Re: [musl] [PATCH 1/2] V3 resubmitting old statx patch with changes

[lolzery wowzery <wowzeryest@gmail.com>]

Hi,

Update: you've given me a lot to think about in my suggestions and
proposals to musl and, because you took time to respond to me and
explain things clearly, I feel much more compelled to put good effort
into making sure my changes are solid and indisputably beneficial (not
as in more=better kind of way but less=more but keeping in mind your
responses about musl's design.)

> statx is already in musl 1.2.5 (commit b817541f1cfd). If there are
> other problems than the ones I fixed when merging it and the
> stx_attributes field, please report them here rather than spending
> time trying to make a comprehensive changeset for a lot of things that
> might or might not actually be wrong.

I must have dyslexia or something because it turned out my efforts were a
wild goose chase for xstat, not statx! I'm so embarrassed, ha ha.

> > symbol
> > weakness problems,
>
> This sounds unlikely. It's more likely that you misunderstand how/why
> they're used. But I'm happy to look at your findings.

There are some symbol weakness inconsistencies with glibc I found in musl
but trying to track them all down by hand would be insane. I will get together
a tool to difference musl's and glibc symbols and list all changes to you one
of these days.

For reference, symbol weakness only affects what happens when linking two
libraries with same symbol names, which is used to override libc methods
for various necessary purposes. Glibc is the golden standard software is
built to link to, so, if anything, this will only help some software
work in musl.

> Can you clarify what you mean? There are some places where correctly
> atomic fallback is impossible and the fallback is best-effort only.
> This is generally only for missing O_CLOEXEC type functionality. If
> there are others, please report.

My original thinking was that my proposed solution of trying both the full
syscall and the fallback and seeing which work to handle seccomp would
introduce a race condition where the file is created between the two calls.

That thought is invalid now that I know we are not in the business of
supporting bad seccomp configurations.

> It's expected to fail catastrophically if seccomp filters modify
> syscall behavior in ways that make forward progress impossible (e.g.
> blocking close or something) or that lie about the cause of failure
> (the classic but badly wrong practice of using EPERM where ENOSYS was
> the correct code for syscalls not available in the sandbox). This is
> inherently not a supportable configuration.
>
> Generally musl always uses the oldest-possible syscall that can fully
> meet the requirements. If it has to try a new syscall first (like
> statx on 32-bit, since the legacy syscalls don't support full-range
> time_t and we don't know until after stat whether the times fit in 32
> bits), it falls back on ENOSYS. So as long as seccomp filters are
> using semantically correct error codes, things should generally work.
> But it's the responsibility of the seccomp filter authors to ensure
> they're doing this right.

Got it and thank you for the explanation. I now understand.

> It's never undefined. That's not how this works.
>
> If you're making out-of-tree bare-metal ports and don't want the
> overhead of having to add new syscalls like this, you can do something
> like define the SYS_* macros for them such that syscall_arch.h can
> statically catch that they're nonexistant (e.g. by given them values
> in some high range) and directly return -ENOSYS; then the code would
> collapse down as you want with the ENOSYS path being always-taken.
>
> Note that there is no way to emulate the nonzero flags for renameat2
> without race conditions. Since this is not standard/mandatory
> functionality, the right thing to do is just return an error for
> "unsupported flags", not try to emulate them.

Got it and thanks for explaining. Now that I've fixed my eyes and am
looking at statx, I see four main things to be fixed:
1. Remove the `#ifndef SYS_fstatat` because it's nonsensible
2. Add comments to explain things
3. Correctly validate the flags and EINVAL if unsupported by fallback
4. Zero all extraneous fields like __pad1 for future proofing.
5. The stx_rdev_major and stx_rdev_minor fields were not correctly filled in

Please do not make these 5 changes yourself yet as I might find more and
I have some great comments I want to add to explain why things are.

I also discovered and would like to do a very minor cleanup on
src/stat/fstatat.c, which has a duplicate copy of the struct statx for
no reason.

Additionally, I am working on a proper fallback and implementation for fstatx
and lstatx, which are the open-fd and symlink equivalents of statx. It will
properly use ioctl_iflags to polyfill the attributes field for fstatx.
This cannot be
done for lstatx, statx, or statatx as they accept a file name and no
equivalent to
ioctl_iflags exists which accepts a file name, so it requires an open file. RTM:

> These functions return information about a file, in the buffer
> pointed to by statbuf.  No permissions are required on the file
> itself, but—in the case of stat(), fstatat(), and lstat()—execute
> (search) permission is required on all of the directories in
>  pathname that lead to the file.

