On Thu, Aug 22, 2024 at 02:15:27AM +0100, Mark Brown wrote: > When invoking a signal handler we use the GCS configuration and stack > for the current thread. > > Since we implement signal return by calling the signal handler with a > return address set up pointing to a trampoline in the vDSO we need to > also configure any active GCS for this by pushing a frame for the > trampoline onto the GCS. If we do not do this then signal return will > generate a GCS protection fault. > > In order to guard against attempts to bypass GCS protections via signal > return we only allow returning with GCSPR_EL0 pointing to an address > where it was previously preempted by a signal. We do this by pushing a > cap onto the GCS, this takes the form of an architectural GCS cap token > with the top bit set and token type of 0 which we add on signal entry > and validate and pop off on signal return. The combination of the top > bit being set and the token type mean that this can't be interpreted as > a valid token or address. > > Reviewed-by: Thiago Jung Bauermann <thiago.bauermann@xxxxxxxxxx> > Signed-off-by: Mark Brown <broonie@xxxxxxxxxx> Reviewed-by: Catalin Marinas <catalin.marinas@xxxxxxx>
