From: David Laight
To: "'Chang S. Bae'", bp@suse.de, tglx@linutronix.de, mingo@kernel.org, luto@kernel.org, x86@kernel.org
CC: len.brown@intel.com, dave.hansen@intel.com, hjl.tools@gmail.com, Dave.Martin@arm.com, jannh@google.com, mpe@ellerman.id.au, carlos@redhat.com, tony.luck@intel.com, ravi.v.shankar@intel.com, libc-alpha@sourceware.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: RE: [PATCH v8 5/6] x86/signal: Detect and prevent an alternate signal stack overflow
Date: Thu, 22 Apr 2021 08:46:14 +0000
Message-ID: <854d6aefdf604b559e37e82669b5e67f@AcuMS.aculab.com>
References: <20210422044856.27250-1-chang.seok.bae@intel.com> <20210422044856.27250-6-chang.seok.bae@intel.com>
In-Reply-To: <20210422044856.27250-6-chang.seok.bae@intel.com>
List-Id: Libc-alpha mailing list
> From: Chang S. Bae
> Sent: 22 April 2021 05:49
>
> The kernel pushes context on to the userspace stack to prepare for the
> user's signal handler. When the user has supplied an alternate signal
> stack, via sigaltstack(2), it is easy for the kernel to verify that the
> stack size is sufficient for the current hardware context.
>
> Check if writing the hardware context to the alternate stack will exceed
> its size. If yes, then instead of corrupting user-data and proceeding with
> the original signal handler, an immediate SIGSEGV signal is delivered.

What happens if SIGSEGV is caught?

> Refactor the stack pointer check code from on_sig_stack() and use the new
> helper.
>
> While the kernel allows new source code to discover and use a sufficient
> alternate signal stack size, this check is still necessary to protect
> binaries with insufficient alternate signal stack size from data
> corruption.

...

> diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h
> index 3f6a0fcaa10c..ae60f838ebb9 100644
> --- a/include/linux/sched/signal.h
> +++ b/include/linux/sched/signal.h
> @@ -537,6 +537,17 @@ static inline int kill_cad_pid(int sig, int priv)
>  #define SEND_SIG_NOINFO ((struct kernel_siginfo *) 0)
>  #define SEND_SIG_PRIV	((struct kernel_siginfo *) 1)
>
> +static inline int __on_sig_stack(unsigned long sp)
> +{
> +#ifdef CONFIG_STACK_GROWSUP
> +	return sp >= current->sas_ss_sp &&
> +		sp - current->sas_ss_sp < current->sas_ss_size;
> +#else
> +	return sp > current->sas_ss_sp &&
> +		sp - current->sas_ss_sp <= current->sas_ss_size;
> +#endif
> +}
> +

Those don't look different enough.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
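Review bot: the two #ifdef branches of __on_sig_stack() differ only in which end of the range is inclusive (`>=` and `<` under CONFIG_STACK_GROWSUP, `>` and `<=` otherwise) and nothing in the hunk says why, which is exactly what provokes the "don't look different enough" reaction; a one-line comment above the #ifdef stating the convention (presumably that sp sitting at the top of a grows-down stack, or at the base of a grows-up one, is an empty but valid alternate stack, while the opposite end is already off it) would let a reader confirm the bounds rather than re-derive them. Worth also noting in that comment that the unsigned `sp - current->sas_ss_sp` is only safe because the first comparison has already excluded sp below sas_ss_sp, so the order of the `&&` operands must not be swapped.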
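The boundary asymmetry questioned above, and the fit check the commit message describes but the quoted hunk does not show, modelled in user space as an added example (not the patch's or the kernel's code). The two bound conventions are restated as plain functions taking an explicit struct in place of current->sas_ss_sp/sas_ss_size; that SA_ONSTACK entry switches to the top of the alternate stack, and that frames are 16-byte aligned, are assumptions of the model.

```c
/* Added example, not the patch's or the kernel's code: a user-space model of
 * the alternate-signal-stack fit check, with the two on_sig_stack() bound
 * conventions restated as plain functions. current->sas_ss_sp/sas_ss_size
 * become an explicit struct; x86 16-byte frame alignment is assumed. */
#include <stdbool.h>
#include <stdio.h>

struct altstack { unsigned long sp; unsigned long size; };	/* base, length */

/* Grows-down convention: sp == base + size is an empty stack (on stack),
 * sp == base is off the stack (strict lower bound). */
static bool on_stack_growsdown(unsigned long sp, const struct altstack *ss)
{
	return sp > ss->sp && sp - ss->sp <= ss->size;
}

/* Grows-up convention: the inclusive and exclusive ends are swapped. */
static bool on_stack_growsup(unsigned long sp, const struct altstack *ss)
{
	return sp >= ss->sp && sp - ss->sp < ss->size;
}

/* Model of the new check: place a frame_size-byte handler frame below sp on
 * a grows-down stack. SA_ONSTACK entry is modelled (assumption) by switching
 * to the top of the alt stack when sp is not already on it. Returns 0 and
 * sets *new_sp on success, -1 where the kernel would deliver SIGSEGV rather
 * than write below the base of the alternate stack. */
static int place_frame(unsigned long sp, unsigned long frame_size,
		       const struct altstack *ss, unsigned long *new_sp)
{
	if (!on_stack_growsdown(sp, ss))
		sp = ss->sp + ss->size;
	if (frame_size > sp - ss->sp)		/* rule out unsigned wrap below */
		return -1;
	*new_sp = (sp - frame_size) & ~15UL;	/* assumed 16-byte alignment */
	/* Strict lower bound: a frame that exactly fills the stack is rejected. */
	return on_stack_growsdown(*new_sp, ss) ? 0 : -1;
}

int main(void)
{
	const struct altstack ss = { 0x10000, 0x1000 };	/* constructed values */
	unsigned long top = ss.sp + ss.size, nsp;

	printf("top on stack:  down=%d up=%d\n",
	       on_stack_growsdown(top, &ss), on_stack_growsup(top, &ss));
	printf("base on stack: down=%d up=%d\n",
	       on_stack_growsdown(ss.sp, &ss), on_stack_growsup(ss.sp, &ss));
	printf("0x800 frame:  %d\n", place_frame(0x20000, 0x800, &ss, &nsp));
	printf("0x1800 frame: %d\n", place_frame(0x20000, 0x1800, &ss, &nsp));
	return 0;
}
```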