Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752566AbdGDKvh (ORCPT ); Tue, 4 Jul 2017 06:51:37 -0400 Received: from mx2.suse.de ([195.135.220.15]:45044 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752531AbdGDKvf (ORCPT ); Tue, 4 Jul 2017 06:51:35 -0400 Date: Tue, 4 Jul 2017 12:51:25 +0200 From: Michal Hocko To: Linus Torvalds Cc: Ben Hutchings , Hugh Dickins , Willy Tarreau , Oleg Nesterov , "Jason A. Donenfeld" , Rik van Riel , Larry Woodman , "Kirill A. Shutemov" , Tony Luck , "James E.J. Bottomley" , Helge Diller , James Hogan , Laura Abbott , Greg KH , "security@kernel.org" , linux-distros@vs.openwall.org, Qualys Security Advisory , LKML Subject: Re: [PATCH] mm: larger stack guard gap, between vmas Message-ID: <20170704105125.GI14722@dhcp22.suse.cz> References: <20170619142358.GA32654@1wt.eu> <1498009101.2655.6.camel@decadent.org.uk> <20170621092419.GA22051@dhcp22.suse.cz> <1498042057.2655.8.camel@decadent.org.uk> <1499126133.2707.20.camel@decadent.org.uk> <20170704084122.GC14722@dhcp22.suse.cz> <20170704093538.GF14722@dhcp22.suse.cz> <20170704104652.GH14722@dhcp22.suse.cz> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="BOKacYhQ+x31HxR3" Content-Disposition: inline In-Reply-To: <20170704104652.GH14722@dhcp22.suse.cz> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2852 Lines: 119 --BOKacYhQ+x31HxR3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue 04-07-17 12:46:52, Michal Hocko wrote: [...] > Tested with the attached program. Err, attached now for real. 
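-- Michal Hocko SUSE Labs --BOKacYhQ+x31HxR3 Content-Type: text/x-csrc; charset=us-ascii Content-Disposition: attachment; filename="stack_crash.c"
/*
 * stack_crash.c - reproducer for the stack guard gap.
 *
 * Places one PROT_NONE page `gap` bytes away from the current stack and then
 * recurses without bound.  The stack either collides with that page or stops
 * at the guard gap in front of it; the SIGSEGV/SIGBUS handler reports how far
 * the faulting address is from the mapping and dumps the [stack] region of
 * /proc/<pid>/smaps so the gap can be read off.
 *
 * NOTE(review): the list archive stripped the header names from the
 * attachment's #include lines; the list below is reconstructed from the
 * functions this file calls and may differ from the original attachment.
 */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <alloca.h>
#include <sys/mman.h>
#include <sys/resource.h>

#define PAGE_SIZE sysconf(_SC_PAGESIZE)
#define PAGE_MASK (~(PAGE_SIZE-1))
#define GAP (20UL<<20)
#define SIGNAL_STACK_SIZE (1UL<<20)
#define MAPING_PROT PROT_NONE
#define MAPPED_LEN PAGE_SIZE

/* Page-aligned start of the PROT_NONE page placed `gap` bytes from the stack. */
static unsigned long mapped_addr;

/*
 * Grow the stack until something stops it.  alloca() keeps the compiler from
 * turning the self-call into a loop; touching the allocation keeps it from
 * being dropped as unused.
 */
void recurse(void)
{
	volatile char *ptr = alloca(10);

	ptr[0] = 0;
	recurse();
}

/*
 * SIGSEGV/SIGBUS handler: print the faulting address, its page-aligned value,
 * the mapped page and the distance between the two, dump the [stack] entry of
 * smaps, then abort.
 *
 * printf()/snprintf()/system() are not async-signal-safe; tolerated here only
 * because the process is dying anyway and the handler runs on the alternate
 * stack set up in main().
 */
void segv_handler(int sig, siginfo_t *info, void *data)
{
	unsigned long addr = (unsigned long)info->si_addr;
	unsigned long mmap_end = mapped_addr + MAPPED_LEN;
	unsigned long diff;
	char cmd[128];

	(void)sig;
	(void)data;
#ifndef CONFIG_STACK_GROWSUP
	/* Stack grows down: the mapping lies below it, measure from its end. */
	diff = addr - mmap_end;
#else
	/* Stack grows up: the mapping lies above it, measure to its start.
	 * (The original read `mmap_addr` here, which is not a declared name.) */
	diff = mapped_addr - addr;
#endif
	printf("address:0x%lx aligned:0x%lx mapped:[%lx,%lx] diff:%ld\n",
	       addr, addr & PAGE_MASK, mapped_addr, mapped_addr+PAGE_SIZE, (long)diff);
	/* Only our own pid is interpolated into the shell command; reading
	 * /proc/self/smaps directly would avoid the shell altogether. */
	snprintf(cmd, sizeof(cmd), "cat /proc/%d/smaps | grep -A5 -B21 -A20 '\\[stack\\]'", getpid());
	system(cmd);
	abort();
}

/*
 * Usage: stack_crash [gap]
 *
 * `gap` (default GAP) is the distance in bytes between the current stack
 * position and the PROT_NONE page; parsed with base 0 so hex is accepted.
 * Returns 1 on any setup failure; never returns normally otherwise.
 */
int main(int argc, char **argv)
{
	void *addr;
	stack_t signal_stack;
	struct sigaction segv_sig = {
		.sa_sigaction = segv_handler,
		.sa_flags = SA_ONSTACK|SA_SIGINFO
	};
	int stack_top;
	unsigned long mmap_gap = GAP;
	/* Let the stack grow well past the gap so RLIMIT_STACK is not what stops it. */
	struct rlimit rlim = {.rlim_cur = 2*GAP, .rlim_max = RLIM_INFINITY};
	unsigned long stack_addr = (unsigned long)&stack_top;

	if (argc > 1) {
		char *endptr;

		errno = 0;
		mmap_gap = strtoul(argv[1], &endptr, 0);
		/* Reject empty input, trailing junk and out-of-range values. */
		if (endptr == argv[1] || *endptr || errno == ERANGE) {
			fprintf(stderr, "Unrecognized mmap gap %s\n", argv[1]);
			return 1;
		}
	}

#ifndef CONFIG_STACK_GROWSUP
	mapped_addr = stack_addr-mmap_gap;
#else
	mapped_addr = stack_addr+mmap_gap;
#endif
	mapped_addr &= PAGE_MASK;

	/* MAP_FIXED is intentional: the page must land exactly `gap` away from
	 * the stack.  It silently replaces anything already mapped there. */
	addr = mmap((void *)mapped_addr, MAPPED_LEN, MAPING_PROT,
		    MAP_ANON|MAP_PRIVATE|MAP_FIXED, -1, 0);
	if (addr == MAP_FAILED) {
		perror("mmap:");
		return 1;
	}
	printf("Stack top:0x%lx mmap:0x%lx\n", stack_addr, mapped_addr);

	/* Make sure that our SEGV handler will have a stack to run on */
	signal_stack.ss_sp = malloc(SIGNAL_STACK_SIZE);
	if (!signal_stack.ss_sp) {
		perror("alternate stack allocation");
		return 1;
	}
	signal_stack.ss_size = SIGNAL_STACK_SIZE;
	signal_stack.ss_flags = 0;
	if (sigaltstack(&signal_stack, NULL) == -1) {
		perror("sigaltstack");
		return 1;
	}
	/* Without the handler the crash still happens but nothing is reported. */
	if (sigaction(SIGSEGV, &segv_sig, NULL) == -1 ||
	    sigaction(SIGBUS, &segv_sig, NULL) == -1) {
		perror("sigaction");
		return 1;
	}
	/* Raising the hard limit needs privilege; with a limit below `gap` the
	 * stack hits RLIMIT_STACK before the mapping, so say so rather than
	 * fail silently. */
	if (setrlimit(RLIMIT_STACK, &rlim) == -1) {
		perror("setrlimit (continuing with the current RLIMIT_STACK)");
	}

	recurse();

	/* Should never return */
	return 1;
}
--BOKacYhQ+x31HxR3--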