Subject: Re: [PATCH] mm: larger stack guard gap, between vmas
From: Ben Hutchings
To: Linus Torvalds
Cc: Michal Hocko, Willy Tarreau, Hugh Dickins, Oleg Nesterov, "Jason A. Donenfeld", Rik van Riel, Larry Woodman, "Kirill A. Shutemov", Tony Luck, "James E.J. Bottomley", Helge Diller, James Hogan, Laura Abbott, Greg KH, "security@kernel.org", linux-distros@vs.openwall.org, Qualys Security Advisory, LKML, Ximin Luo
Date: Wed, 05 Jul 2017 13:19:40 +0100
Message-ID: <1499257180.2707.34.camel@decadent.org.uk>
List: linux-kernel@vger.kernel.org

On Tue, 2017-07-04 at 16:31 -0700, Linus Torvalds wrote:
> On Tue, Jul 4, 2017 at 4:01 PM, Ben Hutchings wrote:
> > 
> > We have:
> > 
> > bottom = 0xff803fff
> > sp =     0xffffb178
> > 
> > The relevant mappings are:
> > 
> > ff7fc000-ff7fd000 rwxp 00000000 00:00 0
> > fffdd000-ffffe000 rw-p 00000000 00:00 0                          [stack]
> 
> Ugh. So that stack is actually 8MB in size, but the alloca() is about
> to use up almost all of it, and there's only about 28kB left between
> "bottom" and that 'rwx' mapping.
> 
> Still, that rwx mapping is interesting: it is a single page, and it
> really is almost exactly 8MB below the stack.
> 
> In fact, the top of stack (at 0xffffe000) is *exactly* 8MB+4kB from
> the top of that odd one-page allocation (0xff7fd000).
> 
> Can you find out where that is allocated? Perhaps a breakpoint on
> mmap, with a condition to catch that particular one?
[...]

Found it, and it's now clear why only i386 is affected:

http://hg.openjdk.java.net/jdk8/jdk8/hotspot/file/tip/src/os/linux/vm/os_linux.cpp#l4852
http://hg.openjdk.java.net/jdk8/jdk8/hotspot/file/tip/src/os_cpu/linux_x86/vm/os_linux_x86.cpp#l881

Ben.

-- 
Ben Hutchings
Anthony's Law of Force: Don't force it, get a larger hammer.
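The distance check Linus does by hand in the quoted text (top of stack minus top of the one-page rwx mapping), as an added example that is not code from this thread, from the kernel patch, or from OpenJDK: a small C program that parses text in /proc/<pid>/maps format, finds the [stack] VMA, measures how far its bottom is from the nearest mapping below it, and asks whether that mapping sits inside the region the stack still needs in order to grow to its rlimit. The two sample maps lines are the ones quoted in the mail; the 8 MB stack rlimit and the two guard-gap sizes compared (one 4 KiB page for the old guard page, 256 pages for the larger gap this patch series moves to) are assumptions passed in as parameters, not values stated on this page.

```c
/* Added example (not code from the thread, the patch, or OpenJDK):
 * how much room does the main stack have before it meets the next
 * mapping, and would a given guard gap let it reach its rlimit at all? */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VMAS 2048

struct vma {
    unsigned long long start, end;  /* [start, end) */
    char perms[5];
    char name[256];                 /* pathname or [stack]-style tag, "" if none */
};

struct stack_room {
    unsigned long long stack_start, stack_end;
    unsigned long long below_end;   /* end of nearest mapping below the stack, 0 if none */
    unsigned long long headroom;    /* stack_start - below_end */
};

/* Constructed sample: the two mappings quoted from the i386 trace in the mail. */
static const char sample_maps[] =
    "ff7fc000-ff7fd000 rwxp 00000000 00:00 0\n"
    "fffdd000-ffffe000 rw-p 00000000 00:00 0                          [stack]\n";

/* Parse /proc/<pid>/maps-format text into out[]; returns the number parsed. */
static int parse_maps(const char *text, struct vma *out, int max)
{
    int n = 0;
    const char *line = text;

    while (*line && n < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512], offset[32], dev[32], inode[32];
        struct vma *v = &out[n];

        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        v->name[0] = '\0';
        /* fields: start-end perms offset dev inode [pathname] */
        if (sscanf(buf, "%llx-%llx %4s %31s %31s %31s %255s", &v->start,
                   &v->end, v->perms, offset, dev, inode, v->name) >= 6)
            n++;
        if (!nl)
            break;
        line = nl + 1;
    }
    return n;
}

/* Fill r from maps text. Returns 0 on success, -1 if there is no [stack] VMA. */
static int stack_room(const char *maps_text, struct stack_room *r)
{
    static struct vma v[MAX_VMAS];
    int n = parse_maps(maps_text, v, MAX_VMAS), i, stack = -1;

    for (i = 0; i < n; i++)
        if (strcmp(v[i].name, "[stack]") == 0) { stack = i; break; }
    if (stack < 0)
        return -1;
    r->stack_start = v[stack].start;
    r->stack_end = v[stack].end;
    r->below_end = 0;
    /* highest mapping end that is at or below the bottom of the stack */
    for (i = 0; i < n; i++)
        if (v[i].end <= r->stack_start && v[i].end > r->below_end)
            r->below_end = v[i].end;
    r->headroom = r->stack_start - r->below_end;
    return 0;
}

/* The mapping ending at below_end is in the way if it lies inside the
 * rlimit bytes of stack plus guard_gap bytes the kernel keeps free below it. */
static int stack_growth_obstructed(unsigned long long stack_end,
                                   unsigned long long below_end,
                                   unsigned long long rlimit,
                                   unsigned long long guard_gap)
{
    return stack_end - below_end < rlimit + guard_gap;
}

int main(void)
{
    struct stack_room r;
    const unsigned long long rlimit = 8ULL << 20;     /* assumed 8 MB default */
    const unsigned long long old_gap = 4096;          /* assumed: one guard page */
    const unsigned long long new_gap = 256ULL << 12;  /* assumed: 256-page gap */
    FILE *f;

    if (stack_room(sample_maps, &r) == 0) {
        printf("sample: stack %llx-%llx, mapping below ends %llx, headroom %llu\n",
               r.stack_start, r.stack_end, r.below_end, r.headroom);
        printf("  obstructed with 1-page gap: %d, with 256-page gap: %d\n",
               stack_growth_obstructed(r.stack_end, r.below_end, rlimit, old_gap),
               stack_growth_obstructed(r.stack_end, r.below_end, rlimit, new_gap));
    }
    /* Same check on the running process (Linux only; silently skipped elsewhere). */
    if ((f = fopen("/proc/self/maps", "r")) != NULL) {
        static char buf[1 << 20];
        size_t got = fread(buf, 1, sizeof buf - 1, f);
        buf[got] = '\0';
        fclose(f);
        if (stack_room(buf, &r) == 0)
            printf("self: headroom below [stack] is %llu bytes\n", r.headroom);
    }
    return 0;
}
```

On the quoted mappings the stack top sits exactly 8 MB + 4 KiB above the rwx page, so with a single guard page the stack can still grow to a full 8 MB, while with a 256-page gap the same page is already inside the reserved region; that is the difference the two stack_growth_obstructed calls print.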