[2/2] jmpbuf: Add paddings for target specific usage

To support Shadow Stack (SHSTK) in Intel Control-flow Enforcement
Technology (CET) in setjmp/longjmp, we need to save shadow stack
pointer in jmp_buf.  The __saved_mask field in jmp_buf has type
of __sigset_t.  On Linux, __sigset_t is defined as

 #define _SIGSET_NWORDS (1024 / (8 * sizeof (unsigned long int)))
typedef struct
{
  unsigned long int __val[_SIGSET_NWORDS];
} __sigset_t;

which is much bigger than expected by the __sigprocmask system call,
which has

typedef struct {
        unsigned long sig[_NSIG_WORDS];
} sigset_t;

We can shrink __sigset_t used by __saved_mask in jmp_buf to add paddings
for target specific usage.  As long as the new __sigset_t is not smaller
than sigset_t expected by the __sigprocmask system call, it should work
correctly.  This patch defines __jmp_buf_sigset_t for __saved_mask in
jmp_buf on Linux and verifies __jmp_buf_sigset_t has the suitable size
for the __sigprocmask system call.

Tested with build-many-glibcs.py.

OK for master?

H.J.
---
	* bits/setjmp3.h: New file.
	* sysdeps/unix/sysv/linux/bits/setjmp3.h: Likewise.
	* setjmp/Makefile (headers): Add bits/setjmp3.h.
	* setjmp/longjmp.c (__libc_siglongjmp): Cast &env[0].__saved_mask
	to "sigset_t *".
	* setjmp/sigjmp.c (__sigjmp_save): Likewise.
	* sysdeps/powerpc/longjmp.c (__vmx__libc_siglongjmp): Likewise.
	* sysdeps/powerpc/novmx-longjmp.c (__novmx__libc_siglongjmp):
	Likewise.
	* sysdeps/powerpc/novmx-sigjmp.c (__novmx__sigjmp_save): Likewise.
	* sysdeps/powerpc/sigjmp.c (__vmx__sigjmp_save): Likewise.
	* sysdeps/unix/sysv/linux/ia64/unwind_longjmp.c
	(__libc_unwind_longjmp): Likewise.
	* setjmp/setjmp.h: Include <bits/setjmp3.h> instead of
	<bits/types/__sigset_t.h>.
	(__jmp_buf_tag): Change __saved_mask to __target.
	* setjmp/tst-jmp_buf.c: Include <signal.h>.
	[_NSIG] (KERNEL_NSIG_WORDS): New.
	[_NSIG] (kernel_sigset_t): Likewise.
	[_NSIG] (do_test): Add _Static_assert for size of __saved_mask
	in jmp_buf >= sizeof kernel_sigset_t.
---
 bits/setjmp3.h                                | 31 +++++++++++++++++
 setjmp/Makefile                               |  2 +-
 setjmp/longjmp.c                              |  3 +-
 setjmp/setjmp.h                               |  4 +--
 setjmp/sigjmp.c                               |  2 +-
 setjmp/tst-jmp_buf.c                          | 17 ++++++++++
 sysdeps/powerpc/longjmp.c                     |  3 +-
 sysdeps/powerpc/novmx-longjmp.c               |  3 +-
 sysdeps/powerpc/novmx-sigjmp.c                |  2 +-
 sysdeps/powerpc/sigjmp.c                      |  2 +-
 sysdeps/unix/sysv/linux/bits/setjmp3.h        | 48 +++++++++++++++++++++++++++
 sysdeps/unix/sysv/linux/ia64/unwind_longjmp.c |  3 +-
 12 files changed, 110 insertions(+), 10 deletions(-)
 create mode 100644 bits/setjmp3.h
 create mode 100644 sysdeps/unix/sysv/linux/bits/setjmp3.h

On 11/07/2017 11:39 PM, H.J. Lu wrote:
> +typedef struct
> +  {
> +    __sigset_t __saved_mask;
> +  } __jmpbuf_target_t;

“Target” in the sense of “target architecture”, not “jump target”? 
Maybe it's better to pick a different name.

Should <bits/setjmp3.h> be a header under bits/types/ instead?

Thanks,
Florian

On Tue, Nov 7, 2017 at 10:05 PM, Florian Weimer <fweimer@redhat.com> wrote:
> On 11/07/2017 11:39 PM, H.J. Lu wrote:
>>
>> +typedef struct
>> +  {
>> +    __sigset_t __saved_mask;
>> +  } __jmpbuf_target_t;
>
>
> “Target” in the sense of “target architecture”, not “jump target”? Maybe
> it's better to pick a different name.

I checked it to __jmpbuf_arch_t.

> Should <bits/setjmp3.h> be a header under bits/types/ instead?
>

I renamed it to bits/types/__jmpbuf_arch_t.h.

Here is the updated patch.  Tested with build-many-glibcs.py.

Are there any comments or objections?

Thanks.

On 11/08/2017 07:27 PM, H.J. Lu wrote:
> +/* The biggest signal number + 1  */
> +#define _JUMP_BUF_SIGSET_NSIG	257
> +/* Number of longs to hold all signals.  */
> +#define _JUMP_BUF_SIGSET_NWORDS \
> +  ((_JUMP_BUF_SIGSET_NSIG - 1 + 7) / (8 * sizeof (unsigned long int)))

Where does 257 come from?  65 or 129 I would understand considering the 
kernel sources, but 257 is odd.

