Re: [regression] x86/signal/64: Fix SS handling for signals delivered to 64-bit programs breaks dosemu

[Stas Sergeev]

12.08.2015 22:20, Andy Lutomirski ÐÐÑÐÑ:
> On Wed, Aug 12, 2015 at 11:55 AM, Stas Sergeev <stsp@xxxxxxx> wrote:
> > 12.08.2015 21:25, Andy Lutomirski ÐÐÑÐÑ:
> > > > > > https://github.com/stsp/dosemu2/commit/7898ac60d5e569964127d6cc48f592caecd20b81
> > > > > So the problem is that dosemu was actually hacking around the old
> > > > > buggy behavior and thus relying on it.  Grr.
> > > > What else it could do? :(
> > > Going back in time?  Ask the kernel to fix the issue.
> > Like this?
> > http://www.x86-64.org/pipermail/discuss/2007-May/009913.html
> > And this:
> > http://www.x86-64.org/pipermail/discuss/2007-May/009923.html
> I apologize on behalf of the upstream kernel in 2007.  :-/  I wasn't
> really involved at that point.
:)

> > > > > Let me see if I can come up with a clean kernel fix.
> > > > The check for proper sigreturn would be good.
> > > I still don't see how sigreturn matters here.  It's signal *delivery*
> > > that's the problem.
> > But the delivery can be easily checked with "if (ss & 4)".
> > What remains is just a sigreturn instead of iret.
> >
> > > I'm thinking of having signal delivery zap ss only if the old ss looks
> > > bogus instead of zapping it unconditionally.  IOW, instead of setting
> > > regs->ss = __USER_DS unconditionally, we'd do larl on the old regs->ss
> > > and keep it if it's DPL 3 RW data (exp-down or otherwise) and present.
> > I am not sure how good is this.
> > Yes, may help for a backward-compatibility.
> > But OTOH the 32bit kernel saves _all_ registers, including
> > ss, which is IMHO the right thing to do in general.
> I agree.  So does x32.
>
> Are you planning on merging your patches into upstream DOSEMU?
Unlikely.
My git tree counts ~3000 patches already, so it is an
entirely separate project, which just happen to share
some code with dosemu (and under different license).
But we can discuss a binary-compatible fix, so that the
original dosemu can work too.

> > > I'll have to check the precise rules in both the SDM and APM.  The
> > > idea is that we don't want IRET to fail during signal delivery, which
> > > can happen due to a bad sigreturn or a race against modify_ldt.
> > Well, this is a "very basic" idea, so to say.
> > The fact that segregs are not restored, have much more
> > consequences, and since now you already broke things,
> > I wonder if something can be finally fixed for good...
> >
> > What alternatives do we have? Can we do something
> > really brave, introduce a new sigaction flag perhaps, that
> > will just restore all segregs for new apps, and none - for
> > old apps? I mean the above gcc bugzilla ticket in particular -
> > very annoying one...
> We might need to do that.
>
> Here's a nasty case:
>
> void sighandler(...) {
>    switch_userspace_thread();
> }
>
> Suppose that switch_userspace_thread() changes fs.  Now what?  On
The crash - see the gcc ticket in the prev e-mail.
If fs on function entry differs from fs on exit, the gcc
stack protector will terminate the program.
So such code will not exist, except maybe in some
asm form...

> current kernels, it stays switched.  If we change this, it won't stay
> switched.  Even ignoring old ABI, it's not really clear to me what the
> right thing to do is.
There can be the following cases:
- switch_userspace_thread() switches fs to non-zero selector
- switch_userspace_thread() switches the fs base via syscall
- switch_userspace_thread() switches fs in sigcontext
- switch_userspace_thread() switches fs_base in sigcontext (???)
What exactly case do you have in mind?
I'd say, the way x86_32 is doing things - is good, but the
bases... perhaps, in ideal world, they should be a part of
the sigcontext as well?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/