Bug 153531

Summary: Missing size check in sigaltstack
Product: Process Management
Reporter: Florian Weimer (fweimer)
Component: Other
Assignee: process_other
Status: NEW
Severity: normal
CC: hjl.tools
Priority: P1
Hardware: All
OS: Linux
See Also: https://sourceware.org/bugzilla/show_bug.cgi?id=20305
Kernel Version: 3.10 (with backports)
Tree: Mainline
Regression: Yes
Attachments: tst-minsigstksz.c; A new testcase

Description Florian Weimer 2016-08-22 15:02:03 UTC
Created attachment 229691: tst-minsigstksz.c

The sigaltstack system call does not check that the supplied stack is large enough to store just the kernel-supplied data related to siginfo_t.

This issue is particularly problematic because x86_64 defines MINSIGSTKSZ as 2048.  For plain x86_64, this is rather tight, but it works.  But if the kernel and the hardware support AVX-512F, MINSIGSTKSZ is too small, and the current kernel behavior results in memory corruption.

I'm attaching the test case from the corresponding glibc bug:

  https://sourceware.org/bugzilla/show_bug.cgi?id=20305

But I don't think this is something we can fix on the glibc side.  (MINSIGSTKSZ is part of the ABI, and we cannot change existing binaries anyway.)

I'm flagging this as a regression because it is a userspace ABI break.  The only conservative fix I can see is to avoid pushing the AVX-512F state to the stack if the specified stack segment is not large enough.
Comment 1 H.J. Lu 2020-09-26 12:37:01 UTC
Created attachment 292663: A new testcase

On Ice Lake laptop under x86-64 5.8.11 kernel, different MINSIGSTKSZs are needed for -m32 and -m64:

[hjl@gnu-icl-1 tmp]$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3453
[hjl@gnu-icl-1 tmp]$ ./a.out 
a.out: changed byte 50 bytes below configured stack

[hjl@gnu-icl-1 tmp]$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3454
[hjl@gnu-icl-1 tmp]$ ./a.out 
[hjl@gnu-icl-1 tmp]$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3837 -m32
[hjl@gnu-icl-1 tmp]$ ./a.out 
a.out: changed byte 42 bytes below configured stack

[hjl@gnu-icl-1 tmp]$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3838 -m32
[hjl@gnu-icl-1 tmp]$ ./a.out 
[hjl@gnu-icl-1 tmp]$
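The following is an added example, not one of the attached test cases and not code from the reporters. It shows the defensive side of the report: a program that asks the running kernel for the minimum alternate stack size (the AT_MINSIGSTKSZ auxiliary-vector entry, which later x86 kernels export; the fallback to the compile-time MINSIGSTKSZ is what an older kernel leaves you with) and then verifies, in the same way the attached test cases do, that delivering a signal onto an alternate stack of a given size neither leaves the alternate stack nor writes into a guard zone placed below it. The guard size, the SIGUSR1 choice and the function names are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

#ifndef AT_MINSIGSTKSZ
#define AT_MINSIGSTKSZ 51   /* generic auxv tag; missing from older headers */
#endif

/* Constructed guard zone placed directly below the alternate stack; it is
 * filled with a pattern and re-checked after signal delivery. */
#define GUARD_BYTES   4096
#define GUARD_PATTERN 0xA5

/* Minimum alternate stack size: what the kernel reports through the
 * auxiliary vector if it reports anything (getauxval() returns 0 when the
 * tag is absent), never less than the compile-time MINSIGSTKSZ. */
size_t required_altstack_size(void)
{
    unsigned long from_kernel = getauxval(AT_MINSIGSTKSZ);
    size_t need = (size_t)MINSIGSTKSZ;
    if (from_kernel > need)
        need = (size_t)from_kernel;
    return need;
}

static volatile uintptr_t handler_sp;   /* address of a handler local */

static void on_sigusr1(int sig)
{
    volatile char marker = (char)sig;   /* lives on whatever stack we run on */
    handler_sp = (uintptr_t)&marker;
}

/* Install an alternate stack of `size` bytes with a guard zone below it,
 * deliver SIGUSR1 onto it, restore the previous state, and return:
 *   0  handler ran on the alternate stack and the guard zone is intact
 *   1  handler did not run on the alternate stack
 *   2  bytes below the configured stack were modified (frame overflow)
 *  -1  a system call failed (errno is set) */
int check_altstack(size_t size)
{
    unsigned char *buf = malloc(GUARD_BYTES + size);
    if (buf == NULL)
        return -1;
    memset(buf, GUARD_PATTERN, GUARD_BYTES);
    unsigned char *stack = buf + GUARD_BYTES;

    stack_t ss = { .ss_sp = stack, .ss_size = size, .ss_flags = 0 };
    stack_t old_ss;
    if (sigaltstack(&ss, &old_ss) != 0) {
        free(buf);
        return -1;
    }

    struct sigaction sa, old_sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigusr1;
    sa.sa_flags = SA_ONSTACK;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, &old_sa) != 0) {
        sigaltstack(&old_ss, NULL);
        free(buf);
        return -1;
    }

    handler_sp = 0;
    raise(SIGUSR1);

    sigaction(SIGUSR1, &old_sa, NULL);   /* put the previous state back */
    sigaltstack(&old_ss, NULL);

    int rc = 0;
    if (handler_sp < (uintptr_t)stack || handler_sp >= (uintptr_t)stack + size)
        rc = 1;
    for (size_t i = 0; i < GUARD_BYTES; i++) {
        if (buf[i] != GUARD_PATTERN) {
            /* lowest touched byte, reported as the attached tests do */
            printf("changed byte %zu bytes below configured stack\n",
                   GUARD_BYTES - i);
            rc = 2;
            break;
        }
    }
    free(buf);
    return rc;
}

int main(void)
{
    size_t need = required_altstack_size();
    printf("compile-time MINSIGSTKSZ: %zu, required: %zu\n",
           (size_t)MINSIGSTKSZ, need);
    printf("check with required size: %d\n", check_altstack(need));
    printf("check with 64 KiB:        %d\n", check_altstack(64 * 1024));
    return 0;
}
```

Running the check with the size the kernel reports is the useful part: on a kernel that exports AT_MINSIGSTKSZ the result is 0, while on a kernel affected by this report, with a CPU whose XSAVE area pushes the frame past MINSIGSTKSZ, the guard zone catches the overflow and the program prints the same "changed byte N bytes below configured stack" line as the attached test cases instead of silently corrupting whatever sat below the stack.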