lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCETrWSr86vBo=Va-t687A1zEszZJZjG350+-2GCOhM-kLuSA@mail.gmail.com>
Date:	Wed, 9 Mar 2016 16:02:19 -0800
From:	Andy Lutomirski <luto@...capital.net>
To:	Ingo Molnar <mingo@...nel.org>
Cc:	Stas Sergeev <stsp@...t.ru>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>, X86 ML <x86@...nel.org>,
	Borislav Petkov <bp@...e.de>, Brian Gerst <brgerst@...il.com>,
	Oleg Nesterov <oleg@...hat.com>,
	Richard Weinberger <richard@....at>,
	Stas Sergeev <stsp@...rs.sourceforge.net>
Subject: Re: [PATCH] [Cleanup] x86: signal: unify the sigaltstack check with
 other arches

On Tue, Mar 8, 2016 at 8:20 AM, Ingo Molnar <mingo@...nel.org> wrote:
>
> * Stas Sergeev <stsp@...t.ru> wrote:
>
>> 25.02.2016 11:25, Ingo Molnar пишет:
>> >
>> > * Stas Sergeev <stsp@...t.ru> wrote:
>> >
>> >> Currently x86's get_sigframe() checks for "current->sas_ss_size"
>> >> to determine whether there is a need to switch to sigaltstack.
>> >> The common practice used by all other arches is to check for
>> >> sas_ss_flags(sp) == 0
>> >>
>> >> This patch makes the code consistent with other arches.
>> >> The slight complexity of the patch is added by the optimization on
>> >> !sigstack check that was requested by Andy Lutomirski: sas_ss_flags(sp)==0
>> >> already implies that we are not on a sigstack, so the code is shuffled
>> >> to avoid the duplicate checking.
>> >
>> > So this changelog is missing an analysis about what effect this change will have
>> > on applications. Can any type of user-space code see a change in behavior? If yes,
>> > what will happen and is that effect desirable?
>> This is a clean-up, and as such, there is no visible effect.
>> If there is - it is a bug.
>> The purpose of this patch is only to unify the x86 code with
>> what all the other arches do. It was initially the part of the
>> rejected series, but now it is just a clean-up.
>
> Ok, so AFAICS the relevant change is:
>
> -               if (current->sas_ss_size)
> -                       sp = current->sas_ss_sp + current->sas_ss_size;
> +               if (sas_ss_flags(sp) == 0)
> +                       sp = current->sas_ss_sp + current->sas_ss_size;
>
> and since sas_ss_flags() is defined as:
>
> static inline int sas_ss_flags(unsigned long sp)
> {
>         if (!current->sas_ss_size)
>                 return SS_DISABLE;
>
>         return on_sig_stack(sp) ? SS_ONSTACK : 0;
> }
>
> sas_ss_flags() returns 0 iff current->sas_ss_size && !on_sig_stack().
>
> But we already have on_sig_stack(sp) calculated. Why not write that as:
>
> +               if (current->sas_ss_size && !onsigstack)
> +                       sp = current->sas_ss_sp + current->sas_ss_size;
>
> and since we check '!onsigstack' in both branches, we might as well factor it out
> into a single condition ... and arrive to the exact code that we began with.

ISTM it's silly for us to be unconditionally computing onsigstack.
We're doing it because we need it later for this:

        /*
         * If we are on the alternate signal stack and would overflow it, don't.
         * Return an always-bogus address instead so we will die with SIGSEGV.
         */
        if (onsigstack && !likely(on_sig_stack(sp)))
                return (void __user *)-1L;

This seems basically useless to me.  Sure, it's nice to send SIGSEGV
if we overflow due to signal delivery.  But we're almost as likely to
overflow in the signal handler as we are to overflow during delivery,
and we don't even try to catch that.

Anyway, I think we should make two changes to the sig_on_stack thing:

1. If SS_AUTODISARM, then we're not on the stack, regardless of what sp says.

2. If !user_64bit_mode(regs) && (regs->ss & 0x4), then we're not on
the signal stack.  This will happen if we're running on an LDT stack
and we coincidentally have the ESP part of SS:ESP matching the signal
stack.

In general, the existing design is crap and it should always have
worked the way that Stas is proposing with SS_AUTODISARM.

--Andy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