From: Ingo Molnar <mingo@kernel.org>
To: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, linux-kernel@vger.kernel.org,
Michal Marek <mmarek@suse.cz>,
Peter Zijlstra <peterz@infradead.org>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@alien8.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andi Kleen <andi@firstfloor.org>, Pedro Alves <palves@redhat.com>,
Namhyung Kim <namhyung@gmail.com>,
Bernd Petrovitsch <bernd@petrovitsch.priv.at>,
Chris J Arges <chris.j.arges@canonical.com>,
live-patching@vger.kernel.org
Subject: Re: [PATCH v10 03/20] x86/stackvalidate: Compile-time stack validation
Date: Sat, 22 Aug 2015 11:17:15 +0200 [thread overview]
Message-ID: <20150822091715.GA18233@gmail.com> (raw)
In-Reply-To: <20150821133207.GB14134@treble.redhat.com>
* Josh Poimboeuf <jpoimboe@redhat.com> wrote:
> On Fri, Aug 21, 2015 at 09:54:49AM +0200, Ingo Molnar wrote:
> >
> > * Josh Poimboeuf <jpoimboe@redhat.com> wrote:
> >
> > > +Why do we need stack validation?
> > > +--------------------------------
> > > +
> > > +Here are some of the benefits of validating stack metadata:
> > > +
> > > +a) More reliable stack traces for frame pointer enabled kernels
> > > +
> > > + Frame pointers are used for debugging purposes. They allow runtime
> > > + code and debug tools to be able to walk the stack to determine the
> > > + chain of function call sites that led to the currently executing
> > > + code.
> > > +
> > > + For some architectures, frame pointers are enabled by
> > > + CONFIG_FRAME_POINTER. For some other architectures they may be
> > > + required by the ABI (sometimes referred to as "backchain pointers").
> > > +
> > > + For C code, gcc automatically generates instructions for setting up
> > > + frame pointers when the -fno-omit-frame-pointer option is used.
> > > +
> > > + But for asm code, the frame setup instructions have to be written by
> > > + hand, which most people don't do. So the end result is that
> > > + CONFIG_FRAME_POINTER is honored for C code but not for most asm code.
> > > +
> > > + For stack traces based on frame pointers to be reliable, all
> > > + functions which call other functions must first create a stack frame
> > > + and update the frame pointer. If a first function doesn't properly
> > > + create a stack frame before calling a second function, the *caller*
> > > + of the first function will be skipped on the stack trace.
> > > +
> > > + The benefit of stackvalidate here is that it ensures that *all*
> > > + functions honor CONFIG_FRAME_POINTER. As a result, no functions will
> > > + ever [*] be skipped on a stack trace.
> > > +
> > > + [*] unless an interrupt or exception has occurred at the very
> > > + beginning of a function before the stack frame has been created,
> > > + or at the very end of the function after the stack frame has been
> > > + destroyed. This is an inherent limitation of frame pointers.
> >
> > What this section does not point out is the actual effects of missing frame
> > pointer annotations. I.e. how about quoting a before/after stack backtrace to
> > demonstrate it?
>
> How about this (on top of the last one):
>
> ---8<---
>
> From: Josh Poimboeuf <jpoimboe@redhat.com>
> Subject: [PATCH] stackvalidate: Add missing frame pointer example
>
> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
> ---
> Documentation/stack-validation.txt | 37 ++++++++++++++++++++++++++++++++++---
> 1 file changed, 34 insertions(+), 3 deletions(-)
>
> diff --git a/Documentation/stack-validation.txt b/Documentation/stack-validation.txt
> index 94dad40..87a5ab8 100644
> --- a/Documentation/stack-validation.txt
> +++ b/Documentation/stack-validation.txt
> @@ -53,9 +53,40 @@ a) More reliable stack traces for frame pointer enabled kernels
> create a stack frame before calling a second function, the *caller*
> of the first function will be skipped on the stack trace.
>
> - The benefit of stackvalidate here is that it ensures that *all*
> - functions honor CONFIG_FRAME_POINTER. As a result, no functions will
> - ever [*] be skipped on a stack trace.
