lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 24 Nov 2020 21:47:47 +0100
From:   Jann Horn <jannh@...gle.com>
To:     "Bae, Chang Seok" <chang.seok.bae@...el.com>
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...nel.org>, Borislav Petkov <bp@...e.de>,
        Andy Lutomirski <luto@...nel.org>,
        "the arch/x86 maintainers" <x86@...nel.org>,
        "Brown, Len" <len.brown@...el.com>,
        "Hansen, Dave" <dave.hansen@...el.com>,
        "H.J. Lu" <hjl.tools@...il.com>, Dave Martin <Dave.Martin@....com>,
        Michael Ellerman <mpe@...erman.id.au>,
        "Luck, Tony" <tony.luck@...el.com>,
        "Shankar, Ravi V" <ravi.v.shankar@...el.com>,
        "libc-alpha@...rceware.org" <libc-alpha@...rceware.org>,
        linux-arch <linux-arch@...r.kernel.org>,
        Linux API <linux-api@...r.kernel.org>,
        kernel list <linux-kernel@...r.kernel.org>,
        Hiroshi Shimamoto <h-shimamoto@...jp.nec.com>
Subject: Re: [PATCH v2 3/4] x86/signal: Prevent an alternate stack overflow
 before a signal delivery

On Tue, Nov 24, 2020 at 9:43 PM Bae, Chang Seok
<chang.seok.bae@...el.com> wrote:
> > On Nov 24, 2020, at 10:41, Jann Horn <jannh@...gle.com> wrote:
> > On Tue, Nov 24, 2020 at 7:22 PM Bae, Chang Seok
> > <chang.seok.bae@...el.com> wrote:
> >>> On Nov 20, 2020, at 15:04, Jann Horn <jannh@...gle.com> wrote:
> >>> On Thu, Nov 19, 2020 at 8:40 PM Chang S. Bae <chang.seok.bae@...el.com> wrote:
> >>>>
> >>>> diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
> >>>> index ee6f1ceaa7a2..cee41d684dc2 100644
> >>>> --- a/arch/x86/kernel/signal.c
> >>>> +++ b/arch/x86/kernel/signal.c
> >>>> @@ -251,8 +251,13 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
> >>>>
> >>>>       /* This is the X/Open sanctioned signal stack switching.  */
> >>>>       if (ka->sa.sa_flags & SA_ONSTACK) {
> >>>> -               if (sas_ss_flags(sp) == 0)
> >>>> +               if (sas_ss_flags(sp) == 0) {
> >>>> +                       /* If the altstack might overflow, die with SIGSEGV: */
> >>>> +                       if (!altstack_size_ok(current))
> >>>> +                               return (void __user *)-1L;
> >>>> +
> >>>>                       sp = current->sas_ss_sp + current->sas_ss_size;
> >>>> +               }
> >>>
> >>> A couple lines further down, we have this (since commit 14fc9fbc700d):
> >>>
> >>>       /*
> >>>        * If we are on the alternate signal stack and would overflow it, don't.
> >>>        * Return an always-bogus address instead so we will die with SIGSEGV.
> >>>        */
> >>>       if (onsigstack && !likely(on_sig_stack(sp)))
> >>>               return (void __user *)-1L;
> >>>
> >>> Is that not working?
> >>
> >> onsigstack is set at the beginning here. If a signal hits under normal stack,
> >> this flag is not set. Then it will miss the overflow.
> >>
> >> The added check allows to detect the sigaltstack overflow (always).
> >
> > Ah, I think I understand what you're trying to do. But wouldn't the
> > better approach be to ensure that the existing on_sig_stack() check is
> > also used if we just switched to the signal stack? Something like:
> >
> > diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
> > index be0d7d4152ec..2f57842fb4d6 100644
> > --- a/arch/x86/kernel/signal.c
> > +++ b/arch/x86/kernel/signal.c
> > @@ -237,7 +237,7 @@ get_sigframe(struct k_sigaction *ka, struct
> > pt_regs *regs, size_t frame_size,
> >        unsigned long math_size = 0;
> >        unsigned long sp = regs->sp;
> >        unsigned long buf_fx = 0;
> > -       int onsigstack = on_sig_stack(sp);
> > +       bool onsigstack = on_sig_stack(sp);
> >        int ret;
> >
> >        /* redzone */
> > @@ -246,8 +246,10 @@ get_sigframe(struct k_sigaction *ka, struct
> > pt_regs *regs, size_t frame_size,
> >
> >        /* This is the X/Open sanctioned signal stack switching.  */
> >        if (ka->sa.sa_flags & SA_ONSTACK) {
> > -               if (sas_ss_flags(sp) == 0)
> > +               if (sas_ss_flags(sp) == 0) {
> >                        sp = current->sas_ss_sp + current->sas_ss_size;
> > +                       onsigstack = true;
> > +               }
> >        } else if (IS_ENABLED(CONFIG_X86_32) &&
> >                   !onsigstack &&
> >                   regs->ss != __USER_DS &&
>
> Yeah, but wouldn't it better to avoid overwriting user data if we can? The old
> check raises segfault *after* overwritten.

Where is that overwrite happening? Between the point where your check
happens, and the point where the old check is, the only calls are to
fpu__alloc_mathframe() and align_sigframe(), right?
fpu__alloc_mathframe() just does some size calculations and doesn't
write anything. align_sigframe() also just does size calculations. Am
I missing something?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