Bug 153531 - Missing size check in sigaltstack
Summary: Missing size check in sigaltstack
Status: NEW
Alias: None
Product: Process Management
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: process_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-22 15:02 UTC by Florian Weimer
Modified: 2020-09-26 12:37 UTC
CC List: 1 user

See Also:
Kernel Version: 3.10 (with backports)
Tree: Mainline
Regression: Yes


Attachments
tst-minsigstksz.c (1.53 KB, text/plain), 2016-08-22 15:02 UTC, Florian Weimer
A new testcase (1.61 KB, text/plain), 2020-09-26 12:37 UTC, H.J. Lu

Description Florian Weimer 2016-08-22 15:02:03 UTC
Created attachment 229691
tst-minsigstksz.c

The sigaltstack system call does not check that the supplied stack is large enough to store just the kernel-supplied data related to siginfo_t.

This issue is particularly problematic because x86_64 defines MINSIGSTKSZ as 2048.  For plain x86_64, this is rather tight, but it works.  But if the kernel and the hardware support AVX-512F, MINSIGSTKSZ is too small, and the current kernel behavior results in memory corruption.

I'm attaching the test case from the corresponding glibc bug:

  https://sourceware.org/bugzilla/show_bug.cgi?id=20305

But I don't think this is something we can fix on the glibc side.  (MINSIGSTKSZ is part of the ABI, and we cannot change existing binaries anyway.)

I'm flagging this as a regression because it is a userspace ABI break.  The only conservative fix I can see is to avoid pushing the AVX-512F state to the stack if the specified stack segment is not large enough.
Comment 1 H.J. Lu 2020-09-26 12:37:01 UTC
Created attachment 292663
A new testcase

On an Ice Lake laptop under the x86-64 5.8.11 kernel, different MINSIGSTKSZs are
needed for -m32 and -m64:

[hjl@gnu-icl-1 tmp]$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3453
[hjl@gnu-icl-1 tmp]$ ./a.out 
a.out: changed byte 50 bytes below configured stack

[hjl@gnu-icl-1 tmp]$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3454
[hjl@gnu-icl-1 tmp]$ ./a.out 
[hjl@gnu-icl-1 tmp]$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3837 -m32
[hjl@gnu-icl-1 tmp]$ ./a.out 
a.out: changed byte 42 bytes below configured stack

[hjl@gnu-icl-1 tmp]$ gcc tst-minsigstksz-2.c -DMY_MINSIGSTKSZ=3838 -m32
[hjl@gnu-icl-1 tmp]$ ./a.out 
[hjl@gnu-icl-1 tmp]$
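The following C program is an added illustration of the technique both comments rely on; it is not either of the attached test cases. It places a guard region filled with a known byte directly below an alternate stack of a chosen size, delivers SIGUSR1 onto that stack, and counts how many guard bytes were overwritten by the kernel's signal frame or the handler, which is exactly what "changed byte N bytes below configured stack" reports above. It also sizes an alternate stack from the runtime sources that appeared after this report, sysconf(_SC_MINSIGSTKSZ) (glibc 2.34) and the AT_MINSIGSTKSZ auxiliary-vector entry (x86 kernels from 5.14), both of which grow with the XSAVE features the kernel has enabled, instead of trusting the 2048-byte ABI constant. GUARD_BYTES, GUARD_FILL, probe_altstack and recommended_altstack_size are names chosen here, and the 16 KiB of handler headroom is an assumed figure.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_MINSIGSTKSZ): 0 on kernels that lack it */
#endif

#define GUARD_BYTES 4096   /* sentinel region placed immediately below ss_sp (chosen here) */
#define GUARD_FILL  0xA5   /* sentinel byte; any other value means the stack overflowed */

static volatile sig_atomic_t ran_on_altstack;
static uintptr_t alt_lo, alt_hi;   /* [ss_sp, ss_sp + ss_size) of the stack under test */

static void probe_handler(int signo)
{
    char marker;
    uintptr_t here = (uintptr_t)&marker;
    (void)signo;
    /* Record whether the handler's own frame really landed on the alternate stack. */
    ran_on_altstack = (here >= alt_lo && here < alt_hi);
}

/* Deliver one SIGUSR1 onto an alternate stack of `size` bytes and return the number
 * of guard bytes below it that were overwritten (0 means the stack was large enough).
 * Returns -1 with errno set if sigaltstack() rejected the size, -2 on allocation failure.
 * *handler_on_stack (if non-NULL) receives 1 when the handler ran on the alternate stack. */
int probe_altstack(size_t size, int *handler_on_stack)
{
    unsigned char *buf = malloc(GUARD_BYTES + size);
    if (!buf)
        return -2;
    memset(buf, GUARD_FILL, GUARD_BYTES);
    memset(buf + GUARD_BYTES, 0, size);

    stack_t ss, old_ss;
    memset(&ss, 0, sizeof ss);
    ss.ss_sp = buf + GUARD_BYTES;   /* the guard sits just below the configured stack */
    ss.ss_size = size;
    if (sigaltstack(&ss, &old_ss) != 0) {
        int saved = errno;
        free(buf);
        errno = saved;
        return -1;
    }
    alt_lo = (uintptr_t)ss.ss_sp;
    alt_hi = alt_lo + size;

    struct sigaction sa, old_sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sa.sa_flags = SA_ONSTACK;       /* ask the kernel to switch to the alternate stack */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGUSR1, &sa, &old_sa);

    ran_on_altstack = 0;
    raise(SIGUSR1);                 /* the kernel writes its frame below ss_sp + ss_size */

    sigaction(SIGUSR1, &old_sa, NULL);   /* restore the caller's handler and stack */
    sigaltstack(&old_ss, NULL);

    int clobbered = 0;
    for (size_t i = 0; i < GUARD_BYTES; i++)
        if (buf[i] != GUARD_FILL)
            clobbered++;
    if (handler_on_stack)
        *handler_on_stack = ran_on_altstack;
    free(buf);
    return clobbered;
}

/* Size an alternate stack from what the running kernel and libc report, not from
 * the compile-time MINSIGSTKSZ constant that this bug shows to be too small. */
size_t recommended_altstack_size(void)
{
    size_t need = (size_t)MINSIGSTKSZ;             /* ABI floor: 2048 on x86-64 */
#ifdef _SC_MINSIGSTKSZ
    long sc = sysconf(_SC_MINSIGSTKSZ);            /* glibc >= 2.34, tracks enabled XSAVE state */
    if (sc > 0 && (size_t)sc > need)
        need = (size_t)sc;
#endif
#if defined(__linux__) && defined(AT_MINSIGSTKSZ)
    unsigned long av = getauxval(AT_MINSIGSTKSZ);  /* kernel's own frame size, 0 if absent */
    if (av > need)
        need = (size_t)av;
#endif
    /* The reported figure covers only the kernel frame; leave room for the handler
     * itself (16 KiB is an assumed headroom, not a documented value). */
    return need + 16 * 1024;
}
```

Drive probe_altstack() downward from recommended_altstack_size() the way the test in comment 1 was driven with -DMY_MINSIGSTKSZ to find the real frame size on a given machine, but only in a disposable process: below the true frame size the outcome is kernel-dependent. The kernels this report describes silently write past ss_sp (a nonzero count), whereas kernels that later gained an overflow check may kill the process with SIGSEGV, or reject the size from sigaltstack() with ENOMEM when the strict size check is enabled. Any size below MINSIGSTKSZ is rejected with ENOMEM on every kernel.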
