024-05-28  9:42     ` Alejandro Colomar
  2024-05-28 11:48       ` [PATCH v1 0/2] uapi/linux/prctl: Use the L and UL integer suffixes for certain constants Alejandro Colomar
  2024-05-28 15:20     ` Correct way of calling prctl(2) (was: Sashimi of prctl(2)) Xi Ruoyao
  1 sibling, 1 reply; 7+ messages in thread
From: Alejandro Colomar @ 2024-05-28  9:42 UTC (permalink / raw)
  To: libc-alpha, linux-api; +Cc: linux-man

[Adding linux-api@]

On Tue, May 28, 2024 at 11:24:13AM GMT, Alejandro Colomar wrote:
> [Adding libc-alpha@ for some doubts]
> 
> Hi!
> 
> On Sun, May 26, 2024 at 01:27:43PM GMT, Alejandro Colomar wrote:
> > On Sun, May 26, 2024 at 01:07:24PM GMT, Alejandro Colomar wrote:
> > > I'm considering making sashimi of prctl(2), similar to what I did
> > > recently to proc(5).  Another precedent is in ioctl(2).
> 
> I'll call the pages with names such as PR_CAP_AMBIENT(2const) and
> PR_CAP_AMBIENT_RAISE(2const).
> 
> While doing that, I changed the prototypes in the SYNOPSIS to things
> like
> 
>      int prctl(PR_CAP_AMBIENT, unsigned long op, ...);
> 
> and
> 
>      int prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, unsigned long cap, 0, 0);
> 
> Which makes me wonder.  glibc implements prctl(2) as a variadic
> function, so those 0s are actually of type (and more importantly of
> width) 'int'.  This means a user passing 0 is leaving some parameters
> uninitialized.
> 
> From what I can see, glibc does no magic to set unspecified parameters
> to 0, so this means passing '0' results in Undefined Behavior.
> 
> I guess I should document these as 0L in the SYNOPSIS.
> 
>      int prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, unsigned long cap, 0L, 0L);
> 
> All of the software I've seen out there using prctl(2) either pass 0 (as
> the manual page had been suggesting), such as in shadow:
> <https://github.com/shadow-maint/shadow/blob/71e28359d12491727b2e94c71d2e1e1682d45a02/lib/idmapping.c#L161>
> 
> 	if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
> 
> or don't pass anything at all (coreutils does this):
> <https://git.savannah.gnu.org/cgit/coreutils.git/tree/src/timeout.c#n449>
> 
> 	if (prctl (PR_SET_DUMPABLE, 0) == 0)
> 
> Am I missing something or are all of those calls buggy?
> 
> Some prctl(2) calls report EINVAL when the unused arguments are nonzero,
> while others simply ignore it, so maybe I can document the ones ignoring
> the unused arguments as shorter calls:
> 
>      int prctl(PR_SET_DUMPABLE, unsigned long dumpable);
> 
> And document the ones that report errors as using 0L:
> 
>      int prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, unsigned long cap, 0, 0);
> 
> (BTW, util-linux seems to have this one wrong:)
> 
> <https://sources.debian.org/src/util-linux/2.40.1-2/lib/caputils.c/?hl=123#L123>
> 
> 	&& prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0)

And another problem is the definition of PR_CAP_AMBIENT_RAISE (and
similar macros), which are defined as ints:

$ grepc PR_CAP_AMBIENT_RAISE /usr/include/
/usr/include/linux/prctl.h:# define PR_CAP_AMBIENT_RAISE		2

but they should be defined as unsigned longs.  (This is a Linux UAPI
problem.)

> 
> What do you think about this?
> 
> Have a lovely day!
> Alex

-- 
<https://www.alejandro-colomar.es/>


* [PATCH v1 0/2] uapi/linux/prctl: Use the L and UL integer suffixes for certain constants
  2024-05-28  9:42     ` Alejandro Colomar
@ 2024-05-28 11:48       ` Alejandro Colomar
  2024-05-28 11:48         ` [PATCH v1 1/2] uapi/linux/prctl: Use the L integer suffix for enumerations of width long Alejandro Colomar
                           ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Alejandro Colomar @ 2024-05-28 11:48 UTC (permalink / raw)
  To: linux-api; +Cc: linux-man, libc-alpha, Alejandro Colomar


Alejandro Colomar (2):
  uapi/linux/prctl: Use the L integer suffix for enumerations of width
    long
  uapi/linux/prctl: Use the UL integer suffix for bit fields of width
    long

 include/uapi/linux/prctl.h | 186 ++++++++++++++++++-------------------
 1 file changed, 93 insertions(+), 93 deletions(-)

Range-diff against v0:
-:  ------------ > 1:  eb1cdf3e2f33 uapi/linux/prctl: Use the L integer suffix for enumerations of width long
-:  ------------ > 2:  16f5bd565191 uapi/linux/prctl: Use the UL integer suffix for bit fields of width long
-- 
2.45.1



* [PATCH v1 1/2] uapi/linux/prctl: Use the L integer suffix for enumerations of width long
  2024-05-28 11:48       ` [PATCH v1 0/2] uapi/linux/prctl: Use the L and UL integer suffixes for certain constants Alejandro Colomar
@ 2024-05-28 11:48         ` Alejandro Colomar
  2024-05-28 11:48         ` [PATCH v1 2/2] uapi/linux/prctl: Use the UL integer suffix for bit fields " Alejandro Colomar
  2024-06-12 12:02         ` [PATCH v1 0/2] uapi/linux/prctl: Use the L and UL integer suffixes for certain constants Alejandro Colomar
  2 siblings, 0 replies; 7+ messages in thread
From: Alejandro Colomar @ 2024-05-28 11:48 UTC (permalink / raw)
  To: linux-api; +Cc: linux-man, libc-alpha, Alejandro Colomar

The prctl(2) wrapper provided by glibc uses a variadic argument list.
This means that the arguments *must* have the right type (and more
importantly, the right width).  To avoid the user having to cast these
constants, provide them with the appropriate width, that of a long.

Having the width of a long is sufficient, and we don't need UL.  Let's
reserve that suffix for bit fields, which need to be unsigned to avoid
easily triggering undefined (or implementation-defined) behavior.

Link: <https://inbox.sourceware.org/libc-alpha/x6r3yc6l34g4k5g3tm6ywecdqux54xlpid7bp2fa7hvm43luc7@6fjgaxgm5uyj/T/>
Cc: <linux-api@vger.kernel.org>
Cc: <linux-man@vger.kernel.org>
Cc: <libc-alpha@sourceware.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
 include/uapi/linux/prctl.h | 126 ++++++++++++++++++-------------------
 1 file changed, 63 insertions(+), 63 deletions(-)

diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
index 35791791a879..60e14adb8d20 100644
--- a/include/uapi/linux/prctl.h
+++ b/include/uapi/linux/prctl.h
@@ -16,8 +16,8 @@
 /* Get/set unaligned access control bits (if meaningful) */
 #define PR_GET_UNALIGN	  5
 #define PR_SET_UNALIGN	  6
-# define PR_UNALIGN_NOPRINT	1	/* silently fix up unaligned user accesses */
-# define PR_UNALIGN_SIGBUS	2	/* generate SIGBUS on unaligned user access */
+# define PR_UNALIGN_NOPRINT	1L	/* silently fix up unaligned user accesses */
+# define PR_UNALIGN_SIGBUS	2L	/* generate SIGBUS on unaligned user access */
 
 /* Get/set whether or not to drop capabilities on setuid() away from
  * uid 0 (as per security/commoncap.c) */
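
Review bot: PR_UNALIGN_NOPRINT and PR_UNALIGN_SIGBUS get the L suffix here, but the comment heading this block calls them "control bits" and their values are 1 and 2, so they read as flags rather than as an enumeration. Under the split the commit message sets out (L for enumerations, UL reserved for bit fields), 1UL and 2UL would be the consistent choice. The same question applies to PR_FPEMU_NOPRINT and PR_FPEMU_SIGFPE in the next hunk, whose comment also says "control bits". If these are meant as mutually exclusive values, a sentence in the commit message saying so would settle it.
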
@@ -27,8 +27,8 @@
 /* Get/set floating-point emulation control bits (if meaningful) */
 #define PR_GET_FPEMU  9
 #define PR_SET_FPEMU 10
-# define PR_FPEMU_NOPRINT	1	/* silently emulate fp operations accesses */
-# define PR_FPEMU_SIGFPE	2	/* don't emulate fp operations, send SIGFPE instead */
+# define PR_FPEMU_NOPRINT	1L	/* silently emulate fp operations accesses */
+# define PR_FPEMU_SIGFPE	2L	/* don't emulate fp operations, send SIGFPE instead */
 
 /* Get/set floating-point exception mode (if meaningful) */
 #define PR_GET_FPEXC	11
@@ -39,18 +39,18 @@
 # define PR_FP_EXC_UND		0x040000	/* floating point underflow */
 # define PR_FP_EXC_RES		0x080000	/* floating point inexact result */
 # define PR_FP_EXC_INV		0x100000	/* floating point invalid operation */
-# define PR_FP_EXC_DISABLED	0	/* FP exceptions disabled */
-# define PR_FP_EXC_NONRECOV	1	/* async non-recoverable exc. mode */
-# define PR_FP_EXC_ASYNC	2	/* async recoverable exception mode */
-# define PR_FP_EXC_PRECISE	3	/* precise exception mode */
+# define PR_FP_EXC_DISABLED	0L	/* FP exceptions disabled */
+# define PR_FP_EXC_NONRECOV	1L	/* async non-recoverable exc. mode */
+# define PR_FP_EXC_ASYNC	2L	/* async recoverable exception mode */
+# define PR_FP_EXC_PRECISE	3L	/* precise exception mode */
 
 /* Get/set whether we use statistical process timing or accurate timestamp
  * based process timing */
 #define PR_GET_TIMING   13
 #define PR_SET_TIMING   14
-# define PR_TIMING_STATISTICAL  0       /* Normal, traditional,
+# define PR_TIMING_STATISTICAL  0L      /* Normal, traditional,
                                                    statistical process timing */
-# define PR_TIMING_TIMESTAMP    1       /* Accurate timestamp based
+# define PR_TIMING_TIMESTAMP    1L      /* Accurate timestamp based
                                                    process timing */
 
 #define PR_SET_NAME    15		/* Set process name */
@@ -59,9 +59,9 @@
 /* Get/set process endian */
 #define PR_GET_ENDIAN	19
 #define PR_SET_ENDIAN	20
-# define PR_ENDIAN_BIG		0
-# define PR_ENDIAN_LITTLE	1	/* True little endian mode */
-# define PR_ENDIAN_PPC_LITTLE	2	/* "PowerPC" pseudo little endian */
+# define PR_ENDIAN_BIG		0L
+# define PR_ENDIAN_LITTLE	1L	/* True little endian mode */
+# define PR_ENDIAN_PPC_LITTLE	2L	/* "PowerPC" pseudo little endian */
 
 /* Get/set process seccomp mode */
 #define PR_GET_SECCOMP	21
@@ -74,8 +74,8 @@
 /* Get/set the process' ability to use the timestamp counter instruction */
 #define PR_GET_TSC 25
 #define PR_SET_TSC 26
-# define PR_TSC_ENABLE		1	/* allow the use of the timestamp counter */
-# define PR_TSC_SIGSEGV		2	/* throw a SIGSEGV instead of reading the TSC */
+# define PR_TSC_ENABLE		1L	/* allow the use of the timestamp counter */
+# define PR_TSC_SIGSEGV		2L	/* throw a SIGSEGV instead of reading the TSC */
 
 /* Get/set securebits (as per security/commoncap.c) */
 #define PR_GET_SECUREBITS 27
@@ -96,12 +96,12 @@
  * This influences when the process gets killed on a memory corruption.
  */
 #define PR_MCE_KILL	33
-# define PR_MCE_KILL_CLEAR   0
-# define PR_MCE_KILL_SET     1
+# define PR_MCE_KILL_CLEAR   0L
+# define PR_MCE_KILL_SET     1L
 
-# define PR_MCE_KILL_LATE    0
-# define PR_MCE_KILL_EARLY   1
-# define PR_MCE_KILL_DEFAULT 2
+# define PR_MCE_KILL_LATE    0L
+# define PR_MCE_KILL_EARLY   1L
+# define PR_MCE_KILL_DEFAULT 2L
 
 #define PR_MCE_KILL_GET 34
 
@@ -109,21 +109,21 @@
  * Tune up process memory map specifics.
  */
 #define PR_SET_MM		35
-# define PR_SET_MM_START_CODE		1
-# define PR_SET_MM_END_CODE		2
-# define PR_SET_MM_START_DATA		3
-# define PR_SET_MM_END_DATA		4
-# define PR_SET_MM_START_STACK		5
-# define PR_SET_MM_START_BRK		6
-# define PR_SET_MM_BRK			7
-# define PR_SET_MM_ARG_START		8
-# define PR_SET_MM_ARG_END		9
-# define PR_SET_MM_ENV_START		10
-# define PR_SET_MM_ENV_END		11
-# define PR_SET_MM_AUXV			12
-# define PR_SET_MM_EXE_FILE		13
-# define PR_SET_MM_MAP			14
-# define PR_SET_MM_MAP_SIZE		15
+# define PR_SET_MM_START_CODE		1L
+# define PR_SET_MM_END_CODE		2L
+# define PR_SET_MM_START_DATA		3L
+# define PR_SET_MM_END_DATA		4L
+# define PR_SET_MM_START_STACK		5L
+# define PR_SET_MM_START_BRK		6L
+# define PR_SET_MM_BRK			7L
+# define PR_SET_MM_ARG_START		8L
+# define PR_SET_MM_ARG_END		9L
+# define PR_SET_MM_ENV_START		10L
+# define PR_SET_MM_ENV_END		11L
+# define PR_SET_MM_AUXV			12L
+# define PR_SET_MM_EXE_FILE		13L
+# define PR_SET_MM_MAP			14L
+# define PR_SET_MM_MAP_SIZE		15L
 
 /*
  * This structure provides new memory descriptor
@@ -193,10 +193,10 @@ struct prctl_mm_map {
 
 /* Control the ambient capability set */
 #define PR_CAP_AMBIENT			47
-# define PR_CAP_AMBIENT_IS_SET		1
-# define PR_CAP_AMBIENT_RAISE		2
-# define PR_CAP_AMBIENT_LOWER		3
-# define PR_CAP_AMBIENT_CLEAR_ALL	4
+# define PR_CAP_AMBIENT_IS_SET		1L
+# define PR_CAP_AMBIENT_RAISE		2L
+# define PR_CAP_AMBIENT_LOWER		3L
+# define PR_CAP_AMBIENT_CLEAR_ALL	4L
 
 /* arm64 Scalable Vector Extension controls */
 /* Flag values must be kept in sync with ptrace NT_ARM_SVE interface */
@@ -211,9 +211,9 @@ struct prctl_mm_map {
 #define PR_GET_SPECULATION_CTRL		52
 #define PR_SET_SPECULATION_CTRL		53
 /* Speculation control variants */
-# define PR_SPEC_STORE_BYPASS		0
-# define PR_SPEC_INDIRECT_BRANCH	1
-# define PR_SPEC_L1D_FLUSH		2
+# define PR_SPEC_STORE_BYPASS		0L
+# define PR_SPEC_INDIRECT_BRANCH	1L
+# define PR_SPEC_L1D_FLUSH		2L
 /* Return and control values for PR_SET/GET_SPECULATION_CTRL */
 # define PR_SPEC_NOT_AFFECTED		0
 # define PR_SPEC_PRCTL			(1UL << 0)
@@ -251,11 +251,11 @@ struct prctl_mm_map {
 
 /* Dispatch syscalls to a userspace handler */
 #define PR_SET_SYSCALL_USER_DISPATCH	59
-# define PR_SYS_DISPATCH_OFF		0
-# define PR_SYS_DISPATCH_ON		1
+# define PR_SYS_DISPATCH_OFF		0L
+# define PR_SYS_DISPATCH_ON		1L
 /* The control values for the user space selector when dispatch is enabled */
-# define SYSCALL_DISPATCH_FILTER_ALLOW	0
-# define SYSCALL_DISPATCH_FILTER_BLOCK	1
+# define SYSCALL_DISPATCH_FILTER_ALLOW	0L
+# define SYSCALL_DISPATCH_FILTER_BLOCK	1L
 
 /* Set/get enabled arm64 pointer authentication keys */
 #define PR_PAC_SET_ENABLED_KEYS		60
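
Review bot: SYSCALL_DISPATCH_FILTER_ALLOW and SYSCALL_DISPATCH_FILTER_BLOCK are described by the comment above them as control values for the user space selector, not as arguments of the prctl() call, so the variadic-argument rationale in the commit message does not obviously cover them. Either leave these two as plain 0 and 1, or add a line to the message explaining why they need the width of a long.
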
@@ -263,14 +263,14 @@ struct prctl_mm_map {
 
 /* Request the scheduler to share a core */
 #define PR_SCHED_CORE			62
-# define PR_SCHED_CORE_GET		0
-# define PR_SCHED_CORE_CREATE		1 /* create unique core_sched cookie */
-# define PR_SCHED_CORE_SHARE_TO		2 /* push core_sched cookie to pid */
-# define PR_SCHED_CORE_SHARE_FROM	3 /* pull core_sched cookie to pid */
-# define PR_SCHED_CORE_MAX		4
-# define PR_SCHED_CORE_SCOPE_THREAD		0
-# define PR_SCHED_CORE_SCOPE_THREAD_GROUP	1
-# define PR_SCHED_CORE_SCOPE_PROCESS_GROUP	2
+# define PR_SCHED_CORE_GET		0L
+# define PR_SCHED_CORE_CREATE		1L /* create unique core_sched cookie */
+# define PR_SCHED_CORE_SHARE_TO		2L /* push core_sched cookie to pid */
+# define PR_SCHED_CORE_SHARE_FROM	3L /* pull core_sched cookie to pid */
+# define PR_SCHED_CORE_MAX		4L
+# define PR_SCHED_CORE_SCOPE_THREAD		0L
+# define PR_SCHED_CORE_SCOPE_THREAD_GROUP	1L
+# define PR_SCHED_CORE_SCOPE_PROCESS_GROUP	2L
 
 /* arm64 Scalable Matrix Extension controls */
 /* Flag values must be in sync with SVE versions */
@@ -289,7 +289,7 @@ struct prctl_mm_map {
 #define PR_GET_MDWE			66
 
 #define PR_SET_VMA		0x53564d41
-# define PR_SET_VMA_ANON_NAME		0
+# define PR_SET_VMA_ANON_NAME		0L
 
 #define PR_GET_AUXV			0x41555856
 
@@ -307,19 +307,19 @@ struct prctl_mm_map {
 # define PR_RISCV_V_VSTATE_CTRL_MASK		0x1f
 
 #define PR_RISCV_SET_ICACHE_FLUSH_CTX	71
-# define PR_RISCV_CTX_SW_FENCEI_ON	0
-# define PR_RISCV_CTX_SW_FENCEI_OFF	1
-# define PR_RISCV_SCOPE_PER_PROCESS	0
-# define PR_RISCV_SCOPE_PER_THREAD	1
+# define PR_RISCV_CTX_SW_FENCEI_ON	0L
+# define PR_RISCV_CTX_SW_FENCEI_OFF	1L
+# define PR_RISCV_SCOPE_PER_PROCESS	0L
+# define PR_RISCV_SCOPE_PER_THREAD	1L
 
 /* PowerPC Dynamic Execution Control Register (DEXCR) controls */
 #define PR_PPC_GET_DEXCR		72
 #define PR_PPC_SET_DEXCR		73
 /* DEXCR aspect to act on */
-# define PR_PPC_DEXCR_SBHE		0 /* Speculative branch hint enable */
-# define PR_PPC_DEXCR_IBRTPD		1 /* Indirect branch recurrent target prediction disable */
-# define PR_PPC_DEXCR_SRAPD		2 /* Subroutine return address prediction disable */
-# define PR_PPC_DEXCR_NPHIE		3 /* Non-privileged hash instruction enable */
+# define PR_PPC_DEXCR_SBHE		0L /* Speculative branch hint enable */
+# define PR_PPC_DEXCR_IBRTPD		1L /* Indirect branch recurrent target prediction disable */
+# define PR_PPC_DEXCR_SRAPD		2L /* Subroutine return address prediction disable */
+# define PR_PPC_DEXCR_NPHIE		3L /* Non-privileged hash instruction enable */
 /* Action to apply / return */
 # define PR_PPC_DEXCR_CTRL_EDITABLE	 0x1 /* Aspect can be modified with PR_PPC_SET_DEXCR */
 # define PR_PPC_DEXCR_CTRL_SET		 0x2 /* Set the aspect for this process */
-- 
2.45.1



* [PATCH v1 2/2] uapi/linux/prctl: Use the UL integer suffix for bit fields of width long
  2024-05-28 11:48       ` [PATCH v1 0/2] uapi/linux/prctl: Use the L and UL integer suffixes for certain constants Alejandro Colomar
  2024-05-28 11:48         ` [PATCH v1 1/2] uapi/linux/prctl: Use the L integer suffix for enumerations of width long Alejandro Colomar
@ 2024-05-28 11:48         ` Alejandro Colomar
  2024-06-12 12:02         ` [PATCH v1 0/2] uapi/linux/prctl: Use the L and UL integer suffixes for certain constants Alejandro Colomar
  2 siblings, 0 replies; 7+ messages in thread
From: Alejandro Colomar @ 2024-05-28 11:48 UTC (permalink / raw)
  To: linux-api; +Cc: linux-man, libc-alpha, Alejandro Colomar

The prctl(2) wrapper provided by glibc uses a variadic argument list.
This means that the arguments *must* have the right type (and more
importantly, the right width).  To avoid the user having to cast these
constants, provide them with the appropriate width, that of a long.

These are bit fields, and bitwise operations are dangerous on signed
integers, so let's make sure they are unsigned.

Link: <https://inbox.sourceware.org/libc-alpha/x6r3yc6l34g4k5g3tm6ywecdqux54xlpid7bp2fa7hvm43luc7@6fjgaxgm5uyj/T/>
Cc: <linux-api@vger.kernel.org>
Cc: <linux-man@vger.kernel.org>
Cc: <libc-alpha@sourceware.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
 include/uapi/linux/prctl.h | 60 +++++++++++++++++++-------------------
 1 file changed, 30 insertions(+), 30 deletions(-)

diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
index 60e14adb8d20..c016c316f3c5 100644
--- a/include/uapi/linux/prctl.h
+++ b/include/uapi/linux/prctl.h
@@ -33,12 +33,12 @@
 /* Get/set floating-point exception mode (if meaningful) */
 #define PR_GET_FPEXC	11
 #define PR_SET_FPEXC	12
-# define PR_FP_EXC_SW_ENABLE	0x80	/* Use FPEXC for FP exception enables */
-# define PR_FP_EXC_DIV		0x010000	/* floating point divide by zero */
-# define PR_FP_EXC_OVF		0x020000	/* floating point overflow */
-# define PR_FP_EXC_UND		0x040000	/* floating point underflow */
-# define PR_FP_EXC_RES		0x080000	/* floating point inexact result */
-# define PR_FP_EXC_INV		0x100000	/* floating point invalid operation */
+# define PR_FP_EXC_SW_ENABLE	0x80UL	/* Use FPEXC for FP exception enables */
+# define PR_FP_EXC_DIV		0x010000UL	/* floating point divide by zero */
+# define PR_FP_EXC_OVF		0x020000UL	/* floating point overflow */
+# define PR_FP_EXC_UND		0x040000UL	/* floating point underflow */
+# define PR_FP_EXC_RES		0x080000UL	/* floating point inexact result */
+# define PR_FP_EXC_INV		0x100000UL	/* floating point invalid operation */
 # define PR_FP_EXC_DISABLED	0L	/* FP exceptions disabled */
 # define PR_FP_EXC_NONRECOV	1L	/* async non-recoverable exc. mode */
 # define PR_FP_EXC_ASYNC	2L	/* async recoverable exception mode */
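
Review bot: After this hunk the PR_SET_FPEXC block mixes unsigned flags (PR_FP_EXC_SW_ENABLE through PR_FP_EXC_INV, now UL) with signed values (PR_FP_EXC_DISABLED, PR_FP_EXC_NONRECOV, PR_FP_EXC_ASYNC, left as L) under a single "exception mode" comment. If the flags and the mode values can be combined in one argument, give the whole block one type; if they cannot, add a comment to the header saying which constants are flags and which are modes so the difference in suffix is not read as an oversight.
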
@@ -188,8 +188,8 @@ struct prctl_mm_map {
 
 #define PR_SET_FP_MODE		45
 #define PR_GET_FP_MODE		46
-# define PR_FP_MODE_FR		(1 << 0)	/* 64b FP registers */
-# define PR_FP_MODE_FRE		(1 << 1)	/* 32b compatibility */
+# define PR_FP_MODE_FR		(1UL << 0)	/* 64b FP registers */
+# define PR_FP_MODE_FRE		(1UL << 1)	/* 32b compatibility */
 
 /* Control the ambient capability set */
 #define PR_CAP_AMBIENT			47
@@ -201,11 +201,11 @@ struct prctl_mm_map {
 /* arm64 Scalable Vector Extension controls */
 /* Flag values must be kept in sync with ptrace NT_ARM_SVE interface */
 #define PR_SVE_SET_VL			50	/* set task vector length */
-# define PR_SVE_SET_VL_ONEXEC		(1 << 18) /* defer effect until exec */
+# define PR_SVE_SET_VL_ONEXEC		(1UL << 18) /* defer effect until exec */
 #define PR_SVE_GET_VL			51	/* get task vector length */
 /* Bits common to PR_SVE_SET_VL and PR_SVE_GET_VL */
-# define PR_SVE_VL_LEN_MASK		0xffff
-# define PR_SVE_VL_INHERIT		(1 << 17) /* inherit across exec */
+# define PR_SVE_VL_LEN_MASK		0xffffUL
+# define PR_SVE_VL_INHERIT		(1UL << 17) /* inherit across exec */
 
 /* Per task speculation control */
 #define PR_GET_SPECULATION_CTRL		52
@@ -215,7 +215,7 @@ struct prctl_mm_map {
 # define PR_SPEC_INDIRECT_BRANCH	1L
 # define PR_SPEC_L1D_FLUSH		2L
 /* Return and control values for PR_SET/GET_SPECULATION_CTRL */
-# define PR_SPEC_NOT_AFFECTED		0
+# define PR_SPEC_NOT_AFFECTED		0UL
 # define PR_SPEC_PRCTL			(1UL << 0)
 # define PR_SPEC_ENABLE			(1UL << 1)
 # define PR_SPEC_DISABLE		(1UL << 2)
@@ -240,10 +240,10 @@ struct prctl_mm_map {
 # define PR_MTE_TCF_ASYNC		(1UL << 2)
 # define PR_MTE_TCF_MASK		(PR_MTE_TCF_SYNC | PR_MTE_TCF_ASYNC)
 /* MTE tag inclusion mask */
-# define PR_MTE_TAG_SHIFT		3
+# define PR_MTE_TAG_SHIFT		3UL
 # define PR_MTE_TAG_MASK		(0xffffUL << PR_MTE_TAG_SHIFT)
 /* Unused; kept only for source compatibility */
-# define PR_MTE_TCF_SHIFT		1
+# define PR_MTE_TCF_SHIFT		1UL
 
 /* Control reclaim behavior when allocating memory */
 #define PR_SET_IO_FLUSHER		57
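
Review bot: PR_MTE_TAG_SHIFT and PR_MTE_TCF_SHIFT are shift counts, not bit fields, so the commit message's justification ("These are bit fields") does not apply to them, and PR_MTE_TCF_SHIFT is marked "Unused; kept only for source compatibility", which argues for touching it as little as possible. PR_MTE_TAG_MASK already gets its width from the 0xffffUL left operand, so the shift count can stay a plain 3. Suggest dropping these two changes or justifying them separately in the message.
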
@@ -275,11 +275,11 @@ struct prctl_mm_map {
 /* arm64 Scalable Matrix Extension controls */
 /* Flag values must be in sync with SVE versions */
 #define PR_SME_SET_VL			63	/* set task vector length */
-# define PR_SME_SET_VL_ONEXEC		(1 << 18) /* defer effect until exec */
+# define PR_SME_SET_VL_ONEXEC		(1UL << 18) /* defer effect until exec */
 #define PR_SME_GET_VL			64	/* get task vector length */
 /* Bits common to PR_SME_SET_VL and PR_SME_GET_VL */
-# define PR_SME_VL_LEN_MASK		0xffff
-# define PR_SME_VL_INHERIT		(1 << 17) /* inherit across exec */
+# define PR_SME_VL_LEN_MASK		0xffffUL
+# define PR_SME_VL_INHERIT		(1UL << 17) /* inherit across exec */
 
 /* Memory deny write / execute */
 #define PR_SET_MDWE			65
@@ -298,13 +298,13 @@ struct prctl_mm_map {
 
 #define PR_RISCV_V_SET_CONTROL		69
 #define PR_RISCV_V_GET_CONTROL		70
-# define PR_RISCV_V_VSTATE_CTRL_DEFAULT		0
-# define PR_RISCV_V_VSTATE_CTRL_OFF		1
-# define PR_RISCV_V_VSTATE_CTRL_ON		2
-# define PR_RISCV_V_VSTATE_CTRL_INHERIT		(1 << 4)
-# define PR_RISCV_V_VSTATE_CTRL_CUR_MASK	0x3
-# define PR_RISCV_V_VSTATE_CTRL_NEXT_MASK	0xc
-# define PR_RISCV_V_VSTATE_CTRL_MASK		0x1f
+# define PR_RISCV_V_VSTATE_CTRL_DEFAULT		0UL
+# define PR_RISCV_V_VSTATE_CTRL_OFF		1UL
+# define PR_RISCV_V_VSTATE_CTRL_ON		2UL
+# define PR_RISCV_V_VSTATE_CTRL_INHERIT		(1UL << 4)
+# define PR_RISCV_V_VSTATE_CTRL_CUR_MASK	0x3UL
+# define PR_RISCV_V_VSTATE_CTRL_NEXT_MASK	0xcUL
+# define PR_RISCV_V_VSTATE_CTRL_MASK		0x1fUL
 
 #define PR_RISCV_SET_ICACHE_FLUSH_CTX	71
 # define PR_RISCV_CTX_SW_FENCEI_ON	0L
@@ -321,11 +321,11 @@ struct prctl_mm_map {
 # define PR_PPC_DEXCR_SRAPD		2L /* Subroutine return address prediction disable */
 # define PR_PPC_DEXCR_NPHIE		3L /* Non-privileged hash instruction enable */
 /* Action to apply / return */
-# define PR_PPC_DEXCR_CTRL_EDITABLE	 0x1 /* Aspect can be modified with PR_PPC_SET_DEXCR */
-# define PR_PPC_DEXCR_CTRL_SET		 0x2 /* Set the aspect for this process */
-# define PR_PPC_DEXCR_CTRL_CLEAR	 0x4 /* Clear the aspect for this process */
-# define PR_PPC_DEXCR_CTRL_SET_ONEXEC	 0x8 /* Set the aspect on exec */
-# define PR_PPC_DEXCR_CTRL_CLEAR_ONEXEC	0x10 /* Clear the aspect on exec */
-# define PR_PPC_DEXCR_CTRL_MASK		0x1f
+# define PR_PPC_DEXCR_CTRL_EDITABLE	 0x1UL /* Aspect can be modified with PR_PPC_SET_DEXCR */
+# define PR_PPC_DEXCR_CTRL_SET		 0x2UL /* Set the aspect for this process */
+# define PR_PPC_DEXCR_CTRL_CLEAR	 0x4UL /* Clear the aspect for this process */
+# define PR_PPC_DEXCR_CTRL_SET_ONEXEC	 0x8UL /* Set the aspect on exec */
+# define PR_PPC_DEXCR_CTRL_CLEAR_ONEXEC	0x10UL /* Clear the aspect on exec */
+# define PR_PPC_DEXCR_CTRL_MASK		0x1fUL
 
 #endif /* _LINUX_PRCTL_H */
-- 
2.45.1



* Re: Correct way of calling prctl(2) (was: Sashimi of prctl(2))
  2024-05-28  9:24   ` Correct way of calling prctl(2) (was: Sashimi of prctl(2)) Alejandro Colomar
  2024-05-28  9:42     ` Alejandro Colomar
@ 2024-05-28 15:20     ` Xi Ruoyao
  1 sibling, 0 replies; 7+ messages in thread
From: Xi Ruoyao @ 2024-05-28 15:20 UTC (permalink / raw)
  To: Alejandro Colomar, libc-alpha; +Cc: linux-man

On Tue, 2024-05-28 at 11:24 +0200, Alejandro Colomar wrote:
> From what I can see, glibc does no magic to set unspecified parameters
> to 0, so this means passing '0' results in Undefined Behavior.

On most targets where Glibc implements prctl in assembly (not C), the C
standard does not apply at all so there's no Undefined Behavior. 
There's just "expected" and "unexpected" behaviors.

So on 32-bit targets (both long and int are 32-bit) there's no problem.

On targets like riscv64 and loongarch64 the ABI mandates a sign-
extension on parameters narrower than a GPR, so there's no problem as
well.

x86_64 does not have such a guarantee (as said
in https://gcc.gnu.org/PR46942) so yes passing '0' may leave the high 32
bits of the parameter uninitialized and cause problems (at least in
theory).

-- 
Xi Ruoyao <xry111@xry111.site>
School of Aerospace Science and Technology, Xidian University
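
Added example (not code from the thread, glibc or the kernel): a compile-time check of how wide each optional prctl() argument is when it goes through "...", plus a fixed-prototype wrapper that converts every argument to unsigned long before the variadic call, which covers both the 0-versus-0L question and the per-ABI difference described above. The names VARARG_WIDTH, IS_NARROW, NARROW_ARGS and prctl_ul are assumptions made for this illustration.

```c
/* Added illustration; VARARG_WIDTH, IS_NARROW, NARROW_ARGS and prctl_ul
 * are hypothetical names, not part of glibc or the kernel headers. */
#include <stdio.h>
#include <sys/prctl.h>

/* Size of an integer argument as it travels through "...": unary plus
 * applies the integer promotions, the same promotions a variadic call
 * applies to integer arguments. */
#define VARARG_WIDTH(x)  (sizeof(+(x)))

/* 1 if the argument is passed narrower than the unsigned long the callee
 * fetches with va_arg(), else 0. */
#define IS_NARROW(x)     (VARARG_WIDTH(x) < sizeof(unsigned long))

/* Number of narrow arguments among the four optional prctl() arguments. */
#define NARROW_ARGS(a2, a3, a4, a5) \
	(IS_NARROW(a2) + IS_NARROW(a3) + IS_NARROW(a4) + IS_NARROW(a5))

/* Fixed-prototype wrapper: because the parameters are declared, the
 * compiler converts each argument to unsigned long at the call site, so
 * a caller may write plain 0 and still hand prctl() full-width values. */
static inline int
prctl_ul(int op, unsigned long a2, unsigned long a3,
         unsigned long a4, unsigned long a5)
{
	return prctl(op, a2, a3, a4, a5);
}

/* Argument shape of the shadow call quoted in the thread:
 * prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0). */
static int narrow_in_int_literal_call(void)
{
	return NARROW_ARGS(1, 0, 0, 0);
}

/* The same call written with the L suffix proposed in the thread. */
static int narrow_in_long_literal_call(void)
{
	return NARROW_ARGS(1L, 0L, 0L, 0L);
}

int main(void)
{
	printf("sizeof(int)=%zu sizeof(long)=%zu\n",
	       sizeof(int), sizeof(long));
	printf("narrow args in (1, 0, 0, 0):     %d\n",
	       narrow_in_int_literal_call());
	printf("narrow args in (1L, 0L, 0L, 0L): %d\n",
	       narrow_in_long_literal_call());
#ifdef PR_CAP_AMBIENT_RAISE
	/* Shows whether this system's header defines the constant as int
	 * or as long. */
	printf("PR_CAP_AMBIENT_RAISE is %zu bytes wide in this header\n",
	       VARARG_WIDTH(PR_CAP_AMBIENT_RAISE));
#endif
	/* Plain 0s are fine here: the prototype widens them. */
	printf("PR_GET_DUMPABLE via wrapper: %d\n",
	       prctl_ul(PR_GET_DUMPABLE, 0, 0, 0, 0));
	return 0;
}
```

On an ABI where int and long have the same width the narrow count is 0 for both call shapes; where long is wider than int, every unsuffixed literal is counted.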


* Re: [PATCH v1 0/2] uapi/linux/prctl: Use the L and UL integer suffixes for certain constants
  2024-05-28 11:48       ` [PATCH v1 0/2] uapi/linux/prctl: Use the L and UL integer suffixes for certain constants Alejandro Colomar
  2024-05-28 11:48         ` [PATCH v1 1/2] uapi/linux/prctl: Use the L integer suffix for enumerations of width long Alejandro Colomar
  2024-05-28 11:48         ` [PATCH v1 2/2] uapi/linux/prctl: Use the UL integer suffix for bit fields " Alejandro Colomar
@ 2024-06-12 12:02         ` Alejandro Colomar
  2 siblings, 0 replies; 7+ messages in thread
From: Alejandro Colomar @ 2024-06-12 12:02 UTC (permalink / raw)
  To: linux-api, Andrew Morton, Palmer Dabbelt; +Cc: linux-man, libc-alpha

[TO += Andrew, Palmer]

Hi Andrew, Palmer,

On Tue, May 28, 2024 at 01:48:05PM GMT, Alejandro Colomar wrote:
> 
> Alejandro Colomar (2):
>   uapi/linux/prctl: Use the L integer suffix for enumerations of width
>     long
>   uapi/linux/prctl: Use the UL integer suffix for bit fields of width
>     long

Ping.  

Have a lovely day!
Alex

>  include/uapi/linux/prctl.h | 186 ++++++++++++++++++-------------------
>  1 file changed, 93 insertions(+), 93 deletions(-)
> 
> Range-diff against v0:
> -:  ------------ > 1:  eb1cdf3e2f33 uapi/linux/prctl: Use the L integer suffix for enumerations of width long
> -:  ------------ > 2:  16f5bd565191 uapi/linux/prctl: Use the UL integer suffix for bit fields of width long
> -- 
> 2.45.1
> 



-- 
<https://www.alejandro-colomar.es/>

