During signal entry, the kernel pushes data onto the normal userspace
stack. On x86, the data pushed onto the user stack includes XSAVE state,
which has grown over time as new features and larger registers have been
added to the architecture.
MINSIGSTKSZ is a constant provided in the kernel signal.h headers and
typically distributed in lib-dev(el) packages, e.g. [1]. Its value is
compiled into programs and is part of the user/kernel ABI. The MINSIGSTKSZ
constant indicates to userspace how much data the kernel expects to push on
the user stack, [2][3].
However, this constant is much too small and does not reflect recent
additions to the architecture. For instance, when AVX-512 states are in
use, the signal frame size can be 3.5KB while MINSIGSTKSZ remains 2KB.
The bug report [4] explains this as an ABI issue. The small MINSIGSTKSZ can
cause user stack overflow when delivering a signal.
In this series, we suggest a couple of things:
1. Provide a variable minimum stack size to userspace, as a similar
approach to [5].
2. Avoid using a too-small alternate stack.
Changes from v6 [11]:
* Updated and fixed the documentation. (Borislav Petkov)
* Revised the AT_MINSIGSTKSZ comment. (Borislav Petkov)
Changes form v5 [10]:
* Fixed the overflow detection. (Andy Lutomirski)
* Reverted the AT_MINSIGSTKSZ removal on arm64. (Dave Martin)
* Added a documentation about the x86 AT_MINSIGSTKSZ.
* Supported the existing sigaltstack test to use the new aux vector.
Changes from v4 [9]:
* Moved the aux vector define to the generic header. (Carlos O'Donell)
Changes from v3 [8]:
* Updated the changelog. (Borislav Petkov)
* Revised the test messages again. (Borislav Petkov)
Changes from v2 [7]:
* Simplified the sigaltstack overflow prevention. (Jann Horn)
* Renamed fpstate size helper with cleanup. (Borislav Petkov)
* Cleaned up the signframe struct size defines. (Borislav Petkov)
* Revised the selftest messages. (Borislav Petkov)
* Revised a changelog. (Borislav Petkov)
Changes from v1 [6]:
* Took stack alignment into account for sigframe size. (Dave Martin)
[1]: https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/bits/sigstack.h;h=b9dca794da093dc4d41d39db9851d444e1b54d9b;hb=HEAD
[2]: https://www.gnu.org/software/libc/manual/html_node/Signal-Stack.html
[3]: https://man7.org/linux/man-pages/man2/sigaltstack.2.html
[4]: https://bugzilla.kernel.org/show_bug.cgi?id=153531
[5]: https://blog.linuxplumbersconf.org/2017/ocw/system/presentations/4671/original/plumbers-dm-2017.pdf
[6]: https://lore.kernel.org/lkml/[email protected]/
[7]: https://lore.kernel.org/lkml/[email protected]/
[8]: https://lore.kernel.org/lkml/[email protected]/
[9]: https://lore.kernel.org/lkml/[email protected]/
[10]: https://lore.kernel.org/lkml/[email protected]/
[11]: https://lore.kernel.org/lkml/[email protected]/
Chang S. Bae (6):
uapi: Define the aux vector AT_MINSIGSTKSZ
x86/signal: Introduce helpers to get the maximum signal frame size
x86/elf: Support a new ELF aux vector AT_MINSIGSTKSZ
selftest/sigaltstack: Use the AT_MINSIGSTKSZ aux vector if available
x86/signal: Detect and prevent an alternate signal stack overflow
selftest/x86/signal: Include test cases for validating sigaltstack
Documentation/x86/elf_auxvec.rst | 53 +++++++++
Documentation/x86/index.rst | 1 +
arch/x86/include/asm/elf.h | 4 +
arch/x86/include/asm/fpu/signal.h | 2 +
arch/x86/include/asm/sigframe.h | 2 +
arch/x86/include/uapi/asm/auxvec.h | 4 +-
arch/x86/kernel/cpu/common.c | 3 +
arch/x86/kernel/fpu/signal.c | 19 ++++
arch/x86/kernel/signal.c | 72 +++++++++++-
include/uapi/linux/auxvec.h | 3 +
tools/testing/selftests/sigaltstack/sas.c | 20 +++-
tools/testing/selftests/x86/Makefile | 2 +-
tools/testing/selftests/x86/sigaltstack.c | 128 ++++++++++++++++++++++
13 files changed, 300 insertions(+), 13 deletions(-)
create mode 100644 Documentation/x86/elf_auxvec.rst
create mode 100644 tools/testing/selftests/x86/sigaltstack.c
base-commit: 1e28eed17697bcf343c6743f0028cc3b5dd88bf0
--
2.17.1
The test measures the kernel's signal delivery with different (enough vs.
insufficient) stack sizes.
Signed-off-by: Chang S. Bae <[email protected]>
Reviewed-by: Len Brown <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
---
Changes from v3:
* Revised test messages again (Borislav Petkov)
Changes from v2:
* Revised test messages (Borislav Petkov)
---
tools/testing/selftests/x86/Makefile | 2 +-
tools/testing/selftests/x86/sigaltstack.c | 128 ++++++++++++++++++++++
2 files changed, 129 insertions(+), 1 deletion(-)
create mode 100644 tools/testing/selftests/x86/sigaltstack.c
diff --git a/tools/testing/selftests/x86/Makefile b/tools/testing/selftests/x86/Makefile
index 333980375bc7..65bba2ae86ee 100644
--- a/tools/testing/selftests/x86/Makefile
+++ b/tools/testing/selftests/x86/Makefile
@@ -13,7 +13,7 @@ CAN_BUILD_WITH_NOPIE := $(shell ./check_cc.sh $(CC) trivial_program.c -no-pie)
TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \
check_initial_reg_state sigreturn iopl ioperm \
test_vsyscall mov_ss_trap \
- syscall_arg_fault fsgsbase_restore
+ syscall_arg_fault fsgsbase_restore sigaltstack
TARGETS_C_32BIT_ONLY := entry_from_vm86 test_syscall_vdso unwind_vdso \
test_FCMOV test_FCOMI test_FISTTP \
vdso_restorer
diff --git a/tools/testing/selftests/x86/sigaltstack.c b/tools/testing/selftests/x86/sigaltstack.c
new file mode 100644
index 000000000000..f689af75e979
--- /dev/null
+++ b/tools/testing/selftests/x86/sigaltstack.c
@@ -0,0 +1,128 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#define _GNU_SOURCE
+#include <signal.h>
+#include <stdio.h>
+#include <stdbool.h>
+#include <string.h>
+#include <err.h>
+#include <errno.h>
+#include <limits.h>
+#include <sys/mman.h>
+#include <sys/auxv.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <setjmp.h>
+
+/* sigaltstack()-enforced minimum stack */
+#define ENFORCED_MINSIGSTKSZ 2048
+
+#ifndef AT_MINSIGSTKSZ
+# define AT_MINSIGSTKSZ 51
+#endif
+
+static int nerrs;
+
+static bool sigalrm_expected;
+
+static unsigned long at_minstack_size;
+
+static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
+ int flags)
+{
+ struct sigaction sa;
+
+ memset(&sa, 0, sizeof(sa));
+ sa.sa_sigaction = handler;
+ sa.sa_flags = SA_SIGINFO | flags;
+ sigemptyset(&sa.sa_mask);
+ if (sigaction(sig, &sa, 0))
+ err(1, "sigaction");
+}
+
+static void clearhandler(int sig)
+{
+ struct sigaction sa;
+
+ memset(&sa, 0, sizeof(sa));
+ sa.sa_handler = SIG_DFL;
+ sigemptyset(&sa.sa_mask);
+ if (sigaction(sig, &sa, 0))
+ err(1, "sigaction");
+}
+
+static int setup_altstack(void *start, unsigned long size)
+{
+ stack_t ss;
+
+ memset(&ss, 0, sizeof(ss));
+ ss.ss_size = size;
+ ss.ss_sp = start;
+
+ return sigaltstack(&ss, NULL);
+}
+
+static jmp_buf jmpbuf;
+
+static void sigsegv(int sig, siginfo_t *info, void *ctx_void)
+{
+ if (sigalrm_expected) {
+ printf("[FAIL]\tWrong signal delivered: SIGSEGV (expected SIGALRM).");
+ nerrs++;
+ } else {
+ printf("[OK]\tSIGSEGV signal delivered.\n");
+ }
+
+ siglongjmp(jmpbuf, 1);
+}
+
+static void sigalrm(int sig, siginfo_t *info, void *ctx_void)
+{
+ if (!sigalrm_expected) {
+ printf("[FAIL]\tWrong signal delivered: SIGALRM (expected SIGSEGV).");
+ nerrs++;
+ } else {
+ printf("[OK]\tSIGALRM signal delivered.\n");
+ }
+}
+
+static void test_sigaltstack(void *altstack, unsigned long size)
+{
+ if (setup_altstack(altstack, size))
