Shadow Call Stack can be used to protect the return address of a function at runtime, and clang already supports this feature[1]. Linux kernel also recently had a submission to support Shadow Call Stack on aarch64 through a gcc plugin[2]. Could we add similar support in gcc? [1] https://clang.llvm.org/docs/ShadowCallStack.html [2] https://patchwork.kernel.org/project/linux-hardening/patch/1634167668-60198-1-git-send-email-ashimida@linux.alibaba.com/
note that this at least - requires runtime support (to manage the shadow stack), - needs a reserved register (x18), - affects unwinding (shadow stack must be unwound too), - affects longjmp and jmp_buf abi. i guess these are taken care of in the linux context and in that case i think it makes sense to have the gcc support upstream instead of in a plugin. however the general support in user-space is not trivial (the required libc changes may not be possible in a backward compatible way such as changing jmp_buf, or reliably such as allocating the size of shadow stack and dealing with related failures, or with good ui e.g. opt-in mechanism for binaries that require shadow stack so there is no regression for non-shadow-stack binaries, etc.) and there are existing stack protection mechanisms implemented. i just wanted to note here that the linux kernel use-case can be treated separately from user-space applications and likely less effort and less controversial if you scope the feature right.
(In reply to nsz from comment #1) > note that this at least > > - requires runtime support (to manage the shadow stack), > - needs a reserved register (x18), > - affects unwinding (shadow stack must be unwound too), > - affects longjmp and jmp_buf abi. > > i guess these are taken care of in the linux context and in > that case i think it makes sense to have the gcc support > upstream instead of in a plugin. > > however the general support in user-space is not trivial > (the required libc changes may not be possible in a backward > compatible way such as changing jmp_buf, or reliably such as > allocating the size of shadow stack and dealing with related > failures, or with good ui e.g. opt-in mechanism for binaries > that require shadow stack so there is no regression for > non-shadow-stack binaries, etc.) and there are existing stack > protection mechanisms implemented. > > i just wanted to note here that the linux kernel use-case > can be treated separately from user-space applications and > likely less effort and less controversial if you scope the > feature right. Thanks nsz, As far as I know, existing security mechanisms such as stack canary usually do not achieve the same effect, and pac is not always supported by hardware. As you said, it will take a lot of trivial work to let the user space support Shadow Call Stack, and Linux Kernel is ready for this. But Shadow Call Stack should be a general mechanism, just as Android can support Clang SCS by modifying bionic, gcc's basic support for SCS can provide a lot of convenience for users itself to implement user-mode SCS (users may not always need to face all the above issues) So what I want to say in the request is whether we can provide SCS support in the compiler side as a good start. Maybe itβs better to modify the feature description as follows? [feature request] Add compiler support for aarch64 shadow call stack
well, protection mechanisms are rarely equivalent. neither scs nor traditional stack protector are perfect. to me compiler support for freestanding environments such as linux makes sense. i cannot immediately tell if libc support would work. (android is not a good indicator of what can be done in linux userspace: the android abi is broken between releases while glibc is abi stable, bionic can do hacks in longjmp/setcontext that is not acceptable in glibc and android does not have mixed toolchain issues such as old unwinder tries to unwind across a new binary.)
RFC :) https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583062.html
Created attachment 51854 [details] [RFC] Aarch64 add libgcc unwind support for shadow call stack
RFC,v2: https://gcc.gnu.org/pipermail/gcc-patches/2021-November/585496.html
Hi nsz, Could you please review this patch :) Link: https://gcc.gnu.org/pipermail/gcc-patches/2021-December/586204.html Thanks, -- Dan
Gentile ping for this :), thanks. https://gcc.gnu.org/pipermail/gcc-patches/2021-December/587185.html
i'm closing this as fixed. open separate bugs for further improvements. Fixed by https://gcc.gnu.org/g:ce09ab17ddd21f73ff2caf6eec3b0ee9b0e1a11e commit ce09ab17ddd21f73ff2caf6eec3b0ee9b0e1a11e Author: Dan Li <ashimida@linux.alibaba.com> AuthorDate: 2022-02-21 20:01:14 +0000 aarch64: Add compiler support for Shadow Call Stack Shadow Call Stack can be used to protect the return address of a function at runtime, and clang already supports this feature[1]. To enable SCS in user mode, in addition to compiler, other support is also required (as discussed in [2]). This patch only adds basic support for SCS from the compiler side, and provides convenience for users to enable SCS. For linux kernel, only the support of the compiler is required. [1] https://clang.llvm.org/docs/ShadowCallStack.html [2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768 Signed-off-by: Dan Li <ashimida@linux.alibaba.com> gcc/ChangeLog: * config/aarch64/aarch64.cc (SLOT_REQUIRED): Change wb_candidate[12] to wb_push_candidate[12]. (aarch64_layout_frame): Likewise, and change callee_adjust when scs is enabled. (aarch64_save_callee_saves): Change wb_candidate[12] to wb_push_candidate[12]. (aarch64_restore_callee_saves): Change wb_candidate[12] to wb_pop_candidate[12]. (aarch64_get_separate_components): Change wb_candidate[12] to wb_push_candidate[12]. (aarch64_expand_prologue): Push x30 onto SCS before it's pushed onto stack. (aarch64_expand_epilogue): Pop x30 frome SCS, while preventing it from being popped from the regular stack again. (aarch64_override_options_internal): Add SCS compile option check. (TARGET_HAVE_SHADOW_CALL_STACK): New hook. * config/aarch64/aarch64.h (struct GTY): Add is_scs_enabled, wb_pop_candidate[12], and rename wb_candidate[12] to wb_push_candidate[12]. * config/aarch64/aarch64.md (scs_push): New template. (scs_pop): Likewise. * doc/invoke.texi: Document -fsanitize=shadow-call-stack. * doc/tm.texi: Regenerate. * doc/tm.texi.in: Add hook have_shadow_call_stack. * flag-types.h (enum sanitize_code): Add SANITIZE_SHADOW_CALL_STACK. * opts.cc (parse_sanitizer_options): Add shadow-call-stack and exclude SANITIZE_SHADOW_CALL_STACK. * target.def: New hook. * toplev.cc (process_options): Add SCS compile option check. * ubsan.cc (ubsan_expand_null_ifn): Enum type conversion. gcc/testsuite/ChangeLog: * gcc.target/aarch64/shadow_call_stack_1.c: New test. * gcc.target/aarch64/shadow_call_stack_2.c: New test. * gcc.target/aarch64/shadow_call_stack_3.c: New test. * gcc.target/aarch64/shadow_call_stack_4.c: New test. * gcc.target/aarch64/shadow_call_stack_5.c: New test. * gcc.target/aarch64/shadow_call_stack_6.c: New test. * gcc.target/aarch64/shadow_call_stack_7.c: New test. * gcc.target/aarch64/shadow_call_stack_8.c: New test.