Re: vmalloced stacks on x86_64? - Richard Weinberger

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Richard Weinberger <richard@nod.at>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>, X86 ML <x86@kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: vmalloced stacks on x86_64?
Date: Sun, 26 Oct 2014 01:31:59 +0200	[thread overview]
Message-ID: <544C32EF.60901@nod.at> (raw)
In-Reply-To: <CALCETrU7NBCcAF6zYjY06SGQt=StNk5kUzUfexKF1CNVaD_o5Q@mail.gmail.com>

Am 26.10.2014 um 01:16 schrieb Andy Lutomirski:
> On Sat, Oct 25, 2014 at 3:26 PM, Richard Weinberger
> <richard.weinberger@gmail.com> wrote:
>> On Sat, Oct 25, 2014 at 2:22 AM, Andy Lutomirski <luto@amacapital.net> wrote:
>>> Is there any good reason not to use vmalloc for x86_64 stacks?
>>>
>>> The tricky bits I've thought of are:
>>>
>>>  - On any context switch, we probably need to probe the new stack
>>> before switching to it.  That way, if it's going to fault due to an
>>> out-of-sync pgd, we still have a stack available to handle the fault.
>>>
>>>  - Any time we change cr3, we may need to check that the pgd
>>> corresponding to rsp is there.  If now, we need to sync it over.
>>>
>>>  - For simplicity, we probably want all stack ptes to be present all
>>> the time.  This is fine; vmalloc already works that way.
>>>
>>>  - If we overrun the stack, we double-fault.  This should be easy to
>>> detect: any double-fault where rsp is less than 20 bytes from the
>>> bottom of the stack is a failure to deliver a non-IST exception due to
>>>  a stack overflow.  The question is: what do we do if this happens?
>>> We could just panic (guaranteed to work).  We could also try to
>>> recover by killing the offending task, but that might be a bit
>>> challenging, since we're in IST context.  We could do something truly
>>> awful: increment RSP by a few hundred bytes, point RIP at do_exit, and
>>> return from the double fault.
>>>
>>> Thoughts?  This shouldn't be all that much code.
>>
>> FWIW, grsecurity has this already.
>> Maybe we can reuse their GRKERNSEC_KSTACKOVERFLOW feature.
>> It allocates the kernel stack using vmalloc() and installs guard pages.
>>
> 
> On brief inspection, grsecurity isn't actually vmallocing the stack.
> It seems to be allocating it the normal way and then vmapping it.
> That allows it to modify sg_set_buf to work on stack addresses (sigh).

Oh, you're right. They have changed it. (But not the Kconfig help of course)
Last time I looked they did a vmalloc().
I'm not sure which version of the patch was but I think it was code like that one:
http://www.grsecurity.net/~spender/kstackovf32.diff

Thanks,
//richard

next prev parent reply	other threads:[~2014-10-25 23:32 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-10-25  0:22 vmalloced stacks on x86_64? Andy Lutomirski
2014-10-25  2:38 ` H. Peter Anvin
2014-10-25  4:42   ` Andy Lutomirski
2014-10-26 16:46   ` Eric Dumazet
2014-10-25  9:15 ` Ingo Molnar
2014-10-25 16:05   ` Andy Lutomirski
2014-10-25 22:26 ` Richard Weinberger
2014-10-25 23:16   ` Andy Lutomirski
2014-10-25 23:31     ` Richard Weinberger [this message]
2014-10-26 18:16     ` Linus Torvalds
2014-10-26  4:11 ` Frederic Weisbecker
2014-10-26  5:49   ` Andy Lutomirski
2014-10-26 20:29     ` Frederic Weisbecker
2014-10-27  1:12       ` Andy Lutomirski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=544C32EF.60901@nod.at \
    --to=richard@nod.at \
    --cc=hpa@zytor.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=torvalds@linux-foundation.org \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.