From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 10746 invoked by alias); 16 Jan 2018 08:47:56 -0000 Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Subscribe: List-Archive: Sender: libc-stable-owner@sourceware.org Received: (qmail 10636 invoked by uid 89); 16 Jan 2018 08:47:55 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.99.2 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,SPF_HELO_PASS,T_RP_MATCHES_RCVD autolearn=ham version=3.3.2 spammy= X-Spam-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,SPF_HELO_PASS,T_RP_MATCHES_RCVD autolearn=ham version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org X-Spam-Level: X-HELO: mx1.redhat.com Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 16 Jan 2018 08:47:48 +0000 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 461D18765D for ; Tue, 16 Jan 2018 08:47:47 +0000 (UTC) Received: from oldenburg.str.redhat.com (ovpn-116-137.ams2.redhat.com [10.36.116.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id C0D7B608F4 for ; Tue, 16 Jan 2018 08:47:45 +0000 (UTC) Received: by oldenburg.str.redhat.com (Postfix, from userid 1000) id 15FF941610736; Tue, 16 Jan 2018 09:47:45 +0100 (CET) Date: Mon, 01 Jan 2018 00:00:00 -0000 To: libc-stable@sourceware.org Subject: [2.25 COMMITTED] [BZ #22637] Fix stack guard size accounting User-Agent: Heirloom mailx 12.5 7/5/10 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20180116084745.15FF941610736@oldenburg.str.redhat.com> From: fweimer@redhat.com (Florian Weimer) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Tue, 16 Jan 2018 08:47:47 +0000 (UTC) X-IsSubscribed: yes X-SW-Source: 2018-01/txt/msg00042.txt.bz2 From: Szabolcs Nagy Previously if user requested S stack and G guard when creating a thread, the total mapping was S and the actual available stack was S - G - static_tls, which is not what the user requested. This patch fixes the guard size accounting by pretending the user requested S+G stack. This way all later logic works out except when reporting the user requested stack size (pthread_getattr_np) or when computing the minimal stack size (__pthread_get_minstack). Normally this will increase thread stack allocations by one page. TLS accounting is not affected, that will require a separate fix. [BZ #22637] * nptl/descr.h (stackblock, stackblock_size): Update comments. * nptl/allocatestack.c (allocate_stack): Add guardsize to stacksize. * nptl/nptl-init.c (__pthread_get_minstack): Remove guardsize from stacksize. * nptl/pthread_getattr_np.c (pthread_getattr_np): Likewise. (cherry picked from commit 630f4cc3aa019ede55976ea561f1a7af2f068639) 2018-01-08 Szabolcs Nagy [BZ #22637] * nptl/descr.h (stackblock, stackblock_size): Update comments. * nptl/allocatestack.c (allocate_stack): Add guardsize to stacksize. * nptl/nptl-init.c (__pthread_get_minstack): Remove guardsize from stacksize. * nptl/pthread_getattr_np.c (pthread_getattr_np): Likewise. diff --git a/NEWS b/NEWS index 1cad04eb0e..fb54fa069c 100644 --- a/NEWS +++ b/NEWS @@ -67,6 +67,7 @@ The following bugs are resolved with this release: [22078] nss_files performance issue in hosts multi mode [22322] libc: [mips64] wrong bits/long-double.h installed [22627] $ORIGIN in $LD_LIBRARY_PATH is substituted twice + [22637] nptl: Fix stack guard size accounting [22679] getcwd(3) can succeed without returning an absolute path (CVE-2018-1000001) diff --git a/nptl/allocatestack.c b/nptl/allocatestack.c index 368fe3c36b..a1d1be5dfb 100644 --- a/nptl/allocatestack.c +++ b/nptl/allocatestack.c @@ -482,6 +482,10 @@ allocate_stack (const struct pthread_attr *attr, struct pthread **pdp, /* Make sure the size of the stack is enough for the guard and eventually the thread descriptor. */ guardsize = (attr->guardsize + pagesize_m1) & ~pagesize_m1; + if (guardsize < attr->guardsize || size + guardsize < guardsize) + /* Arithmetic overflow. */ + return EINVAL; + size += guardsize; if (__builtin_expect (size < ((guardsize + __static_tls_size + MINIMAL_REST_STACK + pagesize_m1) & ~pagesize_m1), diff --git a/nptl/descr.h b/nptl/descr.h index a145860f07..b63204a992 100644 --- a/nptl/descr.h +++ b/nptl/descr.h @@ -382,9 +382,9 @@ struct pthread /* Machine-specific unwind info. */ struct _Unwind_Exception exc; - /* If nonzero pointer to area allocated for the stack and its - size. */ + /* If nonzero, pointer to the area allocated for the stack and guard. */ void *stackblock; + /* Size of the stackblock area including the guard. */ size_t stackblock_size; /* Size of the included guard area. */ size_t guardsize; diff --git a/nptl/nptl-init.c b/nptl/nptl-init.c index 2f8599b391..1ca783e466 100644 --- a/nptl/nptl-init.c +++ b/nptl/nptl-init.c @@ -473,8 +473,5 @@ strong_alias (__pthread_initialize_minimal_internal, size_t __pthread_get_minstack (const pthread_attr_t *attr) { - struct pthread_attr *iattr = (struct pthread_attr *) attr; - - return (GLRO(dl_pagesize) + __static_tls_size + PTHREAD_STACK_MIN - + iattr->guardsize); + return GLRO(dl_pagesize) + __static_tls_size + PTHREAD_STACK_MIN; } diff --git a/nptl/pthread_getattr_np.c b/nptl/pthread_getattr_np.c index 06093b3d92..210a3f8a1f 100644 --- a/nptl/pthread_getattr_np.c +++ b/nptl/pthread_getattr_np.c @@ -57,9 +57,12 @@ pthread_getattr_np (pthread_t thread_id, pthread_attr_t *attr) /* The sizes are subject to alignment. */ if (__glibc_likely (thread->stackblock != NULL)) { - iattr->stacksize = thread->stackblock_size; + /* The stack size reported to the user should not include the + guard size. */ + iattr->stacksize = thread->stackblock_size - thread->guardsize; #if _STACK_GROWS_DOWN - iattr->stackaddr = (char *) thread->stackblock + iattr->stacksize; + iattr->stackaddr = (char *) thread->stackblock + + thread->stackblock_size; #else iattr->stackaddr = (char *) thread->stackblock; #endif