The 07/03/2023 20:49, Florian Weimer wrote:
> * szabolcs:
>
> >> alt shadow stack cannot be transparent to existing software anyway, it
> >
> > maybe not in glibc, but a libc can internally use alt shadow stack
> > in sigaltstack instead of exposing a separate sigaltshadowstack api.
> > (this is what a strict posix conform implementation has to do to
> > support shadow stacks), leaking shadow stacks is not a correctness
> > issue unless it prevents the program working (the shadow stack for
> > the main thread likely wastes more memory than all the alt stack
> > leaks. if the leaks become dominant in a thread the sigaltstack
> > libc api can just fail).
>
> It should be possible in theory to carve out pages from sigaltstack and
> push a shadow stack page and a guard page as part of the signal frame.
> As far as I understand it, the signal frame layout is not ABI, so it's
> possible to hide arbitrary stuff in it. I'm just saying that it looks
> possible, not that it's a good idea.
>
> Perhaps that's not realistic with 64K pages, though.

Interesting idea, but it would not work transparently: the user expects
the alt stack memory to be usable as normal memory after longjmping out
of a signal handler. This would break code in practice, e.g. when a
malloced alt stack is passed to free(); the contract there is to not
allow changes to the underlying mapping (this affects malloc
interposition, so it is not possible to paper over inside the libc
malloc). So signal entry cannot change the mappings of the alt stack.

I think kernel-internal alt shadow stack allocation works in practice,
where their lifetime is the same as the thread lifetime. It is sketchy
as an OS interface, but doing it in userspace should be fine, I think
(it's policy what kind of sigaltstack usage is allowed). The kernel is
easier in the sense that if there is an actual sigreturn then the alt
shadow stack can be freed, while libc cannot catch this case (at least
not easily).

A leaked shadow stack can also have security implications, but reuse of
an old alt shadow stack sounds like a minor issue in practice.
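The sigaltstack contract the reply relies on, as an added example that is not part of the thread and not glibc code: a malloced alt stack is installed, a handler running on it leaves via siglongjmp (so no sigreturn ever happens, the case libc "cannot catch"), and the program then treats the alt stack memory as ordinary memory, reuses it for a second signal, disables it and passes it to free(). The check would fault or fail at the memset/free step if signal entry had remapped pages of the alt stack. It assumes Linux with glibc or musl; shadow stacks themselves need CET hardware and are not exercised here, only the user-visible alt stack lifecycle that any shadow stack scheme must preserve.

```c
/* altstack_lifecycle.c: alt stack memory stays ordinary memory across a
 * siglongjmp out of a handler and is reused by the next signal (added
 * example, not from the thread). Build: cc -Wall altstack_lifecycle.c */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static sigjmp_buf escape;                   /* jump target on the main stack */
static volatile sig_atomic_t handler_runs;  /* how many times the handler ran */
static volatile uintptr_t handler_sp;       /* address of a handler local: which stack it ran on */

static void on_sigusr1(int sig)
{
    (void)sig;
    int marker;                             /* lives on whatever stack the handler got */
    handler_sp = (uintptr_t)&marker;
    handler_runs++;
    siglongjmp(escape, 1);                  /* leave the handler without sigreturn */
}

/* Returns 0 when the alt stack behaved as plain memory through the whole
 * lifecycle; a small nonzero code identifies the step that failed. */
int altstack_lifecycle_check(void)
{
    size_t size = (size_t)SIGSTKSZ;         /* a runtime value on glibc >= 2.34 */
    if (size < 64 * 1024)
        size = 64 * 1024;
    handler_runs = 0;

    unsigned char *stack = malloc(size);    /* an ordinary heap allocation, as many programs use */
    if (stack == NULL)
        return 1;

    stack_t ss = { .ss_sp = stack, .ss_size = size, .ss_flags = 0 };
    if (sigaltstack(&ss, NULL) != 0)
        return 2;

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigusr1;
    sa.sa_flags = SA_ONSTACK;               /* deliver on the alt stack */
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) != 0)
        return 3;

    int rc = 0;
    volatile int round;
    for (round = 0; round < 2 && rc == 0; round++) {
        if (sigsetjmp(escape, 1) == 0) {    /* savemask=1: undo the handler-time block of SIGUSR1 */
            raise(SIGUSR1);                 /* does not return: the handler siglongjmps */
            rc = 4;
            break;
        }
        /* Back on the main stack. The handler must have run inside [stack, stack+size). */
        if (handler_sp < (uintptr_t)stack || handler_sp >= (uintptr_t)stack + size) {
            rc = 5;
            break;
        }
        /* The kernel derives SS_ONSTACK from the current sp, so it is clear again. */
        stack_t cur;
        if (sigaltstack(NULL, &cur) != 0 || (cur.ss_flags & SS_ONSTACK)) {
            rc = 6;
            break;
        }
        /* Contract under test: the whole buffer is still writable, ordinary memory.
         * Had signal entry remapped part of it, this memset would fault. */
        unsigned char fill = (unsigned char)(0xA5 + round);
        memset(stack, fill, size);
        if (stack[0] != fill || stack[size - 1] != fill) {
            rc = 7;
            break;
        }
    }
    if (rc == 0 && handler_runs != 2)       /* the same alt stack served both signals */
        rc = 8;

    /* Tear down in order: disable the alt stack before handing its memory back. */
    stack_t off = { .ss_flags = SS_DISABLE };
    sigaltstack(&off, NULL);
    signal(SIGUSR1, SIG_DFL);
    free(stack);                            /* must work: the mapping was never changed */
    return rc;
}

int main(void)
{
    int rc = altstack_lifecycle_check();
    printf("alt stack lifecycle check: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The second round is the reuse case the reply calls minor: nothing ever freed the first signal's state on the alt stack, yet the next signal lands on the same memory, which is exactly what a libc-side alt shadow stack would have to tolerate. The SS_ONSTACK query after the jump shows why the kernel can recognise this situation by sp alone, while a libc that allocated a shadow stack at signal entry gets no notification that the handler was abandoned.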