Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752783AbdGEMUX (ORCPT <rfc822;w@1wt.eu>);
        Wed, 5 Jul 2017 08:20:23 -0400
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:56600 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1751772AbdGEMUW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 5 Jul 2017 08:20:22 -0400
Message-ID: <1499257180.2707.34.camel@decadent.org.uk>
Subject: Re: [PATCH] mm: larger stack guard gap, between vmas
From: Ben Hutchings <ben@decadent.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michal Hocko <mhocko@kernel.org>, Willy Tarreau <w@1wt.eu>,
        Hugh Dickins <hughd@google.com>, Oleg Nesterov <oleg@redhat.com>,
        "Jason A. Donenfeld" <Jason@zx2c4.com>, Rik van Riel <riel@redhat.com>,
        Larry Woodman <lwoodman@redhat.com>,
        "Kirill A. Shutemov" <kirill@shutemov.name>,
        Tony Luck <tony.luck@intel.com>,
        "James E.J. Bottomley" <jejb@parisc-linux.org>,
        Helge Diller <deller@gmx.de>, James Hogan <james.hogan@imgtec.com>,
        Laura Abbott <labbott@redhat.com>, Greg KH <greg@kroah.com>,
        "security@kernel.org" <security@kernel.org>,
        linux-distros@vs.openwall.org,
        Qualys Security Advisory <qsa@qualys.com>,
        LKML <linux-kernel@vger.kernel.org>, Ximin Luo <infinity0@debian.org>
Date: Wed, 05 Jul 2017 13:19:40 +0100
In-Reply-To: <CA+55aFzjibuaV=GBZQN8KOaCpf1P3B1abJCYGaxEM9RVpf9fXg@mail.gmail.com>
References: <20170619142358.GA32654@1wt.eu>
         <1498009101.2655.6.camel@decadent.org.uk>
         <20170621092419.GA22051@dhcp22.suse.cz>
         <1498042057.2655.8.camel@decadent.org.uk>
         <1499126133.2707.20.camel@decadent.org.uk>
         <CA+55aFzMX72+Kb=zNgjCf6UfPt+C+e7WDp_rpbSLuOVx1k7iqg@mail.gmail.com>
         <20170704084122.GC14722@dhcp22.suse.cz>
         <20170704093538.GF14722@dhcp22.suse.cz> <20170704094728.GB22013@1wt.eu>
         <20170704104211.GG14722@dhcp22.suse.cz>
         <20170704113611.GA4732@decadent.org.uk>
         <1499209315.2707.29.camel@decadent.org.uk>
         <CA+55aFzjibuaV=GBZQN8KOaCpf1P3B1abJCYGaxEM9RVpf9fXg@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512";
        protocol="application/pgp-signature"; boundary="=-WViZ0kOxfZ0leNCrlc6O"
X-Mailer: Evolution 3.22.6-1 
Mime-Version: 1.0
X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2625
Lines: 70


--=-WViZ0kOxfZ0leNCrlc6O
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, 2017-07-04 at 16:31 -0700, Linus Torvalds wrote:
> On Tue, Jul 4, 2017 at 4:01 PM, Ben Hutchings <ben@decadent.org.uk>
> wrote:
> >=20
> > We have:
> >=20
> > bottom =3D 0xff803fff
> > sp =3D=C2=A0=C2=A0=C2=A0=C2=A0=C2=A00xffffb178
> >=20
> > The relevant mappings are:
> >=20
> > ff7fc000-ff7fd000 rwxp 00000000 00:00 0
> > fffdd000-ffffe000 rw-p 00000000 00:00
> > 0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0[stack]
>=20
> Ugh. So that stack is actually 8MB in size, but the alloca() is about
> to use up almost all of it, and there's only about 28kB left between
> "bottom" and that 'rwx' mapping.
>=20
> Still, that rwx mapping is interesting: it is a single page, and it
> really is almost exactly 8MB below the stack.
>=20
> In fact, the top of stack (at 0xffffe000) is *exactly* 8MB+4kB from
> the top of that odd one-page allocation (0xff7fd000).
>=20
> Can you find out where that is allocated? Perhaps a breakpoint on
> mmap, with a condition to catch that particular one?
[...]

Found it, and it's now clear why only i386 is affected:
http://hg.openjdk.java.net/jdk8/jdk8/hotspot/file/tip/src/os/linux/vm/os_li=
nux.cpp#l4852
http://hg.openjdk.java.net/jdk8/jdk8/hotspot/file/tip/src/os_cpu/linux_x86/=
vm/os_linux_x86.cpp#l881

Ben.

--=20
Ben Hutchings
Anthony's Law of Force: Don't force it, get a larger hammer.

--=-WViZ0kOxfZ0leNCrlc6O
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAllc2VwACgkQ57/I7JWG
EQn6xRAAyZZ/A95S5hCQKVxjcxzIH9wothUVYo9uWfN/5vM6eH5aFNsz8JzyoVAC
QnLKkqXAn1Bgc4qo2KoivXl8PPcYEYK75MAPGhfuqFfWZGiJGX7feK2QlzLLHYDg
xACvRi/SurJC3qNDzKmDG4PHyYP4Qu9YUZ/OdxS5pl8CjaCaF0oaDpeUJKbLkiYK
zH/Gx4/zqEuN3nksrjgEVZeNoLbR14K+1M3mAlH3uqxe6AXqP+v3Q7X0GXVKNMa5
CnJlH9K5Rdgh457sacG4UDKTb5n5r+JKGhkGSagd0BU/edKT0ylYEYLsjA9KcEsc
LudkSvxxTqIA77mweX0JNPmP4d2fh4rONRKYEP7WncicAhPXyvjUAQyIWDctQtc/
RB62tyQSWhow/Wf2SnP6PuEBp3iy/XkOHh7YGr5prISY7Ld55CNls2L6P0A2vUnf
hfauoSVk0RBDvhiGs3FaFMoz9yP8TriPDGiois7oiG2smSVN1NTy7TDyBDSxhZ0O
vvKRBwpl5mInZRA7CwvGn2SC9ye6QroFzEfb00rH4ux4dy6vp2Yfc95XrIi24A0d
ckSkdROL3mCntve2CVebOxHgAFYeG2G4pSPKJGZj6iU6q5MapoChEDvRMSq6SQyp
GA6sZMus0VIfTAqIuu0drNijsitPiQHWvUi5clAXvCYjn6L1WB0=
=IOfo
-----END PGP SIGNATURE-----

--=-WViZ0kOxfZ0leNCrlc6O--