On Mon, Apr 27, 2020 at 10:50:34PM +0200, Ard Biesheuvel wrote: > > OK, so one thing that came up in an offline discussion about SCS is > > the way it interacts with the vmap'ed stack. > > > > The vmap'ed stack is great for robustness, but it only works if things > > don't explode for other reasons in the mean time. This means the > > ordinary-to-shadow-call-stack size ratio should be chosen such that it > > is *really* unlikely you could ever overflow the shadow call stack and > > corrupt another task's call stack before hitting the vmap stack's > > guard region. > > > > Alternatively, I wonder if there is a way we could let the SCS and > > ordinary stack share the [bottom of] the vmap'ed region. That would > > give rather nasty results if the ordinary stack overflows into the > > SCS, but for cases where we really recurse out of control, we could > > catch this occurrence on either stack, whichever one occurs first. And > > the nastiness -when it does occur- will not corrupt any state beyond > > the stack of the current task. > > Hmm, I guess that would make it quite hard to keep the SCS address > secret though :-( Yes, and the stack potentially overflowing into the SCS sort of defeats the purpose. I'm fine with increasing the SCS size to something safer, but using a vmapped shadow stack seems like the correct solution to this problem, at least on devices where allocating a full page isn't an issue. Sami
