Message-ID: <381e3dc3-350c-c373-bc45-8dafd72ec011@csgroup.eu>
Date: Fri, 4 Feb 2022 11:00:32 +0000
From: Christophe Leroy <christophe.leroy@...roup.eu>
To: Michael Ellerman <mpe@...erman.id.au>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linuxppc-dev@...ts.ozlabs.org" <linuxppc-dev@...ts.ozlabs.org>,
Tulio Magno Quites Machado Filho <tuliom@...ux.ibm.com>
Subject: Re: [PATCH 1/2] powerpc/signal: Fix handling of SA_RESTORER sigaction
flag
On 04/02/2022 at 11:22, Michael Ellerman wrote:
> Christophe Leroy <christophe.leroy@...roup.eu> writes:
>> powerpc advertises support of SA_RESTORER sigaction flag.
>>
>> Make it the truth.
>>
>> Cc: stable@...r.kernel.org
>> Signed-off-by: Christophe Leroy <christophe.leroy@...roup.eu>
>> ---
>> arch/powerpc/kernel/signal_32.c | 8 ++++++--
>> arch/powerpc/kernel/signal_64.c | 4 +++-
>> 2 files changed, 9 insertions(+), 3 deletions(-)
>
> Hi Christophe,
>
> I dug into the history a bit on this.
>
> The 32-bit port originally did not define SA_RESTORER in
> include/asm-ppc/signal.h, but it was added in 2.1.79.
>
> https://github.com/mpe/linux-fullhistory/commit/4e7e9c0d54ff5725a73d2210a950f8bc0f225073
>
> That commit added SA_RESTORER to the header, added code to get/set it in
> sys_sigaction(), but didn't add any code to use it for signal delivery.
>
>
> The 64-bit port was merged with SA_RESTORER already defined in
> include/asm-ppc64/signal.h:
>
> https://github.com/mpe/linux-fullhistory/commit/c3aa9878533e724f639852c3d951e6a169e04081
>
> Similarly there was code to set/get it in sys_sigaction(), but no code
> to use it for signal delivery.
>
>
> Later the two ports were merged, and the headers were moved and
> disintegrated into uapi, so we end up today with SA_RESTORER defined in
> arch/powerpc/include/uapi/asm/signal.h, but no code to use it.
>
> So essentially we've had SA_RESTORER defined since ancient kernels, but
> never actually supported using it for anything.
>
>
> One problem with enabling it now is there's no way for userspace to
> determine if it's on a fixed kernel or not. That makes it unusable for
> userspace, unless it does version checks, or is happy to break on all
> old kernels (not likely). We could solve that by defining
> SA_RESTORER_FIXED or something, but that's slightly gross.
>
> It's also described in the man page as "Not intended for application
> use", ie. it's intended for use by libc. I'm not sure there's any value
> in adding support for it to the kernel unless we know there's interest
> from glibc/musl in using it.
>
> So my inclination is that we should *not* add support for it, rather we
> should leave it unimplemented and remove SA_RESTORER from the header.
> There's precedent in riscv for not supporting it at all.
>
Nowadays, stacks are mapped noexec, so the fallback stack trampoline
cannot work anymore. If a process doesn't want an exec stack and doesn't
want to map the VDSO, SA_RESTORER is the only alternative to get
signals working.

On several architectures, including arm64 and s390, only VDSO and
SA_RESTORER are supported; the on-stack signal trampoline is not supported
anymore.

So my idea was to first implement SA_RESTORER and then, as a second step,
to retire the on-stack signal trampoline, which has become useless with
noexec stacks.

See
https://elixir.bootlin.com/linux/v5.17-rc1/source/arch/arm64/kernel/signal.c#L761
or
https://elixir.bootlin.com/linux/v5.17-rc1/source/arch/s390/kernel/signal.c#L337

Christophe
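
To see which of the mechanisms discussed in this thread (vDSO, libc-supplied restorer, or on-stack trampoline) a given Linux system actually uses, a process can record the address its signal handler returns to and look that address up in /proc/self/maps. This is an added example, not code from the thread or from the kernel; the names `find_mapping` and `locate_trampoline` are hypothetical, and it assumes GCC/Clang (`__builtin_return_address`) and a mounted /proc.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Set by the handler: the address it will return to, i.e. the trampoline. */
static volatile unsigned long tramp_addr;

static void handler(int sig)
{
    (void)sig;
    tramp_addr = (unsigned long)__builtin_return_address(0);
}

/* Find the /proc/self/maps entry containing addr; 0 on success, -1 if none. */
static int find_mapping(unsigned long addr, char perms[5], char *name, size_t n)
{
    char line[512];
    int rc = -1;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    while (rc != 0 && fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5] = "", path[256] = "";
        if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %255[^\n]",
                   &lo, &hi, p, path) < 3 || addr < lo || addr >= hi)
            continue;
        memcpy(perms, p, sizeof p);
        snprintf(name, n, "%s", path[0] ? path : "[anon]");
        rc = 0;
    }
    fclose(f);
    return rc;
}

/* Deliver one signal to ourselves and report where its return trampoline lives. */
int locate_trampoline(char perms[5], char *name, size_t n)
{
    struct sigaction sa = { .sa_handler = handler };
    if (sigaction(SIGUSR1, &sa, NULL) != 0 || raise(SIGUSR1) != 0) return -1;
    return find_mapping(tramp_addr, perms, name, n);
}

int main(void)
{
    char perms[5], name[256];
    if (locate_trampoline(perms, name, sizeof name) != 0) return 1;
    printf("sigreturn trampoline: %s (%s)\n", name, perms);
    return 0;
}
```

A result of `[vdso]` means the kernel's vDSO trampoline is in use, a libc path means the C library installed its own restorer, and `[stack]` would indicate the on-stack trampoline, which requires an executable stack.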