Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752651AbdGEXv0 (ORCPT <rfc822;w@1wt.eu>);
        Wed, 5 Jul 2017 19:51:26 -0400
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:60486 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1752307AbdGEXvY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 5 Jul 2017 19:51:24 -0400
Message-ID: <1499298642.2707.59.camel@decadent.org.uk>
Subject: Re: [PATCH] mm: larger stack guard gap, between vmas
From: Ben Hutchings <ben@decadent.org.uk>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Andy Lutomirski <luto@kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Michal Hocko <mhocko@kernel.org>, Willy Tarreau <w@1wt.eu>,
        Hugh Dickins <hughd@google.com>, Oleg Nesterov <oleg@redhat.com>,
        "Jason A. Donenfeld" <Jason@zx2c4.com>, Rik van Riel <riel@redhat.com>,
        Larry Woodman <lwoodman@redhat.com>,
        "Kirill A. Shutemov" <kirill@shutemov.name>,
        Tony Luck <tony.luck@intel.com>,
        "James E.J. Bottomley" <jejb@parisc-linux.org>,
        Helge Diller <deller@gmx.de>, James Hogan <james.hogan@imgtec.com>,
        Laura Abbott <labbott@redhat.com>, Greg KH <greg@kroah.com>,
        "security@kernel.org" <security@kernel.org>,
        Qualys Security Advisory <qsa@qualys.com>,
        LKML <linux-kernel@vger.kernel.org>, Ximin Luo <infinity0@debian.org>
Date: Thu, 06 Jul 2017 00:50:42 +0100
In-Reply-To: <D57F8BB2-D669-43E3-AF99-BDFD506D8AC7@amacapital.net>
References: <1499126133.2707.20.camel@decadent.org.uk>
         <CA+55aFzMX72+Kb=zNgjCf6UfPt+C+e7WDp_rpbSLuOVx1k7iqg@mail.gmail.com>
         <20170704084122.GC14722@dhcp22.suse.cz>
         <20170704093538.GF14722@dhcp22.suse.cz> <20170704094728.GB22013@1wt.eu>
         <20170704104211.GG14722@dhcp22.suse.cz>
         <20170704113611.GA4732@decadent.org.uk>
         <1499209315.2707.29.camel@decadent.org.uk>
         <CA+55aFzjibuaV=GBZQN8KOaCpf1P3B1abJCYGaxEM9RVpf9fXg@mail.gmail.com>
         <1499257180.2707.34.camel@decadent.org.uk>
         <20170705142354.GB21220@dhcp22.suse.cz>
         <CALCETrW5P8ZhuOJ4bL0x+hx52RdFkG4_x0qAQofrdBi2JavxmA@mail.gmail.com>
         <CA+55aFwn3bbfxXMTafQVXz0nx5hWTUzQFdaqOFvJSY96Muc3VA@mail.gmail.com>
         <CALCETrUMsnV=jWJBtFxfJPdnoszLvkXwT8NuaQnOQOoUOpVjCw@mail.gmail.com>
         <1499283163.2707.52.camel@decadent.org.uk>
         <D57F8BB2-D669-43E3-AF99-BDFD506D8AC7@amacapital.net>
Content-Type: multipart/signed; micalg="pgp-sha512";
        protocol="application/pgp-signature"; boundary="=-EX2syD0hQMDU3dXvk4VN"
X-Mailer: Evolution 3.22.6-1 
Mime-Version: 1.0
X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2708
Lines: 67


--=-EX2syD0hQMDU3dXvk4VN
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Wed, 2017-07-05 at 13:53 -0700, Andy Lutomirski wrote:
> On Jul 5, 2017, at 12:32 PM, Ben Hutchings <ben@decadent.org.uk> wrote:
> > On Wed, 2017-07-05 at 10:23 -0700, Andy Lutomirski wrote:
[...]
> > > =C2=A0- As a hardening feature, if the stack would expand within 64k =
or
> > > whatever of a non-MAP_FIXED mapping, refuse to expand it.=C2=A0=C2=A0=
(This might
> > > have to be a non-hinted mapping, not just a non-MAP_FIXED mapping.)
> > > The idea being that, if you deliberately place a mapping under the
> > > stack, you know what you're doing.=C2=A0=C2=A0If you're like LibreOff=
ice and do
> > > something daft and are thus exploitable, you're on your own.
> > > =C2=A0- As a hardening measure, don't let mmap without MAP_FIXED posi=
tion
> > > something within 64k or whatever of the bottom of the stack unless a
> > > MAP_FIXED mapping is between them.
> >=20
> > Having tested patches along these lines, I think the above would avoid
> > the reported regressions.
> >=20
>=20
> FWIW, even this last part may be problematic.=C2=A0=C2=A0It'll break anyt=
hing
> that tries to allocate many small MAP_GROWSDOWN stacks on 32-
> bit.=C2=A0=C2=A0Hopefully nothing does this, but maybe Java does.

glibc (NPTL) does not.  Java (at least Hotspot in OpenJDK 6,7, 8) does
not.  LinuxThreads *does* and is used by uclibc.  dietlibc *does*.  I
would be surprised if either was used for applications with very many
threads, but then this issue has thrown up a lot of surprises.

Ben.

--=20
Ben Hutchings
Man invented language to satisfy his deep need to complain. - Lily
Tomlin


--=-EX2syD0hQMDU3dXvk4VN
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAllde1IACgkQ57/I7JWG
EQmuIxAAwYkkW+1fAVZuqdqFZXERgyYOLG6Ymxr087gEG5tS4pF7jJUNYJ3GdxUe
BPosSX16vOtvJf4JTQHxH6l1QIzhz2clYzymdHZoySeQydlkeVLXeJApkeDjOeX5
ASkOJMxYNXJRDcc65/VONjltJt8XOQgT3b4OU5fnLE1Rdxa8nx8P+Z2+JZbqnSrk
Wu0FTFDDEOaa96uPDn3qRrbnXVd/gykhNkJ46pH6V2YtEqkIX+I8NrF9gQJE++b9
LoUiSEEP9VM/U+oZSOXpD9Dvy3agmLXQ0xKh77UdBTVFc5SCHXPYHWl4diAVl+84
lMR996urM8Mg7wauej0HQbHXjuq3gMJYlhzk6zR75OmgkAkSVd4D71qN5KdoQaxV
GP7g57gG53hiduZ/+s0qSJm3YuF4PjZ4IC4u5HXiSBQD4rsSr59nVeaOuJcKAXWr
SstijaiSahiAGYr9hc59tWuRj21i1A1shj+JNLFJhrbUq1PObwg++CTBc+EYQ/FQ
uVnCRM2Na8ABjt/h12JvpIahV7VSBrTZyBcMp1K2moqJzF+S9Pg27ucGf/sAADMK
NpVc1yQbAbP26C2EcFsGRuiEFNW+H+azhsXXfD376apmKvJzuKpWquBiP7SHIbsg
7VE0xrVxC2qpOZ72/EtIRSVuMWWGtGau/eBlG3LuvUlDZNSQEGc=
=g1gc
-----END PGP SIGNATURE-----

--=-EX2syD0hQMDU3dXvk4VN--