| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <16A53D65-2460-49B3-892B-81EF8D7B12B9@intel.com>
Date: Tue, 16 Mar 2021 18:26:46 +0000
From: "Bae, Chang Seok" <chang.seok.bae@...el.com>
To: Borislav Petkov <bp@...e.de>
CC: Thomas Gleixner <tglx@...utronix.de>,
"mingo@...nel.org" <mingo@...nel.org>,
"luto@...nel.org" <luto@...nel.org>,
"x86@...nel.org" <x86@...nel.org>,
"Brown, Len" <len.brown@...el.com>,
"Hansen, Dave" <dave.hansen@...el.com>,
"hjl.tools@...il.com" <hjl.tools@...il.com>,
"Dave.Martin@....com" <Dave.Martin@....com>,
"jannh@...gle.com" <jannh@...gle.com>,
"mpe@...erman.id.au" <mpe@...erman.id.au>,
"carlos@...hat.com" <carlos@...hat.com>,
"Luck, Tony" <tony.luck@...el.com>,
"Shankar, Ravi V" <ravi.v.shankar@...el.com>,
"libc-alpha@...rceware.org" <libc-alpha@...rceware.org>,
"linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>,
"linux-api@...r.kernel.org" <linux-api@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v7 5/6] x86/signal: Detect and prevent an alternate signal
stack overflow
On Mar 16, 2021, at 04:52, Borislav Petkov <bp@...e.de> wrote:
> On Mon, Mar 15, 2021 at 11:52:14PM -0700, Chang S. Bae wrote:
>> @@ -272,7 +275,8 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
>> * If we are on the alternate signal stack and would overflow it, don't.
>> * Return an always-bogus address instead so we will die with SIGSEGV.
>> */
>> - if (onsigstack && !likely(on_sig_stack(sp)))
>> + if (onsigstack && unlikely(sp <= current->sas_ss_sp ||
>> + sp - current->sas_ss_sp > current->sas_ss_size))
>> return (void __user *)-1L;
>
> So clearly I'm missing something because trying to trigger the test case
> in the bugzilla:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=153531
>
> on current tip/master doesn't work. Runs with MY_MINSIGSTKSZ under 2048
> fail with:
>
> tst-minsigstksz-2: sigaltstack: Cannot allocate memory
>
> and above 2048 don't overwrite bytes below the stack.
>
> So something else is missing. How did you test this patch?
I suspect the AVX-512 states not enabled there.
When I ran it under a machine without AVX-512 like this, it didn’t show the
overwrite message:
$ cat /proc/cpuinfo | grep -m1 "model name”
model name : Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz
$ sudo dmesg | grep "Enabled xstate”
[ 0.000000] x86/fpu: Enabled xstate features 0x1f, context size is 960
bytes, using ‘compacted’ format.
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=2047
$ ./a.out
a.out: sigaltstack: Cannot allocate memory
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=2048
$ ./a.out
When do it again with AVX-512, it did show the message:
$ cat /proc/cpuinfo | grep -m1 "model name”
model name : Intel(R) Core(TM) i9-7940X CPU @ 3.10GHz
$ sudo dmesg | grep "Enabled xstate”
[ 0.000000] x86/fpu: Enabled xstate features 0xff, context size is 2560
bytes, using 'compacted' format.
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=2048
$ ./a.out
a.out: changed byte 1412 bytes below configured stack
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3490
$ ./a.out
a.out: changed byte 21 bytes below configured stack
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3491
$ ./a.out
Also, on the second machine, without this patch:
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3191
$ ./a.out
a.out: changed byte 319 bytes below configured stack
But with this patch, it gave segfault with a too-small size:
$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3191
$ ./a.out
Segmentation fault (core dumped)
Thanks,
Chang
Powered by blists - more mailing lists