From: Martin Cermak Date: Tue, 17 Jun 2025 11:51:48 +0000 (+0200) Subject: Wrap linux specific mseal syscall X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9775bc496e4b6f80dec993e5d147356ebbe29fe3;p=thirdparty%2Fvalgrind.git Wrap linux specific mseal syscall mseal takes address, size and flags. Flags are reserved for future use. Modern CPUs support memory permissions such as RW and NX bits. The mseal syscall takes address and size parameters to additionally protect memory mapping against modifications. FTR: https://docs.kernel.org/userspace-api/mseal.html Declare a sys_mseal wrapper in priv_syswrap-linux.h and hook it for {amd64,arm,arm64,mips64,nanomips,ppc32,ppc64,riscv64,s390x,x86}-linux using LINX_ with PRE handler in syswrap-linux.c https://bugs.kde.org/show_bug.cgi?id=505228 --- diff --git a/NEWS b/NEWS index 041d7afdf..97e4b3b41 100644 --- a/NEWS +++ b/NEWS @@ -41,6 +41,7 @@ are not entered into bugzilla tend to get forgotten about or ignored. 504919 Hide "client tried to modify addresses" warnings when -q (quiet) set 504936 Add FreeBSD amd64 sysarch subcommands AMD64_SET_TLSBASE and AMD64_GET_TLSBASE +505228 Wrap linux specific mseal syscall To see details of a given bug, visit https://bugs.kde.org/show_bug.cgi?id=XXXXXX diff --git a/coregrind/m_syswrap/priv_syswrap-linux.h b/coregrind/m_syswrap/priv_syswrap-linux.h index 966eae543..ed8cb4ed5 100644 --- a/coregrind/m_syswrap/priv_syswrap-linux.h +++ b/coregrind/m_syswrap/priv_syswrap-linux.h @@ -355,6 +355,9 @@ DECL_TEMPLATE(linux, sys_pidfd_getfd); // Since Linux 6.6 DECL_TEMPLATE(linux, sys_fchmodat2); +// Since Linux 6.10 +DECL_TEMPLATE(linux, sys_mseal); + /* --------------------------------------------------------------------- Wrappers for sockets and ipc-ery. These are split into standalone procedures because x86-linux hides them inside multiplexors diff --git a/coregrind/m_syswrap/syswrap-amd64-linux.c b/coregrind/m_syswrap/syswrap-amd64-linux.c index c22683192..292e969fc 100644 --- a/coregrind/m_syswrap/syswrap-amd64-linux.c +++ b/coregrind/m_syswrap/syswrap-amd64-linux.c @@ -904,6 +904,7 @@ static SyscallTableEntry syscall_table[] = { LINXY(__NR_cachestat, sys_cachestat), // 451 LINX_(__NR_fchmodat2, sys_fchmodat2), // 452 + LINX_(__NR_mseal, sys_mseal), // 462 }; SyscallTableEntry* ML_(get_linux_syscall_entry) ( UInt sysno ) diff --git a/coregrind/m_syswrap/syswrap-arm-linux.c b/coregrind/m_syswrap/syswrap-arm-linux.c index 05cd1e4b6..6d7db0425 100644 --- a/coregrind/m_syswrap/syswrap-arm-linux.c +++ b/coregrind/m_syswrap/syswrap-arm-linux.c @@ -1075,6 +1075,7 @@ static SyscallTableEntry syscall_main_table[] = { LINXY(__NR_cachestat, sys_cachestat), // 451 LINX_(__NR_fchmodat2, sys_fchmodat2), // 452 + LINX_(__NR_mseal, sys_mseal), // 462 }; diff --git a/coregrind/m_syswrap/syswrap-arm64-linux.c b/coregrind/m_syswrap/syswrap-arm64-linux.c index 28cb3647c..2d6b45f91 100644 --- a/coregrind/m_syswrap/syswrap-arm64-linux.c +++ b/coregrind/m_syswrap/syswrap-arm64-linux.c @@ -855,6 +855,7 @@ static SyscallTableEntry