Subject: Re: [PATCH] mm: larger stack guard gap, between vmas
From: Ben Hutchings
To: Andy Lutomirski
Cc: Andy Lutomirski, Linus Torvalds, Michal Hocko, Willy Tarreau, Hugh Dickins, Oleg Nesterov, "Jason A. Donenfeld", Rik van Riel, Larry Woodman, "Kirill A. Shutemov", Tony Luck, "James E.J. Bottomley", Helge Diller, James Hogan, Laura Abbott, Greg KH, security@kernel.org, Qualys Security Advisory, LKML, Ximin Luo
Date: Thu, 06 Jul 2017 00:50:42 +0100
Message-ID: <1499298642.2707.59.camel@decadent.org.uk>
References: <1499126133.2707.20.camel@decadent.org.uk> <20170704084122.GC14722@dhcp22.suse.cz> <20170704093538.GF14722@dhcp22.suse.cz> <20170704094728.GB22013@1wt.eu> <20170704104211.GG14722@dhcp22.suse.cz> <20170704113611.GA4732@decadent.org.uk> <1499209315.2707.29.camel@decadent.org.uk> <1499257180.2707.34.camel@decadent.org.uk> <20170705142354.GB21220@dhcp22.suse.cz> <1499283163.2707.52.camel@decadent.org.uk>

On Wed, 2017-07-05 at 13:53 -0700, Andy Lutomirski wrote:
> On Jul 5, 2017, at 12:32 PM, Ben Hutchings wrote:
> > On Wed, 2017-07-05 at 10:23 -0700, Andy Lutomirski wrote:
[...]
> > >  - As a hardening feature, if the stack would expand within 64k or
> > > whatever of a non-MAP_FIXED mapping, refuse to expand it.  (This might
> > > have to be a non-hinted mapping, not just a non-MAP_FIXED mapping.)
> > > The idea being that, if you deliberately place a mapping under the
> > > stack, you know what you're doing.  If you're like LibreOffice and do
> > > something daft and are thus exploitable, you're on your own.
> > >  - As a hardening measure, don't let mmap without MAP_FIXED position
> > > something within 64k or whatever of the bottom of the stack unless a
> > > MAP_FIXED mapping is between them.
> >
> > Having tested patches along these lines, I think the above would avoid
> > the reported regressions.
> >
>
> FWIW, even this last part may be problematic.  It'll break anything
> that tries to allocate many small MAP_GROWSDOWN stacks on 32-bit.
> Hopefully nothing does this, but maybe Java does.

glibc (NPTL) does not.

Java (at least Hotspot in OpenJDK 6, 7, 8) does not.

LinuxThreads *does* and is used by uclibc.

dietlibc *does*.

I would be surprised if either was used for applications with very many
threads, but then this issue has thrown up a lot of surprises.

Ben.

-- 
Ben Hutchings
Man invented language to satisfy his deep need to complain.
                                                - Lily Tomlin
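The proposals quoted above both hinge on one measurable quantity: how much free address space lies between the bottom of a process's stack VMA and the nearest mapping below it. As an added example (not code from this thread or from the kernel), the C program below parses `/proc/<pid>/maps`-format text, locates the `[stack]` line, and reports that gap, so an administrator can check what a running process actually looks like and spot the adjacent-mapping case that the guard gap is meant to prevent. The sample maps text is constructed, the 64k threshold is only the illustrative figure from Andy's message and not the kernel's real default, and the function names (`stack_gap_below`, `gap_meets_threshold`) are this example's own.

```c
/* Added example: measure the gap between the [stack] VMA and the nearest
 * mapping below it from /proc/<pid>/maps text. Not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MAPS 4096
/* Illustrative threshold taken from the "64k or whatever" in the thread;
 * the kernel's actual guard gap is configured separately. */
#define DEMO_GUARD_BYTES (64UL * 1024)

struct mapping { unsigned long start, end; int is_stack; };

/* Parse one "start-end perms offset dev inode [path]" maps line. */
static int parse_maps_line(const char *line, struct mapping *m)
{
    char perms[8], dev[16], path[256];
    unsigned long offset, inode;
    int n = sscanf(line, "%lx-%lx %7s %lx %15s %lu %255[^\n]",
                   &m->start, &m->end, perms, &offset, dev, &inode, path);
    if (n < 6)
        return 0;                      /* not a maps line */
    m->is_stack = (n == 7 && strcmp(path, "[stack]") == 0);
    return 1;
}

/* Split a text buffer into lines and parse each one. Returns the count. */
static size_t load_mappings(const char *text, struct mapping *out, size_t cap)
{
    size_t count = 0;
    const char *p = text;
    while (*p && count < cap) {
        char line[512];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        if (parse_maps_line(line, &out[count]))
            count++;
    }
    return count;
}

/* Store in *gap_out the bytes between the end of the highest mapping that
 * ends at or below the stack's start and the stack itself. Returns 0 on
 * success, -1 if no [stack] line exists. A gap of 0 means some mapping
 * sits directly under the current bottom of the stack. */
int stack_gap_below(const char *maps_text, unsigned long *gap_out)
{
    struct mapping *maps = malloc(MAX_MAPS * sizeof *maps);
    unsigned long stack_start = 0, best_end = 0;
    int have_stack = 0;
    size_t n, i;

    if (!maps)
        return -1;
    n = load_mappings(maps_text, maps, MAX_MAPS);
    for (i = 0; i < n; i++)
        if (maps[i].is_stack) { stack_start = maps[i].start; have_stack = 1; break; }
    if (have_stack)
        for (i = 0; i < n; i++)
            if (!maps[i].is_stack && maps[i].end <= stack_start && maps[i].end > best_end)
                best_end = maps[i].end;
    free(maps);
    if (!have_stack)
        return -1;
    *gap_out = stack_start - best_end;
    return 0;
}

/* 1 if the measured gap is at least the threshold, else 0. */
int gap_meets_threshold(unsigned long gap, unsigned long threshold)
{
    return gap >= threshold;
}

/* Constructed sample (not captured from a real process): a mapping well below the stack. */
const char SAMPLE_OK[] =
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "7f1c5c000000-7f1c5c021000 rw-p 00000000 00:00 0\n"
    "7ffd3a610000-7ffd3a620000 rw-p 00000000 00:00 0\n"
    "7ffd3a7e0000-7ffd3a801000 rw-p 00000000 00:00 0 [stack]\n"
    "7ffd3a8f3000-7ffd3a8f5000 r--p 00000000 00:00 0 [vvar]\n";

/* Constructed sample: a mapping placed directly under the stack (gap of 0). */
const char SAMPLE_ADJACENT[] =
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "7ffd3a7d0000-7ffd3a7e0000 rw-p 00000000 00:00 0\n"
    "7ffd3a7e0000-7ffd3a801000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    unsigned long gap;
    const char *samples[] = { SAMPLE_OK, SAMPLE_ADJACENT };
    size_t i;
    for (i = 0; i < 2; i++) {
        if (stack_gap_below(samples[i], &gap) == 0)
            printf("sample %zu: gap below stack = 0x%lx bytes (%s)\n", i, gap,
                   gap_meets_threshold(gap, DEMO_GUARD_BYTES) ? "ok" : "TOO CLOSE");
    }
    return 0;
}
```

To inspect a live process on Linux, feed the contents of `/proc/<pid>/maps` to `stack_gap_below`; note that the `[stack]` line reflects how far the stack has been expanded so far, so the gap it reports is the room left for future on-demand growth, which is exactly the space the guard-gap patch reserves.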