Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752566AbdGDKvh (ORCPT <rfc822;w@1wt.eu>);
        Tue, 4 Jul 2017 06:51:37 -0400
Received: from mx2.suse.de ([195.135.220.15]:45044 "EHLO mx1.suse.de"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1752531AbdGDKvf (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 4 Jul 2017 06:51:35 -0400
Date: Tue, 4 Jul 2017 12:51:25 +0200
From: Michal Hocko <mhocko@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ben Hutchings <ben@decadent.org.uk>, Hugh Dickins <hughd@google.com>,
        Willy Tarreau <w@1wt.eu>, Oleg Nesterov <oleg@redhat.com>,
        "Jason A. Donenfeld" <Jason@zx2c4.com>, Rik van Riel <riel@redhat.com>,
        Larry Woodman <lwoodman@redhat.com>,
        "Kirill A. Shutemov" <kirill@shutemov.name>,
        Tony Luck <tony.luck@intel.com>,
        "James E.J. Bottomley" <jejb@parisc-linux.org>,
        Helge Diller <deller@gmx.de>, James Hogan <james.hogan@imgtec.com>,
        Laura Abbott <labbott@redhat.com>, Greg KH <greg@kroah.com>,
        "security@kernel.org" <security@kernel.org>,
        linux-distros@vs.openwall.org,
        Qualys Security Advisory <qsa@qualys.com>,
        LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] mm: larger stack guard gap, between vmas
Message-ID: <20170704105125.GI14722@dhcp22.suse.cz>
References: <CA+55aFx6j4na3BVRC2aQuf-kNp1jzGahN8To_SFpNu+H=gopJA@mail.gmail.com>
 <20170619142358.GA32654@1wt.eu>
 <1498009101.2655.6.camel@decadent.org.uk>
 <20170621092419.GA22051@dhcp22.suse.cz>
 <1498042057.2655.8.camel@decadent.org.uk>
 <1499126133.2707.20.camel@decadent.org.uk>
 <CA+55aFzMX72+Kb=zNgjCf6UfPt+C+e7WDp_rpbSLuOVx1k7iqg@mail.gmail.com>
 <20170704084122.GC14722@dhcp22.suse.cz>
 <20170704093538.GF14722@dhcp22.suse.cz>
 <20170704104652.GH14722@dhcp22.suse.cz>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOKacYhQ+x31HxR3"
Content-Disposition: inline
In-Reply-To: <20170704104652.GH14722@dhcp22.suse.cz>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2852
Lines: 119


--BOKacYhQ+x31HxR3
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue 04-07-17 12:46:52, Michal Hocko wrote:
[...]
> Tested with the attached program.

Err, attached now for real.
-- 
Michal Hocko
SUSE Labs

--BOKacYhQ+x31HxR3
Content-Type: text/x-csrc; charset=us-ascii
Content-Disposition: attachment; filename="stack_crash.c"

#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/resource.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <alloca.h>
#include <signal.h>
#include <stdlib.h>

#define PAGE_SIZE sysconf(_SC_PAGESIZE)
#define PAGE_MASK (~(PAGE_SIZE-1))
#define GAP (20UL<<20)
#define SIGNAL_STACK_SIZE (1UL<<20)

#define MAPING_PROT PROT_NONE

void recurse(void)
{
	void * ptr = alloca(10);
	recurse();
}

#define MAPPED_LEN PAGE_SIZE
static unsigned long mapped_addr;

void segv_handler(int sig, siginfo_t *info, void *data)
{
	unsigned long addr = (unsigned long)info->si_addr;
	unsigned long mmap_end = mapped_addr + MAPPED_LEN;
	unsigned long diff;
	char cmd[128];

#ifndef CONFIG_STACK_GROWSUP
	diff = addr - mmap_end;
#else
	diff = mmap_addr - addr;
#endif
	printf("address:0x%lx aligned:0x%lx mapped:[%lx,%lx] diff:%ld\n", addr, addr & PAGE_MASK, mapped_addr, mapped_addr+PAGE_SIZE, (long)diff);	
	snprintf(cmd, sizeof(cmd) - 1, "cat /proc/%d/smaps | grep -A5 -B21 -A20 '\\[stack\\]'", getpid());
	system(cmd);
	abort();
}

int main(int argc, char **argv)
{
	void *addr;
	stack_t signal_stack;
	struct sigaction segv_sig = {.sa_sigaction = segv_handler, .sa_flags = SA_ONSTACK|SA_SIGINFO};
	int stack_top;
	unsigned long mmap_gap = GAP;
	struct rlimit rlim = {.rlim_cur = 2*GAP, .rlim_max = RLIM_INFINITY};
	unsigned long stack_addr = (unsigned long)&stack_top;

	if (argc > 1) {
		char *endptr;
		mmap_gap = strtoul(argv[1], &endptr, 0);
		if (*endptr) {
			fprintf(stderr, "Unrecognized mmap gap %s\n", argv[1]);
			return 1;
		}
	}
		
#ifndef CONFIG_STACK_GROWSUP
	mapped_addr = stack_addr-mmap_gap;
#else
	mapped_addr = stack_addr+mmap_gap;
#endif
	mapped_addr &= PAGE_MASK;
	addr = mmap((void *)mapped_addr, MAPPED_LEN,
			MAPING_PROT,
			MAP_ANON|MAP_PRIVATE|MAP_FIXED, -1, 0);
	if (addr == MAP_FAILED) {
		perror("mmap:");
		return 1;
	}
	printf("Stack top:0x%lx mmap:0x%lx\n", stack_addr, mapped_addr);

	/* Make sure that our SEGV handler will have a stack to run on */
	signal_stack.ss_sp = malloc(SIGNAL_STACK_SIZE);
	if (!signal_stack.ss_sp) {
		perror("alternate stack allocation");
		return 1;
	}
	signal_stack.ss_size = SIGNAL_STACK_SIZE;
	signal_stack.ss_flags = 0;
	if (sigaltstack(&signal_stack, NULL) == -1) {
		perror("sigaltstack");
		return 1;
	}
	sigaction(SIGSEGV, &segv_sig, NULL);
	sigaction(SIGBUS, &segv_sig, NULL);

	setrlimit(RLIMIT_STACK, &rlim);
	recurse();
	/* Should never return */
	return 1;
}

--BOKacYhQ+x31HxR3--