On Sat, Dec 09, 2023 at 12:15:22AM -0300, Thiago Jung Bauermann wrote:
Mark Brown <broonie@kernel.org> writes:
- /* The cap must have the low bits set to a token value */
- if (GCS_CAP_TOKEN(val) != 0)
return false;
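Review bot: The comment on the removed line ("The cap must have the low bits set to a token value") contradicts the condition beneath it: `if (GCS_CAP_TOKEN(val) != 0) return false;` rejects any cap whose token bits are non-zero, so the comment should state that the token value of a signal cap must be 0, matching what the check enforces.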
I found the comment above a little confusing, since the if condition actually checks that low bits aren't set at all. Perhaps reword to something like "The token value of a signal cap must be 0"?
Right, that's bitrot from the previous token format.
I'm still not proficient enough in GCS to know how exactly this could be abused (e.g., somehow writing the desired return location right above one of these inactive caps and arranging for GCSPR to point to the cap before returning from a signal) but to be safe or paranoid, perhaps zero the location of the cap before returning?
Right, ideally we'd be doing a compare and exchange here to substitute in a zero.