Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752588AbdGFAXc (ORCPT ); Wed, 5 Jul 2017 20:23:32 -0400 Received: from mail.kernel.org ([198.145.29.99]:48688 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752440AbdGFAXb (ORCPT ); Wed, 5 Jul 2017 20:23:31 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org A1C7E22C8D Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org MIME-Version: 1.0 In-Reply-To: <1499298642.2707.59.camel@decadent.org.uk> References: <1499126133.2707.20.camel@decadent.org.uk> <20170704084122.GC14722@dhcp22.suse.cz> <20170704093538.GF14722@dhcp22.suse.cz> <20170704094728.GB22013@1wt.eu> <20170704104211.GG14722@dhcp22.suse.cz> <20170704113611.GA4732@decadent.org.uk> <1499209315.2707.29.camel@decadent.org.uk> <1499257180.2707.34.camel@decadent.org.uk> <20170705142354.GB21220@dhcp22.suse.cz> <1499283163.2707.52.camel@decadent.org.uk> <1499298642.2707.59.camel@decadent.org.uk> From: Andy Lutomirski Date: Wed, 5 Jul 2017 17:23:08 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] mm: larger stack guard gap, between vmas To: Ben Hutchings Cc: Andy Lutomirski , Linus Torvalds , Michal Hocko , Willy Tarreau , Hugh Dickins , Oleg Nesterov , "Jason A. Donenfeld" , Rik van Riel , Larry Woodman , "Kirill A. Shutemov" , Tony Luck , "James E.J. Bottomley" , Helge Diller , James Hogan , Laura Abbott , Greg KH , "security@kernel.org" , Qualys Security Advisory , LKML , Ximin Luo Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1973 Lines: 40 On Wed, Jul 5, 2017 at 4:50 PM, Ben Hutchings wrote: > On Wed, 2017-07-05 at 13:53 -0700, Andy Lutomirski wrote: >> On Jul 5, 2017, at 12:32 PM, Ben Hutchings wrote: >> > On Wed, 2017-07-05 at 10:23 -0700, Andy Lutomirski wrote: > [...] >> > > - As a hardening feature, if the stack would expand within 64k or >> > > whatever of a non-MAP_FIXED mapping, refuse to expand it. (This might >> > > have to be a non-hinted mapping, not just a non-MAP_FIXED mapping.) >> > > The idea being that, if you deliberately place a mapping under the >> > > stack, you know what you're doing. If you're like LibreOffice and do >> > > something daft and are thus exploitable, you're on your own. >> > > - As a hardening measure, don't let mmap without MAP_FIXED position >> > > something within 64k or whatever of the bottom of the stack unless a >> > > MAP_FIXED mapping is between them. >> > >> > Having tested patches along these lines, I think the above would avoid >> > the reported regressions. >> > >> >> FWIW, even this last part may be problematic. It'll break anything >> that tries to allocate many small MAP_GROWSDOWN stacks on 32- >> bit. Hopefully nothing does this, but maybe Java does. > > glibc (NPTL) does not. Java (at least Hotspot in OpenJDK 6,7, 8) does > not. LinuxThreads *does* and is used by uclibc. dietlibc *does*. I > would be surprised if either was used for applications with very many > threads, but then this issue has thrown up a lot of surprises. > Ugh. But yeah, I'd be a bit surprised to see heavily threaded apps using LinuxThreads or dietlibc. LinuxThreads still uses modify_ldt(), right? modify_ldt() performance is abysmal, and I have no intention of even trying to optimize it. Anyhow, you *can't* have more than 8192 threads if you use modify_ldt() for TLS because you run out of LDT slots. 8192 * 64k fits in 32 bits with room to spare, so this is unlikely to be a showstopper. --Andy