* [PATCH v2] x86/entry/64: wipe KASAN stack shadow before rewind_stack_do_exit()
@ 2018-08-28 18:40 Jann Horn
2018-08-29 8:33 ` Andrey Ryabinin
2018-08-30 9:41 ` [tip:x86/urgent] x86/entry/64: Wipe " tip-bot for Jann Horn
0 siblings, 2 replies; 3+ messages in thread
From: Jann Horn @ 2018-08-28 18:40 UTC (permalink / raw)
To: Andy Lutomirski, the arch/x86 maintainers, Dmitry Vyukov,
Andrey Ryabinin, jannh
Cc: kernel list, kasan-dev, Alexander Potapenko, Kees Cook
Reset the KASAN shadow state of the task stack before rewinding RSP.
Without this, a kernel oops will leave parts of the stack poisoned, and
code running under do_exit() can trip over such poisoned regions and cause
nonsensical false-positive KASAN reports about stack-out-of-bounds bugs.
This patch does not wipe exception stacks; if you oops on an exception
stack, you might get random KASAN false-positives from other tasks
afterwards. This is probably relatively uninteresting, since if you're
oopsing on an exception stack, you likely have bigger things to worry
about. It'd be more interesting if vmapped stacks and KASAN were
compatible, since then handle_stack_overflow() would oops from exception
stack context.
Fixes: 2deb4be28077 ("x86/dumpstack: When OOPSing, rewind the stack before do_exit()")
Signed-off-by: Jann Horn <jannh@google.com>
---
v2:
- Rewrite, do it in C from oops_end() instead of in assembly
(Andrey Ryabinin)
arch/x86/kernel/dumpstack.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
index 9c8652974f8e..1596e6bfea6f 100644
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -17,6 +17,7 @@
#include <linux/bug.h>
#include <linux/nmi.h>
#include <linux/sysfs.h>
+#include <linux/kasan.h>
#include <asm/cpu_entry_area.h>
#include <asm/stacktrace.h>
@@ -346,7 +347,10 @@ void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
* We're not going to return, but we might be on an IST stack or
* have very little stack space left. Rewind the stack and kill
* the task.
+ * Before we rewind the stack, we have to tell KASAN that we're going to
+ * reuse the task stack and that existing poisons are invalid.
*/
+ kasan_unpoison_task_stack(current);
rewind_stack_do_exit(signr);
}
NOKPROBE_SYMBOL(oops_end);
--
2.19.0.rc0.228.g281dcd1b4d0-goog
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v2] x86/entry/64: wipe KASAN stack shadow before rewind_stack_do_exit()
2018-08-28 18:40 [PATCH v2] x86/entry/64: wipe KASAN stack shadow before rewind_stack_do_exit() Jann Horn
@ 2018-08-29 8:33 ` Andrey Ryabinin
2018-08-30 9:41 ` [tip:x86/urgent] x86/entry/64: Wipe " tip-bot for Jann Horn
1 sibling, 0 replies; 3+ messages in thread
From: Andrey Ryabinin @ 2018-08-29 8:33 UTC (permalink / raw)
To: Jann Horn, Andy Lutomirski, the arch/x86 maintainers, Dmitry Vyukov
Cc: kernel list, kasan-dev, Alexander Potapenko, Kees Cook
On 08/28/2018 09:40 PM, Jann Horn wrote:
> Reset the KASAN shadow state of the task stack before rewinding RSP.
> Without this, a kernel oops will leave parts of the stack poisoned, and
> code running under do_exit() can trip over such poisoned regions and cause
> nonsensical false-positive KASAN reports about stack-out-of-bounds bugs.
>
> This patch does not wipe exception stacks; if you oops on an exception
> stack, you might get random KASAN false-positives from other tasks
> afterwards. This is probably relatively uninteresting, since if you're
> oopsing on an exception stack, you likely have bigger things to worry
> about. It'd be more interesting if vmapped stacks and KASAN were
> compatible, since then handle_stack_overflow() would oops from exception
> stack context.
>
> Fixes: 2deb4be28077 ("x86/dumpstack: When OOPSing, rewind the stack before do_exit()")
> Signed-off-by: Jann Horn <jannh@google.com>
> ---
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* [tip:x86/urgent] x86/entry/64: Wipe KASAN stack shadow before rewind_stack_do_exit()
2018-08-28 18:40 [PATCH v2] x86/entry/64: wipe KASAN stack shadow before rewind_stack_do_exit() Jann Horn
2018-08-29 8:33 ` Andrey Ryabinin
@ 2018-08-30 9:41 ` tip-bot for Jann Horn
1 sibling, 0 replies; 3+ messages in thread
From: tip-bot for Jann Horn @ 2018-08-30 9:41 UTC (permalink / raw)
To: linux-tip-commits
Cc: linux-kernel, mingo, keescook, dvyukov, luto, glider, jannh, hpa,
aryabinin, tglx
Commit-ID: f12d11c5c184626b4befdee3d573ec8237405a33
Gitweb: https://git.kernel.org/tip/f12d11c5c184626b4befdee3d573ec8237405a33
Author: Jann Horn <jannh@google.com>
AuthorDate: Tue, 28 Aug 2018 20:40:33 +0200
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Thu, 30 Aug 2018 11:37:09 +0200
x86/entry/64: Wipe KASAN stack shadow before rewind_stack_do_exit()
Reset the KASAN shadow state of the task stack before rewinding RSP.
Without this, a kernel oops will leave parts of the stack poisoned, and
code running under do_exit() can trip over such poisoned regions and cause
nonsensical false-positive KASAN reports about stack-out-of-bounds bugs.
This does not wipe the exception stacks; if an oops happens on an exception
stack, it might result in random KASAN false-positives from other tasks
afterwards. This is probably relatively uninteresting, since if the kernel
oopses on an exception stack, there are most likely bigger things to worry
about. It'd be more interesting if vmapped stacks and KASAN were
compatible, since then handle_stack_overflow() would oops from exception
stack context.
Fixes: 2deb4be28077 ("x86/dumpstack: When OOPSing, rewind the stack before do_exit()")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: kasan-dev@googlegroups.com
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180828184033.93712-1-jannh@google.com
---
arch/x86/kernel/dumpstack.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
index 9c8652974f8e..1596e6bfea6f 100644
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -17,6 +17,7 @@
#include <linux/bug.h>
#include <linux/nmi.h>
#include <linux/sysfs.h>
+#include <linux/kasan.h>
#include <asm/cpu_entry_area.h>
#include <asm/stacktrace.h>
@@ -346,7 +347,10 @@ void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
* We're not going to return, but we might be on an IST stack or
* have very little stack space left. Rewind the stack and kill
* the task.
+ * Before we rewind the stack, we have to tell KASAN that we're going to
+ * reuse the task stack and that existing poisons are invalid.
*/
+ kasan_unpoison_task_stack(current);
rewind_stack_do_exit(signr);
}
NOKPROBE_SYMBOL(oops_end);
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-08-30 9:41 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-28 18:40 [PATCH v2] x86/entry/64: wipe KASAN stack shadow before rewind_stack_do_exit() Jann Horn
2018-08-29 8:33 ` Andrey Ryabinin
2018-08-30 9:41 ` [tip:x86/urgent] x86/entry/64: Wipe " tip-bot for Jann Horn
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).