Fix alternate stack for Alpine docker on SELinux (#17936) (#17975)

kasper3 · janvorli · commit 13ea3c2c8e1e · 2018-06-01T14:22:43.000+02:00
For some reason, the Alpine docker container running on a SELinux host maps
heap as RWX. When we allocate alternate stack from the heap, we also
change the protection of the first page to PROT_NONE so that it can
serve as a guard page to catch stack overflow. And when we free the
alternate stack, we restore the protection back to PROT_READ |
PROT_WRITE. The restoration fails in Alpine docker container running on
a SELinux host with EPROT failure and the SELinux log reports that an
attempt to change heap to executable was made. So it looks like the
kernel has added the PERM_EXEC to the permissions we have passed to the
mprotect call. There is a code in the mprotect implementation that can
do that, although I don't fully understand the conditions under which it
happens. This is driven by the VM_MAYEXEC flag in the internal VMA block
structure.
To fix that, I've modified the alternate stack allocation to use mmap /
munmap instead of C heap allocation.
diff --git a/src/pal/src/exception/signal.cpp b/src/pal/src/exception/signal.cpp
@@ -158,9 +158,9 @@ BOOL EnsureSignalAlternateStack()
         // (see kAltStackSize in compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cc)
         altStackSize += SIGSTKSZ * 4;
 #endif
-        void* altStack;
-        int st = posix_memalign(&altStack, GetVirtualPageSize(), altStackSize);
-        if (st == 0)
+        altStackSize = ALIGN_UP(altStackSize, GetVirtualPageSize());
+        void* altStack = mmap(NULL, altStackSize, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_STACK | MAP_PRIVATE, -1, 0);
+        if (altStack != MAP_FAILED)
         {
             // create a guard page for the alternate stack
             st = mprotect(altStack, GetVirtualPageSize(), PROT_NONE);
@@ -171,17 +171,12 @@ BOOL EnsureSignalAlternateStack()
                 ss.ss_size = altStackSize;
                 ss.ss_flags = 0;
                 st = sigaltstack(&ss, NULL);
-                if (st != 0)
-                {
-                    // Installation of the alternate stack failed, so revert the guard page protection
-                    int st2 = mprotect(altStack, GetVirtualPageSize(), PROT_READ | PROT_WRITE);
-                    _ASSERTE(st2 == 0);
-                }
             }
 
             if (st != 0)
             {
-                free(altStack);
+               int st2 = munmap(altStack, altStackSize);
+               _ASSERTE(st2 == 0);
             }
         }
     }
@@ -208,9 +203,8 @@ void FreeSignalAlternateStack()
     int st = sigaltstack(&ss, &oss);
     if ((st == 0) && (oss.ss_flags != SS_DISABLE))
     {
-        int st = mprotect(oss.ss_sp, GetVirtualPageSize(), PROT_READ | PROT_WRITE);
+        int st = munmap(oss.ss_sp, oss.ss_size);
         _ASSERTE(st == 0);
-        free(oss.ss_sp);
     }
 }
 #endif // !HAVE_MACH_EXCEPTIONS

Original file line number	Diff line number	Diff line change
`@@ -158,9 +158,9 @@ BOOL EnsureSignalAlternateStack()`
`158`	`158`	`// (see kAltStackSize in compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cc)`
`159`	`159`	`altStackSize += SIGSTKSZ * 4;`
`160`	`160`	`#endif`
`161`		`- void* altStack;`
`162`		`- int st = posix_memalign(&altStack, GetVirtualPageSize(), altStackSize);`
`163`		`- if (st == 0)`
	`161`	`+ altStackSize = ALIGN_UP(altStackSize, GetVirtualPageSize());`
	`162`	`+ void* altStack = mmap(NULL, altStackSize, PROT_READ \| PROT_WRITE, MAP_ANONYMOUS \| MAP_STACK \| MAP_PRIVATE, -1, 0);`
	`163`	`+ if (altStack != MAP_FAILED)`
`164`	`164`	`{`
`165`	`165`	`// create a guard page for the alternate stack`
`166`	`166`	`st = mprotect(altStack, GetVirtualPageSize(), PROT_NONE);`
`@@ -171,17 +171,12 @@ BOOL EnsureSignalAlternateStack()`
`171`	`171`	`ss.ss_size = altStackSize;`
`172`	`172`	`ss.ss_flags = 0;`
`173`	`173`	`st = sigaltstack(&ss, NULL);`
`174`		`- if (st != 0)`
`175`		`- {`
`176`		`- // Installation of the alternate stack failed, so revert the guard page protection`
`177`		`- int st2 = mprotect(altStack, GetVirtualPageSize(), PROT_READ \| PROT_WRITE);`
`178`		`- _ASSERTE(st2 == 0);`
`179`		`- }`
`180`	`174`	`}`
`181`	`175`
`182`	`176`	`if (st != 0)`
`183`	`177`	`{`
`184`		`- free(altStack);`
	`178`	`+ int st2 = munmap(altStack, altStackSize);`
	`179`	`+ _ASSERTE(st2 == 0);`
`185`	`180`	`}`
`186`	`181`	`}`
`187`	`182`	`}`
`@@ -208,9 +203,8 @@ void FreeSignalAlternateStack()`
`208`	`203`	`int st = sigaltstack(&ss, &oss);`
`209`	`204`	`if ((st == 0) && (oss.ss_flags != SS_DISABLE))`
`210`	`205`	`{`
`211`		`- int st = mprotect(oss.ss_sp, GetVirtualPageSize(), PROT_READ \| PROT_WRITE);`
	`206`	`+ int st = munmap(oss.ss_sp, oss.ss_size);`
`212`	`207`	`_ASSERTE(st == 0);`
`213`		`- free(oss.ss_sp);`
`214`	`208`	`}`
`215`	`209`	`}`
`216`	`210`	`#endif // !HAVE_MACH_EXCEPTIONS`