[PATCH v2 33/63] lib: Introduce CONFIG_TEST_MEMCPY

2021-08-17 Thread Kees Cook
Before changing anything about memcpy(), memmove(), and memset(), add run-time tests to check basic behaviors for any regressions. Signed-off-by: Kees Cook --- lib/Kconfig.debug | 7 ++ lib/Makefile | 1 + lib/test_memcpy.c | 264 ++ 3 files

[PATCH v2 58/63] ethtool: stats: Use struct_group() to clear all stats at once

2021-08-17 Thread Kees Cook
() call. Cc: "David S. Miller" Cc: Jakub Kicinski Cc: Ido Schimmel Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- net/ethtool/stats.c | 15 +++ 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/net/ethtool/stats.c b/net/ethtool/stats.c index ec

[PATCH v2 55/63] HID: roccat: Use struct_group() to zero kone_mouse_event

2021-08-17 Thread Kees Cook
Cc: Benjamin Tissoires Cc: linux-in...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/hid/hid-roccat-kone.c | 2 +- drivers/hid/hid-roccat-kone.h | 12 +++- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/drivers/hid/hid-roccat-kone.c b/drivers/hid/hid-roccat-kone.c

[PATCH v2 52/63] cm4000_cs: Use struct_group() to zero struct cm4000_dev region

2021-08-17 Thread Kees Cook
: Greg Kroah-Hartman Signed-off-by: Kees Cook Acked-by: Greg Kroah-Hartman Link: https://lore.kernel.org/lkml/yqdvxaofjli1j...@kroah.com --- drivers/char/pcmcia/cm4000_cs.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char

[PATCH v2 54/63] dm integrity: Use struct_group() to zero struct journal_sector

2021-08-17 Thread Kees Cook
Cc: dm-de...@redhat.com Signed-off-by: Kees Cook --- drivers/md/dm-integrity.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c index 40f8116c8e44..59deea0dd305 100644 --- a/drivers/md/dm-integrity.c +++ b/drivers/md

[PATCH v2 49/63] btrfs: Use memset_startat() to clear end of struct

2021-08-17 Thread Kees Cook
rting point of zeroing through the end of the struct. Cc: Chris Mason Cc: Josef Bacik Cc: David Sterba Cc: linux-bt...@vger.kernel.org Signed-off-by: Kees Cook --- fs/btrfs/root-tree.c | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/fs/btrfs/root-tree.c b/fs/btrfs

[PATCH v2 50/63] tracing: Use memset_startat() to zero struct trace_iterator

2021-08-17 Thread Kees Cook
Signed-off-by: Kees Cook --- kernel/trace/trace.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 13587e771567..9ff8c31975cd 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -6691,9 +6691,7 @@ tracing_read_pipe

[PATCH v2 25/63] compiler_types.h: Remove __compiletime_object_size()

2021-08-17 Thread Kees Cook
: Oleg Nesterov Signed-off-by: Kees Cook --- include/linux/compiler-gcc.h | 2 -- include/linux/compiler_types.h | 4 include/linux/thread_info.h| 2 +- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h index

[PATCH v2 26/63] lib/string: Move helper functions out of string.c

2021-08-17 Thread Kees Cook
Chancellor Cc: Alexey Dobriyan Cc: Stephen Rothwell Cc: Bartosz Golaszewski Signed-off-by: Kees Cook --- arch/arm/boot/compressed/string.c | 1 + arch/s390/lib/string.c| 3 + arch/x86/boot/compressed/misc.h | 2 + arch/x86/boot/compressed/pgtable_64.c | 2 + arch

[PATCH v2 20/63] drm/mga/mga_ioc32: Use struct_group() for memcpy() region

2021-08-17 Thread Kees Cook
Cc: David Airlie Cc: Lee Jones Cc: dri-devel@lists.freedesktop.org Signed-off-by: Kees Cook Acked-by: Daniel Vetter Link: https://lore.kernel.org/lkml/YQKa76A6XuFqgM03@phenom.ffwll.local --- drivers/gpu/drm/mga/mga_ioc32.c | 27 ++- include/uapi/drm

[PATCH v2 38/63] xfrm: Use memset_after() to clear padding

2021-08-17 Thread Kees Cook
the last struct member. There is no change to the resulting machine code. Cc: Steffen Klassert Cc: Herbert Xu Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- net/xfrm/xfrm_policy.c | 4 +--- net/xfrm/xfrm_user.c | 2 +- 2 files ch

[PATCH v2 43/63] net: qede: Use memset_startat() for counters

2021-08-17 Thread Kees Cook
Elior Cc: gr-everest-linux...@marvell.com Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/qlogic/qede

[PATCH v2 41/63] net: 802: Use memset_startat() to clear struct fields

2021-08-17 Thread Kees Cook
rting point of zeroing through the end of the struct. Cc: Jes Sorensen Cc: "David S. Miller" Cc: Jakub Kicinski Cc: linux-hi...@sunsite.dk Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- net/802/hippi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/80

[PATCH v2 15/63] intersil: Use struct_group() for memcpy() region

2021-08-17 Thread Kees Cook
rel...@vger.kernel.org Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/wireless/intersil/hostap/hostap_hw.c | 5 +++-- drivers/net/wireless/intersil/hostap/hostap_wlan.h | 14 -- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/

[PATCH v2 56/63] RDMA/mlx5: Use struct_group() to zero struct mlx5_ib_mr

2021-08-17 Thread Kees Cook
: Jason Gunthorpe Cc: linux-r...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/infiniband/hw/mlx5/mlx5_ib.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mlx5/mlx5_ib.h b/drivers/infiniband/hw/mlx5/mlx5_ib.h index bf20a388eabe..f63bf204a7a1

[PATCH v2 17/63] bnx2x: Use struct_group() for memcpy() region

2021-08-17 Thread Kees Cook
e struct group sizes. Cc: Ariel Elior Cc: Sudarsana Kalluru Cc: gr-everest-linux...@marvell.com Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c | 7 --- drivers/net/etherne

[PATCH v2 51/63] drbd: Use struct_group() to zero algs

2021-08-17 Thread Kees Cook
: Jens Axboe Cc: drbd-...@lists.linbit.com Cc: linux-bl...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/block/drbd/drbd_main.c | 3 ++- drivers/block/drbd/drbd_protocol.h | 6 -- drivers/block/drbd/drbd_receiver.c | 3 ++- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git

[PATCH v2 16/63] cxgb4: Use struct_group() for memcpy() region

2021-08-17 Thread Kees Cook
mp -d" shows no object code changes. Cc: Raju Rangoju Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/ethernet/chelsio/cxgb4/sge.c | 8 +--- drivers/net/ethernet/chelsio/cxgb4/t4fw_api.h | 10 ++

[PATCH v2 27/63] fortify: Move remaining fortify helpers into fortify-string.h

2021-08-17 Thread Kees Cook
is requires that any FORTIFY helper function prototypes be conditionally built to avoid "no prototype" warnings. Additionally removes unused helpers. Cc: Andrew Morton Cc: Francis Laniel Cc: Daniel Axtens Cc: Vincenzo Frascino Cc: Andrey Konovalov Cc: Dan Williams Signed-off-by: Kees Co

[PATCH v2 18/63] drm/amd/pm: Use struct_group() for memcpy() region

2021-08-17 Thread Kees Cook
un Gao Cc: Jiawei Gu Cc: Evan Quan Cc: amd-...@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org Signed-off-by: Kees Cook Acked-by: Alex Deucher Link: https://lore.kernel.org/lkml/cadnq5_npb8uyvd+r4uhgf-w8-cqj3joodjvijr_y9w9wqj7...@mail.gmail.com --- drivers/gpu/drm/a

[PATCH v2 44/63] mac80211: Use memset_after() to clear tx status

2021-08-17 Thread Kees Cook
_MAX_RATES") but was harmless. Also drops the associated unneeded BUILD_BUG_ON()s, and adds a note to carl9170 about usage. Cc: Johannes Berg Cc: "David S. Miller" Cc: Jakub Kicinski Cc: linux-wirel...@vger.kernel.org Cc: net...@vger.kernel.org Signed-off-by: Kees Cook ---

[PATCH v2 48/63] IB/mthca: Use memset_startat() for clearing mpt_entry

2021-08-17 Thread Kees Cook
rting point of zeroing through the end of the struct. Cc: Doug Ledford Cc: Jason Gunthorpe Cc: Max Gurtovoy Cc: linux-r...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/infiniband/hw/mthca/mthca_mr.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/infiniba

[PATCH v2 39/63] ipv6: Use memset_after() to zero rt6_info

2021-08-17 Thread Kees Cook
HIFUJI Cc: David Ahern Cc: Jakub Kicinski Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- net/ipv6/route.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 6cf4bb89ca69..bd0ab3e436e7 100644 --- a/net/ipv6/route.c +++

[PATCH v2 46/63] iw_cxgb4: Use memset_startat() for cpl_t5_pass_accept_rpl

2021-08-17 Thread Kees Cook
e Cc: Raju Rangoju Cc: "David S. Miller" Cc: Jakub Kicinski Cc: linux-r...@vger.kernel.org Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/infiniband/hw/cxgb4/cm.c| 5 +++-- drivers/net/ethernet/chelsio/cxgb4/t4_msg.h | 2 +- 2 files changed, 4 insertions(

[PATCH v2 40/63] netfilter: conntrack: Use memset_startat() to zero struct nf_conn

2021-08-17 Thread Kees Cook
Kadlecsik Cc: Florian Westphal Cc: "David S. Miller" Cc: Jakub Kicinski Cc: netfilter-de...@vger.kernel.org Cc: coret...@netfilter.org Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- net/netfilter/nf_conntrack_core.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) di

[PATCH v2 19/63] staging: wlan-ng: Use struct_group() for memcpy() region

2021-08-17 Thread Kees Cook
x_tx_frame. "objdump -d" shows no meaningful object code changes (i.e. only source line number induced differences.) Cc: Greg Kroah-Hartman Cc: Rustam Kovhaev Cc: syzbot+22794221ab96b0bab...@syzkaller.appspotmail.com Cc: Allen Pais Cc: Romain Perier Cc: linux-stag...@lists.linux.dev Sign

[PATCH v2 53/63] KVM: x86: Use struct_group() to zero decode cache

2021-08-17 Thread Kees Cook
Christopherson Cc: Vitaly Kuznetsov Cc: Wanpeng Li Cc: Jim Mattson Cc: Joerg Roedel Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: x...@kernel.org Cc: "H. Peter Anvin" Cc: k...@vger.kernel.org Signed-off-by: Kees Cook --- arch/x86/kvm/emulate.c | 3 +-- arch/x86/kvm/kvm

[PATCH v2 61/63] powerpc: Split memset() to avoid multi-field overflow

2021-08-17 Thread Kees Cook
. Cc: Benjamin Herrenschmidt Cc: Qinglang Miao Cc: "Gustavo A. R. Silva" Cc: Hulk Robot Cc: Wang Wensheng Cc: linuxppc-...@lists.ozlabs.org Signed-off-by: Kees Cook Reviewed-by: Michael Ellerman Link: https://lore.kernel.org/lkml/87czqsnmw9@mpe.ellerman.id.au --- drivers/macin

[PATCH v2 35/63] fortify: Detect struct member overflows in memmove() at compile-time

2021-08-17 Thread Kees Cook
As done for memcpy(), also update memmove() to use the same tightened compile-time checks under CONFIG_FORTIFY_SOURCE. Signed-off-by: Kees Cook --- arch/x86/boot/compressed/misc.c | 3 ++- arch/x86/lib/memcpy_32.c | 1 + include/linux/fortify-string.h

[PATCH v2 08/63] bnxt_en: Use struct_group_attr() for memcpy() region

2021-08-17 Thread Kees Cook
aningful object code changes (i.e. only source line number induced differences and optimizations). Cc: Michael Chan Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Michael Chan Link: https://lore.kernel.org/lkml/CACKFLinDc6

[PATCH v2 01/63] ipw2x00: Avoid field-overflowing memcpy()

2021-08-17 Thread Kees Cook
Cc: linux-wirel...@vger.kernel.org Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- .../net/wireless/intel/ipw2x00/libipw_rx.c| 56 ++- 1 file changed, 17 insertions(+), 39 deletions(-) diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_rx.c b/drivers/net/wireless/int

[PATCH v2 62/63] fortify: Detect struct member overflows in memset() at compile-time

2021-08-17 Thread Kees Cook
As done for memcpy(), also update memset() to use the same tightened compile-time bounds checking under CONFIG_FORTIFY_SOURCE. Signed-off-by: Kees Cook --- include/linux/fortify-string.h| 54 --- .../write_overflow_field-memset.c | 5 ++ 2 files

[PATCH v2 03/63] rpmsg: glink: Replace strncpy() with strscpy_pad()

2021-08-17 Thread Kees Cook
n Cc: Ohad Ben-Cohen Cc: Mathieu Poirier Cc: linux-arm-...@vger.kernel.org Cc: linux-remotep...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Link: https://lore.kernel.org/lkml/20210728020745.GB35706@embeddedor --- drivers/rpmsg/qcom_glink_native.c |

[PATCH v2 02/63] net/mlx5e: Avoid field-overflowing memcpy()

2021-08-17 Thread Kees Cook
" Cc: Jakub Kicinski Cc: Alexei Starovoitov Cc: Daniel Borkmann Cc: Jesper Dangaard Brouer Cc: John Fastabend Cc: net...@vger.kernel.org Cc: linux-r...@vger.kernel.org Cc: b...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/ethernet/mellanox/mlx5/core/en.h | 4 ++-- drivers/

[PATCH v2 14/63] cxgb3: Use struct_group() for memcpy() region

2021-08-17 Thread Kees Cook
Cc: Raju Rangoju Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/ethernet/chelsio/cxgb3/sge.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/chelsio/cxgb3/sge.c b/drivers/ne

[PATCH v2 30/63] fortify: Prepare to improve strnlen() and strlen() warnings

2021-08-17 Thread Kees Cook
In order to have strlen() use fortified strnlen() internally, swap their positions in the source. Doing this as part of later changes makes review difficult, so reorder it here; no code changes. Cc: Francis Laniel Signed-off-by: Kees Cook --- include/linux/fortify-string.h | 22

[PATCH v2 60/63] net/af_iucv: Use struct_group() to zero struct iucv_sock region

2021-08-17 Thread Kees Cook
_group()? [-Wattribute-warning] 199 |__write_overflow_field(p_size_field, size); |^~ Cc: Julian Wiedmann Cc: Karsten Graul Cc: "David S. Miller" Cc: Jakub Kicinski Cc: linux-s...@vger.kernel.org Cc: net...@vger.kernel.org Signed-

[PATCH v2 10/63] libertas: Use struct_group() for memcpy() region

2021-08-17 Thread Kees Cook
ges. Cc: Kalle Valo Cc: "David S. Miller" Cc: Jakub Kicinski Cc: libertas-...@lists.infradead.org Cc: linux-wirel...@vger.kernel.org Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/wireless/marvell/libertas/host.h | 10 ++ drivers/net/wireless/marvell

[PATCH v2 07/63] skbuff: Switch structure bounds to struct_group()

2021-08-17 Thread Kees Cook
changes). Cc: "Jason A. Donenfeld" Cc: "David S. Miller" Cc: Jakub Kicinski Cc: Jonathan Lemon Cc: Alexander Lobakin Cc: Jakub Sitnicki Cc: Marco Elver Cc: Willem de Bruijn Cc: wiregu...@lists.zx2c4.com Cc: net...@vger.kernel.org Signed-off-by: Kees Cook Reviewed

[PATCH v2 04/63] pcmcia: ray_cs: Split memcpy() to avoid bounds check warning

2021-08-17 Thread Kees Cook
"David S. Miller" Cc: Jakub Kicinski Cc: linux-wirel...@vger.kernel.org Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/wireless/ray_cs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_

[PATCH v2 63/63] fortify: Work around Clang inlining bugs

2021-08-17 Thread Kees Cook
GCC builds, but allows Clang to finally gain full FORTIFY coverage. However, because of a third bug which had no work-arounds, FORTIFY_SOURCE will only work with Clang version 13 and later. Update the Kconfig to reflect the new requirements. Signed-off-by: Kees Cook --- include/linux/fortif

[PATCH v2 00/63] Introduce strict memcpy() bounds checking

2021-08-17 Thread Kees Cook
Hi, This patch series (based on next-20210816) implements stricter (no struct member overflows) bounds checking for memcpy(), memmove(), and memset() under CONFIG_FORTIFY_SOURCE. To quote a later patch in the series: tl;dr: In order to eliminate a large class of common buffer overflow fla

[PATCH v2 34/63] fortify: Detect struct member overflows in memcpy() at compile-time

2021-08-17 Thread Kees Cook
where a higher level type's allocation size does not match the resulting cast type eventually passed to a deeper memcpy() call where the compiler cannot see the true type. In theory, greater static analysis could catch these. [0] https://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.htm

[PATCH v2 05/63] stddef: Introduce struct_group() helper macro

2021-08-17 Thread Kees Cook
uct_group_typed() is added. Given there is a need for a handful of UAPI uses too, the underlying __struct_group() macro has been defined in UAPI so it can be used there too. Co-developed-by: Keith Packard Signed-off-by: Keith Packard Signed-off-by: Kees Cook Acked-by: Gustavo A. R. Silva Link: h

[PATCH v2 42/63] net: dccp: Use memset_startat() for TP zeroing

2021-08-17 Thread Kees Cook
rting point of zeroing through the end of the struct. Cc: "David S. Miller" Cc: Jakub Kicinski Cc: d...@vger.kernel.org Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- net/dccp/trace.h | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/net/dccp/trace.h b/n

[PATCH v2 36/63] scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp

2021-08-17 Thread Kees Cook
's what is being wiped. Cc: Tyrel Datwyler Cc: Michael Ellerman Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-s...@vger.kernel.org Cc: linuxppc-...@lists.ozlabs.org Signed-off-by: Kees Cook Acked-by:

[PATCH v2 31/63] fortify: Allow strlen() and strnlen() to pass compile-time known lengths

2021-08-17 Thread Kees Cook
Under CONFIG_FORTIFY_SOURCE, it is possible for the compiler to perform strlen() and strnlen() at compile-time when the string size is known. This is required to support compile-time overflow checking in strlcpy(). Signed-off-by: Kees Cook --- include/linux/fortify-string.h | 47

[PATCH v2 23/63] media: omap3isp: Use struct_group() for memcpy() region

2021-08-17 Thread Kees Cook
zero-filled to avoid undefined behavior. Fixes: 378e3f81cb56 ("media: omap3isp: support 64-bit version of omap3isp_stat_data") Signed-off-by: Kees Cook --- drivers/media/platform/omap3isp/ispstat.c | 5 +++-- include/uapi/linux/omap3isp.h | 21 + 2 file

[PATCH v2 47/63] intel_th: msu: Use memset_startat() for clearing hw header

2021-08-17 Thread Kees Cook
rting point of zeroing through the end of the struct. Cc: Alexander Shishkin Signed-off-by: Kees Cook --- drivers/hwtracing/intel_th/msu.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/hwtracing/intel_th/msu.c b/drivers/hwtracing/intel_th/msu.c index 432ade0

[PATCH v2 28/63] fortify: Explicitly disable Clang support

2021-08-17 Thread Kees Cook
the fortify routines have been rearranged. Update the Kconfig to reflect the reality of the current situation. Signed-off-by: Kees Cook --- security/Kconfig | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/Kconfig b/security/Kconfig index 0ced7fd33e4d..fe6c0395fa02 100644 --- a

[PATCH v2 59/63] can: flexcan: Use struct_group() to zero struct flexcan_regs regions

2021-08-17 Thread Kees Cook
of field (1st parameter); maybe use struct_group()? [-Wattribute-warning] 199 |__write_overflow_field(p_size_field, size); |^~ Cc: Wolfgang Grandegger Cc: Marc Kleine-Budde Cc: "David S. Miller" Cc: Jakub Kicinski Cc: linux-...@vger.kernel.or

[PATCH v2 12/63] thermal: intel: int340x_thermal: Use struct_group() for memcpy() region

2021-08-17 Thread Kees Cook
line number induced differences). Cc: Zhang Rui Cc: Daniel Lezcano Cc: Amit Kucheria Cc: linux...@vger.kernel.org Signed-off-by: Kees Cook --- .../intel/int340x_thermal/acpi_thermal_rel.c | 5 +- .../intel/int340x_thermal/acpi_thermal_rel.h | 48 ++- 2 files changed, 29 inserti

[PATCH v2 11/63] libertas_tf: Use struct_group() for memcpy() region

2021-08-17 Thread Kees Cook
object code changes. Cc: Kalle Valo Cc: "David S. Miller" Cc: Jakub Kicinski Cc: Lee Jones Cc: YueHaibing Cc: linux-wirel...@vger.kernel.org Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/wireless/marvell/libertas_tf/libertas_tf.h | 10 ++ drivers/ne

[PATCH v2 09/63] mwl8k: Use struct_group() for memcpy() region

2021-08-17 Thread Kees Cook
"objdump -d" shows no object code changes. Cc: Lennert Buytenhek Cc: Kalle Valo Cc: "David S. Miller" Cc: Jakub Kicinski Cc: wengjianfeng Cc: Lv Yunlong Cc: Arnd Bergmann Cc: Christophe JAILLET Cc: Allen Pais Cc: linux-wirel...@vger.kernel.org Cc: net...@vger.kerne

[PATCH v2 37/63] string.h: Introduce memset_after() for wiping trailing members/padding

2021-08-17 Thread Kees Cook
't include any preceding padding. Cc: Steffen Klassert Cc: Herbert Xu Cc: "David S. Miller" Cc: Jakub Kicinski Cc: Andrew Morton Cc: Francis Laniel Cc: Vincenzo Frascino Cc: Daniel Axtens Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- include/linu

[PATCH v2 29/63] fortify: Fix dropped strcpy() compile-time write overflow check

2021-08-17 Thread Kees Cook
tring functions") Cc: Daniel Axtens Cc: Francis Laniel Signed-off-by: Kees Cook --- include/linux/fortify-string.h | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index 7e67d02764db..68bc5978d916 100644 ---

[PATCH v2 13/63] iommu/amd: Use struct_group() for memcpy() region

2021-08-17 Thread Kees Cook
erg Roedel Cc: Will Deacon Cc: io...@lists.linux-foundation.org Signed-off-by: Kees Cook --- drivers/iommu/amd/init.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c index bdcf167b4afe..70506d6175e9 100644 --- a/driv

[PATCH v2 24/63] sata_fsl: Use struct_group() for memcpy() region

2021-08-17 Thread Kees Cook
~~~ Cc: Jens Axboe Cc: linux-...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/ata/sata_fsl.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c index e5838b23c9e0..fec3c9032606 100644 --- a/drivers/ata/sata_fsl.c +++ b/dr

[PATCH v2 06/63] cxl/core: Replace unions with struct_group()

2021-08-17 Thread Kees Cook
/1d9a2e6df2a9a35b2cdd50a9a68cac5991e7e5f0.ca...@intel.com Signed-off-by: Kees Cook --- drivers/cxl/cxl.h | 61 ++- 1 file changed, 18 insertions(+), 43 deletions(-) diff --git a/drivers/cxl/cxl.h b/drivers/cxl/cxl.h index 53927f9fa77e..9db0c402c9ce 100644 --- a/drivers/cxl/cxl.h

[PATCH] drm/i915: Use designated initializers for init/exit table

2021-08-17 Thread Kees Cook
"drm/i915: Use a table for i915_init/exit (v2)") Signed-off-by: Kees Cook --- drivers/gpu/drm/i915/i915_module.c | 37 +++--- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_module.c b/drivers/gpu/drm/i915/i915_module.c in

Re: [PATCH 39/64] mac80211: Use memset_after() to clear tx status

2021-08-13 Thread Kees Cook
On Fri, Aug 13, 2021 at 09:40:07AM +0200, Johannes Berg wrote: > On Sat, 2021-07-31 at 08:55 -0700, Kees Cook wrote: > > On Tue, Jul 27, 2021 at 01:58:30PM -0700, Kees Cook wrote: > > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > > field

Re: [PATCH 10/64] lib80211: Use struct_group() for memcpy() region

2021-08-13 Thread Kees Cook
On Fri, Aug 13, 2021 at 10:04:09AM +0200, Johannes Berg wrote: > On Tue, 2021-07-27 at 13:58 -0700, Kees Cook wrote: > > > > +++ b/include/linux/ieee80211.h > > @@ -297,9 +297,11 @@ static inline u16 ieee80211_sn_sub(u16 sn1, u16 sn2) > >  struct ieee80211_hdr { &

Re: [PATCH 42/64] net: qede: Use memset_after() for counters

2021-08-02 Thread Kees Cook
On Mon, Aug 02, 2021 at 02:29:28PM +, Shai Malin wrote: > > On Tue, Jul 31, 2021 at 07:07:00PM -0300, Kees Cook wrote: > > On Tue, Jul 27, 2021 at 01:58:33PM -0700, Kees Cook wrote: > > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > >

Re: [PATCH 42/64] net: qede: Use memset_after() for counters

2021-07-31 Thread Kees Cook
On Tue, Jul 27, 2021 at 01:58:33PM -0700, Kees Cook wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memset(), avoid intentionally writing across > neighboring fields. > > Use memset_after() so memset() doesn't get co

Re: [PATCH 39/64] mac80211: Use memset_after() to clear tx status

2021-07-31 Thread Kees Cook
On Tue, Jul 27, 2021 at 01:58:30PM -0700, Kees Cook wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memset(), avoid intentionally writing across > neighboring fields. > > Use memset_after() so memset() doesn't get co

Re: [PATCH 47/64] btrfs: Use memset_after() to clear end of struct

2021-07-31 Thread Kees Cook
On Thu, Jul 29, 2021 at 12:33:37PM +0200, David Sterba wrote: > On Wed, Jul 28, 2021 at 02:56:31PM -0700, Kees Cook wrote: > > On Wed, Jul 28, 2021 at 11:42:15AM +0200, David Sterba wrote: > > > On Tue, Jul 27, 2021 at 01:58:38PM -0700, Kees Cook wrote: > > > > In

Re: [PATCH 04/64] stddef: Introduce struct_group() helper macro

2021-07-31 Thread Kees Cook
On Sat, Jul 31, 2021 at 07:24:44AM +0200, Rasmus Villemoes wrote: > On Sat, Jul 31, 2021, 04:59 Kees Cook wrote: > > > On Fri, Jul 30, 2021 at 10:19:20PM +, Williams, Dan J wrote: > > > On Wed, 2021-07-28 at 14:59 -0700, Kees Cook wrote: > > > > > /**

Re: [PATCH 54/64] ipv6: Use struct_group() to zero rt6_info

2021-07-31 Thread Kees Cook
On Thu, Jul 29, 2021 at 11:58:50AM -0700, Jakub Kicinski wrote: > On Tue, 27 Jul 2021 13:58:45 -0700 Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memset(), avoid intentionally writing across >

Re: [PATCH 25/64] drm/mga/mga_ioc32: Use struct_group() for memcpy() region

2021-07-30 Thread Kees Cook
On Thu, Jul 29, 2021 at 02:11:27PM +0200, Daniel Vetter wrote: > On Wed, Jul 28, 2021 at 07:56:40AM +0200, Greg Kroah-Hartman wrote: > > On Tue, Jul 27, 2021 at 01:58:16PM -0700, Kees Cook wrote: > > > In preparation for FORTIFY_SOURCE performing compile-time and run-time

Re: [PATCH 04/64] stddef: Introduce struct_group() helper macro

2021-07-30 Thread Kees Cook
On Fri, Jul 30, 2021 at 10:19:20PM +, Williams, Dan J wrote: > On Wed, 2021-07-28 at 14:59 -0700, Kees Cook wrote: > > On Wed, Jul 28, 2021 at 12:54:18PM +0200, Rasmus Villemoes wrote: > > > On 27/07/2021 22.57, Kees Cook wrote: > > > > > > > In orde

Re: [PATCH 01/64] media: omap3isp: Extract struct group for memcpy() region

2021-07-30 Thread Kees Cook
On Fri, Jul 30, 2021 at 10:08:03AM -0700, Nick Desaulniers wrote: > On Fri, Jul 30, 2021 at 9:44 AM Kees Cook wrote: > > > > On Fri, Jul 30, 2021 at 12:00:54PM +0300, Dan Carpenter wrote: > > > On Fri, Jul 30, 2021 at 10:38:45AM +0200, David Sterba wrote: > > >

Re: [PATCH 01/64] media: omap3isp: Extract struct group for memcpy() region

2021-07-30 Thread Kees Cook
void *ptr; }; These are fine: struct foo ok1 = { }; struct foo ok2 = { .flag = 7 }; struct foo ok3 = { .ptr = NULL }; This is not: struct foo bad = { .flag = 7, .ptr = NULL }; (But, of course, it depends on padding size, compiler version, and architecture. i.e. things remain unreliable.) -- Kees Cook

Re: [PATCH 02/64] mac80211: Use flex-array for radiotap header bitmap

2021-07-29 Thread Kees Cook
On Thu, Jul 29, 2021 at 12:45:47PM +0200, David Sterba wrote: > On Wed, Jul 28, 2021 at 02:54:52PM -0700, Kees Cook wrote: > > On Wed, Jul 28, 2021 at 11:23:23AM +0200, David Sterba wrote: > > > On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote: >

Re: [PATCH 01/64] media: omap3isp: Extract struct group for memcpy() region

2021-07-29 Thread Kees Cook
the pattern of basic initializers, which makes sense given the behavior of initializers and direct assignment tests above. e.g.: obj = (type){ .member = ... }; stackinit: small_hole_assigned_static_partial ok stackinit: small_hole_assigned_dynamic_partial ok stackinit: big_hole_assigned_dynamic_partial ok stackinit: big_hole_assigned_static_partial ok stackinit: trailing_hole_assigned_dynamic_partial ok stackinit: trailing_hole_assigned_static_partial ok stackinit: small_hole_assigned_static_all FAIL (uninit bytes: 3) stackinit: small_hole_assigned_dynamic_all FAIL (uninit bytes: 3) stackinit: big_hole_assigned_static_all FAIL (uninit bytes: 124) stackinit: big_hole_assigned_dynamic_all FAIL (uninit bytes: 124) stackinit: trailing_hole_assigned_dynamic_all FAIL (uninit bytes: 7) stackinit: trailing_hole_assigned_static_all FAIL (uninit bytes: 7) So, yeah, it's not very stable. -Kees [1] https://gcc.gnu.org/pipermail/gcc-patches/2021-July/576341.html -- Kees Cook

Re: [PATCH 34/64] fortify: Detect struct member overflows in memcpy() at compile-time

2021-07-29 Thread Kees Cook
On Wed, Jul 28, 2021 at 01:19:59PM +0200, Rasmus Villemoes wrote: > On 27/07/2021 22.58, Kees Cook wrote: > > > At its core, FORTIFY_SOURCE uses the compiler's __builtin_object_size() > > internal[0] to determine the available size at a target address based on > > the

Re: [PATCH 48/64] drbd: Use struct_group() to zero algs

2021-07-29 Thread Kees Cook
On Wed, Jul 28, 2021 at 02:45:55PM -0700, Bart Van Assche wrote: > On 7/27/21 1:58 PM, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memset(), avoid intentionally writing across > > neighboring f

Re: [PATCH 62/64] netlink: Avoid false-positive memcpy() warning

2021-07-29 Thread Kees Cook
On Wed, Jul 28, 2021 at 07:49:46AM +0200, Greg Kroah-Hartman wrote: > On Tue, Jul 27, 2021 at 01:58:53PM -0700, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memcpy(), memmove(), and memset(), avoid

Re: [PATCH 62/64] netlink: Avoid false-positive memcpy() warning

2021-07-29 Thread Kees Cook
On Wed, Jul 28, 2021 at 01:24:01PM +0200, Rasmus Villemoes wrote: > On 28/07/2021 07.49, Greg Kroah-Hartman wrote: > > On Tue, Jul 27, 2021 at 01:58:53PM -0700, Kees Cook wrote: > >> In preparation for FORTIFY_SOURCE performing compile-time and run-time > >> field

Re: [PATCH 02/64] mac80211: Use flex-array for radiotap header bitmap

2021-07-28 Thread Kees Cook
On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote: > On Tue, Jul 27, 2021 at 01:57:53PM -0700, Kees Cook wrote: > > [...] > > - /** > > -* @it_present: (first) present word > > -*/ > > - __le32 it_present; > > + union { > > +

Re: [PATCH 02/64] mac80211: Use flex-array for radiotap header bitmap

2021-07-28 Thread Kees Cook
On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote: > On Tue, Jul 27, 2021 at 01:57:53PM -0700, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memcpy(), memmove(), and memset(), avoid > >

Re: [PATCH 04/64] stddef: Introduce struct_group() helper macro

2021-07-28 Thread Kees Cook
On Wed, Jul 28, 2021 at 12:54:18PM +0200, Rasmus Villemoes wrote: > On 27/07/2021 22.57, Kees Cook wrote: > > > In order to have a regular programmatic way to describe a struct > > region that can be used for references and sizing, can be examined for > > bounds checking

Re: [PATCH 47/64] btrfs: Use memset_after() to clear end of struct

2021-07-28 Thread Kees Cook
On Wed, Jul 28, 2021 at 11:42:15AM +0200, David Sterba wrote: > On Tue, Jul 27, 2021 at 01:58:38PM -0700, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memset(), avoid intentionally writing across >

Re: [PATCH 02/64] mac80211: Use flex-array for radiotap header bitmap

2021-07-28 Thread Kees Cook
; > The recommended practice is to always use unsigned types for shifts, so > "1U << ..." at least. Ah, good catch! I think just using BIT() is the right replacement here, yes? I suppose that should be a separate patch. -- Kees Cook

Re: [PATCH 02/64] mac80211: Use flex-array for radiotap header bitmap

2021-07-28 Thread Kees Cook
On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote: > On Tue, Jul 27, 2021 at 01:57:53PM -0700, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memcpy(), memmove(), and memset(), avoid > >

Re: [PATCH 19/64] ip: Use struct_group() for memcpy() regions

2021-07-28 Thread Kees Cook
because struct_group() can not be used here? Still feels odd to see > in a userspace-visible header. Yeah, there is some inconsistency here. I will clean this up for v2. Is there a place we can put kernel-specific macros for use in UAPI headers? (I need to figure out where things like __kernel_size_t get defined...) -- Kees Cook

Re: [PATCH 36/64] scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp

2021-07-28 Thread Kees Cook
> Instead of writing beyond the end of evt_struct->iu.srp.cmd, target the > > upper union (evt_struct->iu.srp) instead, as that's what is being wiped. > > > > Signed-off-by: Kees Cook > > Orthogonal to your change, it wasn't immediately obvious to me

Re: [PATCH 01/64] media: omap3isp: Extract struct group for memcpy() region

2021-07-27 Thread Kees Cook
On Tue, Jul 27, 2021 at 07:55:46PM -0500, Gustavo A. R. Silva wrote: > On Tue, Jul 27, 2021 at 01:57:52PM -0700, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memcpy(), memmove(), and memset(), avoid >

Re: [PATCH 34/64] fortify: Detect struct member overflows in memcpy() at compile-time

2021-07-27 Thread Kees Cook
On Tue, Jul 27, 2021 at 03:43:27PM -0700, Nick Desaulniers wrote: > On Tue, Jul 27, 2021 at 2:17 PM Kees Cook wrote: > > > > To accelerate the review of potential run-time false positives, it's > > also worth noting that it is possible to partially automate checki

Re: [PATCH 33/64] lib: Introduce CONFIG_TEST_MEMCPY

2021-07-27 Thread Kees Cook
On Tue, Jul 27, 2021 at 04:31:03PM -0700, Bart Van Assche wrote: > On 7/27/21 1:58 PM, Kees Cook wrote: > > +static int __init test_memcpy_init(void) > > +{ > > + int err = 0; > > + > > + err |= test_memcpy(); > > + err |= test_memmove(); > > +
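Review bot: In test_memcpy_init(), the results are accumulated with bitwise OR (`err |= test_memcpy(); err |= test_memmove();`). If these helpers return negative errno values, OR-ing two different codes produces a value that matches neither of them, so the init return no longer identifies which failure occurred. Consider returning on the first non-zero result, or collapsing any failure to a single fixed error code before returning.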

Re: [PATCH 31/64] fortify: Explicitly disable Clang support

2021-07-27 Thread Kees Cook
On Tue, Jul 27, 2021 at 02:18:58PM -0700, Nathan Chancellor wrote: > On 7/27/2021 1:58 PM, Kees Cook wrote: > > Clang has never correctly compiled the FORTIFY_SOURCE defenses due to > > a couple bugs: > > > > Eliding inlines with matching __builtin_* names >

[PATCH 48/64] drbd: Use struct_group() to zero algs

2021-07-27 Thread Kees Cook
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Add a struct_group() for the algs so that memset() can correctly reason about the size. Signed-off-by: Kees Cook --- drivers/block

[PATCH 59/64] fortify: Detect struct member overflows in memset() at compile-time

2021-07-27 Thread Kees Cook
As done for memcpy(), also update memset() to use the same tightened compile-time bounds checking under CONFIG_FORTIFY_SOURCE. Signed-off-by: Kees Cook --- include/linux/fortify-string.h| 54 --- .../write_overflow_field-memset.c | 5 ++ 2 files

[PATCH 46/64] IB/mthca: Use memset_after() for clearing mpt_entry

2021-07-27 Thread Kees Cook
rting point of zeroing through the end of the struct. Signed-off-by: Kees Cook --- drivers/infiniband/hw/mthca/mthca_mr.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/infiniband/hw/mthca/mthca_mr.c b/drivers/infiniband/hw/mthca/mthca_mr.c index ce0e0867e488..64adba5

[PATCH 51/64] tracing: Use struct_group() to zero struct trace_iterator

2021-07-27 Thread Kees Cook
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Add struct_group() to mark region of struct trace_iterator that should be initialized to zero. Signed-off-by: Kees Cook --- include

[PATCH 49/64] cm4000_cs: Use struct_group() to zero struct cm4000_dev region

2021-07-27 Thread Kees Cook
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Add struct_group() to mark region of struct cm4000_dev that should be initialized to zero. Signed-off-by: Kees Cook --- drivers/char

[PATCH 58/64] powerpc: Split memset() to avoid multi-field overflow

2021-07-27 Thread Kees Cook
. Signed-off-by: Kees Cook --- drivers/macintosh/smu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/macintosh/smu.c b/drivers/macintosh/smu.c index 94fb63a7b357..59ce431da7ef 100644 --- a/drivers/macintosh/smu.c +++ b/drivers/macintosh/smu.c @@ -848,7 +848,8 @@ int

[PATCH 34/64] fortify: Detect struct member overflows in memcpy() at compile-time

2021-07-27 Thread Kees Cook
all where the compiler cannot see the true type. In theory, greater static analysis could catch these. [0] https://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html [1] https://git.kernel.org/linus/6a39e62abbafd1d58d1722f40c7d26ef379c6a2f Signed-off-by: Kees Cook --- include/linux/fortify-string.h

[PATCH 33/64] lib: Introduce CONFIG_TEST_MEMCPY

2021-07-27 Thread Kees Cook
Before changing anything about memcpy(), memmove(), and memset(), add run-time tests to check basic behaviors for any regressions. Signed-off-by: Kees Cook --- lib/Kconfig.debug | 3 + lib/Makefile | 1 + lib/test_memcpy.c | 285 ++ 3 files

[PATCH 52/64] dm integrity: Use struct_group() to zero struct journal_sector

2021-07-27 Thread Kees Cook
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Add struct_group() to mark region of struct journal_sector that should be initialized to zero. Signed-off-by: Kees Cook --- drivers

[PATCH 35/64] fortify: Detect struct member overflows in memmove() at compile-time

2021-07-27 Thread Kees Cook
As done for memcpy(), also update memmove() to use the same tightened compile-time checks under CONFIG_FORTIFY_SOURCE. Signed-off-by: Kees Cook --- arch/x86/boot/compressed/misc.c | 3 ++- arch/x86/lib/memcpy_32.c | 1 + include/linux/fortify-string.h
