Re: [PATCH] mm/vmalloc: widen guard region to defeat ENTER-based stack pivot

Next message: Dawei Feng: "[PATCH v2] usb: free iso schedules on failed submit"
Previous message: Christian Brauner: "Re: [RFC] Null Namespaces"
In reply to: Xiang Mei: "Re: [PATCH] mm/vmalloc: widen guard region to defeat ENTER-based stack pivot"
Next in thread: Xiang Mei: "Re: [PATCH] mm/vmalloc: widen guard region to defeat ENTER-based stack pivot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Peter Zijlstra

Date: Tue Jun 30 2026 - 03:15:06 EST

On Fri, Jun 26, 2026 at 10:48:46AM -0700, Xiang Mei wrote:

> > - The displacement is attacker-chosen (via the immediates) up to 0x100ff,
> > so the pivot can clear any guard narrower than that in one step.
> > - ENTER is reachable as a gadget, so a pivot of this size is available
> > without depending on register state at the hijack site.
> > - The pivot happens after the control transfer, so it is not constrained
> > by forward-edge CFI (kCFI / FineIBT).

> Please ignore this line; it is not related since we assume we already
> have a CFH primitive. Sorry for the confusion.

So I am still confused by all this. CFI does remove a ton of CFH
primitives. Until we have Shadow Stacks sorted, ROP will obviously be
the main alternative, but I'm really struggling to justify adding 16
guard pages rather than going after any actual control flow hijacking
primitives.

I mean, if you have a reliable CFH, we should be fixing that. But
somehow I'm thinking that if you do have one, ENTER isn't going to be
the worst of it.

Or am I missing something here?