From owner-freebsd-hackers@freebsd.org  Wed Mar 31 02:28:23 2021
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 989345B7E4C
 for <freebsd-hackers@mailman.nyi.freebsd.org>;
 Wed, 31 Mar 2021 02:28:23 +0000 (UTC)
 (envelope-from asomers@gmail.com)
Received: from mailman.nyi.freebsd.org (unknown [127.0.1.3])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F99Gb2PM7z4RMk
 for <freebsd-hackers@freebsd.org>; Wed, 31 Mar 2021 02:28:23 +0000 (UTC)
 (envelope-from asomers@gmail.com)
Received: by mailman.nyi.freebsd.org (Postfix)
 id 506AE5B7E4B; Wed, 31 Mar 2021 02:28:23 +0000 (UTC)
Delivered-To: hackers@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 502EB5B7E4A
 for <hackers@mailman.nyi.freebsd.org>; Wed, 31 Mar 2021 02:28:23 +0000 (UTC)
 (envelope-from asomers@gmail.com)
Received: from mail-lj1-f169.google.com (mail-lj1-f169.google.com
 [209.85.208.169])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F99Gb1lYbz4RV9
 for <hackers@freebsd.org>; Wed, 31 Mar 2021 02:28:22 +0000 (UTC)
 (envelope-from asomers@gmail.com)
Received: by mail-lj1-f169.google.com with SMTP id 184so22032172ljf.9
 for <hackers@freebsd.org>; Tue, 30 Mar 2021 19:28:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=zRWxaK/SAqSBT2BLLzcaev/CvRCTEAeUw0JLC0P75VU=;
 b=F9QSVblvyr0TUJ/m2/BmqSEGROMduDnFkqMUeYYLKCDlonqyV0xik2zLOXoC/65fhv
 zLDz7yFIvPTDBUqkU451BpoFDuvtHguLTG1Dd67HM+RFh8CkpjM+11H16LDw/Gcj+AuZ
 kgybt4qcThYYKfFnJgiktVR6qv3MJcIEN+ZeOwkLJWT4wn80GdpEC8YZkKU/Hh748Leu
 Ia0qnG9X7iI6a5HOr+EPi9a2ZVNXp7uaUd4GtRUY/Jm/ifVfQQqxuCaEFmXxff9l6/5U
 URle1/54+pirnsrIgIPlT9UzrTv96e5LH6XJc+8+a6xbS16X1lYO+s7VgTADGp6PwyrS
 944g==
X-Gm-Message-State: AOAM533YBeAqPzgb8VjWqO+sBs6jJbgS1nacGWCSQ9f/8KJWXIHrEWWP
 MgmgzCq/5fhCSDbzXvqEsSApW3J7ecwXSpcjHMU=
X-Google-Smtp-Source: ABdhPJyO+NA3km34qjai3DM/RO6SR7132eLyC8opRIjAJNhYklUovuqPheNMIOhH3qmHHx5mkrhZdzIGQJ16PXEUe0o=
X-Received: by 2002:a2e:7619:: with SMTP id r25mr615020ljc.408.1617157700823; 
 Tue, 30 Mar 2021 19:28:20 -0700 (PDT)
MIME-Version: 1.0
References: <CAOtMX2i5d0c9E=W=S6aKp1j5JczaaTqKDX8kW=2NqF=i35dWog@mail.gmail.com>
 <YGLwv+KkmhxeeJUp@kib.kiev.ua>
In-Reply-To: <YGLwv+KkmhxeeJUp@kib.kiev.ua>
From: Alan Somers <asomers@freebsd.org>
Date: Tue, 30 Mar 2021 20:28:09 -0600
Message-ID: <CAOtMX2gM9n+nYEErtv_FmQkJAB5JJ4tpXGydB6oo8qoEjq57yg@mail.gmail.com>
Subject: Re: How does the stack's guard page work on amd64?
To: Konstantin Belousov <kostikbel@gmail.com>
Cc: "freebsd-hackers@freebsd.org" <hackers@freebsd.org>
X-Rspamd-Queue-Id: 4F99Gb1lYbz4RV9
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org;
	none
X-Spamd-Result: default: False [-4.00 / 15.00];
	 REPLY(-4.00)[]
Content-Type: text/plain; charset="UTF-8"
X-Content-Filtered-By: Mailman/MimeDel 2.1.34
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Technical discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Mar 2021 02:28:23 -0000