I think it would be clearer to hard-code the array sizes and explain why 
the values where chosen in that way.

We also need a test that setprocmask does not read from the previously 
unused part.  I can move the existing next_to_fault bits to support/ if 
that would help.

Thanks,
Florian

On Mon, Nov 13, 2017 at 5:09 AM, Florian Weimer <fweimer@redhat.com> wrote:
> On 11/08/2017 07:27 PM, H.J. Lu wrote:
>>
>> +/* The biggest signal number + 1  */
>> +#define _JUMP_BUF_SIGSET_NSIG  257
>> +/* Number of longs to hold all signals.  */
>> +#define _JUMP_BUF_SIGSET_NWORDS \
>> +  ((_JUMP_BUF_SIGSET_NSIG - 1 + 7) / (8 * sizeof (unsigned long int)))
>
>
> Where does 257 come from?  65 or 129 I would understand considering the
> kernel sources, but 257 is odd.

I picked 257 to leave some room
> I think it would be clearer to hard-code the array sizes and explain why the
> values where chosen in that way.
>
> We also need a test that setprocmask does not read from the previously

Did you mean "sigprocmask"?

> unused part.  I can move the existing next_to_fault bits to support/ if that
> would help.

Yes, please.

Thanks.

On 11/13/2017 03:05 PM, H.J. Lu wrote:
> On Mon, Nov 13, 2017 at 5:09 AM, Florian Weimer <fweimer@redhat.com> wrote:
>> On 11/08/2017 07:27 PM, H.J. Lu wrote:
>>>
>>> +/* The biggest signal number + 1  */
>>> +#define _JUMP_BUF_SIGSET_NSIG  257
>>> +/* Number of longs to hold all signals.  */
>>> +#define _JUMP_BUF_SIGSET_NWORDS \
>>> +  ((_JUMP_BUF_SIGSET_NSIG - 1 + 7) / (8 * sizeof (unsigned long int)))
>>
>>
>> Where does 257 come from?  65 or 129 I would understand considering the
>> kernel sources, but 257 is odd.

Oh.  I'm not sure if we should put this into installed header.

Maybe we can use a different approach?  Something similar to the pthread 
types?  Or just not change the external type at all and just ad some 
internal space reuse mechanism?

We had problems with people poking at supposedly invisible jmpbuf 
contents in the past, and I'm worried that adding even __ members will 
encourage that.

>> I think it would be clearer to hard-code the array sizes and explain why the
>> values where chosen in that way.
>>
>> We also need a test that setprocmask does not read from the previously
> 
> Did you mean "sigprocmask"?

Right.

>> unused part.  I can move the existing next_to_fault bits to support/ if that
>> would help.
> 
> Yes, please.

Okay, I'll move it to support/ soon.

Thanks,
Florian

On Mon, Nov 13, 2017 at 8:34 AM, Florian Weimer <fweimer@redhat.com> wrote:
> On 11/13/2017 03:05 PM, H.J. Lu wrote:
>>
>> On Mon, Nov 13, 2017 at 5:09 AM, Florian Weimer <fweimer@redhat.com>
>> wrote:
>>>
>>> On 11/08/2017 07:27 PM, H.J. Lu wrote:
>>>>
>>>>
>>>> +/* The biggest signal number + 1  */
>>>> +#define _JUMP_BUF_SIGSET_NSIG  257
>>>> +/* Number of longs to hold all signals.  */
>>>> +#define _JUMP_BUF_SIGSET_NWORDS \
>>>> +  ((_JUMP_BUF_SIGSET_NSIG - 1 + 7) / (8 * sizeof (unsigned long int)))
>>>
>>>
>>>
>>> Where does 257 come from?  65 or 129 I would understand considering the
>>> kernel sources, but 257 is odd.
>
>
> Oh.  I'm not sure if we should put this into installed header.
>
> Maybe we can use a different approach?  Something similar to the pthread
> types?  Or just not change the external type at all and just ad some
> internal space reuse mechanism?

I will see what I can do.

> We had problems with people poking at supposedly invisible jmpbuf contents
> in the past, and I'm worried that adding even __ members will encourage
> that.
>
>>> I think it would be clearer to hard-code the array sizes and explain why
>>> the
>>> values where chosen in that way.
>>>
>>> We also need a test that setprocmask does not read from the previously
>>
>>
>> Did you mean "sigprocmask"?
>
>
> Right.
>
>>> unused part.  I can move the existing next_to_fault bits to support/ if
>>> that
>>> would help.
>>
>>
>> Yes, please.
>
>
> Okay, I'll move it to support/ soon.
>

Here is what the test will look like

static int
do_test (void)
{
  struct __jmp_buf_tag *sj = memory from next_to_fault
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"SJ" will point to the end of page in such a way that sigprocmask
will fail if it reads beyond the actual __saved_mask.

  sigset_t m;

  sigemptyset (&m);
  sigprocmask (SIG_SETMASK, &m, NULL);
  if (sigsetjmp (sj, 0) == 0)
    {
      sigaddset (&m, SIGUSR1);
      sigprocmask (SIG_SETMASK, &m, NULL);
      siglongjmp (sj, 1);
      return EXIT_FAILURE;
    }
  sigprocmask (SIG_SETMASK, NULL, &m);
  return sigismember (&m, SIGUSR1) ? EXIT_SUCCESS : EXIT_FAILURE;
}

#define TEST_FUNCTION do_test ()
#include "../test-skeleton.c"

Thanks.

