From: Adhemerval Zanella via Libc-alpha <libc-alpha@sourceware.org>
To: Florian Weimer <fweimer@redhat.com>
Cc: Adhemerval Zanella via Libc-alpha <libc-alpha@sourceware.org>
Subject: Re: [PATCH v7 1/4] support: Add support_stack_alloc
Date: Wed, 7 Jul 2021 14:26:35 -0300
Message-ID: <75c75184-e799-bf89-e3fc-49a48f150591@linaro.org>
In-Reply-To: <87eeca2ggn.fsf@oldenburg.str.redhat.com>

On 07/07/2021 14:15, Florian Weimer wrote:
> * Adhemerval Zanella:
>
>> On 07/07/2021 07:17, Florian Weimer wrote:
>>> * Adhemerval Zanella via Libc-alpha:
>>>
>>>> The code to allocate a stack from xsigstack is refactored so it can
>>>> be more generic. The new support_stack_alloc() also sets PROT_EXEC
>>>> if DEFAULT_STACK_PERMS has PF_X. This is required on some
>>>> architectures (hppa for instance) and trying to access the rtld
>>>> global from testsuite will require more intrusive refactoring
>>>> in the ldsodefs.h header.
>>>
>>> DEFAULT_STACK_PERMS is misnamed, it's really HISTORIC_STACK_PERMS.
>>> All architectures override it to RW permissions in the toolchain
>>> (maybe with the exception of Hurd, which uses trampolines for nested
>>> functions).
>>
>> These are in fact two different requirements; this gnulib thread gives
>> a nice summary about the permission required from trampolines [1].
>> Another requirement is how Linux lays out the signal return code for the
>> signal handler stack. It seems that hppa still requires executable
>> stacks, since tst-xsigstack does fail without an executable stack even
>> on a recent 5.10.46-1 kernel.
>
> Ugh, okay.
>
>>> I have a cstack_allocate version that handles this. It can only be done
>>> from within glibc proper because we do not export the stack execution
>>> status directly. But I think it's out of scope for glibc 2.34 by now.
>>
>> We can in theory access the ldsodefs.h fields directly and then
>> use GL (dl_stack_flags) information to set the stack executable or not.
>> The problem is ldsodefs.h is quite convoluted and it would require more
>> refactoring to use outside libc.so code. But I agree with you that
>> having a less hacky way to obtain this information is better.
>>
>> So are you ok with the current approach or being conservative and use
>> DEFAULT_STACK_PERMS on libsupport?
>
> DEFAULT_STACK_PERMS with a comment is fine.

I have added:

  /* Some architectures still require an executable stack for the signal
     return trampoline, although PF_X could be overridden if PT_GNU_STACK
     is present.  However, since glibc does not export such information
     with a proper ABI, it uses the historical permissions.  */

>
> I will resubmit my cstack_allocate patches for glibc 2.35 patches, and
> they will fully handle executable stacks.

I think once we get cstack_allocate we might use it on 'support_stack_alloc'
instead.

>
>>>> + /* The guard bands need to be large enough to intercept offset
>>>> + accesses from a stack address that might otherwise hit another
>>>> + mapping. Make them at least twice as big as the stack itself, to
>>>> + defend against an offset by the entire size of a large
>>>> + stack-allocated array. The minimum is 1MiB, which is arbitrarily
>>>> + chosen to be larger than any "typical" wild pointer offset.
>>>> + Again, no matter what the number is, round it up to a whole
>>>> + number of pages. */
>>>> + size_t guardsize = roundup (MAX (2 * stacksize, 1024 * 1024), pagesize);
>>>> + size_t alloc_size = guardsize + stacksize + guardsize;
>>>> + /* Use MAP_NORESERVE so that RAM will not be wasted on the guard
>>>> + bands; touch all the pages of the actual stack before returning,
>>>> + so we know they are allocated. */
>>>> + void *alloc_base = xmmap (0,
>>>> + alloc_size,
>>>> + PROT_NONE,
>>>> + MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE|MAP_STACK,
>>>> + -1);
>>>> + /* PF_X can be overridden if PT_GNU_STACK is present. */
>>>> + int prot = PROT_READ | PROT_WRITE
>>>> + | (DEFAULT_STACK_PERMS & PF_X ? PROT_EXEC : 0);
>>>> + xmprotect (alloc_base + guardsize, stacksize, prot);
>>>> + memset (alloc_base + guardsize, 0xA5, stacksize);
>>>> + return (struct support_stack) { alloc_base + guardsize, stacksize, guardsize };
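Review bot: the size arithmetic on the guardsize and alloc_size lines is unchecked: 2 * stacksize and guardsize + stacksize + guardsize are evaluated in size_t, so a sufficiently large stacksize wraps, xmmap maps less than intended, and the following xmprotect and memset at alloc_base + guardsize then operate on a range the mapping does not cover. Rejecting a stacksize for which these expressions would overflow, before guardsize is computed, would close this. The one-line comment above prot also does not say why the compile-time DEFAULT_STACK_PERMS is used rather than the runtime PT_GNU_STACK state; a sentence explaining that would help the next reader.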
>>>
>>> This doesn't handle different stack growth directions.
>>>
>>
>> At least for the usages of the routine it does not require any adjustment:
>> xsigaltstack and xclone will handle it. I saw no regression for
>> tst-xsigaltstack and tst-clone_range.
>
> Huh, I would expect the guard area to be outside of the stack region
> returned by stack allocation. That's how the cstack_allocate API does
> it. If the current tests expect something else, then the approach in
> the patch is okay (with a comment for DEFAULT_STACK_PERMS).

It seems that at least for hppa, sigaltstack already handles it. For clone(),
xclone does the adjustment explicitly.
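
The PT_GNU_STACK override discussed in this message, as an added example that is not part of the original message or of the glibc patch: on Linux, code outside libc.so can read the main program's own program headers through getauxval (AT_PHDR) and derive the stack protection from PT_GNU_STACK, falling back to a historic default only when the header is absent. It looks at the main program only, so it approximates rather than reproduces glibc's internal dl_stack_flags; the function names and the historic_perms parameter are assumptions.

```c
#include <elf.h>
#include <link.h>
#include <stdio.h>
#include <sys/auxv.h>
#include <sys/mman.h>

/* Return the p_flags of the main program's PT_GNU_STACK header, or -1 if
   the program has none.  AT_PHDR/AT_PHNUM are supplied by the Linux kernel.  */
static long
main_gnu_stack_flags (void)
{
  const ElfW(Phdr) *phdr = (const ElfW(Phdr) *) getauxval (AT_PHDR);
  unsigned long phnum = getauxval (AT_PHNUM);

  if (phdr == NULL)
    return -1;
  for (unsigned long i = 0; i < phnum; i++)
    if (phdr[i].p_type == PT_GNU_STACK)
      return (long) phdr[i].p_flags;
  return -1;
}

/* Protection for a separately allocated stack.  gnu_stack_flags is the
   value returned above; historic_perms (an assumed parameter standing in
   for glibc's internal DEFAULT_STACK_PERMS) applies only when the header
   is absent.  The stack is always readable and writable.  */
static int
stack_prot (long gnu_stack_flags, unsigned int historic_perms)
{
  unsigned int pf = gnu_stack_flags >= 0
                    ? (unsigned int) gnu_stack_flags : historic_perms;
  return PROT_READ | PROT_WRITE | ((pf & PF_X) ? PROT_EXEC : 0);
}

int
main (void)
{
  long flags = main_gnu_stack_flags ();
  /* Constructed stand-in for an architecture whose historic default
     includes PF_X.  */
  unsigned int historic = PF_R | PF_W | PF_X;
  int prot = stack_prot (flags, historic);

  printf ("PT_GNU_STACK: %s\n", flags < 0 ? "absent" : "present");
  printf ("stack would be mapped %sexecutable\n",
          (prot & PROT_EXEC) ? "" : "non-");
  return 0;
}
```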