From owner-freebsd-hackers@freebsd.org  Wed Mar 31 11:21:31 2021
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 84BEF5C43D6
 for <freebsd-hackers@mailman.nyi.freebsd.org>;
 Wed, 31 Mar 2021 11:21:31 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from mailman.nyi.freebsd.org (unknown [127.0.1.3])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F9P5l1ybKz3CGl
 for <freebsd-hackers@freebsd.org>; Wed, 31 Mar 2021 11:21:31 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: by mailman.nyi.freebsd.org (Postfix)
 id 433575C43D5; Wed, 31 Mar 2021 11:21:31 +0000 (UTC)
Delivered-To: hackers@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 42FBB5C43D4
 for <hackers@mailman.nyi.freebsd.org>; Wed, 31 Mar 2021 11:21:31 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F9P5k6x8lz3C3M;
 Wed, 31 Mar 2021 11:21:30 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from tom.home (kib@localhost [127.0.0.1])
 by kib.kiev.ua (8.16.1/8.16.1) with ESMTPS id 12VBLGKc077447
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO);
 Wed, 31 Mar 2021 14:21:19 +0300 (EEST)
 (envelope-from kostikbel@gmail.com)
DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua 12VBLGKc077447
Received: (from kostik@localhost)
 by tom.home (8.16.1/8.16.1/Submit) id 12VBLGlZ077446;
 Wed, 31 Mar 2021 14:21:16 +0300 (EEST)
 (envelope-from kostikbel@gmail.com)
X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com
 using -f
Date: Wed, 31 Mar 2021 14:21:16 +0300
From: Konstantin Belousov <kostikbel@gmail.com>
To: Alan Somers <asomers@freebsd.org>
Cc: "freebsd-hackers@freebsd.org" <hackers@freebsd.org>
Subject: Re: How does the stack's guard page work on amd64?
Message-ID: <YGRbLLeyqsYa9fp7@kib.kiev.ua>
References: <CAOtMX2i5d0c9E=W=S6aKp1j5JczaaTqKDX8kW=2NqF=i35dWog@mail.gmail.com>
 <YGLwv+KkmhxeeJUp@kib.kiev.ua>
 <CAOtMX2gM9n+nYEErtv_FmQkJAB5JJ4tpXGydB6oo8qoEjq57yg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAOtMX2gM9n+nYEErtv_FmQkJAB5JJ4tpXGydB6oo8qoEjq57yg@mail.gmail.com>
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,BAYES_00,
 DKIM_ADSP_CUSTOM_MED,FORGED_GMAIL_RCVD,FREEMAIL_FROM,
 NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on tom.home
X-Rspamd-Queue-Id: 4F9P5k6x8lz3C3M
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org;
	none
X-Spamd-Result: default: False [-4.00 / 15.00];
	 REPLY(-4.00)[]
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Technical discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Mar 2021 11:21:31 -0000

On Tue, Mar 30, 2021 at 08:28:09PM -0600, Alan Somers wrote:
> On Tue, Mar 30, 2021 at 3:35 AM Konstantin Belousov <kostikbel@gmail.com>
> wrote:
> 
> > On Mon, Mar 29, 2021 at 11:06:36PM -0600, Alan Somers wrote:
> > > Rust tries to detect stack overflow and handles it differently than other
> > > segfaults, but it's currently broken on FreeBSD/amd64.  I've got a patch
> > > that fixes the problem, but I would like someone to confirm my reasoning.
> > >
> > > It seems like FreeBSD's main thread stacks include a guard page at the
> > > bottom.  However, when Rust tries to create its own guard page (by
> > > re-mmap()ping and mprotect()ing it), it seems like FreeBSD's guard page
> > > automatically moves up into the un-remapped region.  At least, that's how
> > > it behaves, based on the addresses that segfault.  Is that correct?
> > Show the facts. For instance, procstat -v (and a note which
> > mapping was established by runtime for the 'guard') would tell the whole
> > story.
> >
> > My guess would be that procctl(PROC_STACKGAP_CTL, &PROC_STACKGAP_DISABLE)
> > would be enough.  Cannot tell without specific data.
> >
> > >
> > > For other threads, Rust doesn't try to remap the guard page, it just
> > relies
> > > on the guard page created by libthr in _thr_stack_alloc.
> > >
> > > Finally, what changed in between FreeBSD 10.3 and 11.4?  Rust's stack
> > > overflow detection worked in 10.3.
> > >
> > > -Alan
> > > _______________________________________________
> > > freebsd-hackers@freebsd.org mailing list
> > > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> > > To unsubscribe, send any mail to "
> > freebsd-hackers-unsubscribe@freebsd.org"
> >
> 
> Here is the relevant portion of procstat -v for a test program built with
> the buggy rustc:
>   651        0x801554000        0x80155d000 rw-    0   17   3   0 ----- df
>   651        0x801600000        0x801e00000 rw-   30   30   1   0 ----- df
>   651     0x7fffdfffd000     0x7fffdfffe000 ---    0    0   0   0 ----- --
>   651     0x7fffdfffe000     0x7fffdffff000 ---    0    0   0   0 ----- --
> <--- What Rustc thinks is the guard page
>   651     0x7fffdffff000     0x7fffe0000000 ---    0    0   0   0 ----- --
> <--- Where did this come from?
This is the stack grow area, occupied by 'elastic' guard entry.
It serves two purposes:
1. it keeps the space, preventing other non-fixed mappings from selecting
   the grow area for mapping.
2. it prevents stack from growing down to the next mapping below it,
   preventing issues like StackClash.

See mmap(2) esp. MAP_STACK part of it.

>   651     0x7fffe0000000     0x7fffe001e000 rw-   30   30   1   0 ---D- df
>   651     0x7fffe001e000     0x7fffe003e000 rw-   32   32   1   0 ---D- df
> 
> Rustc tries to create that guard page by finding the base address of the
> stack, reallocating one page, then mprotect()ing it, like this:
> mmap(0x7fffdfffe000,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1012<MAP_PRIVATE|MAP_FIXED|MAP_ANON>,0xffffffff,0)
> mprotect(0x7fffdfffe000,0x1000,0<PROT_NONE>)
> 
> If I patch rustc to not attempt to allocate a guard page, then its memory
> map looks like this.  Notice that 0x7fffdffff000 is now accessible
It is accessible because stack grown down into this address.

>   662        0x801531000        0x80155b000 rw-    3   17   3   0 ----- df
>   662        0x801600000        0x801e00000 rw-   30   30   1   0 ----- df
>   662     0x7fffdfffd000     0x7fffdfffe000 ---    0    0   0   0 ----- --
>   662     0x7fffdfffe000     0x7fffdffff000 ---    0    0   0   0 ----- --
>   662     0x7fffdffff000     0x7fffe001e000 rw-   31   31   1   0 ---D- df
>   662     0x7fffe001e000     0x7fffe003e000 rw-   32   32   1   0 ---D- df
> 
> So the real question is, why does 0x7fffdffff000 become protected when
> rustc protects 0x7fffdfffe000 ?
See above.

As I said in earlier response, if you want fully shrinkable stack guard,
set procctl(PROC_STACKGAP_CTL, &PROC_STACKGAP_DISABLE) during runtime
initialization.

Or better, do not create custom guard page at all, relying on system guard.