Hi Michael,

Unfortunately, this patch doesn't completely solve the problem.

Trying the original reproducer, I'm still able to trigger the crash even with this patch, although not 100% of the time. (If I turn ASLR off outside of tmux it reliably crashes; if I turn ASLR off _inside_ of tmux it reliably succeeds; all of this is on a serial console.)

./foo 1241000 & sleep 1; killall -USR1 foo; echo ok

If I add some debugging information, I see that I'm getting

address + 4096 = 7fffffed0fa0
gpr1 = 7fffffed1020

So address + 4096 is 0x80 bytes below the 4k window. I haven't been able to figure out why; gdb gives me a NIP in __kernel_sigtramp_rt64 but I don't know what to make of that.

Kind regards,
Daniel

P.S. I don't know what your policy on linking to kernel bugzilla is, but if you want:

Link: https://bugzilla.kernel.org/show_bug.cgi?id=205183

> Reported-by: Tom Lane <t...@sss.pgh.pa.us> > Signed-off-by: Michael Ellerman <m...@ellerman.id.au> > --- > arch/powerpc/mm/fault.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c > index 641fc5f3d7dd..ed01329dd12b 100644 > --- a/arch/powerpc/mm/fault.c > +++ b/arch/powerpc/mm/fault.c > @@ -274,7 +274,7 @@ static bool bad_stack_expansion(struct pt_regs *regs, > unsigned long address, > /* > * N.B. The POWER/Open ABI allows programs to access up to > * 288 bytes below the stack pointer. > - * The kernel signal delivery code writes up to about 1.5kB > + * The kernel signal delivery code writes up to 4KB > * below the stack pointer (r1) before decrementing it. > * The exec code can write slightly over 640kB to the stack > * before setting the user r1. Thus we allow the stack to 
> @@ -299,7 +299,7 @@ static bool bad_stack_expansion(struct pt_regs *regs, > unsigned long address, > * between the last mapped region and the stack will > * expand the stack rather than segfaulting. > */ > - if (address + 2048 >= uregs->gpr[1]) > + if (address + 4096 >= uregs->gpr[1]) > return false; > > if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) && > -- > 2.25.1
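Review bot: the first hunk's new comment states that signal delivery writes "up to 4KB" below r1, but the debug output in this reply shows a fault at gpr1 - 0x1080, i.e. 0x80 bytes beyond a 4KB window, so the stated figure is still too small for the reproducer. Rather than a round number, the comment should say where the bound comes from (the size of the rt signal frame plus whatever the signal code reserves below it) so a reader can check it against the signal delivery code instead of trusting the literal.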
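Review bot: in the second hunk, `if (address + 4096 >= uregs->gpr[1])` swaps one magic number for another, and the reproducer in this thread still faults 0x80 bytes outside the new window. Suggest replacing the literal with a named constant derived from the signal frame size used by the signal delivery code (the same quantity the comment above describes), so the check and the frame layout cannot drift apart, and confirming that constant covers the observed 0x1080-byte offset below r1.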
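The following C model is added here and is neither the thread's nor the kernel's code; it reproduces the arithmetic of the patch's `address + N >= gpr[1]` test using the two values from the debug output in the reply above, to show how much slack that particular fault actually needed. The constant and function names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the test in bad_stack_expansion(): a fault at `address` is
 * accepted as legitimate stack growth when it lies within `slack` bytes
 * below the user stack pointer (r1). This mirrors the patch's
 *     if (address + 4096 >= uregs->gpr[1]) return false;
 * with the literal replaced by a parameter. (Hypothetical helper.)
 */
static bool within_stack_slack(uint64_t address, uint64_t gpr1, uint64_t slack)
{
    return address + slack >= gpr1;
}

/*
 * Distance from the faulting address up to r1; this is the smallest slack
 * the check would need to accept the fault. (Hypothetical helper.)
 */
static uint64_t required_slack(uint64_t address, uint64_t gpr1)
{
    return gpr1 > address ? gpr1 - address : 0;
}

/*
 * Values taken from the reply's debug output:
 *   address + 4096 = 7fffffed0fa0
 *   gpr1           = 7fffffed1020
 * so the raw fault address is 0x7fffffed0fa0 - 0x1000.
 */
#define REPORTED_ADDRESS_PLUS_4K 0x7fffffed0fa0ULL
#define REPORTED_GPR1            0x7fffffed1020ULL
#define REPORTED_ADDRESS         (REPORTED_ADDRESS_PLUS_4K - 4096ULL)

int main(void)
{
    uint64_t need = required_slack(REPORTED_ADDRESS, REPORTED_GPR1);

    printf("fault is 0x%llx (%llu) bytes below r1\n",
           (unsigned long long)need, (unsigned long long)need);
    printf("old check (2048): %s\n",
           within_stack_slack(REPORTED_ADDRESS, REPORTED_GPR1, 2048) ? "accept" : "SIGSEGV");
    printf("patched check (4096): %s\n",
           within_stack_slack(REPORTED_ADDRESS, REPORTED_GPR1, 4096) ? "accept" : "SIGSEGV");
    printf("check with required slack: %s\n",
           within_stack_slack(REPORTED_ADDRESS, REPORTED_GPR1, need) ? "accept" : "SIGSEGV");
    return 0;
}
```

With the reported values the fault sits 0x1080 bytes below r1, so both the 2048-byte and the 4096-byte windows reject it; the 0x80-byte shortfall matches the "0x80 bytes below the 4k window" observation in the reply.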