On Mon, Nov 13, 2017 at 8:44 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
> On Mon, Nov 13, 2017 at 8:34 AM, Florian Weimer <fweimer@redhat.com> wrote:
>> On 11/13/2017 03:05 PM, H.J. Lu wrote:
>>>
>>> On Mon, Nov 13, 2017 at 5:09 AM, Florian Weimer <fweimer@redhat.com>
>>> wrote:
>>>>
>>>> On 11/08/2017 07:27 PM, H.J. Lu wrote:
>>>>>
>>>>>
>>>>> +/* The biggest signal number + 1  */
>>>>> +#define _JUMP_BUF_SIGSET_NSIG  257
>>>>> +/* Number of longs to hold all signals.  */
>>>>> +#define _JUMP_BUF_SIGSET_NWORDS \
>>>>> +  ((_JUMP_BUF_SIGSET_NSIG - 1 + 7) / (8 * sizeof (unsigned long int)))
>>>>
>>>>
>>>>
>>>> Where does 257 come from?  65 or 129 I would understand considering the
>>>> kernel sources, but 257 is odd.
>>
>>
>> Oh.  I'm not sure if we should put this into installed header.
>>
>> Maybe we can use a different approach?  Something similar to the pthread
>> types?  Or just not change the external type at all and just ad some
>> internal space reuse mechanism?
>
> I will see what I can do.
>
>> We had problems with people poking at supposedly invisible jmpbuf contents
>> in the past, and I'm worried that adding even __ members will encourage
>> that.
>>
>>>> I think it would be clearer to hard-code the array sizes and explain why
>>>> the
>>>> values where chosen in that way.
>>>>
>>>> We also need a test that setprocmask does not read from the previously
>>>
>>>
>>> Did you mean "sigprocmask"?
>>
>>
>> Right.
>>
>>>> unused part.  I can move the existing next_to_fault bits to support/ if
>>>> that
>>>> would help.
>>>
>>>
>>> Yes, please.
>>
>>
>> Okay, I'll move it to support/ soon.
>>
>

Here is the updated patch to add <setjmpP.h>.  I added a test:

  struct support_next_to_fault jmpbuf
    = support_next_to_fault_allocate (SAVED_MASK_OFFSET + (_NSIG / 8));
  struct __jmp_buf_tag *sj = (struct __jmp_buf_tag *) jmpbuf.buffer;

  errno = 0;
  if (sigsetjmp (sj, 1) == 0)
    {
      siglongjmp (sj, 1);
      return EXIT_FAILURE;
    }
  if (errno != 0)
    {
      printf ("sigsetjmp: %s\n", strerror (errno));
      return EXIT_FAILURE;
    }

to verify that __sigprocmask won't read beyond _NSIG / 8.

Does it look OK?

Thanks.

On Mon, Nov 13, 2017 at 11:40 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
> On Mon, Nov 13, 2017 at 8:44 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
>> On Mon, Nov 13, 2017 at 8:34 AM, Florian Weimer <fweimer@redhat.com> wrote:
>>> On 11/13/2017 03:05 PM, H.J. Lu wrote:
>>>>
>>>> On Mon, Nov 13, 2017 at 5:09 AM, Florian Weimer <fweimer@redhat.com>
>>>> wrote:
>>>>>
>>>>> On 11/08/2017 07:27 PM, H.J. Lu wrote:
>>>>>>
>>>>>>
>>>>>> +/* The biggest signal number + 1  */
>>>>>> +#define _JUMP_BUF_SIGSET_NSIG  257
>>>>>> +/* Number of longs to hold all signals.  */
>>>>>> +#define _JUMP_BUF_SIGSET_NWORDS \
>>>>>> +  ((_JUMP_BUF_SIGSET_NSIG - 1 + 7) / (8 * sizeof (unsigned long int)))
>>>>>
>>>>>
>>>>>
>>>>> Where does 257 come from?  65 or 129 I would understand considering the
>>>>> kernel sources, but 257 is odd.
>>>
>>>
>>> Oh.  I'm not sure if we should put this into installed header.
>>>
>>> Maybe we can use a different approach?  Something similar to the pthread
>>> types?  Or just not change the external type at all and just ad some
>>> internal space reuse mechanism?
>>
>> I will see what I can do.
>>
>>> We had problems with people poking at supposedly invisible jmpbuf contents
>>> in the past, and I'm worried that adding even __ members will encourage
>>> that.
>>>
>>>>> I think it would be clearer to hard-code the array sizes and explain why
>>>>> the
>>>>> values where chosen in that way.
>>>>>
>>>>> We also need a test that setprocmask does not read from the previously
>>>>
>>>>
>>>> Did you mean "sigprocmask"?
>>>
>>>
>>> Right.
>>>
>>>>> unused part.  I can move the existing next_to_fault bits to support/ if
>>>>> that
>>>>> would help.
>>>>
>>>>
>>>> Yes, please.
>>>
>>>
>>> Okay, I'll move it to support/ soon.
>>>
>>
>
> Here is the updated patch to add <setjmpP.h>.  I added a test:
>
>   struct support_next_to_fault jmpbuf
>     = support_next_to_fault_allocate (SAVED_MASK_OFFSET + (_NSIG / 8));
>   struct __jmp_buf_tag *sj = (struct __jmp_buf_tag *) jmpbuf.buffer;
>
>   errno = 0;
>   if (sigsetjmp (sj, 1) == 0)
>     {
>       siglongjmp (sj, 1);
>       return EXIT_FAILURE;
>     }
>   if (errno != 0)
>     {
>       printf ("sigsetjmp: %s\n", strerror (errno));
>       return EXIT_FAILURE;
>     }
>
> to verify that __sigprocmask won't read beyond _NSIG / 8.
>
> Does it look OK?
>

This is the updated patch.  Tested with build-many-glibcs.py.

