| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Apr 2021 13:30:43 +0200
From: Florian Weimer <fweimer@...hat.com>
To: Borislav Petkov <bp@...en8.de>
Cc: "Bae, Chang Seok" <chang.seok.bae@...el.com>,
Andy Lutomirski <luto@...nel.org>,
"Cooper, Andrew" <andrew.cooper3@...rix.com>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
"Gross, Jurgen" <jgross@...e.com>,
Stefano Stabellini <sstabellini@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...nel.org>, X86 ML <x86@...nel.org>,
"Brown, Len" <len.brown@...el.com>,
"Hansen, Dave" <dave.hansen@...el.com>,
"H. J. Lu" <hjl.tools@...il.com>,
Dave Martin <Dave.Martin@....com>,
Jann Horn <jannh@...gle.com>,
Michael Ellerman <mpe@...erman.id.au>,
Carlos O'Donell <carlos@...hat.com>,
"Luck, Tony" <tony.luck@...el.com>,
"Shankar, Ravi V" <ravi.v.shankar@...el.com>,
libc-alpha <libc-alpha@...rceware.org>,
linux-arch <linux-arch@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v7 5/6] x86/signal: Detect and prevent an alternate
signal stack overflow
* Borislav Petkov:
> On Mon, Apr 12, 2021 at 10:30:23PM +0000, Bae, Chang Seok wrote:
>> On Mar 26, 2021, at 03:30, Borislav Petkov <bp@...en8.de> wrote:
>> > On Thu, Mar 25, 2021 at 09:56:53PM -0700, Andy Lutomirski wrote:
>> >> We really ought to have a SIGSIGFAIL signal that's sent, double-fault
>> >> style, when we fail to send a signal.
>> >
>> > Yeap, we should be able to tell userspace that we couldn't send a
>> > signal, hohumm.
>>
>> Hi Boris,
>>
>> Let me clarify some details as preparing to include this in a revision.
>>
>> So, IIUC, a number needs to be assigned for this new SIGFAIL. At a glance, not
>> sure which one to pick there in signal.h -- 1-31 fully occupied and the rest
>> for 33 different real-time signals.
>>
>> Also, perhaps, force_sig(SIGFAIL) here, instead of return -1 -- to die with
>> SIGSEGV.
>
> I think this needs to be decided together with userspace people so that
> they can act accordingly and whether it even makes sense to them.
>
> Florian, any suggestions?
Is this discussion about better behavior (at least diagnostics) for
existing applications, without any code changes? Or an alternative
programming model?
Does noavx512 acutally reduce the XSAVE size to AVX2 levels? Or would
you need noxsave?
One possibility is that the sigaltstack size check prevents application
from running which work just fine today because all they do is install a
stack overflow handler, and stack overflow does not actually happen. So
if sigaltstack fails and the application checks the result of the system
call, it probably won't run at all. Shifting the diagnostic to the
pointer where the signal would have to be delivered is perhaps the only
thing that can be done.
As for SIGFAIL in particular, I don't think there are any leftover
signal numbers. It would need a prctl to assign the signal number, and
I'm not sure if there is a useful programming model because signals do
not really compose well even today. SIGFAIL adds another point where
libraries need to collaborate, and we do not have a mechanism for that.
(This is about what Rich Felker termed “library-safe code”, proper
maintenance of process-wide resources such as the current directory.)
Thanks,
Florian
Powered by blists - more mailing lists