How does the stack's guard page work on amd64?
Alan Somers
asomers at freebsd.org
Wed Mar 31 02:28:23 UTC 2021
On Tue, Mar 30, 2021 at 3:35 AM Konstantin Belousov <kostikbel at gmail.com>
wrote:
> On Mon, Mar 29, 2021 at 11:06:36PM -0600, Alan Somers wrote:
> > Rust tries to detect stack overflow and handles it differently than other
> > segfaults, but it's currently broken on FreeBSD/amd64. I've got a patch
> > that fixes the problem, but I would like someone to confirm my reasoning.
> >
> > It seems like FreeBSD's main thread stacks include a guard page at the
> > bottom. However, when Rust tries to create its own guard page (by
> > re-mmap()ping and mprotect()ing it), it seems like FreeBSD's guard page
> > automatically moves up into the un-remapped region. At least, that's how
> > it behaves, based on the addresses that segfault. Is that correct?
> Show the facts. For instance, procstat -v (and a note which
> mapping was established by runtime for the 'guard') would tell the whole
> story.
>
> My guess would be that procctl(PROC_STACKGAP_CTL, &PROC_STACKGAP_DISABLE)
> would be enough. Cannot tell without specific data.
>
> >
> > For other threads, Rust doesn't try to remap the guard page, it just
> relies
> > on the guard page created by libthr in _thr_stack_alloc.
> >
> > Finally, what changed in between FreeBSD 10.3 and 11.4? Rust's stack
> > overflow detection worked in 10.3.
> >
> > -Alan
> > _______________________________________________
> > freebsd-hackers at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> > To unsubscribe, send any mail to "
> freebsd-hackers-unsubscribe at freebsd.org"
>
Here is the relevant portion of procstat -v for a test program built with
the buggy rustc:
651 0x801554000 0x80155d000 rw- 0 17 3 0 ----- df
651 0x801600000 0x801e00000 rw- 30 30 1 0 ----- df
651 0x7fffdfffd000 0x7fffdfffe000 --- 0 0 0 0 ----- --
651 0x7fffdfffe000 0x7fffdffff000 --- 0 0 0 0 ----- --
<--- What Rustc thinks is the guard page
651 0x7fffdffff000 0x7fffe0000000 --- 0 0 0 0 ----- --
<--- Where did this come from?
651 0x7fffe0000000 0x7fffe001e000 rw- 30 30 1 0 ---D- df
651 0x7fffe001e000 0x7fffe003e000 rw- 32 32 1 0 ---D- df
Rustc tries to create that guard page by finding the base address of the
stack, reallocating one page, then mprotect()ing it, like this:
mmap(0x7fffdfffe000,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1012<MAP_PRIVATE|MAP_FIXED|MAP_ANON>,0xffffffff,0)
mprotect(0x7fffdfffe000,0x1000,0<PROT_NONE>)
If I patch rustc to not attempt to allocate a guard page, then its memory
map looks like this. Notice that 0x7fffdffff000 is now accessible
662 0x801531000 0x80155b000 rw- 3 17 3 0 ----- df
662 0x801600000 0x801e00000 rw- 30 30 1 0 ----- df
662 0x7fffdfffd000 0x7fffdfffe000 --- 0 0 0 0 ----- --
662 0x7fffdfffe000 0x7fffdffff000 --- 0 0 0 0 ----- --
662 0x7fffdffff000 0x7fffe001e000 rw- 31 31 1 0 ---D- df
662 0x7fffe001e000 0x7fffe003e000 rw- 32 32 1 0 ---D- df
So the real question is, why does 0x7fffdffff000 become protected when
rustc protects 0x7fffdfffe000 ?
-Alan
More information about the freebsd-hackers
mailing list