How does the stack's guard page work on amd64?

Alan Somers asomers at freebsd.org
Wed Mar 31 02:28:23 UTC 2021 

On Tue, Mar 30, 2021 at 3:35 AM Konstantin Belousov <kostikbel at gmail.com>
wrote:

> On Mon, Mar 29, 2021 at 11:06:36PM -0600, Alan Somers wrote:
> > Rust tries to detect stack overflow and handles it differently than other
> > segfaults, but it's currently broken on FreeBSD/amd64.  I've got a patch
> > that fixes the problem, but I would like someone to confirm my reasoning.
> >
> > It seems like FreeBSD's main thread stacks include a guard page at the
> > bottom.  However, when Rust tries to create its own guard page (by
> > re-mmap()ping and mprotect()ing it), it seems like FreeBSD's guard page
> > automatically moves up into the un-remapped region.  At least, that's how
> > it behaves, based on the addresses that segfault.  Is that correct?
> Show the facts. For instance, procstat -v (and a note which
> mapping was established by runtime for the 'guard') would tell the whole
> story.
>
> My guess would be that procctl(PROC_STACKGAP_CTL, &PROC_STACKGAP_DISABLE)
> would be enough.  Cannot tell without specific data.
>
> >
> > For other threads, Rust doesn't try to remap the guard page, it just
> relies
> > on the guard page created by libthr in _thr_stack_alloc.
> >
> > Finally, what changed in between FreeBSD 10.3 and 11.4?  Rust's stack
> > overflow detection worked in 10.3.
> >
> > -Alan
> > _______________________________________________
> > freebsd-hackers at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> > To unsubscribe, send any mail to "
> freebsd-hackers-unsubscribe at freebsd.org"
>

Here is the relevant portion of procstat -v for a test program built with
the buggy rustc:
  651        0x801554000        0x80155d000 rw-    0   17   3   0 ----- df
  651        0x801600000        0x801e00000 rw-   30   30   1   0 ----- df
  651     0x7fffdfffd000     0x7fffdfffe000 ---    0    0   0   0 ----- --
  651     0x7fffdfffe000     0x7fffdffff000 ---    0    0   0   0 ----- --
<--- What Rustc thinks is the guard page
  651     0x7fffdffff000     0x7fffe0000000 ---    0    0   0   0 ----- --
<--- Where did this come from?
  651     0x7fffe0000000     0x7fffe001e000 rw-   30   30   1   0 ---D- df
  651     0x7fffe001e000     0x7fffe003e000 rw-   32   32   1   0 ---D- df

Rustc tries to create that guard page by finding the base address of the
stack, reallocating one page, then mprotect()ing it, like this:
mmap(0x7fffdfffe000,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1012<MAP_PRIVATE|MAP_FIXED|MAP_ANON>,0xffffffff,0)
mprotect(0x7fffdfffe000,0x1000,0<PROT_NONE>)

If I patch rustc to not attempt to allocate a guard page, then its memory
map looks like this.  Notice that 0x7fffdffff000 is now accessible
  662        0x801531000        0x80155b000 rw-    3   17   3   0 ----- df
  662        0x801600000        0x801e00000 rw-   30   30   1   0 ----- df
  662     0x7fffdfffd000     0x7fffdfffe000 ---    0    0   0   0 ----- --
  662     0x7fffdfffe000     0x7fffdffff000 ---    0    0   0   0 ----- --
  662     0x7fffdffff000     0x7fffe001e000 rw-   31   31   1   0 ---D- df
  662     0x7fffe001e000     0x7fffe003e000 rw-   32   32   1   0 ---D- df

So the real question is, why does 0x7fffdffff000 become protected when
rustc protects 0x7fffdfffe000 ?
-Alan

More information about the freebsd-hackers mailing list