From patchwork Thu Dec 14 16:16:22 2017
X-Patchwork-Submitter: Szabolcs Nagy
X-Patchwork-Id: 24940
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Delivered-To: mailing list libc-alpha@sourceware.org
Message-ID: <5A32A3D6.5010200@arm.com>
Date: Thu, 14 Dec 2017 16:16:22 +0000
From: Szabolcs Nagy
To: GNU C Library
CC: nd@arm.com
Subject: [RFC v2] aarch64: enforce >=64K guard size
v2:
- only change guard size on aarch64
- don't report the inflated guard size
- this is on top of https://sourceware.org/ml/libc-alpha/2017-12/msg00368.html

There are several compiler implementations that allow large stack
allocations to jump over the guard page at the end of the stack and
corrupt memory beyond that. See CVE-2017-1000364.

Compilers can emit code to probe the stack such that the guard page
cannot be skipped, but on aarch64 the probe interval is 64K instead of
the minimum supported page size (4K).

This patch enforces at least 64K guard on aarch64 unless the guard is
disabled by setting its size to 0.
For backward compatibility reasons the increased guard is not reported,
so it is only observable by exhausting the address space or parsing
/proc/self/maps on linux.

The patch does not affect threads with user allocated stacks.

2017-12-14  Szabolcs Nagy

	* nptl/allocatestack.c (allocate_stack): Use ARCH_MIN_GUARD_SIZE.
	* nptl/descr.h (ARCH_MIN_GUARD_SIZE): Define.
	* sysdeps/aarch64/nptl/pthreaddef.h (ARCH_MIN_GUARD_SIZE): Define.

Reviewed-by: Carlos O'Donell

diff --git a/nptl/allocatestack.c b/nptl/allocatestack.c index 9525322b1f92bb34aa21dcab28566aecd7434e90..9d47b86cbfc45e40c06e0ee13889fcce48902261 100644 --- a/nptl/allocatestack.c +++ b/nptl/allocatestack.c @@ -520,6 +520,7 @@ allocate_stack (const struct pthread_attr *attr, struct pthread **pdp, { /* Allocate some anonymous memory. If possible use the cache. */ size_t guardsize; + size_t reported_guardsize; size_t reqsize; void *mem; const int prot = (PROT_READ | PROT_WRITE @@ -530,8 +531,14 @@ allocate_stack (const struct pthread_attr *attr, struct pthread **pdp, assert (size != 0); /* Make sure the size of the stack is enough for the guard and - eventually the thread descriptor. */ + eventually the thread descriptor. On some targets there is + a minimum guard size requirement, ARCH_MIN_GUARD_SIZE, so + internally enforce it (unless the guard was disabled), but + report the original guard size for backward compatibility. */ guardsize = (attr->guardsize + pagesize_m1) & ~pagesize_m1; + reported_guardsize = guardsize; + if (guardsize > 0 && guardsize < ARCH_MIN_GUARD_SIZE) + guardsize = ARCH_MIN_GUARD_SIZE; size += guardsize; if (__builtin_expect (size < ((guardsize + __static_tls_size + MINIMAL_REST_STACK + pagesize_m1)
@@ -740,7 +747,7 @@ allocate_stack (const struct pthread_attr *attr, struct pthread **pdp, /* The pthread_getattr_np() calls need to get passed the size requested in the attribute, regardless of how large the actually used guardsize is. */ - pd->reported_guardsize = guardsize; + pd->reported_guardsize = reported_guardsize; } /* Initialize the lock. We have to do this unconditionally since the diff --git a/nptl/descr.h b/nptl/descr.h index c83b17b674b07e5b4e2cbaecf984f6d1673187b5..b5f9412eec0a09e8af10eb9e0c5ff2a8b083559d 100644 --- a/nptl/descr.h +++ b/nptl/descr.h @@ -39,6 +39,10 @@ # define TCB_ALIGNMENT sizeof (double) #endif +#ifndef ARCH_MIN_GUARD_SIZE +# define ARCH_MIN_GUARD_SIZE 0 +#endif + /* We keep thread specific data in a special data structure, a two-level array. The top-level array contains pointers to dynamically allocated diff --git a/sysdeps/aarch64/nptl/pthreaddef.h b/sysdeps/aarch64/nptl/pthreaddef.h index d0411a57a1f1356d7e3961f65b733a6b6eb96ae1..5d4c90f83f2b3f3759ab15ee2bc818078ec1f150 100644 --- a/sysdeps/aarch64/nptl/pthreaddef.h +++ b/sysdeps/aarch64/nptl/pthreaddef.h @@ -19,6 +19,9 @@ /* Default stack size. */ #define ARCH_STACK_DEFAULT_SIZE (2 * 1024 * 1024) +/* Minimum guard size. */ +#define ARCH_MIN_GUARD_SIZE (64 * 1024) + /* Required stack pointer alignment at beginning. */ #define STACK_ALIGN 16
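Review bot: in the allocatestack.c hunk at @@ -530,8 +531,14 @@, the assignment `guardsize = ARCH_MIN_GUARD_SIZE;` bypasses the page rounding applied to the attribute value on the line just above it, so the code silently relies on ARCH_MIN_GUARD_SIZE being a multiple of every page size the target supports (true for 64K on aarch64's 4K/16K/64K pages, but nothing checks it). Either round it as well, `guardsize = (ARCH_MIN_GUARD_SIZE + pagesize_m1) & ~pagesize_m1;`, or document the multiple-of-page-size requirement where the macro is defined, so a target defining an unaligned value does not end up with a misaligned guard range. The `guardsize > 0` test does correctly preserve the "guard disabled" case the comment promises.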
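Review bot: for the allocatestack.c hunk at @@ -740,7 +747,7 @@, `pd->reported_guardsize = reported_guardsize;` keeps the smaller user-visible value while the region actually protected below the stack is up to ARCH_MIN_GUARD_SIZE - reported_guardsize larger. The comment above the line names pthread_getattr_np as the consumer of this field; if it derives the thread's stack extent from the reported guard, the stack range it hands back will overlap the enforced guard by that amount on aarch64 systems with 4K pages, which is a third way the change is observable beyond the two the commit message lists (address space exhaustion and /proc/self/maps). Please either note this next to the /proc/self/maps remark in the commit message or confirm pthread_getattr_np is unaffected.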
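Review bot: the `#ifndef ARCH_MIN_GUARD_SIZE` default added to nptl/descr.h carries no comment, so unlike the TCB_ALIGNMENT fallback right above it a reader cannot tell what 0 means or where a target is expected to override it. Suggest something like `/* Minimum guard size in bytes enforced for thread stacks; 0 means no minimum. Targets override this in pthreaddef.h. Must be a multiple of the page size. */`, which also records the property the allocatestack.c check depends on.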
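Review bot: in sysdeps/aarch64/nptl/pthreaddef.h the new `#define ARCH_MIN_GUARD_SIZE (64 * 1024)` is explained only as "Minimum guard size"; the reason for 64K, the stack probe interval aarch64 compilers use per the commit message, belongs in the comment so nobody later lowers it to match a 4K page. A line such as `/* Minimum guard size. Matches the 64K stack probe interval used by aarch64 compilers so a probed frame cannot skip the guard. */` would do.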
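To see the effect the commit message describes (an enforced guard that is larger than the reported one and visible only in /proc/self/maps), here is an added check, not code from the patch or from glibc. It creates a thread with a requested guard size, asks pthread_getattr_np (a GNU extension) for the guard size glibc reports, and then parses /proc/self/maps for the inaccessible mapping that sits directly below the thread's stack, which is where glibc places the guard on a downward-growing stack. Linux only; probe_guard, measure_guard_below and guard_consistent are names chosen for this example.

```c
/* Added example: compare the thread guard size glibc reports with the
   PROT_NONE mapping actually placed below the thread's stack.
   Linux/glibc specific; not part of the patch above. */
#define _GNU_SOURCE
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* pthread_getattr_np is a GNU extension; declare it ourselves in case a
   header included before this file already fixed the feature macros. */
#ifndef __USE_GNU
int pthread_getattr_np(pthread_t, pthread_attr_t *);
#endif

struct guard_probe {
  size_t requested;    /* guard size set in the pthread_attr */
  size_t reported;     /* guard size pthread_getattr_np hands back */
  long measured;       /* inaccessible bytes directly below the stack, -1 if none found */
  int maps_available;  /* 0 if /proc/self/maps could not be opened */
};

struct worker_ctx {
  pthread_barrier_t barrier;
  uintptr_t sp;        /* an address inside the worker's stack */
};

static void *worker(void *arg)
{
  struct worker_ctx *ctx = arg;
  volatile int local = 0;
  ctx->sp = (uintptr_t) &local;
  pthread_barrier_wait(&ctx->barrier);   /* sp recorded, stack is mapped */
  pthread_barrier_wait(&ctx->barrier);   /* main has finished reading maps */
  return NULL;
}

/* Walk /proc/self/maps (ascending addresses) and return the size of the
   "---p" mapping that ends exactly where the mapping containing sp begins,
   or -1 if there is no such adjacent inaccessible mapping. */
static long measure_guard_below(uintptr_t sp, int *maps_available)
{
  FILE *f = fopen("/proc/self/maps", "r");
  *maps_available = (f != NULL);
  if (f == NULL)
    return -1;
  char line[512];
  unsigned long prev_lo = 0, prev_hi = 0;
  int prev_is_guard = 0;
  long result = -1;
  while (fgets(line, sizeof line, f) != NULL) {
    unsigned long lo, hi;
    char perms[8];
    if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) != 3)
      continue;
    if (sp >= lo && sp < hi) {
      if (prev_is_guard && prev_hi == lo)
        result = (long) (prev_hi - prev_lo);
      break;
    }
    prev_lo = lo;
    prev_hi = hi;
    prev_is_guard = (strcmp(perms, "---p") == 0);
  }
  fclose(f);
  return result;
}

/* Create a thread with a 'requested' byte guard, read back what glibc
   reports for it, and measure what is really mapped below its stack. */
static struct guard_probe probe_guard(size_t requested)
{
  struct guard_probe p = { requested, 0, -1, 0 };
  struct worker_ctx ctx;
  pthread_attr_t attr, live;
  pthread_t tid;

  if (pthread_barrier_init(&ctx.barrier, NULL, 2) != 0
      || pthread_attr_init(&attr) != 0
      || pthread_attr_setguardsize(&attr, requested) != 0
      || pthread_create(&tid, &attr, worker, &ctx) != 0)
    exit(2);
  pthread_attr_destroy(&attr);

  pthread_barrier_wait(&ctx.barrier);          /* worker stack is live */
  if (pthread_getattr_np(tid, &live) == 0) {
    pthread_attr_getguardsize(&live, &p.reported);
    pthread_attr_destroy(&live);
  }
  p.measured = measure_guard_below(ctx.sp, &p.maps_available);
  pthread_barrier_wait(&ctx.barrier);          /* let the worker exit */
  pthread_join(tid, NULL);
  pthread_barrier_destroy(&ctx.barrier);
  return p;
}

/* The invariant the patch preserves: the mapped guard is never smaller
   than the reported one, and the reported one is never below the request
   (page rounding can only make it larger). */
static int guard_consistent(struct guard_probe p)
{
  if (p.reported < p.requested)
    return 0;
  if (!p.maps_available)
    return 1;
  return p.measured >= (long) p.reported;
}

int main(void)
{
  struct guard_probe p = probe_guard((size_t) sysconf(_SC_PAGESIZE));
  printf("requested %zu, reported %zu, mapped below stack %ld\n",
         p.requested, p.reported, p.measured);
  if (p.measured > (long) p.reported)
    printf("mapped guard is larger than reported (an ARCH_MIN_GUARD_SIZE is in effect)\n");
  return guard_consistent(p) ? 0 : 1;
}
```

On x86_64, where no ARCH_MIN_GUARD_SIZE is defined, the reported and measured values agree. On an aarch64 system with 4K pages running a glibc that carries this patch, the program should report 4K and measure 64K: that difference is the inflated guard the commit message deliberately leaves unreported. The measurement is an upper bound, since the kernel merges adjacent anonymous mappings with identical permissions, so treat a value larger than expected as "at least" rather than exact.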