Re: [PATCH] [Cleanup] x86: signal: unify the sigaltstack check with other arches
From: Andy Lutomirski
Date: Wed Mar 09 2016 - 19:02:50 EST
On Tue, Mar 8, 2016 at 8:20 AM, Ingo Molnar <mingo@xxxxxxxxxx> wrote:
>
> * Stas Sergeev <stsp@xxxxxxx> wrote:
>
>> 25.02.2016 11:25, Ingo Molnar ÐÐÑÐÑ:
>> >
>> > * Stas Sergeev <stsp@xxxxxxx> wrote:
>> >
>> >> Currently x86's get_sigframe() checks for "current->sas_ss_size"
>> >> to determine whether there is a need to switch to sigaltstack.
>> >> The common practice used by all other arches is to check for
>> >> sas_ss_flags(sp) == 0
>> >>
>> >> This patch makes the code consistent with other arches.
>> >> The slight complexity of the patch is added by the optimization on
>> >> !sigstack check that was requested by Andy Lutomirski: sas_ss_flags(sp)==0
>> >> already implies that we are not on a sigstack, so the code is shuffled
>> >> to avoid the duplicate checking.
>> >
>> > So this changelog is missing an analysis about what effect this change will have
>> > on applications. Can any type of user-space code see a change in behavior? If yes,
>> > what will happen and is that effect desirable?
>> This is a clean-up, and as such, there is no visible effect.
>> If there is - it is a bug.
>> The purpose of this patch is only to unify the x86 code with
>> what all the other arches do. It was initially the part of the
>> rejected series, but now it is just a clean-up.
>
> Ok, so AFAICS the relevant change is:
>
> - if (current->sas_ss_size)
> - sp = current->sas_ss_sp + current->sas_ss_size;
> + if (sas_ss_flags(sp) == 0)
> + sp = current->sas_ss_sp + current->sas_ss_size;
>
> and since sas_ss_flags() is defined as:
>
> static inline int sas_ss_flags(unsigned long sp)
> {
> if (!current->sas_ss_size)
> return SS_DISABLE;
>
> return on_sig_stack(sp) ? SS_ONSTACK : 0;
> }
>
> sas_ss_flags() returns 0 iff current->sas_ss_size && !on_sig_stack().
>
> But we already have on_sig_stack(sp) calculated. Why not write that as:
>
> + if (current->sas_ss_size && !onsigstack)
> + sp = current->sas_ss_sp + current->sas_ss_size;
>
> and since we check '!onsigstack' in both branches, we might as well factor it out
> into a single condition ... and arrive to the exact code that we began with.
ISTM it's silly for us to be unconditionally computing onsigstack.
We're doing it because we need it later for this:
/*
* If we are on the alternate signal stack and would overflow it, don't.
* Return an always-bogus address instead so we will die with SIGSEGV.
*/
if (onsigstack && !likely(on_sig_stack(sp)))
return (void __user *)-1L;
This seems basically useless to me. Sure, it's nice to send SIGSEGV
if we overflow due to signal delivery. But we're almost as likely to
overflow in the signal handler as we are to overflow during delivery,
and we don't even try to catch that.
Anyway, I think we should make two changes to the sig_on_stack thing:
1. If SS_AUTODISARM, then we're not on the stack, regardless of what sp says.
2. If !user_64bit_mode(regs) && (regs->ss & 0x4), then we're not on
the signal stack. This will happen if we're running on an LDT stack
and we coincidentally have the ESP part of SS:ESP matching the signal
stack.
In general, the existing design is crap and it should always have
worked the way that Stas is proposing with SS_AUTODISARM.
--Andy