From: Brian Gerst <bgerst@didntduck.org>
To: Andi Kleen <ak@suse.de>
Cc: Linux kernel mailing list <linux-kernel@vger.kernel.org>
Subject: Re: [CHECKER] large stack variables (>=1K) in 2.4.4 and 2.4.4-ac8
Date: Fri, 25 May 2001 07:52:02 -0400
Message-ID: <3B0E4762.7A7A3818@didntduck.org>
In-Reply-To: <200105242110.OAA29766@csl.Stanford.EDU> <200105242308.f4ON8fv8015978@webber.adilger.int> <20010525013303.A21810@gruyere.muc.suse.de>

Andi Kleen wrote:
> 
> On Thu, May 24, 2001 at 05:08:40PM -0600, Andreas Dilger wrote:
> > I'm curious about this stack checker.  Does it check for a single
> > stack allocation >= 1024 bytes, or does it also check for several
> > individual, smaller allocations which total >= 1024 bytes inside
> > a single function?  That would be equally useful.
> 
> At one time someone had a script to grep objdump -S vmlinux for the
> stack allocations generated by gcc and check them. It found a few
> cases. It is easy to rewrite, as they are very regular instruction
> patterns at the beginning of functions (at least when you ignore variable
> length stack arrays, which do not seem to be common in the kernel anyways)
> 
> >
> > On a side note, does anyone know if the kernel does checking if the
> > stack overflowed at any time?  It is hard to use Dawson's tools to
> > verify call paths because of interrupts and such, but I wonder what
> > happens when the kernel stack overflows - OOPS, or silent corruption?
> 
> You normally get a silent hang or worse a stack fault exception
> (which linux/x86 without kdb cannot recover from) which gives you instant
> reboot.
> The ikd patches contain a stack overflow checker for runtime.

Actually, you will never get a stack fault exception, since with a flat
stack segment you can never get a limit violation.  All you will do is
corrupt the data in task struct and cause an oops later on when the
kernel tries to use the task struct.  There are only two ways to
properly trap a kernel stack overflow:

- Make the stack segment non-flat, putting the limit just above the task
struct.  Ugly, because we want to stay away from segmentation.  The
stack fault handler would have to be a task gate.  This also causes
problems because pointers accessed through %ebp also use the stack
segment by default.  We would either need to leave frame pointers turned
on or teach GCC to use %ds overrides when using %ebp as a pointer.

- Add a not-present guard page at the bottom of the stack.  This means
the stack would have to live in vmalloc'ed memory, which I don't think
the kernel can handle at this time (with lazy vmalloc mapping).  The
task struct would have to be moved elsewhere or it would still get
overwritten.  Then a double fault task would be able to detect this and
kill the task.

In other words, with the current x86 architecture, there isn't really
much we can do to handle stack overflows without sacrificing
performance.  Good discipline is the best we have.

-- 

						Brian Gerst
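The kind of objdump-scanning script Andi Kleen mentions in the quoted part of this message, written out as an added example (it is not from this thread, from Dawson Engler's checker, or from any kernel tree). It reads `objdump -d` output, looks only at each function's prologue (up to the first call, jump, leave or ret), sums the pushes and the `sub $imm,%esp` frame allocation, and reports functions at or above a threshold (1024 bytes by default, matching the subject line). Runtime-sized allocations (`sub %eax,%esp`, the variable-length arrays Andi excludes) are flagged separately because a static scan cannot bound them. The embedded disassembly sample is constructed for the example, with made-up addresses and function names, and the parser assumes objdump's default tab-separated layout.

```python
import re
import sys

# Constructed sample of `objdump -d` output.  Addresses, byte encodings and
# function names are invented for this demonstration; nothing here comes
# from a real vmlinux.
SAMPLE_OBJDUMP = """\
c0105000 <small_frame>:
c0105000:\t55                   \tpush   %ebp
c0105001:\t89 e5                \tmov    %esp,%ebp
c0105003:\t83 ec 10             \tsub    $0x10,%esp
c0105006:\te8 00 00 00 00       \tcall   c010500b <helper>
c010500b:\tc9                   \tleave
c010500c:\tc3                   \tret

c0105010 <big_buffer_on_stack>:
c0105010:\t55                   \tpush   %ebp
c0105011:\t89 e5                \tmov    %esp,%ebp
c0105013:\t57                   \tpush   %edi
c0105014:\t56                   \tpush   %esi
c0105015:\t81 ec 00 04 00 00    \tsub    $0x400,%esp
c010501b:\te8 00 00 00 00       \tcall   c0105020 <helper>
c0105020:\t5e                   \tpop    %esi
c0105021:\t5f                   \tpop    %edi
c0105022:\tc9                   \tleave
c0105023:\tc3                   \tret

c0105030 <variable_length_array>:
c0105030:\t55                   \tpush   %ebp
c0105031:\t89 e5                \tmov    %esp,%ebp
c0105033:\t29 c4                \tsub    %eax,%esp
c0105035:\tc9                   \tleave
c0105036:\tc3                   \tret
"""

FUNC_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:\s*$")
# `sub $0x400,%esp` (or %rsp on x86-64): a fixed-size frame allocation.
SUB_IMM_RE = re.compile(r"^\$0x([0-9a-f]+),%[er]sp$")
# `sub %eax,%esp`: a runtime-sized allocation (alloca / variable-length
# array) that a static scan cannot bound.
SUB_REG_RE = re.compile(r"^%[a-z0-9]+,%[er]sp$")
PROLOGUE_END = ("call", "callq", "leave", "leaveq", "ret", "retq")


def parse_objdump(text):
    """Return {function: (fixed_frame_bytes, has_dynamic_alloc)}.

    Only the prologue is examined: instructions up to the first call, jump,
    leave or ret.  Each push adds the register width; each `sub $imm,%esp`
    adds imm.  Assumes objdump's default tab-separated line layout:
    address, raw bytes, then mnemonic and operands.
    """
    frames = {}
    current = None
    in_prologue = False
    for line in text.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current = m.group(1)
            frames[current] = (0, False)
            in_prologue = True
            continue
        if current is None or not in_prologue:
            continue
        parts = line.split("\t")
        if len(parts) < 3 or not parts[2].strip():
            continue  # blank line, section header or raw-byte continuation
        fields = parts[2].split(None, 1)
        mnemonic = fields[0]
        operands = fields[1].strip() if len(fields) > 1 else ""
        frame, dynamic = frames[current]
        if mnemonic.startswith("push"):
            # 64-bit registers (%rbp, %r12, ...) take 8 bytes, 32-bit ones 4.
            frame += 8 if operands.startswith("%r") else 4
        elif mnemonic.startswith("sub"):
            imm = SUB_IMM_RE.match(operands)
            if imm:
                frame += int(imm.group(1), 16)
            elif SUB_REG_RE.match(operands):
                dynamic = True
        frames[current] = (frame, dynamic)
        if mnemonic in PROLOGUE_END or mnemonic.startswith("j"):
            in_prologue = False
    return frames


def report_large_frames(text, threshold=1024):
    """Functions whose fixed prologue frame is >= threshold, largest first."""
    hits = [(name, size) for name, (size, _dyn) in parse_objdump(text).items()
            if size >= threshold]
    return sorted(hits, key=lambda h: -h[1])


def dynamic_frames(text):
    """Functions with a runtime-sized stack allocation the scan cannot bound."""
    return sorted(name for name, (_size, dyn) in parse_objdump(text).items() if dyn)


if __name__ == "__main__":
    # Usage: objdump -d vmlinux | python3 stackcheck.py [threshold]
    limit = int(sys.argv[1]) if len(sys.argv) > 1 else 1024
    disasm = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OBJDUMP
    for name, size in report_large_frames(disasm, limit):
        print(f"{size:6d}  {name}")
    for name in dynamic_frames(disasm):
        print(f"  dyn?  {name}")
```

On the sample this reports `big_buffer_on_stack` at 1036 bytes (three pushes plus the 0x400 frame) and lists `variable_length_array` as unbounded. As the thread notes, this catches single large frames only; it says nothing about the depth of the call chain that consumes the rest of the stack.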

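Brian's second option, a not-present guard page at the bottom of the stack, modelled in user space as an added example (not code from this thread or from the kernel). A two-page region is mapped with mmap(), the lower page is made inaccessible with mprotect(PROT_NONE), and a frame that runs past the usable page traps with SIGSEGV instead of silently overwriting what lies below, which in the 2.4 layout would be the task struct. The function names (`probe_stack_use`, `usable_stack_bytes`), the two-page size and the SIGSEGV/siglongjmp recovery are this example's own assumptions; a kernel cannot take this route as cheaply, which is the message's point.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added demonstration, not code from this thread or the kernel: a
 * user-space model of a guard page below a stack.  All names and sizes
 * are made up for the example. */

static sigjmp_buf fault_jump;

/* Fault handler: unwind back to the probe so it can report the trap. */
static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(fault_jump, 1);
}

/* Bytes usable before the guard page is reached: one page in this model. */
size_t usable_stack_bytes(void)
{
    return (size_t)sysconf(_SC_PAGESIZE);
}

/* Map two pages: the upper one is the usable stack, the lower one the
 * guard.  Returns the base (lowest address) or MAP_FAILED. */
static void *map_guarded_stack(size_t page)
{
    void *base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return MAP_FAILED;
    if (mprotect(base, page, PROT_NONE) != 0) {   /* lowest page: no access */
        munmap(base, 2 * page);
        return MAP_FAILED;
    }
    return base;
}

/* Simulate a function needing frame_bytes of stack by writing downward
 * from the top of the region.  Returns 1 if the guard page trapped the
 * write, 0 if the frame fit, -1 if the mapping could not be set up. */
int probe_stack_use(size_t frame_bytes)
{
    size_t page = usable_stack_bytes();
    void *base = map_guarded_stack(page);
    if (base == MAP_FAILED)
        return -1;
    volatile unsigned char *top = (unsigned char *)base + 2 * page;

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) {
        munmap(base, 2 * page);
        return -1;
    }

    volatile int tripped = 0;
    if (sigsetjmp(fault_jump, 1) == 0) {
        /* Highest address first, the way a growing stack touches memory. */
        for (size_t i = 1; i <= frame_bytes; i++)
            *(top - i) = 0xAA;
    } else {
        tripped = 1;   /* landed here from on_segv() */
    }

    sigaction(SIGSEGV, &old, NULL);
    munmap(base, 2 * page);
    return tripped;
}

int main(void)
{
    size_t page = usable_stack_bytes();
    printf("page size %zu\n", page);
    printf("frame of %zu bytes: %s\n", page / 2,
           probe_stack_use(page / 2) ? "trapped" : "fits");
    printf("frame of %zu bytes: %s\n", page + 1,
           probe_stack_use(page + 1) ? "trapped" : "fits");
    return 0;
}
```

The trap fires on the first byte past the usable page, which is exactly the property the thread wants from a kernel stack: detection at the boundary rather than an oops later when the corrupted task struct is used. What user space gets for free here (a fault handler on its own stack, a pageable mapping) is what makes the kernel version costly.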