summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlexander Soldatov <soldatov.a@samsung.com>2018-09-07 13:22:47 (GMT)
committerAlexander Soldatov <soldatov.a@samsung.com>2018-09-07 13:22:47 (GMT)
commitbbfc6eaf3761ed2222b0946845a84a7c46d3f2b0 (patch)
treebfb43f66602891ddf87ebe33ed63458ff5a9ca6a
parent7fd5fa2e58123dbadf0084b0e3eaf6dfc90b2ed0 (diff)
downloadcoreclr-bbfc6eaf3761ed2222b0946845a84a7c46d3f2b0.zip
coreclr-bbfc6eaf3761ed2222b0946845a84a7c46d3f2b0.tar.gz
coreclr-bbfc6eaf3761ed2222b0946845a84a7c46d3f2b0.tar.bz2
Change-Id: Iafe8300a8f6318a047d30e67ecbc3007b01208e6
-rw-r--r--packaging/0001-Fix-alternate-stack-for-Alpine-docker-on-SELinux-179.patch75
-rwxr-xr-xpackaging/coreclr.spec4
2 files changed, 78 insertions, 1 deletions
diff --git a/packaging/0001-Fix-alternate-stack-for-Alpine-docker-on-SELinux-179.patch b/packaging/0001-Fix-alternate-stack-for-Alpine-docker-on-SELinux-179.patch
new file mode 100644
index 0000000..f032093
--- /dev/null
+++ b/packaging/0001-Fix-alternate-stack-for-Alpine-docker-on-SELinux-179.patch
@@ -0,0 +1,75 @@
+From 9bfa48bafefa5735887570cbc219279513eef26d Mon Sep 17 00:00:00 2001
+From: Jan Vorlicek <janvorli@microsoft.com>
+Date: Thu, 10 May 2018 15:33:54 +0200
+Subject: [PATCH] Fix alternate stack for Alpine docker on SELinux (#17936)
+
+For some reason, the Alpine docker container running on a SELinux host maps
+heap as RWX. When we allocate alternate stack from the heap, we also
+change the protection of the first page to PROT_NONE so that it can
+serve as a guard page to catch stack overflow. And when we free the
+alternate stack, we restore the protection back to PROT_READ |
+PROT_WRITE. The restoration fails in Alpine docker container running on
+a SELinux host with EPROT failure and the SELinux log reports that an
+attempt to change heap to executable was made. So it looks like the
+kernel has added the PERM_EXEC to the permissions we have passed to the
+mprotect call. There is a code in the mprotect implementation that can
+do that, although I don't fully understand the conditions under which it
+happens. This is driven by the VM_MAYEXEC flag in the internal VMA block
+structure.
+To fix that, I've modified the alternate stack allocation to use mmap /
+munmap instead of C heap allocation.
+---
+ src/pal/src/exception/signal.cpp | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+diff --git a/src/pal/src/exception/signal.cpp b/src/pal/src/exception/signal.cpp
+index 430cd05..9a990cd 100644
+--- a/src/pal/src/exception/signal.cpp
++++ b/src/pal/src/exception/signal.cpp
+@@ -158,9 +158,9 @@ BOOL EnsureSignalAlternateStack()
+ // (see kAltStackSize in compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cc)
+ altStackSize += SIGSTKSZ * 4;
+ #endif
+- void* altStack;
+- int st = posix_memalign(&altStack, VIRTUAL_PAGE_SIZE, altStackSize);
+- if (st == 0)
++ altStackSize = ALIGN_UP(altStackSize, VIRTUAL_PAGE_SIZE);
++ void* altStack = mmap(NULL, altStackSize, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_STACK | MAP_PRIVATE, -1, 0);
++ if (altStack != MAP_FAILED)
+ {
+ // create a guard page for the alternate stack
+ st = mprotect(altStack, VIRTUAL_PAGE_SIZE, PROT_NONE);
+@@ -171,17 +171,12 @@ BOOL EnsureSignalAlternateStack()
+ ss.ss_size = altStackSize;
+ ss.ss_flags = 0;
+ st = sigaltstack(&ss, NULL);
+- if (st != 0)
+- {
+- // Installation of the alternate stack failed, so revert the guard page protection
+- int st2 = mprotect(altStack, VIRTUAL_PAGE_SIZE, PROT_READ | PROT_WRITE);
+- _ASSERTE(st2 == 0);
+- }
+ }
+
+ if (st != 0)
+ {
+- free(altStack);
++ int st2 = munmap(altStack, altStackSize);
++ _ASSERTE(st2 == 0);
+ }
+ }
+ }
+@@ -208,9 +203,8 @@ void FreeSignalAlternateStack()
+ int st = sigaltstack(&ss, &oss);
+ if ((st == 0) && (oss.ss_flags != SS_DISABLE))
+ {
+- int st = mprotect(oss.ss_sp, VIRTUAL_PAGE_SIZE, PROT_READ | PROT_WRITE);
++ int st = munmap(oss.ss_sp, oss.ss_size);
+ _ASSERTE(st == 0);
+- free(oss.ss_sp);
+ }
+ }
+ #endif // !HAVE_MACH_EXCEPTIONS
+--
+2.7.4
+
diff --git a/packaging/coreclr.spec b/packaging/coreclr.spec
index e643b35..bbe3fbc 100755
--- a/packaging/coreclr.spec
+++ b/packaging/coreclr.spec
@@ -23,7 +23,7 @@ Source1000: downloaded_files.tar.gz
Source1001: %{name}.manifest
Source1002: libicu.tar.gz
Source1003: dep_libs.tar.gz
-# Gbp-Ignore-Patches: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127
+# Gbp-Ignore-Patches: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128
Patch0: 0001-Add-project.assets.json-files.patch
Patch1: 0001-ARM-Linux-Support-unaligned-struct-read-write-11290.patch
Patch2: 0002-x86-Linux-Thread-safe-UMThunkMarshInfo-RunTimeInit-1.patch
@@ -152,6 +152,7 @@ Patch124: 0047-Launching-the-Memory-Profiler-on-x86-emulator-may-le.patch
Patch125: 0001-Fixed-Bug-with-xmm-registry-on-x86-emulator-183.patch
Patch126: 0002-Fix-unset-ZapRelocationType-for-fixup-18589.patch
Patch127: 0001-Tizen-Remove-tizen-release-package-dependency-for-GB.patch
+Patch128: 0001-Fix-alternate-stack-for-Alpine-docker-on-SELinux-179.patch
ExcludeArch: aarch64
@@ -381,6 +382,7 @@ cp %{SOURCE1001} .
%patch125 -p1
%patch126 -p1
%patch127 -p1
+%patch128 -p1
cat > os-release <<EOF
NAME=Tizen