This is the mail archive of the mailing list for the glibc project.
Re: RFC: Shadow Stack support in glibc
- From: Yu-cheng Yu <yu-cheng dot yu at intel dot com>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: "H.J. Lu" <hjl dot tools at gmail dot com>, GNU C Library <libc-alpha at sourceware dot org>, Igor Tsimbalist <tigor dot tools at gmail dot com>, "Shanbhogue, Vedvyas" <vedvyas dot shanbhogue at intel dot com>
- Date: Wed, 07 Jun 2017 16:00:22 -0700
- Subject: Re: RFC: Shadow Stack support in glibc
- Authentication-results: sourceware.org; auth=none
- References: <CAMe9rOqN7oNWWmbw_NmaP=TpBDY7jh=MNbJQNaiOR901Rs7bcw@mail.gmail.com> <email@example.com>
On Mon, 2017-06-05 at 23:18 -0700, Florian Weimer wrote:
> On 06/05/2017 11:36 PM, H.J. Lu wrote:
> > Most of glibc functions are compatible with Shadow Stack, except for
> > 1. setjmp/longjmp need to be extended to support Shadow Stack.
> > 2. getcontext/setcontext may be extended to support Shadow Stack.
> > 3. makecontext/swapcontext are hard to support Shadow Stack.
> What about these?
Please comment on the following.
The child's shadow stack can be copied on access, similar to
copy-on-write of a regular memory page. A shadow stack PTE has to be
dirty and read-only. When a task is cloned, the kernel makes shadow
stack PTEs clean until they are accessed again. At that time, a copy is
When the kernel gets the sigaltstack syscall, it allocates a
shadow_sigaltstack and records the pointer in the task header (similar
to the existing sigaltstack pointer). If there is another sigaltstack
syscall, the kernel frees the previous shadow_sigaltstack; else, the
shadow_sigaltstack is freed upon task exit.
Since shadow stack stores only return pointers, it is not affected by
the address/size of the program stack.
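The setjmp/longjmp item in H.J. Lu's list above (and the reason a plain longjmp that restores only the program stack pointer breaks under a shadow stack), shown as an added, self-contained C model. This is example code written for this archive page, not glibc or kernel code: the `machine` struct, the `m_call`/`m_ret`/`m_longjmp` helpers and the return addresses 0x401000 and so on are all constructed for illustration, and the model assumes (as in the hardware design being discussed) that RET compares the program-stack return address with the shadow-stack copy and that unprivileged code can only pop shadow-stack entries, never push or rewrite them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a hardware shadow stack (hypothetical, for illustration):
 * the program stack holds return addresses in attacker-reachable memory,
 * the shadow stack holds a second copy that ordinary code cannot write. */
#define DEPTH 64

typedef struct {
    uintptr_t data[DEPTH];   /* program stack: saved return addresses, corruptible */
    size_t sp;
    uintptr_t shadow[DEPTH]; /* shadow stack: only CALL/RET may push/pop */
    size_t ssp;
    int cp_fault;            /* set when RET sees a mismatch (a #CP in hardware) */
} machine;

/* jmp_buf extended with the shadow stack pointer, which is the change
 * setjmp/longjmp need under a shadow stack. */
typedef struct { size_t sp; size_t ssp; } jmpbuf;

void m_init(machine *m) { memset(m, 0, sizeof *m); }

/* CALL pushes the return address on both stacks. */
void m_call(machine *m, uintptr_t ret_addr) {
    m->data[m->sp++] = ret_addr;
    m->shadow[m->ssp++] = ret_addr;
}

/* RET pops both and compares; a mismatch is a control-protection fault.
 * Returns the return target, or 0 after a fault. */
uintptr_t m_ret(machine *m) {
    if (m->sp == 0 || m->ssp == 0) { m->cp_fault = 1; return 0; }
    uintptr_t a = m->data[--m->sp];
    uintptr_t s = m->shadow[--m->ssp];
    if (a != s) { m->cp_fault = 1; return 0; }
    return a;
}

/* What a stack-buffer overflow does: overwrite the saved return address. */
void m_corrupt_top(machine *m, uintptr_t v) { if (m->sp) m->data[m->sp - 1] = v; }

void m_setjmp(machine *m, jmpbuf *jb) { jb->sp = m->sp; jb->ssp = m->ssp; }

/* longjmp must unwind the shadow stack as well. Popping (INCSSP in the
 * hardware design) is the only adjustment allowed here, so the target may
 * not have more entries than the current shadow stack. */
int m_longjmp(machine *m, const jmpbuf *jb) {
    if (jb->ssp > m->ssp) { m->cp_fault = 1; return -1; }
    m->sp = jb->sp;
    m->ssp = jb->ssp;   /* modelled as repeated INCSSP */
    return 0;
}

/* Scenario 1: a ROP-style overwrite of the return address is caught at RET. */
int demo_overwrite_detected(void) {
    machine m; m_init(&m);
    m_call(&m, 0x401000);
    m_corrupt_top(&m, 0xdeadbeef);
    m_ret(&m);
    return m.cp_fault;   /* 1: fault raised */
}

/* Scenario 2: longjmp with an ssp-aware jmpbuf leaves both stacks consistent. */
int demo_longjmp_ok(void) {
    machine m; jmpbuf jb; m_init(&m);
    m_call(&m, 0x401000);
    m_setjmp(&m, &jb);
    m_call(&m, 0x402000);
    m_call(&m, 0x403000);
    if (m_longjmp(&m, &jb) != 0) return 0;
    return m_ret(&m) == 0x401000 && !m.cp_fault;   /* 1 */
}

/* Scenario 3: legacy longjmp restores only the program stack pointer, so the
 * next RET compares against a stale shadow entry and faults. */
int demo_longjmp_without_ssp_faults(void) {
    machine m; jmpbuf jb; m_init(&m);
    m_call(&m, 0x401000);
    m_setjmp(&m, &jb);
    m_call(&m, 0x402000);
    m.sp = jb.sp;            /* program stack unwound, shadow stack untouched */
    m_ret(&m);               /* data says 0x401000, shadow says 0x402000 */
    return m.cp_fault;       /* 1: fault raised */
}

int main(void) {
    printf("overwrite detected:        %d\n", demo_overwrite_detected());
    printf("ssp-aware longjmp ok:      %d\n", demo_longjmp_ok());
    printf("legacy longjmp faults:     %d\n", demo_longjmp_without_ssp_faults());
    return 0;
}
```

Scenario 3 is the practical point for the glibc discussion: code that only restores the data stack pointer (old longjmp, and likewise the hand-rolled context switching in makecontext/swapcontext) leaves the shadow stack pointer where the abandoned frames left it, and the very next return faults, so the jmp_buf/ucontext must carry the shadow stack pointer and longjmp must pop back to it.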