This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [RFC] nptl: change default stack guard size of threads

From: Florian Weimer <fweimer at redhat dot com>
To: Rich Felker <dalias at libc dot org>, Carlos O'Donell <carlos at redhat dot com>
Cc: Szabolcs Nagy <szabolcs dot nagy at arm dot com>, GNU C Library <libc-alpha at sourceware dot org>, nd at arm dot com, Jeff Law <law at redhat dot com>, Richard Earnshaw <Richard dot Earnshaw at arm dot com>, Wilco Dijkstra <Wilco dot Dijkstra at arm dot com>, James Greenhalgh <James dot Greenhalgh at arm dot com>
Date: Wed, 29 Nov 2017 21:33:18 +0100
Subject: Re: [RFC] nptl: change default stack guard size of threads
Authentication-results: sourceware.org; auth=none
References: <5A1ECB40.9080801@arm.com> <76c38ecf-6497-c96c-5c8c-95cceed100a5@redhat.com> <d06107b5-3f5d-c706-6bda-0fc7715e32b6@redhat.com> <20171129182909.GE1627@brightrain.aerifal.cx>

On 11/29/2017 07:29 PM, Rich Felker wrote:

On Wed, Nov 29, 2017 at 10:16:54AM -0800, Carlos O'Donell wrote:

On 11/29/2017 07:18 AM, Florian Weimer wrote:

On 11/29/2017 03:59 PM, Szabolcs Nagy wrote:

The change can be made for aarch64 only


That doesn't seem to be the case, looking at the patch.

So what you intended to do, exactly?

A 64 KiB probe interval on legacy 32-bit architectures is really a
no-go.  It means we have to increase the guard region size to 64 KiB.
But we cannot do that: The guard allocation comes out of the overall
thread stack size, and existing applications do not expect that 60K
of configured stack suddenly becomes unavailable.  Adding the guard
size on top of the allocation will break setups which are carefully
tuned for a maximum number of threads.


We cannot be held to account for carefully tuned applications, such
applications have to be tuned again for newer glibc.

I think we *could* do this for 64-bit and 32-bit AArch64/ARM, but I
don't see the value in doing it for 32-bit.


If 64k guard is mandatory for safety against jumping over the guard
zone, then I don't think it's possible to "re-tune" 32-bit apps for
the new requirement. This imposes a relatively small limit on possible
number of threads the process can create.

With the probing implementations I have seen so far, it is feasibletechnically because a probe will never touch a stack area which couldnot conceivably be touched by a signal handler, too.

But it is still a bad situation when GCC documents that it is onlyproviding full protection with guard size X, and you decide to run withsize X/16 to actually get things going. This means that yourconfiguration is out of scope what your vendor will supportsecurity-wise, and probably non-compliant with applicable guidelines atthe user site.

So technically you can run with a smaller guard size, but it's stillimpractical to do so for most organizations.


Thanks,
Florian

References:
- [RFC] nptl: change default stack guard size of threads
  - From: Szabolcs Nagy
- Re: [RFC] nptl: change default stack guard size of threads
  - From: Florian Weimer
- Re: [RFC] nptl: change default stack guard size of threads
  - From: Carlos O'Donell
- Re: [RFC] nptl: change default stack guard size of threads
  - From: Rich Felker

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]