Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp264852pxm;
        Wed, 2 Mar 2022 14:57:40 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzXjhFey9fy8OPpz1ISR77SK6gb+aLZ+uoPFY2+7nRihlTemtLDhuwvLX+JUBKUBThPLwty
X-Received: by 2002:a17:902:b60f:b0:151:a83a:5402 with SMTP id b15-20020a170902b60f00b00151a83a5402mr164542pls.21.1646261859815;
        Wed, 02 Mar 2022 14:57:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1646261859; cv=none;
        d=google.com; s=arc-20160816;
        b=C5DAnMAOiLr1tJki9sCefj6VMlt28bAMDp+HKBVbk90Vmvo7c5b1ArhnEsEmcOeHhz
         0uVEENFJyZTEr3QPpBgV3DUvafe6MZDhUeVS58GPAKsAoKUyhLw85nmt8TBgPdjvg2Do
         ugJsGO0ygvEUEgt1jo6zXc/fF0JASJ8kOf8qYQyJ6+6c05Jj/zMqx08DQ87Rr5NQaRcT
         /rFhgtiFbU/vcLxry6eRM3VgtfRD6O1D3SHRdOpxsLWQUT4AwYKVycchYzrkdSkFYOim
         L5Oct+LQJQsd7Kk3HRklTpA9KB3Ul4Tv/XpmzmaL6hhh5s82CHlk/375N+6t5wkh/kMH
         NxuA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:subject:to
         :organization:from:content-language:mime-version:date:message-id;
        bh=IHbaPXrw/MFIprqmOHWSlqHB99MRVjQxZb+az7ukjOU=;
        b=BHjPgKz8PYY+xa0d57JQ2YwzbRqnQC0WAvkPkCizfeobBxg4lrJpSeIbBJ6l00tAiV
         XhpH0tEZ0PA9Pl4ZYtygIFi8zbkXjat+4AHvBw/gVpr6X5bLK4zX8+j+J1rSg4M2OMUI
         m2dBpvQcgv5CuPGy/SgsCHgXyoshoGfO5wAjCaslNBJQjIeWuwaf9aTye9nsUH/dZdVs
         qB8dSXl9ZWQ5QudRojLjGKyOBq+tIAJo8hOVf+6b1uk5FkdSjELn74hdqDkbH5X5t8A7
         FcT2JbIP3Tm5Qeo0M3Zmrljy5OZTUyi0P+K0r7pKf3XzwvgfMOz26vuRgNZLvOQx0Dqa
         kVOg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19])
        by mx.google.com with ESMTPS id f18-20020a631012000000b003758cfa5e78si333068pgl.100.2022.03.02.14.57.37
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 02 Mar 2022 14:57:39 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id 96ED911863F;
	Wed,  2 Mar 2022 14:44:12 -0800 (PST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S243363AbiCBPJD (ORCPT <rfc822;anothersharkwizard@gmail.com>
        + 99 others); Wed, 2 Mar 2022 10:09:03 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50022 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235010AbiCBPJA (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 2 Mar 2022 10:09:00 -0500
X-Greylist: delayed 496 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Wed, 02 Mar 2022 07:08:15 PST
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9474A60AA6
        for <linux-kernel@vger.kernel.org>; Wed,  2 Mar 2022 07:08:14 -0800 (PST)
Received: from fews1.riseup.net (fews1-pn.riseup.net [10.0.1.83])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
         client-signature RSA-PSS (2048 bits) client-digest SHA256)
        (Client CN "mail.riseup.net", Issuer "R3" (not verified))
        by mx1.riseup.net (Postfix) with ESMTPS id 4K7y2k2NJxzF74l
        for <linux-kernel@vger.kernel.org>; Wed,  2 Mar 2022 06:59:58 -0800 (PST)
X-Riseup-User-ID: 45BFFCFB4AB6A46B24AA5A9D0C6FD4FD300E827376533DDFC5C9F0806F4E0E5A
Received: from [127.0.0.1] (localhost [127.0.0.1])
         by fews1.riseup.net (Postfix) with ESMTPSA id 4K7y2k0h9kz5w0N
        for <linux-kernel@vger.kernel.org>; Wed,  2 Mar 2022 06:59:58 -0800 (PST)
Message-ID: <2fb2902d-f844-d018-aa4c-94009886ad1d@torproject.org>
Date:   Wed, 2 Mar 2022 08:59:56 -0600
MIME-Version: 1.0
Content-Language: en-US
From:   Jim Newsome <jnewsome@torproject.org>
Organization: The Tor Project, Inc
To:     linux-kernel@vger.kernel.org
Subject: sigaltstack from signal handler succeeds but is overwritten on
 sigreturn
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE,
	SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Context: I recently came across this behavior while developing [shadow], 
where we're using seccomp to trap syscalls to an LD_PRELOAD'd signal 
handler, as a fallback for syscalls we weren't able to intercept more 
efficiently at the libc API level via LD_PRELOAD. When a new thread is 
created, we do some self-initialization on its first intercepted 
syscall, including setting up a signal stack with sigaltstack. When the 
first syscall is trapped via seccomp, this initialization happens in the 
sigsys signal handler, and the sigaltstack configuration is lost on 
return. We can work around this behavior by initializing explicitly 
immediately after returning from clone in the child thread (which is 
probably a better design anyway), but it took a while to figure out what 
was going wrong.

[shadow]: https://github.com/shadow/shadow

Here is a simplified demonstration of the issue: 
https://godbolt.org/z/Mrxe119oj

 From the [sigaltstack man page], I'd only expect sigreturn to restore 
the sigaltstack configuration if there was already a sigaltstack 
configured for the thread on entry to the handler, and it had 
SS_AUTODISARM set.

[sigaltstack man page]: 
https://man7.org/linux/man-pages/man2/sigaltstack.2.html

I discovered this on x86-64 Ubuntu and their modified kernel 
5.13.0-30-generic and am not currently set up to try reproducing on a 
vanilla kernel, but if I'm reading the source correctly, this behavior 
exists in the latest kernel, at least on x86-64. The x86-64 [sigreturn] 
always calls [restore_altstack], which always restores the old 
sigaltstack config.

[sigreturn]: 
https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/arch/x86/kernel/signal.c#L656

[restore_altstack]: 
https://github.com/torvalds/linux/blob/a4fd49cdb5495f36a35bd27b69b3806e383c719b/kernel/signal.c#L4246

Is this unconditional restore intended? If so, maybe it could be 
documented more explicitly in the sigaltstack and/or sigreturn man pages?