GrapheneOS / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.freenode.net ##linux-hardened. Currently maintained at https://github.com/anthraxx/linux-hardened.
https://grapheneos.org/

probabilistic return address protection for Clang #58

Closed thestinger closed 2 years ago

thestinger commented 6 years ago

Could be done by moving the SSP guard value to a reserved register to make it faster and teaching the compiler to XOR the return address into the canary like https://gist.github.com/thestinger/b8502a881d871fbc75d91bc00576157b (which is only complete for x86_64 as we don't want frame pointers enabled but it currently depends on them for arm64).
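An added illustration of why XORing the return address into the canary adds protection, written as a plain C model of the frame rather than compiler instrumentation (this is not code from the linked gist or from linux-hardened; the frame layout, the guard constant and the addresses are constructed):

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of a stack-protected frame: the canary slot sits
 * between the locals and the saved return address. */
struct frame {
    char      buf[16];    /* local buffer, the overflow source in the model */
    uintptr_t canary;     /* stack protector slot */
    uintptr_t ret_addr;   /* saved return address */
};

/* Constructed guard value; in the proposal it lives in a reserved register
 * and would be random per task. */
static const uintptr_t guard = (uintptr_t)0x5a3c9f1e;

typedef uintptr_t (*canary_fn)(const struct frame *);

/* Plain SSP: the canary is just the guard, independent of the frame. */
static uintptr_t plain_canary(const struct frame *f) { (void)f; return guard; }

/* Proposal: bind the canary to the return address it protects. */
static uintptr_t xor_canary(const struct frame *f) { return guard ^ f->ret_addr; }

/* Prologue: record the return address and store the canary for this frame. */
static void prologue(struct frame *f, uintptr_t ret, canary_fn mk) {
    memset(f, 0, sizeof *f);
    f->ret_addr = ret;
    f->canary = mk(f);
}

/* Epilogue: recompute and compare; true means corruption was detected. */
static bool epilogue_detects(const struct frame *f, canary_fn mk) {
    return f->canary != mk(f);
}

/* Scenario 1: a contiguous overflow clobbers the whole frame, canary included.
 * Both schemes detect this. */
static bool detects_linear_overflow(canary_fn mk) {
    struct frame f;
    prologue(&f, (uintptr_t)0x401000, mk);
    memset(&f, 'A', sizeof f);
    return epilogue_detects(&f, mk);
}

/* Scenario 2: only the saved return address changes, the canary slot is intact.
 * Plain SSP cannot see this; the XOR scheme does because the recomputed
 * canary no longer matches the stored one. */
static bool detects_ret_only_write(canary_fn mk) {
    struct frame f;
    prologue(&f, (uintptr_t)0x401000, mk);
    f.ret_addr = (uintptr_t)0x402000;
    return epilogue_detects(&f, mk);
}
```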

Lelmister101 commented 2 years ago

I guess this can be closed? (referring to https://app.element.io/#/room/#offtopic:grapheneos.org/$43Qqo7iluFVIEuRVVW8UbEXnvkw2zAh-olrJPENe0L8). As mentioned there, stack tagging and/or pointer authentication can fix this issue. ShadowCallStack can also likely be extended to fix this (XOR and store instead of just storing the stack), but it seems to be unnecessary.