This is the mail archive of the
mailing list for the glibc project.
Re: RFC: Shadow Stack support in glibc
- From: Szabolcs Nagy <szabolcs dot nagy at arm dot com>
- To: Yu-cheng Yu <yu-cheng dot yu at intel dot com>, Florian Weimer <fweimer at redhat dot com>
- Cc: nd at arm dot com, "H.J. Lu" <hjl dot tools at gmail dot com>, GNU C Library <libc-alpha at sourceware dot org>, Igor Tsimbalist <tigor dot tools at gmail dot com>, "Shanbhogue, Vedvyas" <vedvyas dot shanbhogue at intel dot com>
- Date: Thu, 08 Jun 2017 09:46:35 +0100
- Subject: Re: RFC: Shadow Stack support in glibc
- Authentication-results: sourceware.org; auth=none
- Authentication-results: intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=none action=none header.from=arm.com;
- Nodisclaimer: True
- References: <CAMe9rOqN7oNWWmbw_NmaP=TpBDY7jh=MNbJQNaiOR901Rs7bcw@mail.gmail.com> <email@example.com> <1496876422.12598.31.camel@test-lenovo>
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
On 08/06/17 00:00, Yu-cheng Yu wrote:
> On Mon, 2017-06-05 at 23:18 -0700, Florian Weimer wrote:
>> On 06/05/2017 11:36 PM, H.J. Lu wrote:
>>> Most of glibc functions are compatible with Shadow Stack, except for
>>> 1. setjmp/longjmp need to be extended to support Shadow Stack.
>>> 2. getcontext/setcontext may be extended to support Shadow Stack.
>>> 3. makecontext/swapcontext are hard to support Shadow Stack.
>> What about these?
> Please comment on the following.
> The child's shadow stack can be copied on access, similar to
> copy-on-write of a regular memory page. A shadow stack PTE has to be
> dirty and read-only. When a task is cloned, the kernel makes shadow
> stack PTEs clean until they are accessed again. At that time, a copy is
> When the kernel gets the sigaltstack syscall, it allocates a
> shadow_sigaltstack and records the pointer in the task header (similar
> to the existing sigaltstack pointer). If there is another sigaltstack
> syscall, the kernel frees the previous shadow_sigaltstack; else, the
> shadow_sigaltstack is freed upon task exit.
> Since shadow stack stores only return pointers, it is not affected by
> the address/size of the program stack.
why is it not affected by the size of the program stack?
how is the size of the shadow stack determined?
thread and signal stacks may be user allocated with special
mmap flags, moving return addresses to a different place
is observable and introduces new failure modes (shadow stack
allocation failure, shadow stack overflow), it is not clear
how an unwinder may access the shadow stack nor how the
ucontext/jmpbuf structs may store the new ssp register without