On Mon, 2023-03-06 at 09:08 +0100, Borislav Petkov wrote:
> Just typos:

All seem reasonable to me. Thanks.

For using the log verbiage for the comment, it is quite big. Does
something like this seem reasonable?

/*
 * The shadow stack pointer (SSP) is moved by CALL, RET, and INCSSPQ.
 * The INCSSP instruction can increment the shadow stack pointer. It
 * is the shadow stack analog of an instruction like:
 *
 *   addq $0x80, %rsp
 *
 * However, there is one important difference between an ADD on %rsp
 * and INCSSP. In addition to modifying SSP, INCSSP also reads from the
 * memory of the first and last elements that were "popped". It can be
 * thought of as acting like this:
 *
 *   READ_ONCE(ssp);       // read+discard top element on stack
 *   ssp += nr_to_pop * 8; // move the shadow stack
 *   READ_ONCE(ssp-8);     // read+discard last popped stack element
 *
 * The maximum distance INCSSP can move the SSP is 2040 bytes, before
 * it would read the memory. Therefore a single page gap will be enough
 * to prevent any operation from shifting the SSP to an adjacent stack,
 * since it would have to land in the gap at least once, causing a
 * fault.
 *
 * Prevent using INCSSP to move the SSP between shadow stacks by
 * having a PAGE_SIZE guard gap.
 */
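As an added illustration of the argument in the comment above (this is constructed example code, not part of the email thread or of the kernel patch), the following C program models two shadow stacks separated by an unmapped guard gap and simulates INCSSPQ exactly as the comment describes it: read the top element, move the SSP by nr_to_pop * 8, read the last popped element. INCSSPQ takes its pop count from the low 8 bits of its register operand, so at most 255 slots of 8 bytes are popped, which is the 2040-byte figure in the comment. The program then tries every starting SSP in the first stack and every pop count, with a second INCSSP from wherever the first one landed, and reports whether any sequence reaches the second stack without faulting. The addresses, the stack size and the layout struct are assumptions made up for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed toy model of two shadow stacks separated by a guard gap.
 * Addresses are plain integers; nothing here touches real memory.
 */
#define PAGE_SIZE      4096UL
#define STACK_SIZE     PAGE_SIZE   /* assumed size of each shadow stack (model only) */
#define INCSSP_MAX_POP 255         /* low 8 bits of the INCSSPQ operand: 255 slots = 2040 bytes */

struct layout {
	uint64_t a_start, a_end;   /* stack A: [a_start, a_end) */
	uint64_t b_start, b_end;   /* stack B: [b_start, b_end), above the gap */
};

static struct layout make_layout(uint64_t gap)
{
	struct layout l;
	l.a_start = 0x10000;                  /* assumed base address */
	l.a_end   = l.a_start + STACK_SIZE;
	l.b_start = l.a_end + gap;            /* the unmapped guard gap lies between */
	l.b_end   = l.b_start + STACK_SIZE;
	return l;
}

static bool mapped(const struct layout *l, uint64_t addr)
{
	return (addr >= l->a_start && addr < l->a_end) ||
	       (addr >= l->b_start && addr < l->b_end);
}

/*
 * Model INCSSPQ: read top element, move SSP by nr_to_pop*8, read the last
 * popped element.  Returns true on success and updates *ssp; returns false
 * if either read touches unmapped memory (a page fault on real hardware)
 * and leaves *ssp untouched.
 */
static bool incssp(const struct layout *l, uint64_t *ssp, unsigned nr_to_pop)
{
	uint64_t old = *ssp;
	uint64_t new_ssp = old + (uint64_t)nr_to_pop * 8;

	if (!mapped(l, old))          /* READ_ONCE(ssp): top element */
		return false;
	if (!mapped(l, new_ssp - 8))  /* READ_ONCE(ssp-8): last popped element */
		return false;
	*ssp = new_ssp;
	return true;
}

/* One INCSSP from (a_start + off) with the given gap; returns the new SSP, or 0 on fault. */
static uint64_t incssp_from(uint64_t gap, uint64_t off, unsigned nr_to_pop)
{
	struct layout l = make_layout(gap);
	uint64_t ssp = l.a_start + off;
	return incssp(&l, &ssp, nr_to_pop) ? ssp : 0;
}

/*
 * Exhaustively try every SSP in stack A and every pop count, followed by
 * one more INCSSP from wherever the first one landed.  Returns true if some
 * sequence moves the SSP into stack B without faulting.
 */
static bool gap_can_be_crossed(uint64_t gap)
{
	struct layout l = make_layout(gap);
	for (uint64_t start = l.a_start; start < l.a_end; start += 8) {
		for (unsigned n = 1; n <= INCSSP_MAX_POP; n++) {
			uint64_t ssp = start;
			if (!incssp(&l, &ssp, n))
				continue;                 /* faulted: this path is dead */
			if (ssp >= l.b_start && ssp < l.b_end)
				return true;              /* single-instruction crossing */
			/* landed in the gap or still in A: try one more hop */
			for (unsigned m = 1; m <= INCSSP_MAX_POP; m++) {
				uint64_t s2 = ssp;
				if (incssp(&l, &s2, m) && s2 >= l.b_start && s2 < l.b_end)
					return true;
			}
		}
	}
	return false;
}

int main(void)
{
	printf("gap %lu bytes: %s\n", (unsigned long)PAGE_SIZE,
	       gap_can_be_crossed(PAGE_SIZE) ? "crossable" : "not crossable");
	printf("gap %lu bytes: %s\n", 16UL,
	       gap_can_be_crossed(16) ? "crossable" : "not crossable");
	return 0;
}
```

With a PAGE_SIZE gap no sequence reaches stack B: a single INCSSP moves the SSP by at most 2040 bytes, so from anywhere in A it can only land in A or in the gap, and an SSP sitting in the gap faults on the very next INCSSP because the top-element read hits unmapped memory. With a 16-byte gap the model finds a crossing, for example from the top slot of A with a pop count of 4, where the last-popped read already lands inside B and the SSP ends up there without any fault; that is why the gap size, not merely its existence, matters.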