Page MenuHomeFreeBSD
Differential D46403

Introduce vfcntl(), a va_list variant of fcntl()
AcceptedPublic
Actions

Authored by arichardson on Wed, Aug 21, 9:12 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Sep 12, 7:20 PM
Unknown Object (File)
Thu, Sep 12, 7:10 PM
Unknown Object (File)
Sun, Sep 8, 5:26 PM
Unknown Object (File)
Sat, Sep 7, 10:55 AM
Unknown Object (File)
Sat, Sep 7, 12:17 AM
Unknown Object (File)
Wed, Sep 4, 1:05 PM
Unknown Object (File)
Tue, Sep 3, 8:07 AM
Unknown Object (File)
Mon, Sep 2, 4:32 PM
View All 9 Files
Subscribers
None

Details

Reviewers
kib
jrtc27
jhb
emaste
imp
brooks
Summary

Certain libraries (e.g. epoll-shim) interpose libc's fcntl and there
is currently no portable way to interpose a variadic function without
relying on undefined behaviour. Adding a variant of fcntl that takes a
va_list instead of variadic arguments allows safely interposing fcntl.

While we can get away with reading a non-existent variadic argument on
all currently supported architectures (we just read garbage from the
next argument register or the stack), this is not possible for
architectures that pass pointers/integers in different registers or ones
that perform bounds checks on variadic arguments (e.g. CHERI). For
CHERI architectures, CheriBSD carries a downstream patch to only read
an argument for cmd values that expect one (and needs to take care to
read the correct type as well to avoid bounds errors).

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 59131
Build 56018: arc lint + arc unit

Event Timeline

arichardson requested review of this revision.Wed, Aug 21, 9:12 PM
arichardson created this revision.
Harbormaster completed remote builds in B59131: Diff 142327.Wed, Aug 21, 9:12 PM
brooks accepted this revision.Wed, Aug 21, 10:27 PM
This revision is now accepted and ready to land.Wed, Aug 21, 10:27 PM
jrtc27 added a comment.Wed, Aug 21, 10:32 PM

there
is currently no portable way to interpose a variadic function without
relying on undefined behaviour

That's not entirely true, but it requires you to know how many arguments were passed in every possible case, what types they are, va_arg them in turn and call the interposed function with those arguments (or more). Whereas interposing a function that takes the va_list itself means you only need to interpret the arguments in the cases where you actually want to inspect at them.

lib/libsys/fcntl.2
42

Should be mentioned in the description?

jrtc27 added inline comments.Wed, Aug 21, 10:34 PM
lib/libsys/fcntl.2
42

In particular, you'll want to document the state of ap after the call like vprintf so the ownership, clobbering and whether va_end is needed from the caller are all defined.

kib added a comment.Wed, Aug 21, 10:36 PM

Could it be simplified by providing an fcntl variant that takes the third arg unconditionally, instead?

arichardson added a comment.Wed, Aug 21, 10:56 PM
In D46403#1057619, @kib wrote:

Could it be simplified by providing an fcntl variant that takes the third arg unconditionally, instead?

I would also be happy with that approach, just assumed this variant would be more flexible. Would the unconditional one look like this: fcntl2(int, int, __intptr_t)?

arichardson added a comment.Wed, Aug 21, 10:58 PM
In D46403#1057607, @jrtc27 wrote:

there
is currently no portable way to interpose a variadic function without
relying on undefined behaviour

That's not entirely true, but it requires you to know how many arguments were passed in every possible case, what types they are, va_arg them in turn and call the interposed function with those arguments (or more). Whereas interposing a function that takes the va_list itself means you only need to interpret the arguments in the cases where you actually want to inspect at them.

I can reword this "no portable way (without reimplementing the argument parsing logic)" if you prefer?

lib/libsys/fcntl.2
42

That's fair I can add those - I just assumed that va_end is always required for such calls unless specified otherwise.

kib added a comment.Wed, Aug 21, 11:00 PM
In D46403#1057647, @arichardson wrote:
In D46403#1057619, @kib wrote:

Could it be simplified by providing an fcntl variant that takes the third arg unconditionally, instead?

I would also be happy with that approach, just assumed this variant would be more flexible. Would the unconditional one look like this: fcntl2(int, int, __intptr_t)?

The actual syscall takes three args unconditionally, so there is no point in adding more complications IMO. By existing conventions, the function perhaps should be called fcntl3.

arichardson added a comment.Thu, Aug 22, 5:48 AM
In D46403#1057654, @kib wrote:
In D46403#1057647, @arichardson wrote:
In D46403#1057619, @kib wrote:

Could it be simplified by providing an fcntl variant that takes the third arg unconditionally, instead?

I would also be happy with that approach, just assumed this variant would be more flexible. Would the unconditional one look like this: fcntl2(int, int, __intptr_t)?

The actual syscall takes three args unconditionally, so there is no point in adding more complications IMO. By existing conventions, the function perhaps should be called fcntl3.

Actually, I just remembered this would not help with the interposing of fcntl since the interposer would still need to extract the variadic argument.

jrtc27 added a comment.Thu, Aug 22, 5:51 AM
In D46403#1057695, @arichardson wrote:
In D46403#1057654, @kib wrote:
In D46403#1057647, @arichardson wrote:
In D46403#1057619, @kib wrote:

Could it be simplified by providing an fcntl variant that takes the third arg unconditionally, instead?

I would also be happy with that approach, just assumed this variant would be more flexible. Would the unconditional one look like this: fcntl2(int, int, __intptr_t)?

The actual syscall takes three args unconditionally, so there is no point in adding more complications IMO. By existing conventions, the function perhaps should be called fcntl3.

Actually, I just remembered this would not help with the interposing of fcntl since the interposer would still need to extract the variadic argument.

Well, fcntl would call fcntl3, and you can then interpose the latter, just as with vfcntl.

arichardson added a comment.Thu, Aug 22, 5:38 PM
In D46403#1057696, @jrtc27 wrote:
In D46403#1057695, @arichardson wrote:
In D46403#1057654, @kib wrote:
In D46403#1057647, @arichardson wrote:
In D46403#1057619, @kib wrote:

Could it be simplified by providing an fcntl variant that takes the third arg unconditionally, instead?

I would also be happy with that approach, just assumed this variant would be more flexible. Would the unconditional one look like this: fcntl2(int, int, __intptr_t)?

The actual syscall takes three args unconditionally, so there is no point in adding more complications IMO. By existing conventions, the function perhaps should be called fcntl3.

Actually, I just remembered this would not help with the interposing of fcntl since the interposer would still need to extract the variadic argument.

Well, fcntl would call fcntl3, and you can then interpose the latter, just as with vfcntl.

Fair, that would work - I am happy with either approach and will try to prototype the fcntl3 approach that in epoll-shim.

Revision Contents
Changeset List

PathSize
lib/
libc/
sys/
4 lines
30 lines
libsys/
3 lines
sys/
sys/
1 line

Diff 142327

View Options

lib/libc/sys/Symbol.map

Loading...
View Options

lib/libc/sys/fcntl.c

Loading...
View Options

lib/libsys/fcntl.2

Loading...
View Options

sys/sys/fcntl.h

Loading...