How does the stack's guard page work on amd64?
Konstantin Belousov
kostikbel at gmail.com
Wed Mar 31 11:21:31 UTC 2021
On Tue, Mar 30, 2021 at 08:28:09PM -0600, Alan Somers wrote:
> On Tue, Mar 30, 2021 at 3:35 AM Konstantin Belousov <kostikbel at gmail.com>
> wrote:
>
> > On Mon, Mar 29, 2021 at 11:06:36PM -0600, Alan Somers wrote:
> > > Rust tries to detect stack overflow and handles it differently than other
> > > segfaults, but it's currently broken on FreeBSD/amd64. I've got a patch
> > > that fixes the problem, but I would like someone to confirm my reasoning.
> > >
> > > It seems like FreeBSD's main thread stacks include a guard page at the
> > > bottom. However, when Rust tries to create its own guard page (by
> > > re-mmap()ping and mprotect()ing it), it seems like FreeBSD's guard page
> > > automatically moves up into the un-remapped region. At least, that's how
> > > it behaves, based on the addresses that segfault. Is that correct?
> > Show the facts. For instance, procstat -v (and a note which
> > mapping was established by runtime for the 'guard') would tell the whole
> > story.
> >
> > My guess would be that procctl(PROC_STACKGAP_CTL, &PROC_STACKGAP_DISABLE)
> > would be enough. Cannot tell without specific data.
> >
> > >
> > > For other threads, Rust doesn't try to remap the guard page, it just
> > relies
> > > on the guard page created by libthr in _thr_stack_alloc.
> > >
> > > Finally, what changed in between FreeBSD 10.3 and 11.4? Rust's stack
> > > overflow detection worked in 10.3.
> > >
> > > -Alan
> > > _______________________________________________
> > > freebsd-hackers at freebsd.org mailing list
> > > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> > > To unsubscribe, send any mail to "
> > freebsd-hackers-unsubscribe at freebsd.org"
> >
>
> Here is the relevant portion of procstat -v for a test program built with
> the buggy rustc:
> 651 0x801554000 0x80155d000 rw- 0 17 3 0 ----- df
> 651 0x801600000 0x801e00000 rw- 30 30 1 0 ----- df
> 651 0x7fffdfffd000 0x7fffdfffe000 --- 0 0 0 0 ----- --
> 651 0x7fffdfffe000 0x7fffdffff000 --- 0 0 0 0 ----- --
> <--- What Rustc thinks is the guard page
> 651 0x7fffdffff000 0x7fffe0000000 --- 0 0 0 0 ----- --
> <--- Where did this come from?
This is the stack grow area, occupied by 'elastic' guard entry.
It serves two purposes:
1. it keeps the space, preventing other non-fixed mappings from selecting
the grow area for mapping.
2. it prevents stack from growing down to the next mapping below it,
preventing issues like StackClash.
See mmap(2) esp. MAP_STACK part of it.
> 651 0x7fffe0000000 0x7fffe001e000 rw- 30 30 1 0 ---D- df
> 651 0x7fffe001e000 0x7fffe003e000 rw- 32 32 1 0 ---D- df
>
> Rustc tries to create that guard page by finding the base address of the
> stack, reallocating one page, then mprotect()ing it, like this:
> mmap(0x7fffdfffe000,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1012<MAP_PRIVATE|MAP_FIXED|MAP_ANON>,0xffffffff,0)
> mprotect(0x7fffdfffe000,0x1000,0<PROT_NONE>)
>
> If I patch rustc to not attempt to allocate a guard page, then its memory
> map looks like this. Notice that 0x7fffdffff000 is now accessible
It is accessible because stack grown down into this address.
> 662 0x801531000 0x80155b000 rw- 3 17 3 0 ----- df
> 662 0x801600000 0x801e00000 rw- 30 30 1 0 ----- df
> 662 0x7fffdfffd000 0x7fffdfffe000 --- 0 0 0 0 ----- --
> 662 0x7fffdfffe000 0x7fffdffff000 --- 0 0 0 0 ----- --
> 662 0x7fffdffff000 0x7fffe001e000 rw- 31 31 1 0 ---D- df
> 662 0x7fffe001e000 0x7fffe003e000 rw- 32 32 1 0 ---D- df
>
> So the real question is, why does 0x7fffdffff000 become protected when
> rustc protects 0x7fffdfffe000 ?
See above.
As I said in earlier response, if you want fully shrinkable stack guard,
set procctl(PROC_STACKGAP_CTL, &PROC_STACKGAP_DISABLE) during runtime
initialization.
Or better, do not create custom guard page at all, relying on system guard.
More information about the freebsd-hackers
mailing list