Discussion:
[PATCH] x86_64 signal handling for 64-bit apps w/ mixed 32-bit code - trivial fix
Bryan Ford
2005-10-05 16:35:41 UTC
Permalink
The following trivial patch fixes a bug in signal handling on x86-64: the
kernel currently fails to save and restore the CS and SS segment registers on
user-mode signal handler dispatch/return, which makes it impossible for
64-bit applications to catch and handle signals properly that occur while
running 32-bit code fragments in compatibility mode.

The proposed patch doesn't affect any performance-critical paths (e.g.,
syscall or interrupt entry/exit), and merely involves a couple more moves
to/from user space on signal frame setup and sigreturn. It also doesn't
affect the size or shape of the sigcontext at all, since there already was an
(unused) slot for CS, and I've assigned the convenient __pad0 field as a slot
for SS. The existing, unused slots for FS and GS remain unused for now, and
I don't see any urgent need to change that. The only way this might break an
existing app is if the app tries to cons up its own signal frame (not
generated by the kernel) and pass it to sigreturn, but this is presumably a
no-no anyway.

The patch is against linux-2.6.13.3.
Author: Bryan Ford, ***@mit.edu
No copyright claimed; public domain.
Mika Penttilä
2005-10-05 17:38:08 UTC
Permalink
Post by Bryan Ford
The following trivial patch fixes a bug in signal handling on x86-64: the
kernel currently fails to save and restore the CS and SS segment registers on
user-mode signal handler dispatch/return, which makes it impossible for
64-bit applications to catch and handle signals properly that occur while
running 32-bit code fragments in compatibility mode.
The proposed patch doesn't affect any performance-critical paths (e.g.,
syscall or interrupt entry/exit), and merely involves a couple more moves
to/from user space on signal frame setup and sigreturn. It also doesn't
affect the size or shape of the sigcontext at all, since there already was an
(unused) slot for CS, and I've assigned the convenient __pad0 field as a slot
for SS. The existing, unused slots for FS and GS remain unused for now, and
I don't see any urgent need to change that. The only way this might break an
existing app is if the app tries to cons up its own signal frame (not
generated by the kernel) and pass it to sigreturn, but this is presumably a
no-no anyway.
The patch is against linux-2.6.13.3.
No copyright claimed; public domain.
------------------------------------------------------------------------
diff -ur o13/include/asm-x86_64/sigcontext.h linux-2.6.13.3/include/asm-x86_64/sigcontext.h
--- o13/include/asm-x86_64/sigcontext.h 2005-10-03 19:27:35.000000000 -0400
+++ linux-2.6.13.3/include/asm-x86_64/sigcontext.h 2005-10-05 12:06:59.000000000 -0400
@@ -43,7 +43,7 @@
unsigned short cs;
unsigned short gs;
unsigned short fs;
- unsigned short __pad0;
+ unsigned short ss;
unsigned long err;
unsigned long trapno;
unsigned long oldmask;
diff -ur o13/arch/x86_64/kernel/signal.c linux-2.6.13.3/arch/x86_64/kernel/signal.c
--- o13/arch/x86_64/kernel/signal.c 2005-10-03 19:27:35.000000000 -0400
+++ linux-2.6.13.3/arch/x86_64/kernel/signal.c 2005-10-05 12:13:22.000000000 -0400
@@ -110,6 +110,15 @@
COPY(r14);
COPY(r15);
+ /* Kernel saves and restores only CS and DS segments on signals,
+ * which are the bare essentials needed to allow mixed 32/64-bit code.
+ * App's signal handler can save/restore other segments if needed. */
+ unsigned short cs, ss;
+ err |= __get_user(cs, &sc->cs);
+ err |= __get_user(ss, &sc->ss);
+ regs->cs = cs | 3; /* Force into user mode */
+ regs->ss = ss | 3;
+
{
unsigned int tmpflags;
err |= __get_user(tmpflags, &sc->eflags);
@@ -187,6 +196,8 @@
{
int err = 0;
+ err |= __put_user(regs->cs, &sc->cs);
+ err |= __put_user(regs->ss, &sc->ss);
err |= __put_user(0, &sc->gs);
err |= __put_user(0, &sc->fs);
@@ -318,7 +329,15 @@
regs->rsp = (unsigned long)frame;
+ /* Set up segment registers to run signal handlers in 64-bit mode,
+ even if the handler happens to be interrupting 32-bit code. */
+ regs->cs = __USER_CS;
+ regs->ss = __USER_DS;
+
+ /* This, by contrast, has nothing to do with segment registers -
+ see include/asm-x86_64/uaccess.h for details. */
set_fs(USER_DS);
+
regs->eflags &= ~TF_MASK;
if (test_thread_flag(TIF_SINGLESTEP))
ptrace_notify(SIGTRAP);
What about the opposite? Are there things that would break if the app
depends on compatibility mode signal handler?