Any other comments?

Thanks.

On 11/14/2017 12:22 AM, H.J. Lu wrote:
> diff --git a/setjmp/tst-sigsetjmp2.c b/setjmp/tst-sigsetjmp2.c
> new file mode 100644
> index 0000000000..131531feb0
> --- /dev/null
> +++ b/setjmp/tst-sigsetjmp2.c
> @@ -0,0 +1,50 @@
> +/* Test that sigprocmask does not read from the unused part of jmpbuf.
> +   Copyright (C) 2017 Free Software Foundation, Inc.
> +   This file is part of the GNU C Library.
> +
> +   The GNU C Library is free software; you can redistribute it and/or
> +   modify it under the terms of the GNU Lesser General Public
> +   License as published by the Free Software Foundation; either
> +   version 2.1 of the License, or (at your option) any later version.
> +
> +   The GNU C Library is distributed in the hope that it will be useful,
> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +   Lesser General Public License for more details.
> +
> +   You should have received a copy of the GNU Lesser General Public
> +   License along with the GNU C Library; if not, see
> +<http://www.gnu.org/licenses/>.  */
> +
> +#include <stdlib.h>
> +#include <signal.h>
> +#include <setjmp.h>
> +#include <stdio.h>
> +#include <string.h>
> +#include <errno.h>
> +#include <jmp_buf-macros.h>
> +#include <support/next_to_fault.h>
> +
> +static int
> +do_test (void)
> +{
> +  struct support_next_to_fault jmpbuf
> +    = support_next_to_fault_allocate (SAVED_MASK_OFFSET + (_NSIG / 8));
> +  struct __jmp_buf_tag *sj = (struct __jmp_buf_tag *) jmpbuf.buffer;
> +
> +  errno = 0;
> +  if (sigsetjmp (sj, 1) == 0)
> +    {
> +      siglongjmp (sj, 1);
> +      return EXIT_FAILURE;
> +    }
> +  if (errno != 0)
> +    {
> +      printf ("sigsetjmp: %s\n", strerror (errno));
> +      return EXIT_FAILURE;
> +    }
> +  return EXIT_SUCCESS;
> +}
> +
> +#define TEST_FUNCTION do_test ()
> +#include "../test-skeleton.c"

Please use <support/test-driver.c>.

Wouldn't the test start to fail if sigsetjmp/siglongjmp actually started 
using the padding you are freeing up for use?

I think you need test sigprocmask directly to ensure it has the desired 
property of not clobbering the padding.

Thanks,
Florian

On Tue, Nov 14, 2017 at 4:26 AM, Florian Weimer <fweimer@redhat.com> wrote:
> On 11/14/2017 12:22 AM, H.J. Lu wrote:
>>
>> diff --git a/setjmp/tst-sigsetjmp2.c b/setjmp/tst-sigsetjmp2.c
>> new file mode 100644
>> index 0000000000..131531feb0
>> --- /dev/null
>> +++ b/setjmp/tst-sigsetjmp2.c
>> @@ -0,0 +1,50 @@
>> +/* Test that sigprocmask does not read from the unused part of jmpbuf.
>> +   Copyright (C) 2017 Free Software Foundation, Inc.
>> +   This file is part of the GNU C Library.
>> +
>> +   The GNU C Library is free software; you can redistribute it and/or
>> +   modify it under the terms of the GNU Lesser General Public
>> +   License as published by the Free Software Foundation; either
>> +   version 2.1 of the License, or (at your option) any later version.
>> +
>> +   The GNU C Library is distributed in the hope that it will be useful,
>> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
>> +   Lesser General Public License for more details.
>> +
>> +   You should have received a copy of the GNU Lesser General Public
>> +   License along with the GNU C Library; if not, see
>> +<http://www.gnu.org/licenses/>.  */
>> +
>> +#include <stdlib.h>
>> +#include <signal.h>
>> +#include <setjmp.h>
>> +#include <stdio.h>
>> +#include <string.h>
>> +#include <errno.h>
>> +#include <jmp_buf-macros.h>
>> +#include <support/next_to_fault.h>
>> +
>> +static int
>> +do_test (void)
>> +{
>> +  struct support_next_to_fault jmpbuf
>> +    = support_next_to_fault_allocate (SAVED_MASK_OFFSET + (_NSIG / 8));
>> +  struct __jmp_buf_tag *sj = (struct __jmp_buf_tag *) jmpbuf.buffer;
>> +
>> +  errno = 0;
>> +  if (sigsetjmp (sj, 1) == 0)
>> +    {
>> +      siglongjmp (sj, 1);
>> +      return EXIT_FAILURE;
>> +    }
>> +  if (errno != 0)
>> +    {
>> +      printf ("sigsetjmp: %s\n", strerror (errno));
>> +      return EXIT_FAILURE;
>> +    }
>> +  return EXIT_SUCCESS;
>> +}
>> +
>> +#define TEST_FUNCTION do_test ()
>> +#include "../test-skeleton.c"
>
>
> Please use <support/test-driver.c>.

