On Tue, Jun 30, 2026 at 3:14 PM H. Peter Anvin <[email protected]> wrote:
>
> On 2026-06-30 15:05, Dave Hansen wrote:
> > On 6/30/26 15:02, Xiang Mei wrote:
> >> Please feel free to ask any questions; I am glad to help.
> >
> > How do the CET features: kernel IBT and the (theoretical for Linux)
> > kernel shadow stacks impact the situation?
>
> CET should prevent this from being the target of a JOP attack.
>

You are right; CET breaks the assumption that this technique needs a CFH primitive.

> Kernel shadow stacks should prevent most stack-pivot attacks in general.

For the shadow stack, I didn't examine the implementation to check if the working stack can be surrounded by attackers' payload (vmalloc pages). If yes, the shadow stack can't stop this technique, assuming we got a CFH from a function pointer in a heap object.

>
> -hpa
>
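The reply above turns on which CET pieces are actually present: IBT and user shadow stacks exist on current hardware and kernels, while kernel-mode shadow stacks do not. The probe below is an added example, not code from the thread or from any of its participants, and it checks only the two things that can be checked today: what the CPU advertises in /proc/cpuinfo (the "ibt" and "user_shstk" flags) and whether the running kernel has a user shadow stack enabled for this process via arch_prctl(ARCH_SHSTK_STATUS). The ARCH_SHSTK_* values are taken from arch/x86/include/uapi/asm/prctl.h (Linux 6.6 and later) and are defined locally so the file builds against older headers; the flags line in main() is a constructed sample, and the kernel-mode shadow stack the thread discusses has no probe here because Linux does not implement it.

```c
/* cet_probe.c: report the CET features the CPU advertises and whether the
 * kernel runs this process with a user shadow stack.
 * Build: cc -O2 -o cet_probe cet_probe.c   (Linux x86-64)
 * Added example for this thread; the ARCH_SHSTK_* constants mirror
 * arch/x86/include/uapi/asm/prctl.h (Linux 6.6+). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#if defined(__linux__) && defined(__x86_64__)
#include <sys/syscall.h>
#endif

#ifndef ARCH_SHSTK_STATUS
#define ARCH_SHSTK_STATUS 0x5005        /* write current features to *arg2 */
#endif
#ifndef ARCH_SHSTK_SHSTK
#define ARCH_SHSTK_SHSTK  (1UL << 0)    /* shadow stack enabled */
#endif
#ifndef ARCH_SHSTK_WRSS
#define ARCH_SHSTK_WRSS   (1UL << 1)    /* WRSS instruction enabled */
#endif

/* Return 1 if the space-separated /proc/cpuinfo flags line contains the
 * exact token `flag`; "shstk" must not match inside "user_shstk". */
int flags_line_has(const char *line, const char *flag)
{
    size_t n = strlen(flag);
    const char *p = line;
    while ((p = strstr(p, flag)) != NULL) {
        int start_ok = (p == line) || p[-1] == ' ' || p[-1] == '\t' || p[-1] == ':';
        int end_ok = p[n] == '\0' || p[n] == ' ' || p[n] == '\t' || p[n] == '\n';
        if (start_ok && end_ok)
            return 1;
        p += n;
    }
    return 0;
}

/* Read /proc/cpuinfo and report the CPU-advertised CET features.
 * Returns 1 on success, 0 if the file could not be read. */
int cpu_cet_features(int *ibt, int *user_shstk)
{
    char line[4096];
    FILE *f = fopen("/proc/cpuinfo", "r");
    *ibt = *user_shstk = 0;
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "flags", 5) != 0)
            continue;               /* only the first CPU's flags line */
        *ibt = flags_line_has(line, "ibt");
        *user_shstk = flags_line_has(line, "user_shstk");
        break;
    }
    fclose(f);
    return 1;
}

/* Ask the kernel whether this process has a user shadow stack enabled.
 * Returns 1 if enabled, 0 if not, -1 if the request is unknown (kernel
 * before 6.6, CONFIG_X86_USER_SHADOW_STACK=n, or not x86-64). */
int process_shstk_enabled(void)
{
#if defined(__linux__) && defined(__x86_64__)
    unsigned long features = 0;
    if (syscall(SYS_arch_prctl, ARCH_SHSTK_STATUS, &features) != 0)
        return -1;
    return (features & ARCH_SHSTK_SHSTK) ? 1 : 0;
#else
    return -1;
#endif
}

int main(void)
{
    /* Constructed sample line in /proc/cpuinfo format, to show exact-token matching. */
    const char *sample = "flags\t\t: fpu vme sse2 user_shstk ibt\n";
    int ibt, shstk;

    printf("sample: ibt=%d user_shstk=%d shstk=%d\n",
           flags_line_has(sample, "ibt"), flags_line_has(sample, "user_shstk"),
           flags_line_has(sample, "shstk"));

    if (cpu_cet_features(&ibt, &shstk))
        printf("this CPU: ibt=%d user_shstk=%d\n", ibt, shstk);
    else
        printf("/proc/cpuinfo unreadable: %s\n", strerror(errno));

    printf("user shadow stack for this process: %d (1=on, 0=off, -1=unknown)\n",
           process_shstk_enabled());
    return 0;
}
```

A result of -1 from the arch_prctl probe distinguishes "the kernel does not know about shadow stacks at all" from "known but off", which is the first thing to settle before reasoning about what a shadow stack would or would not stop; note that a process only reports 1 when its binary was marked shadow-stack compatible and glibc enabled it at startup.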

