lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCETrXQZuvJQrHDMst6PPgtJxaS_sPk2JhwMiMDNPunq45YFg@mail.gmail.com>
Date:   Thu, 25 Mar 2021 21:56:53 -0700
From:   Andy Lutomirski <luto@...nel.org>
To:     Borislav Petkov <bp@...e.de>
Cc:     Andy Lutomirski <luto@...nel.org>,
        "Chang S. Bae" <chang.seok.bae@...el.com>,
        Andrew Cooper <andrew.cooper3@...rix.com>,
        Boris Ostrovsky <boris.ostrovsky@...cle.com>,
        Juergen Gross <jgross@...e.com>,
        Stefano Stabellini <sstabellini@...nel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...nel.org>, X86 ML <x86@...nel.org>,
        Len Brown <len.brown@...el.com>,
        Dave Hansen <dave.hansen@...el.com>,
        "H. J. Lu" <hjl.tools@...il.com>,
        Dave Martin <Dave.Martin@....com>,
        Jann Horn <jannh@...gle.com>,
        Michael Ellerman <mpe@...erman.id.au>,
        "Carlos O'Donell" <carlos@...hat.com>,
        Tony Luck <tony.luck@...el.com>,
        "Ravi V. Shankar" <ravi.v.shankar@...el.com>,
        libc-alpha <libc-alpha@...rceware.org>,
        linux-arch <linux-arch@...r.kernel.org>,
        Linux API <linux-api@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v7 5/6] x86/signal: Detect and prevent an alternate signal
 stack overflow

On Thu, Mar 25, 2021 at 11:54 AM Borislav Petkov <bp@...e.de> wrote:
>
> On Thu, Mar 25, 2021 at 11:13:12AM -0700, Andy Lutomirski wrote:
> > diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
> > index ea794a083c44..53781324a2d3 100644
> > --- a/arch/x86/kernel/signal.c
> > +++ b/arch/x86/kernel/signal.c
> > @@ -237,7 +237,8 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
> >       unsigned long math_size = 0;
> >       unsigned long sp = regs->sp;
> >       unsigned long buf_fx = 0;
> > -     int onsigstack = on_sig_stack(sp);
> > +     bool already_onsigstack = on_sig_stack(sp);
> > +     bool entering_altstack = false;
> >       int ret;
> >
> >       /* redzone */
> > @@ -246,15 +247,25 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
> >
> >       /* This is the X/Open sanctioned signal stack switching.  */
> >       if (ka->sa.sa_flags & SA_ONSTACK) {
> > -             if (sas_ss_flags(sp) == 0)
> > +             /*
> > +              * This checks already_onsigstack via sas_ss_flags().
> > +              * Sensible programs use SS_AUTODISARM, which disables
> > +              * that check, and programs that don't use
> > +              * SS_AUTODISARM get compatible but potentially
> > +              * bizarre behavior.
> > +              */
> > +             if (sas_ss_flags(sp) == 0) {
> >                       sp = current->sas_ss_sp + current->sas_ss_size;
> > +                     entering_altstack = true;
> > +             }
> >       } else if (IS_ENABLED(CONFIG_X86_32) &&
> > -                !onsigstack &&
> > +                !already_onsigstack &&
> >                  regs->ss != __USER_DS &&
> >                  !(ka->sa.sa_flags & SA_RESTORER) &&
> >                  ka->sa.sa_restorer) {
> >               /* This is the legacy signal stack switching. */
> >               sp = (unsigned long) ka->sa.sa_restorer;
> > +             entering_altstack = true;
> >       }
>
> What a mess this whole signal handling is. I need a course in signal
> handling to understand what's going on here...
>
> >
> >       sp = fpu__alloc_mathframe(sp, IS_ENABLED(CONFIG_X86_32),
> > @@ -267,8 +278,16 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
> >        * If we are on the alternate signal stack and would overflow it, don't.
> >        * Return an always-bogus address instead so we will die with SIGSEGV.
> >        */
> > -     if (onsigstack && !likely(on_sig_stack(sp)))
> > +     if (unlikely(entering_altstack &&
> > +                  (sp <= current->sas_ss_sp ||
> > +                   sp - current->sas_ss_sp > current->sas_ss_size))) {
>
> You could've simply done
>
>         if (unlikely(entering_altstack && !on_sig_stack(sp)))
>
> here.

Nope.  on_sig_stack() is a horrible kludge and won't work here.  We
could have something like __on_sig_stack() or sp_is_on_sig_stack() or
something, though.

>
>
> > +             if (show_unhandled_signals && printk_ratelimit()) {
> > +                     pr_info("%s[%d] overflowed sigaltstack",
> > +                             tsk->comm, task_pid_nr(tsk));
> > +             }
>
> Why do you even wanna issue that? It looks like callers will propagate
> an error value up and people don't look at dmesg all the time.

I figure that the people whose programs spontaneously crash should get
a hint why if they look at dmesg.  Maybe the message should say
"overflowed sigaltstack -- try noavx512"?

We really ought to have a SIGSIGFAIL signal that's sent, double-fault
style, when we fail to send a signal.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