Done.

> Wouldn't the test start to fail if sigsetjmp/siglongjmp actually started
> using the padding you are freeing up for use?

You are right.

> I think you need test sigprocmask directly to ensure it has the desired
> property of not clobbering the padding.

Here is the updated patch.   OK for master?

Thanks.

On 11/14/2017 02:10 PM, H.J. Lu wrote:
> +static int
> +do_test (void)
> +{
> +  sigjmp_buf sj;
> +  struct support_next_to_fault sigset_t_buf
> +    = support_next_to_fault_allocate (SIZEOF_SIGSET_T);
> +  sigset_t *m_p = (sigset_t *) sigset_t_buf.buffer;
> +  sigset_t m;
> +
> +  sigemptyset (&m);
> +  memcpy (m_p, &m, SIZEOF_SIGSET_T);
> +  sigprocmask (SIG_SETMASK, m_p, NULL);
> +  memcpy (&m, m_p, SIZEOF_SIGSET_T);
> +  if (sigsetjmp (sj, 0) == 0)
> +    {
> +      sigaddset (&m, SIGUSR1);
> +      memcpy (m_p, &m, SIZEOF_SIGSET_T);
> +      sigprocmask (SIG_SETMASK, m_p, NULL);
> +      memcpy (&m, m_p, SIZEOF_SIGSET_T);
> +      siglongjmp (sj, 1);
> +      return EXIT_FAILURE;
> +    }
> +  sigprocmask (SIG_SETMASK, NULL, m_p);
> +  memcpy (&m, m_p, SIZEOF_SIGSET_T);
> +  return sigismember (&m, SIGUSR1) ? EXIT_SUCCESS : EXIT_FAILURE;
> +}

Sorry, I don't understand anymore what this test is supposed to test and 
how.

To be honest, I don't like how you inject the internal definition of 
jmp_buf.  Is this the way we do it for the nptl types?

I think you should check _JUMP_BUF_SIGSET_NSIG against a kernel constant 
(_NSIGS?) somewhere.

Thanks,
Florian

On Wed, Nov 15, 2017 at 3:10 AM, Florian Weimer <fweimer@redhat.com> wrote:
> On 11/14/2017 02:10 PM, H.J. Lu wrote:
>>
>> +static int
>> +do_test (void)
>> +{
>> +  sigjmp_buf sj;
>> +  struct support_next_to_fault sigset_t_buf
>> +    = support_next_to_fault_allocate (SIZEOF_SIGSET_T);
>> +  sigset_t *m_p = (sigset_t *) sigset_t_buf.buffer;
>> +  sigset_t m;
>> +
>> +  sigemptyset (&m);
>> +  memcpy (m_p, &m, SIZEOF_SIGSET_T);
>> +  sigprocmask (SIG_SETMASK, m_p, NULL);
>> +  memcpy (&m, m_p, SIZEOF_SIGSET_T);
>> +  if (sigsetjmp (sj, 0) == 0)
>> +    {
>> +      sigaddset (&m, SIGUSR1);
>> +      memcpy (m_p, &m, SIZEOF_SIGSET_T);
>> +      sigprocmask (SIG_SETMASK, m_p, NULL);
>> +      memcpy (&m, m_p, SIZEOF_SIGSET_T);
>> +      siglongjmp (sj, 1);
>> +      return EXIT_FAILURE;
>> +    }
>> +  sigprocmask (SIG_SETMASK, NULL, m_p);
>> +  memcpy (&m, m_p, SIZEOF_SIGSET_T);
>> +  return sigismember (&m, SIGUSR1) ? EXIT_SUCCESS : EXIT_FAILURE;
>> +}
>
>
> Sorry, I don't understand anymore what this test is supposed to test and
> how.

This tests the reduced __jmp_buf_sigset_t used by __saved_mask is
bigger than sigset expected by kernel.

> To be honest, I don't like how you inject the internal definition of
> jmp_buf.  Is this the way we do it for the nptl types?

I only need to make some room in

/* Calling environment, plus possibly a saved signal mask.  */
struct __jmp_buf_tag
  {
    /* NOTE: The machine-dependent definitions of `__sigsetjmp'
       assume that a `jmp_buf' begins with a `__jmp_buf' and that
       `__mask_was_saved' follows it.  Do not move these members
       or add others before it.  */
    __jmp_buf __jmpbuf; /* Calling environment.  */
    int __mask_was_saved; /* Saved the signal mask?  */
    __sigset_t __saved_mask; /* Saved signal mask.  */
  };

for target specific purpose.   I changed it to

struct __jmp_buf_tag
  {
    /* NOTE: The machine-dependent definitions of `__sigsetjmp'
       assume that a `jmp_buf' begins with a `__jmp_buf' and that
       `__mask_was_saved' follows it.  Do not move these members
       or add others before it.  */
    __jmp_buf __jmpbuf; /* Calling environment.  */
    int __mask_was_saved; /* Saved the signal mask?  */
    union
    {
    __sigset_t __saved_mask_compat;
    struct
      {
__jmp_buf_sigset_t __saved_mask;
/* Paddings for architecture specific usage.  */
unsigned long int __padding[12];
      } __saved;
    }  __saved_mask;
  };

#define __saved_mask __saved_mask.__saved.__saved_mask

I did only to  __sigset_t  in __jmp_buf_tag and this test verifies that the size
of __jmp_buf_sigset_t works with sigprocmask.

