diff for duplicates of <1535662366.28781.6.camel@intel.com> diff --git a/a/content_digest b/N1/content_digest index 2119cc7..7f7c30b 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -35,7 +35,10 @@ Mike Kravetz <mike.kravetz@oracle.com> Nadav Amit <nadav.amit@gmail.com> Oleg Nesterov <oleg@redhat.com> - " Pavel Machek <pave>\0" + Pavel Machek <pavel@ucw.cz> + Peter Zijlstra <peterz@infradead.org> + ravi.v.shankar@intel.com + " vedvyas.shanbhogue@intel.com\0" "\00:1\0" "b\0" "On Thu, 2018-08-30 at 22:44 +0200, Jann Horn wrote:\n" @@ -72,4 +75,4 @@ "\n" Yu-cheng -713a3198875738b98930b97cd42d9765a77da7de37bb446127dd74512b146ad6 +7f9b6bb85281edd9c85f72ed35cee40868bab896a43e25bdebd42659c6dd6f6d
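Review bot: In the `@@ -35,7 +35,10 @@` hunk of content_digest, the a/ copy's recipient list stops mid-address at `Pavel Machek <pave>`, while the N1 copy has the full `pavel@ucw.cz` address and three further recipients after it. No 1.txt diff is shown for N1, so this pair differs in the header list and the final hash line, not in the body; use the N1 copy when the complete recipient list matters.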
diff --git a/a/1.txt b/N2/1.txt index 39871d6..bd68d9b 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -5,14 +5,14 @@ On Thu, 2018-08-30 at 22:44 +0200, Jann Horn wrote: > > In the flow you described, if C writes to the overflow page before > > B > > gets in with a 'call', the return address is still correct for -> > B. To -> > make an attack, C needs to write again before the TLB flush. I +> > B.A A To +> > make an attack, C needs to write again before the TLB flush.A A I > > agree > > that is possible. > > > > Assume we have a guard page, can someone in the short window do > > recursive calls in B, move ssp to the end of the guard page, and -> > trigger the same again? He can simply take the incssp route. +> > trigger the same again?A A He can simply take the incssp route. > I don't understand what you're saying. If the shadow stack is > between > guard pages, you should never be able to move SSP past that area's diff --git a/a/content_digest b/N2/content_digest index 2119cc7..bac8ec1 100644 --- a/a/content_digest +++ b/N2/content_digest @@ -35,7 +35,10 @@ Mike Kravetz <mike.kravetz@oracle.com> Nadav Amit <nadav.amit@gmail.com> Oleg Nesterov <oleg@redhat.com> - " Pavel Machek <pave>\0" + Pavel Machek <pavel@ucw.cz> + Peter Zijlstra <peterz@infradead.org> + ravi.v.shankar@intel.com + " vedvyas.shanbhogue@intel.com\0" "\00:1\0" "b\0" "On Thu, 2018-08-30 at 22:44 +0200, Jann Horn wrote:\n" 
@@ -45,14 +48,14 @@ "> > In the flow you described, if C writes to the overflow page before\n" "> > B\n" "> > gets in with a 'call', the return address is still correct for\n" - "> > B.\302\240\302\240To\n" - "> > make an attack, C needs to write again before the TLB flush.\302\240\302\240I\n" + "> > B.A A To\n" + "> > make an attack, C needs to write again before the TLB flush.A A I\n" "> > agree\n" "> > that is possible.\n" "> > \n" "> > Assume we have a guard page, can someone in the short window do\n" "> > recursive calls in B, move ssp to the end of the guard page, and\n" - "> > trigger the same again?\302\240\302\240He can simply take the incssp route.\n" + "> > trigger the same again?A A He can simply take the incssp route.\n" "> I don't understand what you're saying. If the shadow stack is\n" "> between\n" "> guard pages, you should never be able to move SSP past that area's\n" @@ -72,4 +75,4 @@ "\n" Yu-cheng -713a3198875738b98930b97cd42d9765a77da7de37bb446127dd74512b146ad6 +5ce0c9f929d8cb5410610800a4c622686bb8997876e6009b89fbb0dde2abaa89
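Review bot: In the 1.txt hunk `@@ -5,14 +5,14 @@`, the `+` side puts a literal `A A ` after three sentence ends (`B.A A To`, `flush.A A I`, `again?A A He`) where the content_digest hunk shows the a/ copy holding `\302\240\302\240`, so the N2 body looks like a copy whose non-breaking spaces were mangled in transit. The quoted wording is otherwise unchanged; read or quote the a/ body, and keep N2 only for its fuller recipient list.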