From: Stas Sergeev <stsp@list.ru>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Denys Vlasenko <dvlasenk@redhat.com>,
Pavel Emelyanov <xemul@parallels.com>,
Borislav Petkov <bp@alien8.de>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Brian Gerst <brgerst@gmail.com>, X86 ML <x86@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [RFC 3/4] x86/signal/64: Re-add support for SS in the 64-bit signal context
Date: Wed, 14 Oct 2015 20:40:57 +0300
Message-ID: <561E93A9.3030500@list.ru>
In-Reply-To: <CALCETrVMSa11TOnJ8WNDuQ7gAk7G738z1T5YM=2MC_kOUJt3yA@mail.gmail.com>
14.10.2015 19:40, Andy Lutomirski writes:
>>> + *
>>> + * Kernels that set UC_SIGCONTEXT_SS will also set UC_STRICT_RESTORE_SS
>>> + * when delivering a signal that came from 64-bit code.
>>> + *
>>> + * Sigreturn modifies its behavior depending on the UC_STRICT_RESTORE_SS
>>> + * flag. If UC_STRICT_RESTORE_SS is set, then the SS value in the
>>> + * signal context is restored verbatim. If UC_STRICT_RESTORE_SS is not
>>> + * set, the CS value in the signal context refers to a 64-bit code
>>> + * segment, and the signal context's SS value is invalid, it will be
>>> + * replaced by an flat 32-bit selector.
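Review bot: the sigreturn paragraph is ambiguous about its conditions and leaves one case unstated. "If UC_STRICT_RESTORE_SS is not set, the CS value in the signal context refers to a 64-bit code segment, and the signal context's SS value is invalid, it will be replaced" reads like a list of alternatives rather than three conditions that must all hold; spell it out as "If UC_STRICT_RESTORE_SS is not set AND the saved CS refers to a 64-bit code segment AND the saved SS is invalid, then SS is replaced by a flat 32-bit selector". The comment also does not say what sigreturn does when the flag is clear, CS is not a 64-bit code segment and SS is invalid; that case should be documented too. Minor: "an flat" should read "a flat".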
Is this correct?
It says "64-bit code segment will use the 32-bit SS".
I guess you mean 64-bit SS instead of a 32-bit one?
Also, it doesn't seem to say what happens if CS is 32-bit
and SS is invalid (the flag is not set).
>>> This is a bit risky, and another option would be to do nothing at
>>> all.
>> Andy, could you please stop pretending there are no other solutions?
>> You do not have to like them. You do not have to implement them.
>> But your continuous re-assertions that they do not exist make me
>> feel a bit uncomfortable after I have spelled them out many times.
>>
>>> Stas, what do you think? Could you test this?
>> I think I'll get to testing this only at the weekend.
>> In the meantime, the question about the safety of leaving LDT SS
>> in 64-bit mode still makes me wonder. Perhaps, instead of re-iterating
>> this here, you can describe this all in the patch comments? Namely:
>> - How will LDT SS interact with nested signals
>
> The kernel doesn't think about nested signals. If the inner signal is
> delivered while SS is in the LDT, the kernel will try to keep it as is
> and will stick whatever was in SS when the signal happened in the
> inner saved context. On return to the outer signal, it'll restore it
> following the UC_STRICT_RESTORE_SS rules.
Good.
>> - with syscalls
>
> 64-bit syscalls change SS to some default flat value as a side-effect.
> (Actually, IIRC, 64-bit syscalls change it specifically to __USER_DS,
> but, on Xen, 64-bit fast syscall returns may silently flip it to a
> different flat selector.)
Do we need this?
Maybe it should stop doing so?
>> - with siglongjmp()
>
> siglongjmp is a glibc thing. It should work the same way it always
> did. If it internally does a syscall (sigprocmask or whatever), that
> will override SS.
IMHO this side-effect needs to be documented somewhere.
I was scared about using it because I thought SS could be left bad.
Why I think it IS the kernel's problem is that in an ideal world
the sighandler should not run with LDT SS at all, so there would be no
fear about a bad SS after siglongjmp(). And if sigprocmask() someday
stops validating SS, this can lead to surprises.
>>> If SS starts out invalid (this can happen if the signal was caused
>>> by an IRET fault or was delivered on the way out of set_thread_area
>>> or modify_ldt), then IRET to the signal handler can fail, eventually
>>> killing the task.
>> Is this signal-specific? I.e. the return from IRQs happens via iret too.
>> So if we are running with invalid SS in 64-bit mode, can the iret from
>> IRQ also cause the problem?
>>
>
> On new kernels, you can't run with invalid SS under any conditions.
Good.
>> On an off-topic: there was recently a patch from you that
>> disables vm86() by mmap_min_addr. I've found that dosemu, when
>> started as root, could override mmap_min_addr. I guess this will
>> no longer work, right? Not a big regression, just something to
>> know and document.
>
> As root, mmap_min_addr isn't enforced. Calling mmap and then dropping
> privileges would still keep the old mappings around. We could
> potentially rig it so that calling vm86 and then dropping privileges
> allows you to keep using vm86 even after dropping privileges.
Well, there is a special vm86() entry that is served just for
checking its presence, so maybe this could indeed be done. Not
that I find this very important. If you code up such a patch, I'll
see about changing dosemu2 accordingly, but don't rush on this too
much. :)
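As an added example (not code from this thread, nor from Andy's series), here is a user-space probe showing how a program can observe the ABI discussed above: it sends itself a signal and reads uc_flags and the saved SS out of the 64-bit signal context, so one can see whether UC_SIGCONTEXT_SS and UC_STRICT_RESTORE_SS were set and what SS the kernel recorded. It assumes Linux on x86-64 and glibc's ucontext layout (the cs/gs/fs/ss packing in the REG_CSGSFS slot); the struct and function names are my own.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/* Flag bits from arch/x86/include/uapi/asm/ucontext.h, defined here only
 * when the installed headers predate them. */
#ifndef UC_SIGCONTEXT_SS
#define UC_SIGCONTEXT_SS 0x2
#endif
#ifndef UC_STRICT_RESTORE_SS
#define UC_STRICT_RESTORE_SS 0x4
#endif
/* glibc gregs slot holding cs, gs, fs and ss as four packed 16-bit fields. */
#ifndef REG_CSGSFS
#define REG_CSGSFS 18
#endif

/* Observations made inside the handler (hypothetical names). */
struct ss_probe {
    unsigned long uc_flags;   /* uc_flags as seen inside the handler */
    unsigned short saved_ss;  /* SS the kernel recorded in the context */
    unsigned short live_ss;   /* SS the handler itself was running with */
};

static struct ss_probe probe;
static volatile sig_atomic_t handler_ran;

#if defined(__linux__) && defined(__x86_64__)
static unsigned short read_ss(void)
{
    unsigned int ss;
    __asm__ volatile ("mov %%ss, %0" : "=r"(ss));
    return (unsigned short)ss;
}

static void ss_handler(int sig, siginfo_t *si, void *ctx)
{
    const ucontext_t *uc = ctx;
    (void)sig;
    (void)si;
    probe.uc_flags = uc->uc_flags;
    /* cs is bits 0-15, gs 16-31, fs 32-47 and ss 48-63 of that slot */
    probe.saved_ss = (unsigned short)(uc->uc_mcontext.gregs[REG_CSGSFS] >> 48);
    probe.live_ss = read_ss();
    handler_ran = 1;
}
#endif

/* Returns 0 when not applicable (not Linux/x86-64), 1 when the kernel set
 * UC_SIGCONTEXT_SS and the recorded SS matches the flat SS the handler runs
 * with, 2 when the kernel does not set UC_SIGCONTEXT_SS (old ABI), and -1 on
 * a setup failure or an inconsistent context. */
int run_ss_probe(void)
{
#if defined(__linux__) && defined(__x86_64__)
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = ss_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, &old) != 0)
        return -1;
    handler_ran = 0;
    raise(SIGUSR1);
    sigaction(SIGUSR1, &old, NULL);
    if (!handler_ran)
        return -1;
    if (!(probe.uc_flags & UC_SIGCONTEXT_SS))
        return 2;
    /* The signal interrupted ordinary 64-bit code, so the saved SS must be
     * the same flat selector the handler itself was started with. */
    if (probe.saved_ss != probe.live_ss)
        return -1;
    return 1;
#else
    return 0;
#endif
}

unsigned long ss_probe_flags(void) { return probe.uc_flags; }
int ss_probe_strict(void) { return (probe.uc_flags & UC_STRICT_RESTORE_SS) != 0; }

int main(void)
{
    int r = run_ss_probe();
    printf("probe result %d, uc_flags 0x%lx, saved ss 0x%x, live ss 0x%x, strict %d\n",
           r, probe.uc_flags, probe.saved_ss, probe.live_ss, ss_probe_strict());
    return r < 0;
}
```

On a kernel carrying this series, a signal that interrupts ordinary 64-bit code arrives with both UC_SIGCONTEXT_SS and UC_STRICT_RESTORE_SS set and the saved SS equal to the flat selector the handler runs with, so run_ss_probe() returns 1 and ss_probe_strict() is non-zero; a kernel without UC_SIGCONTEXT_SS makes it return 2, which is how a program like dosemu can tell which sigreturn rules apply before it relies on a saved LDT SS.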
Thread overview: 26+ messages
2015-10-13 1:04 [RFC 0/4] x86: sigcontext SS fixes, take 2 Andy Lutomirski
2015-10-13 1:04 ` [RFC 1/4] x86/signal/64: Add a comment about sigcontext->fs and gs Andy Lutomirski
2015-10-13 1:04 ` [RFC 2/4] x86/signal/64: Fix SS if needed when delivering a 64-bit signal Andy Lutomirski
2015-10-13 1:04 ` [RFC 3/4] x86/signal/64: Re-add support for SS in the 64-bit signal context Andy Lutomirski
2015-10-13 14:59 ` Stas Sergeev
2015-10-14 15:01 ` Ingo Molnar
2015-10-14 15:09 ` Stas Sergeev
2015-10-14 16:40 ` Andy Lutomirski
2015-10-14 17:40 ` Stas Sergeev [this message]
2015-10-14 18:06 ` Andy Lutomirski
2015-10-14 18:34 ` Stas Sergeev
2015-10-14 18:52 ` Andy Lutomirski
2015-10-14 21:37 ` Stas Sergeev
2015-10-14 21:41 ` Andy Lutomirski
2015-10-18 13:36 ` Stas Sergeev
2015-10-18 16:12 ` Andy Lutomirski
2015-10-18 16:29 ` Stas Sergeev
2015-10-18 16:36 ` Andy Lutomirski
2015-10-18 16:43 ` Stas Sergeev
2015-10-18 17:06 ` Andy Lutomirski
2015-10-14 16:40 ` Cyrill Gorcunov
2015-10-14 16:42 ` Andy Lutomirski
2015-10-14 16:57 ` Cyrill Gorcunov
2015-10-14 16:57 ` Stas Sergeev
2015-10-14 17:01 ` Cyrill Gorcunov
2015-10-13 1:04 ` [RFC 4/4] selftests/x86: Add tests for UC_SIGCONTEXT_SS and UC_STRICT_RESTORE_SS Andy Lutomirski