On Wed, Jul 5, 2017 at 4:50 PM, Ben Hutchings <b...@decadent.org.uk> wrote: > On Wed, 2017-07-05 at 13:53 -0700, Andy Lutomirski wrote: >> On Jul 5, 2017, at 12:32 PM, Ben Hutchings <b...@decadent.org.uk> wrote: >> > On Wed, 2017-07-05 at 10:23 -0700, Andy Lutomirski wrote: > [...] >> > > - As a hardening feature, if the stack would expand within 64k or >> > > whatever of a non-MAP_FIXED mapping, refuse to expand it. (This might >> > > have to be a non-hinted mapping, not just a non-MAP_FIXED mapping.) >> > > The idea being that, if you deliberately place a mapping under the >> > > stack, you know what you're doing. If you're like LibreOffice and do >> > > something daft and are thus exploitable, you're on your own. >> > > - As a hardening measure, don't let mmap without MAP_FIXED position >> > > something within 64k or whatever of the bottom of the stack unless a >> > > MAP_FIXED mapping is between them. >> > >> > Having tested patches along these lines, I think the above would avoid >> > the reported regressions. >> > >> >> FWIW, even this last part may be problematic. It'll break anything >> that tries to allocate many small MAP_GROWSDOWN stacks on 32- >> bit. Hopefully nothing does this, but maybe Java does. > > glibc (NPTL) does not. Java (at least Hotspot in OpenJDK 6,7, 8) does > not. LinuxThreads *does* and is used by uclibc. dietlibc *does*. I > would be surprised if either was used for applications with very many > threads, but then this issue has thrown up a lot of surprises. >
Ugh. But yeah, I'd be a bit surprised to see heavily threaded apps using LinuxThreads or dietlibc. LinuxThreads still uses modify_ldt(), right? modify_ldt() performance is abysmal, and I have no intention of even trying to optimize it. Anyhow, you *can't* have more than 8192 threads if you use modify_ldt() for TLS because you run out of LDT slots. 8192 * 64k fits in 32 bits with room to spare, so this is unlikely to be a showstopper. --Andy