> + For example, consider the following example backtrace with frame
> + pointers enabled:
> +
> + [<ffffffff81812584>] dump_stack+0x4b/0x63
> + [<ffffffff812d6dc2>] cmdline_proc_show+0x12/0x30
> + [<ffffffff8127f568>] seq_read+0x108/0x3e0
> + [<ffffffff812cce62>] proc_reg_read+0x42/0x70
> + [<ffffffff81256197>] __vfs_read+0x37/0x100
> + [<ffffffff81256b16>] vfs_read+0x86/0x130
> + [<ffffffff81257898>] SyS_read+0x58/0xd0
> + [<ffffffff8181c1f2>] entry_SYSCALL_64_fastpath+0x12/0x76
> +
> + It correctly shows that the caller of cmdline_proc_show() is
> + seq_read().
> +
> + If we remove the frame pointer logic from cmdline_proc_show() by
> + replacing the frame pointer related instructions with nops, here's
> + what it looks like instead:
> +
> + [<ffffffff81812584>] dump_stack+0x4b/0x63
> + [<ffffffff812d6dc2>] cmdline_proc_show+0x12/0x30
> + [<ffffffff812cce62>] proc_reg_read+0x42/0x70
> + [<ffffffff81256197>] __vfs_read+0x37/0x100
> + [<ffffffff81256b16>] vfs_read+0x86/0x130
> + [<ffffffff81257898>] SyS_read+0x58/0xd0
> + [<ffffffff8181c1f2>] entry_SYSCALL_64_fastpath+0x12/0x76
> +
> + Notice that cmdline_proc_show()'s caller, seq_read(), has been
> + skipped. Instead the stack trace seems to show that
> + cmdline_proc_show() was called by proc_reg_read().
> +
> + The benefit of stackvalidate here is that because it ensures that
> + *all* functions honor CONFIG_FRAME_POINTER, no functions will ever[*]
> + be skipped on a stack trace.
Ok, this sounds good to me!
Thanks,
Ingo
next prev parent reply other threads:[~2015-08-22 9:17 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-14 3:10 [PATCH v10 00/20] Compile-time stack validation Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 01/20] x86/asm: Frame pointer macro cleanup Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 02/20] x86/asm: Add C versions of frame pointer macros Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 03/20] x86/stackvalidate: Compile-time stack validation Josh Poimboeuf
2015-08-15 7:23 ` Andrew Morton
2015-08-15 12:49 ` Josh Poimboeuf
2015-08-19 10:01 ` Ingo Molnar
2015-08-20 4:00 ` Josh Poimboeuf
2015-08-21 7:54 ` Ingo Molnar
2015-08-21 13:32 ` Josh Poimboeuf
2015-08-22 9:17 ` Ingo Molnar [this message]
2015-08-14 3:10 ` [PATCH v10 04/20] x86/stackvalidate: Add file and directory ignores Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 05/20] x86/stackvalidate: Add ignore macros Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 06/20] x86/xen: Add stack frame dependency to hypercall inline asm calls Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 07/20] x86/paravirt: Add stack frame dependency to PVOP " Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 08/20] x86/paravirt: Create a stack frame in PV_CALLEE_SAVE_REGS_THUNK Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 09/20] x86/amd: Set ELF function type for vide() Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 10/20] x86/reboot: Add ljmp instructions to stackvalidate whitelist Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 11/20] x86/xen: Add xen_cpuid() and xen_setup_gdt() to stackvalidate whitelists Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 12/20] x86/asm/crypto: Create stack frames in aesni-intel_asm.S Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 13/20] x86/asm/crypto: Move .Lbswap_mask data to .rodata section Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 14/20] x86/asm/crypto: Move jump_table " Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 15/20] x86/asm/crypto: Create stack frames in clmul_ghash_mul/update() Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 16/20] x86/asm/entry: Create stack frames in thunk functions Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 17/20] x86/asm/acpi: Create a stack frame in do_suspend_lowlevel() Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 18/20] x86/asm: Create stack frames in rwsem functions Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 19/20] x86/asm/efi: Create a stack frame in efi_call() Josh Poimboeuf
2015-08-14 9:11 ` Matt Fleming
2015-08-14 14:07 ` Josh Poimboeuf
2015-08-14 3:10 ` [PATCH v10 20/20] x86/asm/power: Create stack frames in hibernate_asm_64.S Josh Poimboeuf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150822091715.GA18233@gmail.com \
--to=mingo@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=andi@firstfloor.org \
--cc=bernd@petrovitsch.priv.at \
--cc=bp@alien8.de \
--cc=chris.j.arges@canonical.com \
--cc=hpa@zytor.com \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=live-patching@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=mmarek@suse.cz \
--cc=namhyung@gmail.com \
--cc=palves@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.