Are you suggesting we make some room in __sigset_t directly?  This will
require very extensive changes. If not, what do you exactly suggest?

> I think you should check _JUMP_BUF_SIGSET_NSIG against a kernel constant
> (_NSIGS?) somewhere.

There is a _Static_assert in include/setjmp.h.  But it isn't triggered.  This
updated patch moves it to sysdeps/unix/sysv/linux/__saved_mask.h.   Now
I got

../sysdeps/unix/sysv/linux/__saved_mask.h:32:1: error: static
assertion failed: "size of ___saved_mask < size of
__sigprocmask_sigset_t"
 _Static_assert (sizeof (___saved_mask) >= sizeof (__sigprocmask_sigset_t),

if __jmp_buf_sigset_t is too small.

On Wed, Nov 15, 2017 at 5:20 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
> On Wed, Nov 15, 2017 at 3:10 AM, Florian Weimer <fweimer@redhat.com> wrote:
>> On 11/14/2017 02:10 PM, H.J. Lu wrote:
>>>
>>> +static int
>>> +do_test (void)
>>> +{
>>> +  sigjmp_buf sj;
>>> +  struct support_next_to_fault sigset_t_buf
>>> +    = support_next_to_fault_allocate (SIZEOF_SIGSET_T);
>>> +  sigset_t *m_p = (sigset_t *) sigset_t_buf.buffer;
>>> +  sigset_t m;
>>> +
>>> +  sigemptyset (&m);
>>> +  memcpy (m_p, &m, SIZEOF_SIGSET_T);
>>> +  sigprocmask (SIG_SETMASK, m_p, NULL);
>>> +  memcpy (&m, m_p, SIZEOF_SIGSET_T);
>>> +  if (sigsetjmp (sj, 0) == 0)
>>> +    {
>>> +      sigaddset (&m, SIGUSR1);
>>> +      memcpy (m_p, &m, SIZEOF_SIGSET_T);
>>> +      sigprocmask (SIG_SETMASK, m_p, NULL);
>>> +      memcpy (&m, m_p, SIZEOF_SIGSET_T);
>>> +      siglongjmp (sj, 1);
>>> +      return EXIT_FAILURE;
>>> +    }
>>> +  sigprocmask (SIG_SETMASK, NULL, m_p);
>>> +  memcpy (&m, m_p, SIZEOF_SIGSET_T);
>>> +  return sigismember (&m, SIGUSR1) ? EXIT_SUCCESS : EXIT_FAILURE;
>>> +}
>>
>>
>> Sorry, I don't understand anymore what this test is supposed to test and
>> how.
>
> This tests the reduced __jmp_buf_sigset_t used by __saved_mask is
> bigger than sigset expected by kernel.
>
>> To be honest, I don't like how you inject the internal definition of
>> jmp_buf.  Is this the way we do it for the nptl types?
>
> I only need to make some room in
>
> /* Calling environment, plus possibly a saved signal mask.  */
> struct __jmp_buf_tag
>   {
>     /* NOTE: The machine-dependent definitions of `__sigsetjmp'
>        assume that a `jmp_buf' begins with a `__jmp_buf' and that
>        `__mask_was_saved' follows it.  Do not move these members
>        or add others before it.  */
>     __jmp_buf __jmpbuf; /* Calling environment.  */
>     int __mask_was_saved; /* Saved the signal mask?  */
>     __sigset_t __saved_mask; /* Saved signal mask.  */
>   };
>
> for target specific purpose.   I changed it to
>
> struct __jmp_buf_tag
>   {
>     /* NOTE: The machine-dependent definitions of `__sigsetjmp'
>        assume that a `jmp_buf' begins with a `__jmp_buf' and that
>        `__mask_was_saved' follows it.  Do not move these members
>        or add others before it.  */
>     __jmp_buf __jmpbuf; /* Calling environment.  */
>     int __mask_was_saved; /* Saved the signal mask?  */
>     union
>     {
>     __sigset_t __saved_mask_compat;
>     struct
>       {
> __jmp_buf_sigset_t __saved_mask;
> /* Paddings for architecture specific usage.  */
> unsigned long int __padding[12];
>       } __saved;
>     }  __saved_mask;
>   };
>
> #define __saved_mask __saved_mask.__saved.__saved_mask
>
> I did only to  __sigset_t  in __jmp_buf_tag and this test verifies that the size
> of __jmp_buf_sigset_t works with sigprocmask.
>
> Are you suggesting we make some room in __sigset_t directly?  This will
> require very extensive changes. If not, what do you exactly suggest?
>
>> I think you should check _JUMP_BUF_SIGSET_NSIG against a kernel constant
>> (_NSIGS?) somewhere.
>
> There is a _Static_assert in include/setjmp.h.  But it isn't triggered.  This
> updated patch moves it to sysdeps/unix/sysv/linux/__saved_mask.h.   Now
> I got
>
> ../sysdeps/unix/sysv/linux/__saved_mask.h:32:1: error: static
> assertion failed: "size of ___saved_mask < size of
> __sigprocmask_sigset_t"
>  _Static_assert (sizeof (___saved_mask) >= sizeof (__sigprocmask_sigset_t),
>
> if __jmp_buf_sigset_t is too small.
>
> --
> H.J.

