Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 2 Jan 2018 14:49:09 -0500
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: [PATCH] Add comments to i386 assembly source

On Mon, Jan 01, 2018 at 07:15:50PM -0800, John Reiser wrote:
> On 01/01/2018 13:49 UTC, Rich Felker wrote:
> >On Mon, Jan 01, 2018 at 02:57:02PM -0800, John Reiser wrote:
> >>There's a bug.  clone() is a user-level function that can be used
> >>independently of the musl internal implementation of threads.
> >>Thus when clone() in musl/src/linux/clone.c calls
> >>         return __syscall_ret(__clone(func, stack, flags, arg, ptid, tls, ctid));
> >>then the i386 implementation of __clone has no guarantee about
> >>the value in %gs, and it is a bug to assume that (%gs >> 3)
> >>fits in 8 bits.
> >
> >The ABI is that at function call or any time a signal could be
> >received, %gs must always be a valid segment register value reflecting
> >the current thread's thread pointer. If this is violated, the program
> >has undefined behavior.
> 
> More than one segment descriptor can designate the same subset
> of the linear address space.  Duplicate the segment descriptor
> to a target selector that is >= 256, and load %gs with the
> duplicate selector before calling clone().

It's not clear to me that such a substition is valid; as far as I can
tell no explicit effort to ensure that it works is made, and it would
not happen without writing asm to do specifically that.

> >>The code in musl/src/thread/i386/clone.s wastes up to 12 bytes
> >>when aligning the new stack, by aligning before [pre-]allocating
> >>space for the one argument to the thread function.
> >
> >I suspect the initial value happens to be aligned anyway in which case
> >reserving 16 bytes and aligning to 16 is the same as reserving 4 and
> >aligning to 16. If you think it's not, I don't mind changing if you
> >can do careful testing to make sure it doesn't introduce any bugs.
> 
> This is another bug!  Consider the valid code:
> 	void **lo_stack = malloc(5 * sizeof(void *));
> 	/* malloc() guarantees 16-byte alignment of lo_stack */
> 	clone(func, &lo_stack[5], ...);

You can't run code on a 20-byte stack. This is not a surprise. In
theory it might be possible if the callee is only asm, but you can't
make C function calls since each call frame will consume at least 16
bytes (return address and alignment). I also disagree with considering
it valid to assume clone invokes the provided callback function
directly with no intervening functions; this is incorrect on SH right
now since we use a C function to smooth over the difference between
plain and fdpic calling conventions. ARM will probably do the same
once fdpic for cortex-M is added.

> then __clone() does:
> 	and $-16,%ecx  /* &lo_stack[4] */
> 	sub $ 16,%ecx  /* &lo_stack[0] */
> 	  ...
> 	mov %ecx,%esp  /* new thread: implicit action of ___NR_clone system call */
> 	call *%eax  /* OUT-OF-BOUNDS:  lo_stack[-1] = return address */
> 
> Thus, starting the thread function has scribbled outside the allocated area,
> even though the lo_stack[] array can accommodate the call by the code I showed:
> 	lea -NBPW(arg2),%ecx  /* &lo_stack[4] */
> 	and $-16,%ecx  /* still &lo_stack[4] */
> 	  ...
> 	mov %ecx,%esp  /* new thread: implicit action of __NR_clone system call */
> 	call *%eax  /* lo_stack[3] = return address */
> 
> The danger is not "new bugs", but rather revealing latent bugs that were
> obscured by the less-strict old code.  For instance, if the thread
> function actually has two formal parameters, or if it uses va_arg()
> to reference beyond the first actual argument, then running the optimal
> code is more likely to notice.

I agree with your analysis of what happens but I don't think it's
particularly interesting or a bug.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.