| field | value | |
|---|---|---|
| author | H.J. Lu <hjl.tools@gmail.com> | 2024-01-02 07:03:29 -0800 |
| committer | H.J. Lu <hjl.tools@gmail.com> | 2024-01-04 13:38:26 -0800 |
| commit | 35694d3416b273ac19d67ffa49b7969f36684ae1 | |
| tree | 19987f21faff819af1daadb11bba9fbb88f60d47 | /io/euidaccess.c |
| parent | e9f5dc7e4ad860bf03349f70635d851fba803d6b | |
| download | glibc-35694d3416b273ac19d67ffa49b7969f36684ae1.tar.gz, glibc-35694d3416b273ac19d67ffa49b7969f36684ae1.tar.xz, glibc-35694d3416b273ac19d67ffa49b7969f36684ae1.zip | |
x86-64/cet: Check the restore token in longjmp
setcontext and swapcontext put a restore token on the old shadow stack which is used to restore the target shadow stack when switching user contexts. When longjmp is called from a user context, the target shadow stack can be different from the current shadow stack and INCSSP can't be used to restore the shadow stack pointer to the target shadow stack. Update longjmp to search for a restore token. If found, use the token to restore the shadow stack pointer before using INCSSP to pop the shadow stack. Stop the token search and use INCSSP if the shadow stack entry value is the same as the current shadow stack pointer. It is a user error if there is a shadow stack switch without leaving a restore token on the old shadow stack.

The only difference between __longjmp.S and __longjmp_chk.S is that __longjmp_chk.S has a check for invalid longjmp usages. Merge __longjmp.S and __longjmp_chk.S by adding the CHECK_INVALID_LONGJMP macro.

Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
Diffstat (limited to 'io/euidaccess.c')
0 files changed, 0 insertions, 0 deletions
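The commit message describes the shadow-stack adjustment in prose only; the following is an added model of that search, written for this page and not glibc's own __longjmp.S. It simulates shadow stacks as plain arrays and the SSP as a global. Assumptions, beyond the message: the restore-token encoding (slot A holds (A + 8) | 1, modelled on the Intel SHSTK token), that the search walks from the saved target SSP toward lower addresses until it either reaches the current SSP (same stack) or meets a token (different stack), and that RSTORSSP plus the pop of the previous-SSP token nets out to SSP = token address + 8. The 0x40xxxx return addresses and the three-stack arena are constructed test data. glibc's extra pop of setjmp's own frame is omitted.

```c
/* Constructed model of the longjmp shadow-stack adjustment described in
   the commit message.  Not glibc code.  Token encoding is an assumption
   modelled on the Intel SHSTK restore token: slot A holds (A + 8) | 1.  */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT 8u                      /* one shadow stack entry is 8 bytes */
static uint64_t ssp;                 /* simulated SSP register */
/* Registered stacks: the search refuses to read outside them (real
   hardware would fault on a guard page instead).  */
static struct { uint64_t lo, hi; } stacks[4];
static size_t nstacks;

static uint64_t addr_of(const uint64_t *s) { return (uint64_t)(uintptr_t)s; }
static uint64_t *slot_at(uint64_t a) { return (uint64_t *)(uintptr_t)a; }

static bool in_some_stack(uint64_t a)
{
  for (size_t i = 0; i < nstacks; i++)
    if (a >= stacks[i].lo && a < stacks[i].hi)
      return true;
  return false;
}

/* Register a downward-growing shadow stack; return its empty SSP.  */
static uint64_t shstk_register(uint64_t *base, size_t n)
{
  memset(base, 0, n * sizeof *base);
  stacks[nstacks].lo = addr_of(base);
  stacks[nstacks].hi = addr_of(base + n);
  nstacks++;
  return addr_of(base + n);
}

static uint64_t token_for(uint64_t a) { return (a + SLOT) | 1; }
static bool is_restore_token(uint64_t a) { return *slot_at(a) == token_for(a); }
static void shstk_push(uint64_t ret) { ssp -= SLOT; *slot_at(ssp) = ret; } /* CALL */
static void incssp(uint64_t n) { ssp += n * SLOT; }                        /* INCSSP */

/* RSTORSSP through a token plus popping the previous-SSP token it leaves:
   SSP becomes the value the token encodes; the token is consumed.  */
static bool rstorssp(uint64_t a)
{
  if (!in_some_stack(a) || !is_restore_token(a)) return false;
  *slot_at(a) = 0;
  ssp = a + SLOT;
  return true;
}

/* A fresh context's shadow stack starts with a restore token at its top.  */
static uint64_t shstk_new_context(uint64_t *base, size_t n)
{
  uint64_t token = shstk_register(base, n) - SLOT;
  *slot_at(token) = token_for(token);
  return token;
}

/* setcontext/swapcontext: leave a restore token on the old shadow stack,
   then switch to the target through its token.  */
static bool shstk_switch(uint64_t target_token)
{
  *slot_at(ssp - SLOT) = token_for(ssp - SLOT);
  return rstorssp(target_token);
}

/* Walk from the saved target SSP downward (this model's reading of the
   message).  Reaching the current SSP: same stack, INCSSP suffices.  Meeting
   a token first: other stack, RSTORSSP then INCSSP.  Leaving every shadow
   stack: no token was left, the user error the message names.  */
static bool shstk_longjmp(uint64_t target_ssp)
{
  for (uint64_t p = target_ssp; p != ssp; ) {
    p -= SLOT;
    if (p == ssp) break;
    if (!in_some_stack(p)) return false;
    if (is_restore_token(p)) {
      if (!rstorssp(p)) return false;
      break;
    }
  }
  incssp((target_ssp - ssp) / SLOT);
  return ssp == target_ssp;
}

/* Three scenarios; returns a bitmask of the ones that behaved correctly.
   One arena with unregistered gaps between the stacks keeps the "walked
   off the stack" case deterministic.  Addresses 0x40xxxx are constructed.  */
static int demo(void)
{
  static uint64_t arena[64];
  uint64_t *ss_main = arena + 40, *ss_ctx = arena + 20, *ss_rogue = arena;
  int ok = 0;
  nstacks = 0;
  ssp = shstk_register(ss_main, 16);
  shstk_push(0x401000);                      /* main calls f */
  shstk_push(0x402000);                      /* f calls g; g calls setjmp */
  uint64_t saved = ssp;
  shstk_push(0x403000);                      /* g calls h; h longjmps */
  ok |= shstk_longjmp(saved) ? 1 : 0;        /* same stack: INCSSP only */
  uint64_t ctx_token = shstk_new_context(ss_ctx, 16);
  shstk_push(0x404000);                      /* g calls swapcontext */
  if (shstk_switch(ctx_token)) {             /* now running on ss_ctx */
    shstk_push(0x405000);
    ok |= shstk_longjmp(saved) ? 2 : 0;      /* other stack: token found */
  }
  ssp = shstk_register(ss_rogue, 16);        /* switch that leaves no token */
  ok |= shstk_longjmp(saved) ? 0 : 4;        /* must be refused */
  return ok;                                 /* 7 when all three behave */
}

int main(void)
{
  printf("scenario mask: %d (7 means all three behaved)\n", demo());
  return 0;
}
```

The third scenario is the failure mode the message leaves to the user: a raw stack switch with no token on the old stack. In the model the walk runs into an unregistered gap and is refused; on real hardware the same walk would read past the shadow stack's bottom, which is why the message classifies it as a user error rather than something longjmp can recover.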