On Tue, Nov 17 2020 at 09:42, Alexandre Chartre wrote:
> On 11/17/20 12:06 AM, Andy Lutomirski wrote:
> The PTI stack does have guard pages because it maps only a part of the task
> stack into the user page-table, so pages around the PTI stack are not mapped
> into the user page-table (the page below is the task stack guard, and the page
> above is part of the kernel-only stack so it's never mapped into the user
> page-table).
>
> + *   +-------------+
> + *   |             | ^                       ^
> + *   | kernel-only | | KERNEL_STACK_SIZE     |
> + *   |    stack    | |                       |
> + *   |             | V                       |
> + *   +-------------+ <- top of kernel stack  | THREAD_SIZE
> + *   |             | ^                       |
> + *   | kernel and  | | KERNEL_STACK_SIZE     |
> + *   | PTI stack   | |                       |
> + *   |             | V                       v
> + *   +-------------+ <- top of stack
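Review bot: the diagram draws the kernel-only half and the "kernel and PTI stack" half as directly adjacent, with "top of kernel stack" as the only thing between them, so a reader cannot tell from the comment that nothing but a label separates the two stacks; the comment should say explicitly whether a guard page sits between them (and, if not, that an underflow of the kernel-only stack lands in the PTI stack) and in which direction addresses increase, since "top of kernel stack" is placed between the halves while "top of stack" is placed at the outer edge. The two halves are both labelled KERNEL_STACK_SIZE against a total of THREAD_SIZE, which asserts THREAD_SIZE == 2 * KERNEL_STACK_SIZE; state that relation in the comment (or next to the build-time assertion that enforces it) so the picture cannot silently go stale if either constant changes.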

Well, the PTI stack might have guard pages, but the kernel stack can now
underflow into the PTI stack. Not good.

Thanks,

        tglx

