On Aug 30, 2018, at 10:59 AM, Jann Horn [off-list ref] wrote:
quoted
On Thu, Aug 30, 2018 at 7:58 PM Yu-cheng Yu [off-list ref] wrote:
quoted
On Thu, 2018-08-30 at 10:33 -0700, Dave Hansen wrote:
quoted
On 08/30/2018 10:26 AM, Yu-cheng Yu wrote:
We don't have the guard page now, but there is a shadow stack
token
there, which cannot be used as a return address.
The overall concern is that we could overflow into a page that we
did
not intend. Either another actual shadow stack or something that a
page
that the attacker constructed, like the transient scenario Jann
described.
A task could go beyond the bottom of its shadow stack by doing either
'ret' or 'incssp'. If it is the 'ret' case, the token prevents it.
If it is the 'incssp' case, a guard page cannot prevent it entirely,
right?
I mean the other direction, on "call".
I still think that shadow stacks should work just like mmap and that mmap should learn to add guard pages for all non-MAP_FIXED allocations.