Conversation

SafeStack wasn't really meant to be used with Clang CFI. It was meant to be used as part of a broader CPI feature which was never finished or landed. Android started adopting SafeStack including shared object support. It was dropped and it now uses ShadowCallStack instead.
2
1
SafeStack has serious issues with leaks since it uses the main thread stack as the main safe stack, but there are assorted pointers to data that libc places in it. Android uses cross-DSO CFI and ShadowCallStack for both the kernel and userspace. ShadowCallStack is arm64 only though.
2
1
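The two comments above describe SafeStack's layout: address-taken locals (buffers) are moved to a separate unsafe stack, while return addresses and scalars stay on the safe stack, and the safe stack is only protected as long as its location is not leaked. The following toy model, added here as an example and not code from the thread or from LLVM, mimics that split in plain C: a heap-allocated region managed as a downward-growing bump stack stands in for the unsafe stack, and a volatile scalar local stands in for the safe-stack data. The region size, the `SENTINEL` value and the 16-byte frames are all constructed for the demonstration; a real SafeStack unsafe stack is set up by the runtime, not by a `calloc` call.

```c
/* Toy model of the SafeStack split (added example, not LLVM's implementation).
 * Address-taken buffers live on a separate "unsafe" region; scalars and the
 * return address stay on the native (safe) stack. The region, its size and
 * the sentinel value are constructed for this demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UNSAFE_STACK_SIZE 4096
#define SENTINEL 0xA5A5A5A5u   /* stands in for a safe-stack scalar */

static unsigned char *unsafe_base = NULL;
static size_t unsafe_top = UNSAFE_STACK_SIZE;  /* grows downward like a real stack */

/* Lazily allocate the toy unsafe stack as one heap object. */
static int unsafe_stack_init(void) {
    if (unsafe_base) return 1;
    unsafe_base = calloc(1, UNSAFE_STACK_SIZE);
    unsafe_top = UNSAFE_STACK_SIZE;
    return unsafe_base != NULL;
}

/* Bump-allocate n bytes; earlier (caller) frames sit at higher addresses. */
static unsigned char *unsafe_alloc(size_t n) {
    if (!unsafe_stack_init() || n > unsafe_top) return NULL;
    unsafe_top -= n;
    return unsafe_base + unsafe_top;
}

static void unsafe_free(size_t n) { unsafe_top += n; }

typedef struct {
    uint32_t sentinel_after;     /* safe-stack scalar as seen after the copy */
    size_t neighbour_clobbered;  /* bytes of the caller's unsafe frame overwritten */
} copy_result;

/* Copies len bytes into a 16-byte buffer with no bounds check, modelling the
 * kind of bug SafeStack is meant to contain. The overflow runs upward into
 * the caller's unsafe frame but never reaches the safe-stack scalar. The
 * copy is capped at 32 bytes so the toy stays inside its own region. */
static copy_result copy_with_bug(const unsigned char *src, size_t len) {
    copy_result r = {0, 0};
    volatile uint32_t sentinel = SENTINEL;          /* lives on the safe stack */
    unsigned char *caller_buf = unsafe_alloc(16);   /* allocated first: higher address */
    unsigned char *buf = unsafe_alloc(16);          /* callee buffer, directly below */
    if (!caller_buf || !buf) return r;

    memset(caller_buf, 0xEE, 16);
    if (len > 32) len = 32;
    memcpy(buf, src, len);   /* the bug: no check against sizeof(buf) */

    for (size_t i = 0; i < 16; i++)
        if (caller_buf[i] != 0xEE) r.neighbour_clobbered++;
    r.sentinel_after = sentinel;

    unsafe_free(32);
    return r;
}

/* Drive the model with a constructed input of len bytes of 'A'. */
static copy_result run_toy(size_t len) {
    unsigned char src[64];
    memset(src, 'A', sizeof src);
    if (len > sizeof src) len = sizeof src;
    return copy_with_bug(src, len);
}

int main(void) {
    size_t lens[] = {8, 24, 40};
    for (size_t i = 0; i < 3; i++) {
        copy_result r = run_toy(lens[i]);
        printf("len=%2zu  caller frame bytes clobbered=%2zu  sentinel intact=%s\n",
               lens[i], r.neighbour_clobbered,
               r.sentinel_after == SENTINEL ? "yes" : "no");
    }
    return 0;
}
```

The point the model makes is the one the comments above make: the overflow still corrupts data, just data on the unsafe stack (here the caller's buffer), which is why the scheme only protects control flow while the safe stack's address stays secret. Anything that stores `&sentinel` somewhere readable, as the libc pointers mentioned above do, undoes that property.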
It didn't work as intended on x86 since it has stack-based return addresses, and they were still returning that way, so there was a race. They didn't want to do something more invasive, and it wasn't specifically for the kernel, where they could make stacks inaccessible to other threads.
1
1
arm64 is all that really matters to Android for the foreseeable future. There will be CET on x86 providing hardware shadow stack support and arm64 will be able to use ARMv8.5 / ARMv9 MTE (memory tagging) to make ShadowCallStack more secure if they decide to figure that out.
2
1
Android 12 has support for memory tagging, BTI and PAC. Nearly all available hardware is still ARMv8.2 so it was developed and tested primarily with QEMU. I don't know what you mean about good luck finding stuff. I'm not aware of any product that has shipped with MTE support yet.
1
On a related tangent: I wish there was actual, tangible cost-effective (yet performant) ARM64 development hardware out there. I would love to just go to a Microcenter and buy ARM64 desktop parts just like I can with AMD64. Even better if it was ARMv8.5 and above.
2
There will probably be devices launching with them late this year. I think they won't get enabled for managed app processes until API 33 (Android 13) since MTE will be disruptive by uncovering latent memory corruption bugs and apparently some apps have broken PAC code included.
1