[PATCH] D44801: Add the -fsanitize=shadow-call-stack flag

Kostya Serebryany via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Thu Mar 22 21:50:14 PDT 2018 

kcc added a comment.

[didn't look at the code yet, just at the docs]

Please add a docs section describing how to handle leaf functions. 
If they are not handled yet, no need to change the implementation in these pathches -- ok to do it later.



================
Comment at: docs/ShadowCallStack.rst:14
+buffer overflows. It works by saving a function's return address to a
+separately allocated 'shadow call stack' in the function prolog and checking the
+return address on the stack against the shadow call stack in the function
----------------
prologue/epilogue? 
(it's your native tongue, not mine, though)


================
Comment at: docs/ShadowCallStack.rst:20
+and trade-off consuming more memory for shorter function prologs and epilogs
+with fewer memory accesses.
+
----------------
Provide short comparison with RFG (more instructions, less memory, same racy attack)


================
Comment at: docs/ShadowCallStack.rst:38
+return address and bypass ShadowCallStack. Similarly, there is a time-of-check-
+to-time-of-use race in the function prolog where an attacker could overwrite the
+return address after it has been checked and before it has been returned to.
----------------
link to wikipedia maybe? 


================
Comment at: docs/ShadowCallStack.rst:41
+Modifying the call-return semantics to fix this on x86_64 would incur an
+unacceptable performance overhead.
+
----------------
... due to return branch predictor (or some such)


================
Comment at: docs/ShadowCallStack.rst:47
+not easily leak its address.
+
+Usage
----------------
Say something about attacks that first try to discover the secret location of the shadow call stack. 
side channels, thread spaying, whatever you have. 


================
Comment at: docs/ShadowCallStack.rst:74
+declaration to specify that the shadow call stack instrumentation should not be
+applied to that function, even if enabled globally.
----------------
Please add a section that shows the assembly for the following example: 

   int foo() {
      return bar() + 1;
   }


Repository:
  rC Clang

https://reviews.llvm.org/D44801

More information about the cfe-commits mailing list