[Bug libgcc/85334] Shadow stack isn't unwound properly through signal handler

cvs-commit at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Wed Mar 4 11:20:00 GMT 2020

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85334

--- Comment #14 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-8 branch has been updated by H.J. Lu <hjl@gcc.gnu.org>:

https://gcc.gnu.org/g:f4e748747a6536dc49586c8202284bc2b7bf2c6c

commit r8-10108-gf4e748747a6536dc49586c8202284bc2b7bf2c6c
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Feb 10 07:58:45 2020 -0800

    i386: Properly pop restore token in signal frame

    The Linux CET kernel places a restore token on the shadow stack for the
    signal handler to enhance security.  The restore token is 8 bytes and
    aligned to 8 bytes.  It is usually transparent to user programs since
    the kernel will pop the restore token when the signal handler returns.
    But when an exception is thrown from a signal handler, now we need to
    pop the restore token from the shadow stack.  For x86-64, we just need
    to treat the signal frame as a normal frame.  For i386, we need to
    search for the restore token to check if the original shadow stack is
    8-byte aligned.  If the original shadow stack is 8-byte aligned, we
    just need to pop 2 slots, one restore token, from the shadow stack.
    Otherwise, we need to pop 3 slots, one restore token + 4 bytes of
    padding, from the shadow stack.

    This patch also includes 2 tests, one has a restore token with 4 byte
    padding and one without.

    Tested on Linux/x86-64 CET machine with and without -m32.

    libgcc/

        Backport from mainline
        PR libgcc/85334
        * config/i386/shadow-stack-unwind.h (_Unwind_Frames_Increment):
        New.

    (cherry picked from commit bf6465d0461234ccd45ae34d5e2375a0bee0081d)

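The 2-slot versus 3-slot decision in the commit message is easy to get wrong, so here is a small simulation of it. This is an added example, not libgcc's code and not the kernel's: it models an i386 shadow stack as an array of 4-byte slots behind a constructed base address (SS_BASE), models the kernel placing an 8-byte, 8-byte-aligned restore token below the interrupted SSP, and then applies the unwinder-side rule from the message. The token encoding (the token's low word holds the original SSP itself, with a 4-byte padding slot above the token when that SSP is only 4-byte aligned) and all addresses are assumptions chosen to exercise both cases, not a statement of the real kernel format. The check also refuses to pop anything when the slot does not hold a recognisable token, rather than guessing.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 32-bit shadow stack: 4-byte slots, grows down,
   addressed by 32-bit linear addresses starting at SS_BASE (assumed
   8-byte aligned).  Not real hardware or libgcc state.  */
#define SS_BASE   0x7ffff000u
#define SS_SLOTS  32u
static uint32_t ss_mem[SS_SLOTS];

static uint32_t ss_load(uint32_t addr)            { return ss_mem[(addr - SS_BASE) / 4]; }
static void     ss_store(uint32_t addr, uint32_t v) { ss_mem[(addr - SS_BASE) / 4] = v; }

/* "Kernel" side, following the commit's description: put an 8-byte restore
   token, aligned to 8 bytes, below the interrupted SSP.  Assumption for
   this example: the token's low word stores the original SSP, so when the
   original SSP is only 4-byte aligned a 4-byte padding slot separates the
   token from it.  Returns the SSP the signal handler starts with.  */
static uint32_t push_restore_token(uint32_t orig_ssp)
{
    uint32_t token_addr = (orig_ssp - 8) & ~7u;   /* ALIGN_DOWN(orig_ssp - 8, 8) */
    ss_store(token_addr, orig_ssp);               /* low half: saved SSP (bit 0 clear: 32-bit) */
    ss_store(token_addr + 4, 0);                  /* high half of the 8-byte token */
    return token_addr;
}

/* "Handler" side: every call made inside the signal handler pushes one
   4-byte return address onto the shadow stack.  */
static uint32_t push_return_addr(uint32_t ssp, uint32_t ret)
{
    ssp -= 4;
    ss_store(ssp, ret);
    return ssp;
}

/* "Unwinder" side, the i386 rule from the commit message: after 'frames'
   ordinary handler frames the next slot must be the restore token.  If the
   saved SSP is exactly 8 bytes above the token, the original shadow stack
   was 8-byte aligned and the signal frame costs 2 slots; if it is 12 bytes
   above, there is 4 bytes of padding and the frame costs 3 slots.  Anything
   else is not a restore token and we return 0 instead of guessing.
   (On x86-64 the commit says a signal frame is just a normal frame.)  */
static unsigned signal_frame_slots(uint32_t ssp, unsigned frames)
{
    uint32_t token_addr = ssp + 4u * frames;
    if (token_addr & 7u)
        return 0;                                 /* token must be 8-byte aligned */
    uint32_t saved_ssp = ss_load(token_addr);
    if (saved_ssp == token_addr + 8)
        return 2;                                 /* token only */
    if (saved_ssp == token_addr + 12)
        return 3;                                 /* token + 4-byte padding */
    return 0;                                     /* corrupted or missing token */
}

/* End to end: "deliver a signal" at orig_ssp, let the handler nest 'depth'
   calls, then compute where popping all frames plus the signal frame lands.
   A correct unwind returns orig_ssp; 0 means the token check failed.  */
static uint32_t simulate_unwind(uint32_t orig_ssp, unsigned depth)
{
    uint32_t ssp = push_restore_token(orig_ssp);
    for (unsigned i = 0; i < depth; i++)
        ssp = push_return_addr(ssp, 0x08048000u + 0x10u * i);   /* constructed return addresses */

    unsigned sig = signal_frame_slots(ssp, depth);
    if (sig == 0)
        return 0;
    return ssp + 4u * (depth + sig);              /* what incrementing SSP slot by slot leaves */
}

int main(void)
{
    uint32_t aligned   = SS_BASE + 4u * 24;       /* 8-byte aligned original SSP */
    uint32_t unaligned = SS_BASE + 4u * 25;       /* only 4-byte aligned original SSP */
    printf("aligned   : 0x%08x -> 0x%08x\n", aligned,   simulate_unwind(aligned, 3));
    printf("unaligned : 0x%08x -> 0x%08x\n", unaligned, simulate_unwind(unaligned, 2));
    return 0;
}
```

The two cases in the commit's tests correspond to the `aligned` and `unaligned` runs: both must land back exactly on the interrupted SSP, and the padding case does so only because the third slot is popped. Overwriting the token slot before unwinding makes `signal_frame_slots` return 0, which is the behaviour you want from an unwinder facing a corrupted shadow stack.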