From: Adhemerval Zanella via Libc-alpha
To: Florian Weimer
Subject: Re: [PATCH v7 1/4] support: Add support_stack_alloc
Date: Wed, 7 Jul 2021 14:26:35 -0300
Message-ID: <75c75184-e799-bf89-e3fc-49a48f150591@linaro.org>
List-Id: Libc-alpha mailing list

On 07/07/2021 14:15, Florian Weimer wrote:
> * Adhemerval Zanella:
>
>> On 07/07/2021 07:17, Florian Weimer wrote:
>>> * Adhemerval Zanella via Libc-alpha:
>>>
>>>> The code to allocate a stack from xsigstack is refactored so it can
>>>> be more generic. The new support_stack_alloc() also set PROT_EXEC
>>>> if DEFAULT_STACK_PERMS has PF_X. This is required on some
>>>> architectures (hppa for instance) and trying to access the rtld
>>>> global from testsuite will require more intrusive refactoring
>>>> in the ldsodefs.h header.
>>>
>>> DEFAULT_STACK_PERMS is misnamed, it's really HISTORIC_STACK_PERMS.
>>> All architectures override it to RW permissions in the toolchain
>>> (maybe with the exception of Hurd, which uses trampolines for nested
>>> functions).
>>
>> This is in fact two different requirements, this gnulib thread gives
>> a nice summary about the permission required from trampolines [1].
>> Another requirement is how Linux layout the signal return code for the
>> signal handler stack. It seems that hppa still requires executable
>> stacks, since tst-xsigstack does fail without an executable stack even
>> on a recent 5.10.46-1 kernel.
>
> Ugh, okay.
>
>>> I have a cstack_allocate version that handles this. It can only be done
>>> from within glibc proper because we do not export the stack execution
>>> status directly. But I think it's out of scope for glibc 2.34 by now.
>>
>> We can in theory access the ldsodefs.h fields directly and then
>> use GL (dl_stack_flags) information to set the stack executable or not.
>> The problem is ldsodefs.h is quite convoluted and it would require more
>> refactoring to use outside libc.so code. But I agree with you that
>> having less hacky way to obtain this information is better.
>>
>> So are you ok with the current approach or being conservative and use
>> DEFAULT_STACK_PERMS on libsupport?
>
> DEFAULT_STACK_PERMS with a comment is fine.

I have added:

  /* Some architectures still require executable stack for the signal return
     trampoline, although PF_X could be overridden if PT_GNU_STACK is present.
     However, since glibc does not export such information with a proper
     ABI, it uses the historical permissions.  */

>
> I will resubmit my cstack_allocate patches for glibc 2.35 patches, and
> they will fully handle executable stacks.

I think once we get cstack_allocate we might use it in 'support_stack_alloc' instead.

>
>>>> + /* The guard bands need to be large enough to intercept offset >>>> + accesses from a stack address that might otherwise hit another >>>> + mapping. Make them at least twice as big as the stack itself, to >>>> + defend against an offset by the entire size of a large >>>> + stack-allocated array. The minimum is 1MiB, which is arbitrarily >>>> + chosen to be larger than any "typical" wild pointer offset. >>>> + Again, no matter what the number is, round it up to a whole >>>> + number of pages. */ >>>> + size_t guardsize = roundup (MAX (2 * stacksize, 1024 * 1024), pagesize); >>>> + size_t alloc_size = guardsize + stacksize + guardsize; >>>> + /* Use MAP_NORESERVE so that RAM will not be wasted on the guard >>>> + bands; touch all the pages of the actual stack before returning, >>>> + so we know they are allocated. */ >>>> + void *alloc_base = xmmap (0, >>>> + alloc_size, >>>> + PROT_NONE, >>>> + MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE|MAP_STACK, >>>> + -1); >>>> + /* PF_X can be overridden if PT_GNU_STACK is present. */ >>>> + int prot = PROT_READ | PROT_WRITE >>>> + | (DEFAULT_STACK_PERMS & PF_X ? PROT_EXEC : 0); >>>> + xmprotect (alloc_base + guardsize, stacksize, prot); >>>> + memset (alloc_base + guardsize, 0xA5, stacksize); >>>> + return (struct support_stack) { alloc_base + guardsize, stacksize, guardsize };
>>>
>>> This doesn't handle different stack growth directions.
>>>
>>
>> At least for the usages of the routine it does not require any adjustment:
>> xsigaltstack and xclone will handle it. I saw no regression for
>> tst-xsigaltstack and tst-clone_range.
>
> Huh, I would expect the guard area to be outside of the stack region
> returned by stack allocation. That's how the cstack_allocate API does
> it. If the current tests expect something else, then the approach in
> the patch is okay (with a comment for DEFAULT_STACK_PERMS).

It seems that at least for hppa, sigaltstack already handles it. For clone(),
xclone does the adjustment explicitly.
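
Review bot: in the `prot` computation of the quoted hunk, PROT_EXEC is chosen from the compile-time DEFAULT_STACK_PERMS alone, so the comment above it ("PF_X can be overridden if PT_GNU_STACK is present") describes an override these lines never consult; wherever the macro carries PF_X, the pages between the two guard bands end up readable, writable and executable. The comment should say that the build-time value is used deliberately and why. Separately, the positional initializer in the `return` passes `stacksize` and `guardsize` as two adjacent size values, so designated initializers would keep a later field reorder from silently swapping them.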
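
An added example, not code from the patch or from glibc: the thread notes that glibc does not export the stack execution status, so code outside libc can at most read what the main binary requested in its PT_GNU_STACK program header and fall back to a build-time default when the header is absent. The names `main_program_stack_flags`, `stack_prot` and `fallback_pf` are hypothetical, and the header is only the link-time request; the loader's effective state (the `GL (dl_stack_flags)` mentioned above) can differ.

```c
#include <elf.h>
#include <link.h>
#include <stdio.h>
#include <sys/auxv.h>
#include <sys/mman.h>

/* Return the p_flags (PF_R/PF_W/PF_X) of the main program's
   PT_GNU_STACK header, or -1 if the binary has no such header.
   The program headers are located through the auxiliary vector.  */
int
main_program_stack_flags (void)
{
  const ElfW(Phdr) *phdr = (const ElfW(Phdr) *) getauxval (AT_PHDR);
  unsigned long phnum = getauxval (AT_PHNUM);

  if (phdr == NULL)
    return -1;
  for (unsigned long i = 0; i < phnum; i++)
    if (phdr[i].p_type == PT_GNU_STACK)
      return (int) phdr[i].p_flags;
  return -1;
}

/* Choose mprotect flags for a test stack.  FALLBACK_PF (hypothetical
   parameter) stands in for a build-time default such as
   DEFAULT_STACK_PERMS and is used only when PT_GNU_STACK is absent.  */
int
stack_prot (int gnu_stack_flags, int fallback_pf)
{
  int pf = gnu_stack_flags < 0 ? fallback_pf : gnu_stack_flags;
  return PROT_READ | PROT_WRITE | ((pf & PF_X) ? PROT_EXEC : 0);
}

int
main (void)
{
  int flags = main_program_stack_flags ();
  /* PF_R | PF_W | PF_X models a historic executable default.  */
  int prot = stack_prot (flags, PF_R | PF_W | PF_X);

  printf ("PT_GNU_STACK flags: %d, PROT_EXEC %s\n", flags,
          (prot & PROT_EXEC) ? "set" : "clear");
  return 0;
}
```
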