Re: [PATCH v2] x86: test that userspace stack is in fact NX

From: Ingo Molnar
Date: Tue Oct 03 2023 - 15:01:29 EST



* Alexey Dobriyan <adobriyan@xxxxxxxxx> wrote:

> Here is how it works:
>
> * fault and fill the stack from rsp with int3 down until rlimit allows,
> * fill upwards with int3 too, overwrite libc stuff, argv, envp,
> * try to exec int3 on each page and catch it in either SIGSEGV or
> SIGTRAP handler.
>
> Note: trying to execute _every_ int3 on an 8 MiB stack takes 30-40 seconds
> even on a fast machine, which is too much for kernel selftesting
> (not for LTP!), so only 1 int3 per page is tried.
>
> Tested on an F37 kernel and on a custom kernel which does
>
> vm_flags |= VM_EXEC;
>
> to stack VMA.
>
> Report from the buggy kernel:
>
> $ ./nx_stack_32
> stack min ff007000
> stack max ff807000
> FAIL executable page on the stack: eip ff806001
>
> $ ./nx_stack_64
> stack min 7ffe65bb0000
> stack max 7ffe663b0000
> FAIL executable page on the stack: rip 7ffe663af001

Nice, thanks!

Ingo
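As an added illustration of the probe the quoted description outlines (this is not the selftest from the patch, nor code by either author): a single-page version that fills a buffer on the current stack with int3 bytes, jumps to it, and classifies the outcome by which signal arrives. It assumes Linux on x86 (0xCC is the x86 int3 opcode); the function names are hypothetical. SIGSEGV on the fetch means the stack page is NX, the expected result; SIGTRAP means the int3 actually executed, i.e. the stack is executable and the check should report FAIL, as the quoted output does.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_signal;

/* Either signal ends the probe: record which one arrived and unwind. */
static void probe_handler(int sig)
{
    probe_signal = sig;
    siglongjmp(probe_env, 1);
}

static void install(int sig, struct sigaction *saved)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sa.sa_flags = SA_NODEFER;
    sigaction(sig, &sa, saved);
}

/* 0 = executing from the stack faulted (NX stack, the expected result);
 * 1 = the int3 ran (SIGTRAP), i.e. the stack page is executable;
 * -1 = something else happened (assumption: treat as inconclusive). */
int stack_is_executable(void)
{
    unsigned char code[64];                        /* lives on the stack */
    memset(code, 0xCC, sizeof code);               /* 0xCC = x86 int3 */
    struct sigaction old_segv, old_trap;
    install(SIGSEGV, &old_segv);
    install(SIGTRAP, &old_trap);
    int result = -1;
    probe_signal = 0;
    if (sigsetjmp(probe_env, 1) == 0) {
        void (*fn)(void);
        void *p = code;
        memcpy(&fn, &p, sizeof fn);                /* object -> function ptr */
        fn();                                      /* faults (NX) or traps */
    } else if (probe_signal == SIGSEGV) {
        result = 0;
    } else if (probe_signal == SIGTRAP) {
        result = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGTRAP, &old_trap, NULL);
    return result;
}
```

Unlike the patch's selftest, this probes only the page holding the current frame, not every page down to the rlimit and up through argv/envp, so it is a smoke check rather than a replacement.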