review.tizen.org Git - platform/upstream/glibc.git/commit

author	H.J. Lu <hjl.tools@gmail.com>
	Tue, 2 Jan 2024 15:03:29 +0000 (07:03 -0800)
committer	H.J. Lu <hjl.tools@gmail.com>
	Thu, 4 Jan 2024 21:38:26 +0000 (13:38 -0800)
commit	35694d3416b273ac19d67ffa49b7969f36684ae1
tree	19987f21faff819af1daadb11bba9fbb88f60d47	tree \| snapshot
parent	e9f5dc7e4ad860bf03349f70635d851fba803d6b	commit \| diff

x86-64/cet: Check the restore token in longjmp

setcontext and swapcontext put a restore token on the old shadow stack
which is used to restore the target shadow stack when switching user
contexts.  When longjmp from a user context, the target shadow stack
can be different from the current shadow stack and INCSSP can't be
used to restore the shadow stack pointer to the target shadow stack.

Update longjmp to search for a restore token.  If found, use the token
to restore the shadow stack pointer before using INCSSP to pop the
shadow stack.  Stop the token search and use INCSSP if the shadow stack
entry value is the same as the current shadow stack pointer.

It is a user error if there is a shadow stack switch without leaving a
restore token on the old shadow stack.

The only difference between __longjmp.S and __longjmp_chk.S is that
__longjmp_chk.S has a check for invalid longjmp usages.  Merge
__longjmp.S and __longjmp_chk.S by adding the CHECK_INVALID_LONGJMP
macro.
Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>

sysdeps/unix/sysv/linux/x86_64/____longjmp_chk.S		diff \| blob \| history
sysdeps/x86/__longjmp_cancel.S		diff \| blob \| history
sysdeps/x86_64/__longjmp.S		diff \| blob \| history