From patchwork Sun Sep 21 21:52:43 2025
X-Patchwork-Submitter: Samuel Thibault
X-Patchwork-Id: 120589
From: Samuel Thibault
To: libc-alpha@sourceware.org
Cc: Samuel Thibault, commit-hurd@gnu.org
Subject: [hurd,commited] hurd: catch SIGSEGV on returning from signal handler
Date: Sun, 21 Sep 2025 23:52:43 +0200
Message-ID: <20250921215243.1666681-1-samuel.thibault@ens-lyon.org>

On stack overflow typically, we may not actually have room on the stack to trampoline back from the signal handler. We have to detect this before locking the ss, otherwise the signal thread will be stuck on taking the ss lock while trying to post SIGSEGV.

--- sysdeps/mach/hurd/i386/sigreturn.c | 13 ++++++++++++- sysdeps/mach/hurd/x86_64/sigreturn.c | 12 +++++++++++- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/sysdeps/mach/hurd/i386/sigreturn.c b/sysdeps/mach/hurd/i386/sigreturn.c index dc57d6122c..5a77ebdf31 100644 --- a/sysdeps/mach/hurd/i386/sigreturn.c +++ b/sysdeps/mach/hurd/i386/sigreturn.c
@@ -89,10 +89,21 @@ __sigreturn (struct sigcontext *scp) { struct hurd_sigstate *ss; struct hurd_userlink *link = (void *) &scp[1]; + int *usp; + + /* Stack usage while trampolining back: + * register dump, parameters, and rough estimation of usage in __sigreturn2 + * before unlocking ss. */ + size_t tramp_usage = 18 * sizeof (uintptr_t) + 32; if (__glibc_unlikely (scp == NULL || (scp->sc_mask & _SIG_CANT_MASK))) return __hurd_fail (EINVAL); + usp = (int *) scp->sc_uesp; + + /* If we are to segfault, do it now before locking the ss. */ + memset ((void*) usp - tramp_usage, 0, tramp_usage); + ss = _hurd_self_sigstate (); _hurd_sigstate_lock (ss); @@ -160,7 +171,7 @@ __sigreturn (struct sigcontext *scp) copy the registers onto the user's stack, switch there, pop and return. */ - int usp_arg, *usp = (int *) scp->sc_uesp; + int usp_arg; *--usp = scp->sc_eip; *--usp = scp->sc_efl; diff --git a/sysdeps/mach/hurd/x86_64/sigreturn.c b/sysdeps/mach/hurd/x86_64/sigreturn.c index 773c00f86d..d2494c3681 100644 --- a/sysdeps/mach/hurd/x86_64/sigreturn.c +++ b/sysdeps/mach/hurd/x86_64/sigreturn.c @@ -83,9 +83,20 @@ __sigreturn (struct sigcontext *scp) uintptr_t *usp; mach_port_t sc_reply_port; + /* Stack usage while trampolining back: + * register dump, 16B round-up, and rough estimation of usage in __sigreturn2 + * before unlocking ss. */ + size_t tramp_usage = 17 * sizeof (uintptr_t) + 16 + 64; + if (__glibc_unlikely (scp == NULL || (scp->sc_mask & _SIG_CANT_MASK))) return __hurd_fail (EINVAL); + /* Respect the redzone. */ + usp = (uintptr_t *) (scp->sc_ursp - 128); + + /* If we are to segfault, do it now before locking the ss. */ + memset ((void*) usp - tramp_usage, 0, tramp_usage); + ss = _hurd_self_sigstate (); _hurd_sigstate_lock (ss); @@ -160,7 +171,6 @@ __sigreturn (struct sigcontext *scp) located at a larger address than the sigcontext. */ sc_reply_port = scp->sc_reply_port; - usp = (uintptr_t *) (scp->sc_ursp - 128); *--usp = scp->sc_rip; *--usp = scp->sc_rfl;
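Review bot: in the first sysdeps/mach/hurd/i386/sigreturn.c hunk, `tramp_usage = 18 * sizeof (uintptr_t) + 32` is a hand-counted bound that nothing ties to the `*--usp = ...` pushes later in the function, and the comment itself calls part of it a rough estimation. If the stack actually touched before ss is unlocked ever exceeds that bound, the fault lands while the lock is held, which is the hang the commit message describes. Consider itemizing in the comment what the 18 words and the 32 bytes stand for, so the count can be rechecked whenever the push sequence changes. Style: GNU formatting would be `(void *) usp` with a space, and comment continuation lines without a leading `*`. The diffstat lists only the two sigreturn.c files, so a regression test that returns from a handler with a nearly exhausted stack would be worth adding.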
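Review bot: in the first sysdeps/mach/hurd/x86_64/sigreturn.c hunk, `memset ((void*) usp - tramp_usage, 0, tramp_usage);` probes by overwriting 17 * 8 + 16 + 64 = 216 bytes below `scp->sc_ursp - 128` with zeros, before any field of `*scp` has been read. The context of the following hunk says the pushed data is "located at a larger address than the sigcontext" and copies `sc_reply_port` into a local before pushing, so where `scp` sits relative to this area evidently matters. Please confirm that the zeroed range cannot overlap `*scp` when the handler ran on the interrupted stack; if it can, a probe that leaves the contents unchanged (for example reading a byte at the lowest address through a volatile pointer and writing the same value back) would give the same early fault. The same question applies to the i386 probe. The comment also mentions a "16B round-up" that is not visible in this hunk; pointing at the statement that performs it would make the `+ 16` term checkable.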