From: Florian Weimer <fweimer@redhat.com>
To: Rich Felker <dalias@libc.org>, Carlos O'Donell <carlos@redhat.com>
Cc: Szabolcs Nagy <szabolcs.nagy@arm.com>,
GNU C Library <libc-alpha@sourceware.org>,
nd@arm.com, Jeff Law <law@redhat.com>,
Richard Earnshaw <Richard.Earnshaw@arm.com>,
Wilco Dijkstra <Wilco.Dijkstra@arm.com>,
James Greenhalgh <James.Greenhalgh@arm.com>
Subject: Re: [RFC] nptl: change default stack guard size of threads
Date: Wed, 29 Nov 2017 20:33:00 -0000 [thread overview]
Message-ID: <e68674a4-9c02-b91e-356e-55e23273ebf7@redhat.com> (raw)
In-Reply-To: <20171129182909.GE1627@brightrain.aerifal.cx>
On 11/29/2017 07:29 PM, Rich Felker wrote:
> On Wed, Nov 29, 2017 at 10:16:54AM -0800, Carlos O'Donell wrote:
>> On 11/29/2017 07:18 AM, Florian Weimer wrote:
>>> On 11/29/2017 03:59 PM, Szabolcs Nagy wrote:
>>>> The change can be made for aarch64 only
>>>
>>> That doesn't seem to be the case, looking at the patch.
>>>
>>> So what you intended to do, exactly?
>>>
>>> A 64 KiB probe interval on legacy 32-bit architectures is really a
>>> no-go. It means we have to increase the guard region size to 64 KiB.
>>> But we cannot do that: The guard allocation comes out of the overall
>>> thread stack size, and existing applications do not expect that 60K
>>> of configured stack suddenly becomes unavailable. Adding the guard
>>> size on top of the allocation will break setups which are carefully
>>> tuned for a maximum number of threads.
>>
>> We cannot be held to account for carefully tuned applications, such
>> applications have to be tuned again for newer glibc.
>>
>> I think we *could* do this for 64-bit and 32-bit AArch64/ARM, but I
>> don't see the value in doing it for 32-bit.
>
> If 64k guard is mandatory for safety against jumping over the guard
> zone, then I don't think it's possible to "re-tune" 32-bit apps for
> the new requirement. This imposes a relatively small limit on possible
> number of threads the process can create.
With the probing implementations I have seen so far, it is feasible
technically because a probe will never touch a stack area which could
not conceivably be touched by a signal handler, too.
But it is still a bad situation when GCC documents that it is only
providing full protection with guard size X, and you decide to run with
size X/16 to actually get things going. This means that your
configuration is out of scope what your vendor will support
security-wise, and probably non-compliant with applicable guidelines at
the user site.
So technically you can run with a smaller guard size, but it's still
impractical to do so for most organizations.
Thanks,
Florian
next prev parent reply other threads:[~2017-11-29 20:33 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-29 14:59 Szabolcs Nagy
2017-11-29 15:18 ` Florian Weimer
2017-11-29 18:17 ` Carlos O'Donell
2017-11-29 18:29 ` Rich Felker
2017-11-29 20:33 ` Florian Weimer [this message]
2017-11-29 18:40 ` Szabolcs Nagy
2017-11-29 20:44 ` Florian Weimer
2017-11-29 20:52 ` Rich Felker
2017-11-29 21:02 ` Florian Weimer
2017-11-29 23:13 ` Szabolcs Nagy
2017-12-05 10:55 ` James Greenhalgh
2017-12-06 12:51 ` Florian Weimer
2017-12-11 23:49 ` Jeff Law
2017-12-12 11:43 ` Szabolcs Nagy
2017-12-12 16:36 ` Rich Felker
2017-12-12 18:07 ` Szabolcs Nagy
2017-12-12 19:30 ` Florian Weimer
2017-12-13 11:58 ` Szabolcs Nagy
2017-12-19 12:35 ` James Greenhalgh
2017-12-19 13:06 ` Florian Weimer
2017-12-19 18:21 ` Szabolcs Nagy
2017-12-19 20:34 ` Rich Felker
2017-12-20 4:42 ` Jeff Law
2017-12-20 4:49 ` Rich Felker
2017-12-27 13:08 ` Wilco Dijkstra
2017-12-20 4:45 ` Jeff Law
2017-11-29 22:28 ` Wilco Dijkstra
2017-11-29 22:38 ` Carlos O'Donell
2017-12-06 12:53 ` Florian Weimer
2017-12-06 13:10 ` Wilco Dijkstra
2017-12-06 13:13 ` Florian Weimer
2017-11-29 23:02 ` Rich Felker
2017-12-06 13:16 ` Florian Weimer
2017-12-06 13:40 ` Joseph Myers
2017-12-06 13:51 ` Florian Weimer
2017-12-06 14:44 ` Jeff Law
2017-12-06 14:27 ` Wilco Dijkstra
2017-12-06 20:41 ` Szabolcs Nagy
2017-12-06 21:24 ` Adhemerval Zanella
2017-12-06 22:08 ` Rich Felker
2017-12-08 18:28 ` Szabolcs Nagy
2017-11-29 22:45 ` Szabolcs Nagy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e68674a4-9c02-b91e-356e-55e23273ebf7@redhat.com \
--to=fweimer@redhat.com \
--cc=James.Greenhalgh@arm.com \
--cc=Richard.Earnshaw@arm.com \
--cc=Wilco.Dijkstra@arm.com \
--cc=carlos@redhat.com \
--cc=dalias@libc.org \
--cc=law@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=nd@arm.com \
--cc=szabolcs.nagy@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).