+ err(1, "sigaltstack()");
+
+ sigalrm_expected = (size > at_minstack_size) ? true : false;
+
+ sethandler(SIGSEGV, sigsegv, 0);
+ sethandler(SIGALRM, sigalrm, SA_ONSTACK);
+
+ if (!sigsetjmp(jmpbuf, 1)) {
+ printf("[RUN]\tTest an alternate signal stack of %ssufficient size.\n",
+ sigalrm_expected ? "" : "in");
+ printf("\tRaise SIGALRM. %s is expected to be delivered.\n",
+ sigalrm_expected ? "It" : "SIGSEGV");
+ raise(SIGALRM);
+ }
+
+ clearhandler(SIGALRM);
+ clearhandler(SIGSEGV);
+}
+
+int main(void)
+{
+ void *altstack;
+
+ at_minstack_size = getauxval(AT_MINSIGSTKSZ);
+
+ altstack = mmap(NULL, at_minstack_size + SIGSTKSZ, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
+ if (altstack == MAP_FAILED)
+ err(1, "mmap()");
+
+ if ((ENFORCED_MINSIGSTKSZ + 1) < at_minstack_size)
+ test_sigaltstack(altstack, ENFORCED_MINSIGSTKSZ + 1);
+
+ test_sigaltstack(altstack, at_minstack_size + SIGSTKSZ);
+
+ return nerrs == 0 ? 0 : 1;
+}
--
2.17.1
The kernel pushes context on to the userspace stack to prepare for the
user's signal handler. When the user has supplied an alternate signal
stack, via sigaltstack(2), it is easy for the kernel to verify that the
stack size is sufficient for the current hardware context.
Check if writing the hardware context to the alternate stack will exceed
it's size. If yes, then instead of corrupting user-data and proceeding with
the original signal handler, an immediate SIGSEGV signal is delivered.
Instead of calling on_sig_stack(), directly check the new stack pointer
whether in the bounds.
While the kernel allows new source code to discover and use a sufficient
alternate signal stack size, this check is still necessary to protect
binaries with insufficient alternate signal stack size from data
corruption.
Suggested-by: Jann Horn <[email protected]>
Signed-off-by: Chang S. Bae <[email protected]>
Reviewed-by: Len Brown <[email protected]>
Reviewed-by: Jann Horn <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Jann Horn <[email protected]>
Cc: [email protected]
Cc: [email protected]
---
Changes from v5:
* Fixed the overflow check. (Andy Lutomirski)
* Updated the changelog.
Changes from v3:
* Updated the changelog (Borislav Petkov)
Changes from v2:
* Simplified the implementation (Jann Horn)
---
arch/x86/kernel/signal.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
index 0d24f64d0145..9a62604fbf63 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -242,7 +242,7 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
unsigned long math_size = 0;
unsigned long sp = regs->sp;
unsigned long buf_fx = 0;
- int onsigstack = on_sig_stack(sp);
+ bool onsigstack = on_sig_stack(sp);
int ret;
/* redzone */
@@ -251,8 +251,11 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
/* This is the X/Open sanctioned signal stack switching. */
if (ka->sa.sa_flags & SA_ONSTACK) {
- if (sas_ss_flags(sp) == 0)
+ if (sas_ss_flags(sp) == 0) {
sp = current->sas_ss_sp + current->sas_ss_size;
+ /* On the alternate signal stack */
+ onsigstack = true;
+ }
} else if (IS_ENABLED(CONFIG_X86_32) &&
!onsigstack &&
regs->ss != __USER_DS &&
@@ -272,7 +275,8 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
* If we are on the alternate signal stack and would overflow it, don't.
* Return an always-bogus address instead so we will die with SIGSEGV.
*/
- if (onsigstack && !likely(on_sig_stack(sp)))
+ if (onsigstack && unlikely(sp <= current->sas_ss_sp ||
+ sp - current->sas_ss_sp > current->sas_ss_size))
return (void __user *)-1L;
/* save i387 and extended state */
--
2.17.1
On Mon, Mar 15, 2021 at 11:52:14PM -0700, Chang S. Bae wrote:
> @@ -272,7 +275,8 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
> * If we are on the alternate signal stack and would overflow it, don't.
> * Return an always-bogus address instead so we will die with SIGSEGV.
> */
> - if (onsigstack && !likely(on_sig_stack(sp)))
> + if (onsigstack && unlikely(sp <= current->sas_ss_sp ||
> + sp - current->sas_ss_sp > current->sas_ss_size))
> return (void __user *)-1L;
So clearly I'm missing something because trying to trigger the test case
in the bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=153531
on current tip/master doesn't work. Runs with MY_MINSIGSTKSZ under 2048
fail with:
tst-minsigstksz-2: sigaltstack: Cannot allocate memory
and above 2048 don't overwrite bytes below the stack.
So something else is missing. How did you test this patch?
Thx.
--
Regards/Gruss,
Boris.
SUSE Software Solutions Germany GmbH, GF: Felix Imendörffer, HRB 36809, AG Nürnberg
On Mar 16, 2021, at 04:52, Borislav Petkov <[email protected]> wrote:
> On Mon, Mar 15, 2021 at 11:52:14PM -0700, Chang S. Bae wrote:
>> @@ -272,7 +275,8 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
>> * If we are on the alternate signal stack and would overflow it, don't.
>> * Return an always-bogus address instead so we will die with SIGSEGV.
>> */
>> - if (onsigstack && !likely(on_sig_stack(sp)))
>> + if (onsigstack && unlikely(sp <= current->sas_ss_sp ||
>> + sp - current->sas_ss_sp > current->sas_ss_size))
>> return (void __user *)-1L;
>
> So clearly I'm missing something because trying to trigger the test case
> in the bugzilla:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=153531
>
> on current tip/master doesn't work. Runs with MY_MINSIGSTKSZ under 2048
> fail with:
>
> tst-minsigstksz-2: sigaltstack: Cannot allocate memory
>
> and above 2048 don't overwrite bytes below the stack.
>
> So something else is missing. How did you test this patch?
I suspect the AVX-512 states not enabled there.
When I ran it under a machine without AVX-512 like this, it didn’t show the
overwrite message:
$ cat /proc/cpuinfo | grep -m1 "model name”
model name : Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz
$ sudo dmesg | grep "Enabled xstate”
[ 0.000000] x86/fpu: Enabled xstate features 0x1f, context size is 960
bytes, using ‘compacted’ format.
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=2047
$ ./a.out
a.out: sigaltstack: Cannot allocate memory
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=2048
$ ./a.out
When do it again with AVX-512, it did show the message:
$ cat /proc/cpuinfo | grep -m1 "model name”
model name : Intel(R) Core(TM) i9-7940X CPU @ 3.10GHz
$ sudo dmesg | grep "Enabled xstate”
[ 0.000000] x86/fpu: Enabled xstate features 0xff, context size is 2560
bytes, using 'compacted' format.
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=2048
$ ./a.out
a.out: changed byte 1412 bytes below configured stack
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3490
$ ./a.out
a.out: changed byte 21 bytes below configured stack
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3491
$ ./a.out
Also, on the second machine, without this patch:
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3191
$ ./a.out
a.out: changed byte 319 bytes below configured stack
But with this patch, it gave segfault with a too-small size:
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3191
$ ./a.out
Segmentation fault (core dumped)
Thanks,
Chang
* Chang S. Bae <[email protected]> wrote:
> During signal entry, the kernel pushes data onto the normal userspace
> stack. On x86, the data pushed onto the user stack includes XSAVE state,
> which has grown over time as new features and larger registers have been
> added to the architecture.
