Skip to content

Add stack guard pages #8996

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
masaori335 merged 1 commit into from
Aug 3, 2022
Merged

Add stack guard pages #8996

masaori335 merged 1 commit into from
Aug 3, 2022

Conversation

@moonchen
Copy link
Contributor

@moonchen moonchen commented Aug 3, 2022

Use r/w protected pages on top of stacks to guard against stack
overflow. The number of VM pages to use for guarding can be set
via the config option proxy.config.thread.default.stackguard_pages.

@moonchen moonchen force-pushed the guard-pages branch 2 times, most recently from dc00313 to a83a333 Compare August 3, 2022 17:32
@moonchen
Add stack guard pages
3af6b22 
Use r/w protected pages on top of stacks to guard against stack
overflow.  The number of VM pages to use for guarding can be set
via the config option proxy.config.thread.default.stackguard_pages.
@moonchen
Copy link
Contributor Author

moonchen commented Aug 3, 2022

Frequently asked questions:

Q: How much overhead does this add?

A: The VM mappings cost space in the page table. It also adds fragmentation to the page table since adjacent mappings can no longer be coalesced due to having different protection flags.

Q: Do the stack guard pages map to physical memory?

A: Not when I tested on Linux. The pages are not marked as present initially. I believe they're mapped on demand.

Q: Why did you change all stack allocations to use mmap()?

A: mprotect() requires that the memory be first allocated with mmap().

Q: Why do you allow for more than one page of stack guard?

A: Stack hopping can happen where stack allocations of larger than one page in size can skip the guard page. Having more pages of guard reduces the likelihood of this. See this article for more details.

@ywkaras ywkaras added this to the 10.0.0 milestone Aug 3, 2022
@masaori335 masaori335 merged commit 1abf6c0 into apache:master Aug 3, 2022
@masaori335
Copy link
Contributor

masaori335 commented Aug 3, 2022

I want this on the 9.2.x branch because this will detect the stack overflow instead of the random crash.

@zwoop What do you think about this should go to 9.2.0 or 9.2.1?

@bneradt bneradt mentioned this pull request Aug 4, 2022
Merged
@bneradt
Copy link
Contributor

bneradt commented Aug 4, 2022

I want this on the 9.2.x branch because this will detect the stack overflow instead of the random crash.

@zwoop What do you think about this should go to 9.2.0 or 9.2.1?

Just to document this: we need to make sure that wherever this is ported, the Apple Silicon build fix goes with it:
#8999

@bryancall bryancall added the Core label Aug 8, 2022
zwoop pushed a commit that referenced this pull request Aug 10, 2022
@moonchen @zwoop
Add stack guard pages (#8996)
347adb1 
Use r/w protected pages on top of stacks to guard against stack
overflow.  The number of VM pages to use for guarding can be set
via the config option proxy.config.thread.default.stackguard_pages.

(cherry picked from commit 1abf6c0)
@zwoop
Copy link
Contributor

zwoop commented Aug 10, 2022

Cherry-picked to v9.2.x

@zwoop zwoop modified the milestones: 10.0.0, 9.2.0 Aug 10, 2022
Ftywan pushed a commit to Ftywan/trafficserver that referenced this pull request Dec 21, 2022
@cmcfarlen @moonchen
Add stack guard pages (apache#8996) (apache#409)
bd4681d 
Use r/w protected pages on top of stacks to guard against stack
overflow.  The number of VM pages to use for guarding can be set
via the config option proxy.config.thread.default.stackguard_pages.