Any comments, suggestions or objections?  The patch is at

https://sourceware.org/ml/libc-alpha/2017-11/msg00510.html

On Tue, Nov 21, 2017 at 2:22 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
> On Wed, Nov 15, 2017 at 5:20 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
>> On Wed, Nov 15, 2017 at 3:10 AM, Florian Weimer <fweimer@redhat.com> wrote:
>>> On 11/14/2017 02:10 PM, H.J. Lu wrote:
>>>>
>>>> +static int
>>>> +do_test (void)
>>>> +{
>>>> +  sigjmp_buf sj;
>>>> +  struct support_next_to_fault sigset_t_buf
>>>> +    = support_next_to_fault_allocate (SIZEOF_SIGSET_T);
>>>> +  sigset_t *m_p = (sigset_t *) sigset_t_buf.buffer;
>>>> +  sigset_t m;
>>>> +
>>>> +  sigemptyset (&m);
>>>> +  memcpy (m_p, &m, SIZEOF_SIGSET_T);
>>>> +  sigprocmask (SIG_SETMASK, m_p, NULL);
>>>> +  memcpy (&m, m_p, SIZEOF_SIGSET_T);
>>>> +  if (sigsetjmp (sj, 0) == 0)
>>>> +    {
>>>> +      sigaddset (&m, SIGUSR1);
>>>> +      memcpy (m_p, &m, SIZEOF_SIGSET_T);
>>>> +      sigprocmask (SIG_SETMASK, m_p, NULL);
>>>> +      memcpy (&m, m_p, SIZEOF_SIGSET_T);
>>>> +      siglongjmp (sj, 1);
>>>> +      return EXIT_FAILURE;
>>>> +    }
>>>> +  sigprocmask (SIG_SETMASK, NULL, m_p);
>>>> +  memcpy (&m, m_p, SIZEOF_SIGSET_T);
>>>> +  return sigismember (&m, SIGUSR1) ? EXIT_SUCCESS : EXIT_FAILURE;
>>>> +}
>>>
>>>
>>> Sorry, I don't understand anymore what this test is supposed to test and
>>> how.
>>
>> This tests the reduced __jmp_buf_sigset_t used by __saved_mask is
>> bigger than sigset expected by kernel.
>>
>>> To be honest, I don't like how you inject the internal definition of
>>> jmp_buf.  Is this the way we do it for the nptl types?
>>
>> I only need to make some room in
>>
>> /* Calling environment, plus possibly a saved signal mask.  */
>> struct __jmp_buf_tag
>>   {
>>     /* NOTE: The machine-dependent definitions of `__sigsetjmp'
>>        assume that a `jmp_buf' begins with a `__jmp_buf' and that
>>        `__mask_was_saved' follows it.  Do not move these members
>>        or add others before it.  */
>>     __jmp_buf __jmpbuf; /* Calling environment.  */
>>     int __mask_was_saved; /* Saved the signal mask?  */
>>     __sigset_t __saved_mask; /* Saved signal mask.  */
>>   };
>>
>> for target specific purpose.   I changed it to
>>
>> struct __jmp_buf_tag
>>   {
>>     /* NOTE: The machine-dependent definitions of `__sigsetjmp'
>>        assume that a `jmp_buf' begins with a `__jmp_buf' and that
>>        `__mask_was_saved' follows it.  Do not move these members
>>        or add others before it.  */
>>     __jmp_buf __jmpbuf; /* Calling environment.  */
>>     int __mask_was_saved; /* Saved the signal mask?  */
>>     union
>>     {
>>     __sigset_t __saved_mask_compat;
>>     struct
>>       {
>> __jmp_buf_sigset_t __saved_mask;
>> /* Paddings for architecture specific usage.  */
>> unsigned long int __padding[12];
>>       } __saved;
>>     }  __saved_mask;
>>   };
>>
>> #define __saved_mask __saved_mask.__saved.__saved_mask
>>
>> I did only to  __sigset_t  in __jmp_buf_tag and this test verifies that the size
>> of __jmp_buf_sigset_t works with sigprocmask.
>>
>> Are you suggesting we make some room in __sigset_t directly?  This will
>> require very extensive changes. If not, what do you exactly suggest?
>>
>>> I think you should check _JUMP_BUF_SIGSET_NSIG against a kernel constant
>>> (_NSIGS?) somewhere.
>>
>> There is a _Static_assert in include/setjmp.h.  But it isn't triggered.  This
>> updated patch moves it to sysdeps/unix/sysv/linux/__saved_mask.h.   Now
>> I got
>>
>> ../sysdeps/unix/sysv/linux/__saved_mask.h:32:1: error: static
>> assertion failed: "size of ___saved_mask < size of
>> __sigprocmask_sigset_t"
>>  _Static_assert (sizeof (___saved_mask) >= sizeof (__sigprocmask_sigset_t),
>>
>> if __jmp_buf_sigset_t is too small.
>>
>> --
>> H.J.
>
> Any comments, suggestions or objections?  The patch is at
>
> https://sourceware.org/ml/libc-alpha/2017-11/msg00510.html
>

This is the updated patch.  It limited the changes to Linux/x86.
Any comments?

