On Tue, Jun 30, 2026 at 3:14 PM H. Peter Anvin <[email protected]> wrote:
>
> On 2026-06-30 15:05, Dave Hansen wrote:
> > On 6/30/26 15:02, Xiang Mei wrote:
> >> Please feel free to ask any questions; I am glad to help.
> >
> > How do the CET features: kernel IBT and the (theoretical for Linux)
> > kernel shadow stacks impact the situation?
>
> CET should prevent this from being the target of a JOP attack.
>
You are right; CET breaks the assumption that this technique needs a
CFH primitive.

> Kernel shadow stacks should prevent most stack-pivot attacks in general.

For the shadow stack, I didn't examine the implementation to check if
the working stack can be surrounded by attackers' payload (vmalloc
pages). If yes, the shadow stack can't stop this technique, assuming
we got a CFH from a function pointer in a heap object.

>
>         -hpa
>
