| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AA7AD300-2D6D-4D97-A8A5-B77B3F0537DD@intel.com>
Date: Thu, 25 Mar 2021 21:11:56 +0000
From: "Bae, Chang Seok" <chang.seok.bae@...el.com>
To: Borislav Petkov <bp@...e.de>
CC: Andy Lutomirski <luto@...nel.org>,
"Cooper, Andrew" <andrew.cooper3@...rix.com>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
"Gross, Jurgen" <jgross@...e.com>,
Stefano Stabellini <sstabellini@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...nel.org>, X86 ML <x86@...nel.org>,
"Brown, Len" <len.brown@...el.com>,
"Hansen, Dave" <dave.hansen@...el.com>,
"H. J. Lu" <hjl.tools@...il.com>,
Dave Martin <Dave.Martin@....com>,
Jann Horn <jannh@...gle.com>,
Michael Ellerman <mpe@...erman.id.au>,
Carlos O'Donell <carlos@...hat.com>,
"Luck, Tony" <tony.luck@...el.com>,
"Shankar, Ravi V" <ravi.v.shankar@...el.com>,
libc-alpha <libc-alpha@...rceware.org>,
linux-arch <linux-arch@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v7 5/6] x86/signal: Detect and prevent an alternate signal
stack overflow
On Mar 25, 2021, at 11:54, Borislav Petkov <bp@...e.de> wrote:
> On Thu, Mar 25, 2021 at 11:13:12AM -0700, Andy Lutomirski wrote:
>> diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
>> index ea794a083c44..53781324a2d3 100644
>> --- a/arch/x86/kernel/signal.c
>> +++ b/arch/x86/kernel/signal.c
>> @@ -237,7 +237,8 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
>> unsigned long math_size = 0;
>> unsigned long sp = regs->sp;
>> unsigned long buf_fx = 0;
>> - int onsigstack = on_sig_stack(sp);
>> + bool already_onsigstack = on_sig_stack(sp);
>> + bool entering_altstack = false;
>> int ret;
>>
>> /* redzone */
>> @@ -246,15 +247,25 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
>>
>> /* This is the X/Open sanctioned signal stack switching. */
>> if (ka->sa.sa_flags & SA_ONSTACK) {
>> - if (sas_ss_flags(sp) == 0)
>> + /*
>> + * This checks already_onsigstack via sas_ss_flags().
>> + * Sensible programs use SS_AUTODISARM, which disables
>> + * that check, and programs that don't use
>> + * SS_AUTODISARM get compatible but potentially
>> + * bizarre behavior.
>> + */
>> + if (sas_ss_flags(sp) == 0) {
>> sp = current->sas_ss_sp + current->sas_ss_size;
>> + entering_altstack = true;
>> + }
>> } else if (IS_ENABLED(CONFIG_X86_32) &&
>> - !onsigstack &&
>> + !already_onsigstack &&
>> regs->ss != __USER_DS &&
>> !(ka->sa.sa_flags & SA_RESTORER) &&
>> ka->sa.sa_restorer) {
>> /* This is the legacy signal stack switching. */
>> sp = (unsigned long) ka->sa.sa_restorer;
>> + entering_altstack = true;
>> }
>
> What a mess this whole signal handling is. I need a course in signal
> handling to understand what's going on here...
>
>>
>> sp = fpu__alloc_mathframe(sp, IS_ENABLED(CONFIG_X86_32),
>> @@ -267,8 +278,16 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
>> * If we are on the alternate signal stack and would overflow it, don't.
>> * Return an always-bogus address instead so we will die with SIGSEGV.
>> */
>> - if (onsigstack && !likely(on_sig_stack(sp)))
>> + if (unlikely(entering_altstack &&
>> + (sp <= current->sas_ss_sp ||
>> + sp - current->sas_ss_sp > current->sas_ss_size))) {
>
> You could've simply done
>
> if (unlikely(entering_altstack && !on_sig_stack(sp)))
>
> here.
But if sigaltstack()’ed with the SS_AUTODISARM flag, both on_sig_stack() and
sas_ss_flags() return 0 [1]. Then, segfault always here. v5 had the exact
issue before [2].
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/sched/signal.h#n576
[2] https://lore.kernel.org/lkml/CALCETrXuFrHUU-L=HMofTgEDZk9muPnVtK=EjsTHqQ01XhbRYg@mail.gmail.com/
Thanks,
Chang
Powered by blists - more mailing lists