Date: Thu, 30 Aug 2018 02:41:21 -0700
From: tip-bot for Jann Horn
To: linux-tip-commits@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, mingo@kernel.org, keescook@chromium.org, dvyukov@google.com, luto@kernel.org, glider@google.com, jannh@google.com, hpa@zytor.com, aryabinin@virtuozzo.com, tglx@linutronix.de
In-Reply-To: <20180828184033.93712-1-jannh@google.com>
Subject: [tip:x86/urgent] x86/entry/64: Wipe KASAN stack shadow before rewind_stack_do_exit()
Git-Commit-ID: f12d11c5c184626b4befdee3d573ec8237405a33

Commit-ID:  f12d11c5c184626b4befdee3d573ec8237405a33
Gitweb:     https://git.kernel.org/tip/f12d11c5c184626b4befdee3d573ec8237405a33
Author:     Jann Horn
AuthorDate: Tue, 28 Aug 2018 20:40:33 +0200
Committer:  Thomas Gleixner
CommitDate: Thu, 30 Aug 2018 11:37:09 +0200

x86/entry/64: Wipe KASAN stack shadow before rewind_stack_do_exit()

Reset the KASAN shadow state of the task stack before rewinding RSP.
Without this, a kernel oops will leave parts of the stack poisoned, and
code running under do_exit() can trip over such poisoned regions and
cause nonsensical false-positive KASAN reports about stack-out-of-bounds
bugs.
This does not wipe the exception stacks; if an oops happens on an
exception stack, it might result in random KASAN false-positives from
other tasks afterwards. This is probably relatively uninteresting, since
if the kernel oopses on an exception stack, there are most likely bigger
things to worry about.

It'd be more interesting if vmapped stacks and KASAN were compatible,
since then handle_stack_overflow() would oops from exception stack
context.

Fixes: 2deb4be28077 ("x86/dumpstack: When OOPSing, rewind the stack before do_exit()")
Signed-off-by: Jann Horn
Signed-off-by: Thomas Gleixner
Acked-by: Andrey Ryabinin
Cc: Andy Lutomirski
Cc: Dmitry Vyukov
Cc: Alexander Potapenko
Cc: Kees Cook
Cc: kasan-dev@googlegroups.com
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180828184033.93712-1-jannh@google.com
---
 arch/x86/kernel/dumpstack.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c index 9c8652974f8e..1596e6bfea6f 100644 --- a/arch/x86/kernel/dumpstack.c +++ b/arch/x86/kernel/dumpstack.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -346,7 +347,10 @@ void oops_end(unsigned long flags, struct pt_regs *regs, int signr) * We're not going to return, but we might be on an IST stack or * have very little stack space left. Rewind the stack and kill * the task. + * Before we rewind the stack, we have to tell KASAN that we're going to + * reuse the task stack and that existing poisons are invalid. */ + kasan_unpoison_task_stack(current); rewind_stack_do_exit(signr); } NOKPROBE_SYMBOL(oops_end);
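Review bot: the `+#include` line in the first hunk has lost its header name in this rendering (the angle-bracketed names of the neighbouring `#include` lines are missing too), so the hunk as shown does not record which header was added; it needs to be the header that declares kasan_unpoison_task_stack(), which the second hunk calls, and the patch at the Gitweb link above should be checked for the exact name before this is merged.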
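Review bot: the new comment above `kasan_unpoison_task_stack(current);` in the second hunk should state the limitation the commit message gives, namely that only the task stack is unpoisoned and an oops taken on an exception stack leaves that stack's shadow poisoned; the surrounding comment already says "we might be on an IST stack", so a reader of oops_end() would otherwise assume the wipe covers that case. A line such as ` * This only covers the task stack; an IST stack we may be on keeps its poison.` after the two added comment lines would close that gap.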
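The failure the commit message describes, as an added user-space model in C (not kernel code and not part of the patch): a KASAN-style shadow where instrumented prologues poison their redzones and epilogues clear them, an oops that skips every epilogue, a rewind to the stack top, and do_exit() frames that then land on the stale redzones. The stack and frame sizes and the names reports_after_oops(), frame_enter() and access_poisoned() are constructed for this illustration.

```c
/* Added user-space model (not kernel code) of a KASAN stack shadow: one byte per
 * 8-byte granule, 0 = addressable, nonzero = redzone. Instrumented prologues
 * poison only their redzones and epilogues clear them; an oops skips every
 * epilogue. Stack size, frame sizes and function names here are constructed. */
#include <stdbool.h>
#include <string.h>

#define STACK_SIZE 512
#define GRANULE    8
#define REDZONE    0xF1   /* KASAN marks stack redzones with 0xF1..0xF3 */
static unsigned char shadow[STACK_SIZE / GRANULE];

/* Instrumented prologue: a frame of 'locals' bytes between two redzones. */
static unsigned frame_enter(unsigned sp, unsigned locals)
{
	sp -= locals + 2 * GRANULE;
	shadow[sp / GRANULE] = REDZONE;                      /* left redzone */
	shadow[(sp + GRANULE + locals) / GRANULE] = REDZONE; /* right redzone */
	return sp;
}

/* Instrumented access check: true where KASAN would report the range. */
static bool access_poisoned(unsigned off, unsigned len)
{
	for (unsigned i = off / GRANULE; i < (off + len + GRANULE - 1) / GRANULE; i++)
		if (shadow[i])
			return true;
	return false;
}

/* Oops deep in a call chain, rewind RSP to the stack top, run do_exit()'s frames
 * there; returns how many bogus stack-out-of-bounds reports would fire. */
static int reports_after_oops(bool wipe_shadow_before_rewind)
{
	unsigned sp = STACK_SIZE;
	int reports = 0;

	memset(shadow, 0, sizeof(shadow));
	for (int depth = 0; depth < 6; depth++)
		sp = frame_enter(sp, 32);            /* oops happens here: no epilogues run */
	if (wipe_shadow_before_rewind)
		memset(shadow, 0, sizeof(shadow));   /* kasan_unpoison_task_stack(current) */
	sp = STACK_SIZE;                             /* rewind_stack_do_exit(): RSP = top */
	for (int depth = 0; depth < 6; depth++) {    /* do_exit() frames, different layout */
		sp = frame_enter(sp, 48);
		if (access_poisoned(sp + GRANULE, 48)) /* this frame's own locals */
			reports++;
	}
	return reports;
}
```

Without the wipe the do_exit() frames' locals overlap redzones left by the frames the oops abandoned, which is exactly the false positive the patch removes.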