Co-authored-by: Mo Chen <uncorrupt@gmail.com>
masaori335 pushed a commit to masaori335/trafficserver that referenced this pull request Feb 21, 2023
@zwoop
Merge remote-tracking branch 'asf/9.2.x' into 9.2.x
5479b3e 
* asf/9.2.x:
  Updated ChangeLog
  Fix length bug in validate_unmapped_url_path (apache#8080)
  crash fix (apache#8268)
  test_MMH: fix memory leak in unit test (apache#8357)
  Doc: Add proxy.config.cacvhe.mutex_retry_delay (apache#8376)
  Add thread safety to PendingAction operations. (apache#8443)
  Report an error if configure can't find zlib (apache#8446)
  Update roadmap doc with latest releases (apache#8977)
  Setup UA consumer only if ua_entry is not nullptr (apache#8949)
  Update slice to only prefetch when first block is miss/hit-stale (apache#8890)
  Add RangeTransform::m_write_vio state checks (apache#8980)
  Fix compile on M1 Mac (apache#8999)
  Add stack guard pages (apache#8996)
  Fail fast on HTTP/2 header validation (apache#9009)
  Restrict unknown scheme of HTTP/2 request (apache#9010)
  Add content length mismatch check on handling HEADERS frame and CONTINUATION frame (apache#9012)
  Ignore POST request case from a check for background fill (apache#9013)
  Add back validatation that the scheme matches the wire protocol (apache#9005)
  Pin flask to version 2.1.3 (apache#9008)
JosiahWI pushed a commit to JosiahWI/trafficserver that referenced this pull request Jul 19, 2023
@bneradt @cmcfarlen
@masaori335 @elsloo @brbzull0 @SolidWallOfCode @ezelkow1 @zwoop @moonchen @serrislew @mattyw @bryancall @traeak @duke8253
Merge ASF 9.2.x into our Edge branch (apache#721)
b2643a3 
* add a metric to track how often the range seek bug is detected (apache#8970)

Co-authored-by: Chris McFarlen <cmcfarlen@apple.com>
(cherry picked from commit b23e8a0)

* Fix reverting PR#7302 (apache#8975)

PR#7302 was reverted by PR#8316 as an incompatible change for 9.2.0.
It looks like the revert commit has a mistake that made a crash by
calling `HttpSM::send_origin_throttled_response()` twice.

(cherry picked from commit 3cccd2d)

* Fixes issue with file size calculation for existing logs (apache#8971)

* Issue arises with existing log files at startup

* Because the existing bytes are not accounted for, log rolling does not occur at the correct time

* Existing code can lead to logging being suspended indefinitely without manual intervention if thresholds are exceeded and no rolled log files can be deleted

* Corner case more evident when other data not rolled by ATS is present in the logging directory

(cherry picked from commit 6225b12)

* Proxy Verifier: Update to version 2.4.1 (apache#8965)

This updates the Proxy Verifier version used by our AuTests to version
v2.4.1. This Proxy Verifier version prints the ALPN used by the proxy
(ATS in our case) to the server. This will allow us to verify ALPN
behavior for an upcoming PR for HTTP/2 to origin.

(cherry picked from commit fb02ef8)

* Destroy ssl context after use. (apache#8531)

As per the docs this needs to be released after use, this was missing from the cert_reporting_tool plugin.
This also fixes the example in the docs.

(cherry picked from commit 57015b7)

* Extend milestone api time tracking to remap. (apache#8520)

(cherry picked from commit a9405ac)

* Add 5xx's to be allowed to be used for simple retries (apache#8518)

* Add 5xx's to be allowed to be used for simple retries

Remove unnecessary functions in transact for finding ranges

Change PS response checking to not use internal state. Now pass in retry type and code

(cherry picked from commit 30096b4)

* Updated ChangeLog

* Pin flask to version 2.1.3 (apache#9008)

This resolves an AuTest Pipenv package dependency conflict for Werkzeug,
which is used by httpbin. Latest versions of flask require newer
versions of flask which conflicts with our pin to keep httpbin working.

(cherry picked from commit 46c1a0a)

* Add back validatation that the scheme matches the wire protocol (apache#9005)

This adds back in the scheme and wire protocol check (see apache#8465) along
with a configuration to be able to disable the check if the verification
is not desired.

