
ShadowStack #223

Draft
zoogies wants to merge 14 commits into main from dev/libresolve-stack

Conversation


@zoogies zoogies commented Jun 11, 2026

Collaborator

This (WIP) PR implements a special path for stack objects, keeping them in a ShadowStack with various references that make it easy for us to search for and validate ShadowObjects, including invalidating and re-using slots for stack re-use.

Currently, it is untested, and needs CVEAssert to call __resolve_push_frame on every frame entry (except that of the first frame, unless we adjust the constructor to defer that).

@zoogies zoogies self-assigned this Jun 11, 2026
@zoogies zoogies added the "enhancement" (New feature or request) and "libresolve" (Related to libresolve component) labels Jun 11, 2026
@zoogies zoogies requested a review from rjsmith1999 June 12, 2026 12:36

@elazaro-riverside elazaro-riverside left a comment

Collaborator


I like these changes. As an aside, I think it's cool in Rust how you can implement the From trait and get Into as a by-product. I think Jackson will have the final decision but these changes look good to me.


zoogies commented Jun 12, 2026

Collaborator Author

> I like these changes. As an aside, I think it's cool in Rust how you can implement the From trait and get Into as a by-product. I think Jackson will have the final decision but these changes look good to me.

Thanks for the feedback. I just learned about the From trait, and I think it's super neat as well.


zoogies commented Jun 15, 2026

Collaborator Author

I haven't tackled the CVEAssert wiring or any testing yet, but here is the new shape per our discussions. add_shadow_object will presume that adding an object in the middle of the shadow stack means the program has since dropped all objects and frames from that base address to the end. This means we get frame-dropping "for free" without instrumenting function entries/exits.

In stack object lookups there are three paths:

  • match the top object on the shadow stack (hot)
  • check if the object is out of bounds (easy out)
  • binary search the shadow stack for the object

I got rid of galloping when I was rewriting to make the stack grow downwards like it does on x86, partially also because the implementation using binary search is much simpler.
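A toy model of the lookup paths and the frame-dropping rule described in this comment, added here as illustration (hypothetical code, not libresolve's own; the `Vaddr` alias, the `ShadowObject` fields and the method names are assumptions, and the stack is modelled as growing downward as on x86):

```rust
// Hypothetical model of the PR's shadow-stack lookup; not libresolve's own code.
pub type Vaddr = u64;

/// One stack object: `base` is its lowest address, `limit` its highest (inclusive).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct ShadowObject { pub base: Vaddr, pub limit: Vaddr }

impl ShadowObject {
    /// Sentinel one past the object; saturating so limit == Vaddr::MAX cannot wrap to 0.
    pub fn past_limit(&self) -> Vaddr { self.limit.saturating_add(1) }
}

/// Objects in push order. The machine stack grows downward, so every newer
/// entry has a strictly lower base than the entry before it.
#[derive(Default)]
pub struct ShadowStack { objs: Vec<ShadowObject> }

impl ShadowStack {
    /// Record a new stack object. Any entry whose base is at or below the new
    /// base belongs to a frame that must already have been popped, so those
    /// entries are discarded first: frame dropping without entry/exit hooks.
    pub fn add_shadow_object(&mut self, obj: ShadowObject) {
        while self.objs.last().map_or(false, |top| top.base <= obj.base) {
            self.objs.pop();
        }
        self.objs.push(obj);
    }

    pub fn len(&self) -> usize { self.objs.len() }

    /// Resolve `addr` to the live object containing it via the three paths:
    /// hot check on the top entry, bounds "easy out", then binary search.
    pub fn lookup(&self, addr: Vaddr) -> Option<ShadowObject> {
        let top = *self.objs.last()?;
        if (top.base..=top.limit).contains(&addr) {
            return Some(top); // hot: most accesses hit the newest object
        }
        let bottom = self.objs[0];
        if addr < top.base || addr > bottom.limit {
            return None; // easy out: outside everything the shadow stack covers
        }
        // Bases decrease with index, so this is the first entry with base <= addr:
        // the only candidate whose range could contain addr.
        let i = self.objs.partition_point(|o| o.base > addr);
        let cand = self.objs[i];
        (addr <= cand.limit).then_some(cand)
    }
}
```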

Comment thread resolve-cveassert/libresolve/src/shadowobjs.rs
/// Compute the sentinel pointer value for this object, 1 past its limit
pub fn past_limit(&self) -> Vaddr {
self.limit + 1
self.limit.saturating_add(1)
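Review bot: with `saturating_add`, `past_limit` returns `Vaddr::MAX` when `self.limit == Vaddr::MAX`, which is the object's own last address rather than "1 past its limit" as the doc comment promises, so the sentinel silently collapses onto the object at the boundary. Either state in the doc comment that a limit of `Vaddr::MAX` is impossible by construction, or use `checked_add` (or a `debug_assert!`) so an overflow is observable instead of clamped.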

Collaborator


Clearly the existing behavior was not the right one, but what is the argument for saturating add? Can we record it in a comment?

Collaborator Author


It was mostly just to be consistent with the other places I used saturating add for Vaddr offset computation. Happy to add a comment to each instance if you have a suggestion for what to say. Maybe "avoid overflow". Realistically though, this should never actually saturate.

Collaborator


Could we just panic on overflow? We should probably revisit the overflow behavior everywhere...

Collaborator Author


We could remove the saturating calls and just force it to panic with overflow-checks = true in Cargo.toml? Unsure what the correct behavior is here that doesn't cost performance.

@zoogies zoogies requested a review from rjsmith1999 June 16, 2026 14:37

zoogies commented Jun 16, 2026

Collaborator Author

Addressed everything except the two comments I left open.
