On Tue, 2024-02-20 at 18:11 -0800, Rick Edgecombe wrote:
Some specific cases that were still open were longjmp()ing off of a custom userspace threading library stack, which may not have left a token behind when it jumped to a new stack. And also, potentially, off of an alt shadow stack in the future, depending on whether it leaves a restore token when handling a signal (the problem there is if there is no room to leave it).
Ah, I remember the other one. If the token on the target shadow stack is at the end of the shadow stack, it may not be able to handle pushing a shadow stack signal frame if a signal hits while it is unwinding through the token. As in, where a normal longjmp() is a direct transition, in this case the longjmp() operation can be temporarily in a place where a signal cannot be handled.