Ted Unangst <t...@tedunangst.com> wrote:
> Sebastien Marie wrote:
> > Assuming the check on protection is a bit too restrictive, and it is
> > fine to have some chunks with PROT_NONE, I think we want something like:
>
> are readonly stacks meaningful? if so, we should fix that too now instead of
> waiting.
Other systems lack allocators that opportunistically place guard pages off the
edge of mmap/malloc allocations. That has led some programs to install their own
guard-page to catch small-range stack overflows (useless for large-range reach,
as the public learned a couple months ago). The full range gets passed to
sigaltstack, which freaks out due to a recently added check included in the
MAP_STACK work. That check isn't needed since prot checks still get evaluated
separately by uvm_fault and sigaltstack should always succeed. So stefan is
deleting the check.

What occurs without this check? The sigaltstack MAP_STACK-overtake will override
the in-region guard-page, turning it into PROT_READ|PROT_WRITE w/ MAP_STACK.

I have a separate discussion with stefan about how to avoid PROT_* mangling that
one page inside uvm_map_remap_as_stack(), basically if the overflow-end of stack
is properly aligned, ignore 1 full page in case it is a guard. Don't make it
MAP_STACK, and don't change its permissions. MAP_STACK can therefore act as an
opportunistic overflow detector, and an application's own PROT_NONE guard can act
so otherwise.
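The application-side pattern the thread is talking about, as an added example that is not code from the thread or from OpenBSD: an mmap'd alternate signal stack whose lowest page (the overflow end) is mprotect'ed to PROT_NONE, with the whole range, guard included, handed to sigaltstack. It assumes Linux/POSIX semantics in which sigaltstack does not inspect page protections; the function and variable names are the example's own. probe_guard() then checks whether the guard page still traps a write, which is the property the guard-skipping change in uvm_map_remap_as_stack() is meant to preserve.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed example (not from the thread): an alternate signal stack whose
 * lowest page is a PROT_NONE guard, with the full range, guard included,
 * registered via sigaltstack. Assumes sigaltstack ignores page protections. */

static sigjmp_buf fault_env;
static volatile sig_atomic_t guard_faults;   /* faults that landed in the guard */
static char *guard_lo, *guard_hi;            /* guard page is [guard_lo, guard_hi) */

/* Runs on the alternate stack (SA_ONSTACK). A fault inside the guard page is
 * treated as a caught stack overflow; any other fault is left to crash. */
static void segv_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    char *addr = (char *)si->si_addr;
    if (addr >= guard_lo && addr < guard_hi) {
        guard_faults++;
        siglongjmp(fault_env, 1);       /* unwind out of the faulting access */
    }
    signal(SIGSEGV, SIG_DFL);           /* unrelated fault: re-fault and die */
}

/* Maps `pages` usable pages with one guard page below them (the overflow end
 * of a downward-growing stack), registers the whole mapping as the alternate
 * signal stack and installs the handler. Returns the mapping base (which is
 * the guard page) or NULL on failure. */
static char *setup_guarded_altstack(size_t pages)
{
    size_t pgsz = (size_t)sysconf(_SC_PAGESIZE);
    size_t total = (pages + 1) * pgsz;
    stack_t ss;
    struct sigaction sa;

    char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    /* Lowest page becomes the guard; it remains inside the sigaltstack range. */
    if (mprotect(base, pgsz, PROT_NONE) != 0)
        goto fail;
    guard_lo = base;
    guard_hi = base + pgsz;

    memset(&ss, 0, sizeof ss);
    ss.ss_sp = base;                    /* full range, guard page included */
    ss.ss_size = total;
    if (sigaltstack(&ss, NULL) != 0)    /* the check discussed in the thread rejects this */
        goto fail;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO | SA_ONSTACK;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0)
        goto fail;
    return base;
fail:
    munmap(base, total);
    return NULL;
}

/* Touches the guard page the way an overflowing frame would. Returns 1 if
 * the guard trapped the access, 0 if the write silently went through, i.e.
 * the guard page has been turned into ordinary writable stack. */
static int probe_guard(char *base)
{
    if (sigsetjmp(fault_env, 1) == 0) {
        ((volatile char *)base)[0] = 1;
        return 0;
    }
    return 1;
}

static int guard_fault_count(void) { return (int)guard_faults; }

int main(void)
{
    char *base = setup_guarded_altstack(8);
    if (base == NULL) {
        perror("setup_guarded_altstack");
        return 1;
    }
    int trapped = probe_guard(base);
    printf("guard page %s the access (guard faults seen: %d)\n",
           trapped ? "trapped" : "did NOT trap", guard_fault_count());
    return trapped ? 0 : 1;
}
```

Read against the thread: a kernel that applies the protection check fails the sigaltstack() call outright; a kernel that instead remaps the whole range as PROT_READ|PROT_WRITE MAP_STACK makes probe_guard() return 0, the guard silently gone. Skipping the aligned page at the overflow end, as proposed, keeps probe_guard() returning 1.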