| From f12d11c5c184626b4befdee3d573ec8237405a33 Mon Sep 17 00:00:00 2001 |
| From: Jann Horn <jannh@google.com> |
| Date: Tue, 28 Aug 2018 20:40:33 +0200 |
| Subject: x86/entry/64: Wipe KASAN stack shadow before rewind_stack_do_exit() |
| |
| From: Jann Horn <jannh@google.com> |
| |
| commit f12d11c5c184626b4befdee3d573ec8237405a33 upstream. |
| |
| Reset the KASAN shadow state of the task stack before rewinding RSP. |
| Without this, a kernel oops will leave parts of the stack poisoned, and |
| code running under do_exit() can trip over such poisoned regions and cause |
| nonsensical false-positive KASAN reports about stack-out-of-bounds bugs. |
| |
| This does not wipe the exception stacks; if an oops happens on an exception |
| stack, it might result in random KASAN false-positives from other tasks |
| afterwards. This is probably relatively uninteresting, since if the kernel |
| oopses on an exception stack, there are most likely bigger things to worry |
| about. It'd be more interesting if vmapped stacks and KASAN were |
| compatible, since then handle_stack_overflow() would oops from exception |
| stack context. |
| |
| Fixes: 2deb4be28077 ("x86/dumpstack: When OOPSing, rewind the stack before do_exit()") |
| Signed-off-by: Jann Horn <jannh@google.com> |
| Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
| Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com> |
| Cc: Andy Lutomirski <luto@kernel.org> |
| Cc: Dmitry Vyukov <dvyukov@google.com> |
| Cc: Alexander Potapenko <glider@google.com> |
| Cc: Kees Cook <keescook@chromium.org> |
| Cc: kasan-dev@googlegroups.com |
| Cc: stable@vger.kernel.org |
| Link: https://lkml.kernel.org/r/20180828184033.93712-1-jannh@google.com |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/x86/kernel/dumpstack.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| --- a/arch/x86/kernel/dumpstack.c |
| +++ b/arch/x86/kernel/dumpstack.c |
| @@ -17,6 +17,7 @@ |
| #include <linux/bug.h> |
| #include <linux/nmi.h> |
| #include <linux/sysfs.h> |
| +#include <linux/kasan.h> |
| |
| #include <asm/cpu_entry_area.h> |
| #include <asm/stacktrace.h> |
| @@ -298,7 +299,10 @@ void oops_end(unsigned long flags, struc |
| * We're not going to return, but we might be on an IST stack or |
| * have very little stack space left. Rewind the stack and kill |
| * the task. |
| + * Before we rewind the stack, we have to tell KASAN that we're going to |
| + * reuse the task stack and that existing poisons are invalid. |
| */ |
| + kasan_unpoison_task_stack(current); |
| rewind_stack_do_exit(signr); |
| } |
| NOKPROBE_SYMBOL(oops_end); |