qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: Stefan Hajnoczi <stefanha@gmail.com>
To: Daniele Buono <dbuono@linux.vnet.ibm.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Tobin Feldman-Fitzthum <tobin@ibm.com>,
	qemu-devel@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>
Subject: Re: [PATCH 1/4] coroutine: support SafeStack in ucontext backend
Date: Wed, 27 May 2020 11:34:46 +0100	[thread overview]
Message-ID: <20200527103446.GB29137@stefanha-x1.localdomain> (raw)
In-Reply-To: <c4411a43-ea2b-7d8a-60db-6f98239089d7@linux.vnet.ibm.com>

[-- Attachment #1: Type: text/plain, Size: 2481 bytes --]

On Fri, May 22, 2020 at 11:18:20AM -0400, Daniele Buono wrote:
> On 5/21/2020 5:44 AM, Stefan Hajnoczi wrote:
> > On Wed, Apr 29, 2020 at 03:44:17PM -0400, Daniele Buono wrote:
> > > @@ -160,6 +169,19 @@ Coroutine *qemu_coroutine_new(void)
> > >       /* swapcontext() in, siglongjmp() back out */
> > >       if (!sigsetjmp(old_env, 0)) {
> > >           start_switch_fiber(&fake_stack_save, co->stack, co->stack_size);
> > > +#ifdef CONFIG_SAFESTACK
> > > +        /*
> > > +         * Before we swap the context, set the new unsafe stack
> > > +         * The unsafe stack grows just like the normal stack, so start from
> > > +         * the last usable location of the memory area.
> > > +         * NOTE: we don't have to re-set it afterwards because sigsetjmp was
> > > +         * called with the original usp. Since we are not coming back with a
> > > +         * swapcontext, but with a siglongjmp, when we are back here we
> > > +         * already have usp restored to the valid one for this function
> > 
> > I don't understand this comment. __safestack_unsafe_stack_ptr is a
> > thread-local variable, not a CPU register. How will siglongjmp()
> > automatically restore it?
> > 
> Correct, setjmp/longjmp have no visibility of the unsafe stack. What I
> meant is that it is not automatically restored by the longjmp itself,
> but by code the compiler adds around the sigsetjmp.
> 
> Specifically, every sigsetjmp/sigjmp is intercepted by the compiler, the
> current value of __safestack_unsafe_stack_ptr is saved on the normal
> (safe) stack.
> Right after the sigsetjmp call it is then restored.
> 
> I will change the comment to make it clearer.
> 
> In practice, this is what happens:
> 
> Original clang implementation in qemu_coroutine_new:
> ----
> 40130c:  callq  4008d0 <__sigsetjmp@plt>
> 401311:  cmp    $0x0,%eax
> 401314:  jne    40132d <qemu_coroutine_new+0x12d>
> ----
> Clang Implementation with safestack:
> ----
> 4027a7:  mov    %rdx,-0x38(%rbp) <- Save unsafe ptr onto the safe stack
> [...]
> 40289c:  callq  401410 <__sigsetjmp@plt>
> 4028a1:  mov    0x201738(%rip),%rdi        # 603fe0
> <__safestack_unsafe_stack_ptr@@Base+0x603fe0>
> 4028a8:  mov    -0x38(%rbp),%rbx
> 4028ac:  mov    %rbx,%fs:(%rdi) <- Restore the unsafe ptr
> 4028b0:  cmp    $0x0,%eax
> 4028b3:  jne    4028d9 <qemu_coroutine_new+0x179>

Oh, that's interesting. Thanks for explaining and updating the comment.

Stefan

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

  reply	other threads:[~2020-05-27 10:37 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-29 19:44 [PATCH 0/4] Add support for SafeStack Daniele Buono
2020-04-29 19:44 ` [PATCH 1/4] coroutine: support SafeStack in ucontext backend Daniele Buono
2020-05-21  9:44   ` Stefan Hajnoczi
2020-05-22 15:18     ` Daniele Buono
2020-05-27 10:34       ` Stefan Hajnoczi [this message]
2020-04-29 19:44 ` [PATCH 2/4] coroutine: Add check for SafeStack in sigalstack Daniele Buono
2020-05-04 14:56   ` Philippe Mathieu-Daudé
2020-05-21  9:49   ` Stefan Hajnoczi
2020-05-27 17:56     ` Daniele Buono
2020-04-29 19:44 ` [PATCH 3/4] configure: add flag to enable SafeStack Daniele Buono
2020-05-21  9:52   ` Stefan Hajnoczi
2020-05-22 15:24     ` Daniele Buono
2020-05-27 11:12       ` Stefan Hajnoczi
2020-05-27 13:48         ` Daniele Buono
2020-04-29 19:44 ` [PATCH 4/4] check-block: Enable iotests with SafeStack Daniele Buono
2020-05-21  9:59   ` Stefan Hajnoczi
2020-05-22 15:35     ` Daniele Buono
2020-05-27 11:13       ` Stefan Hajnoczi
2020-05-04 14:55 ` [PATCH 0/4] Add support for SafeStack Philippe Mathieu-Daudé
2020-05-05 13:15 ` Philippe Mathieu-Daudé
2020-05-05 13:31   ` Daniel P. Berrangé
2020-05-05 13:56     ` Philippe Mathieu-Daudé
2020-05-13 14:48       ` Daniele Buono
2020-05-21 10:00         ` Stefan Hajnoczi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200527103446.GB29137@stefanha-x1.localdomain \
    --to=stefanha@gmail.com \
    --cc=dbuono@linux.vnet.ibm.com \
    --cc=kwolf@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=stefanha@redhat.com \
    --cc=tobin@ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).