Explicitly unpoison the stack when entering a softint.

Softints are the only place where we "discard" a part of the stack: we may have left the thread without allowing the asan instrumentation to clear the poison, and in this case, we can get false positives when we hit a poisoned area of the stack while executing another handler within the same softint thread. (I was actually getting a rare false positive in ip6intr.)
2018-08-22 17:04:36 +00:00 · 2018-08-22 17:04:36 +00:00 · 2ef4334b7d
commit 2ef4334b7d
parent 008bce6ffe
2 changed files with 24 additions and 3 deletions
--- a/sys/arch/amd64/amd64/asan.c
+++ b/sys/arch/amd64/amd64/asan.c
@ -1,4 +1,4 @@
-/*	$NetBSD: asan.c,v 1.3 2018/08/22 12:07:42 maxv Exp $	*/
+/*	$NetBSD: asan.c,v 1.4 2018/08/22 17:04:36 maxv Exp $	*/

 /*
 * Copyright (c) 2018 The NetBSD Foundation, Inc.
@ -30,7 +30,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: asan.c,v 1.3 2018/08/22 12:07:42 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: asan.c,v 1.4 2018/08/22 17:04:36 maxv Exp $");

 #include <sys/param.h>
 #include <sys/device.h>
@ -59,6 +59,7 @@ __KERNEL_RCSID(0, "$NetBSD: asan.c,v 1.3 2018/08/22 12:07:42 maxv Exp $");

 #define __RET_ADDR	(unsigned long)__builtin_return_address(0)

+void kasan_softint(struct lwp *);
 void kasan_shadow_map(void *, size_t);
 void kasan_early_init(void);
 void kasan_init(void);
@ -322,6 +323,14 @@ kasan_markmem(const void *addr, size_t size, bool valid)
 	}
 }

+void
+kasan_softint(struct lwp *l)
+{
+	const void *stk = (const void *)uvm_lwp_getuarea(l);
+
+	kasan_shadow_fill(stk, USPACE, 0);
+}
+
 void
 kasan_alloc(const void *addr, size_t size, size_t sz_with_redz)
 {
--- a/sys/arch/amd64/amd64/spl.S
+++ b/sys/arch/amd64/amd64/spl.S
@ -1,4 +1,4 @@
-/*	$NetBSD: spl.S,v 1.35 2018/07/14 14:29:40 maxv Exp $	*/
+/*	$NetBSD: spl.S,v 1.36 2018/08/22 17:04:36 maxv Exp $	*/

 /*
 * Copyright (c) 2003 Wasabi Systems, Inc.
@ -65,6 +65,7 @@
 */

 #include "opt_ddb.h"
+#include "opt_kasan.h"

 #define ALIGN_TEXT	.align 16,0x90

@ -105,6 +106,17 @@ IDTVEC(softintr)
 	movq	L_PCB(%r15),%rcx
 	movq	%rdi,CPUVAR(CURLWP)

+#ifdef KASAN
+	/* clear the new stack */
+	pushq	%rax
+	pushq	%rdx
+	pushq	%rcx
+	callq	_C_LABEL(kasan_softint)
+	popq	%rcx
+	popq	%rdx
+	popq	%rax
+#endif
+
 	/* save old context */
 	movq	%rsp,PCB_RSP(%rcx)
 	movq	%rbp,PCB_RBP(%rcx)