On Mon, Dec 18, 2023 at 2:54 AM szabolcs.nagy@arm.com wrote:
>
> The 12/15/2023 09:08, H.J. Lu wrote:
> > On Fri, Dec 15, 2023 at 1:23 AM szabolcs.nagy@arm.com
> > wrote:
> > >
> > > The 12/14/2023 09:40, H.J. Lu wrote:
> > > > On Thu, Dec 14, 2023 at 9:13 AM szabolcs.nagy@arm.com
> > > > > so the rule can be that if a user wants a stack to be resumable
> > > > > then a restore token must be placed on that stack when switching
> > > >
> > > > That is fine.
> > > >
> > > > > away from it, if the token is not there then longjmp is ub and
> > > > > may crash. (so no need to check for 0, such longjmp is a user error)
> > > >
> > > > We need to check for 0. Otherwise, all current setjmp tests segfault
> > > > since there is no restore token on the target shadow stack.
> > >
> > > i don't understand this claim.
> > >
> > > any longjmp target ssp is either
> > > - on the same stack: you can check targetssp == ssp
> > > - or different stack: you can check *targetssp == restore token
> > > as you scan the target ssp.
> >
> > longjmp doesn't know if the target SSP is on the same shadow stack.
> >
>
> it does if it scans.
>
> for (;; targetssp--) {
>     if (targetssp == ssp) do_samestack();
>     if (*targetssp == restoretoken) do_differentstack();
> }
>
> the only problem i see is if the target shadow stack is
> different from the current one and does not end in a restore
> token. but i think that is a user error.

Yes, it works. But it is hard to tell its performance overhead.

> if we plan to introduce altshadowstack then this does not
> work in case of shadow stack overflow because the overflowed
> shadow stack cannot be jumped to even though in practice we
> want that to work.
>

I'd like to support shadow stack in glibc 2.39. Since my patch doesn't
enable shadow stack by default, it doesn't have any functionality
impact on users. It allows us to evaluate shadow stack support in
all packages. We may need to use WRUSS to enable shadow stack for
some packages.

But users and developers can't see how shadow stack works if shadow
stack can't be turned on.

--
H.J.
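The scan szabolcs.nagy sketches above, worked through as a small C model added here (not glibc code and not a CET implementation): shadow stacks are regions of one array, RESTORE_TOKEN is a constant standing in for the hardware token, and the slot numbers in the scenario are constructed. It shows the three outcomes the thread discusses: same stack (how many entries to pop), a different stack that was left with a restore token, and a different stack without one.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the scan sketched above: "memory" is one array,
 * shadow stacks are regions of it that grow toward lower indices, so the
 * live top (ssp) is the lowest used slot.  RESTORE_TOKEN is a value chosen
 * for the model, not the hardware token encoding. */
#define MEM_WORDS 32
#define RESTORE_TOKEN ((uintptr_t)0xA5A5A5A5A5A5A5A5ULL)
static uintptr_t mem[MEM_WORDS];

enum jmp_kind { JMP_SAME_STACK, JMP_OTHER_STACK, JMP_USER_ERROR };
struct scan_result {
    enum jmp_kind kind;
    size_t pops;   /* same stack: entries longjmp must discard */
    size_t token;  /* other stack: slot holding the restore token */
};

/* Walk from target_ssp toward lower slots until we meet the current ssp
 * (same stack) or a restore token (a stack switched away from properly).
 * Falling off the start of the model memory stands in for the fault that
 * unmapped memory would raise on hardware: the thread's "user error" case. */
static struct scan_result scan_target_ssp(size_t ssp, size_t target_ssp)
{
    struct scan_result r = { JMP_USER_ERROR, 0, 0 };
    for (size_t i = target_ssp + 1; i-- > 0;) {
        if (i == ssp) { r.kind = JMP_SAME_STACK; r.pops = target_ssp - ssp; return r; }
        if (mem[i] == RESTORE_TOKEN) { r.kind = JMP_OTHER_STACK; r.token = i; return r; }
    }
    return r;
}

/* Scenario: stack A is slots 16..31 with its live ssp at 22; stack B is
 * slots 4..15 with frames from slot 9 up and, if it was switched away from
 * properly, a restore token in slot 8 just below them. */
static void setup(int leave_token)
{
    for (size_t i = 0; i < MEM_WORDS; i++)
        mem[i] = 0x400000 + 8 * i;            /* fake return addresses */
    if (leave_token)
        mem[8] = RESTORE_TOKEN;
}

/* setjmp on A saved ssp 26, longjmp from ssp 22: four frames to pop. */
struct scan_result demo_same_stack(void) { setup(1); return scan_target_ssp(22, 26); }
/* setjmp on B saved ssp 10; the scan meets B's token in slot 8. */
struct scan_result demo_other_stack(void) { setup(1); return scan_target_ssp(22, 10); }
/* Same jump, but B was left without a token: the scan finds nothing. */
struct scan_result demo_missing_token(void) { setup(0); return scan_target_ssp(22, 10); }
```

The last case is where a real scan would keep reading until it faulted, which is the outcome the thread files under user error rather than something longjmp should detect.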