lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160310102618.GB21593@gmail.com>
Date:	Thu, 10 Mar 2016 11:26:18 +0100
From:	Ingo Molnar <mingo@...nel.org>
To:	Andy Lutomirski <luto@...capital.net>
Cc:	Stas Sergeev <stsp@...t.ru>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>, X86 ML <x86@...nel.org>,
	Borislav Petkov <bp@...e.de>, Brian Gerst <brgerst@...il.com>,
	Oleg Nesterov <oleg@...hat.com>,
	Richard Weinberger <richard@....at>,
	Stas Sergeev <stsp@...rs.sourceforge.net>
Subject: Re: [PATCH] [Cleanup] x86: signal: unify the sigaltstack check with
 other arches


* Andy Lutomirski <luto@...capital.net> wrote:

> On Tue, Mar 8, 2016 at 8:20 AM, Ingo Molnar <mingo@...nel.org> wrote:
> >
> > * Stas Sergeev <stsp@...t.ru> wrote:
> >
> >> 25.02.2016 11:25, Ingo Molnar пишет:
> >> >
> >> > * Stas Sergeev <stsp@...t.ru> wrote:
> >> >
> >> >> Currently x86's get_sigframe() checks for "current->sas_ss_size"
> >> >> to determine whether there is a need to switch to sigaltstack.
> >> >> The common practice used by all other arches is to check for
> >> >> sas_ss_flags(sp) == 0
> >> >>
> >> >> This patch makes the code consistent with other arches.
> >> >> The slight complexity of the patch is added by the optimization on
> >> >> !sigstack check that was requested by Andy Lutomirski: sas_ss_flags(sp)==0
> >> >> already implies that we are not on a sigstack, so the code is shuffled
> >> >> to avoid the duplicate checking.
> >> >
> >> > So this changelog is missing an analysis about what effect this change will have
> >> > on applications. Can any type of user-space code see a change in behavior? If yes,
> >> > what will happen and is that effect desirable?
> >> This is a clean-up, and as such, there is no visible effect.
> >> If there is - it is a bug.
> >> The purpose of this patch is only to unify the x86 code with
> >> what all the other arches do. It was initially the part of the
> >> rejected series, but now it is just a clean-up.
> >
> > Ok, so AFAICS the relevant change is:
> >
> > -               if (current->sas_ss_size)
> > -                       sp = current->sas_ss_sp + current->sas_ss_size;
> > +               if (sas_ss_flags(sp) == 0)
> > +                       sp = current->sas_ss_sp + current->sas_ss_size;
> >
> > and since sas_ss_flags() is defined as:
> >
> > static inline int sas_ss_flags(unsigned long sp)
> > {
> >         if (!current->sas_ss_size)
> >                 return SS_DISABLE;
> >
> >         return on_sig_stack(sp) ? SS_ONSTACK : 0;
> > }
> >
> > sas_ss_flags() returns 0 iff current->sas_ss_size && !on_sig_stack().
> >
> > But we already have on_sig_stack(sp) calculated. Why not write that as:
> >
> > +               if (current->sas_ss_size && !onsigstack)
> > +                       sp = current->sas_ss_sp + current->sas_ss_size;
> >
> > and since we check '!onsigstack' in both branches, we might as well factor it out
> > into a single condition ... and arrive to the exact code that we began with.
> 
> ISTM it's silly for us to be unconditionally computing onsigstack.
> We're doing it because we need it later for this:
> 
>         /*
>          * If we are on the alternate signal stack and would overflow it, don't.
>          * Return an always-bogus address instead so we will die with SIGSEGV.
>          */
>         if (onsigstack && !likely(on_sig_stack(sp)))
>                 return (void __user *)-1L;
> 
> This seems basically useless to me.  Sure, it's nice to send SIGSEGV
> if we overflow due to signal delivery.  But we're almost as likely to
> overflow in the signal handler as we are to overflow during delivery,
> and we don't even try to catch that.

Ok, I was just put off by the code size difference - but no strong opinion from 
me, I'd certainly be fine with (as a first step) harmonizing the implementation 
with other architectures. I withdraw my objection.

> Anyway, I think we should make two changes to the sig_on_stack thing:
> 
> 1. If SS_AUTODISARM, then we're not on the stack, regardless of what sp says.
> 
> 2. If !user_64bit_mode(regs) && (regs->ss & 0x4), then we're not on
> the signal stack.  This will happen if we're running on an LDT stack
> and we coincidentally have the ESP part of SS:ESP matching the signal
> stack.
> 
> In general, the existing design is crap and it should always have
> worked the way that Stas is proposing with SS_AUTODISARM.

Ok, no objections here either.

Thanks,

	Ingo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