From patchwork Wed Nov 29 14:59:12 2017
X-Patchwork-Submitter: Szabolcs Nagy
X-Patchwork-Id: 24598
Message-ID: <5A1ECB40.9080801@arm.com>
Date: Wed, 29 Nov 2017 14:59:12 +0000
From: Szabolcs Nagy
To: GNU C Library
CC: nd@arm.com, Jeff Law, Richard Earnshaw, Wilco Dijkstra, Rich Felker, James Greenhalgh
Subject: [RFC] nptl: change default stack guard size of threads

RFC patch based on discussions about stack probing at
https://gcc.gnu.org/ml/gcc-patches/2017-11/msg02306.html

From 84da61fd1e0d80d8bfc4c1e867fb5df3b5148caa Mon Sep 17 00:00:00 2001
From: Szabolcs Nagy
Date: Tue, 28 Nov 2017 11:49:24 +0000
Subject: [PATCH] nptl: change default stack guard size of threads

There are several compiler implementations that allow large stack
allocations to jump over the guard page at the end of the stack and
corrupt memory beyond that. See CVE-2017-1000364.

The linux kernel increased the default guard size of the main thread to
1M to mitigate the issue, which fixes some of the known local privilege
escalation exploits using setuid binaries, but does not affect memory
corruption in case of thread stack overflow in multi-threaded processes.

Compilers can emit code to probe the stack such that a guard page cannot
be skipped, but this is not yet available on many targets and may
introduce larger performance overhead than necessary when the compiler
has to assume the minimum supported page size of the target. On aarch64
the plan is to assume 64K guard size in the probing code since this
makes the overhead sufficiently small that it can be turned on by
default, but 4K page size is also supported, so the mitigation only
works if the libc guard size is increased.

This patch increases the default guard size to 64K which should prevent
jumping over the guard page in most existing binaries; in particular,
larger stack allocations should not really exist in glibc itself because
this is the __MAX_ALLOCA_CUTOFF limit.

Note that POSIX 2008 allows implementation defined default guardsize,
but previous versions required it to be one page.

This patch can be controversial because it does not conform to old
standards, changes the behaviour of pthread_attr_init with respect to
the non-standard and underspecified pthread_setattr_default_np, it
increases the address space usage of existing code, and because the
security of code using smaller guardsize is not addressed. The address
space usage can be a concern on 32bit targets.

The change can be made for aarch64 only but I think it may be useful on
other targets too.
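As an added example (not part of the patch or of glibc), this shows how a program can read the guard size a freshly initialised attribute object carries and make sure the threads it creates get at least the 64K this patch advocates, even on a libc whose default is still one page. The MIN_GUARD_SIZE constant and the function names are this example's own; it uses the GNU extension pthread_getattr_np to read back the guard libc actually applied to the new thread's stack.

```c
#define _GNU_SOURCE             /* pthread_getattr_np is a GNU extension */
#include <pthread.h>
#include <unistd.h>

/* Guard we insist on below each thread stack: the 64K this patch proposes
   as the libc default (constant chosen for this example). */
#define MIN_GUARD_SIZE ((size_t) 65536)

/* Guard size a freshly initialised attribute object carries: one page
   before this patch, the process-wide default after it. */
size_t fresh_attr_guard_size(void)
{
    pthread_attr_t a;
    size_t g = 0;
    if (pthread_attr_init(&a) != 0)
        return 0;
    pthread_attr_getguardsize(&a, &g);
    pthread_attr_destroy(&a);
    return g;
}

/* Thread body: record the guard libc actually placed under this stack. */
static void *report_guard(void *out)
{
    pthread_attr_t a;
    if (pthread_getattr_np(pthread_self(), &a) == 0) {
        pthread_attr_getguardsize(&a, (size_t *) out);
        pthread_attr_destroy(&a);
    }
    return NULL;
}

/* Create a thread whose guard is at least MIN_GUARD_SIZE without lowering a
   larger libc default.  Returns the guard the thread observes, 0 on error. */
size_t spawn_with_min_guard(void)
{
    pthread_attr_t a; pthread_t t;
    size_t g = 0, seen = 0;
    if (pthread_attr_init(&a) != 0)
        return 0;
    pthread_attr_getguardsize(&a, &g);
    if (g < MIN_GUARD_SIZE && pthread_attr_setguardsize(&a, MIN_GUARD_SIZE) != 0)
        return 0;
    if (pthread_create(&t, &a, report_guard, &seen) != 0)
        return 0;
    pthread_join(t, NULL);
    pthread_attr_destroy(&a);
    return seen;
}
```

The value returned by spawn_with_min_guard is the requested guard rounded up to a page multiple, so it is 65536 on 4K, 16K and 64K page systems alike.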
nptl/descr.h (ARCH_GUARD_DEFAULT_SIZE): Define. nptl/nptl-init.c (__pthread_initialize_minimal_internal): Change __default_pthread_attr.guardsize. nptl/pthread_create.c (__pthread_create_2_0): Use __default_pthread_attr.guardsize. nptl/pthread_attr_init.c (__pthread_attr_init_2_1): Likewise. nptl/tst-attr2.c (do_test): Don't check default guardsize. --- nptl/descr.h | 5 +++++ nptl/nptl-init.c | 3 ++- nptl/pthread_attr_init.c | 5 +++-- nptl/pthread_create.c | 6 ++++-- nptl/tst-attr2.c | 6 ------ 5 files changed, 14 insertions(+), 11 deletions(-) diff --git a/nptl/descr.h b/nptl/descr.h index c83b17b674..abb86e917a 100644 --- a/nptl/descr.h +++ b/nptl/descr.h @@ -39,6 +39,11 @@ # define TCB_ALIGNMENT sizeof (double) #endif +/* Default guard size will get rounded up to page size. + Targets can override the setting in pthreaddef.h. */ +#ifndef ARCH_GUARD_DEFAULT_SIZE +# define ARCH_GUARD_DEFAULT_SIZE 65536 +#endif /* We keep thread specific data in a special data structure, a two-level array. The top-level array contains pointers to dynamically allocated diff --git a/nptl/nptl-init.c b/nptl/nptl-init.c index 869e926f17..447913e9ec 100644 --- a/nptl/nptl-init.c +++ b/nptl/nptl-init.c @@ -436,7 +436,8 @@ __pthread_initialize_minimal_internal (void) limit.rlim_cur = ALIGN_UP (limit.rlim_cur, pagesz); lll_lock (__default_pthread_attr_lock, LLL_PRIVATE); __default_pthread_attr.stacksize = limit.rlim_cur; - __default_pthread_attr.guardsize = GLRO (dl_pagesize); + __default_pthread_attr.guardsize = pagesz > ARCH_GUARD_DEFAULT_SIZE + ? pagesz : ARCH_GUARD_DEFAULT_SIZE; lll_unlock (__default_pthread_attr_lock, LLL_PRIVATE); #ifdef SHARED diff --git a/nptl/pthread_attr_init.c b/nptl/pthread_attr_init.c index eceaf85dbf..ec063a01ae 100644 --- a/nptl/pthread_attr_init.c +++ b/nptl/pthread_attr_init.c 
@@ -43,8 +43,9 @@ __pthread_attr_init_2_1 (pthread_attr_t *attr) iattr = (struct pthread_attr *) attr; - /* Default guard size specified by the standard. */ - iattr->guardsize = __getpagesize (); + lll_lock (__default_pthread_attr_lock, LLL_PRIVATE); + iattr->guardsize = __default_pthread_attr.guardsize; + lll_unlock (__default_pthread_attr_lock, LLL_PRIVATE); return 0; } diff --git a/nptl/pthread_create.c b/nptl/pthread_create.c index 51ae60dfca..24fdad6271 100644 --- a/nptl/pthread_create.c +++ b/nptl/pthread_create.c @@ -869,7 +869,9 @@ __pthread_create_2_0 (pthread_t *newthread, const pthread_attr_t *attr, if (attr != NULL) { struct pthread_attr *iattr = (struct pthread_attr *) attr; - size_t ps = __getpagesize (); + lll_lock (__default_pthread_attr_lock, LLL_PRIVATE); + size_t guardsize = __default_pthread_attr.guardsize; + lll_unlock (__default_pthread_attr_lock, LLL_PRIVATE); /* Copy values from the user-provided attributes. */ new_attr.schedparam = iattr->schedparam; @@ -878,7 +880,7 @@ __pthread_create_2_0 (pthread_t *newthread, const pthread_attr_t *attr, /* Fill in default values for the fields not present in the old implementation. */ - new_attr.guardsize = ps; + new_attr.guardsize = guardsize; new_attr.stackaddr = NULL; new_attr.stacksize = 0; new_attr.cpuset = NULL; diff --git a/nptl/tst-attr2.c b/nptl/tst-attr2.c index 9967b69773..a965c3ac1c 100644 --- a/nptl/tst-attr2.c +++ b/nptl/tst-attr2.c @@ -90,12 +90,6 @@ default detach state wrong: %d, expected %d (PTHREAD_CREATE_JOINABLE)\n", puts ("1st attr_getguardsize failed"); exit (1); } - if (g != (size_t) sysconf (_SC_PAGESIZE)) - { - printf ("default guardsize %zu, expected %ld (PAGESIZE)\n", - g, sysconf (_SC_PAGESIZE)); - exit (1); - } e = pthread_attr_setguardsize (&a, 0); if (e != 0) -- 2.11.0
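Review bot: in the nptl/descr.h hunk, the new comment says "Targets can override the setting in pthreaddef.h", which only works if pthreaddef.h is included before this `#ifndef ARCH_GUARD_DEFAULT_SIZE` block; please confirm that include order in descr.h, otherwise a target override would silently have no effect. The comment's "will get rounded up to page size" also does not match what the patch does with the value (see the nptl-init.c hunk), so either the comment or that computation should change.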
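Review bot: in the nptl/nptl-init.c hunk, `pagesz > ARCH_GUARD_DEFAULT_SIZE ? pagesz : ARCH_GUARD_DEFAULT_SIZE` takes the larger of the two values but does not round, so a target that overrides the macro with a value that is not a page multiple ends up with an unrounded default here. `ALIGN_UP (ARCH_GUARD_DEFAULT_SIZE, pagesz)`, already used two lines above for `limit.rlim_cur`, gives the same result for power-of-two page sizes and rounds in the override case, and matches the descr.h comment.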
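Review bot: in the nptl/pthread_attr_init.c hunk, the removed comment "Default guard size specified by the standard" is not replaced, yet this is the behaviour change the commit message calls controversial: pthread_attr_init now returns whatever pthread_setattr_default_np last stored instead of one page. Add a comment saying so, and consider documenting it in NEWS and the manual. Taking `__default_pthread_attr_lock` on a path that previously had no locking is also new; a short justification in the commit message would help reviewers.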
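Review bot: in the first nptl/pthread_create.c hunk, the three lines `lll_lock (...); size_t guardsize = __default_pthread_attr.guardsize; lll_unlock (...);` duplicate exactly what the pthread_attr_init.c hunk adds to __pthread_attr_init_2_1; a small shared helper that returns the default guard size would keep the two in sync if the storage or locking of the default changes. With the second hunk's `new_attr.guardsize = guardsize;`, the 2.0-compat entry point now follows pthread_setattr_default_np as well, which is worth a sentence in the commit message.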
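Review bot: in the nptl/tst-attr2.c hunk, deleting the whole default-guardsize check leaves the default uncovered; keep a weaker assertion that still holds after this patch, namely that the default is at least one page and a multiple of it, e.g. `if (g < (size_t) sysconf (_SC_PAGESIZE) || g % sysconf (_SC_PAGESIZE) != 0)` followed by the existing printf/exit, so a regression that leaves guardsize zero or unrounded is still caught.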