On Thu, 2023-10-26 at 13:40 -0700, Deepak Gupta wrote:
> FWIW, from an arch-specific perspective, the RISC-V shadow stack extension has `ssamoswap` to perform this token exchange. But I understand x86 has this limitation (not sure about arm GCS).
>
> From a security perspective: someone having the ability to execute clone3 with control over its input has probably already achieved some level of control-flow bending, because they need to corrupt memory and then carefully control the register inputs to clone3. Although if it is a purely data-oriented gadget, I think it is possible.
>
> struct clone_args should be data somewhere, at least temporarily.
>
> Since this RFC is mostly concerned with the `size` of the shadow stack, I think we should limit it to size only.
Seems reasonable to me. It still leaves open the option of adding a shadow stack address field later AFAICT.