From: Florian Weimer via Gdb <gdb@sourceware.org>
To: "Schimpe, Christina" <christina.schimpe@intel.com>
Cc: "Schimpe, Christina via Gdb" <gdb@sourceware.org>,
Thiago Jung Bauermann <thiago.bauermann@linaro.org>,
Tom Tromey <tom@tromey.com>
Subject: Re: Shadow stack backtrace command name
Date: Wed, 10 Jul 2024 12:05:55 +0200 [thread overview]
Message-ID: <87y169h88s.fsf@oldenburg.str.redhat.com> (raw)
In-Reply-To: <SN7PR11MB7638EBBEA792F9364DB5BB5CF9A42@SN7PR11MB7638.namprd11.prod.outlook.com> (Christina Schimpe's message of "Wed, 10 Jul 2024 09:07:35 +0000")
* Christina Schimpe:
> We are currently working on the implementation of the shadow stack backtrace.
> This is how we would print a shadow stack backtrace for signals:
>
> ~~~
> (gdb) bt shadow
> #0 0x00007ffff7c54d90 in __restore_rt from /lib64/libc.so.6
> #1 0x80007ffff79fffd8
> #2 0x00007ffff7c54ce6 in __GI_raise at ../sysdeps/posix/raise.c:27
> #3 0x000000000040115d in main at /tmp/amd64-shadow-stack-signal.c:32
> [...]
> ~~~
> This would be the corresponding ordinary stack:
> ~~~
> (gdb) bt
> #0 handler (signo=10) at /tmp/amd64-shadow-stack-signal.c:25
> #1 <signal handler called>
> #2 __pthread_kill_implementation ([...]) at pthread_kill.c:44
> #3 0x00007ffff7ca15f3 in __pthread_kill_internal (signo=10, threadid=<optimized out>) at pthread_kill.c:78
> #4 0x00007ffff7c54ce6 in __GI_raise (sig=10) at ../sysdeps/posix/raise.c:26
> #5 0x000000000040115d in main () at /tmp/amd64-shadow-stack-signal.c:31
> ~~~
> Do you see much value in combining the outputs?
The difference is that the shadow stack backtrace does not contain the
interrupted instruction, so frame #2 in the traditional backtrace. This
is more important for CPU-generated signals such as division by zero or
invalid memory access, where you really want to see the fault address in
the backtrace.
> The elements on the shadow stack are following the description of the linux
> kernel for signals:
> "When a signal happens, the old pre-signal state is pushed on the stack.
> When shadow stack is enabled, the shadow stack specific state is pushed
> onto the shadow stack. Today this is only the old SSP (shadow stack pointer),
> pushed in a special format with bit 63 set."
> (https://docs.kernel.org/arch/x86/shstk.html)
>
> Frame 1 contains the old SSP with bit 63 set.
I would like the kernel to push the address of the interrupted
instruction as well, potentially with additional flag markup. Or maybe
it's so early that we don't need it. The signal return path would have
pop it off the stack and not validate it because I think it's an
expected use case to redirect execution from a signal handler by
patching the signal context. Alternatively, the kernel could push the
address of the signal context, which might be even more useful. I think
it would be useful if the shadow stack contained all the data needed to
implement the glibc backtrace function, not because glibc is important,
but because it seems to be a good indicator what programmers expect from
a backtrace.
We also need to figure out how this interacts with LAM. Does the CPU
push tagged addresses onto the shadow stack? It could impact the type
of tagging the kernel can use for its own special addresses.
Thanks,
Florian
next prev parent reply other threads:[~2024-07-10 10:06 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-20 9:42 Schimpe, Christina via Gdb
2023-12-20 10:59 ` Guinevere Larsen via Gdb
2023-12-20 15:11 ` Schimpe, Christina via Gdb
2023-12-20 11:38 ` Luis Machado via Gdb
2023-12-20 15:35 ` Schimpe, Christina via Gdb
2023-12-20 15:57 ` Luis Machado via Gdb
2023-12-21 4:35 ` Thiago Jung Bauermann via Gdb
2023-12-21 22:26 ` Shadow stack command to host related subcommands (was Re: Shadow stack backtrace command name) Thiago Jung Bauermann via Gdb
2024-01-09 8:34 ` Schimpe, Christina via Gdb
2023-12-23 18:22 ` Shadow stack backtrace command name Tom Tromey
2023-12-28 22:34 ` Thiago Jung Bauermann via Gdb
2024-01-09 10:21 ` Schimpe, Christina via Gdb
2024-07-05 18:16 ` Florian Weimer via Gdb
2024-07-09 14:50 ` Schimpe, Christina via Gdb
2024-07-09 15:16 ` Florian Weimer via Gdb
2024-07-10 9:07 ` Schimpe, Christina via Gdb
2024-07-10 10:05 ` Florian Weimer via Gdb [this message]
2024-07-10 11:35 ` Schimpe, Christina via Gdb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y169h88s.fsf@oldenburg.str.redhat.com \
--to=gdb@sourceware.org \
--cc=christina.schimpe@intel.com \
--cc=fweimer@redhat.com \
--cc=thiago.bauermann@linaro.org \
--cc=tom@tromey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox