From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: "Kevin Wolf" <kwolf@redhat.com>,
	"Tobin Feldman-Fitzthum" <tobin@ibm.com>,
	qemu-devel@nongnu.org, "Stefan Hajnoczi" <stefanha@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Alex Bennée" <alex.bennee@linaro.org>,
	"Daniele Buono" <dbuono@linux.vnet.ibm.com>
Subject: Re: [PATCH 0/4] Add support for SafeStack
Date: Tue, 5 May 2020 14:31:11 +0100	[thread overview]
Message-ID: <20200505133111.GM764268@redhat.com> (raw)
In-Reply-To: <51f28cf2-0f34-508f-96f8-02c02b3c8a85@redhat.com>

On Tue, May 05, 2020 at 03:15:18PM +0200, Philippe Mathieu-Daudé wrote:
> +Alex & Daniel who keep track on CI stuff.
> 
> On 4/29/20 9:44 PM, Daniele Buono wrote:
> > LLVM supports SafeStack instrumentation to protect against stack buffer
> > overflows, since version 3.7
> > 
> > From https://clang.llvm.org/docs/SafeStack.html:
> > "It works by separating the program stack into two distinct regions: the
> > safe stack and the unsafe stack. The safe stack stores return addresses,
> > register spills, and local variables that are always accessed in a safe
> > way, while the unsafe stack stores everything else. This separation
> > ensures that buffer overflows on the unsafe stack cannot be used to
> > overwrite anything on the safe stack."
> > 
> > Unfortunately, the use of two stack regions does not cope well with
> > QEMU's coroutines. The second stack region is not properly set up with
> > both ucontext and sigaltstack, so multiple coroutines end up sharing the
> > same memory area for the unsafe stack, causing undefined behaviors at
> > runtime (and most iochecks to fail).
> > 
> > This patch series fixes the implementation of the ucontext backend and
> > makes sure that sigaltstack is never used if the compiler is applying
> > the SafeStack instrumentation. It also adds a configure flag to enable
> > SafeStack, and enables iotests when SafeStack is used.
> > 
> > This is an RFC mainly because of the low-level use of the SafeStack
> > runtime.
> > When running swapcontext(), we have to manually set the unsafe stack
> > pointer to the new area allocated for the coroutine. LLVM does not allow
> > doing this with a builtin, so we have to use implementation details that
> > may change in the future.
> > This patch has been tested briefly (make check on an x86 system) with
> > clang v3.9, v4.0, v5.0, v6.0.
> > Heavier testing, with make check-acceptance, has been performed with
> > clang v7.0.
> 
> I noticed building using SafeStack is slower, and running with it is even
> sloooower. It makes sense to have this integrated if we use it regularly. Do
> you have a plan for this? Using public CI doesn't seem reasonable.

The runtime behaviour is rather odd, given the docs they provide:

"The performance overhead of the SafeStack instrumentation is
 less than 0.1% on average across a variety of benchmarks.
 This is mainly because most small functions do not have any
 variables that require the unsafe stack and, hence, do not
 need unsafe stack frames to be created. The cost of creating
 unsafe stack frames for large functions is amortized by the
 cost of executing the function.

  In some cases, SafeStack actually improves the performance"

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
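The ucontext switch the quoted cover letter describes, as an added example that is not code from the patch series or from QEMU: each coroutine gets its own unsafe stack region, and the unsafe stack pointer is saved and reinstalled around swapcontext(). The `__safestack_unsafe_stack_ptr` thread-local is assumed to be compiler-rt's internal holder of that pointer (this is the "implementation detail that may change" the cover letter mentions); the `Coroutine` layout, the `co_*` helpers and `run_demo` are this example's own. Built without -fsanitize=safe-stack, the pointer swap compiles down to plain bookkeeping and the coroutines still run.

```c
/* Added example, not code from the patch series or from QEMU: a minimal ucontext
 * coroutine with a private SafeStack unsafe stack per coroutine, swapping the
 * runtime's unsafe stack pointer around swapcontext().
 * Build: clang -fsanitize=safe-stack -O1 demo.c (plain cc: the swap compiles out) */
#include <stdlib.h>
#include <string.h>
#include <ucontext.h>

#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if __has_feature(safe_stack)
/* ASSUMPTION (the implementation detail the cover letter warns about): compiler-rt
 * keeps the current unsafe stack pointer in this thread-local. clang's builtin
 * __builtin___get_unsafe_stack_ptr() is read-only, so writing the pointer means
 * relying on this symbol, which may change between LLVM releases. */
extern __thread void *__safestack_unsafe_stack_ptr;
#define UNSAFE_SP_GET()  (__safestack_unsafe_stack_ptr)
#define UNSAFE_SP_SET(p) (__safestack_unsafe_stack_ptr = (p))
#else
static void *fake_unsafe_sp;             /* no SafeStack: bookkeeping only */
#define UNSAFE_SP_GET()  (fake_unsafe_sp)
#define UNSAFE_SP_SET(p) (fake_unsafe_sp = (p))
#endif

#define CO_STACK_SIZE (256 * 1024)

typedef struct Coroutine {
    ucontext_t uc, caller_uc;            /* our context; whoever entered us */
    void *stack, *unsafe_stack;          /* safe stack for makecontext(); private unsafe region */
    void *unsafe_sp, *caller_unsafe_sp;  /* ours, saved while suspended; caller's, saved while we run */
    void (*fn)(struct Coroutine *);
    int id, done, result;
} Coroutine;

static Coroutine *current;               /* makecontext() passes only ints */

/* Save our unsafe SP, install the target's, then switch safe stacks. Whoever
 * resumes us reinstalls *from_unsafe_sp before its own swapcontext(). */
static void co_switch(ucontext_t *from, void **from_unsafe_sp,
                      ucontext_t *to, void *to_unsafe_sp) {
    *from_unsafe_sp = UNSAFE_SP_GET();
    UNSAFE_SP_SET(to_unsafe_sp);
    swapcontext(from, to);
}

static void co_yield(Coroutine *co) {
    co_switch(&co->uc, &co->unsafe_sp, &co->caller_uc, co->caller_unsafe_sp);
}

static void co_enter(Coroutine *co) {
    current = co;
    co_switch(&co->caller_uc, &co->caller_unsafe_sp, &co->uc, co->unsafe_sp);
}

static void co_trampoline(void) {
    Coroutine *co = current;
    co->fn(co);
    co->done = 1;
    co_yield(co);                        /* a finished coroutine is never resumed */
}

static Coroutine *co_new(int id, void (*fn)(Coroutine *)) {
    Coroutine *co = calloc(1, sizeof(*co));
    if (!co) abort();
    co->id = id; co->fn = fn;
    co->stack = malloc(CO_STACK_SIZE);
    co->unsafe_stack = malloc(CO_STACK_SIZE);
    if (!co->stack || !co->unsafe_stack) abort();
    co->unsafe_sp = (char *)co->unsafe_stack + CO_STACK_SIZE;  /* stacks grow down */
    getcontext(&co->uc);
    co->uc.uc_stack.ss_sp = co->stack;
    co->uc.uc_stack.ss_size = CO_STACK_SIZE;
    makecontext(&co->uc, co_trampoline, 0);
    return co;
}

/* Fill an address-taken buffer (SafeStack puts it on the unsafe stack), yield so
 * the other coroutine runs, then check it is intact. With one shared unsafe
 * stack the other coroutine's frame would have clobbered it. */
static void worker(Coroutine *co) {
    char buf[64], ref[64];
    memset(buf, 'A' + co->id, sizeof(buf));
    co_yield(co);
    memset(ref, 'A' + co->id, sizeof(ref));
    co->result = memcmp(buf, ref, sizeof(buf)) == 0;
}

/* Interleave two coroutines; returns 1 if both buffers survived the switches. */
int run_demo(void) {
    Coroutine *a = co_new(0, worker), *b = co_new(1, worker);
    co_enter(a); co_enter(b);            /* both fill their buffer and yield */
    co_enter(a); co_enter(b);            /* both verify and finish */
    int ok = a->unsafe_stack != b->unsafe_stack && a->done && b->done && a->result && b->result;
    free(a->stack); free(a->unsafe_stack); free(a);
    free(b->stack); free(b->unsafe_stack); free(b);
    return ok;
}
```

run_demo() returns 1 when both coroutines' buffers survive the interleaved switches; build with clang -fsanitize=safe-stack to exercise the real pointer swap rather than the fake one. The switching helper deliberately has no address-taken locals: a function that needs an unsafe frame adjusts the unsafe stack pointer in its own prologue and epilogue, and an epilogue running after the coroutine has resumed on a different unsafe stack would write back a stale pointer.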

Thread overview: 24+ messages
2020-04-29 19:44 [PATCH 0/4] Add support for SafeStack Daniele Buono
2020-04-29 19:44 ` [PATCH 1/4] coroutine: support SafeStack in ucontext backend Daniele Buono
2020-05-21  9:44   ` Stefan Hajnoczi
2020-05-22 15:18     ` Daniele Buono
2020-05-27 10:34       ` Stefan Hajnoczi
2020-04-29 19:44 ` [PATCH 2/4] coroutine: Add check for SafeStack in sigalstack Daniele Buono
2020-05-04 14:56   ` Philippe Mathieu-Daudé
2020-05-21  9:49   ` Stefan Hajnoczi
2020-05-27 17:56     ` Daniele Buono
2020-04-29 19:44 ` [PATCH 3/4] configure: add flag to enable SafeStack Daniele Buono
2020-05-21  9:52   ` Stefan Hajnoczi
2020-05-22 15:24     ` Daniele Buono
2020-05-27 11:12       ` Stefan Hajnoczi
2020-05-27 13:48         ` Daniele Buono
2020-04-29 19:44 ` [PATCH 4/4] check-block: Enable iotests with SafeStack Daniele Buono
2020-05-21  9:59   ` Stefan Hajnoczi
2020-05-22 15:35     ` Daniele Buono
2020-05-27 11:13       ` Stefan Hajnoczi
2020-05-04 14:55 ` [PATCH 0/4] Add support for SafeStack Philippe Mathieu-Daudé
2020-05-05 13:15 ` Philippe Mathieu-Daudé
2020-05-05 13:31   ` Daniel P. Berrangé [this message]
2020-05-05 13:56     ` Philippe Mathieu-Daudé
2020-05-13 14:48       ` Daniele Buono
2020-05-21 10:00         ` Stefan Hajnoczi