--Mika
Bryan Ford
2005-10-06 15:22:11 UTC
Permalink
Post by Mika Penttilä
The following trivial patch fixes a bug in signal handling on x86-64=
: the
Post by Mika Penttilä
kernel currently fails to save and restore the CS and SS segment reg=
isters
Post by Mika Penttilä
on user-mode signal handler dispatch/return, which makes it impossi=
ble
Post by Mika Penttilä
for 64-bit applications to catch and handle signals properly that o=
ccur
Post by Mika Penttilä
while running 32-bit code fragments in compatibility mode.
The proposed patch doesn't affect any performance-critical paths (e.=
g.,
Post by Mika Penttilä
syscall or interrupt entry/exit), and merely involves a couple more =
moves
Post by Mika Penttilä
to/from user space on signal frame setup and sigreturn. It also doe=
sn't
Post by Mika Penttilä
affect the size or shape of the sigcontext at all, since there alrea=
dy was
Post by Mika Penttilä
an (unused) slot for CS, and I've assigned the convenient __pad0 fi=
eld as
Post by Mika Penttilä
a slot for SS. The existing, unused slots for FS and GS remain unu=
sed
Post by Mika Penttilä
for now, and I don't see any urgent need to change that. The only =
way
Post by Mika Penttilä
this might break an existing app is if the app tries to cons up its=
own
Post by Mika Penttilä
signal frame (not generated by the kernel) and pass it to sigreturn=
, but
Post by Mika Penttilä
this is presumably a no-no anyway.
What about the opposite? Are there things that would break if the app
depends on compatibility mode signal handler?
If you're thinking about 32-bit compatibility mode apps, this patch doe=
sn't=20
affect them at all, because signal handling for 32-bit apps is already=20
handled by completely separate code paths (in arch/x86_64/ia32/ia32_sig=
nal.c=20
instead of arch/x86_64/kernel/signal.c). And note that the 32-bit ABI'=
s=20
signal handling code path already saves the CS and SS properly, in exac=
tly=20
the same way as my proposed patch does for the 64-bit ABI; my patch=20
effectively just brings the two in line with each other.

There is already no way for a 64-bit app to register and use a=20
compatibility-mode signal handler: the kernel's signal handling code pa=
th for=20
the 64-bit ABI always sets up a signal handling frame assuming that the=
=20
signal handler will be 64-bit, and I see no reason this should be chang=
ed. I=20
would merely like it to be possible for a 64-bit app to run snippets of=
=20
32-bit code when it needs to, and be able to catch signals that may occ=
ur=20
while running that 32-bit code, without immediately dying a horrible fl=
aming=20
death as it does now because of the kernel trying to run a 64-bit signa=
l=20
handler with a 32-bit code segment still loaded.

Cheers,
Bryan
Andi Kleen
2005-10-06 16:46:44 UTC
Permalink
Post by Bryan Ford
The proposed patch doesn't affect any performance-critical paths (e.g.,
syscall or interrupt entry/exit), and merely involves a couple more moves
to/from user space on signal frame setup and sigreturn. It also doesn't
affect the size or shape of the sigcontext at all, since there already was an
(unused) slot for CS, and I've assigned the convenient __pad0 field as a slot
for SS. The existing, unused slots for FS and GS remain unused for now, and
I don't see any urgent need to change that. The only way this might break an
existing app is if the app tries to cons up its own signal frame (not
generated by the kernel) and pass it to sigreturn, but this is presumably a
no-no anyway.
I see the point of saving/restore cs, but why ss and not es/ds ?

-Andi
Bryan Ford
2005-10-07 16:32:38 UTC
Permalink
Post by Andi Kleen
Post by Bryan Ford
The proposed patch doesn't affect any performance-critical paths (e.g.,
syscall or interrupt entry/exit), and merely involves a couple more moves
to/from user space on signal frame setup and sigreturn. It also doesn't
affect the size or shape of the sigcontext at all, since there already
was an (unused) slot for CS, and I've assigned the convenient __pad0
field as a slot for SS. The existing, unused slots for FS and GS remain
unused for now, and I don't see any urgent need to change that. The only
way this might break an existing app is if the app tries to cons up its
own signal frame (not generated by the kernel) and pass it to sigreturn,
but this is presumably a no-no anyway.
I see the point of saving/restore cs, but why ss and not es/ds ?
Hmm - I remember at one point thinking there was a reason it was necessary for
the kernel to save SS as well as CS, but now I can't remember what it was -
and now that you mention it, it does seem unnecessary for the kernel to save
SS since its value is irrelevant to the CPU while running the 64-bit signal
handler code, and the 64-bit signal handler itself can save and restore it if
necessary (as it can with ES/DS/FS/GS).

Saving SS along with CS would make the 64-bit signal path more consistent with
the 32-bit signal path and with the way the processor's interrupt/IRET
mechanism works, but neither of these considerations seem very important. So
on the assumption you'd prefer the code path to do the absolute minimum it
can get away with, here's a new version of my previously posted patch,
trimmed so it only saves and restores CS. This of course makes it
unnecessary even to rename the __pad0 field in struct sigcontext.

Thanks,
Bryan

Loading...