On Mon, Mar 5, 2018 at 11:40 AM, Dave Hansen <dave.han...@linux.intel.com> wrote:
> On 03/03/2018 12:00 PM, Alexander Popov wrote:
>> @@ -128,6 +134,7 @@ static long syscall_trace_enter(struct pt_regs *regs)
>>
>> do_audit_syscall_entry(regs, arch);
>>
>> + erase_kstack();
>> return ret ?: regs->orig_ax;
>> }
>
> This seems like an odd place to be clearing the stack. Why was it done here?
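Review bot: the erase_kstack() call site in this hunk needs a comment, and the commit log a sentence, explaining why the clear is placed after do_audit_syscall_entry() rather than at the top of syscall_trace_enter(): as the reply below explains, the ptrace/seccomp/audit hooks run before the syscall body and dirty the stack that was cleared on the previous exit, so clearing here restores that state before the syscall proper runs. Since syscall_trace_enter() is only reached on the traced slow path, the commit log should also state that the untraced path relies on the exit-time clearing alone. A one-line comment such as `/* ptrace/seccomp/audit work above may have dirtied the stack cleared at last exit */` directly above `erase_kstack();` would spare the next reviewer the same question.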
Perhaps the commit log could be improved, but the idea is that the audit work (ptrace, seccomp, etc.) is happening before the syscall code starts running, and it has therefore written to the stack (that used to be cleared on last exit). This retains the cleared stack state even in the face of ptrace-ish work happening before the syscall proper starts.

-Kees

--
Kees Cook
Pixel Security