On Thu, Aug 15, 2024 at 03:01:21PM +0100, Dave Martin wrote:
My thought was that if libc knows about shadow stacks, it is probably going to be built to use them too and so would enable shadow stack during startup to protect its own code.
(Technically those would be independent decisions, but it seems a good idea to use a hardening feature if you know about and it is present.)
If so, shadow stacks might always get turned on before the main program gets a look-in.
Or is that not the expectation?
The expectation (at least for arm64) is that the main program will only have shadow stacks if everything says it can support them. If the dynamic linker turns them on during startup prior to parsing the main executables this means that it should turn them off before actually starting the executable, taking care to consider any locking of features.
Is there any scenario where it is legitimate for the signal handler to change the shadow stack mode or to return with an altered GCSPR_EL0?
If userspace can rewrite the stack pointer on return (eg, to return to a different context as part of userspace threading) then it will need to
Do we know if code that actually does that? IIUC, trying to do this is totally broken on most arches nowadays; making it work requires a reentrant C library and/or logic to defer signals around critical sections in userspace.
"Real" threading makes this pretty pointless for the most part.
Related question: does shadow stack work with ucontext-based coroutines? Per-context stacks need to be allocated by the program for that.
Yes, ucontext based coroutines are the sort of thing I meant when I was talking about returning to a different context?
be able to also update GCSPR_EL0 to something consistent otherwise attempting to return from the interrupted context isn't going to go well. Changing the mode is a bit more exotic, as it is in general. It's as much to provide information to the signal handler as anything else.
I'm not sure that we should always put information in the signal frame that the signal handler can't obtain directly.
I guess it's harmless to include this, though.
If we don't include it then if different ucontexts have different GCS features enabled we run into trouble on context switch.
Is the guarded stack considered necessary (or at least beneficial) for backtracing, or is the regular stack sufficient?
It's potentially beneficial, being less vulnerable to corruption and simpler to parse if all you're interested in is return addresses. Profiling in particular was mentioned, grabbing a linear block of memory will hopefully be less overhead than chasing down the stack. The regular stack should generally be sufficient though.
I guess we can't really argue that the shadow stack pointer is redundant here though. The whole point of shadow stacks is to make things more robust...
Just kicking the tyres on the question of whether we need it here, but I guess it's hard to make a good case for saying "no".
Indeed. The general model here is that we don't break userspace that relies on parses the normal stack (so the GCS is never *necessary*) but clearly you want to have it.