On Sat, Nov 25, 2017 at 8:34 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
> On Tue, Nov 21, 2017 at 2:22 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
>> On Wed, Nov 15, 2017 at 5:20 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
>>> On Wed, Nov 15, 2017 at 3:10 AM, Florian Weimer <fweimer@redhat.com> wrote:
>>>> On 11/14/2017 02:10 PM, H.J. Lu wrote:
>>>>>
>>>>> +static int
>>>>> +do_test (void)
>>>>> +{
>>>>> +  sigjmp_buf sj;
>>>>> +  struct support_next_to_fault sigset_t_buf
>>>>> +    = support_next_to_fault_allocate (SIZEOF_SIGSET_T);
>>>>> +  sigset_t *m_p = (sigset_t *) sigset_t_buf.buffer;
>>>>> +  sigset_t m;
>>>>> +
>>>>> +  sigemptyset (&m);
>>>>> +  memcpy (m_p, &m, SIZEOF_SIGSET_T);
>>>>> +  sigprocmask (SIG_SETMASK, m_p, NULL);
>>>>> +  memcpy (&m, m_p, SIZEOF_SIGSET_T);
>>>>> +  if (sigsetjmp (sj, 0) == 0)
>>>>> +    {
>>>>> +      sigaddset (&m, SIGUSR1);
>>>>> +      memcpy (m_p, &m, SIZEOF_SIGSET_T);
>>>>> +      sigprocmask (SIG_SETMASK, m_p, NULL);
>>>>> +      memcpy (&m, m_p, SIZEOF_SIGSET_T);
>>>>> +      siglongjmp (sj, 1);
>>>>> +      return EXIT_FAILURE;
>>>>> +    }
>>>>> +  sigprocmask (SIG_SETMASK, NULL, m_p);
>>>>> +  memcpy (&m, m_p, SIZEOF_SIGSET_T);
>>>>> +  return sigismember (&m, SIGUSR1) ? EXIT_SUCCESS : EXIT_FAILURE;
>>>>> +}
>>>>
>>>>
>>>> Sorry, I don't understand anymore what this test is supposed to test and
>>>> how.
>>>
>>> This tests the reduced __jmp_buf_sigset_t used by __saved_mask is
>>> bigger than sigset expected by kernel.
>>>
>>>> To be honest, I don't like how you inject the internal definition of
>>>> jmp_buf.  Is this the way we do it for the nptl types?
>>>
>>> I only need to make some room in
>>>
>>> /* Calling environment, plus possibly a saved signal mask.  */
>>> struct __jmp_buf_tag
>>>   {
>>>     /* NOTE: The machine-dependent definitions of `__sigsetjmp'
>>>        assume that a `jmp_buf' begins with a `__jmp_buf' and that
>>>        `__mask_was_saved' follows it.  Do not move these members
>>>        or add others before it.  */
>>>     __jmp_buf __jmpbuf; /* Calling environment.  */
>>>     int __mask_was_saved; /* Saved the signal mask?  */
>>>     __sigset_t __saved_mask; /* Saved signal mask.  */
>>>   };
>>>
>>> for target specific purpose.   I changed it to
>>>
>>> struct __jmp_buf_tag
>>>   {
>>>     /* NOTE: The machine-dependent definitions of `__sigsetjmp'
>>>        assume that a `jmp_buf' begins with a `__jmp_buf' and that
>>>        `__mask_was_saved' follows it.  Do not move these members
>>>        or add others before it.  */
>>>     __jmp_buf __jmpbuf; /* Calling environment.  */
>>>     int __mask_was_saved; /* Saved the signal mask?  */
>>>     union
>>>     {
>>>     __sigset_t __saved_mask_compat;
>>>     struct
>>>       {
>>> __jmp_buf_sigset_t __saved_mask;
>>> /* Paddings for architecture specific usage.  */
>>> unsigned long int __padding[12];
>>>       } __saved;
>>>     }  __saved_mask;
>>>   };
>>>
>>> #define __saved_mask __saved_mask.__saved.__saved_mask
>>>
>>> I did only to  __sigset_t  in __jmp_buf_tag and this test verifies that the size
>>> of __jmp_buf_sigset_t works with sigprocmask.
>>>
>>> Are you suggesting we make some room in __sigset_t directly?  This will
>>> require very extensive changes. If not, what do you exactly suggest?
>>>
>>>> I think you should check _JUMP_BUF_SIGSET_NSIG against a kernel constant
>>>> (_NSIGS?) somewhere.
>>>
>>> There is a _Static_assert in include/setjmp.h.  But it isn't triggered.  This
>>> updated patch moves it to sysdeps/unix/sysv/linux/__saved_mask.h.   Now
>>> I got
>>>
>>> ../sysdeps/unix/sysv/linux/__saved_mask.h:32:1: error: static
>>> assertion failed: "size of ___saved_mask < size of
>>> __sigprocmask_sigset_t"
>>>  _Static_assert (sizeof (___saved_mask) >= sizeof (__sigprocmask_sigset_t),
>>>
>>> if __jmp_buf_sigset_t is too small.
>>>
>>> --
>>> H.J.
>>
>> Any comments, suggestions or objections?  The patch is at
>>
>> https://sourceware.org/ml/libc-alpha/2017-11/msg00510.html
>>
>
> This is the updated patch.  It limited the changes to Linux/x86.
> Any comments?
>

This is the patch I am checking in tomorrow.

Andrew, you can include <jmp_buf-ssp.h> to get
SHADOW_STACK_POINTER_OFFSET in jmp_buf.