| Message ID | 1518804657-24905-4-git-send-email-alex.popov@linux.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index 74f6eee..b4be776 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -46,6 +46,12 @@ __visible inline void enter_from_user_mode(void) static inline void enter_from_user_mode(void) {} #endif +#ifdef CONFIG_GCC_PLUGIN_STACKLEAK +asmlinkage void erase_kstack(void); +#else +static void erase_kstack(void) {} +#endif + static void do_audit_syscall_entry(struct pt_regs *regs, u32 arch) { #ifdef CONFIG_X86_64 @@ -128,6 +134,7 @@ static long syscall_trace_enter(struct pt_regs *regs) do_audit_syscall_entry(regs, arch); + erase_kstack(); return ret ?: regs->orig_ax; }
Make STACKLEAK erase kernel stack after ptrace/seccomp/auditing not to leave any sensitive information on the stack for the syscall code. This code is modified from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on our understanding of the code. Changes or omissions from the original code are ours and don't reflect the original grsecurity/PaX code. Signed-off-by: Alexander Popov <alex.popov@linux.com> --- arch/x86/entry/common.c | 7 +++++++ 1 file changed, 7 insertions(+)