From owner-freebsd-hackers@freebsd.org Fri Apr 2 05:00:11 2021 Return-Path: Delivered-To: freebsd-hackers@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 02CE85C1571 for ; Fri, 2 Apr 2021 05:00:11 +0000 (UTC) (envelope-from asomers@gmail.com) Received: from mailman.nyi.freebsd.org (unknown [127.0.1.3]) by mx1.freebsd.org (Postfix) with ESMTP id 4FBSXp5104z3p8y for ; Fri, 2 Apr 2021 05:00:10 +0000 (UTC) (envelope-from asomers@gmail.com) Received: by mailman.nyi.freebsd.org (Postfix) id A9C715C1570; Fri, 2 Apr 2021 05:00:10 +0000 (UTC) Delivered-To: hackers@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id A98B75C156F for ; Fri, 2 Apr 2021 05:00:10 +0000 (UTC) (envelope-from asomers@gmail.com) Received: from mail-ot1-f48.google.com (mail-ot1-f48.google.com [209.85.210.48]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4FBSXp4Ltlz3p6T for ; Fri, 2 Apr 2021 05:00:10 +0000 (UTC) (envelope-from asomers@gmail.com) Received: by mail-ot1-f48.google.com with SMTP id h6-20020a0568300346b02901b71a850ab4so4085609ote.6 for ; Thu, 01 Apr 2021 22:00:10 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OyQIRg+s0fH/Ct5V135S2WmOJeMP/o7Pc4eREznJ/Ww=; b=f1QRc4z3aOdHevuDmDtHjV2jnz5QI1/AaCDeLeF1GzUimpH6s9b5wGJtDqqXte/KqO 686ni5PZzUm4N/qz2fvEioCBN/AD2tPAs6b1sqn07+7Y7GOZaAZyRC8LGlc7VXObWyvo h2EcTnw99ps8HBvpm7tA9HBjg4QoHj2uEytJNhFXUMgdS9AfrsgrXPMtETMUX+98gcr9 KIgpWMO6X2HrU6yUV1YxUtEG4aZp0S+NxNm+oK5HgjDL8IP7fOvthW3sRamW5NRbe+27 REdx6l9U6YlBhGG2SAbGSowYBPXPtu6N8NxhKZ6nqfnXDOt8MQyRp82IivkeB5isyqPn bXpg== X-Gm-Message-State: AOAM530vmB32D4pQfcajc5Zxa7n6J3lhL31RHe2QzLwdBDehwTiE8l22 OIp7S7I02EKTWf1U4JL1JPlxFK0lDjLA+01MiIui6VmQjdQ= X-Google-Smtp-Source: ABdhPJyIuF1quHPQg2h95E5hlC21oCfaHPKFJA5OCcIAmXyxs3PvN28MZHWVsGS1H2DMXChAb5UU6ut7LJGHVO8yeqw= X-Received: by 2002:a05:6830:1af6:: with SMTP id c22mr9500783otd.291.1617339609091; Thu, 01 Apr 2021 22:00:09 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Alan Somers Date: Thu, 1 Apr 2021 22:59:57 -0600 Message-ID: Subject: Re: How does the stack's guard page work on amd64? To: Konstantin Belousov Cc: "freebsd-hackers@freebsd.org" X-Rspamd-Queue-Id: 4FBSXp4Ltlz3p6T X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.34 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Technical discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Apr 2021 05:00:11 -0000 On Thu, Apr 1, 2021 at 12:59 AM Konstantin Belousov wrote: > On Wed, Mar 31, 2021 at 10:06:30PM -0600, Alan Somers wrote: > > On Wed, Mar 31, 2021 at 5:21 AM Konstantin Belousov > > > wrote: > > > > > On Tue, Mar 30, 2021 at 08:28:09PM -0600, Alan Somers wrote: > > > > On Tue, Mar 30, 2021 at 3:35 AM Konstantin Belousov < > kostikbel@gmail.com > > > > > > > > wrote: > > > > > > > > > On Mon, Mar 29, 2021 at 11:06:36PM -0600, Alan Somers wrote: > > > > > > Rust tries to detect stack overflow and handles it differently > than > > > other > > > > > > segfaults, but it's currently broken on FreeBSD/amd64. I've got > a > > > patch > > > > > > that fixes the problem, but I would like someone to confirm my > > > reasoning. > > > > > > > > > > > > It seems like FreeBSD's main thread stacks include a guard page > at > > > the > > > > > > bottom. However, when Rust tries to create its own guard page > (by > > > > > > re-mmap()ping and mprotect()ing it), it seems like FreeBSD's > guard > > > page > > > > > > automatically moves up into the un-remapped region. At least, > > > that's how > > > > > > it behaves, based on the addresses that segfault. Is that > correct? > > > > > Show the facts. For instance, procstat -v (and a note which > > > > > mapping was established by runtime for the 'guard') would tell the > > > whole > > > > > story. > > > > > > > > > > My guess would be that procctl(PROC_STACKGAP_CTL, > > > &PROC_STACKGAP_DISABLE) > > > > > would be enough. Cannot tell