>
> MINSIGSTKSZ is a constant provided in the kernel signal.h headers and
> typically distributed in lib-dev(el) packages, e.g. [1]. Its value is
> compiled into programs and is part of the user/kernel ABI. The MINSIGSTKSZ
> constant indicates to userspace how much data the kernel expects to push on
> the user stack, [2][3].
>
> However, this constant is much too small and does not reflect recent
> additions to the architecture. For instance, when AVX-512 states are in
> use, the signal frame size can be 3.5KB while MINSIGSTKSZ remains 2KB.
>
> The bug report [4] explains this as an ABI issue. The small MINSIGSTKSZ can
> cause user stack overflow when delivering a signal.
> uapi: Define the aux vector AT_MINSIGSTKSZ
> x86/signal: Introduce helpers to get the maximum signal frame size
> x86/elf: Support a new ELF aux vector AT_MINSIGSTKSZ
> selftest/sigaltstack: Use the AT_MINSIGSTKSZ aux vector if available
> x86/signal: Detect and prevent an alternate signal stack overflow
> selftest/x86/signal: Include test cases for validating sigaltstack
So this looks really complicated, is this justified?
Why not just internally round up sigaltstack size if it's too small?
This would be more robust, as it would fix applications that use
MINSIGSTKSZ but don't use the new AT_MINSIGSTKSZ facility.
I.e. does AT_MINSIGSTKSZ have any other uses than avoiding the
segfault if MINSIGSTKSZ is used to create a small signal stack?
Thanks,
Ingo
* Ingo Molnar <[email protected]> wrote:
>
> * Chang S. Bae <[email protected]> wrote:
>
> > During signal entry, the kernel pushes data onto the normal userspace
> > stack. On x86, the data pushed onto the user stack includes XSAVE state,
> > which has grown over time as new features and larger registers have been
> > added to the architecture.
> >
> > MINSIGSTKSZ is a constant provided in the kernel signal.h headers and
> > typically distributed in lib-dev(el) packages, e.g. [1]. Its value is
> > compiled into programs and is part of the user/kernel ABI. The MINSIGSTKSZ
> > constant indicates to userspace how much data the kernel expects to push on
> > the user stack, [2][3].
> >
> > However, this constant is much too small and does not reflect recent
> > additions to the architecture. For instance, when AVX-512 states are in
> > use, the signal frame size can be 3.5KB while MINSIGSTKSZ remains 2KB.
> >
> > The bug report [4] explains this as an ABI issue. The small MINSIGSTKSZ can
> > cause user stack overflow when delivering a signal.
>
> > uapi: Define the aux vector AT_MINSIGSTKSZ
> > x86/signal: Introduce helpers to get the maximum signal frame size
> > x86/elf: Support a new ELF aux vector AT_MINSIGSTKSZ
> > selftest/sigaltstack: Use the AT_MINSIGSTKSZ aux vector if available
> > x86/signal: Detect and prevent an alternate signal stack overflow
> > selftest/x86/signal: Include test cases for validating sigaltstack
>
> So this looks really complicated, is this justified?
>
> Why not just internally round up sigaltstack size if it's too small?
> This would be more robust, as it would fix applications that use
> MINSIGSTKSZ but don't use the new AT_MINSIGSTKSZ facility.
>
> I.e. does AT_MINSIGSTKSZ have any other uses than avoiding the
> segfault if MINSIGSTKSZ is used to create a small signal stack?
I.e. if the kernel sees a too small ->ss_size in sigaltstack() it
would ignore ->ss_sp and mmap() a new sigaltstack instead and use that
for the signal handler stack.
This would automatically make MINSIGSTKSZ - and other too small sizes
work today, and in the future.
But the question is, is there user-space usage of sigaltstacks that
relies on controlling or reading the contents of the stack?
longjmp using programs perhaps?
Thanks,
Ingo
On Wed, Mar 17, 2021 at 6:45 AM Ingo Molnar <[email protected]> wrote:
>
>
> * Ingo Molnar <[email protected]> wrote:
>
> >
> > * Chang S. Bae <[email protected]> wrote:
> >
> > > During signal entry, the kernel pushes data onto the normal userspace
> > > stack. On x86, the data pushed onto the user stack includes XSAVE state,
> > > which has grown over time as new features and larger registers have been
> > > added to the architecture.
> > >
> > > MINSIGSTKSZ is a constant provided in the kernel signal.h headers and
> > > typically distributed in lib-dev(el) packages, e.g. [1]. Its value is
> > > compiled into programs and is part of the user/kernel ABI. The MINSIGSTKSZ
> > > constant indicates to userspace how much data the kernel expects to push on
> > > the user stack, [2][3].
> > >
> > > However, this constant is much too small and does not reflect recent
> > > additions to the architecture. For instance, when AVX-512 states are in
> > > use, the signal frame size can be 3.5KB while MINSIGSTKSZ remains 2KB.
> > >
> > > The bug report [4] explains this as an ABI issue. The small MINSIGSTKSZ can
> > > cause user stack overflow when delivering a signal.
> >
> > > uapi: Define the aux vector AT_MINSIGSTKSZ
> > > x86/signal: Introduce helpers to get the maximum signal frame size
> > > x86/elf: Support a new ELF aux vector AT_MINSIGSTKSZ
> > > selftest/sigaltstack: Use the AT_MINSIGSTKSZ aux vector if available
> > > x86/signal: Detect and prevent an alternate signal stack overflow
> > > selftest/x86/signal: Include test cases for validating sigaltstack
> >
> > So this looks really complicated, is this justified?
> >
> > Why not just internally round up sigaltstack size if it's too small?
> > This would be more robust, as it would fix applications that use
> > MINSIGSTKSZ but don't use the new AT_MINSIGSTKSZ facility.
> >
> > I.e. does AT_MINSIGSTKSZ have any other uses than avoiding the
> > segfault if MINSIGSTKSZ is used to create a small signal stack?
>
> I.e. if the kernel sees a too small ->ss_size in sigaltstack() it
> would ignore ->ss_sp and mmap() a new sigaltstack instead and use that
> for the signal handler stack.
>
> This would automatically make MINSIGSTKSZ - and other too small sizes
> work today, and in the future.
>
> But the question is, is there user-space usage of sigaltstacks that
> relies on controlling or reading the contents of the stack?
>
> longjmp using programs perhaps?
For the legacy binary that requests a too-small sigaltstack, there are
several choices:
We could detect the too-small stack at sigaltstack(2) invocation and
return an error.
This results in two deal-killing problems:
First, some applications don't check the return value, so the check
would be fruitless.
Second, those that check and error-out may be programs that never
actually take the signal, and so we'd be causing a dusty binary to
exit, when it didn't exit on another system, or another kernel.
Or we could detect the too small stack at signal registration time.
This has the same two deal-killers as above.
Then there is the approach in this patch-set, which detects an
imminent stack overflow at run time.
It has neither of the two problems above, and the benefit that we now
prevent data corruption
that could have been happening on some systems already today. The
down side is that the dusty binary
that does request the too-small stack can now die at run time.
So your idea of recognizing the problem and conjuring up a sufficient
stack is compelling,
since it would likely "just work", no matter how dumb the program.
But where would the
the sufficient stack come from -- is this a new kernel buffer, or is
there a way to abscond
some user memory? I would expect a signal handler to look at the data
on its stack
and nobody else will look at that stack. But this is already an
unreasonable program for
allocating a special signal stack in the first place :-/ So yes, one
could imagine the signal
handler could longjump instead of gracefully completing, and if this
specially allocated
signal stack isn't where the user planned, that could be trouble.
Another idea we discussed was to detect the potential overflow at run-time,
and instead of killing the process, just push the signal onto the
regular user stack.
this might actually work, but it is sort of devious; and it would not
work in the case
where the user overflowed their regular stack already, which may be
the most (only?)
compelling reason that they allocated and declared a special
sigaltstack in the first place...
