From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-alpha-return-91266-listarch-libc-alpha=sources.redhat.com@sourceware.org>
Received: (qmail 87830 invoked by alias); 27 Mar 2018 15:55:25 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>, <http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Received: (qmail 87810 invoked by uid 89); 27 Mar 2018 15:55:24 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 spammy=investigate, validate, Hx-languages-length:2302, H*f:sk:e4ce960
X-HELO: mail-ot0-f182.google.com
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=kplavQkXSr5zyS9pBeUHiNCYgD4ICHie5lVAn39ekWU=;
        b=N9cNZB5GsBhSdPQ1oyK7sB5FbmotqX3R7a5mDo3I1HYpfmkmhkyDQQLjBsp9rShHM/
         eQmN9tKskuUmP8at0RtZKYqou0ZCVUh19WHW0LChpZgvn1Oo0Tat03sG6ZgnKdzeZ87G
         FYlV2DWNRANLVIPm4Q5FlNWGRKx2LMt4OeiYpqpo526iBMSwXjOQNueZVYNFagGaAs+r
         TVwRqqu7a1XJgICnlHwGDtghxD9WNM0UbW1XaktCKpcuQ/rmgIeI0hLeKkG6Kd53SZZE
         r801Vjl86hGRdGz1t8i5uRWuK7gUUPabS7xwOwV5Y1aMpzLZZ3mfWR0/s2c1EGxm5h9k
         7M+w==
X-Gm-Message-State: AElRT7E/Ix7YgnBXNAHnZRWWsKN/8aLbGA5ZkWz5W+VQfSWaFJ9FD9SJ
	U+VqGOlkJmh1/897OhZG/x1xgt6fiCmwDY4YLuM=
X-Google-Smtp-Source: AIpwx4+xvKnmOWeZAXMhoAc5r0yU9cd0ZC1aHz6+9lwBzSSJ05AHxNx1M5hh+gDkPi/Q8YiZUppFMfYOGCPEkN/z8q4=
X-Received: by 2002:a9d:7098:: with SMTP id l24-v6mr6359980otj.125.1522166121282;
 Tue, 27 Mar 2018 08:55:21 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <e4ce960d-452b-c610-9ad9-878f38591ef3@redhat.com>
References: <CAMe9rOp_ODUck1Oa6cRPKVRkedQ=sq8RrNwPtBQ5RSvyEun-iw@mail.gmail.com>
 <d90b8489-87e9-794c-e8b1-81ee1058bba2@redhat.com> <CAMe9rOrWO+j5c63H_uay9g4spTMCnGYbEVOMe7kVhJeDMz2gfg@mail.gmail.com>
 <e4ce960d-452b-c610-9ad9-878f38591ef3@redhat.com>
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Tue, 27 Mar 2018 15:55:00 -0000
Message-ID: <CAMe9rOqZQzGxS3KvoSndfzmgd6xC=A92H+kp9uESdt_Vi_mS-A@mail.gmail.com>
Subject: Re: RFA: Need to extend x86 psABI to support thread cancellation and
 alternate signal stack
To: Florian Weimer <fweimer@redhat.com>
Cc: GNU C Library <libc-alpha@sourceware.org>, GCC Development <gcc@gcc.gnu.org>, 
	"Carlos O'Donell" <carlos@redhat.com>
Content-Type: text/plain; charset="UTF-8"
X-SW-Source: 2018-03/txt/msg00573.txt.bz2

On Tue, Mar 27, 2018 at 8:43 AM, Florian Weimer <fweimer@redhat.com> wrote:
> On 03/27/2018 01:26 PM, H.J. Lu wrote:
>
>> 2. Since shadow stack is never saved and restored by compiler, unwinder
>> in libgcc counts how many stack frame it has to unwind and uses INCSSP
>> to pop shadow stack.  This can't unwind the original shadow stack when
>> the alternate shadow stack is used.  _URC_NO_REASON_CANCEL
>> works only if longjmp will be used to finish stack unwinding, which is
>> the case for thread cancellation in glibc.
>>
>> Here are patches for GCC:
>>
>>
>> https://github.com/hjl-tools/gcc/commit/e9ff815941406e38fa629947af4d809b9129e860
>>
>> and glibc:
>>
>>
>> https://github.com/hjl-tools/glibc/commit/1aec81528ab26aa8a8a7965317b6e1a8ba4526aa
>>
>> They fixed the issue.
>
>
> The patches are nice and short, but: Do they really fix the issue?  They
> make cancellation work again, but they do not fix the general unwinding
> issue with alternate signal handler stacks AFAICS.

That is true.   We do support unwinding with alternate signal handler stack
using longjmp.   If there is another use case of unwinding with alternate signal
handler stack, we can investigate.  If this isn't a valid use case, we
don't want
to create a very complex scheme to support it.

>>> It may be possible to implement this without kernel changes: Patch the
>>> interrupted context to continue unwinding, and then call sigreturn to
>>> switch
>>> both stacks at the same time.
>>>
>>
>> We passed almost all 5000+ tests in glibc with shadow stack and indirect
>> branch tracking enabled. The only remaining failures are thread
>> cancellation
>> with alternate signal stack and -fasynchronous-unwind-tables.  I couldn't
>> find a way to unwind shadow stack by counting stack frame when exception
>> happens in alternate signal stack.
>
>
> I'm not sure how comprehensive these tests are, considering that no one
> expected something like shadow stacks (maybe those dual ia64 stacks are
> somewhat similar, but I don't know anything about them).

Glibc tests are invaluable to validate CET implementation.  I am planning to
backport CET support to glibc 2.27 so that I can enable CET in applications
under Fedora 28.

-- 
H.J.