On Tue, Oct 9, 2018 at 10:13 PM, Michael Ellerman wrote:
> Warn whenever a switch statement has a fallthrough without a comment
> annotating it.
>
> Signed-off-by: Michael Ellerman
Yes please. :)
Reviewed-by: Kees Cook
-Kees
> ---
> arch/powerpc/Kbuild | 1 +
> 1 file
in the merge window
(see linux-next), so this will be redundant.
-Kees
--
Kees Cook
Pixel Security
> This patch adds a check for an incorrectly initialized to the
> beginning of try_offline_node, and exits the routine.
>
> Another patch is being developed for powerpc to track the
> node Id to which an LMB belongs, so that we can remove the
> LMB from there instead of the nid as currently
-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com
Cc: "Leonidas S. Barbosa"
Cc: Paulo Flabiano Smorigo
Cc: Benjamin Herrenschmidt
Cc: Paul Mackerras
Cc: Michael Ellerman
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook
---
drivers/crypto/vmx/aes_cbc.c | 22 +++--
On Thu, Jul 19, 2018 at 5:17 AM, Michael Ellerman wrote:
> Kees Cook writes:
>
>> On Fri, Jun 29, 2018 at 11:52 AM, Kees Cook wrote:
>>> In the quest to remove all stack VLA usage from the kernel[1], this
>>> switches from an unchanging variable to a constant expre
On Fri, Jun 29, 2018 at 11:52 AM, Kees Cook wrote:
> In the quest to remove all stack VLA usage from the kernel[1], this
> switches from an unchanging variable to a constant expression to eliminate
> the VLA generation.
>
> [1]
> https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX
chael Ellerman
Reviewed-by: Kees Cook
-Kees
> ---
> Documentation/admin-guide/kernel-parameters.txt | 16 +---
> 1 file changed, 13 insertions(+), 3 deletions(-)
>
> I tried documenting the differences between the PPC options and X86 ones in
> one
> section, but i
-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com
Signed-off-by: Kees Cook
Reviewed-by: Arnd Bergmann
---
v2: use "0x600-0x500" for size calculation to illustrate handler sizes
---
arch/powerpc/platforms/52xx/mpc52xx_pm.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ar
On Sun, Jul 1, 2018 at 6:33 PM, Michael Ellerman wrote:
> Kees Cook writes:
>
>> On Fri, Jun 29, 2018 at 2:02 PM, Arnd Bergmann wrote:
>>> On Fri, Jun 29, 2018 at 8:53 PM, Kees Cook wrote:
>>>> In the quest to remove all stack VLA usage from the kernel[1], th
On Fri, Jun 29, 2018 at 2:02 PM, Arnd Bergmann wrote:
> On Fri, Jun 29, 2018 at 8:53 PM, Kees Cook wrote:
>> In the quest to remove all stack VLA usage from the kernel[1], this
>> switches to using a stack size large enough for the saved routine and
>> adds a sanity check
In the quest to remove all stack VLA usage from the kernel[1], this
switches to using a stack size large enough for the saved routine and
adds a sanity check.
[1]
https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com
Signed-off-by: Kees Cook
---
arch
: Paul Mackerras
Cc: Michael Ellerman
Cc: Andrew Morton
Cc: Randy Dunlap
Cc: Tyrel Datwyler
Cc: Rob Herring
Cc: Ingo Molnar
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook
---
arch/powerpc/sysdev/msi_bitmap.c | 15 ---
1 file changed, 8 insertions(+), 7 deletions(-)
diff
le trying to tighten the
CONFIG_FORTIFY_SOURCE checking.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/net/ethernet/ibm/ibmvnic.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/ibm/ibmvnic.c
b/drivers/net/ethernet/ibm/ibmvnic.c
index aad5658
f you keep the Kconfig, you can leave off "default n", and I'd
suggest adding a help section just to describe what the per-arch
responsibilities are when select-ing the config. (See
HAVE_ARCH_SECCOMP_FILTER for an example.)
-Kees
--
Kees Cook
Pixel Security
On Tue, Mar 27, 2018 at 4:49 PM, Matthew Wilcox <wi...@infradead.org> wrote:
> On Tue, Mar 27, 2018 at 03:53:53PM -0700, Kees Cook wrote:
>> I agree: pushing this off to libc leaves a lot of things unprotected.
>> I think this should live in the kernel. The question I ha
> I believe this is the only one right place for it. Adding these 200+ lines of
> code we give this feature for any user - on desktop, on server, on IoT device,
> on SCADA, etc. But if only glibc will implement ‘user-mode-aslr’ IoT and SCADA
> devices will never get it.
I agree: pushing this off to libc leaves a lot of things unprotected.
I think this should live in the kernel. The question I have is about
making it maintainable/readable/etc.
The state-of-the-art for ASLR is moving to finer granularity (over
just base-address offset), so I'd really like to see this supported in
the kernel. We'll be getting there for other things in the future, and
I'd like to have a working production example for researchers to
study, etc.
-Kees
--
Kees Cook
Pixel Security
s no longer works.
James updated MAINTAINERS to: James Morris <jmor...@namei.org>
--
Kees Cook
Pixel Security
stophe.le...@c-s.fr>
Signed-off-by: Segher Boessenkool <seg...@kernel.crashing.org>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/powerpc/Makefile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
index ccd2556bdb53..c762
On Thu, Feb 22, 2018 at 5:07 AM, Michal Hocko <mho...@kernel.org> wrote:
> On Wed 14-02-18 09:14:47, Kees Cook wrote:
> [...]
>> I can send it through my seccomp tree via James Morris.
>
> Could you please do it?
Hi! Yes, sorry, this fell through the cracks. Now applie
On Wed, Feb 14, 2018 at 1:20 AM, Michal Hocko <mho...@kernel.org> wrote:
> On Tue 13-02-18 13:27:30, Kees Cook wrote:
>> On Tue, Feb 13, 2018 at 2:32 AM, Michal Hocko <mho...@kernel.org> wrote:
>> > On Tue 13-02-18 21:16:55, Michael Ellerman wrote:
>> >>
On Tue, Feb 13, 2018 at 2:32 AM, Michal Hocko <mho...@kernel.org> wrote:
> On Tue 13-02-18 21:16:55, Michael Ellerman wrote:
>> Kees Cook <keesc...@chromium.org> writes:
>>
>> > On Mon, Feb 12, 2018 at 7:25 PM, Michael Ellerman <m...@ellerman.id.a
it should just be disabled when cross compiling.
Hrm, yeah, the goal was to entirely disable cross compiling, but I
guess we didn't hit it with a hard enough hammer. :)
-Kees
--
Kees Cook
Pixel Security
vphn_enabled = 1;
> setup_cpu_associativity_change_counters();
> - init_timer_deferrable(_timer);
> + timer_setup(_timer, topology_timer_fn,
> + TIMER_DEFERRABLE);
> reset_topology_timer();
> }
> }
Thanks, this looks correct to me!
-Kees
--
Kees Cook
Pixel Security
ux.vnet.ibm.com>
Cc: Benjamin Herrenschmidt <b...@kernel.crashing.org>
Cc: Paul Mackerras <pau...@samba.org>
Cc: Michael Ellerman <m...@ellerman.id.au>
Cc: "James E.J. Bottomley" <j...@linux.vnet.ibm.com>
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.oz
smu_i2c_retry(NULL);
return;
}
mod_timer(>i2c_timer, jiffies + msecs_to_jiffies(5));
--
2.7.4
--
Kees Cook
Pixel Security
On Tue, Oct 17, 2017 at 5:29 AM, Michael Ellerman <m...@ellerman.id.au> wrote:
> Nicholas Piggin <npig...@gmail.com> writes:
>
>> On Mon, 16 Oct 2017 16:47:10 -0700
>> Kees Cook <keesc...@chromium.org> wrote:
>>
>>> In preparation for un
Removes unused timer and its old initialization call.
Cc: Pantelis Antoniou <pantelis.anton...@gmail.com>
Cc: Vitaly Bordug <vbor...@ru.mvista.com>
Cc: linuxppc-dev@lists.ozlabs.org
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/net/
Cc: Michael Ellerman <m...@ellerman.id.au>
Cc: Nicholas Piggin <npig...@gmail.com>
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/powerpc/kernel/watchdog.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/arch/po
ux.vnet.ibm.com>
Cc: Benjamin Herrenschmidt <b...@kernel.crashing.org>
Cc: Paul Mackerras <pau...@samba.org>
Cc: Michael Ellerman <m...@ellerman.id.au>
Cc: "James E.J. Bottomley" <j...@linux.vnet.ibm.com>
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.oz
00077ff6bec0] [c0185cdc] handle_irq_event_percpu+0x3c/0x90
> [c0077ff6bf00] [c018c894] handle_percpu_irq+0x84/0xd0
> [c0077ff6bf30] [c01840f4] generic_handle_irq+0x54/0x80
> [c0077ff6bf60] [c0016f00] __do_irq+0x80/0x1d0
> [c0077ff6bf90] [c002b120] call_do_irq+0x14/0x24
> [c0077248bde0] [c00170e8] do_IRQ+0x98/0x140
> [c0077248be30] [c0008ac4] hardware_interrupt_common+0x114/0x120
> Instruction dump:
> e93d0019 2fa9 409effd8 4bfffed8 893f0644 61290004 993f0644 4b10
> 0fe0 4bfffe6c 6000 6042 <0fe0> 4bfffeac 6000 6042
> ---[ end trace 1094995650f27c83 ]---
>
>
>
> --
> Regards
>
> Abdul Haleem
> IBM Linux Technology Centre
>
>
--
Kees Cook
Pixel Security
ristophe.le...@c-s.fr>
Cc: Balbir Singh <bsinghar...@gmail.com>
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
v2:
- depend on PPC64, as noted by Christophe.
---
arch/powerpc/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/po
On Thu, Oct 5, 2017 at 11:57 AM, christophe leroy
<christophe.le...@c-s.fr> wrote:
>
>
> Le 05/10/2017 à 19:30, Kees Cook a écrit :
>>
>> On Thu, Oct 5, 2017 at 12:49 AM, Christophe LEROY
>> <christophe.le...@c-s.fr> wrote:
>>>
>
On Thu, Oct 5, 2017 at 12:49 AM, Christophe LEROY
<christophe.le...@c-s.fr> wrote:
>
>
> Le 05/10/2017 à 05:45, Kees Cook a écrit :
>>
>> When available, CONFIG_KERNEL_RWX should be default-enabled.
>
>
> On PPC32, this option implies deactivating BATs and/or
When available, CONFIG_KERNEL_RWX should be default-enabled.
Cc: Benjamin Herrenschmidt <b...@kernel.crashing.org>
Cc: Paul Mackerras <pau...@samba.org>
Cc: Michael Ellerman <m...@ellerman.id.au>
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook <keesc...@chromium.o
org>
Cc: Thomas Gleixner <t...@linutronix.de>
Cc: Oleg Nesterov <o...@redhat.com>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
include/linux/kthread.h | 10 +-
kernel/kthread.c| 10 --
2 files changed, 9 insertions(+), 11 deletions(-)
diff --git
In preparation for unconditionally passing the struct timer_list pointer
to all timer callbacks, switch workqueue to use from_timer() and pass the
timer pointer explicitly.
Cc: Tejun Heo <t...@kernel.org>
Cc: Lai Jiangshan <jiangshan...@gmail.com>
Signed-off-by: Kees Cook <keesc.
The expires field is normally initialized during the first mod_timer()
call. It was unused by all callers, so remove it from the macro.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
include/linux/kthread.h | 2 +-
include/linux/timer.h | 5 ++---
include/linux/workqueue.h | 2
broeck <w...@iguana.be>
Cc: Guenter Roeck <li...@roeck-us.net>
Cc: Geert Uytterhoeven <ge...@linux-m68k.org>
Cc: linux-m...@linux-mips.org
Cc: linux-watch...@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/mips/mti-malta/malta-display.
Drop the arguments from the macro and adjust all callers with the
following script:
perl -pi -e 's/DEFINE_TIMER\((.*), 0, 0\);/DEFINE_TIMER($1);/g;' \
$(git grep DEFINE_TIMER | cut -d: -f1 | sort -u | grep -v timer.h)
Signed-off-by: Kees Cook <keesc...@chromium.org>
Acked-by:
Drops the last user of TIMER_INITIALIZER and adapts timer.h to use the
internal version.
Cc: Arnd Bergmann <a...@arndb.de>
Cc: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Cc: Mark Gross <mark.gr...@intel.com>
Cc: Thomas Gleixner <t...@linutronix.de>
Signed-
Cc: Tejun Heo <t...@kernel.org>
Cc: Lai Jiangshan <jiangshan...@gmail.com>
Cc: linux-s...@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/s390/kernel/lgr.c | 6 +++---
arch/s390/kernel/topology.c | 6 +++---
kernel/workqueue.c |
This removes the now unused TIMER_*INITIALIZER macros:
TIMER_INITIALIZER
TIMER_PINNED_INITIALIZER
TIMER_DEFERRED_INITIALIZER
TIMER_PINNED_DEFERRED_INITIALIZER
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
include/linux/timer.h | 12
1 file changed, 12 deletions(-)
@kernel.org>
Cc: Harish Patil <harish.pa...@cavium.com>
Cc: Manish Chopra <manish.cho...@cavium.com>
Cc: Kalle Valo <kv...@qca.qualcomm.com>
Cc: linuxppc-dev@lists.ozlabs.org
Cc: net...@vger.kernel.org
Cc: linux-wirel...@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@ch
Hi,
This is the first of many timer infrastructure cleanups to simplify the
timer API[1]. All of these patches are expected to land via the timer
tree, so Acks (or corrections) appreciated.
These patches refactor various users of timer API that are NOT just using
init_timer() or setup_timer()
<m...@sgi.com>
Cc: "James E.J. Bottomley" <j...@linux.vnet.ibm.com>
Cc: "Martin K. Petersen" <martin.peter...@oracle.com>
Cc: Thomas Gleixner <t...@linutronix.de>
Cc: linux...@vger.kernel.org
Cc: linux1394-de...@lists.sourceforge.net
Cc: linux-s...@vger.kernel.
This refactors the only users of init_timer_pinned() to use
the new timer_setup() and from_timer(). Drops the definition of
init_timer_pinned().
Cc: Chris Metcalf <cmetc...@mellanox.com>
Cc: Thomas Gleixner <t...@linutronix.de>
Cc: net...@vger.kernel.org
Signed-off-by: Kees
is eliminated.
Cc: John Stultz <john.stu...@linaro.org>
Cc: Thomas Gleixner <t...@linutronix.de>
Cc: Stephen Boyd <sb...@codeaurora.org>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
include/linux/timer.h | 8
kernel/time/timer.c | 26 +++
u...@linaro.org>
Cc: Benjamin Herrenschmidt <b...@kernel.crashing.org>
Cc: Paul Mackerras <pau...@samba.org>
Cc: Michael Ellerman <m...@ellerman.id.au>
Cc: Thomas Gleixner <t...@linutronix.de>
Cc: linux...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by:
On Mon, Oct 2, 2017 at 1:08 PM, Segher Boessenkool
<seg...@kernel.crashing.org> wrote:
> On Mon, Oct 02, 2017 at 12:29:45PM -0700, Kees Cook wrote:
>> On Mon, Sep 25, 2017 at 12:41 PM, Segher Boessenkool
>> <seg...@kernel.crashing.org> wrote:
>> > On Mon, Sep
readonly small data.
>>
>> My guess is that the linker script is putting .srodata in with .sdata.
>
> .srodata does not *exist* (in the ABI).
So, I still think this is a bug. The variable is marked const: this is
not a _suggestion_. :) If the compiler produces output where the
gt; #include
>
> -const int rodata_test_data = 0xC3;
> +static const int rodata_test_data = 0xC3;
>
> void rodata_test(void)
> {
> --
> 2.13.3
>
--
Kees Cook
Pixel Security
ger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
Acked-by: Tyrel Datwyler <tyr...@linux.vnet.ibm.com> # for ibmvscsi
---
drivers/scsi/ibmvscsi/ibmvfc.c | 14 ++
drivers/scsi/ibmvscsi/ibmvscsi.c
hugepages ("always")
> 2. Turn off the defrag $ echo 0 > khugepaged/defrag
> 3. Write random to memory path
> 4. Set huge pages numbers
> 5. Turn on defrag $ echo 1 > khugepaged/defrag
>
>
> new trace:
> --
> Unable to handle kernel paging request for da
ger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/net/irda/bfin_sir.c | 5 +++--
drivers/scsi/ibmvscsi/ibmvfc.c | 14 ++
drivers/scsi/ibmvscsi/ibmvscsi.c | 8
3 files changed, 13 insert
ned-off-by: Brijesh Singh <brijesh.si...@amd.com>
This is a nice clean up even without the refactoring need. :)
Reviewed-by: Kees Cook <keesc...@chromium.org>
Thanks!
-Kees
--
Kees Cook
Pixel Security
t = ppc_md.nvram_write(tmp, count, ppos);
>
> -out:
> kfree(tmp);
> +out:
> return ret;
> -
> }
>
> static long dev_nvram_ioctl(struct file *file, unsigned int cmd,
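Review bot: moving the `out:` label below `kfree(tmp)` means every `goto out` now skips the free, so any jump to `out` taken after `tmp` has been allocated leaks the buffer. Please confirm that all remaining `goto out` sites run before the allocation, or keep a separate label ahead of `kfree(tmp)` (for example `out_free:`) for the failure paths that occur after it.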
> --
> 2.9.3
>
--
Kees Cook
Pixel Security
On Mon, Jun 26, 2017 at 6:04 AM, Michael Ellerman <m...@ellerman.id.au> wrote:
> Kees Cook <keesc...@chromium.org> writes:
>
>> On Fri, Jun 23, 2017 at 12:01 AM, Michael Ellerman <m...@ellerman.id.au>
>> wrote:
>>> Kees Cook <keesc...@chromium.or
On Fri, Jun 23, 2017 at 1:59 PM, Kees Cook <keesc...@chromium.org> wrote:
> For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs
> are loaded below the mmap region. This means they can be made to collide
> (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) wi
On Sat, Jun 24, 2017 at 2:11 AM, Russell King - ARM Linux
<li...@armlinux.org.uk> wrote:
> On Fri, Jun 23, 2017 at 01:59:55PM -0700, Kees Cook wrote:
>> This is v2 (to refresh the 5 patches in -mm) for moving ELF_ET_DYN_BASE
>> safely lower. Changes are clarifications in the c
4MB would be used (since the NULL address is avoided).
Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and
suggestions on how to implement this solution.
Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR")
Cc: sta...@vger.kernel.org
Cc: x...@kernel.org
Sign
running PIE on 32-bit ARM will have an MMU, so
the tight mapping is not needed.
Cc: sta...@vger.kernel.org
Cc: Russell King <rmk+ker...@arm.linux.org.uk>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/arm/include/asm/elf.h | 8 ++--
1 file changed, 2 insertions(+),
close to the NULL address.
Cc: sta...@vger.kernel.org
Cc: Heiko Carstens <heiko.carst...@de.ibm.com>
Cc: Martin Schwidefsky <schwidef...@de.ibm.com>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/s390/include/asm/elf.h | 15 +++
1 file changed, 7 insertio
-bit pointers. On 32-bit use 4MB, which is the
traditional x86 minimum load location, likely to avoid historically
requiring a 4MB page table entry when only a portion of the first 4MB
would be used (since the NULL address is avoided).
Cc: sta...@vger.kernel.org
Signed-off-by: Kees Cook <ke
<ard.biesheu...@linaro.org>
Cc: Catalin Marinas <catalin.mari...@arm.com>
Cc: Mark Rutland <mark.rutl...@arm.com>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/arm64/include/asm/elf.h | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/arch/a
This is v2 (to refresh the 5 patches in -mm) for moving ELF_ET_DYN_BASE
safely lower. Changes are clarifications in the commit logs (suggested
by mpe), a compat think-o fix for arm64 (thanks to Ard), and to add
Rik and mpe's Acks.
Quoting patch 1/5:
The ELF_ET_DYN_BASE position was originally
On Fri, Jun 23, 2017 at 12:01 AM, Michael Ellerman <m...@ellerman.id.au> wrote:
> Kees Cook <keesc...@chromium.org> writes:
>
>> Now that explicitly executed loaders are loaded in the mmap region,
>> position PIE binaries lower in the address space to avoid po
On Fri, Jun 23, 2017 at 6:52 AM, Kees Cook <keesc...@chromium.org> wrote:
> On Thu, Jun 22, 2017 at 11:57 PM, Ard Biesheuvel
> <ard.biesheu...@linaro.org> wrote:
>> Hi Kees,
>>
>> On 22 June 2017 at 18:06, Kees Cook <keesc...@chromium.org> wrote:
>>
On Thu, Jun 22, 2017 at 11:57 PM, Ard Biesheuvel
<ard.biesheu...@linaro.org> wrote:
> Hi Kees,
>
> On 22 June 2017 at 18:06, Kees Cook <keesc...@chromium.org> wrote:
>> Now that explicitly executed loaders are loaded in the mmap region,
>> position PIE binaries lo
Now that explicitly executed loaders are loaded in the mmap region,
position PIE binaries lower in the address space to avoid possible
collisions with mmap or stack regions.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/arm/include/asm/elf.h | 8 ++--
1 file changed, 2 inse
Now that explicitly executed loaders are loaded in the mmap region,
position PIE binaries lower in the address space to avoid possible
collisions with mmap or stack regions. For 64-bit, align to 4GB to
allow runtimes to use the entire 32-bit address space for 32-bit
pointers.
Signed-off-by: Kees
Now that explicitly executed loaders are loaded in the mmap region,
position PIE binaries lower in the address space to avoid possible
collisions with mmap or stack regions. For 64-bit, align to 4GB to
allow runtimes to use the entire 32-bit address space for 32-bit
pointers.
Signed-off-by: Kees
Now that explicitly executed loaders are loaded in the mmap region,
position PIE binaries lower in the address space to avoid possible
collisions with mmap or stack regions. For 64-bit, align to 4GB to
allow runtimes to use the entire 32-bit address space for 32-bit
pointers.
Signed-off-by: Kees
This is a follow-up to "binfmt_elf: Use ELF_ET_DYN_BASE only for PIE"[1],
which allows ELF_ET_DYN_BASE to be reduced from high in the address space.
That patch only changed x86, and this series changes arm, arm64, powerpc,
and s390.
Since these depend on the mentioned patch (which I'm hoping akpm
() result with its own under some situations, etc.
To do something like this in upstream, we need to be sure we've sanely
dealt with the brk region, which follows the first loaded ELF, and if
it's the interpreter, that means brk ends up in mmap area, up near the
executable area (near what would become the
>
> virt_addr_valid() is used pretty widely, I'm not sure if we can just fix
> it without other fallout. I'll dig a bit more tomorrow if no one beats
> me to it.
>
> Kees, depending on how that turns out we may ask you to revert
> 517e1fbeb65f ("mm/usercopy: Drop extra is_vmalloc_or_module() check").
That's fine by me. Let me know what you think would be best.
Laura, I don't see much harm in putting this back in place. It seems
like it's just a matter of efficiency to have it removed?
-Kees
--
Kees Cook
Pixel Security
ted to the size of
> the type used to define it which then gets enforced by these fortified
> wrappers rather than just used for optimization (in practice, it won't
> break much without these, but it could).
We'd need something to actually extract the sizes of the asm
functions. Right now, that kind of thing is done in the linker
scripts, but that may be too late.
-Kees
--
Kees Cook
Pixel Security
> .name = "nvram",
> + .flags = PSTORE_FLAGS_DMESG,
> .open = nvram_pstore_open,
> .read = nvram_pstore_read,
> .write = nvram_pstore_write,
> --
> 2.7.4
>
--
Kees Cook
Pixel Security
-66,7 +66,7 @@ unsigned long arch_mmap_rnd(void)
> if (is_32bit_task())
> shift = mmap_rnd_compat_bits;
> #endif
> - rnd = get_random_long() % (1 << shift);
> + rnd = get_random_long() % (1ul << shift);
>
> return rnd << PAGE_SHIFT;
> }
> --
> 2.7.4
Reviewed-by: Kees Cook <keesc...@chromium.org>
-Kees
--
Kees Cook
Pixel Security
OMPAT
>>> if (is_32bit_task())
>>> -rnd = get_random_long() % (1<<(23-PAGE_SHIFT));
>>> -else
>>> -rnd = get_random_long() % (1UL<<(30-PAGE_SHIFT));
>>> + shift = mmap_rnd_compat_bits;
>>> +#endif
>>> +rnd = get_random_long() % (1 << shift);
>>
>> Nitpick, 1 should be 1UL?
Nice catch!
> No, shift can only be 29 at most IIRC?
The largest value in the kconfigs is 33?
> But it's a bit fragile, so I'll change it.
Thanks!
-Kees
--
Kees Cook
Pixel Security
es.
>
> Kees/Bhupesh, would love a Review/Ack/Tested-by from you, I'll plan to merge
> this later today (Friday) my time.
Reviewed-by: Kees Cook <keesc...@chromium.org>
Looks good!
-Kees
>
> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> index 97a8bc8a095c..
, rnd;
>
> - /* 8MB for 32bit, 1GB for 64bit */
> + shift = mmap_rnd_bits;
> +#ifdef CONFIG_COMPAT
> if (is_32bit_task())
> - rnd = get_random_long() % (1<<(23-PAGE_SHIFT));
> - else
> - rnd = get_random_long() % (1UL<<(30-PAGE_SHIFT));
> + shift = mmap_rnd_compat_bits;
> +#endif
> + rnd = get_random_long() % (1 << shift);
>
> return rnd << PAGE_SHIFT;
> }
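Review bot: the added `rnd = get_random_long() % (1 << shift);` shifts a plain `int` constant, whereas the removed 64-bit branch used `1UL<<(30-PAGE_SHIFT)`. Since `shift` now comes from `mmap_rnd_bits`, a configured value of 31 or more would overflow the int shift; use `1UL << shift` so the modulus is computed in `unsigned long`, matching the result of `get_random_long()`.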
> --
> 2.7.4
>
Yay! Ever closer to being able to extract arch_mmap_rnd() out of arch/ ;)
-Kees
--
Kees Cook
Pixel Security
On Mon, Mar 27, 2017 at 8:03 PM, Andrew Donnellan
<andrew.donnel...@au1.ibm.com> wrote:
> On 27/03/17 18:38, Andrew Donnellan wrote:
>>
>> On 01/02/17 07:24, Kees Cook wrote:
>>>
>>> From: Emese Revfy <re.em...@gmail.com>
>>>
>>> The
or mine?
If you have other changes queued for v4.11, please take it via your
tree. Otherwise, perhaps the docs tree or mine? (I don't currently
have any fixes queued; I'm just trying to minimize pull requests going
to Linus...)
-Kees
--
Kees Cook
Pixel Security
00187c330] __vfs_write+0x40/0x1c0
> [ 200.360645] [c008b72dfd90] [c187dc48] vfs_write+0xc8/0x240
> [ 200.360650] [c008b72dfde0] [c187f8b0] SyS_write+0x60/0x110
> [ 200.360656] [c008b72dfe30] [c15cb8e0] system_call+0x38/0xfc
> [ 200.360660] Instruction dump:
> [ 200.360663] 7d495378 419e0044 2f89 7d434850 7f0a4840 79460020 41de001c
> 4099ffbc
> [ 200.360675] 3c62ffb6 38636af8 48444249 6000 <0fe0> 38210060
> 3860 e8010010
> [ 200.360686] ---[ end trace 937482186422ac36 ]---
>
> I have attached the dmesg log.
>
> Thanks
> -Sachin
>
>
>
--
Kees Cook
Pixel Security
On Tue, Mar 7, 2017 at 8:22 AM, Namhyung Kim <namhy...@gmail.com> wrote:
> On Tue, Mar 7, 2017 at 6:55 AM, Kees Cook <keesc...@chromium.org> wrote:
>> The read/mkfile pair pass the same arguments and should be cleared
>> between calls. Move to a structure and wipe it aft
On Tue, Mar 7, 2017 at 8:16 AM, Namhyung Kim <namhy...@gmail.com> wrote:
> Hi Kees,
>
> On Tue, Mar 7, 2017 at 6:55 AM, Kees Cook <keesc...@chromium.org> wrote:
>> Technically, it might be possible for struct pstore_info to go out of
>> scope after the module_
Removes argument list in favor of pstore record, though the user buffer
remains passed separately since it must carry the __user annotation.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
fs/pstore/platform.c | 35 ---
fs/pstore/pmsg.c
Now that write() and write_buf() are functionally identical, this removes
write_buf(), and renames write_buf_user() to write_user(). Additionally
adds sanity-checks for pstore_info's declared functions and flags at
registration time.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
fs/
This removes the argument list for the erase() callback and replaces it
with a pointer to the backend record details to be removed.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/acpi/apei/erst.c | 8 +++-
drivers/firmware/efi/efi-pstore.
As with the other API updates, this removes the long argument list in favor
of passing a single pstore record.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
fs/pstore/ftrace.c | 9 +++--
fs/pstore/platform.c | 30 +-
fs/pstore/ram.c
This switches the inode-private data from carrying duplicate metadata to
keeping the record passed in during pstore_mkfile().
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
fs/pstore/inode.c| 57 ++--
fs/pstore/platform.c | 6 ++-
In preparation for handling records off to pstore_mkfile(), allocate the
record instead of reusing stack. This still always frees the record,
though, since pstore_mkfile() isn't yet keeping it.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
fs/pstore/platform.
The argument list for the pstore_read() interface is unwieldy. This change
passes the new struct pstore_record instead. The erst backend was already
doing something similar internally.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/powerpc/kernel/nvram_64.c
pstore_mkfile() shouldn't have to memcpy the record contents. It can use
the existing copy instead. This adjusts the allocation lifetime management
and renames the contents variable from "data" to "buf" to assist moving to
struct pstore_record in the future.
Signed-off-
Currently, pstore_mkfile() performs a memcpy() of the record contents,
so it can live anywhere. However, this is needlessly wasteful. In
preparation of pstore_mkfile() keeping the record contents, always
allocate a buffer for the contents.
Signed-off-by: Kees Cook <keesc...@chromium.org>
-
This adds documentation for struct pstore_info, which also includes
the basic API the backends need to implement.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
include/linux/pstore.h | 133 +++--
1 file changed, 128 insertions(+), 5 del
Similar to the pstore_info read() callback, there were too many arguments.
This switches to the new struct pstore_record pointer instead. This adds
"reason" and "part" to the record structure as well.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/powerpc
Instead of the long list of arguments, just pass the new record struct.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
fs/pstore/inode.c| 57 +---
fs/pstore/internal.h | 5 +
fs/pstore/platform.c | 6 +-
3 files chang
This moves the record decompression logic out to a separate function
to avoid the deep indentation.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
fs/pstore/platform.c | 67 +---
1 file changed, 37 insertions(+), 30 deletions(-)
diff
The read/mkfile pair pass the same arguments and should be cleared
between calls. Move to a structure and wipe it after every loop.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
fs/pstore/platform.c | 55 +++---
include/linux/pstore.