--
Len Brown, Intel Open Source Technology Center
* Len Brown <[email protected]> wrote:
> On Wed, Mar 17, 2021 at 6:45 AM Ingo Molnar <[email protected]> wrote:
> >
> >
> > * Ingo Molnar <[email protected]> wrote:
> >
> > >
> > > * Chang S. Bae <[email protected]> wrote:
> > >
> > > > During signal entry, the kernel pushes data onto the normal userspace
> > > > stack. On x86, the data pushed onto the user stack includes XSAVE state,
> > > > which has grown over time as new features and larger registers have been
> > > > added to the architecture.
> > > >
> > > > MINSIGSTKSZ is a constant provided in the kernel signal.h headers and
> > > > typically distributed in lib-dev(el) packages, e.g. [1]. Its value is
> > > > compiled into programs and is part of the user/kernel ABI. The MINSIGSTKSZ
> > > > constant indicates to userspace how much data the kernel expects to push on
> > > > the user stack, [2][3].
> > > >
> > > > However, this constant is much too small and does not reflect recent
> > > > additions to the architecture. For instance, when AVX-512 states are in
> > > > use, the signal frame size can be 3.5KB while MINSIGSTKSZ remains 2KB.
> > > >
> > > > The bug report [4] explains this as an ABI issue. The small MINSIGSTKSZ can
> > > > cause user stack overflow when delivering a signal.
> > >
> > > > uapi: Define the aux vector AT_MINSIGSTKSZ
> > > > x86/signal: Introduce helpers to get the maximum signal frame size
> > > > x86/elf: Support a new ELF aux vector AT_MINSIGSTKSZ
> > > > selftest/sigaltstack: Use the AT_MINSIGSTKSZ aux vector if available
> > > > x86/signal: Detect and prevent an alternate signal stack overflow
> > > > selftest/x86/signal: Include test cases for validating sigaltstack
> > >
> > > So this looks really complicated, is this justified?
> > >
> > > Why not just internally round up sigaltstack size if it's too small?
> > > This would be more robust, as it would fix applications that use
> > > MINSIGSTKSZ but don't use the new AT_MINSIGSTKSZ facility.
> > >
> > > I.e. does AT_MINSIGSTKSZ have any other uses than avoiding the
> > > segfault if MINSIGSTKSZ is used to create a small signal stack?
> >
> > I.e. if the kernel sees a too small ->ss_size in sigaltstack() it
> > would ignore ->ss_sp and mmap() a new sigaltstack instead and use that
> > for the signal handler stack.
> >
> > This would automatically make MINSIGSTKSZ - and other too small sizes
> > work today, and in the future.
> >
> > But the question is, is there user-space usage of sigaltstacks that
> > relies on controlling or reading the contents of the stack?
> >
> > longjmp using programs perhaps?
>
> For the legacy binary that requests a too-small sigaltstack, there are
> several choices:
>
> We could detect the too-small stack at sigaltstack(2) invocation and
> return an error.
> This results in two deal-killing problems:
> First, some applications don't check the return value, so the check
> would be fruitless.
> Second, those that check and error-out may be programs that never
> actually take the signal, and so we'd be causing a dusty binary to
> exit, when it didn't exit on another system, or another kernel.
>
> Or we could detect the too small stack at signal registration time.
> This has the same two deal-killers as above.
>
> Then there is the approach in this patch-set, which detects an
> imminent stack overflow at run time.
> It has neither of the two problems above, and the benefit that we now
> prevent data corruption
> that could have been happening on some systems already today. The
> down side is that the dusty binary
> that does request the too-small stack can now die at run time.
>
> So your idea of recognizing the problem and conjuring up a
> sufficient stack is compelling, since it would likely "just work",
> no matter how dumb the program. But where would the the sufficient
> stack come from -- is this a new kernel buffer, or is there a way to
> abscond some user memory? I would expect a signal handler to look
> at the data on its stack and nobody else will look at that stack.
> But this is already an unreasonable program for allocating a special
> signal stack in the first place :-/ So yes, one could imagine the
> signal handler could longjump instead of gracefully completing, and
> if this specially allocated signal stack isn't where the user
> planned, that could be trouble.
We could mmap() (implicitly) new anonymous memory - but I can see why
this is probably more trouble than worth...
> Another idea we discussed was to detect the potential overflow at
> run-time, and instead of killing the process, just push the signal
> onto the regular user stack. this might actually work, but it is
> sort of devious; and it would not work in the case where the user
> overflowed their regular stack already, which may be the most
> (only?) compelling reason that they allocated and declared a special
> sigaltstack in the first place...
Yeah, this doesn't sound deterministic enough.
Ok, thanks for the detailed answers - I withdraw my objections, let's
proceed with the approach you are proposing?
Thanks,
Ingo
On Tue, Mar 16, 2021 at 06:26:46PM +0000, Bae, Chang Seok wrote:
> I suspect the AVX-512 states not enabled there.
Ok, I found a machine which has AVX-512:
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x020: 'AVX-512 opmask'
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x040: 'AVX-512 Hi256'
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x080: 'AVX-512 ZMM_Hi256'
[ 0.000000] x86/fpu: Supporting XSAVE feature 0x200: 'Protection Keys User registers'
[ 0.000000] x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
[ 0.000000] x86/fpu: xstate_offset[5]: 832, xstate_sizes[5]: 64
[ 0.000000] x86/fpu: xstate_offset[6]: 896, xstate_sizes[6]: 512
[ 0.000000] x86/fpu: xstate_offset[7]: 1408, xstate_sizes[7]: 1024
[ 0.000000] x86/fpu: xstate_offset[9]: 2432, xstate_sizes[9]: 8
[ 0.000000] x86/fpu: Enabled xstate features 0x2e7, context size is 2440 bytes, using 'compacted' format.
and applied your patch and added a debug printk, see end of mail.
Then, I ran the test case:
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3453 -o tst-minsigstksz-2
$ ./tst-minsigstksz-2
tst-minsigstksz-2: changed byte 50 bytes below configured stack
Whoops.
And the debug print said:
[ 5395.252884] signal: get_sigframe: sp: 0x7f54ec39e7b8, sas_ss_sp: 0x7f54ec39e6ce, sas_ss_size 0xd7d
which tells me that, AFAICT, your check whether we have enough alt stack
doesn't seem to work in this case.
Thx.
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
index a06cb107c0e8..a7396f7c3832 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -237,7 +237,7 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
unsigned long math_size = 0;
unsigned long sp = regs->sp;
unsigned long buf_fx = 0;
- int onsigstack = on_sig_stack(sp);
+ bool onsigstack = on_sig_stack(sp);
int ret;
/* redzone */
@@ -246,8 +246,11 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
/* This is the X/Open sanctioned signal stack switching. */
if (ka->sa.sa_flags & SA_ONSTACK) {
- if (sas_ss_flags(sp) == 0)
+ if (sas_ss_flags(sp) == 0) {
sp = current->sas_ss_sp + current->sas_ss_size;
+ /* On the alternate signal stack */
+ onsigstack = true;
+ }
} else if (IS_ENABLED(CONFIG_X86_32) &&
!onsigstack &&
regs->ss != __USER_DS &&
@@ -263,11 +266,16 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
sp = align_sigframe(sp - frame_size);
+ if (onsigstack)
+ pr_info("%s: sp: 0x%lx, sas_ss_sp: 0x%lx, sas_ss_size 0x%lx\n",
+ __func__, sp, current->sas_ss_sp, current->sas_ss_size);
+
/*
* If we are on the alternate signal stack and would overflow it, don't.
* Return an always-bogus address instead so we will die with SIGSEGV.
*/
- if (onsigstack && !likely(on_sig_stack(sp)))
+ if (onsigstack && unlikely(sp <= current->sas_ss_sp ||
+ sp - current->sas_ss_sp > current->sas_ss_size))
return (void __user *)-1L;
/* save i387 and extended state */
--
Regards/Gruss,
Boris.
