Received: by 10.223.164.202 with SMTP id h10csp1192718wrb; Tue, 7 Nov 2017 23:50:35 -0800 (PST) X-Google-Smtp-Source: ABhQp+RFvayufkZUe+VzuuP4tigdtWmq3lWo+EH1hbtN9pkILscFiLFZrqCcPJ5B568oRV5KJOXp X-Received: by 10.99.125.89 with SMTP id m25mr1476128pgn.1.1510127434781; Tue, 07 Nov 2017 23:50:34 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510127434; cv=none; d=google.com; s=arc-20160816; b=M5Qzm8h1o7Nqjig0GpXuO/7DwC2Xa8NH6lNRkYb/Gnr9Qd5HnZKnR1YdyTSlnMV+a2 7Ol9v3C4a0UXHnbN7URiEbjqByqfIk1Hq6buZ2JIzFP6KaRdHhG5gWGwnISzQUpCi216 PRrxNJoWGSszaNsleiWEs9vn4KLhiw7yyMoe/mklIDrrMudz9M6FPDaS2kVVjaiV1vgI jybMwaz0LtlYl9fO0gipdlUxaYhsZniydaf7k3ERm7s3chw0q+wl5cFy8frr5qoy9OC2 A9qgbHijd5F09eXWnM8p6T0kFaMzKx6p04G68FzvmqP+fVZ/S8Lk3tWyclvrFWlsnP6Z ogqQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dmarc-filter :arc-authentication-results; bh=S2vTpvQ26guITHWWHWudIhxbEzgQnkT5a3QUvYZwFEU=; b=FykHTFN7E1rXVGFa0nqny/BopnE0A/su6uWlE9MdHnFlfpdEPfCYKwQ3B44OrcfRuM yllf0RQhCG2hRrNdlFu1YC/kvHNEKue7cr/VSi04amTCkt+LDO4hQr5ozPAi9pDXpwzY Xchd2phg2xTTqWOP2ix92RFygib8YJSsRAO5biM+R0EHigS26H4FBwekgjgSjCYL3cfY Hfw3lM00UIonQhxSqc/huPCvXj/l5FQwYuzgyuzZNWfYzND5dnZ9yV3+f9yRwF4B0YGT BzAN8t7UVbiusyfuFR8JgNzeRN46BCmqd6gXUWfhUQrDjIDhC4DLBBxTjK9WAoU0aBI1 qHpw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w6si3098300pgb.291.2017.11.07.23.50.22; Tue, 07 Nov 2017 23:50:34 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753936AbdKHGS0 (ORCPT + 91 others); Wed, 8 Nov 2017 01:18:26 -0500 Received: from mx1.redhat.com ([209.132.183.28]:33324 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751261AbdKHGSX (ORCPT ); Wed, 8 Nov 2017 01:18:23 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id B47ED64DF; Wed, 8 Nov 2017 06:18:22 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com B47ED64DF Authentication-Results: ext-mx09.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx09.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=fweimer@redhat.com Received: from oldenburg.str.redhat.com (ovpn-116-28.ams2.redhat.com [10.36.116.28]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 830645DA84; Wed, 8 Nov 2017 06:18:18 +0000 (UTC) Subject: Re: POWER: Unexpected fault when writing to brk-allocated memory To: Michael Ellerman , "Kirill A. Shutemov" , Kees Cook Cc: linux-arch@vger.kernel.org, Dave Hansen , Peter Zijlstra , Linus Torvalds , Ingo Molnar , Linux Kernel Mailing List , Nicholas Piggin , Andy Lutomirski , linux-mm , "Aneesh Kumar K.V" , Andrew Morton , linuxppc-dev@lists.ozlabs.org, Thomas Gleixner , "Kirill A. Shutemov" References: <20171106174707.19f6c495@roar.ozlabs.ibm.com> <24b93038-76f7-33df-d02e-facb0ce61cd2@redhat.com> <20171106192524.12ea3187@roar.ozlabs.ibm.com> <546d4155-5b7c-6dba-b642-29c103e336bc@redhat.com> <20171107160705.059e0c2b@roar.ozlabs.ibm.com> <20171107111543.ep57evfxxbwwlhdh@node.shutemov.name> <20171107114422.bgnm5k6w2zqjoazc@node.shutemov.name> <7fc1641b-361c-2ee2-c510-f7c64d173bf8@redhat.com> <20171107131616.342goolaujjsnjge@node.shutemov.name> <87vail2tgr.fsf@concordia.ellerman.id.au> From: Florian Weimer Message-ID: <9d5c86e9-d011-76b4-6357-b6009a201cdb@redhat.com> Date: Wed, 8 Nov 2017 07:18:17 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: <87vail2tgr.fsf@concordia.ellerman.id.au> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Wed, 08 Nov 2017 06:18:23 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/08/2017 07:08 AM, Michael Ellerman wrote: > "Kirill A. Shutemov" writes: > >> On Tue, Nov 07, 2017 at 02:05:42PM +0100, Florian Weimer wrote: >>> On 11/07/2017 12:44 PM, Kirill A. Shutemov wrote: >>>> On Tue, Nov 07, 2017 at 12:26:12PM +0100, Florian Weimer wrote: >>>>> On 11/07/2017 12:15 PM, Kirill A. Shutemov wrote: >>>>> >>>>>>> First of all, using addr and MAP_FIXED to develop our heuristic can >>>>>>> never really give unchanged ABI. It's an in-band signal. brk() is a >>>>>>> good example that steadily keeps incrementing address, so depending >>>>>>> on malloc usage and address space randomization, you will get a brk() >>>>>>> that ends exactly at 128T, then the next one will be > >>>>>>> DEFAULT_MAP_WINDOW, and it will switch you to 56 bit address space. >>>>>> >>>>>> No, it won't. You will hit stack first. >>>>> >>>>> That's not actually true on POWER in some cases. See the process maps I >>>>> posted here: >>>>> >>>>> >>>> >>>> Hm? I see that in all three cases the [stack] is the last mapping. >>>> Do I miss something? >>> >>> Hah, I had not noticed. Occasionally, the order of heap and stack is >>> reversed. This happens in approximately 15% of the runs. >> >> Heh. I guess ASLR on Power is too fancy :) > > Fancy implies we're doing it on purpose :P > >> That's strange layout. It doesn't give that much (relatively speaking) >> virtual address space for both stack and heap to grow. > > I'm pretty sure it only happens when you're running an ELF interpreter > directly, because of Kees patch which changed the logic to load ELF > interpreters in the mmap region, vs PIE binaries which go to > ELF_ET_DYN_BASE. (eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only > for PIE")) From that commit: + * There are effectively two types of ET_DYN + * binaries: programs (i.e. PIE: ET_DYN with INTERP) + * and loaders (ET_DYN without INTERP, since they + * _are_ the ELF interpreter). The loaders must Note that the comment is a bit misleading: statically linked PIE binaries are ET_DYN without INTERP, too. So any oddity which is observable today with an explicitly ld.so invocation only will gain more relevance once we get static PIE support in user space because it will then affect regular applications, too. (Well, statically linked ones.) In this sense, process layouts which cause premature brk failure or insufficient stack allocations are real bugs. Thanks, Florian From 1583483365561735250@xxx Wed Nov 08 07:50:16 +0000 2017 X-GM-THRID: 1583404961130869946 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread