| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALCETrXQZuvJQrHDMst6PPgtJxaS_sPk2JhwMiMDNPunq45YFg@mail.gmail.com>
Date: Thu, 25 Mar 2021 21:56:53 -0700
From: Andy Lutomirski <luto@...nel.org>
To: Borislav Petkov <bp@...e.de>
Cc: Andy Lutomirski <luto@...nel.org>,
"Chang S. Bae" <chang.seok.bae@...el.com>,
Andrew Cooper <andrew.cooper3@...rix.com>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Juergen Gross <jgross@...e.com>,
Stefano Stabellini <sstabellini@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...nel.org>, X86 ML <x86@...nel.org>,
Len Brown <len.brown@...el.com>,
Dave Hansen <dave.hansen@...el.com>,
"H. J. Lu" <hjl.tools@...il.com>,
Dave Martin <Dave.Martin@....com>,
Jann Horn <jannh@...gle.com>,
Michael Ellerman <mpe@...erman.id.au>,
"Carlos O'Donell" <carlos@...hat.com>,
Tony Luck <tony.luck@...el.com>,
"Ravi V. Shankar" <ravi.v.shankar@...el.com>,
libc-alpha <libc-alpha@...rceware.org>,
linux-arch <linux-arch@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v7 5/6] x86/signal: Detect and prevent an alternate signal
stack overflow
On Thu, Mar 25, 2021 at 11:54 AM Borislav Petkov <bp@...e.de> wrote:
>
> On Thu, Mar 25, 2021 at 11:13:12AM -0700, Andy Lutomirski wrote:
> > diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
> > index ea794a083c44..53781324a2d3 100644
> > --- a/arch/x86/kernel/signal.c
> > +++ b/arch/x86/kernel/signal.c
> > @@ -237,7 +237,8 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
> > unsigned long math_size = 0;
> > unsigned long sp = regs->sp;
> > unsigned long buf_fx = 0;
> > - int onsigstack = on_sig_stack(sp);
> > + bool already_onsigstack = on_sig_stack(sp);
> > + bool entering_altstack = false;
> > int ret;
> >
> > /* redzone */
> > @@ -246,15 +247,25 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
> >
> > /* This is the X/Open sanctioned signal stack switching. */
> > if (ka->sa.sa_flags & SA_ONSTACK) {
> > - if (sas_ss_flags(sp) == 0)
> > + /*
> > + * This checks already_onsigstack via sas_ss_flags().
> > + * Sensible programs use SS_AUTODISARM, which disables
> > + * that check, and programs that don't use
> > + * SS_AUTODISARM get compatible but potentially
> > + * bizarre behavior.
> > + */
> > + if (sas_ss_flags(sp) == 0) {
> > sp = current->sas_ss_sp + current->sas_ss_size;
> > + entering_altstack = true;
> > + }
> > } else if (IS_ENABLED(CONFIG_X86_32) &&
> > - !onsigstack &&
> > + !already_onsigstack &&
> > regs->ss != __USER_DS &&
> > !(ka->sa.sa_flags & SA_RESTORER) &&
> > ka->sa.sa_restorer) {
> > /* This is the legacy signal stack switching. */
> > sp = (unsigned long) ka->sa.sa_restorer;
> > + entering_altstack = true;
> > }
>
> What a mess this whole signal handling is. I need a course in signal
> handling to understand what's going on here...
>
> >
> > sp = fpu__alloc_mathframe(sp, IS_ENABLED(CONFIG_X86_32),
> > @@ -267,8 +278,16 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, size_t frame_size,
> > * If we are on the alternate signal stack and would overflow it, don't.
> > * Return an always-bogus address instead so we will die with SIGSEGV.
> > */
> > - if (onsigstack && !likely(on_sig_stack(sp)))
> > + if (unlikely(entering_altstack &&
> > + (sp <= current->sas_ss_sp ||
> > + sp - current->sas_ss_sp > current->sas_ss_size))) {
>
> You could've simply done
>
> if (unlikely(entering_altstack && !on_sig_stack(sp)))
>
> here.
Nope. on_sig_stack() is a horrible kludge and won't work here. We
could have something like __on_sig_stack() or sp_is_on_sig_stack() or
something, though.
>
>
> > + if (show_unhandled_signals && printk_ratelimit()) {
> > + pr_info("%s[%d] overflowed sigaltstack",
> > + tsk->comm, task_pid_nr(tsk));
> > + }
>
> Why do you even wanna issue that? It looks like callers will propagate
> an error value up and people don't look at dmesg all the time.
I figure that the people whose programs spontaneously crash should get
a hint why if they look at dmesg. Maybe the message should say
"overflowed sigaltstack -- try noavx512"?
We really ought to have a SIGSIGFAIL signal that's sent, double-fault
style, when we fail to send a signal.
Powered by blists - more mailing lists