On Mon, Jun 17, 2024 at 10:33:08PM +0200, Arnd Bergmann wrote:
> On Mon, Jun 17, 2024, at 20:22, Kees Cook wrote:
> > On Mon, Jun 17, 2024 at 04:52:15PM +0100, Mark Rutland wrote:
> >> On Mon, Jun 17, 2024 at 01:37:21PM +, Yuntao Liu wrote:
> >> > Since the
On Tue, Jun 18, 2024 at 12:13:27AM +0200, Thomas Gleixner wrote:
> On Wed, Jun 12 2024 at 11:42, Kees Cook wrote:
> > On Tue, Jun 11, 2024 at 01:26:09PM -0700, Gatlin Newhouse wrote:
> >> It seems that is_valid_bugaddr() needs to be implemented on all
> >> architec
-- a/drivers/net/ethernet/microchip/sparx5/sparx5_psfp.c
+++ b/drivers/net/ethernet/microchip/sparx5/sparx5_psfp.c
@@ -164,6 +164,8 @@ static int sparx5_psfp_sg_set(struct sparx5 *sparx5, u32 id,
/* For each scheduling entry */
for (i = 0; i < sg->num_entries; i++) {
+ if (WARN_ON_ONCE(i >= ARRAY_SIZE(sg->gce)))
+ break;
gce = >gce[i];
ips = sparx5_psfp_ipv_to_ips(gce->ipv);
/* hardware needs TimeInterval to be cumulative */
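Review bot: the bounds check at "if (WARN_ON_ONCE(i >= ARRAY_SIZE(sg->gce)))" sits inside the loop, so an oversized sg->num_entries is only noticed after the earlier entries have already been processed, and the "break" lets the rest of the function carry on with a truncated schedule. Since the function returns int, consider comparing sg->num_entries against ARRAY_SIZE(sg->gce) once before the loop and returning an error there, so nothing is set up for an invalid gate list.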
--
Kees Cook
On Fri, Jun 14, 2024 at 09:50:05AM -0600, Shuah Khan wrote:
> On 6/12/24 13:59, Kees Cook wrote:
> > Convert the runtime tests of hardened usercopy to standard KUnit tests.
> >
> > Additionally disable usercopy_test_invalid() for systems with separate
> > address sp
to for-next/pstore, thanks!
[1/1] pstore: platform: add missing MODULE_DESCRIPTION() macro
https://git.kernel.org/kees/c/9b3c13c9ea4e
Take care,
--
Kees Cook
Update current email address for Kees Cook in the MAINTAINER file to
match the change from commit 4e173c825b19 ("mailmap: update entry for
Kees Cook").
Signed-off-by: Kees Cook
---
MAINTAINERS | 28 ++--
1 file changed, 14 insertions(+), 14 deletions(-)
lain why it's safe add extra bits (2 on arm64, 3 on s39 and
> x86), and those comments need to be updated accordingly.
>
> As-is, I do not think this patch is ok.
Yeah, I agree: the truncation is intentional and tuned to the
architecture.
--
Kees Cook
(struct file *filp, char __user
*buf, size_t len,
}
/* .. and now the head */
- rc = copy_to_user(buf, >buf[i], n_req * sizeof(struct dtl_entry));
+ rc = bounce_copy(buf, >buf[i], n_req * sizeof(struct dtl_entry));
if (rc)
return -EFAULT;
--
Kees Cook
Since arch_pick_mmap_layout() is an inline for non-MMU systems, disable
this test there.
Reported-by: kernel test robot
Closes:
https://lore.kernel.org/oe-kbuild-all/202406160505.ubge6tmy-...@intel.com/
Signed-off-by: Kees Cook
---
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: "Gu
On Sat, Jun 15, 2024 at 06:09:07PM +0200, Martin Uecker wrote:
> Am Freitag, dem 14.06.2024 um 12:17 +0200 schrieb Peter Zijlstra:
> > On Wed, Jun 12, 2024 at 04:23:31PM -0700, Kees Cook wrote:
> > > On Thu, Jun 13, 2024 at 12:08:21AM +0200, Peter Zijlstra wrote:
> > > >
On Fri, Jun 14, 2024 at 12:17:08PM +0200, Peter Zijlstra wrote:
> On Wed, Jun 12, 2024 at 04:23:31PM -0700, Kees Cook wrote:
> > On Thu, Jun 13, 2024 at 12:08:21AM +0200, Peter Zijlstra wrote:
> > > On Wed, Jun 12, 2024 at 12:01:19PM -0700, Kees Cook wrote:
> > >
it is documented that there is no guarantee
>that this will keep working over a kernel upgrade, then I have no
>objections.
Yeah, I should better document this for pstore as a whole, but I've already
made the call that cross-kernel-version operation is best effort.
-Kees
--
Kees Cook
On Thu, Jun 13, 2024 at 12:41:43PM +0800, David Gow wrote:
> On Thu, 13 Jun 2024 at 03:59, Kees Cook wrote:
> >
> > Hi,
> >
> > This builds on the proposal[1] from Mark and lets me convert the
> > existing usercopy selftest to KUnit. Besides adding this basic
On Thu, Jun 13, 2024 at 12:08:21AM +0200, Peter Zijlstra wrote:
> On Wed, Jun 12, 2024 at 12:01:19PM -0700, Kees Cook wrote:
> > I'm happy to take patches. And for this bikeshed, this would be better
> > named under the size_*() helpers which are trying to keep size_t
> >
ced by 0day
v2: https://lore.kernel.org/lkml/20240610213055.it.075-k...@kernel.org/
v1: https://lore.kernel.org/lkml/20240519190422.work.715-k...@kernel.org/
-Kees
[1] https://lore.kernel.org/lkml/20230321122514.1743889-2-mark.rutl...@arm.com/
Kees Cook (2):
kunit: test: Add vm_mmap() allocat
() and arch_pick_mmap_layout() aren't exported for
modules, so export these only for KUnit testing.
Link:
https://lore.kernel.org/lkml/20230321122514.1743889-2-mark.rutl...@arm.com/ [1]
Co-developed-by: Mark Rutland
Signed-off-by: Mark Rutland
Reviewed-by: David Gow
Signed-off-by: Kees Cook
-by: Vitor Massaru Iha
Link: https://lore.kernel.org/r/20200721174654.72132-1-vi...@massaru.org
Tested-by: Ivan Orlov
Reviewed-by: David Gow
Signed-off-by: Kees Cook
---
MAINTAINERS| 1 +
lib/Kconfig.debug | 21 +-
lib/Makefile
On Wed, Jun 12, 2024 at 09:21:52PM +0200, Geert Uytterhoeven wrote:
> Hi Kees,
>
> On Wed, Jun 12, 2024 at 6:51 PM Kees Cook wrote:
> > On Wed, Jun 12, 2024 at 05:13:39PM +0800, David Gow wrote:
> > > On Tue, 11 Jun 2024 at 05:33, Kees Cook wrote:
> > > > C
On Tue, Jun 11, 2024 at 09:55:42AM +0200, Peter Zijlstra wrote:
> On Mon, Jun 10, 2024 at 02:46:09PM -0700, Kees Cook wrote:
>
> > > I really detest this thing because it makes what was trivially readable
> > > into something opaque. Get me that type qualifie
s known that
> the memory is not cleared on kernel crashes or soft reboots.
>
> Signed-off-by: Steven Rostedt (Google)
Acked-by: Kees Cook
Let me know if this should go via the pstore tree, if you'd rather carry
it?
--
Kees Cook
rning: zero-length gnu_printf format
> string [-Wformat-zero-length]
> 204 | ksft_print_msg("");
> |^~
>
> Reported-by: kernel test robot
> Closes:
> https://lore.kernel.org/oe-kbuild-all/202312260235.uj5ug8k9-...@intel
the two bytes after UD1
> > if ((insn & INSN_UD_MASK) == INSN_UD1)
> > return *(u16 *)(addr + LEN_UD1);
> >
> > return BUG_UD_NONE;
> > }
> >
> > No?
>
> Thanks for the feedback.
>
> It seems that is_valid_bugaddr() needs to be implemented on all architectures
> and the function get_ud_type() replaces it here. So how should the patch
> handle
> is_valid_bugaddr()? Should the function remain as-is in traps.c despite no
> longer being used?
Yeah, this is why I'd suggested to Gatlin in early designs to reuse
is_valid_bugaddr()'s int value. It's a required function, so it seemed
sensible to just repurpose it from yes/no to no/type1/type2/type3/etc.
-Kees
--
Kees Cook
On Wed, Jun 12, 2024 at 10:20:41AM +0200, Johannes Berg wrote:
> On Wed, 2024-06-05 at 11:22 -0400, Kenton Groombridge wrote:
>
>
> > Co-authored-by: Kees Cook
> > Signed-off-by: Kenton Groombridge
> >
>
> Wait ... I don't know what Kees did here, but see
On Wed, Jun 12, 2024 at 05:13:39PM +0800, David Gow wrote:
> On Tue, 11 Jun 2024 at 05:33, Kees Cook wrote:
> >
> > Convert the runtime tests of hardened usercopy to standard KUnit tests.
> >
> > Co-developed-by: Vitor Massaru Iha
> > Signed-off-by: V
On Mon, Jun 10, 2024 at 10:05:44PM +0200, Peter Zijlstra wrote:
> On Mon, Jun 10, 2024 at 10:28:52AM -0700, Kees Cook wrote:
> > On Sat, Jun 01, 2024 at 06:56:15PM +0200, Erick Archer wrote:
> > > Hi everyone,
> > >
> > > This is an effort to get rid of
://lore.kernel.org/lkml/20230321122514.1743889-2-mark.rutl...@arm.com/ [1]
Co-developed-by: Mark Rutland
Signed-off-by: Mark Rutland
Signed-off-by: Kees Cook
---
include/kunit/test.h | 17 +++
lib/kunit/Makefile | 1 +
lib/kunit/user_alloc.c | 111 +
3
..@kernel.org/
-Kees
[1] https://lore.kernel.org/lkml/20230321122514.1743889-2-mark.rutl...@arm.com/
Kees Cook (2):
kunit: test: Add vm_mmap() allocation resource manager
usercopy: Convert test_user_copy to KUnit test
MAINTAINERS| 1 +
include
Convert the runtime tests of hardened usercopy to standard KUnit tests.
Co-developed-by: Vitor Massaru Iha
Signed-off-by: Vitor Massaru Iha
Link: https://lore.kernel.org/r/20200721174654.72132-1-vi...@massaru.org
Tested-by: Ivan Orlov
Signed-off-by: Kees Cook
---
MAINTAINERS
_kunit.c:278
Expected val_u64 == 0, but
val_u64 == -60129542144 (0xfff2)
Reported-by: David Gow
Closes:
https://lore.kernel.org/all/CABVgOSn=tb=lj9sxhut4_9mtjjkvxsq-ikdxc4kgho4cfkv...@mail.gmail.com
Fixes: b19b74bc99b1 ("x86/mm: Rework address range check in get
On Sat, Jun 08, 2024 at 04:44:10PM +0800, David Gow wrote:
> On Mon, 20 May 2024 at 03:12, Kees Cook wrote:
> >
> > Convert the runtime tests of hardened usercopy to standard KUnit tests.
> >
> > Co-developed-by: Vitor Massaru Iha
> > Signed-off-by: V
On Sat, Jun 08, 2024 at 04:44:16PM +0800, David Gow wrote:
> On Mon, 20 May 2024 at 03:12, Kees Cook wrote:
> >
> > For tests that need to allocate using vm_mmap() (e.g. usercopy and
> > execve), provide the interface to have the allocation tracked by KUnit
> > itself
On Wed, May 29, 2024 at 01:17:35PM +0100, Ivan Orlov wrote:
> On 5/19/24 20:12, Kees Cook wrote:
> > #define test(condition, msg, ...) \
> > ({
> > \
> >
On Mon, May 20, 2024 at 10:29:06AM +0100, Mark Rutland wrote:
> On Sun, May 19, 2024 at 12:12:52PM -0700, Kees Cook wrote:
> > +/* Create and attach a new mm if it doesn't already exist. */
> > +static int kunit_attach_mm(void)
> > +{
> > + struct vm_area_struct *vm
incorrect but silent (false negative).
>
> [1] commit dd06e72e68bc ("Compiler Attributes: Add __counted_by macro")
> Link: https://git.kernel.org/torvalds/c/dd06e72e68bc
>
> CC: Kees Cook
> Signed-off-by: Vincent Mailhol
> ---
> drivers/net/can/spi/mcp251xfd/mcp251xfd
f line comments to the previous line to make room and
> apply the __counted_by() attribute to the can flexible array member of
> struct pciefd_board.
>
> [1] commit dd06e72e68bc ("Compiler Attributes: Add __counted_by macro")
> Link: https://git.kernel.org/torvalds/c/dd06e72e68bc
>
.
Reported-by: Christian Schrefl
Closes:
https://lore.kernel.org/all/0bfc6b38-8bc5-4971-b6fb-dc642a73f...@gmail.com/
Suggested-by: Nathan Chancellor
Signed-off-by: Kees Cook
---
Cc: "Gustavo A. R. Silva"
Cc: linux-hardening@vger.kernel.org
---
lib/overflow_kunit.c | 20 +-
ily sized, this is exactly the kind of
place I'd like to see __counted_by used. This is a runtime robustness
improvement, so I don't see this as "churn" at all.
Peter, for patches 1 and 3, if you'd prefer not to carry them, I could
put them in the hardening tree to keep them out of your way. It seems
clear you don't want patch 2 at all.
-Kees
--
Kees Cook
ksft_set_plan(7);
> > ksft_print_msg("Running on:\n");
> > - ksft_print_msg("");
> > system("uname -a");
> > ksft_print_msg("Current BPF sysctl settings:\n");
> > /* Avoid using "sysctl" which may not be installed. */
> > - ksft_print_msg("");
> > system("grep -H . /proc/sys/net/core/bpf_jit_enable");
> > - ksft_print_msg("");
> > system("grep -H . /proc/sys/net/core/bpf_jit_harden");
> > affinity();
>
>
> thanks,
> -- Shuah
--
Kees Cook
using
> ovmf) and on Steam Deck, and it's working flawlessly. I've tested only
> using ramoops as module.
>
> Some code review in the patches themselves (like a missing
> EXPORT_SYMBOL_GPL), but all in all, that's a great addition! Feel free
> to add my:
>
> Tested-by: Guilherme G. Piccoli
Yeah, I think this looks good as long as it's understood to be a "best
effort", and will radically simplify doing qemu testing, etc. I expect I
can take v3 into -next with the fixes Guilherme noted.
-Kees
--
Kees Cook
On Thu, Jun 06, 2024 at 08:48:37PM +0300, Andy Shevchenko wrote:
> On Thu, Jun 6, 2024 at 8:46 PM Kees Cook wrote:
> >
> > On Thu, Jun 06, 2024 at 08:35:13PM +0300, Andy Shevchenko wrote:
> > > On Thu, Jun 6, 2024 at 6:56 PM Kees Cook wrote:
> > > > On T
On Thu, Jun 06, 2024 at 08:35:13PM +0300, Andy Shevchenko wrote:
> On Thu, Jun 6, 2024 at 6:56 PM Kees Cook wrote:
> > On Thu, 06 Jun 2024 15:46:09 +0100, Jean-Philippe Brucker wrote:
>
> [...]
>
> > Applied to for-next/hardening, thanks!
>
> Btw, is it possibl
ted behavior.
>*/
> - struct device_node *parent_node __free(device_node) =
> of_node_parent(of_node);
> if (!of_node_name_eq(parent_node, "reserved-memory") &&
> !pdata->console_size && !pdata->ftrace_size &&
> !pdata->pmsg_size && !pdata->ecc_info.ecc_size) {
> --
> 2.34.1
>
--
Kees Cook
rlier argument should
> specify number of elements, later size of each element
>
> [...]
Applied to for-next/hardening, thanks!
[1/1] mm/util: Swap kmemdup_array() arguments
https://git.kernel.org/kees/c/0ee14725471c
Take care,
--
Kees Cook
On Tue, Jun 04, 2024 at 04:13:32PM -0600, Tycho Andersen wrote:
> On Tue, Jun 04, 2024 at 04:02:28PM +0100, Simon Horman wrote:
> > On Fri, May 31, 2024 at 12:14:56PM -0700, Kees Cook wrote:
> > > + for (idx = 0; idx < ARRAY_SIZE(kmalloc_caches[KMALLOC_NORMAL]); idx++) {
On Tue, Jun 04, 2024 at 10:09:43AM -0700, Nikita Zhandarovich wrote:
> Hi,
>
> On 6/4/24 07:15, Jiri Kosina wrote:
> > On Tue, 4 Jun 2024, Kees Cook wrote:
> >
> >> This isn't the right solution. The problem is that hid_class_descriptor
> >> is a flexible
e flexible array:
struct hid_descriptor {
__u8 bLength;
__u8 bDescriptorType;
__le16 bcdHID;
__u8 bCountryCode;
__u8 bNumDescriptors;
struct hid_class_descriptor desc[1];
} __attribute__ ((packed));
This likely needs to be:
struct hid_class_descriptor desc[] __counted_by(bNumDescriptors);
And then check for any sizeof() uses of the struct that might have changed.
--
Kees Cook
memparse(p+1, );
>+ if (*p != ':')
>+ return -EINVAL;
>+
>+ start = memblock_phys_alloc(size, align);
>+ if (!start)
>+ return -ENOMEM;
>+
>+ p++;
>+ err = reserved_mem_add(start, size, p);
>+ if (err) {
>+ memblock_phys_free(start, size);
>+ return err;
>+ }
>+
>+ p += strlen(p);
>+
>+ return *p == '\0' ? 0: -EINVAL;
>+}
>+__setup("reserve_mem=", reserve_mem);
>+
> #if defined(CONFIG_DEBUG_FS) && defined(CONFIG_ARCH_KEEP_MEMBLOCK)
> static const char * const flagname[] = {
> [ilog2(MEMBLOCK_HOTPLUG)] = "HOTPLUG",
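Review bot: the final check "return *p == '\0' ? 0: -EINVAL;" can never fail, because the "p += strlen(p);" just before it always leaves p on the terminating NUL, so reserve_mem() returns 0 for any name once reserved_mem_add() has succeeded. Either drop those two lines and return 0 directly, or validate the name portion before calling reserved_mem_add() if trailing or malformed text is meant to be rejected. Rejecting it afterwards would also need the memblock_phys_free() that the err path already has.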
--
Kees Cook
On Mon, Jun 03, 2024 at 07:06:15PM +0200, Vlastimil Babka wrote:
> On 5/31/24 9:14 PM, Kees Cook wrote:
> > Introduce CONFIG_SLAB_BUCKETS which provides the infrastructure to
> > support separated kmalloc buckets (in the follow kmem_buckets_create()
> > patches and future cod
-url-here...".
If I've got patches to add to -next from some devel tree, I don't
cherry-pick them to my -next tree: I send them to lore, and then pull
them back down.
But the point is: send your stuff to lore. :)
--
Kees Cook
type = *(u16 *)(regs->ip + offset);
if ((type & 0xFF) != 0x40)
return;
type = (type >> 8) & 0xFF;
pr_crit("%s at %pS\n", report_ubsan_failure(regs, type), (void *)regs->ip);
--
Kees Cook
and make it a hard failure if such
cases are introduced in the future. This hasn't been a particularly
friendly solution in the past, though, as the fortify routines do tend
to grow additional coverage over time, so there may be future cases that
do trip the runtime checking...
--
Kees Cook
On Fri, May 31, 2024 at 10:49:47PM +0200, Borislav Petkov wrote:
> On Fri, May 31, 2024 at 01:46:37PM -0700, Kees Cook wrote:
> > Please do not do this. It still benefits from compile-time sanity
> > checking.
>
> Care to elaborate how exactly it benefits?
Because whe
On Fri, May 31, 2024 at 12:51:29PM -0400, Kent Overstreet wrote:
> On Fri, May 31, 2024 at 09:48:49AM -0700, Kees Cook wrote:
> > On Fri, May 24, 2024 at 11:01:40AM -0400, Kent Overstreet wrote:
> > > On Wed, Apr 24, 2024 at 02:40:59PM -0700, Kees Cook wrote:
> > > >
On Fri, May 31, 2024 at 09:08:16PM +0200, Borislav Petkov wrote:
> On Fri, May 31, 2024 at 09:53:28AM -0700, Kees Cook wrote:
> > Under CONFIG_FORTIFY_SOURCE, the boot code *does* still use
> > fortify-string.h. It lets us both catch mistakes we can discover at
> > c
-writeup.html [3]
Link: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html [4]
Link:
https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
[5]
Link: https://zplin.me/papers/ELOISE.pdf [6]
Link: https://syst3mfailure.io/wall-of-perdition/ [7]
Signed-off-by: Kees Cook
://github.com/a13xp0p0v/kernel-hack-drill/blob/master/drill_exploit_uaf.c
[4]
Signed-off-by: Kees Cook
---
Cc: "GONG, Ruiqi"
Cc: Xiu Jianfeng
Cc: Suren Baghdasaryan
Cc: Kent Overstreet
Cc: Jann Horn
Cc: Matteo Rizzo
Cc: jvoisin
Cc: linux...@kvack.org
---
mm/util.c | 14 +++
Encapsulate the concept of a single set of kmem_caches that are used
for the kmalloc size buckets. Redefine kmalloc_caches as an array
of these buckets (for the different global cache buckets).
Signed-off-by: Kees Cook
---
Cc: Vlastimil Babka
Cc: Christoph Lameter
Cc: Pekka Enberg
Cc: David
nk:
https://googleprojectzero.blogspot.com/2021/10/how-simple-linux-kernel-memory.html
[2]
Link:
https://lore.kernel.org/lkml/20230915105933.495735-1-matteori...@google.com/ [3]
Signed-off-by: Kees Cook
---
Cc: Vlastimil Babka
Cc: Christoph Lameter
Cc: Pekka Enberg
Cc: David Rientjes
Cc: Joonsoo Kim
Cc: j
Plumb kmem_buckets arguments through kvmalloc_node_noprof() so it is
possible to provide an API to perform kvmalloc-style allocations with
a particular set of buckets. Introduce kvmalloc_buckets_node() that takes a
kmem_buckets argument.
Signed-off-by: Kees Cook
---
Cc: Vlastimil Babka
Cc
g/blog/2023/07-prctl-anon_vma_name-an-amusing-heap-spray/ [1]
Link: https://duasynt.com/blog/linux-kernel-heap-spray [2]
Link: https://etenal.me/archives/1336 [3]
Link:
https://github.com/a13xp0p0v/kernel-hack-drill/blob/master/drill_exploit_uaf.c
[4]
Thanks!
-Kees
Kees Cook (6):
The actual extern
functions can then be built without the argument, and the internals
fall back to the global kmalloc buckets unconditionally.
Signed-off-by: Kees Cook
---
Cc: Vlastimil Babka
Cc: Christoph Lameter
Cc: Pekka Enberg
Cc: David Rientjes
Cc: Joonsoo Kim
Cc: jvoisin
Cc: Andrew Morton
__kmalloc_node() is considered an "internal" function to the Slab, so
drop it from explicit testing.
Signed-off-by: Kees Cook
---
Cc: Vlastimil Babka
Cc: linux...@kvack.org
Cc: linux-hardening@vger.kernel.org
---
lib/fortify_kunit.c | 3 ---
1 file changed, 3 deletions(-)
diff -
took guidance from him :)
>
> The more important question is how does the decompressor build even know of
> this symbol? And then make it forget it again instead of adding silly
> prototypes...
Under CONFIG_FORTIFY_SOURCE, the boot code *does* still use
fortify-string.h. It lets us both catch mistakes we can discover at
compile and will catch egregious runtime mistakes, though the reporting
is much simpler in the boot code.
--
Kees Cook
On Fri, May 24, 2024 at 11:01:40AM -0400, Kent Overstreet wrote:
> On Wed, Apr 24, 2024 at 02:40:59PM -0700, Kees Cook wrote:
> > To be able to choose which buckets to allocate from, make the buckets
> > available to the lower level kmalloc interfaces by adding them as the
>
On Fri, May 24, 2024 at 03:38:58PM +0200, Vlastimil Babka wrote:
> On 4/24/24 11:40 PM, Kees Cook wrote:
> > To be able to choose which buckets to allocate from, make the buckets
> > available to the lower level kmalloc interfaces by adding them as the
> > first argum
On Fri, May 24, 2024 at 10:54:58AM -0400, Kent Overstreet wrote:
> On Wed, Apr 24, 2024 at 02:40:57PM -0700, Kees Cook wrote:
> > Hi,
> >
> > Series change history:
> >
> > v3:
> > - clarify rationale and purpose in commit log
> > - rebase to
On Fri, May 24, 2024 at 03:43:33PM +0200, Vlastimil Babka wrote:
> On 4/24/24 11:41 PM, Kees Cook wrote:
> > Dedicated caches are available for fixed size allocations via
> > kmem_cache_alloc(), but for dynamically sized allocations there is only
> > the global kmalloc
or("detected buffer overflow");
}
+#endif
Jeff, can you test this? (I still haven't been able to reproduce the
warning.)
--
Kees Cook
gt; > > + type = (type >> 8) & 0xFF;
> > > > > + }
> > > > > + pr_crit("%s at %pS\n", report_ubsan_failure(regs, type),
> > > > > (void *)regs->ip);
> > > > > +
> > > > > + return BUG_TRAP_TYPE_NONE;
> > > > > +}
> > > >
> > > > Shouldn't this return BUG_TRAP_TYPE_WARN?
> > >
> > > So as far as I understand, UBSAN trap mode never warns. Perhaps it does on
> > > arm64, although it calls die() so I am unsure. Maybe the condition in
> > > handle_bug() should be rewritten in the case of UBSAN ud1s? Do you have
> > > any
> > > suggestions?
> >
> > AFAIK on arm64 it's basically a kernel OOPS.
> >
> > The main thing I just wanted to point out though is that your newly added
> > branch
> >
> > > if (handle_ubsan_failure(regs, insn) == BUG_TRAP_TYPE_WARN) {
> >
> > will never be taken, because I don't see where handle_ubsan_failure()
> > returns BUG_TRAP_TYPE_WARN.
> >
>
> Initially I wrote this with some symmetry to the KCFI checks nearby, but I
> was unsure if this would be considered handled or not.
Yeah, that seemed like the right "style" to me too. Perhaps, since it
can never warn, we could just rewrite it so it's a void function and avoid
the checking, etc.
--
Kees Cook
On Wed, May 29, 2024 at 10:09:45AM -0700, Jeff Johnson wrote:
> On 5/29/2024 9:55 AM, Kees Cook wrote:
> > On Wed, May 29, 2024 at 07:36:25AM -0700, Jeff Johnson wrote:
> >> 'make W=1 C=1' on x86 gives the warning:
> >> arch/x86/boot/compressed/misc.c:535:6: warni
a prototype to a header file that is only
> for the benefit of the callee and is not the prototype/header used by the
> caller, in this case the one in include/linux/fortify-string.h
The stuff in boot/ doesn't tend to include fortify-string.h (since it's
sort of "outside" the kernel), hence the need for additional prototypes.
--
Kees Cook
t
> "crazy" number of relocations which have no practical purpose.
>
> *) Well IGT tests might get upset but they can be easily adjusted.
>
> Signed-off-by: Tvrtko Ursulin
Thanks for fixing this!
Reviewed-by: Kees Cook
--
Kees Cook
On Tue, May 14, 2024 at 12:52:13PM -0700, Kees Cook wrote:
> On Tue, May 14, 2024 at 10:46:46AM -0700, Andrew Morton wrote:
> > On Mon, 15 Apr 2024 16:35:19 + jef...@chromium.org wrote:
> >
> > > This patchset proposes a new mseal() syscall for the Linux kernel.
>
Reported-by: syzbot+50835f73143cc2905...@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/19f4c00619192...@google.com/
Fixes: 744a56389f73 ("ext4: replace deprecated strncpy with alternatives")
Signed-off-by: Kees Cook
---
Cc: "Theodore Ts'o"
Cc: Ju
const unsigned int nreloc = eb->exec[i].relocation_count;
...
size = nreloc * sizeof(*relocs);
relocs = kvmalloc_array(1, size, GFP_KERNEL);
So something isn't checking the "relocation_count" size that I assume is
coming in from the ioctl?
-Kees
--
Kees Cook
.org/lkml/ca+55afwqed_d40g4mucssvrzzrfpujt74vc6pppb675hynx...@mail.gmail.com/
--
Kees Cook
.
-Kees
[1]
https://lore.kernel.org/linux-hardening/20240519190422.work.715-k...@kernel.org/
Kees Cook (2):
exec: Add KUnit test for bprm_stack_limits()
exec: Avoid pathological argc, envc, and bprm->p values
MAINTAINERS | 2 +
fs/Kconfig.binfmt | 8 +++
fs/exec.c |
Make sure nothing goes wrong with the string counters or the bprm's
belief about the stack pointer. Add checks and matching self-tests.
For 32-bit validation, this was run under 32-bit UML:
$ tools/testing/kunit/kunit.py run --make_options SUBARCH=i386 exec
Signed-off-by: Kees Cook
---
Cc: Eric
Since bprm_stack_limits() operates with very limited side-effects, add
it as the first exec.c KUnit test. Add to Kconfig and adjust MAINTAINERS
file to include it.
Tested on 64-bit UML:
$ tools/testing/kunit/kunit.py run exec
Signed-off-by: Kees Cook
---
Cc: Eric Biederman
Cc: Justin Stitt
Cc
Convert the runtime tests of hardened usercopy to standard KUnit tests.
Co-developed-by: Vitor Massaru Iha
Signed-off-by: Vitor Massaru Iha
Link: https://lore.kernel.org/r/20200721174654.72132-1-vi...@massaru.org
Signed-off-by: Kees Cook
---
MAINTAINERS| 1
sic infrastructure for adding Mark's much more complete usercopy tests.
-Kees
[1] https://lore.kernel.org/lkml/20230321122514.1743889-2-mark.rutl...@arm.com/
Kees Cook (2):
kunit: test: Add vm_mmap() allocation resource manager
usercopy: Convert test_user_copy to KUnit test
MAINTAIN
://lore.kernel.org/lkml/20230321122514.1743889-2-mark.rutl...@arm.com/ [1]
Co-developed-by: Mark Rutland
Signed-off-by: Mark Rutland
Signed-off-by: Kees Cook
---
include/kunit/test.h | 17 ++
lib/kunit/test.c | 139 ++-
2 files changed, 155 insertions(+), 1
> So, let's use this helper here.
>
> Signed-off-by: Guilherme G. Piccoli
Ah yeah, good idea!
Reviewed-by: Kees Cook
--
Kees Cook
On Sat, May 18, 2024 at 10:23:54PM +0200, Alexandre Belloni wrote:
> On 17/05/2024 17:16:58-0700, Kees Cook wrote:
> > Argument processing is specific to the test harness code. Any optional
> > information needs to be passed via environment variables. Move alternate
> >
or is
> enabled for test builds.
>
> Rearrange arithmetic and use check_add_overflow() for validating the
> allocation size to avoid the overflow.
>
> Fixes: a61ddb4393ad ("drm: enable (most) W=1 warnings by default across the
> subsystem")
> Cc: Javier Martinez Canillas
>
When memcmp() returns a non-zero value, only the signed bit has any
meaning. The actual value may differ between implementations.
Reported-by: Nathan Chancellor
Closes: https://github.com/ClangBuiltLinux/linux/issues/2025
Tested-by: Nathan Chancellor
Signed-off-by: Kees Cook
---
Cc: linux
aling()
>
> Link:
> https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments
> [1]
> Link: https://github.com/KSPP/linux/issues/160 [2]
> Signed-off-by: Christophe JAILLET
Yes please! :)
Reviewed-by: Kees Cook
--
Kees Cook
_host_cmd
> *cmd)
> out_meta->callback = cmd->callback;
>
> out_cmd->hdr.cmd = cmd->id;
> - memcpy(_cmd->cmd.payload, cmd->data, cmd->len);
> + memcpy(_cmd->hdr.data, cmd->data, cmd->len);
>
> /* At this point, the out_cmd now has all of the incoming cmd
>* information */
--
Kees Cook
ter yet, since "sizeof(*args) + size" is repeated 3 times in the
function, I'd recommend:
...
u32 args_size;
if (check_add_overflow(sizeof(*args), size, &args_size))
return -ENOMEM;
if (args_size > sizeof(stack)) {
if (!(args = kmalloc(args_size, GFP_KERNEL)))
return -ENOMEM;
} else {
args = (void *)stack;
}
...
ret = nvif_object_ioctl(object, args, args_size, NULL);
This will catch the u32 overflow to nvif_object_ioctl(), catch an
allocation underflow on 32-bit systems, and make the code more
readable. :)
-Kees
--
Kees Cook
I'd still like to replace
all the open-coded TEST_HARNESS_MAIN calls, though.
--
Kees Cook
Instead of mixing selftest harness and ksft helpers, perform SKIP
testing from the FIXTURE_SETUPs. This also means TEST_HARNESS_MAIN does
not need to be open-coded.
Signed-off-by: Kees Cook
---
Cc: Christian Borntraeger
Cc: Janosch Frank
Cc: Claudio Imbrenda
Cc: David Hildenbrand
Cc: Shuah
Avoid open-coding TEST_HARNESS_MAIN. (It might change, for example.)
Signed-off-by: Kees Cook
---
Cc: Jiri Kosina
Cc: Benjamin Tissoires
Cc: Shuah Khan
Cc: Masahiro Yamada
Cc: linux-in...@vger.kernel.org
Cc: linux-kselftest@vger.kernel.org
---
tools/testing/selftests/hid/hid_bpf.c | 12
be done in the FIXTURE_SETUP(). With
this adjustment, also improve the error reporting when the device cannot
be opened.
Signed-off-by: Kees Cook
---
Cc: Alexandre Belloni
Cc: Shuah Khan
Cc: Masahiro Yamada
Cc: linux-...@vger.kernel.org
Cc: linux-kselftest@vger.kernel.org
---
tools/testing
gt; }
>
> -static void __attribute__((constructor))
> -__constructor_order_last(void)
> -{
> - if (!__constructor_order)
> - __constructor_order = _CONSTRUCTOR_ORDER_BACKWARD;
> -}
> -
> int main(int argc, char **argv)
> {
> switch (argc) {
A better question is why these tests are open-coding the execution of
"main"...
--
Kees Cook