On Wed, 2024-10-16 at 14:57 -0700, Deepak Gupta wrote:

> -/*
> - * VM_SHADOW_STACK will have a guard page. This helps userspace protect
> - * itself from attacks. The reasoning is as follows:
> - *
> - * The shadow stack pointer(SSP) is moved by CALL, RET, and INCSSPQ. The
> - * INCSSP instruction can increment the shadow stack pointer. It is the
> - * shadow stack analog of an instruction like:
> - *
> - * addq $0x80, %rsp
> - *
> - * However, there is one important difference between an ADD on %rsp
> - * and INCSSP. In addition to modifying SSP, INCSSP also reads from the
> - * memory of the first and last elements that were "popped". It can be
> - * thought of as acting like this:
> - *
> - * READ_ONCE(ssp); // read+discard top element on stack
> - * ssp += nr_to_pop * 8; // move the shadow stack
> - * READ_ONCE(ssp-8); // read+discard last popped stack element
> - *
> - * The maximum distance INCSSP can move the SSP is 2040 bytes, before
> - * it would read the memory. Therefore a single page gap will be enough
> - * to prevent any operation from shifting the SSP to an adjacent stack,
> - * since it would have to land in the gap at least once, causing a
> - * fault.
> - */

I want to take a deeper look at this series once I can apply and test it, but can we maybe make this comment more generic and keep it? I think it is similar reasoning for arm (?), is there any situation like this for risc-v? Or rather, why does risc-v have the guard gaps?
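Review bot: Deleting this comment block removes the only documented justification for the guard gap size, namely that INCSSP moves the SSP by at most 2040 bytes before it must read memory, so a single page gap is guaranteed to be hit and fault before an adjacent shadow stack can be reached. If the comment is dropped from its current location, the constraint it encodes (gap size must exceed the largest possible single SSP adjustment on the architecture) becomes an unexplained magic number for anyone later tuning the gap. Suggest keeping the first and last paragraphs ("VM_SHADOW_STACK will have a guard page. This helps userspace protect itself from attacks" and the "single page gap will be enough" conclusion) in the generic place, phrased in terms of "the largest single shadow stack pointer adjustment the architecture allows", and moving only the x86-specific middle (INCSSPQ, `addq $0x80, %rsp`, the 2040-byte bound) next to the x86 definition, so each architecture documents its own bound rather than losing the rationale.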