On Wed, Apr 22, 2020 at 06:39:47PM +0100, Will Deacon wrote: > On Mon, Apr 20, 2020 at 02:18:30PM -0700, Sami Tolvanen wrote: > > On Mon, Apr 20, 2020 at 06:17:28PM +0100, Will Deacon wrote: > > > > + * The shadow call stack is aligned to SCS_SIZE, and grows > > > > + * upwards, so we can mask out the low bits to extract the base > > > > + * when the task is not running. > > > > + */ > > > > + return (void *)((unsigned long)task_scs(tsk) & ~(SCS_SIZE - 1)); > > > > > > Could we avoid forcing this alignment it we stored the SCS pointer as a > > > (base,offset) pair instead? That might be friendlier on the allocations > > > later on. > > > > The idea is to avoid storing the current task's shadow stack address in > > memory, which is why I would rather not store the base address either. > > What I mean is that, instead of storing the current shadow stack pointer, > we instead store a base and an offset. We can still clear the base, as you > do with the pointer today, and I don't see that the offset is useful to > an attacker on its own. > > But more generally, is it really worthwhile to do this clearing at all? Can > you (or Kees?) provide some justification for it, please? We don't do it > for anything else, e.g. the pointer authentication keys, so something > feels amiss here. It's a hardening step to just reduce the lifetime of a valid address exposed in memory. In fact, since there is a cache, I think it should be wiped even in scs_release(). -- Kees Cook