Re: [PATCH v2] mm/vmalloc: widen guard region to defeat ENTER-based stack pivot

From: Xiang Mei

Date: Tue Jun 30 2026 - 19:48:48 EST


On Tue, Jun 30, 2026 at 4:40 PM Dave Hansen <dave.hansen@xxxxxxxxx> wrote:
>
> On 6/30/26 15:47, Xiang Mei wrote:
> > On Tue, Jun 30, 2026 at 3:14 PM H. Peter Anvin <hpa@xxxxxxxxx> wrote:
> >> On 2026-06-30 15:05, Dave Hansen wrote:
> >>> On 6/30/26 15:02, Xiang Mei wrote:
> >>>> Please feel free to ask any questions; I am glad to help.
> >>> How do the CET features: kernel IBT and the (theoretical for Linux)
> >>> kernel shadow stacks impact the situation?
> >> CET should prevent this from being the target of a JOP attack.
> >>
> > You are right; CET breaks the assumption that this technique needs a
> > CFH primitive.
>
> I'm not sure what you're saying.
>
> Are you saying that this ENTER-based technique is worthless if IBT is in
> play, so the new stack gap is a worthless mitigation too?

IBT makes it hard to use a CFH primitive(including ENTER gadgets,
which are a subset of CFH gadgets).
Currently, it's worthless to enlarge the guard area for Fine-IBT/kCFI
protected targets.

Xiang