The 08/29/2024 00:27, Mark Brown wrote:
Unfortunately plain clone() is not extensible and existing clone3() users will not specify a stack so all existing code would be broken if we mandated specifying the stack explicitly. For compatibility with these cases and also x86 (which did not initially implement clone3() support for shadow stacks) if no GCS is specified we will allocate one so when a thread is created which has GCS enabled allocate one for it. We follow the extensively discussed x86 implementation and allocate min(RLIMIT_STACK, 2G). Since the GCS only stores the call stack and not any variables this should be more than sufficient for most applications.
the code has RLIMIT_STACK/2
(which is what i expect on arm64, since gcs entry size is min stack frame / 2 if the stack is correctly aligned)
GCSs allocated via this mechanism will be freed when the thread exits.
i see gcs still mapped after thread exit when testing.
+static unsigned long gcs_size(unsigned long size) +{
- if (size)
return PAGE_ALIGN(size);
no /2
- /* Allocate RLIMIT_STACK/2 with limits of PAGE_SIZE..2G */
- size = PAGE_ALIGN(min_t(unsigned long long,
rlimit(RLIMIT_STACK) / 2, SZ_2G));
has /2
- return max(PAGE_SIZE, size);
+}
+unsigned long gcs_alloc_thread_stack(struct task_struct *tsk,
const struct kernel_clone_args *args)+{
- unsigned long addr, size;
- if (!system_supports_gcs())
return 0;- if (!task_gcs_el0_enabled(tsk))
return 0;- if ((args->flags & (CLONE_VFORK | CLONE_VM)) != CLONE_VM) {
tsk->thread.gcspr_el0 = read_sysreg_s(SYS_GCSPR_EL0);return 0;- }
- size = args->stack_size;
no /2 (i think this should be divided)
- size = gcs_size(size);
- addr = alloc_gcs(0, size);
- if (IS_ERR_VALUE(addr))
return addr;- tsk->thread.gcs_base = addr;
- tsk->thread.gcs_size = size;
- tsk->thread.gcspr_el0 = addr + size - sizeof(u64);
- return addr;
+}
...
void gcs_free(struct task_struct *task) {
- /*
* When fork() with CLONE_VM fails, the child (tsk) already* has a GCS allocated, and exit_thread() calls this function* to free it. In this case the parent (current) and the* child share the same mm struct.*/- if (!task->mm || task->mm != current->mm)
return;- if (task->thread.gcs_base) vm_munmap(task->thread.gcs_base, task->thread.gcs_size);
not sure why this logic fails to free thread gcs (created with clone3 in glibc)
other the gcs leak, my tests pass.