On Tue, Oct 08, 2024 at 03:37:01PM -0700, Deepak Gupta wrote:

> +int arch_lock_shadow_stack_status(struct task_struct *task, > + unsigned long arg) > +{ > + /* If shtstk not supported or not enabled on task, nothing to lock here */ > + if (!cpu_supports_shadow_stack() || > + !is_shstk_enabled(task)) > + return -EINVAL; > + > + set_shstk_lock(task); > + > + return 0; > +}

This will lock the shadow stack settings regardless of the value of arg. On arm64 the argument is a mask of bits to block changes to. While for RISC-V you only support enables so there's only one bit that'll actually do anything portable code could in theory try to do something like masking writes or pushes only and get surprised that disabling shadow stack gets blocked.

For arm64 the implementation accepts any possible mask value, allowing for userspace to block enabling of any future options that get added. In theory someone might end up calling with a value of 0 (eg, if there's a config option for the bitmask to lock and they don't bother optimising out the syscall if the value is 0) which would definitely break.
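Review bot: in arch_lock_shadow_stack_status() the arg parameter is never read before set_shstk_lock(task) is called, so the lock is applied no matter which bits the caller asked for, including arg == 0. Suggest testing arg for the shadow stack enable bit and calling set_shstk_lock(task) only when that bit is set, and deciding explicitly (with a comment above the function) how a zero mask and bits that have no effect on this architecture are treated, since nothing in the hunk documents what arg means. Minor: the comment spells "shtstk" where the helpers use "shstk".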