[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <570EC3F6.9000407@list.ru>
Date: Thu, 14 Apr 2016 01:11:02 +0300
From: Stas Sergeev <stsp@...t.ru>
To: Andy Lutomirski <luto@...capital.net>,
Ingo Molnar <mingo@...nel.org>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>, X86 ML <x86@...nel.org>,
Borislav Petkov <bp@...e.de>, Brian Gerst <brgerst@...il.com>,
Oleg Nesterov <oleg@...hat.com>,
Richard Weinberger <richard@....at>,
Stas Sergeev <stsp@...rs.sourceforge.net>
Subject: Re: [PATCH] [Cleanup] x86: signal: unify the sigaltstack check with
other arches
10.03.2016 03:02, Andy Lutomirski пишет:
> On Tue, Mar 8, 2016 at 8:20 AM, Ingo Molnar <mingo@...nel.org> wrote:
>> * Stas Sergeev <stsp@...t.ru> wrote:
>>
>>> 25.02.2016 11:25, Ingo Molnar пишет:
>>>> * Stas Sergeev <stsp@...t.ru> wrote:
>>>>
>>>>> Currently x86's get_sigframe() checks for "current->sas_ss_size"
>>>>> to determine whether there is a need to switch to sigaltstack.
>>>>> The common practice used by all other arches is to check for
>>>>> sas_ss_flags(sp) == 0
>>>>>
>>>>> This patch makes the code consistent with other arches.
>>>>> The slight complexity of the patch is added by the optimization on
>>>>> !sigstack check that was requested by Andy Lutomirski: sas_ss_flags(sp)==0
>>>>> already implies that we are not on a sigstack, so the code is shuffled
>>>>> to avoid the duplicate checking.
>>>> So this changelog is missing an analysis about what effect this change will have
>>>> on applications. Can any type of user-space code see a change in behavior? If yes,
>>>> what will happen and is that effect desirable?
>>> This is a clean-up, and as such, there is no visible effect.
>>> If there is - it is a bug.
>>> The purpose of this patch is only to unify the x86 code with
>>> what all the other arches do. It was initially the part of the
>>> rejected series, but now it is just a clean-up.
>> Ok, so AFAICS the relevant change is:
>>
>> - if (current->sas_ss_size)
>> - sp = current->sas_ss_sp + current->sas_ss_size;
>> + if (sas_ss_flags(sp) == 0)
>> + sp = current->sas_ss_sp + current->sas_ss_size;
>>
>> and since sas_ss_flags() is defined as:
>>
>> static inline int sas_ss_flags(unsigned long sp)
>> {
>> if (!current->sas_ss_size)
>> return SS_DISABLE;
>>
>> return on_sig_stack(sp) ? SS_ONSTACK : 0;
>> }
>>
>> sas_ss_flags() returns 0 iff current->sas_ss_size && !on_sig_stack().
>>
>> But we already have on_sig_stack(sp) calculated. Why not write that as:
>>
>> + if (current->sas_ss_size && !onsigstack)
>> + sp = current->sas_ss_sp + current->sas_ss_size;
>>
>> and since we check '!onsigstack' in both branches, we might as well factor it out
>> into a single condition ... and arrive to the exact code that we began with.
> ISTM it's silly for us to be unconditionally computing onsigstack.
> We're doing it because we need it later for this:
>
> /*
> * If we are on the alternate signal stack and would overflow it, don't.
> * Return an always-bogus address instead so we will die with SIGSEGV.
> */
> if (onsigstack && !likely(on_sig_stack(sp)))
> return (void __user *)-1L;
>
> This seems basically useless to me. Sure, it's nice to send SIGSEGV
> if we overflow due to signal delivery. But we're almost as likely to
> overflow in the signal handler as we are to overflow during delivery,
> and we don't even try to catch that.
>
> Anyway, I think we should make two changes to the sig_on_stack thing:
>
> 1. If SS_AUTODISARM, then we're not on the stack, regardless of what sp says.
>
> 2. If !user_64bit_mode(regs) && (regs->ss & 0x4), then we're not on
> the signal stack. This will happen if we're running on an LDT stack
> and we coincidentally have the ESP part of SS:ESP matching the signal
> stack.
>
> In general, the existing design is crap and it should always have
> worked the way that Stas is proposing with SS_AUTODISARM.
Andy, so can I use your Acked-by to this patch?
I think 2 is an entirely separate problem and can be implemented
later. Do you have any objections to the patch in its current form?
Do you think that 1 should be implemented, or can we agree that
it is not possible/unsafe? Please, state your optinion explicitly, because
I am completely puzzled with why this patch cannot be applied.
Powered by blists - more mailing lists