x86 thread stack guards persist after thread exit #29499
Labels: area: Memory Protection, bug, priority: low, Stale
Describe the bug
If CONFIG_HW_STACK_PROTECTION is enabled on x86, a page within every thread stack is marked read-only to serve as an overflow guard when the thread is initialized. This page is immediately below the stack buffer; if the stack overflows, writes to it produce an exception.
When the thread exits, the page is left with read-only access permissions.
To Reproduce
Code inspection.
Expected behavior
Any pages in a thread stack object should revert to their original mapping permissions when the thread exits.
Impact
If the memory for the stack object is only used as a stack object, there is no impact.
If the memory for the stack object is returned to a heap after the thread exits, this could cause unexpected faults when that memory is used for some other purpose.
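As an added illustration, and not Zephyr code, the following models the guard-page lifecycle from the description above and the reuse hazard from the Impact section in user-space C. POSIX mmap()/mprotect() stand in for the x86 page-table update, and the stack layout, the `model_stack` struct, `guard_install()`/`guard_remove()` and the `probe_write()` helper are all constructed for this example. `stale_guard_after_exit()` follows the buggy path (guard set at init, nothing restored at exit) and reports whether the first page of the region is still unwritable; `guard_restored_on_exit()` adds the restore step and reports that the whole region is writable again.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed model, not Zephyr code: a stack object is one guard page
 * followed by STACK_PAGES usable pages, the guard sitting immediately
 * below the buffer as the issue describes. */
#define STACK_PAGES 4

struct model_stack {
	unsigned char *region;	/* guard page base; buffer starts at region + page */
	size_t page;
};

static sigjmp_buf probe_env;

static void probe_handler(int sig)
{
	(void)sig;
	siglongjmp(probe_env, 1);
}

/* Returns 1 if a byte can be written at addr, 0 if the write faults.
 * A temporary SIGSEGV/SIGBUS handler turns the fault into a report
 * instead of killing the process. */
int probe_write(volatile unsigned char *addr)
{
	struct sigaction sa, old_segv, old_bus;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = probe_handler;
	sigemptyset(&sa.sa_mask);
	sigaction(SIGSEGV, &sa, &old_segv);
	sigaction(SIGBUS, &sa, &old_bus);

	if (sigsetjmp(probe_env, 1) != 0) {
		/* landed here from the handler: the write faulted */
		sigaction(SIGSEGV, &old_segv, NULL);
		sigaction(SIGBUS, &old_bus, NULL);
		return 0;
	}
	*addr = 0x5a;
	sigaction(SIGSEGV, &old_segv, NULL);
	sigaction(SIGBUS, &old_bus, NULL);
	return 1;
}

int model_stack_alloc(struct model_stack *s)
{
	long page = sysconf(_SC_PAGESIZE);
	void *p;

	if (page <= 0) {
		return -1;
	}
	s->page = (size_t)page;
	p = mmap(NULL, s->page * (STACK_PAGES + 1), PROT_READ | PROT_WRITE,
		 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (p == MAP_FAILED) {
		return -1;
	}
	s->region = p;
	return 0;
}

void model_stack_free(struct model_stack *s)
{
	munmap(s->region, s->page * (STACK_PAGES + 1));
	s->region = NULL;
}

/* Thread init: the guard page loses write access. */
int guard_install(struct model_stack *s)
{
	return mprotect(s->region, s->page, PROT_READ);
}

/* Thread exit done right: put the original RW mapping back. */
int guard_remove(struct model_stack *s)
{
	return mprotect(s->region, s->page, PROT_READ | PROT_WRITE);
}

/* The reported defect: after "exit" without guard_remove(), the guard page
 * is still read-only, so reusing the region for other data faults.
 * Returns 1 if the stale guard is observed, 0 if not, -1 on setup failure. */
int stale_guard_after_exit(void)
{
	struct model_stack s;
	int stale;

	if (model_stack_alloc(&s) != 0) {
		return -1;
	}
	guard_install(&s);
	/* ... thread runs and exits; nothing restores the guard page ... */
	stale = !probe_write(s.region);
	model_stack_free(&s);
	return stale;
}

/* Same sequence with the restore step on the exit path: the whole region
 * is writable again. Returns 1 if reuse succeeds, -1 on setup failure. */
int guard_restored_on_exit(void)
{
	struct model_stack s;
	int writable;

	if (model_stack_alloc(&s) != 0) {
		return -1;
	}
	guard_install(&s);
	guard_remove(&s);
	writable = probe_write(s.region) && probe_write(s.region + s.page);
	model_stack_free(&s);
	return writable;
}
```

The probe is the same check a heap integration test could run on a freed stack object: if any page of a block handed back to the allocator is not writable, a guard was left behind. Catching the fault with sigsetjmp()/siglongjmp() keeps the check non-fatal; on a target without that facility the equivalent is reading the page-table entry directly.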
Dynamic heaps have not historically been supported (for a long time there was no allocator that supported alignment, nor a generic way to know the alignment of stack objects), but there is some work going on in this area.
My preferred way of fixing this is to stop using physical pages for guards and memory-map stacks instead: #28899