[PATCH v2 2/2] arm64: Stash shadow stack pointer in the task struct on interrupt
Kees Cook
keescook at chromium.org
Thu Jan 12 14:18:56 PST 2023
On Mon, Jan 09, 2023 at 06:48:00PM +0100, Ard Biesheuvel wrote:
> Instead of reloading the shadow call stack pointer from the ordinary
> stack, which may be vulnerable to the kind of gadget based attacks
> shadow call stacks were designed to prevent, let's store a task's shadow
> call stack pointer in the task struct when switching to the shadow IRQ
> stack.
>
> Given that currently, the task_struct::scs_sp field is only used to
> preserve the shadow call stack pointer while a task is scheduled out or
> running in user space, reusing this field to preserve and restore it
> while running off the IRQ stack must be safe, as those occurrences are
> guaranteed to never overlap. (The stack switching logic only switches
> stacks when running from the task stack, and so the value being saved
> here always corresponds to the task mode shadow stack)
>
> While at it, fold a mov/add/mov sequence into a single add.
>
> Signed-off-by: Ard Biesheuvel <ardb at kernel.org>
Reviewed-by: Kees Cook <keescook at chromium.org>
--
Kees Cook
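Added illustration, not the kernel's code and not part of this thread: a small C model of the two save/restore schemes the commit message contrasts. A task has an ordinary stack and a task-mode shadow call stack, there is one per-CPU IRQ shadow stack, and a global `scs_reg` stands in for the arm64 shadow stack register. `irq_enter_old`/`irq_exit_old` spill the shadow stack pointer onto the ordinary stack; `irq_enter_new`/`irq_exit_new` stash it in the task struct (modelling `task_struct::scs_sp`). The `corrupt` flag models a stray write landing on the top word of the ordinary stack while the handler runs (a constructed fault, not a real primitive) so the difference in outcome is visible. All names and layouts here are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_WORDS 32

/* Model of a task (assumed layout, not the kernel's): an ordinary stack
 * that grows downward and a shadow call stack that grows upward, as on
 * arm64 where the shadow stack register post-increments on push. */
struct task {
    uintptr_t stack[STACK_WORDS];   /* ordinary stack */
    uintptr_t scs[STACK_WORDS];     /* task-mode shadow call stack */
    uintptr_t *sp;                  /* ordinary stack pointer */
    uintptr_t *scs_sp;              /* models task_struct::scs_sp */
};

static uintptr_t irq_scs[STACK_WORDS];  /* models the per-CPU IRQ shadow stack */
static uintptr_t *scs_reg;              /* models the shadow stack register (x18) */

static void task_init(struct task *t) {
    memset(t, 0, sizeof *t);
    t->sp = t->stack + STACK_WORDS;     /* empty full-descending stack */
    t->scs_sp = NULL;
    scs_reg = t->scs;                   /* empty shadow stack */
}

/* Shadow stack push/pop of a return address. */
static void scs_push(uintptr_t ra) { *scs_reg++ = ra; }
static uintptr_t scs_pop(void)     { return *--scs_reg; }

/* Old scheme: spill the shadow stack pointer onto the ordinary stack. */
static void irq_enter_old(struct task *t) {
    *--t->sp = (uintptr_t)scs_reg;
    scs_reg = irq_scs;
}
static void irq_exit_old(struct task *t) {
    scs_reg = (uintptr_t *)*t->sp++;
}

/* New scheme: stash the shadow stack pointer in the task struct. */
static void irq_enter_new(struct task *t) {
    t->scs_sp = scs_reg;
    scs_reg = irq_scs;
}
static void irq_exit_new(struct task *t) {
    scs_reg = t->scs_sp;
}

/* Run one interrupt against a task with two live frames on its shadow
 * stack. Returns 1 if, after the interrupt, the shadow stack pointer and
 * both saved return addresses are exactly as they were before it. */
static int simulate(int stash_in_task, int corrupt) {
    static uintptr_t junk[STACK_WORDS];   /* constructed target of the stray write */
    struct task t;
    task_init(&t);

    scs_push(0x1000);                     /* constructed return addresses */
    scs_push(0x2000);
    uintptr_t *scs_before = scs_reg;
    uintptr_t *sp_before = t.sp;

    if (stash_in_task) irq_enter_new(&t); else irq_enter_old(&t);

    scs_push(0x3000);                     /* nested call inside the handler */
    if (corrupt)
        t.stack[STACK_WORDS - 1] = (uintptr_t)junk;  /* clobber top word of task stack */
    scs_pop();

    if (stash_in_task) irq_exit_new(&t); else irq_exit_old(&t);

    /* Short-circuit so a redirected pointer is never dereferenced. */
    return t.sp == sp_before && scs_reg == scs_before &&
           scs_pop() == 0x2000 && scs_pop() == 0x1000;
}

int main(void) {
    printf("spill to stack, clean     : %s\n", simulate(0, 0) ? "intact" : "broken");
    printf("spill to stack, corrupted : %s\n", simulate(0, 1) ? "intact" : "broken");
    printf("stash in task, clean      : %s\n", simulate(1, 0) ? "intact" : "broken");
    printf("stash in task, corrupted  : %s\n", simulate(1, 1) ? "intact" : "broken");
    return 0;
}
```

Both schemes behave identically on the clean path; the difference is that with the old scheme the only copy of the task-mode shadow stack pointer lives in ordinary, writable stack memory for the duration of the interrupt, which is exactly the memory the shadow stack is meant not to trust. The model also shows why the reuse of `scs_sp` is safe: the field is written on interrupt entry and read on exit, and nothing else touches it while the task is on the CPU.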