Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems #10981

Merged
merged 1 commit into from
Nov 12, 2024
Merged

fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems #10981

merged 1 commit into from
Nov 12, 2024

Conversation

xbt573
Copy link
Contributor

@xbt573 xbt573 commented Nov 10, 2024

I found out that unix.Syscall(..., uintptr(unsafe.Pointer(&return_value))) returns very big value.
If syscall returns 128 (not verity, just example) on other systems, it returns 549755813888 on s390x, so fsverity.IsEnabled is almost incorrect. Note that 128 << 32 == 549755813888.

This happens because s390x is Big Endian, whereas other ones are Little Endian.
One fix is to change attr variable type to int32 , but this won't work if containerd is compiled against or used on system where C int is not 4 bytes wide.

This PR includes change of attr variable type to int32.

@k8s-ci-robot
Copy link

Hi @xbt573. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@dosubot dosubot bot added the kind/bug label Nov 10, 2024
@AkihiroSuda AkihiroSuda added the cherry-pick/2.0.x Change to be cherry picked to release/2.0 branch label Nov 10, 2024
mikebrow
mikebrow reviewed Nov 11, 2024
View reviewed changes
Copy link
Member

@mikebrow mikebrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't c long int64 on 64 bit systems.. Should this be platform dependent?

https://github.com/torvalds/linux/blame/master/include/uapi/linux/fs.h#L223-L224

@xbt573
Copy link
Contributor Author

xbt573 commented Nov 11, 2024

https://github.com/torvalds/linux/blame/master/include/uapi/linux/fs.h#L223-L224

Oh, didn't see this one. Then int32 assumption is very incorrect, but as we see int64 or long doesn't work with big endian machines.
Is there other ways to work around this issue for big endian machines?

@mikebrow
Copy link
Member

https://github.com/torvalds/linux/blame/master/include/uapi/linux/fs.h#L223-L224

Oh, didn't see this one. Then int32 assumption is very incorrect, but as we see int64 or long doesn't work with big endian machines. Is there other ways to work around this issue for big endian machines?

we can build and check goos on a per platform basis

@xbt573
Copy link
Contributor Author

xbt573 commented Nov 12, 2024

I checked all possible output flags for FS_IOC_GETFLAGS and their total bitwise OR value is 4076863487, which is less than uint32 maximum limit. Also, getting all extended attributes enabled is probably impossible, all i managed to get is 252 without verity and 1048576 with it.

--S-iadAc------------- 252
--------------------V- 1048576

Also, i asked about this on Golang issue tracker and got this response: golang/go#70302 (comment)

If this is OK we can change attr variable to uint32 and merge it. I tested it briefly on s390x and it worked as expected:

[xbt573@localhost xd]$ lsattr test
--------------------V- test
[xbt573@localhost xd]$ ./xd test
1048576

#define FS_VERITY_FL			0x00100000 /* Verity protected inode */
// 0x00100000 == 1048576

mikebrow
mikebrow approved these changes Nov 12, 2024
View reviewed changes
Copy link
Member

@mikebrow mikebrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mikebrow mikebrow added this pull request to the merge queue Nov 12, 2024
@mikebrow
Copy link
Member

mikebrow commented Nov 12, 2024
edited
Loading

I checked all possible output flags for FS_IOC_GETFLAGS and their total bitwise OR value is 4076863487, which is less than uint32 maximum limit. Also, getting all extended attributes enabled is probably impossible, all i managed to get is 252 without verity and 1048576 with it.

--S-iadAc------------- 252
--------------------V- 1048576

Also, i asked about this on Golang issue tracker and got this response: golang/go#70302 (comment)

If this is OK we can change attr variable to uint32 and merge it. I tested it briefly on s390x and it worked as expected:

[xbt573@localhost xd]$ lsattr test
--------------------V- test
[xbt573@localhost xd]$ ./xd test
1048576

#define FS_VERITY_FL			0x00100000 /* Verity protected inode */
// 0x00100000 == 1048576

thx was that s390x system 32 or 64bit.. presume the later and can move along but would be nice to know if we have an endian issue with go int to c long on 32bit and or 64bit..

@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Nov 12, 2024
@estesp estesp added this pull request to the merge queue Nov 12, 2024
Merged via the queue into containerd:main with commit 9f8dfdc Nov 12, 2024
56 checks passed
@QuLogic
Copy link

QuLogic commented Nov 13, 2024

Isn't c long int64 on 64 bit systems.. Should this be platform dependent?

https://github.com/torvalds/linux/blame/master/include/uapi/linux/fs.h#L223-L224

See the note in the man page: https://man7.org/linux/man-pages/man2/ioctl_iflags.2.html#NOTES

@estesp estesp mentioned this pull request Nov 14, 2024
Merged
@estesp
Copy link
Member

estesp commented Nov 14, 2024

/cherrypick release/2.0

@estesp estesp added cherry-picked/2.0.x PR commits are cherry picked into the release/2.0 branch and removed cherry-pick/2.0.x Change to be cherry picked to release/2.0 branch labels Nov 14, 2024
@k8s-infra-cherrypick-robot
Copy link

@estesp: new pull request created: #11005

In response to this:

/cherrypick release/2.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-infra-cherrypick-robot k8s-infra-cherrypick-robot mentioned this pull request Nov 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@estesp estesp estesp approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@mikebrow mikebrow mikebrow approved these changes

Assignees
No one assigned
Labels
cherry-picked/2.0.x PR commits are cherry picked into the release/2.0 branch kind/bug needs-ok-to-test size/XS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@xbt573 @k8s-ci-robot @mikebrow @QuLogic @estesp @k8s-infra-cherrypick-robot @AkihiroSuda