On Mon, Nov 16, 2020 at 6:48 AM Alexandre Chartre <alexandre.char...@oracle.com> wrote:
>
> Using stack protector requires the stack canary to be mapped into
> the current page-table. Now that the page-table switch between the
> user and kernel page-table is deferred to C code, stack protector can
> be used while the user page-table is active and so the stack canary
> is mapped into the user page-table.
>
> To prevent leaking the stack canary used with the kernel page-table,
> use a different canary with the user and kernel page-table. The stack
> canary is changed when switching the page-table.
Unless I've missed something, this doesn't have the security properties we want. One CPU can be executing with kernel CR3, and another CPU can read the stack canary using Meltdown. I think that doing this safely requires mapping a different page with the stack canary in the two pagetables.