On Fri, Oct 18, 2019 at 6:14 PM Sami Tolvanen <samitolvanen@xxxxxxxxxx> wrote: > This change adds generic support for Clang's Shadow Call Stack, which > uses a shadow stack to protect return addresses from being overwritten > by an attacker. Details are available here: > > https://clang.llvm.org/docs/ShadowCallStack.html (As I mentioned in the other thread, the security documentation there doesn't fit the kernel usecase.) [...] > +config SHADOW_CALL_STACK_VMAP > + def_bool n > + depends on SHADOW_CALL_STACK > + help > + Use virtually mapped shadow call stacks. Selecting this option > + provides better stack exhaustion protection, but increases per-thread > + memory consumption as a full page is allocated for each shadow stack. Without CONFIG_SHADOW_CALL_STACK_VMAP, after 128 small stack frames, you overflow into random physmap memory even if the main stack is vmapped... I guess you can't get around that without making the SCS instrumentation more verbose. :/ Could you maybe change things so that independent of whether you have vmapped SCS or slab-allocated SCS, the scs_corrupted() check looks at offset 1024-8 (where it currently is for the slab-allocated case)? That way, code won't suddenly stop working when you disable CONFIG_SHADOW_CALL_STACK_VMAP; and especially if you use CONFIG_SHADOW_CALL_STACK_VMAP for development and testing but disable it in production, that would be annoying.