SUSE Software Solutions Germany GmbH, GF: Felix Imendörffer, HRB 36809, AG Nürnberg
On Mar 25, 2021, at 09:20, Borislav Petkov <[email protected]> wrote:
>
> $ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3453 -o tst-minsigstksz-2
> $ ./tst-minsigstksz-2
> tst-minsigstksz-2: changed byte 50 bytes below configured stack
>
> Whoops.
>
> And the debug print said:
>
> [ 5395.252884] signal: get_sigframe: sp: 0x7f54ec39e7b8, sas_ss_sp: 0x7f54ec39e6ce, sas_ss_size 0xd7d
>
> which tells me that, AFAICT, your check whether we have enough alt stack
> doesn't seem to work in this case.
Yes, in this case.
tst-minsigstksz-2.c has this code:
static void
handler (int signo)
{
/* Clear a bit of on-stack memory. */
volatile char buffer[256];
for (size_t i = 0; i < sizeof (buffer); ++i)
buffer[i] = 0;
handler_run = 1;
}
…
if (handler_run != 1)
errx (1, "handler did not run");
for (void *p = stack_buffer; p < stack_bottom; ++p)
if (*(unsigned char *) p != 0xCC)
errx (1, "changed byte %zd bytes below configured stack\n",
stack_bottom - p);
…
I think the message comes from the handler’s overwriting, not from the kernel.
The patch's check is to detect and prevent the kernel-induced overflow --
whether alt stack enough for signal delivery itself. The stack is possibly
not enough for the signal handler's use as the kernel does not know for it.
Thanks,
Chang
On Mon, Mar 15, 2021 at 11:57 PM Chang S. Bae <[email protected]> wrote:
>
> The kernel pushes context on to the userspace stack to prepare for the
> user's signal handler. When the user has supplied an alternate signal
> stack, via sigaltstack(2), it is easy for the kernel to verify that the
> stack size is sufficient for the current hardware context.
>
> Check if writing the hardware context to the alternate stack will exceed
> it's size. If yes, then instead of corrupting user-data and proceeding with
> the original signal handler, an immediate SIGSEGV signal is delivered.
>
> Instead of calling on_sig_stack(), directly check the new stack pointer
> whether in the bounds.
>
> While the kernel allows new source code to discover and use a sufficient
> alternate signal stack size, this check is still necessary to protect
> binaries with insufficient alternate signal stack size from data
> corruption.
This patch results in excessively complicated control and data flow.
> - int onsigstack = on_sig_stack(sp);
> + bool onsigstack = on_sig_stack(sp);
Here onsigstack means "we were already using the altstack".
> int ret;
>
> /* redzone */
> @@ -251,8 +251,11 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
>
> /* This is the X/Open sanctioned signal stack switching. */
> if (ka->sa.sa_flags & SA_ONSTACK) {
> - if (sas_ss_flags(sp) == 0)
> + if (sas_ss_flags(sp) == 0) {
> sp = current->sas_ss_sp + current->sas_ss_size;
> + /* On the alternate signal stack */
> + onsigstack = true;
> + }
But now onsigstack is also true if we are using the legacy path to
*enter* the altstack. So now it's (was on altstack) || (entering
altstack via legacy path).
> } else if (IS_ENABLED(CONFIG_X86_32) &&
> !onsigstack &&
> regs->ss != __USER_DS &&
> @@ -272,7 +275,8 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
> * If we are on the alternate signal stack and would overflow it, don't.
> * Return an always-bogus address instead so we will die with SIGSEGV.
> */
> - if (onsigstack && !likely(on_sig_stack(sp)))
> + if (onsigstack && unlikely(sp <= current->sas_ss_sp ||
> + sp - current->sas_ss_sp > current->sas_ss_size))
And now we fail if ((was on altstack) || (entering altstack via legacy
path)) && (new sp is out of bounds).
The condition we actually want is that, if we are entering the
altstack and we don't fit, we should fail. This is tricky because of
the autodisarm stuff and the possibility of nonlinear stack segments,
so it's not even clear to me exactly what we should be doing. I
propose:
> return (void __user *)-1L;
Can we please log something (if (show_unhandled_signals ||
printk_ratelimit()) that says that we overflowed the altstack?
How about:
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
index ea794a083c44..53781324a2d3 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -237,7 +237,8 @@ get_sigframe(struct k_sigaction *ka, struct
pt_regs *regs, size_t frame_size,
unsigned long math_size = 0;
unsigned long sp = regs->sp;
unsigned long buf_fx = 0;
- int onsigstack = on_sig_stack(sp);
+ bool already_onsigstack = on_sig_stack(sp);
+ bool entering_altstack = false;
int ret;
/* redzone */
@@ -246,15 +247,25 @@ get_sigframe(struct k_sigaction *ka, struct
pt_regs *regs, size_t frame_size,
/* This is the X/Open sanctioned signal stack switching. */
if (ka->sa.sa_flags & SA_ONSTACK) {
- if (sas_ss_flags(sp) == 0)
+ /*
+ * This checks already_onsigstack via sas_ss_flags().
+ * Sensible programs use SS_AUTODISARM, which disables
+ * that check, and programs that don't use
+ * SS_AUTODISARM get compatible but potentially
+ * bizarre behavior.
+ */
+ if (sas_ss_flags(sp) == 0) {
sp = current->sas_ss_sp + current->sas_ss_size;
+ entering_altstack = true;
+ }
} else if (IS_ENABLED(CONFIG_X86_32) &&
- !onsigstack &&
+ !already_onsigstack &&
regs->ss != __USER_DS &&
!(ka->sa.sa_flags & SA_RESTORER) &&
ka->sa.sa_restorer) {
/* This is the legacy signal stack switching. */
sp = (unsigned long) ka->sa.sa_restorer;
+ entering_altstack = true;
}
sp = fpu__alloc_mathframe(sp, IS_ENABLED(CONFIG_X86_32),
@@ -267,8 +278,16 @@ get_sigframe(struct k_sigaction *ka, struct
pt_regs *regs, size_t frame_size,
* If we are on the alternate signal stack and would overflow it, don't.
* Return an always-bogus address instead so we will die with SIGSEGV.
*/
- if (onsigstack && !likely(on_sig_stack(sp)))
+ if (unlikely(entering_altstack &&
+ (sp <= current->sas_ss_sp ||
+ sp - current->sas_ss_sp > current->sas_ss_size))) {
+ if (show_unhandled_signals && printk_ratelimit()) {
+ pr_info("%s[%d] overflowed sigaltstack",
+ tsk->comm, task_pid_nr(tsk));
+ }
+
return (void __user *)-1L;
+ }
/* save i387 and extended state */
ret = copy_fpstate_to_sigframe(*fpstate, (void __user *)buf_fx, math_size);
Apologies for whitespace damage. I attached it, too.
On Thu, Mar 25, 2021 at 11:13:12AM -0700, Andy Lutomirski wrote:
> diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
> index ea794a083c44..53781324a2d3 100644
> --- a/arch/x86/kernel/signal.c
> +++ b/arch/x86/kernel/signal.c
> @@ -237,7 +237,8 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
> unsigned long math_size = 0;
> unsigned long sp = regs->sp;
> unsigned long buf_fx = 0;
> - int onsigstack = on_sig_stack(sp);
> + bool already_onsigstack = on_sig_stack(sp);
> + bool entering_altstack = false;
> int ret;
>
> /* redzone */
> @@ -246,15 +247,25 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
>
> /* This is the X/Open sanctioned signal stack switching. */
> if (ka->sa.sa_flags & SA_ONSTACK) {
> - if (sas_ss_flags(sp) == 0)
> + /*
> + * This checks already_onsigstack via sas_ss_flags().
> + * Sensible programs use SS_AUTODISARM, which disables
> + * that check, and programs that don't use
> + * SS_AUTODISARM get compatible but potentially
> + * bizarre behavior.
