lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150521102708.GA17009@gmail.com>
Date:	Thu, 21 May 2015 12:27:08 +0200
From:	Ingo Molnar <mingo@...nel.org>
To:	Josh Poimboeuf <jpoimboe@...hat.com>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	Andy Lutomirski <luto@...capital.net>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>, Michal Marek <mmarek@...e.cz>,
	Peter Zijlstra <peterz@...radead.org>, X86 ML <x86@...nel.org>,
	live-patching@...r.kernel.org,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Andy Lutomirski <luto@...nel.org>,
	Denys Vlasenko <dvlasenk@...hat.com>,
	Brian Gerst <brgerst@...il.com>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Borislav Petkov <bp@...en8.de>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH v4 0/3] Compile-time stack frame pointer validation


* Josh Poimboeuf <jpoimboe@...hat.com> wrote:

> On Wed, May 20, 2015 at 09:59:18AM -0700, Linus Torvalds wrote:
> > On Wed, May 20, 2015 at 9:25 AM, Josh Poimboeuf <jpoimboe@...hat.com> wrote:
> > > On Wed, May 20, 2015 at 09:03:37AM -0700, Andy Lutomirski wrote:
> > >>
> > >> I've never quite understood what the '?' means.
> > >
> > > It basically means "here's a function address we found on the 
> > > stack, which may or may not have been called."  It's needed 
> > > because stack walking isn't currently 100% reliable.
> > 
> > It is often quite interesting and helpful, because it shows stale 
> > data on the stack, giving clues about what happened just before.
> > 
> > Now, I'd like gcc to generally be better about not wasting so much 
> > stack frame, so in that sense I'd like to see fewer '?" entries 
> > just from a code quality standpoint, but when debugging those 
> > things, the downside of "noise" is often cancelled by the upside 
> > of "ahh, it happens after calling X".
> > 
> > So the "perfect stack frames" is actually not as great a thing as 
> > some people want to make it seem.
> 
> Ok, I can see how looking at stale stack data could be useful for 
> some of the really tough problems.

And note that the tough problems are actually the ones where we need 
that information the most. So any stack backtrace printing method must 
be biased towards helping the difficult scenarios - not the trivial 
crashes. That is one of the reasons why we are always printing the 
question marks.

> But right now, the meaning of '?' is ambiguous.  It could be stale 
> data, or it could be part of a frame for the current stack which was 
> skipped due to missing frame pointers or an exception.

Yes, of course. That's not a big problem as the actual symbolic 
information will tell us a lot, which allows us to reconstruct the 
real call chain, plus allows us to see any 'recent execution activity' 
that might be on the stack as stale entries.

> If we can somehow make the stack unwinder reliable, then it would at 
> least allow us to remove the ambiguity of the '?' entries.  And it 
> would reduce the "noise" for the majority of issues where we don't 
> care about stale stack data, and can simply ignore it.

Yes, but note the above consideration - the probability distribution 
of kernel bugs tends to have a _very_ long tail, with bugs that 
sometimes take years to trigger and fix. Kernel developers upstream 
and at distros tend to spend a disproportionately large amount of time 
staring at difficult to decode bugs.

For that reason it is far more important to still stay maintainable 
with those kinds of difficult bugs, than to make the resolution of 
trivial, unambiguous crashes a tiny bit easier by printing fewer 
'distractions'...

Also, note that the '?' entries have another role: they cross-check 
the unwinder.

If you think we'll be able to do a perfect unwinder then think again: 
debug info _will_ be messed up periodically, either by us or by 
tooling, because right now no kernel code or other functionality 
relies on perfect unwinding.

So this is not like C++ exception handling where broken unwinding will 
break the code. This is something that is literally only visible in 
kernel logs currently, as a slight anomaly.

So any x86 stack unwinder code must be fundamentally based on the idea 
and expectation that stack unwinding is always going to be somewhat 
imperfect and somewhat statistical.

Thanks,

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