On Tue, Oct 01, 2024 at 05:12:38PM +0200, Christian Brauner wrote:
On Fri, Sep 27, 2024 at 03:21:59PM GMT, Edgecombe, Rick P wrote:
Did you catch that a token can be at a different offset on the stack depending on the args passed to map_shadow_stack? So userspace will need something like the code above, but that adjusts the 'shadow_stack_size' such that the kernel looks for the token in the right place. It will be even weirder if someone uses clone3 to switch to a stack that has already been used, and pivoted off of, such that a token was left in the middle of the stack. In that case userspace would have to come up with args disconnected from the actual size of the shadow stack such that the kernel would be cajoled into looking for the token in the right place.
A shadow stack size is more symmetric on the surface, but I'm not sure it will be easier for userspace to handle. So I think we should just have a pointer to the token. But it will be a usable implementation either way.
My suspicion would be that if we're doing the pivot to a previously used shadow stack we'd also be pivoting the regular stack along with it, which would face similar issues with having an unusual method for specifying the stack top, so I don't know how much we're really winning. Like we both keep saying, either of the interfaces works though; it's just a taste question with both having downsides.
Maybe it's best to let glibc folks decide what is better/more ergonomic for them.
The relevant people are on the thread I think.
I've rebased onto v6.12-rc1; assuming I don't notice anything horrible in testing, I'll post that with the ABI unchanged for now.