I swear I've spent the last 5 hours digging into the nitty gritty
depths of these
little-documented methods to ensure musl will have proper fallbacks.

QUESTION: The glibc wrapper for statx explicitly sets the errno to ENOSYS
upon successful execution of its fallback to fstat64 (yes you read that right.)
I swore I misread something or this was a bug until quadruple checking
that this is works-as-intended over the next 2 hours. Will check around
glibc more tomorrow but what should musl's policy be about this (and
perhaps other works-as-intended POSIX violations around glibc?) I'm
personally strongly leaning towards do-what-glibc-does for compatibility

> OK, please send.

Working hard to keep my changes small, localized, and important.

Jack









On Thu, Apr 25, 2024 at 8:25 AM Rich Felker <dalias@libc.org> wrote:
>
> On Wed, Apr 24, 2024 at 07:55:32PM -0400, lolzery wowzery wrote:
> > Hi all! I'm new to git over email, new to musl, and I want to really
> > get into contributing to musl. So, I'd really appreciate any
> > tips/comments/info for a newbie like me!
> >
> > Please do not merge these changes yet. There's numerous problems with
> > this code above and beyond the issues you pointed out,
>
> statx is already in musl 1.2.5 (commit b817541f1cfd). If there are
> other problems than the ones I fixed when merging it and the
> stx_attributes field, please report them here rather than spending
> time trying to make a comprehensive changeset for a lot of things that
> might or might not actually be wrong.
>
> > and each of
> > those issues led me down successive rabbit holes all over the musl
> > source code and I've ended up opening a sizable can of worms,
> > including io race condition bugs in fallback conditions,
>
> Can you clarify what you mean? There are some places where correctly
> atomic fallback is impossible and the fallback is best-effort only.
> This is generally only for missing O_CLOEXEC type functionality. If
> there are others, please report.
>
> > symbol
> > weakness problems,
>
> This sounds unlikely. It's more likely that you misunderstand how/why
> they're used. But I'm happy to look at your findings.
>
> > header/struct misorganization, and bugs in syscall
> > support detection making musl silently/unexpectedly fail under certain
> > seccomp configurations.
>
> It's expected to fail catastrophically if seccomp filters modify
> syscall behavior in ways that make forward progress impossible (e.g.
> blocking close or something) or that lie about the cause of failure
> (the classic but badly wrong practice of using EPERM where ENOSYS was
> the correct code for syscalls not available in the sandbox). This is
> inherently not a supportable configuration.
>
> Generally musl always uses the oldest-possible syscall that can fully
> meet the requirements. If it has to try a new syscall first (like
> statx on 32-bit, since the legacy syscalls don't support full-range
> time_t and we don't know until after stat whether the times fit in 32
> bits), it falls back on ENOSYS. So as long as seccomp filters are
> using semantically correct error codes, things should generally work.
> But it's the responsibility of the seccomp filter authors to ensure
> they're doing this right.
>
> > Also, let me cite the earlier patch from tony.ambardar@gmail.com about
> > renameat2. My patch will include a full proper renameat2
> > implementation with validation and fallback and will compile on
> > systems where SYS_renameat2 is undefined (using exclusively the
> > fallback.)
>
> It's never undefined. That's not how this works.
>
> If you're making out-of-tree bare-metal ports and don't want the
> overhead of having to add new syscalls like this, you can do something
> like define the SYS_* macros for them such that syscall_arch.h can
> statically catch that they're nonexistant (e.g. by given them values
> in some high range) and directly return -ENOSYS; then the code would
> collapse down as you want with the ENOSYS path being always-taken.
>
> Note that there is no way to emulate the nonzero flags for renameat2
> without race conditions. Since this is not standard/mandatory
> functionality, the right thing to do is just return an error for
> "unsupported flags", not try to emulate them.
>
> > I recognize I probably sound like an over-eager-beaver fussing over
> > fools-gold as I'm new and none of you know me. (That's the assumption
> > I myself would make if a new guy showed up claiming to have lots of
> > bug fixes and stuff.) So, please suspend your disbelief for a short
> > while until I can give my full report and all fixes tomorrow for
> > everyone to review. Give me a chance to prove my commitment to musl
> > and watch as I uphold my pledge to maintain my areas of the code in
> > musl and keep them ship-shape.
> >
> > Have a great day everyone and really looking forwards to sharing my
> > full report tomorrow!,
>
> OK, please send.
>
> Rich