without specific data. > > > > > > > > > > > > > > > > > For other threads, Rust doesn't try to remap the guard page, it > just > > > > > relies > > > > > > on the guard page created by libthr in _thr_stack_alloc. > > > > > > > > > > > > Finally, what changed in between FreeBSD 10.3 and 11.4? Rust's > stack > > > > > > overflow detection worked in 10.3. > > > > > > > > > > > > -Alan > > > > > > _______________________________________________ > > > > > > freebsd-hackers@freebsd.org mailing list > > > > > > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers > > > > > > To unsubscribe, send any mail to " > > > > > freebsd-hackers-unsubscribe@freebsd.org" > > > > > > > > > > > > > Here is the relevant portion of procstat -v for a test program built > with > > > > the buggy rustc: > > > > 651 0x801554000 0x80155d000 rw- 0 17 3 0 > ----- > > > df > > > > 651 0x801600000 0x801e00000 rw- 30 30 1 0 > ----- > > > df > > > > 651 0x7fffdfffd000 0x7fffdfffe000 --- 0 0 0 0 > ----- > > > -- > > > > 651 0x7fffdfffe000 0x7fffdffff000 --- 0 0 0 0 > ----- > > > -- > > > > <--- What Rustc thinks is the guard page > > > > 651 0x7fffdffff000 0x7fffe0000000 --- 0 0 0 0 > ----- > > > -- > > > > <--- Where did this come from? > > > This is the stack grow area, occupied by 'elastic' guard entry. > > > It serves two purposes: > > > 1. it keeps the space, preventing other non-fixed mappings from > selecting > > > the grow area for mapping. > > > 2. it prevents stack from growing down to the next mapping below it, > > > preventing issues like StackClash. > > > > > > See mmap(2) esp. MAP_STACK part of it. > > > > > > > I saw that. And I even saw where libthr uses MAP_STACK when creating new > > threads. However, this program is single-threaded. Where does the stack > > get created for a process's main thread? I couldn't find that. > In kernel during execve(2). Specifically, sys/kern/kern_exec.c, > exec_new_vmspace(), vm_map_stack() call. > > > > > > > > > > > > 651 0x7fffe0000000 0x7fffe001e000 rw- 30 30 1 0 > ---D- > > > df > > > > 651 0x7fffe001e000 0x7fffe003e000 rw- 32 32 1 0 > ---D- > > > df > > > > > > > > Rustc tries to create that guard page by finding the base address of > the > > > > stack, reallocating one page, then mprotect()ing it, like this: > > > > > > > > mmap(0x7fffdfffe000,0x1000,0x3,0x1012,0xffffffff,0) > > > > mprotect(0x7fffdfffe000,0x1000,0) > > > > > > > > If I patch rustc to not attempt to allocate a guard page, then its > memory > > > > map looks like this. Notice that 0x7fffdffff000 is now accessible > > > It is accessible because stack grown down into this address. > > > > > > > 662 0x801531000 0x80155b000 rw- 3 17 3 0 > ----- > > > df > > > > 662 0x801600000 0x801e00000 rw- 30 30 1 0 > ----- > > > df > > > > 662 0x7fffdfffd000 0x7fffdfffe000 --- 0 0 0 0 > ----- > > > -- > > > > 662 0x7fffdfffe000 0x7fffdffff000 --- 0 0 0 0 > ----- > > > -- > > > > 662 0x7fffdffff000 0x7fffe001e000 rw- 31 31 1 0 > ---D- > > > df > > > > 662 0x7fffe001e000 0x7fffe003e000 rw- 32 32 1 0 > ---D- > > > df > > > > > > > > So the real question is, why does 0x7fffdffff000 become protected > when > > > > rustc protects 0x7fffdfffe000 ? > > > See above. > > > > > > As I said in earlier response, if you want fully shrinkable stack > guard, > > > set procctl(PROC_STACKGAP_CTL, &PROC_STACKGAP_DISABLE) during runtime > > > initialization. > > > > > > Or better, do not create custom guard page at all, relying on system > guard. > > > > > > > That's what my patch does. But I've only tested it on amd64, and I don't > > have access to alternative architectures. Does every architecture > create a > > stack guard this way? > > Yes. > Thanks for the explanation. That led me to what has changed since 10.3: r320317 . I've opened a PR with rustc to fix the bug. Thanks for all your help. -Alan