> On Aug 30, 2018, at 10:59 AM, Jann Horn <jannh@xxxxxxxxxx> wrote: > >> On Thu, Aug 30, 2018 at 7:58 PM Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx> wrote: >> >>> On Thu, 2018-08-30 at 10:33 -0700, Dave Hansen wrote: >>>> On 08/30/2018 10:26 AM, Yu-cheng Yu wrote: >>>> >>>> We don't have the guard page now, but there is a shadow stack >>>> token >>>> there, which cannot be used as a return address. >>> The overall concern is that we could overflow into a page that we >>> did >>> not intend. Either another actual shadow stack or something that a >>> page >>> that the attacker constructed, like the transient scenario Jann >>> described. >>> >> >> A task could go beyond the bottom of its shadow stack by doing either >> 'ret' or 'incssp'. If it is the 'ret' case, the token prevents it. >> If it is the 'incssp' case, a guard page cannot prevent it entirely, >> right? > > I mean the other direction, on "call". I still think that shadow stacks should work just like mmap and that mmap should learn to add guard pages for all non-MAP_FIXED allocations.
