Received: by 10.223.164.202 with SMTP id h10csp67119wrb; Fri, 10 Nov 2017 02:42:55 -0800 (PST) X-Google-Smtp-Source: ABhQp+TURV6IcbeXyxQFPPm3ddv1xhvKNldG2zR2cJ6MY6bw/Mqqk7Kc8TZd+hLfvVzQ4+PCLArv X-Received: by 10.99.36.133 with SMTP id k127mr3576191pgk.171.1510310575458; Fri, 10 Nov 2017 02:42:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510310575; cv=none; d=google.com; s=arc-20160816; b=EiuiNMMKaFTB0hqR+6k5a+lBu86omcDIVNaYcm2R2mPn1trK19bnFs2i9hK50w5q38 KXLY3BgTQH6juLsTTKG6eKJGAMeCwx/z++oSPitV6M4bJIiAVcpBQKqdj3WeRGzzS1sN WvuicWOdyUkeRW7AgxYwQNdsY0IYZ5Rf5C0N1GyYEE1g5aa/pMX3bDIfc2h2xi4zldJg A1mZiqVZutkmrQdhTt2VdTTB3n0+/RinKnuZQSevLqf8Z4jTFn4aQHx+72bIyExkPJby M/iSdDpPZ0KwIKMQFXNtek7KGZqzJesT+E2cxuyfnVSdP79B8aYU60rMHEQ44IoMYRsO SvlQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:mime-version:user-agent:date:message-id:subject :from:cc:to:arc-authentication-results; bh=3tt3PD/wUIE8OCcbQUSWXcxwoeZ6CQmWgq0vlgAYzBg=; b=Y6HF2csoUrHcAEwxQYaFQzzuo7J1Zd8MuuXUba/FVzJmi3BPs/a8RPIyLA/3Ykfei/ K8CQGflBtaRC5DOmTXc5vzynZpr5NUrQEZwXSTOvRUMjg3BxoYk7xPZCbFVWBl94gd+M pa2XCTyXTaBaihNQDLYUXf+bQEbVzAwcvGlK3Jcm332x09ftS0OW9IRTMoYtJexmMGyh QZrgORwJoGgEnKHDQEhCMH4sTEs+uzw+txgSErwGz+92wN33ez68epW5rWhxutN6pq6T 9dtLX5rQyv+hQ5OSOsRbaJtd6eaA6QFDSHmah0BdhYE+/o39zpMQxshnrkMALIRRJt9q 7Uaw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w27si9301125pfl.23.2017.11.10.02.42.44; Fri, 10 Nov 2017 02:42:55 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752848AbdKJKkh (ORCPT + 82 others); Fri, 10 Nov 2017 05:40:37 -0500 Received: from marcansoft.com ([212.63.210.85]:47962 "EHLO mail.marcansoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752451AbdKJKkf (ORCPT ); Fri, 10 Nov 2017 05:40:35 -0500 Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: marcan@marcansoft.com) by mail.marcansoft.com (Postfix) with ESMTPSA id 986B143227; Fri, 10 Nov 2017 10:40:32 +0000 (UTC) To: luto@amacapital.net Cc: LKML , "kernel-hardening@lists.openwall.com" , x86@kernel.org From: Hector Martin 'marcan' Subject: vDSO maximum stack usage, stack probes, and -fstack-check Message-ID: Date: Fri, 10 Nov 2017 19:40:30 +0900 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: es-ES Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org As far as I know, the vDSO specs (both Documentation/ABI/stable/vdso and `man 7 vdso`) make no mention of how much stack the vDSO functions are allowed to use. They just say "the usual C ABI", which makes no guarantees. It turns out that Go has been assuming that those functions use less than 104 bytes of stack space, because it calls them directly on its tiny stack allocations with no guard pages or other hardware overflow protection [1]. On most systems, this is fine. However, on my system the stars aligned and turned it into a nondeterministic crash. I use Gentoo Hardened, which builds its toolchain with -fstack-check on by default. It turns out that with the combination of GCC 6.4.0, -fstack-protect, linux-4.13.9-gentoo, and CONFIG_OPTIMIZE_INLINING=n, gcc decides to *not* inline vread_tsc (it's not marked inline, so it's perfectly within its right not to do that, though for some reason it does inline when CONFIG_OPTIMIZE_INLINING=y even though that nominally gives it greater freedom *not* to inline things marked inline). That turns __vdso_clock_gettime and __vdso_gettimeofday into non-leaf functions, and GCC then inserts a stack probe (full objdump at [2]): 0000000000000030 <__vdso_clock_gettime>: 30: 55 push %rbp 31: 48 89 e5 mov %rsp,%rbp 34: 48 81 ec 20 10 00 00 sub $0x1020,%rsp 3b: 48 83 0c 24 00 orq $0x0,(%rsp) 40: 48 81 c4 20 10 00 00 add $0x1020,%rsp That silently overflows the Go stack. "orq 0" does nothing as long as the page is mapped, but it's not atomic. It turns out that sometimes (pretty often on my box) that races another thread accessing the same location and corrupts memory. The stack probe sounds unnecessary, since it only calls vread_tsc and that can't ever skip over more than a page of stack. In fact I don't even know why it does the probe; I thought the point of stack probes was to poke the stack on allocations >4K to ensure the guard page isn't skipped, but none of these functions use more than a few bytes of stack space. Nonetheless, none of this is wrong per se; the current vDSO spec makes no guarantees about stack usage. The question is, should it? Should the vDSO spec set a hard limit on stack consumption that userspace can rely on, and perhaps inline everything and/or disable -fstack-check to avoid the stack probes? [1] https://github.com/golang/go/issues/20427#issuecomment-343255844 [2] https://marcan.st/paste/HCVuLG6T.txt -- Hector Martin "marcan" (marcan@marcan.st) Public Key: https://mrcn.st/pub From 1583685268919248909@xxx Fri Nov 10 13:19:26 +0000 2017 X-GM-THRID: 1583684726764159877 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread