Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp3874666imm; Sun, 13 May 2018 22:16:39 -0700 (PDT) X-Google-Smtp-Source: AB8JxZrBYJznynFP19zdELGOfcZMjXlieRywXv7iAzDaA56Pi/KIj4FIo65N0oQy4h6F0YjlThkY X-Received: by 2002:a17:902:bcc4:: with SMTP id o4-v6mr8074207pls.308.1526274999541; Sun, 13 May 2018 22:16:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526274999; cv=none; d=google.com; s=arc-20160816; b=Dvizyp3lctNsGf8eGynwlzXHP3YF2Ff1vi4PexCpxLr1tASPyyWJ0TpGtIpvbrhPHg udqL2I7klbR/Iw8K0AJ7GSaiu9vM0lz1APY1osF8cC0890rrn6s2BfMngcMPdXAUTAlA 7rTbxUt2q/wsfot8tW3whNhQc4/A3uCLTsPkWrswEf6sj6a8mjsZHDqr/XJAwO+Millv nZJvNXIICB5hK3Nm63hrT6L8OSswc3/ZcYPyrVpqm3uCoYud9TMXaHVGB3V6RKXLD6p3 h4+jjlr/e83wM8bINEnSQQ4zRLrdw0QruHjpgj2nwRUOeRqRIxMEQ/I9wBqCdDzNVx/4 kTPg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=t7XzvvDliGgr70Gcfz/BX0WGqx/v5qX8iY+gMRGiCXI=; b=Owj4bU+diLy7z3AfQKLDH3NvYshW4iubOVbzqFg0FFeH8sfim1VSBcuXoueko9Eicq 6MqfbbEKr7NC95q4xZ0xpbgpCvCkwAClujIwTDTrz6SUo1JVGLiT/XelBX1Us/2khKw3 1orGEitoBNp2NeQlQruhRw/ls+xHy2Ru9jWEvbto1P7S6xPEQSUN7znZk40b7HnlCWga DAfau899KYQwWZIB5KjGHm9iCeZyWXRDigmqw9Zo1qzmDsRMzAl6rRDw5OH+hCZZtK3H +75RU68M93L83A6qcRLLJwym4ZUaF7qMJxgfAf+Oy9dV712o09kJXd/dExCBKjr6qZOL 7AfA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id bc2-v6si8537516plb.43.2018.05.13.22.16.23; Sun, 13 May 2018 22:16:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751934AbeENFQN (ORCPT + 99 others); Mon, 14 May 2018 01:16:13 -0400 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:34530 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750810AbeENFQM (ORCPT ); Mon, 14 May 2018 01:16:12 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 09B0C15AB; Sun, 13 May 2018 22:16:12 -0700 (PDT) Received: from salmiak (usa-sjc-mx-foss1.foss.arm.com [217.140.101.70]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 373BA3F23C; Sun, 13 May 2018 22:16:10 -0700 (PDT) Date: Mon, 14 May 2018 06:15:55 +0100 From: Mark Rutland To: Alexander Popov Cc: Andy Lutomirski , Laura Abbott , Kees Cook , Ard Biesheuvel , kernel-hardening@lists.openwall.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 2/2] arm64: Clear the stack Message-ID: <20180514051555.bpbydgr56hyffjch@salmiak> References: <20180502203326.9491-1-labbott@redhat.com> <20180502203326.9491-3-labbott@redhat.com> <20180503071917.xm2xvgagvzkworay@salmiak> <20180504110907.c2dw33kjmyybso6t@lakrids.cambridge.arm.com> <4badae50-be9b-2c6d-854b-57ab48664800@linux.com> <71199506-b46b-5f91-e489-e6450b6d1067@linux.com> <20180511161317.57k6prl54xjmsit3@lakrids.cambridge.arm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20170113 (1.7.2) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, May 13, 2018 at 11:40:07AM +0300, Alexander Popov wrote: > It seems that previously I was very "lucky" to accidentally have those MIN_STACK_LEFT, > call trace depth and oops=panic together to experience a hang on stack overflow > during BUG(). > > > When I run my test in a loop _without_ VMAP_STACK, I manage to corrupt the neighbour > processes with BUG() handling overstepping the stack boundary. It's a pity, but > I have an idea. I think that in the absence of VMAP_STACK, there will always be cases where we *could* corrupt a neighbouring stack, but I agree that trying to minimize that possibility would be good. > In kernel/sched/core.c we already have: > > #ifdef CONFIG_SCHED_STACK_END_CHECK > if (task_stack_end_corrupted(prev)) > panic("corrupted stack end detected inside scheduler\n"); > #endif > > So what would you think if I do the following in check_alloca(): > > if (size >= stack_left) { > #if !defined(CONFIG_VMAP_STACK) && defined(CONFIG_SCHED_STACK_END_CHECK) > panic("alloca over the kernel stack boundary\n"); > #else > BUG(); > #endif Given this is already out-of-line, how about we always use panic(), regardless of VMAP_STACK and SCHED_STACK_END_CHECK? i.e. just if (unlikely(size >= stack_left)) panic("alloca over the kernel stack boundary"); If we have VMAP_STACK selected, and overflow during the panic, it's the same as if we overflowed during the BUG(). It's likely that panic() will use less stack space than BUG(), and the compiler can put the call in a slow path that shouldn't affect most calls, so in all cases it's likely preferable. Thanks, Mark.