(cherry picked from commit 7ec147e)

* Ignore POST request case from a check for background fill (apache#9013)

(cherry picked from commit 1f3e111)

* Add content length mismatch check on handling HEADERS frame and CONTINUATION frame (apache#9012)

* Add content length mismatch check on handling HEADERS frame and CONTINUATION frame

* Correct error class of HTTP/2 malformed requests

(cherry picked from commit e921228)

* Restrict unknown scheme of HTTP/2 request (apache#9010)

Strictly following RFC 3986 Section 3.1

```
scheme      = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
```

(cherry picked from commit c56f872)

* Fail fast on HTTP/2 header validation (apache#9009)

Co-authored-by: Masakazu Kitajo <maskit@apache.org>
(cherry picked from commit eaef5e8)

* Add stack guard pages (apache#8996)

Use r/w protected pages on top of stacks to guard against stack
overflow.  The number of VM pages to use for guarding can be set
via the config option proxy.config.thread.default.stackguard_pages.

(cherry picked from commit 1abf6c0)

* Fix compile on M1 Mac (apache#8999)

Add arm64 to the list of known stack growth directions.

(cherry picked from commit 697da39)

* Add RangeTransform::m_write_vio state checks (apache#8980)

(cherry picked from commit e912ece)

* Update slice to only prefetch when first block is miss/hit-stale (apache#8890)

* Update slice to only prefetch when first block is miss/hit-stale

* Remove extra line spaces & generalize autest output

* Verify cont is valid

* Use xdebug to only prefetch when first block is cacheable with miss/hit-stale status

* Precompile via regex pattern in config

* Remove plugin dependency, add cache status header between slice and crr

* Only enable prefetching from CRR on 206 partial case from origin

* Update header type, fix 206 case for 304 in CRR, allow header to be used for debugging

* update header val type

Co-authored-by: Serris Lew <lserris@apple.com>
(cherry picked from commit f14cce4)

 Conflicts:
	doc/admin-guide/plugins/slice.en.rst

* Setup UA consumer only if ua_entry is not nullptr (apache#8949)

(cherry picked from commit cbe0bea)

* Update roadmap doc with latest releases (apache#8977)

(cherry picked from commit 80a0ff9)

* Report an error if configure can't find zlib (apache#8446)

(cherry picked from commit a100761)

* Add thread safety to PendingAction operations. (apache#8443)

(cherry picked from commit 29a5092)

* Doc: Add proxy.config.cacvhe.mutex_retry_delay (apache#8376)

(cherry picked from commit 3ad1587)

* test_MMH: fix memory leak in unit test (apache#8357)

(cherry picked from commit 0eccef0)

* crash fix (apache#8268)

(cherry picked from commit cd1139b)

* Fix length bug in validate_unmapped_url_path (apache#8080)

(cherry picked from commit ac16a3b)

* Updated ChangeLog

Co-authored-by: Chris McFarlen <chris@mcfarlen.us>
Co-authored-by: Masaori Koshiba <masaori@apache.org>
Co-authored-by: Jeff Elsloo <elsloo@users.noreply.github.com>
Co-authored-by: Brian Neradt <brian.neradt@gmail.com>
Co-authored-by: Damian Meden <damian.meden@gmail.com>
Co-authored-by: Alan M. Carroll <amc@apache.org>
Co-authored-by: Evan Zelkowitz <eze@apache.org>
Co-authored-by: Leif Hedstrom <zwoop@apache.org>
Co-authored-by: Mo Chen <uncorrupt@gmail.com>
Co-authored-by: Serris Lew <serrisnlew@gmail.com>
Co-authored-by: Matt Williams <gh@mattyw.net>
Co-authored-by: Bryan Call <bcall@apache.org>
Co-authored-by: Brian Olsen <bnolsen@gmail.com>
Co-authored-by: Fei Deng <duke8253@gmail.com>
Co-authored-by: bneradt <bneradt@yahooinc.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ywkaras ywkaras ywkaras approved these changes

Assignees

@moonchen moonchen

Labels

Core New Feature

Projects

None yet

Milestone

9.2.0

Development

Successfully merging this pull request may close these issues.

7 participants

@moonchen @masaori335 @bneradt @zwoop @ywkaras @bryancall @vmamidi