From: "H.J. Lu" <hjl.tools@gmail.com>
To: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
Cc: "szabolcs.nagy@arm.com" <szabolcs.nagy@arm.com>,
"libc-alpha@sourceware.org" <libc-alpha@sourceware.org>
Subject: Re: [PATCH 11/17] x86/cet: Sync with Linux kernel 6.6 shadow stack interface
Date: Wed, 13 Dec 2023 16:20:46 -0800 [thread overview]
Message-ID: <CAMe9rOosbs+ir+pjeY+4T3X3G6OPS1JZ9TgLS=exFRS_4T01NA@mail.gmail.com> (raw)
In-Reply-To: <ed8703d42ea0a07345bff7fd992513d76e767ef3.camel@intel.com>
On Wed, Dec 13, 2023 at 3:54 PM Edgecombe, Rick P
<rick.p.edgecombe@intel.com> wrote:
>
> On Wed, 2023-12-13 at 14:45 -0800, H.J. Lu wrote:
> > > longjmp cannot target arbitrary setjmp that happened on another
> > > stack: if that stack is still in use by another thread then the
> > > two threads clobber each other's stack. it can only work if that
> > > stack is switched away from and at that point a token was placed.
> > > we can make this the abi: you can only longjmp to a stack which
> > > is switched away from such that a token is placed on it.
> >
> > The restore token is put on shadow stack by setcontext and
> > swapcontext. When longjmp is called, it doesn't know if there
> > is a token or not. If longjmp keeps searching for the token and
> > doesn't find it, it will run out of shadow stack. Rick, can we
> > assume that the shadow stack entries are 0, if they aren't in
> > use?
>
> Not sure what you mean by entries not in use. You mean the restore
> token? The shadow stack entries are not zeroed as they are popped by
> RET.
>
longjmp needs to know when to stop searching the token since there
won't be one if setcontext and swapcontext aren't called on the shadow
stack where setjmp is called. Will checking for zero shadow stack entry
value work here? It is OK if the value isn't zeroed by RET as long as
zero value can be checked to avoid going beyond the shadow stack boundary.
> longjmp() doesn't return an error code, so is a crash actually ok here?
>
>
> I'm remembering another issue that came up when this idea was discussed
> before. Apps might not call SAVEPREVSSP after they RSTORSSP. You can
> just just swap away and not leave a token. So setjmp() cannot be
> guaranteed to work with custom stack switching code. It has to be one
> of the rules, at least for x86.
>
> I need to go dig through the mails, but I thought there were some more
> limitations (that could also be rules) that we ran into.
--
H.J.
next prev parent reply other threads:[~2023-12-14 0:21 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-06 17:19 [PATCH 00/17] x86/cet: Update CET kernel interface H.J. Lu
2023-12-06 17:19 ` [PATCH 01/17] x86/cet: Check user_shstk in /proc/cpuinfo H.J. Lu
2023-12-06 17:19 ` [PATCH 02/17] x86/cet: Update tst-cet-vfork-1 H.J. Lu
2023-12-06 17:19 ` [PATCH 03/17] x86/cet: Don't assume that SHSTK implies IBT H.J. Lu
2023-12-06 17:19 ` [PATCH 04/17] x86/cet: Check legacy shadow stack applications H.J. Lu
2023-12-06 17:19 ` [PATCH 05/17] x86/cet: Check CPU_FEATURE_ACTIVE when CET is disabled H.J. Lu
2023-12-06 23:53 ` Noah Goldstein
2023-12-07 21:07 ` H.J. Lu
2023-12-06 17:19 ` [PATCH 06/17] x86/cet: Add tests for GLIBC_TUNABLES=glibc.cpu.hwcaps=-SHSTK H.J. Lu
2023-12-06 17:20 ` [PATCH 07/17] x86/cet: Check legacy shadow stack code in .init_array section H.J. Lu
2023-12-06 17:20 ` [PATCH 08/17] x86/cet: Check CPU_FEATURE_ACTIVE in permissive mode H.J. Lu
2023-12-06 17:20 ` [PATCH 09/17] x86: Check PT_GNU_PROPERTY early H.J. Lu
2023-12-06 23:57 ` Noah Goldstein
2023-12-07 21:06 ` H.J. Lu
2023-12-06 17:20 ` [PATCH 10/17] x86: Modularize sysdeps/x86/dl-cet.c H.J. Lu
2023-12-06 17:20 ` [PATCH 11/17] x86/cet: Sync with Linux kernel 6.6 shadow stack interface H.J. Lu
2023-12-11 11:34 ` Szabolcs Nagy
2023-12-11 16:44 ` H.J. Lu
2023-12-12 18:02 ` Szabolcs Nagy
2023-12-12 18:39 ` H.J. Lu
2023-12-13 10:48 ` Szabolcs Nagy
2023-12-13 22:45 ` H.J. Lu
2023-12-13 23:54 ` Edgecombe, Rick P
2023-12-14 0:20 ` H.J. Lu [this message]
2023-12-14 2:21 ` H.J. Lu
2023-12-14 17:13 ` szabolcs.nagy
2023-12-14 17:40 ` H.J. Lu
2023-12-14 23:00 ` Edgecombe, Rick P
2023-12-14 23:47 ` H.J. Lu
2023-12-15 1:00 ` Edgecombe, Rick P
2023-12-15 9:23 ` szabolcs.nagy
2023-12-15 17:08 ` H.J. Lu
2023-12-18 10:53 ` szabolcs.nagy
2023-12-18 19:06 ` H.J. Lu
2023-12-19 17:15 ` szabolcs.nagy
2023-12-19 18:12 ` H.J. Lu
2023-12-06 17:20 ` [PATCH 12/17] elf: Always provide _dl_get_dl_main_map in libc.a H.J. Lu
2023-12-06 17:20 ` [PATCH 13/17] x86/cet: Enable shadow stack during startup H.J. Lu
2023-12-06 17:20 ` [PATCH 14/17] x86/cet: Check feature_1 in TCB for active IBT and SHSTK H.J. Lu
2023-12-06 17:20 ` [PATCH 15/17] x86/cet: Don't disable CET if not single threaded H.J. Lu
2023-12-06 17:20 ` [PATCH 16/17] x86/cet: Don't set CET active by default H.J. Lu
2023-12-06 17:20 ` [PATCH 17/17] x86/cet: Run some CET tests with shadow stack H.J. Lu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAMe9rOosbs+ir+pjeY+4T3X3G6OPS1JZ9TgLS=exFRS_4T01NA@mail.gmail.com' \
--to=hjl.tools@gmail.com \
--cc=libc-alpha@sourceware.org \
--cc=rick.p.edgecombe@intel.com \
--cc=szabolcs.nagy@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).