On 9/16/2020 6:52 AM, Andy Lutomirski wrote:
> On Mon, Sep 14, 2020 at 2:14 PM Dave Hansen <dave.hansen@xxxxxxxxx> wrote:
>> On 9/14/20 11:31 AM, Andy Lutomirski wrote:
>>> No matter what we do, the effects of calling vfork() are going to be a
>>> bit odd with SHSTK enabled. I suppose we could disallow this, but
>>> that seems likely to cause its own issues.
>> What's odd about it? If you're a vfork()'d child, you can't touch the
>> stack at all, right? If you do, you or your parent will probably die a
>> horrible death.
> An evil program could vfork(), have the child do a bunch of returns
> and a bunch of calls, and exit. The net effect would be to change the
> parent's shadow stack contents. In a sufficiently strict model, this
> is potentially problematic.
When a vfork child returns, its parent's shadow stack pointer is where
it was before the child started. To move the shadow stack pointer and
re-use the content left by the child, the parent needs to use CALL, RET,
INCSSP, or RSTORSSP. This seems to be difficult.
> The question is: how much do we want to protect userspace from itself?
>
If any issue comes up, people can always find ways to counter it.
> --Andy
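A toy model of the scenario discussed above, added here as an illustration and not code from the thread or from the kernel shadow stack patches. It keeps the two facts the discussion rests on: vfork() shares the shadow stack memory but copies the register holding the shadow stack pointer, so the child's RETs and CALLs rewrite the slots the parent's restored SSP still points at. Everything else is constructed: the slot-indexed `shstk_mem` and `cpu_ctx` types, the return addresses 0x1000 through 0x4000, and the simplification that the data stack stays abstract (the child's RETs are assumed to see matching pairs, and the parent's data stack is assumed to still say "return to 0x2000"). INCSSP and RSTORSSP are not modelled.

```c
#include <stdbool.h>
#include <stdint.h>

#define SS_SLOTS 8               /* constructed: 8-byte slots in the toy shadow stack */
#define SS_EMPTY 0ULL            /* constructed: value of an unused slot */

/* Shadow stack memory. vfork() shares the address space, so parent and
 * child operate on the same slots. It grows downward like the data stack. */
typedef struct { uint64_t slot[SS_SLOTS]; } shstk_mem;

/* Per-context register state: the shadow stack pointer as a slot index.
 * vfork() copies registers, so the child starts with the parent's SSP. */
typedef struct { int ssp; } cpu_ctx;

static void shstk_init(shstk_mem *m, cpu_ctx *c)
{
    for (int i = 0; i < SS_SLOTS; i++)
        m->slot[i] = SS_EMPTY;
    c->ssp = SS_SLOTS;           /* empty stack: SSP is one past the top slot */
}

/* CALL: push the return address on the shadow stack. */
static void do_call(shstk_mem *m, cpu_ctx *c, uint64_t ret_addr)
{
    m->slot[--c->ssp] = ret_addr;
}

/* RET: pop the shadow entry and compare it with the return address popped
 * from the data stack. On hardware a mismatch raises #CP; here it is false. */
static bool do_ret(shstk_mem *m, cpu_ctx *c, uint64_t data_stack_ret)
{
    uint64_t shadow = m->slot[c->ssp++];
    return shadow == data_stack_ret;
}

/* Parent is two calls deep (return addresses 0x1000 and 0x2000, constructed),
 * vfork()s, and the child performs child_rets RETs followed by child_calls
 * CALLs before exiting. The parent then resumes with its pre-vfork SSP and
 * executes the RET it was about to do. Returns the shadow entry found at the
 * parent's restored SSP; *parent_ret_ok receives whether that RET passed. */
uint64_t vfork_scenario(int child_rets, int child_calls, bool *parent_ret_ok)
{
    shstk_mem mem;
    cpu_ctx parent, child;

    shstk_init(&mem, &parent);
    do_call(&mem, &parent, 0x1000);      /* main -> f */
    do_call(&mem, &parent, 0x2000);      /* f -> g */

    child = parent;                      /* vfork(): registers copied, memory shared */

    /* The child's RETs unwind the parent's frames. The data stack is shared too,
     * so each RET is assumed to see a matching pair and pass the check. */
    for (int i = 0; i < child_rets && child.ssp < SS_SLOTS; i++)
        do_ret(&mem, &child, mem.slot[child.ssp]);
    /* The child's CALLs push new entries; if it unwound first, these land in
     * the very slots the parent's SSP still points at. */
    for (int i = 0; i < child_calls && child.ssp > 0; i++)
        do_call(&mem, &child, 0x3000 + 0x1000 * (uint64_t)i);
    /* child exits; the parent resumes with its own register state */

    uint64_t at_parent_ssp = mem.slot[parent.ssp];
    *parent_ret_ok = do_ret(&mem, &parent, 0x2000);   /* g's return to f */
    return at_parent_ssp;
}

/* Convenience wrappers so each result can be inspected on its own. */
uint64_t entry_at_parent_ssp(int child_rets, int child_calls)
{
    bool ok;
    return vfork_scenario(child_rets, child_calls, &ok);
}

bool parent_ret_after_child(int child_rets, int child_calls)
{
    bool ok;
    (void)vfork_scenario(child_rets, child_calls, &ok);
    return ok;
}
```

With two RETs followed by two CALLs in the child, the slot at the parent's restored SSP holds the child's 0x4000 and the parent's next RET fails the shadow check; a child that only CALLs (no unwinding) writes below the parent's SSP and leaves its entries intact, which is why the "returns, then calls" ordering is what matters in the discussion.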