On Wed, 2024-10-02 at 22:01 +0100, Mark Brown wrote:
BTW it's probably also worth noting that at least on arm64 (perhaps x86 is different here?) the shadow stack of a thread that exited won't have a token placed on it so it won't be possible to use it with clone3() at all unless another token is written. To get a shadow stack you could use with clone3() you'd either need to allocate a new one, pivot away from one that's currently in use or enable shadow stack writes and place a token.
Hmm, yea. I didn't have a specific idea in mind. But yea, you would have to switch to something in order to leave a token.
If you enabled WRSS (or similar) you might be able to reuse shadow stacks in some kind of useful way, but in that case you would probably WRSS the token to the end of the shadow stack and the start+size would fit better.