lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 14 May 2016 09:35:41 -0700 From: Andy Lutomirski <luto@...capital.net> To: Stas Sergeev <stsp@...t.ru> Cc: Thomas Gleixner <tglx@...utronix.de>, Shuah Khan <shuahkh@....samsung.com>, Pavel Emelyanov <xemul@...allels.com>, X86 ML <x86@...nel.org>, Andrew Morton <akpm@...ux-foundation.org>, Linux API <linux-api@...r.kernel.org>, Jason Low <jason.low2@...com>, "Eric W. Biederman" <ebiederm@...ssion.com>, Josh Triplett <josh@...htriplett.org>, Aleksa Sarai <cyphar@...har.com>, Paul Moore <pmoore@...hat.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Sasha Levin <sasha.levin@...cle.com>, Denys Vlasenko <dvlasenk@...hat.com>, Al Viro <viro@...iv.linux.org.uk>, "Amanieu d'Antras" <amanieu@...il.com>, Borislav Petkov <bp@...en8.de>, Konstantin Khlebnikov <khlebnikov@...dex-team.ru>, Heinrich Schuchardt <xypron.glpk@....de>, Tejun Heo <tj@...nel.org>, Brian Gerst <brgerst@...il.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Palmer Dabbelt <palmer@...belt.com>, Frederic Weisbecker <fweisbec@...il.com>, Andrea Arcangeli <aarcange@...hat.com>, Vladimir Davydov <vdavydov@...allels.com>, Oleg Nesterov <oleg@...hat.com>, Richard Weinberger <richard@....at>, "H. Peter Anvin" <hpa@...or.com>, Peter Zijlstra <peterz@...radead.org> Subject: Re: [PATCH 1/4] signals/sigaltstack: If SS_AUTODISARM, bypass on_sig_stack On May 14, 2016 4:18 AM, "Stas Sergeev" <stsp@...t.ru> wrote: > > 14.05.2016 07:18, Andy Lutomirski пишет: > >> On May 8, 2016 7:05 PM, "Stas Sergeev" <stsp@...t.ru> wrote: >>> >>> 09.05.2016 04:32, Andy Lutomirski пишет: >>> >>>> On May 7, 2016 7:38 AM, "Stas Sergeev" <stsp@...t.ru> wrote: >>>>> >>>>> 03.05.2016 20:31, Andy Lutomirski пишет: >>>>> >>>>>> If a signal stack is set up with SS_AUTODISARM, then the kernel >>>>>> inherently avoids incorrectly resetting the signal stack if signals >>>>>> recurse: the signal stack will be reset on the first signal >>>>>> delivery. This means that we don't need check the stack pointer >>>>>> when delivering signals if SS_AUTODISARM is set. >>>>>> >>>>>> This will make segmented x86 programs more robust: currently there's >>>>>> a hole that could be triggered if ESP/RSP appears to point to the >>>>>> signal stack but actually doesn't due to a nonzero SS base. >>>>>> >>>>>> Signed-off-by: Stas Sergeev <stsp@...t.ru> >>>>>> Cc: Al Viro <viro@...iv.linux.org.uk> >>>>>> Cc: Aleksa Sarai <cyphar@...har.com> >>>>>> Cc: Amanieu d'Antras <amanieu@...il.com> >>>>>> Cc: Andrea Arcangeli <aarcange@...hat.com> >>>>>> Cc: Andrew Morton <akpm@...ux-foundation.org> >>>>>> Cc: Andy Lutomirski <luto@...capital.net> >>>>>> Cc: Borislav Petkov <bp@...en8.de> >>>>>> Cc: Brian Gerst <brgerst@...il.com> >>>>>> Cc: Denys Vlasenko <dvlasenk@...hat.com> >>>>>> Cc: Eric W. Biederman <ebiederm@...ssion.com> >>>>>> Cc: Frederic Weisbecker <fweisbec@...il.com> >>>>>> Cc: H. Peter Anvin <hpa@...or.com> >>>>>> Cc: Heinrich Schuchardt <xypron.glpk@....de> >>>>>> Cc: Jason Low <jason.low2@...com> >>>>>> Cc: Josh Triplett <josh@...htriplett.org> >>>>>> Cc: Konstantin Khlebnikov <khlebnikov@...dex-team.ru> >>>>>> Cc: Linus Torvalds <torvalds@...ux-foundation.org> >>>>>> Cc: Oleg Nesterov <oleg@...hat.com> >>>>>> Cc: Palmer Dabbelt <palmer@...belt.com> >>>>>> Cc: Paul Moore <pmoore@...hat.com> >>>>>> Cc: Pavel Emelyanov <xemul@...allels.com> >>>>>> Cc: Peter Zijlstra <peterz@...radead.org> >>>>>> Cc: Richard Weinberger <richard@....at> >>>>>> Cc: Sasha Levin <sasha.levin@...cle.com> >>>>>> Cc: Shuah Khan <shuahkh@....samsung.com> >>>>>> Cc: Tejun