On Tue, 2024-02-20 at 20:14 +0000, Mark Brown wrote:
Hmm, could the shadow stack underflow onto the real stack then? Not sure how bad that is. INCSSP (incrementing the SSP register on x86) loops are not rare so it seems like something that could happen.
Yes, they'd trash any pages of normal stack they touch as they do so but otherwise seems similar to overflow.
I was thinking in the normal buffer overflow case there is a guard gap at the end of the stack, but in this case the shadow stack is directly adjacent to the regular stack. It's probably a minor point.
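The adjacency question above (is there a guard page between the shadow stack and the regular stack, or do they touch?) can be checked from user space by reading the process's own memory map. The following is an added example, not code from the thread or from the kernel patches under discussion; it parses `/proc/<pid>/maps`-style lines and reports the gap between the two regions. It assumes the shadow stack VMA is labelled `[shadow stack]`, as it is in Linux's /proc maps output, and the sample lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of /proc/<pid>/maps: "start-end perms offset dev inode [pathname]"
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+\S+\s*(?P<name>.*)$"
)
PAGE = 4096  # assumed page size for the gap check


@dataclass
class Mapping:
    start: int
    end: int   # exclusive
    perms: str
    name: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text into Mapping records, skipping blank lines."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                           m["perms"], m["name"].strip()))
    return out


def find_region(maps: List[Mapping], name: str) -> Optional[Mapping]:
    """Return the first mapping whose pathname field equals name, else None."""
    return next((r for r in maps if r.name == name), None)


def gap_between(maps: List[Mapping], a_name: str, b_name: str) -> Optional[int]:
    """Bytes of unmapped space between two named regions (0 if adjacent).

    Returns None if either region is missing or the two overlap.
    """
    a, b = find_region(maps, a_name), find_region(maps, b_name)
    if a is None or b is None:
        return None
    lo, hi = (a, b) if a.start <= b.start else (b, a)
    if lo.end > hi.start:
        return None  # overlapping regions: not a meaningful gap
    return hi.start - lo.end


def has_guard_gap(maps: List[Mapping], min_gap: int = PAGE) -> bool:
    """True if at least min_gap bytes separate the shadow stack from [stack]."""
    gap = gap_between(maps, "[shadow stack]", "[stack]")
    return gap is not None and gap >= min_gap


# Constructed sample: shadow stack mapped directly below the regular stack.
ADJACENT_MAPS = """\
7ffd1c000000-7ffd1c020000 rw-p 00000000 00:00 0                          [shadow stack]
7ffd1c020000-7ffd1c041000 rw-p 00000000 00:00 0                          [stack]
"""

# Constructed sample: one unmapped page between the two regions.
GUARDED_MAPS = """\
7ffd1c000000-7ffd1c01f000 rw-p 00000000 00:00 0                          [shadow stack]
7ffd1c020000-7ffd1c041000 rw-p 00000000 00:00 0                          [stack]
"""

if __name__ == "__main__":
    for label, text in (("adjacent", ADJACENT_MAPS), ("guarded", GUARDED_MAPS)):
        maps = parse_maps(text)
        print(label, "gap =", gap_between(maps, "[shadow stack]", "[stack]"),
              "guard gap present:", has_guard_gap(maps))
```

To inspect a live process, feed `open("/proc/self/maps").read()` to `parse_maps` instead of the constructed text; a gap of 0 means the shadow stack region ends exactly where the regular stack begins, which is the layout the message is concerned about.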