Re: [PATCH RFC v9 4/7] x86/entry: Erase kernel stack in syscall_trace_enter()

From: Kees Cook
Date: Mon Mar 05 2018 - 15:06:25 EST


On Mon, Mar 5, 2018 at 11:40 AM, Dave Hansen
<dave.hansen@xxxxxxxxxxxxxxx> wrote:
> On 03/03/2018 12:00 PM, Alexander Popov wrote:
>> @@ -128,6 +134,7 @@ static long syscall_trace_enter(struct pt_regs *regs)
>>
>> do_audit_syscall_entry(regs, arch);
>>
>> + erase_kstack();
>> return ret ?: regs->orig_ax;
>> }
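Review bot: the call site gives no hint why the erase sits here rather than only on the exit path. A one-line comment above `erase_kstack();` (and a sentence in the commit log) should say that do_audit_syscall_entry() and the ptrace/seccomp work before it have already written to the stack since the previous exit-time erase, so the erase has to follow them and precede the syscall proper. It is also worth stating that the erase runs on the `ret != 0` path as well, where `return ret ?: regs->orig_ax;` does not hand back the syscall number, so a reader knows that is intended rather than an oversight.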
>
> This seems like an odd place to be clearing the stack. Why was it done here?

Perhaps the commit log could be improved, but the idea is that the
audit work (ptrace, seccomp, etc.) is happening before the syscall
code starts running, and it has therefore written to the stack (that
used to be cleared on last exit). This retains the clear stack state
even in the face of ptrace-ish work happening before the syscall
proper starts.

-Kees

--
Kees Cook
Pixel Security
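The following is an added illustration of the placement question above; it is not code from the patch series or from the kernel. It is a user-space C model of poison-and-erase stack clearing: a simulated per-task stack, a low-water mark recorded on every frame entry, and an erase routine that poisons everything between that mark and the current stack pointer. The poison value, the frame sizes, the names (model_task, frame_enter, leftover_words, and so on) and the simplified erase rule are all assumptions of the model. It replays the sequence Kees describes, a previous syscall leaving data behind, an exit-path erase, then the audit/ptrace/seccomp work running in syscall_trace_enter() before the syscall proper, and counts how many words of each kind the syscall body could still read below sp. The model also makes one caveat visible: a frame cannot erase itself, so whatever the frame that calls erase_kstack() holds stays until the next erase.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model of poison-and-erase stack clearing, not kernel
 * code: the poison value, frame sizes, names and the erase rule (poison from
 * the tracked low-water mark up to the current sp) are assumptions. */

#define KSTACK_WORDS      256
#define POISON            0xFFFFFFFFFFFF4111ULL  /* assumed poison pattern */
#define PREV_SYSCALL_DATA 0x1111111111111111ULL  /* left by the previous syscall */
#define TRACE_ENTER_DATA  0x2222222222222222ULL  /* syscall_trace_enter()'s own frame */
#define AUDIT_DATA        0x3333333333333333ULL  /* written by audit/ptrace/seccomp work */

enum erase_mode { ERASE_NONE, ERASE_ON_EXIT, ERASE_ON_EXIT_AND_AFTER_AUDIT };

/* Simulated per-task stack: index KSTACK_WORDS is the top, it grows toward 0.
 * [sp, KSTACK_WORDS) is live; words below sp hold what earlier frames left. */
struct model_task {
    uint64_t stack[KSTACK_WORDS];
    size_t sp;      /* index of the first live word */
    size_t lowest;  /* deepest sp seen since the last erase (low-water mark) */
};

static void task_init(struct model_task *t)
{
    for (size_t i = 0; i < KSTACK_WORDS; i++)
        t->stack[i] = POISON;
    t->sp = t->lowest = KSTACK_WORDS;
}

/* Push a frame of 'words' words filled with 'data'; track the low-water mark. */
static void frame_enter(struct model_task *t, size_t words, uint64_t data)
{
    if (words > t->sp)
        words = t->sp;  /* model guard: never underflow the array */
    t->sp -= words;
    for (size_t i = 0; i < words; i++)
        t->stack[t->sp + i] = data;
    if (t->sp < t->lowest)
        t->lowest = t->sp;
}

/* Pop a frame; its contents stay in memory, as on a real stack. */
static void frame_leave(struct model_task *t, size_t words)
{
    t->sp += words;
}

/* Poison [lowest, sp) and reset the mark. The caller's own live frame is not
 * touched. Returns how many words actually needed erasing. */
static size_t erase_kstack(struct model_task *t)
{
    size_t erased = 0;
    for (size_t i = t->lowest; i < t->sp; i++)
        if (t->stack[i] != POISON) {
            t->stack[i] = POISON;
            erased++;
        }
    t->lowest = t->sp;
    return erased;
}

/* Count words below sp that still hold 'pattern'. */
static size_t count_below_sp(const struct model_task *t, uint64_t pattern)
{
    size_t n = 0;
    for (size_t i = 0; i < t->sp; i++)
        n += (t->stack[i] == pattern);
    return n;
}

/* Replay the sequence from the thread and return how many words holding
 * 'pattern' the syscall body could still read below sp when it starts. */
static size_t leftover_words(enum erase_mode mode, uint64_t pattern)
{
    struct model_task t;
    task_init(&t);

    frame_enter(&t, 8, PREV_SYSCALL_DATA);   /* previous syscall, two-level call path */
    frame_enter(&t, 16, PREV_SYSCALL_DATA);
    frame_leave(&t, 16);
    frame_leave(&t, 8);
    if (mode != ERASE_NONE)
        erase_kstack(&t);                    /* exit-path erase */

    frame_enter(&t, 4, TRACE_ENTER_DATA);    /* syscall_trace_enter() itself */
    frame_enter(&t, 12, AUDIT_DATA);         /* do_audit_syscall_entry() and friends */
    frame_leave(&t, 12);
    if (mode == ERASE_ON_EXIT_AND_AFTER_AUDIT)
        erase_kstack(&t);                    /* the call the patch adds */
    frame_leave(&t, 4);

    return count_below_sp(&t, pattern);      /* the syscall proper starts here */
}

int main(void)
{
    for (int m = ERASE_NONE; m <= ERASE_ON_EXIT_AND_AFTER_AUDIT; m++)
        printf("mode %d: prev-syscall %2zu  audit %2zu  trace_enter %zu\n", m,
               leftover_words(m, PREV_SYSCALL_DATA), leftover_words(m, AUDIT_DATA),
               leftover_words(m, TRACE_ENTER_DATA));
    return 0;
}
```

With the exit-path erase alone, the previous syscall's data is gone but all twelve words the audit work wrote are still below sp when the syscall body starts; with the additional erase after the audit work they are gone too. The four words of syscall_trace_enter()'s own frame survive in every mode, because that frame is live when erase_kstack() runs, which is why the real erase can only ever clear below the frame that calls it.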