syscall_main_table[] = { LINXY(__NR_cachestat, sys_cachestat), // 451 LINX_(__NR_fchmodat2, sys_fchmodat2), // 452 + LINX_(__NR_mseal, sys_mseal), // 462 }; diff --git a/coregrind/m_syswrap/syswrap-linux.c b/coregrind/m_syswrap/syswrap-linux.c index be936ecbe..0db871778 100644 --- a/coregrind/m_syswrap/syswrap-linux.c +++ b/coregrind/m_syswrap/syswrap-linux.c @@ -4296,6 +4296,15 @@ PRE(sys_membarrier) PRE_REG_READ1(int, "membarrier", int, flags); } +PRE(sys_mseal) +{ + /* int mseal(void *addr, size_t len, unsigned long flags) */ + PRINT("sys_mseal ( %#" FMT_REGWORD "x, %" FMT_REGWORD "u, %#" FMT_REGWORD "x, )", ARG1, ARG2, ARG3); + PRE_REG_READ3(int, "mseal", void *, addr, vki_size_t, len, int, flags); + if (!ML_(valid_client_addr)(ARG1, ARG2, tid, "mseal")) + SET_STATUS_Failure(VKI_ENOMEM); +} + PRE(sys_syncfs) { *flags |= SfMayBlock; diff --git a/coregrind/m_syswrap/syswrap-mips32-linux.c b/coregrind/m_syswrap/syswrap-mips32-linux.c index d16a9a4bc..5edae82c3 100644 --- a/coregrind/m_syswrap/syswrap-mips32-linux.c +++ b/coregrind/m_syswrap/syswrap-mips32-linux.c @@ -1182,6 +1182,7 @@ static SyscallTableEntry syscall_main_table[] = { LINXY(__NR_cachestat, sys_cachestat), // 451 LINX_(__NR_fchmodat2, sys_fchmodat2), // 452 + LINX_(__NR_mseal, sys_mseal), // 462 }; SyscallTableEntry* ML_(get_linux_syscall_entry) (UInt sysno) diff --git a/coregrind/m_syswrap/syswrap-mips64-linux.c b/coregrind/m_syswrap/syswrap-mips64-linux.c index fe1f3db7f..63e4b111e 100644 --- a/coregrind/m_syswrap/syswrap-mips64-linux.c +++ b/coregrind/m_syswrap/syswrap-mips64-linux.c @@ -838,6 +838,7 @@ static SyscallTableEntry syscall_main_table[] = { LINXY (__NR_cachestat, sys_cachestat), LINX_ (__NR_fchmodat2, sys_fchmodat2), LINXY (__NR_userfaultfd, sys_userfaultfd), + LINX_ (__NR_mseal, sys_mseal), }; SyscallTableEntry * ML_(get_linux_syscall_entry) ( UInt sysno ) diff --git a/coregrind/m_syswrap/syswrap-nanomips-linux.c b/coregrind/m_syswrap/syswrap-nanomips-linux.c index 87153737d..b392ad1ad 100644 --- a/coregrind/m_syswrap/syswrap-nanomips-linux.c +++ b/coregrind/m_syswrap/syswrap-nanomips-linux.c @@ -842,6 +842,7 @@ static SyscallTableEntry syscall_main_table[] = { LINX_ (__NR_landlock_restrict_self, sys_landlock_restrict_self), LINXY (__NR_cachestat, sys_cachestat), LINX_ (__NR_fchmodat2, sys_fchmodat2), + LINX_ (__NR_mseal, sys_mseal), }; SyscallTableEntry* ML_(get_linux_syscall_entry) (UInt sysno) diff --git a/coregrind/m_syswrap/syswrap-ppc32-linux.c b/coregrind/m_syswrap/syswrap-ppc32-linux.c index bc180b8b1..9d02a0258 100644 --- a/coregrind/m_syswrap/syswrap-ppc32-linux.c +++ b/coregrind/m_syswrap/syswrap-ppc32-linux.c @@ -1081,6 +1081,7 @@ static SyscallTableEntry syscall_table[] = { LINXY(__NR_cachestat, sys_cachestat), // 451 LINX_ (__NR_fchmodat2, sys_fchmodat2), // 452 + LINX_ (__NR_mseal, sys_mseal), // 462 }; SyscallTableEntry* ML_(get_linux_syscall_entry) ( UInt sysno ) diff --git a/coregrind/m_syswrap/syswrap-ppc64-linux.c b/coregrind/m_syswrap/syswrap-ppc64-linux.c index 6e97358e8..94385a4fa 100644 --- a/coregrind/m_syswrap/syswrap-ppc64-linux.c +++ b/coregrind/m_syswrap/syswrap-ppc64-linux.c @@ -1048,6 +1048,7 @@ static SyscallTableEntry syscall_table[] = { LINXY (__NR_cachestat, sys_cachestat), // 451 LINX_ (__NR_fchmodat2, sys_fchmodat2), // 452 + LINX_ (__NR_mseal, sys_mseal), // 462 }; SyscallTableEntry* ML_(get_linux_syscall_entry) ( UInt sysno ) diff --git a/coregrind/m_syswrap/syswrap-riscv64-linux.c b/coregrind/m_syswrap/syswrap-riscv64-linux.c index 7a1ff0751..68ccd0ea4 100644 --- a/coregrind/m_syswrap/syswrap-riscv64-linux.c +++ b/coregrind/m_syswrap/syswrap-riscv64-linux.c @@ -599,6 +599,7 @@ static SyscallTableEntry syscall_main_table[] = { LINXY(__NR_memfd_secret, sys_memfd_secret), /* 447 */ LINXY(__NR_cachestat, sys_cachestat), /* 451 */ LINX_(__NR_fchmodat2, sys_fchmodat2), /* 452 */ + LINX_(__NR_mseal, sys_mseal), /* 462 */ }; SyscallTableEntry* ML_(get_linux_syscall_entry)(UInt sysno) diff --git a/coregrind/m_syswrap/syswrap-s390x-linux.c b/coregrind/m_syswrap/syswrap-s390x-linux.c index f4ceae461..a6770399d 100644 --- a/coregrind/m_syswrap/syswrap-s390x-linux.c +++ b/coregrind/m_syswrap/syswrap-s390x-linux.c @@ -890,6 +890,7 @@ static SyscallTableEntry syscall_table[] = { LINXY (__NR_cachestat, sys_cachestat), // 451 LINX_ (__NR_fchmodat2, sys_fchmodat2), // 452 + LINX_ (__NR_mseal, sys_mseal), // 462 }; SyscallTableEntry* ML_(get_linux_syscall_entry) ( UInt sysno ) diff --git a/coregrind/m_syswrap/syswrap-x86-linux.c b/coregrind/m_syswrap/syswrap-x86-linux.c index 662780588..4b5b5fb15 100644 --- a/coregrind/m_syswrap/syswrap-x86-linux.c +++ b/coregrind/m_syswrap/syswrap-x86-linux.c @@ -1676,6 +1676,7 @@ static SyscallTableEntry syscall_table[] = { LINXY(__NR_cachestat, sys_cachestat), // 451 LINX_(__NR_fchmodat2, sys_fchmodat2), // 452 + LINX_(__NR_mseal, sys_mseal), // 462 }; SyscallTableEntry* ML_(get_linux_syscall_entry) ( UInt sysno ) diff --git a/include/vki/vki-scnums-mips32-linux.h b/include/vki/vki-scnums-mips32-linux.h index d4f8de15a..53f6499aa 100644 --- a/include/vki/vki-scnums-mips32-linux.h +++ b/include/vki/vki-scnums-mips32-linux.h @@ -460,6 +460,7 @@ #define __NR_set_mempolicy_home_node (__NR_Linux + 450) #define __NR_cachestat (__NR_Linux + 451) #define __NR_fchmodat2 (__NR_Linux + 452) +#define __NR_mseal (__NR_Linux + 462) /* * Offset of the last Linux o32 flavoured syscall */ diff --git a/include/vki/vki-scnums-mips64-linux.h b/include/vki/vki-scnums-mips64-linux.h index c5291e31c..91f578345 100644 --- a/include/vki/vki-scnums-mips64-linux.h +++ b/include/vki/vki-scnums-mips64-linux.h @@ -401,6 +401,7 @@ #define __NR_lsm_get_self_attr (__NR_Linux + 459) #define __NR_lsm_set_self_attr (__NR_Linux + 460) #define __NR_lsm_list_modules (__NR_Linux + 461) +#define __NR_mseal (__NR_Linux + 462) #elif defined(VGABI_N32) diff --git a/include/vki/vki-scnums-shared-linux.h b/include/vki/vki-scnums-shared-linux.h index 616f8052d..32ef8ac13 100644 --- a/include/vki/vki-scnums-shared-linux.h +++ b/include/vki/vki-scnums-shared-linux.h @@ -56,5 +56,6 @@ #define __NR_cachestat 451 #define __NR_fchmodat2 452 +#define __NR_mseal 462 #endif