lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCETrVBYySbWteyRas-+UsNqsUijORaoyYS64RzRqXp3g4X=A@mail.gmail.com>
Date:	Wed, 2 Sep 2015 07:21:09 -0700
From:	Andy Lutomirski <luto@...capital.net>
To:	Stas Sergeev <stsp@...t.ru>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	Raymond Jennings <shentino@...il.com>,
	Cyrill Gorcunov <gorcunov@...il.com>,
	Pavel Emelyanov <xemul@...allels.com>,
	Linux kernel <linux-kernel@...r.kernel.org>
Subject: Re: [regression] x86/signal/64: Fix SS handling for signals delivered
 to 64-bit programs breaks dosemu

On Wed, Sep 2, 2015 at 2:17 AM, Stas Sergeev <stsp@...t.ru> wrote:
> 02.09.2015 08:12, Andy Lutomirski пишет:
>
>> On Wed, Aug 19, 2015 at 9:30 AM, Stas Sergeev <stsp@...t.ru> wrote:
>>>
>>> 19.08.2015 18:46, Andy Lutomirski пишет:
>>>>
>>>> On Wed, Aug 19, 2015 at 2:35 AM, Stas Sergeev <stsp@...t.ru> wrote:
>>>>>>
>>>>>> Incidentally, I tried implementing the sigaction flag approach.  I
>>>>>> think it's no good.  When we return from a signal, there's no concept
>>>>>> of sigaction -- it's just sigreturn.  Sigreturn can't look up the
>>>>>> sigaction flags -- what if the signal handler calls sigaction itself.
>>>>>
>>>>> How about the SA_hyz flag that does the following:
>>>>> - Saves SS into sigcontext
>>>>> - Forces SS to USER_DS on signal delivery
>>>>> - Sets the uc_flags flag for sigreturn() to take care of the rest.
>>>>> You'll have both the control on every bit of action, and a simple
>>>>> detection logic: if SA_hyz didn't set the uc flag - it didn't work.
>>>>> You can even employ your lar heuristic here for the case when the
>>>>> aforementioned SA_hyz is not set. But please, please not when it is
>>>>> set! In fact, I wonder if you had in mind exactly that: using the
>>>>> lar heuristic only if the SA_hyz is not set. If so - I misunderstood.
>>>>> Just please don't add it when it is set.
>>>>
>>>> Hmm, interesting.  Maybe that would work for everything.  How's this
>>>> to make it concrete?
>>>>
>>>> Add a sigaction flag SA_RESTORE_SS.
>>>>
>>>> On signal delivery, always save SS into sigcontext->ss. if
>>>> SA_RESTORE_SS is set, then unconditionally switch HW SS to __USER_DS
>>>> and set UC_RESTORE_SS.  If SA_RESTORE_SS is clear, then leave HW SS
>>>> alone (i.e. preserve the old behavior).
>>>
>>> Either that, or employ the lar heuristic for the "not set" case
>>> (I think its not needed).
>>>
>>>> On signal return, if UC_RESTORE_SS is set, then restore
>>>> sigcontext->ss.  If not, then set SS to __USER_DS (as old kernels
>>>> did).
>>>>
>>>> This should change nothing at all (except the initial value of
>>>> sigcontext->ss / __pad0) on old kernels.
>>>
>>> Agreed.
>>>
>> Let me throw out one more possibility, just for completeness:
>>
>> We don't add any SA_xyz flags.  On signal delivery, we use the LAR
>> heuristic.  We always fill in sigcontext->ss, and we set a new
>> UC_SIGCONTEXT_SS flag to indicate that we support the new behavior.
>>
>> On sigreturn, we honor the sigcontext's ss, *unless* CS is 64 bit and
>> SS is invalid.  In the latter case, we replace the saved ss with
>> __USER_DS.
>
> But this is not a new proposal, see here:
> https://lkml.org/lkml/2015/8/13/436
> The very last sentence says exactly the same.
> I thought this is in the past. :)
>

True, but I still want to make sure I understand the alternatives
well, and we never really considered this approach.

>> This should work for old DOSEMU.  It's a bit gross, but it has the
>> nice benefit that everyone (even things that aren't DOSEMU) gain the
>> ability to catch signals thrown from bogus SS contexts, which probably
>> improves debugability.  It's also nice to not have the SA flag.
>
> Pros:
> - No new SA flag
> - May improve debugability in some unknown scenario where people
> do not want to just use the new flag to get their things improved
>
> Cons:
> - Does not allow to cleanly use siglongjmp(), as then there is a risk
> to jump to 64bit code with bad SS

What's the issue here?  I don't understand.

On musl, (sig)longjmp just restores rsp, rbx, rbp, and r12-r15, so it
won't be affected.  AFAIK all implementations of siglongjmp are likely
to call sigprocmask or similar, and that will clobber SS.  I'm not
aware of an implementation of siglongjmp that uses sigreturn.

> - Async signals can silently "validate" SS behind your back

True, and that's unfortunate.  But async signals without SA_SAVE_SS
set with the other approach have exactly the same problem.  At least
with the approach it won't happen in 32-bit or 16-bit code, as we'd
only do the heuristic SS fix on sigreturn when returning to 64-bit
code.

> - No way to extend that solution to later fixing the TLS problem

True.

> - Many ugly checks in the code, that are not always even obvious
> (eg you wanted to try verw instead, and there was a gotcha with
> NP bit)

Also true.  OTOH, there'll be a unit test.

>
> Is the new SA flag such a big deal here to even bother?

Not really, but given that the new behavior seems clearly better
behaved than the old, it would be nice to be able to have the good
behavior, or at least most of it, be the default.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