On Tue, Mar 30, 2021 at 3:35 AM Konstantin Belousov <kostikbel@gmail.com>
wrote:

> On Mon, Mar 29, 2021 at 11:06:36PM -0600, Alan Somers wrote:
> > Rust tries to detect stack overflow and handles it differently than other
> > segfaults, but it's currently broken on FreeBSD/amd64.  I've got a patch
> > that fixes the problem, but I would like someone to confirm my reasoning.
> >
> > It seems like FreeBSD's main thread stacks include a guard page at the
> > bottom.  However, when Rust tries to create its own guard page (by
> > re-mmap()ping and mprotect()ing it), it seems like FreeBSD's guard page
> > automatically moves up into the un-remapped region.  At least, that's how
> > it behaves, based on the addresses that segfault.  Is that correct?
> Show the facts. For instance, procstat -v (and a note which
> mapping was established by runtime for the 'guard') would tell the whole
> story.
>
> My guess would be that procctl(PROC_STACKGAP_CTL, &PROC_STACKGAP_DISABLE)
> would be enough.  Cannot tell without specific data.
>
> >
> > For other threads, Rust doesn't try to remap the guard page, it just
> relies
> > on the guard page created by libthr in _thr_stack_alloc.
> >
> > Finally, what changed in between FreeBSD 10.3 and 11.4?  Rust's stack
> > overflow detection worked in 10.3.
> >
> > -Alan
> > _______________________________________________
> > freebsd-hackers@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> > To unsubscribe, send any mail to "
> freebsd-hackers-unsubscribe@freebsd.org"
>

Here is the relevant portion of procstat -v for a test program built with
the buggy rustc:
  651        0x801554000        0x80155d000 rw-    0   17   3   0 ----- df
  651        0x801600000        0x801e00000 rw-   30   30   1   0 ----- df
  651     0x7fffdfffd000     0x7fffdfffe000 ---    0    0   0   0 ----- --
  651     0x7fffdfffe000     0x7fffdffff000 ---    0    0   0   0 ----- --
<--- What Rustc thinks is the guard page
  651     0x7fffdffff000     0x7fffe0000000 ---    0    0   0   0 ----- --
<--- Where did this come from?
  651     0x7fffe0000000     0x7fffe001e000 rw-   30   30   1   0 ---D- df
  651     0x7fffe001e000     0x7fffe003e000 rw-   32   32   1   0 ---D- df

Rustc tries to create that guard page by finding the base address of the
stack, reallocating one page, then mprotect()ing it, like this:
mmap(0x7fffdfffe000,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1012<MAP_PRIVATE|MAP_FIXED|MAP_ANON>,0xffffffff,0)
mprotect(0x7fffdfffe000,0x1000,0<PROT_NONE>)

If I patch rustc to not attempt to allocate a guard page, then its memory
map looks like this.  Notice that 0x7fffdffff000 is now accessible
  662        0x801531000        0x80155b000 rw-    3   17   3   0 ----- df
  662        0x801600000        0x801e00000 rw-   30   30   1   0 ----- df
  662     0x7fffdfffd000     0x7fffdfffe000 ---    0    0   0   0 ----- --
  662     0x7fffdfffe000     0x7fffdffff000 ---    0    0   0   0 ----- --
  662     0x7fffdffff000     0x7fffe001e000 rw-   31   31   1   0 ---D- df
  662     0x7fffe001e000     0x7fffe003e000 rw-   32   32   1   0 ---D- df

So the real question is, why does 0x7fffdffff000 become protected when
rustc protects 0x7fffdfffe000 ?
-Alan