On Wed, May 15, 2024 at 01:19:20PM +0200, Oleg Nesterov wrote:
> Sorry for the late reply, I was on PTO.
>
> On 05/14, Deepak Gupta wrote:
> >
> > Question,
> >
> > Is it kernel who is maintaining all return probes, meaning original return
> > addresses
> > are saved in kernel data structures on per task basis.
>
> Yes. task_struct->utask->return_instances
>
> See prepare_uretprobe() which inserts the new return_instance with
> ->orig_ret_vaddr = original return addresses
> when the tracee enters the ret-probed function.
>
> > Once uretprobe did its job then
> > its kernel who is ensuring return to original return address ?
>
> Yes. See instruction_pointer_set(regs, ri->orig_ret_vaddr) in
> handle_trampoline().
>
>
>
> I know absolutely nothing about the shadow stacks, trying to read
> Documentation/arch/x86/shstk.rst but it doesn't tell me too much...
> Where can I find more documentation? I didn't try to google yet.
>
> Upon function return, the processor pops the shadow stack copy
> and compares it to the normal stack copy. If the two differ, the
> processor raises a control-protection fault.
>
> grep-grep-grep... exc_control_protection I guess.
>
> Let me ask a couple of really stupid questions. What if the shadow stack
> is "shorter" than the normal stack? I mean,
>
> enable_shstk()
> {
> prctl(ARCH_SHSTK_SHSTK);
> }
>
> what happens when enable_shstk() returns?
I think it will crash, there's explanation in the comment in
tools/testing/selftests/x86/test_shadow_stack.c test
that's why ARCH_PRCTL is using syscall instruction directly and
not calling syscall function
jirka
> And what is the purpose of fpregs_lock_and_load() ? Why do we need to
> fpregs_restore_userregs() in shstk_setup() and other places?
>
> Oleg.
>