> + */
> + if (sas_ss_flags(sp) == 0) {
> sp = current->sas_ss_sp + current->sas_ss_size;
> + entering_altstack = true;
> + }
> } else if (IS_ENABLED(CONFIG_X86_32) &&
> - !onsigstack &&
> + !already_onsigstack &&
> regs->ss != __USER_DS &&
> !(ka->sa.sa_flags & SA_RESTORER) &&
> ka->sa.sa_restorer) {
> /* This is the legacy signal stack switching. */
> sp = (unsigned long) ka->sa.sa_restorer;
> + entering_altstack = true;
> }
What a mess this whole signal handling is. I need a course in signal
handling to understand what's going on here...
>
> sp = fpu__alloc_mathframe(sp, IS_ENABLED(CONFIG_X86_32),
> @@ -267,8 +278,16 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
> * If we are on the alternate signal stack and would overflow it, don't.
> * Return an always-bogus address instead so we will die with SIGSEGV.
> */
> - if (onsigstack && !likely(on_sig_stack(sp)))
> + if (unlikely(entering_altstack &&
> + (sp <= current->sas_ss_sp ||
> + sp - current->sas_ss_sp > current->sas_ss_size))) {
You could've simply done
if (unlikely(entering_altstack && !on_sig_stack(sp)))
here.
> + if (show_unhandled_signals && printk_ratelimit()) {
> + pr_info("%s[%d] overflowed sigaltstack",
> + tsk->comm, task_pid_nr(tsk));
> + }
Why do you even wanna issue that? It looks like callers will propagate
an error value up and people don't look at dmesg all the time.
Btw, s/tsk/current/g
IOW, this builds:
---
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
index a06cb107c0e8..c00e932b5f18 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -234,10 +234,11 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
void __user **fpstate)
{
/* Default to using normal stack */
+ bool already_onsigstack = on_sig_stack(regs->sp);
+ bool entering_altstack = false;
unsigned long math_size = 0;
unsigned long sp = regs->sp;
unsigned long buf_fx = 0;
- int onsigstack = on_sig_stack(sp);
int ret;
/* redzone */
@@ -246,15 +247,24 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
/* This is the X/Open sanctioned signal stack switching. */
if (ka->sa.sa_flags & SA_ONSTACK) {
- if (sas_ss_flags(sp) == 0)
+ /*
+ * This checks already_onsigstack via sas_ss_flags(). Sensible
+ * programs use SS_AUTODISARM, which disables that check, and
+ * programs that don't use SS_AUTODISARM get compatible but
+ * potentially bizarre behavior.
+ */
+ if (sas_ss_flags(sp) == 0) {
sp = current->sas_ss_sp + current->sas_ss_size;
+ entering_altstack = true;
+ }
} else if (IS_ENABLED(CONFIG_X86_32) &&
- !onsigstack &&
+ !already_onsigstack &&
regs->ss != __USER_DS &&
!(ka->sa.sa_flags & SA_RESTORER) &&
ka->sa.sa_restorer) {
/* This is the legacy signal stack switching. */
sp = (unsigned long) ka->sa.sa_restorer;
+ entering_altstack = true;
}
sp = fpu__alloc_mathframe(sp, IS_ENABLED(CONFIG_X86_32),
@@ -267,8 +277,14 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
* If we are on the alternate signal stack and would overflow it, don't.
* Return an always-bogus address instead so we will die with SIGSEGV.
*/
- if (onsigstack && !likely(on_sig_stack(sp)))
+ if (unlikely(entering_altstack && !on_sig_stack(sp))) {
+
+ if (show_unhandled_signals && printk_ratelimit())
+ pr_info("%s[%d] overflowed sigaltstack",
+ current->comm, task_pid_nr(current));
+
return (void __user *)-1L;
+ }
/* save i387 and extended state */
ret = copy_fpstate_to_sigframe(*fpstate, (void __user *)buf_fx, math_size);
--
Regards/Gruss,
Boris.
SUSE Software Solutions Germany GmbH, GF: Felix Imendörffer, HRB 36809, AG Nürnberg
* Chang Seok via Libc-alpha Bae:
> On Mar 25, 2021, at 09:20, Borislav Petkov <[email protected]> wrote:
>>
>> $ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3453 -o tst-minsigstksz-2
>> $ ./tst-minsigstksz-2
>> tst-minsigstksz-2: changed byte 50 bytes below configured stack
>>
>> Whoops.
>>
>> And the debug print said:
>>
>> [ 5395.252884] signal: get_sigframe: sp: 0x7f54ec39e7b8, sas_ss_sp: 0x7f54ec39e6ce, sas_ss_size 0xd7d
>>
>> which tells me that, AFAICT, your check whether we have enough alt stack
>> doesn't seem to work in this case.
>
> Yes, in this case.
>
> tst-minsigstksz-2.c has this code:
>
> static void
> handler (int signo)
> {
> /* Clear a bit of on-stack memory. */
> volatile char buffer[256];
> for (size_t i = 0; i < sizeof (buffer); ++i)
> buffer[i] = 0;
> handler_run = 1;
> }
> …
>
> if (handler_run != 1)
> errx (1, "handler did not run");
>
> for (void *p = stack_buffer; p < stack_bottom; ++p)
> if (*(unsigned char *) p != 0xCC)
> errx (1, "changed byte %zd bytes below configured stack\n",
> stack_bottom - p);
> …
>
> I think the message comes from the handler’s overwriting, not from the kernel.
>
> The patch's check is to detect and prevent the kernel-induced overflow --
> whether alt stack enough for signal delivery itself. The stack is possibly
> not enough for the signal handler's use as the kernel does not know for it.
Ahh, right. When I wrote the test, I didn't know which turn the
kernel would eventually take, so the test is quite arbitrary.
The glibc dynamic loader uses XSAVE/XSAVEC as well, so you can
probably double the practical stack requirement if lazy binding is in
use and can be triggered from the signal handler. Estimating stack
sizes is hard.
On Mar 25, 2021, at 11:54, Borislav Petkov <[email protected]> wrote:
> On Thu, Mar 25, 2021 at 11:13:12AM -0700, Andy Lutomirski wrote:
>> diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
>> index ea794a083c44..53781324a2d3 100644
>> --- a/arch/x86/kernel/signal.c
>> +++ b/arch/x86/kernel/signal.c
>> @@ -237,7 +237,8 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
>> unsigned long math_size = 0;
>> unsigned long sp = regs->sp;
>> unsigned long buf_fx = 0;
>> - int onsigstack = on_sig_stack(sp);
>> + bool already_onsigstack = on_sig_stack(sp);
>> + bool entering_altstack = false;
>> int ret;
>>
>> /* redzone */
>> @@ -246,15 +247,25 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
>>
>> /* This is the X/Open sanctioned signal stack switching. */
>> if (ka->sa.sa_flags & SA_ONSTACK) {
>> - if (sas_ss_flags(sp) == 0)
>> + /*
>> + * This checks already_onsigstack via sas_ss_flags().
>> + * Sensible programs use SS_AUTODISARM, which disables
>> + * that check, and programs that don't use
>> + * SS_AUTODISARM get compatible but potentially
>> + * bizarre behavior.
>> + */
>> + if (sas_ss_flags(sp) == 0) {
>> sp = current->sas_ss_sp + current->sas_ss_size;
>> + entering_altstack = true;
>> + }
>> } else if (IS_ENABLED(CONFIG_X86_32) &&
>> - !onsigstack &&
>> + !already_onsigstack &&
>> regs->ss != __USER_DS &&
>> !(ka->sa.sa_flags & SA_RESTORER) &&
>> ka->sa.sa_restorer) {
>> /* This is the legacy signal stack switching. */
>> sp = (unsigned long) ka->sa.sa_restorer;
>> + entering_altstack = true;
>> }
>
> What a mess this whole signal handling is. I need a course in signal
> handling to understand what's going on here...
>
>>
>> sp = fpu__alloc_mathframe(sp, IS_ENABLED(CONFIG_X86_32),
>> @@ -267,8 +278,16 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
>> * If we are on the alternate signal stack and would overflow it, don't.
>> * Return an always-bogus address instead so we will die with SIGSEGV.
