On Tue, Aug 06, 2024 at 09:10:28PM +0100, Mark Brown wrote:
> On Mon, Aug 05, 2024 at 08:54:54PM -0700, Kees Cook wrote:
> 
> > # Running test 'Shadow stack on system with shadow stack'
> > # [5496] Trying clone3() with flags 0 (size 0)
> > # I am the parent (5496). My child's pid is 5505
> > # Child exited with signal 11
> > # [5496] clone3() with flags says: 11 expected 0
> > # [5496] Result (11) is different than expected (0)
> > not ok 20 Shadow stack on system with shadow stack
> 
> > The child segfaults immediately, it seems?
> 
> Does this help:
> 
> diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
> index 1755fa21e6fb..27acbdf44c5f 100644
> --- a/arch/x86/kernel/shstk.c
> +++ b/arch/x86/kernel/shstk.c
> @@ -198,13 +198,14 @@ int arch_shstk_post_fork(struct task_struct *t, struct kernel_clone_args *args)
> * the token 64-bit.
> */
> struct mm_struct *mm;
> - unsigned long addr;
> + unsigned long addr, ssp;
> u64 expected;
> u64 val;
> - int ret = -EINVAL;;
> + int ret = -EINVAL;
> 
> - addr = args->shadow_stack + args->shadow_stack_size - sizeof(u64);
> - expected = (addr - SS_FRAME_SIZE) | BIT(0);
> + ssp = args->shadow_stack + args->shadow_stack_size;
> + addr = ssp - SS_FRAME_SIZE;
> + expected = ssp | BIT(0);
> 
> mm = get_task_mm(t);
> if (!mm)

Yes indeed! This passes now.

"Shadow stack with no token" still crashes the parent. It seems to crash in waitpid(). Under gdb it hangs instead, showing it's in glibc's __GI___wait4(). Ah, it's crashing at c3 (ret), so shadow stack problem, I imagine. Does waitpid() need to be open-coded like the clone3() call too?

-- 
Kees Cook
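Review bot: the hunk changes which address the token is expected to encode (now `ssp`, the top of the new shadow stack, with BIT(0) set, read from `ssp - SS_FRAME_SIZE`), but the comment ending in `* the token 64-bit.` is left as-is; add a line there stating that the token sitting one frame below the top must hold `ssp | BIT(0)`, since the old code's `(addr - SS_FRAME_SIZE) | BIT(0)` shows how easy it is to get this off by one frame. The read location also moves from `top - sizeof(u64)` to `top - SS_FRAME_SIZE`; if those can differ in any configuration, the commit message should say so, and the unrelated `;;` cleanup on the `ret` line is worth a mention there too. The hunk stops before `val` is read and compared, so the remaining body is assumed to still check `val` against `expected` as before.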