Re: [PATCH v9 23/42] Documentation/x86: Add CET shadow stack description

From: Szabolcs Nagy
Date: Tue Jul 04 2023 - 07:34:34 EST


The 07/03/2023 20:49, Florian Weimer wrote:
> * szabolcs:
>
> >> alt shadow stack cannot be transparent to existing software anyway, it
> >
> > maybe not in glibc, but a libc can internally use alt shadow stack
> > in sigaltstack instead of exposing a separate sigaltshadowstack api.
> > (this is what a strict posix conform implementation has to do to
> > support shadow stacks), leaking shadow stacks is not a correctness
> > issue unless it prevents the program working (the shadow stack for
> > the main thread likely wastes more memory than all the alt stack
> > leaks. if the leaks become dominant in a thread the sigaltstack
> > libc api can just fail).
>
> It should be possible in theory to carve out pages from sigaltstack and
> push a shadow stack page and a guard page as part of the signal frame.
> As far as I understand it, the signal frame layout is not ABI, so it's
> possible to hide arbitrary stuff in it. I'm just saying that it looks
> possible, not that it's a good idea.
>
> Perhaps that's not realistic with 64K pages, though.

interesting idea, but it would not work transparently:

the user expects the alt stack memory to be usable as normal
memory after longjmping out of a signal handler.

this would break code in practice e.g. when a malloced alt
stack is passed to free(), the contract there is to not
allow changes to the underlying mapping (affects malloc
interposition so not possible to paper over inside the
libc malloc).

so signal entry cannot change the mappings of alt stack.

i think kernel internal alt shadow stack allocation works
in practice where their lifetime is the same as the thread
lifetime. it is sketchy as an os interface but doing it in
userspace should be fine i think (it's policy what kind of
sigaltstack usage is allowed). the kernel is easier in the
sense that if there is an actual sigreturn then the alt shadow
stack can be freed, while libc cannot catch this case (at
least not easily). leaked shadow stacks can also have
security implications but reuse of an old alt shadow stack
sounds like a minor issue in practice.
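A constructed C example (added here, not code from the thread or from glibc) of the contract the message describes: a malloc'd sigaltstack, a handler that leaves via siglongjmp so sigreturn never runs, and the same memory then written as ordinary memory and handed to free(). The function name, the 64 KiB stack size and the fill byte are the example's own choices; it checks only what a plain (non-shadow-stack) kernel guarantees.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
/* Constructed example: the alt stack is plain malloc'd memory, the case the
 * message says must keep working (signal entry must not touch its mapping). */
#define ALT_STACK_SIZE (64 * 1024)
static sigjmp_buf escape;
static volatile sig_atomic_t handler_ran_on_altstack;

static void handler(int sig)
{
    stack_t cur;
    (void)sig;
    /* SS_ONSTACK means the kernel really switched us onto the alt stack. */
    if (sigaltstack(NULL, &cur) == 0 && (cur.ss_flags & SS_ONSTACK))
        handler_ran_on_altstack = 1;
    siglongjmp(escape, 1); /* leave the handler without ever reaching sigreturn */
}

/* Returns 1 if the handler ran on the alt stack and the memory was still
 * usable as ordinary memory afterwards (so free() is safe), else 0. */
int altstack_roundtrip(void)
{
    unsigned char *mem = malloc(ALT_STACK_SIZE);
    if (!mem) return 0;
    stack_t ss = { .ss_sp = mem, .ss_size = ALT_STACK_SIZE, .ss_flags = 0 };
    if (sigaltstack(&ss, NULL) != 0) { free(mem); return 0; }
    struct sigaction sa, oldsa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handler;
    sa.sa_flags = SA_ONSTACK;       /* run the handler on the alt stack */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGUSR1, &sa, &oldsa);
    handler_ran_on_altstack = 0;
    if (sigsetjmp(escape, 1) == 0)  /* savemask=1 restores the mask on longjmp */
        raise(SIGUSR1);
    /* Back on the main stack via siglongjmp: no sigreturn happened. */
    stack_t dis = { .ss_flags = SS_DISABLE };
    sigaltstack(&dis, NULL);        /* detach the alt stack before reusing it */
    sigaction(SIGUSR1, &oldsa, NULL);
    int ok = handler_ran_on_altstack;
    memset(mem, 0xa5, ALT_STACK_SIZE);  /* treat it as ordinary memory again */
    ok = ok && mem[ALT_STACK_SIZE - 1] == 0xa5;
    free(mem);                      /* the contract: the mapping is unchanged */
    return ok;
}
```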