>> */
>> - if (onsigstack && !likely(on_sig_stack(sp)))
>> + if (unlikely(entering_altstack &&
>> + (sp <= current->sas_ss_sp ||
>> + sp - current->sas_ss_sp > current->sas_ss_size))) {
>
> You could've simply done
>
> if (unlikely(entering_altstack && !on_sig_stack(sp)))
>
> here.
But if sigaltstack()’ed with the SS_AUTODISARM flag, both on_sig_stack() and
sas_ss_flags() return 0 [1]. Then, segfault always here. v5 had the exact
issue before [2].
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/sched/signal.h#n576
[2] https://lore.kernel.org/lkml/CALCETrXuFrHUU-L=HMofTgEDZk9muPnVtK=EjsTHqQ01XhbRYg@mail.gmail.com/
Thanks,
Chang
On Thu, Mar 25, 2021 at 09:11:56PM +0000, Bae, Chang Seok wrote:
> But if sigaltstack()’ed with the SS_AUTODISARM flag, both on_sig_stack() and
> sas_ss_flags() return 0 [1]. Then, segfault always here. v5 had the exact
> issue before [2].
Ah, there's that SS_AUTODISARM check above it which I missed, sorry.
I guess we can do a __on_sig_stack() helper or so which does the stack
check only without the SS_AUTODISARM. Just for readability's sake in
what is already a pretty messy function.
Thx.
--
Regards/Gruss,
Boris.
SUSE Software Solutions Germany GmbH, GF: Felix Imendörffer, HRB 36809, AG Nürnberg
On Thu, Mar 25, 2021 at 11:54 AM Borislav Petkov <[email protected]> wrote:
>
> On Thu, Mar 25, 2021 at 11:13:12AM -0700, Andy Lutomirski wrote:
> > diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
> > index ea794a083c44..53781324a2d3 100644
> > --- a/arch/x86/kernel/signal.c
> > +++ b/arch/x86/kernel/signal.c
> > @@ -237,7 +237,8 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
> > unsigned long math_size = 0;
> > unsigned long sp = regs->sp;
> > unsigned long buf_fx = 0;
> > - int onsigstack = on_sig_stack(sp);
> > + bool already_onsigstack = on_sig_stack(sp);
> > + bool entering_altstack = false;
> > int ret;
> >
> > /* redzone */
> > @@ -246,15 +247,25 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
> >
> > /* This is the X/Open sanctioned signal stack switching. */
> > if (ka->sa.sa_flags & SA_ONSTACK) {
> > - if (sas_ss_flags(sp) == 0)
> > + /*
> > + * This checks already_onsigstack via sas_ss_flags().
> > + * Sensible programs use SS_AUTODISARM, which disables
> > + * that check, and programs that don't use
> > + * SS_AUTODISARM get compatible but potentially
> > + * bizarre behavior.
> > + */
> > + if (sas_ss_flags(sp) == 0) {
> > sp = current->sas_ss_sp + current->sas_ss_size;
> > + entering_altstack = true;
> > + }
> > } else if (IS_ENABLED(CONFIG_X86_32) &&
> > - !onsigstack &&
> > + !already_onsigstack &&
> > regs->ss != __USER_DS &&
> > !(ka->sa.sa_flags & SA_RESTORER) &&
> > ka->sa.sa_restorer) {
> > /* This is the legacy signal stack switching. */
> > sp = (unsigned long) ka->sa.sa_restorer;
> > + entering_altstack = true;
> > }
>
> What a mess this whole signal handling is. I need a course in signal
> handling to understand what's going on here...
>
> >
> > sp = fpu__alloc_mathframe(sp, IS_ENABLED(CONFIG_X86_32),
> > @@ -267,8 +278,16 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
> > * If we are on the alternate signal stack and would overflow it, don't.
> > * Return an always-bogus address instead so we will die with SIGSEGV.
> > */
> > - if (onsigstack && !likely(on_sig_stack(sp)))
> > + if (unlikely(entering_altstack &&
> > + (sp <= current->sas_ss_sp ||
> > + sp - current->sas_ss_sp > current->sas_ss_size))) {
>
> You could've simply done
>
> if (unlikely(entering_altstack && !on_sig_stack(sp)))
>
> here.
Nope. on_sig_stack() is a horrible kludge and won't work here. We
could have something like __on_sig_stack() or sp_is_on_sig_stack() or
something, though.
>
>
> > + if (show_unhandled_signals && printk_ratelimit()) {
> > + pr_info("%s[%d] overflowed sigaltstack",
> > + tsk->comm, task_pid_nr(tsk));
> > + }
>
> Why do you even wanna issue that? It looks like callers will propagate
> an error value up and people don't look at dmesg all the time.
I figure that the people whose programs spontaneously crash should get
a hint why if they look at dmesg. Maybe the message should say
"overflowed sigaltstack -- try noavx512"?
We really ought to have a SIGSIGFAIL signal that's sent, double-fault
style, when we fail to send a signal.
I forgot to mention why I cc'd all you fine Xen folk:
On Thu, Mar 25, 2021 at 11:13 AM Andy Lutomirski <[email protected]> wrote:
>
> > } else if (IS_ENABLED(CONFIG_X86_32) &&
> > !onsigstack &&
> > regs->ss != __USER_DS &&
This bit here seems really dubious on Xen PV. Honestly it seems
dubious everywhere, but especially on Xen PV.
--Andy
On Thu, Mar 25, 2021 at 09:56:53PM -0700, Andy Lutomirski wrote:
> Nope. on_sig_stack() is a horrible kludge and won't work here. We
> could have something like __on_sig_stack() or sp_is_on_sig_stack() or
> something, though.
Yeah, see my other reply. Ack to either of those carved out helpers.
> I figure that the people whose programs spontaneously crash should get
> a hint why if they look at dmesg. Maybe the message should say
> "overflowed sigaltstack -- try noavx512"?
I guess, as long as it is ratelimited. I mean, we can remove it later if
it starts gettin' annoying.
> We really ought to have a SIGSIGFAIL signal that's sent, double-fault
> style, when we fail to send a signal.
Yeap, we should be able to tell userspace that we couldn't send a
signal, hohumm.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
On Mar 26, 2021, at 03:30, Borislav Petkov <[email protected]> wrote:
> On Thu, Mar 25, 2021 at 09:56:53PM -0700, Andy Lutomirski wrote:
>> We really ought to have a SIGSIGFAIL signal that's sent, double-fault
>> style, when we fail to send a signal.
>
> Yeap, we should be able to tell userspace that we couldn't send a
> signal, hohumm.
Hi Boris,
Let me clarify some details as preparing to include this in a revision.
So, IIUC, a number needs to be assigned for this new SIGFAIL. At a glance, not
sure which one to pick there in signal.h -- 1-31 fully occupied and the rest
for 33 different real-time signals.
Also, perhaps, force_sig(SIGFAIL) here, instead of return -1 -- to die with
SIGSEGV.
Thanks,
Chang
On Mon, Apr 12, 2021 at 10:30:23PM +0000, Bae, Chang Seok wrote:
> On Mar 26, 2021, at 03:30, Borislav Petkov <[email protected]> wrote:
> > On Thu, Mar 25, 2021 at 09:56:53PM -0700, Andy Lutomirski wrote:
> >> We really ought to have a SIGSIGFAIL signal that's sent, double-fault
> >> style, when we fail to send a signal.
> >
> > Yeap, we should be able to tell userspace that we couldn't send a
> > signal, hohumm.
>
> Hi Boris,
>
> Let me clarify some details as preparing to include this in a revision.
>
> So, IIUC, a number needs to be assigned for this new SIGFAIL. At a glance, not
> sure which one to pick there in signal.h -- 1-31 fully occupied and the rest
> for 33 different real-time signals.
>
> Also, perhaps, force_sig(SIGFAIL) here, instead of return -1 -- to die with
> SIGSEGV.
I think this needs to be decided together with userspace people so that
they can act accordingly and whether it even makes sense to them.
Florian, any suggestions?