Heo <tj@...nel.org> >>>>>> Cc: Thomas Gleixner <tglx@...utronix.de> >>>>>> Cc: Vladimir Davydov <vdavydov@...allels.com> >>>>>> Cc: linux-api@...r.kernel.org >>>>>> Cc: linux-kernel@...r.kernel.org >>>>>> Signed-off-by: Andy Lutomirski <luto@...nel.org> >>>>>> --- >>>>>> include/linux/sched.h | 12 ++++++++++++ >>>>>> 1 file changed, 12 insertions(+) >>>>>> >>>>>> diff --git a/include/linux/sched.h b/include/linux/sched.h >>>>>> index 2950c5cd3005..8f03a93348b9 100644 >>>>>> --- a/include/linux/sched.h >>>>>> +++ b/include/linux/sched.h >>>>>> @@ -2576,6 +2576,18 @@ static inline int kill_cad_pid(int sig, int priv) >>>>>> */ >>>>>> static inline int on_sig_stack(unsigned long sp) >>>>>> { >>>>>> + /* >>>>>> + * If the signal stack is AUTODISARM then, by construction, we >>>>>> + * can't be on the signal stack unless user code deliberately set >>>>>> + * SS_AUTODISARM when we were already on the it. >>>>> >>>>> "on the it" -> "on it". >>>>> >>>>> Anyway, I am a bit puzzled with this patch. >>>>> You say "unless user code deliberately set >>>>> >>>>> SS_AUTODISARM when we were already on the it" >>>>> so what happens in case it actually does? >>>>> >>>> Stack corruption. Don't do that. >>> >>> Only after your change, I have to admit. :) >>> >>> >>>>> Without your patch: if user sets up the same sas - no stack switch. >>>>> if user sets up different sas - stack switch on nested signal. >>>>> >>>>> With your patch: stack switch in any case, so if user >>>>> set up same sas - stack corruption by nested signal. >>>>> >>>>> Or am I missing the intention? >>>> >>>> The intention is to make everything completely explicit. With >>>> SS_AUTODISARM, the kernel knows directly whether you're on the signal >>>> stack, and there should be no need to look at sp. If you set >>>> SS_AUTODISARM and get a signal, the signal stack gets disarmed. If >>>> you take a nested signal, it's delivered normally. When you return >>>> all the way out, the signal stack is re-armed. >>>> >>>> For DOSEMU, this means that no 16-bit register state can possibly >>>> cause a signal to be delivered wrong, because the register state when >>>> a signal is raised won't affect delivery, which seems like a good >>>> thing to me. >>> >>> Yes, but doesn't affect dosemu1 which doesn't use SS_AUTODISARM. >>> So IMHO the SS check should still be added, even if not for dosemu2. >>> >>> >>>> If this behavior would be problematic for you, can you explain why? >>> >>> Only theoretically: if someone sets SS_AUTODISARM inside a >>> sighandler. Since this doesn't give EPERM, I wouldn't deliberately >>> make it a broken scenario (esp if it wasn't before the particular change). >>> Ideally it would give EPERM, but we can't, so doesn't matter much. >>> I just wanted to warn about the possible regression. >> >> I suppose we could return an error if you are on the sigstack when >> setting SS_AUTODISARM, although I was hoping to avoid yet more special >> cases. > > Hmm. > How about extending the generic check then? > Currently it is roughly: > if (on_sig_stack(sp)) return -EPERM; > > and we could do: > if (on_sig_stack(sp) || on_new_sas(new_sas, sp)) return -EPERM; > > Looks like it will close the potential hole opened by your commit > without introducing the special case for SS_AUTODISARM. > What do you think? > It's still a wee bit ugly. Also, doesn't that change existing behavior for the existing non-AUTODISARM case? Also, we'd have to make sure that sigreturn doesn't trigger this check. My inclination would be leave it alone.
Powered by blists - more mailing lists