Subthread starts here:
https://lkml.kernel.org/r/CALCETrXQZuvJQrHDMst6PPgtJxaS_sPk2JhwMiMDNPunq45YFg@mail.gmail.com
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
* Borislav Petkov:
> On Mon, Apr 12, 2021 at 10:30:23PM +0000, Bae, Chang Seok wrote:
>> On Mar 26, 2021, at 03:30, Borislav Petkov <[email protected]> wrote:
>> > On Thu, Mar 25, 2021 at 09:56:53PM -0700, Andy Lutomirski wrote:
>> >> We really ought to have a SIGSIGFAIL signal that's sent, double-fault
>> >> style, when we fail to send a signal.
>> >
>> > Yeap, we should be able to tell userspace that we couldn't send a
>> > signal, hohumm.
>>
>> Hi Boris,
>>
>> Let me clarify some details as preparing to include this in a revision.
>>
>> So, IIUC, a number needs to be assigned for this new SIGFAIL. At a glance, not
>> sure which one to pick there in signal.h -- 1-31 fully occupied and the rest
>> for 33 different real-time signals.
>>
>> Also, perhaps, force_sig(SIGFAIL) here, instead of return -1 -- to die with
>> SIGSEGV.
>
> I think this needs to be decided together with userspace people so that
> they can act accordingly and whether it even makes sense to them.
>
> Florian, any suggestions?
Is this discussion about better behavior (at least diagnostics) for
existing applications, without any code changes? Or an alternative
programming model?
Does noavx512 acutally reduce the XSAVE size to AVX2 levels? Or would
you need noxsave?
One possibility is that the sigaltstack size check prevents application
from running which work just fine today because all they do is install a
stack overflow handler, and stack overflow does not actually happen. So
if sigaltstack fails and the application checks the result of the system
call, it probably won't run at all. Shifting the diagnostic to the
pointer where the signal would have to be delivered is perhaps the only
thing that can be done.
As for SIGFAIL in particular, I don't think there are any leftover
signal numbers. It would need a prctl to assign the signal number, and
I'm not sure if there is a useful programming model because signals do
not really compose well even today. SIGFAIL adds another point where
libraries need to collaborate, and we do not have a mechanism for that.
(This is about what Rich Felker termed “library-safe code”, proper
maintenance of process-wide resources such as the current directory.)
Thanks,
Florian
On Wed, Apr 14, 2021 at 01:30:43PM +0200, Florian Weimer wrote:
> Is this discussion about better behavior (at least diagnostics) for
> existing applications, without any code changes? Or an alternative
> programming model?
Former.
> Does noavx512 acutally reduce the XSAVE size to AVX2 levels?
Yeah.
> Or would you need noxsave?
I don't think so.
> One possibility is that the sigaltstack size check prevents application
> from running which work just fine today because all they do is install a
> stack overflow handler, and stack overflow does not actually happen.
So sigaltstack(2) says in the NOTES:
Functions called from a signal handler executing on an alternate signal stack
will also use the alternate signal stack. (This also applies to any handlers
invoked for other signals while the process is executing on the alternate signal
stack.) Unlike the standard stack, the system does not automatically extend the
alternate signal stack. Exceeding the allocated size of the alternate signal
stack will lead to unpredictable results.
> So if sigaltstack fails and the application checks the result of the
> system call, it probably won't run at all. Shifting the diagnostic to
> the pointer where the signal would have to be delivered is perhaps the
> only thing that can be done.
So using the example from the same manpage:
The most common usage of an alternate signal stack is to handle the SIGSEGV sig‐
nal that is generated if the space available for the normal process stack is ex‐
hausted: in this case, a signal handler for SIGSEGV cannot be invoked on the
process stack; if we wish to handle it, we must use an alternate signal stack.
and considering these "unpredictable results" would it make sense or
even be at all possible to return SIGFAIL from that SIGSEGV signal
handler which should run on the sigaltstack but that sigaltstack
overflows?
I think we wanna be able to tell the process through that previously
registered SIGSEGV handler which is supposed to run on the sigaltstack,
that that stack got overflowed.
Or is this use case obsolete and this is not what people do at all?
> As for SIGFAIL in particular, I don't think there are any leftover
> signal numbers. It would need a prctl to assign the signal number, and
> I'm not sure if there is a useful programming model because signals do
> not really compose well even today. SIGFAIL adds another point where
> libraries need to collaborate, and we do not have a mechanism for that.
> (This is about what Rich Felker termed “library-safe code”, proper
> maintenance of process-wide resources such as the current directory.)
Oh fun.
I guess if Linux goes and does something, people would adopt it and
it'll become standard. :-P
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
* Borislav Petkov:
>> One possibility is that the sigaltstack size check prevents application
>> from running which work just fine today because all they do is install a
>> stack overflow handler, and stack overflow does not actually happen.
>
> So sigaltstack(2) says in the NOTES:
>
> Functions called from a signal handler executing on an alternate signal stack
> will also use the alternate signal stack. (This also applies to any handlers
> invoked for other signals while the process is executing on the alternate signal
> stack.) Unlike the standard stack, the system does not automatically extend the
> alternate signal stack. Exceeding the allocated size of the alternate signal
> stack will lead to unpredictable results.
>
>> So if sigaltstack fails and the application checks the result of the
>> system call, it probably won't run at all. Shifting the diagnostic to
>> the pointer where the signal would have to be delivered is perhaps the
>> only thing that can be done.
>
> So using the example from the same manpage:
>
> The most common usage of an alternate signal stack is to handle the SIGSEGV sig‐
> nal that is generated if the space available for the normal process stack is ex‐
> hausted: in this case, a signal handler for SIGSEGV cannot be invoked on the
> process stack; if we wish to handle it, we must use an alternate signal stack.
>
> and considering these "unpredictable results" would it make sense or
> even be at all possible to return SIGFAIL from that SIGSEGV signal
> handler which should run on the sigaltstack but that sigaltstack
> overflows?
>
> I think we wanna be able to tell the process through that previously
> registered SIGSEGV handler which is supposed to run on the sigaltstack,
> that that stack got overflowed.
Just to be clear, I'm worried about the case where an application
installs a stack overflow handler, but stack overflow does not regularly
happen at run time. GNU m4 is an example. Today, for most m4 scripts,
it's totally fine to have an alternative signal stack which is too
small. If the kernel returned an error for the sigaltstack call, m4
wouldn't start anymore, independently of the script. Which is worse
than memory corruption with some scripts, I think.
> Or is this use case obsolete and this is not what people do at all?
It's widely used in currently-maintained software. It's the only way to
recover from stack overflows without boundary checks on every function
call.
Does the alternative signal stack actually have to contain the siginfo_t
data? I don't think it has to be contiguous. Maybe the kernel could
allocate and map something behind the processes back if the sigaltstack
region is too small?
And for the stack overflow handler, the kernel could treat SIGSEGV with
a sigaltstack region that is too small like the SIG_DFL handler. This
would make m4 work again.
Thanks,
Florian
On Mon, May 03, 2021 at 07:30:21AM +0200, Florian Weimer wrote:
> Just to be clear, I'm worried about the case where an application
> installs a stack overflow handler, but stack overflow does not regularly
> happen at run time. GNU m4 is an example. Today, for most m4 scripts,
> it's totally fine to have an alternative signal stack which is too
> small. If the kernel returned an error for the sigaltstack call, m4
> wouldn't start anymore, independently of the script. Which is worse
> than memory corruption with some scripts, I think.
Oh lovely.
>
> > Or is this use case obsolete and this is not what people do at all?
>
> It's widely used in currently-maintained software. It's the only way to
> recover from stack overflows without boundary checks on every function
> call.
>
> Does the alternative signal stack actually have to contain the siginfo_t
> data? I don't think it has to be contiguous. Maybe the kernel could
> allocate and map something behind the processes back if the sigaltstack
> region is too small?
So there's an attempt floating around to address this:
https://lkml.kernel.org/r/[email protected]
esp patch 3.
I'd appreciate having a look and sanity-checking this whether it makes
sense and could be useful this way...
> And for the stack overflow handler, the kernel could treat SIGSEGV with
> a sigaltstack region that is too small like the SIG_DFL handler. This
> would make m4 work again.
/me searches a bit about SIG_DFL...
Do you mean that the default action in this case should be what SIGSEGV
does by default - to dump core?
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette