Before changing anything about memcpy(), memmove(), and memset(), add
run-time tests to check basic behaviors for any regressions.
Signed-off-by: Kees Cook
---
lib/Kconfig.debug | 7 ++
lib/Makefile | 1 +
lib/test_memcpy.c | 264 ++
3 files
() call.
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Ido Schimmel
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
net/ethtool/stats.c | 15 +++
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/net/ethtool/stats.c b/net/ethtool/stats.c
index ec
Cc: Benjamin Tissoires
Cc: linux-in...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/hid/hid-roccat-kone.c | 2 +-
drivers/hid/hid-roccat-kone.h | 12 +++-
2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/drivers/hid/hid-roccat-kone.c b/drivers/hid/hid-roccat-kone.c
: Greg Kroah-Hartman
Signed-off-by: Kees Cook
Acked-by: Greg Kroah-Hartman
Link: https://lore.kernel.org/lkml/yqdvxaofjli1j...@kroah.com
---
drivers/char/pcmcia/cm4000_cs.c | 9 -
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char
Cc: dm-de...@redhat.com
Signed-off-by: Kees Cook
---
drivers/md/dm-integrity.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
index 40f8116c8e44..59deea0dd305 100644
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md
rting point
of zeroing through the end of the struct.
Cc: Chris Mason
Cc: Josef Bacik
Cc: David Sterba
Cc: linux-bt...@vger.kernel.org
Signed-off-by: Kees Cook
---
fs/btrfs/root-tree.c | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/fs/btrfs/root-tree.c b/fs/btrfs
Signed-off-by: Kees Cook
---
kernel/trace/trace.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 13587e771567..9ff8c31975cd 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -6691,9 +6691,7 @@ tracing_read_pipe
: Oleg Nesterov
Signed-off-by: Kees Cook
---
include/linux/compiler-gcc.h | 2 --
include/linux/compiler_types.h | 4
include/linux/thread_info.h| 2 +-
3 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index
Chancellor
Cc: Alexey Dobriyan
Cc: Stephen Rothwell
Cc: Bartosz Golaszewski
Signed-off-by: Kees Cook
---
arch/arm/boot/compressed/string.c | 1 +
arch/s390/lib/string.c| 3 +
arch/x86/boot/compressed/misc.h | 2 +
arch/x86/boot/compressed/pgtable_64.c | 2 +
arch
Cc: David Airlie
Cc: Lee Jones
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
Acked-by: Daniel Vetter
Link: https://lore.kernel.org/lkml/YQKa76A6XuFqgM03@phenom.ffwll.local
---
drivers/gpu/drm/mga/mga_ioc32.c | 27 ++-
include/uapi/drm
the last struct
member. There is no change to the resulting machine code.
Cc: Steffen Klassert
Cc: Herbert Xu
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
net/xfrm/xfrm_policy.c | 4 +---
net/xfrm/xfrm_user.c | 2 +-
2 files ch
Elior
Cc: gr-everest-linux...@marvell.com
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/qlogic/qede
rting point
of zeroing through the end of the struct.
Cc: Jes Sorensen
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: linux-hi...@sunsite.dk
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
net/802/hippi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/80
rel...@vger.kernel.org
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/net/wireless/intersil/hostap/hostap_hw.c | 5 +++--
drivers/net/wireless/intersil/hostap/hostap_wlan.h | 14 --
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/
: Jason Gunthorpe
Cc: linux-r...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/infiniband/hw/mlx5/mlx5_ib.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/mlx5/mlx5_ib.h
b/drivers/infiniband/hw/mlx5/mlx5_ib.h
index bf20a388eabe..f63bf204a7a1
e struct group
sizes.
Cc: Ariel Elior
Cc: Sudarsana Kalluru
Cc: gr-everest-linux...@marvell.com
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c | 7 ---
drivers/net/etherne
: Jens Axboe
Cc: drbd-...@lists.linbit.com
Cc: linux-bl...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/block/drbd/drbd_main.c | 3 ++-
drivers/block/drbd/drbd_protocol.h | 6 --
drivers/block/drbd/drbd_receiver.c | 3 ++-
3 files changed, 8 insertions(+), 4 deletions(-)
diff --git
mp -d" shows no object code changes.
Cc: Raju Rangoju
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/net/ethernet/chelsio/cxgb4/sge.c | 8 +---
drivers/net/ethernet/chelsio/cxgb4/t4fw_api.h | 10 ++
is requires
that any FORTIFY helper function prototypes be conditionally built to
avoid "no prototype" warnings. Additionally removes unused helpers.
Cc: Andrew Morton
Cc: Francis Laniel
Cc: Daniel Axtens
Cc: Vincenzo Frascino
Cc: Andrey Konovalov
Cc: Dan Williams
Signed-off-by: Kees Co
un Gao
Cc: Jiawei Gu
Cc: Evan Quan
Cc: amd-...@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
Acked-by: Alex Deucher
Link:
https://lore.kernel.org/lkml/cadnq5_npb8uyvd+r4uhgf-w8-cqj3joodjvijr_y9w9wqj7...@mail.gmail.com
---
drivers/gpu/drm/a
_MAX_RATES") but was harmless.
Also drops the associated unneeded BUILD_BUG_ON()s, and adds a note to
carl9170 about usage.
Cc: Johannes Berg
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: linux-wirel...@vger.kernel.org
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
rting point
of zeroing through the end of the struct.
Cc: Doug Ledford
Cc: Jason Gunthorpe
Cc: Max Gurtovoy
Cc: linux-r...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/infiniband/hw/mthca/mthca_mr.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/infiniba
HIFUJI
Cc: David Ahern
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
net/ipv6/route.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 6cf4bb89ca69..bd0ab3e436e7 100644
--- a/net/ipv6/route.c
+++
e
Cc: Raju Rangoju
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: linux-r...@vger.kernel.org
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/infiniband/hw/cxgb4/cm.c| 5 +++--
drivers/net/ethernet/chelsio/cxgb4/t4_msg.h | 2 +-
2 files changed, 4 insertions(
Kadlecsik
Cc: Florian Westphal
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netfilter-de...@vger.kernel.org
Cc: coret...@netfilter.org
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
net/netfilter/nf_conntrack_core.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
di
x_tx_frame. "objdump -d" shows no meaningful object code changes
(i.e. only source line number induced differences.)
Cc: Greg Kroah-Hartman
Cc: Rustam Kovhaev
Cc: syzbot+22794221ab96b0bab...@syzkaller.appspotmail.com
Cc: Allen Pais
Cc: Romain Perier
Cc: linux-stag...@lists.linux.dev
Sign
Christopherson
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Cc: Jim Mattson
Cc: Joerg Roedel
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: x...@kernel.org
Cc: "H. Peter Anvin"
Cc: k...@vger.kernel.org
Signed-off-by: Kees Cook
---
arch/x86/kvm/emulate.c | 3 +--
arch/x86/kvm/kvm
.
Cc: Benjamin Herrenschmidt
Cc: Qinglang Miao
Cc: "Gustavo A. R. Silva"
Cc: Hulk Robot
Cc: Wang Wensheng
Cc: linuxppc-...@lists.ozlabs.org
Signed-off-by: Kees Cook
Reviewed-by: Michael Ellerman
Link: https://lore.kernel.org/lkml/87czqsnmw9@mpe.ellerman.id.au
---
drivers/macin
As done for memcpy(), also update memmove() to use the same tightened
compile-time checks under CONFIG_FORTIFY_SOURCE.
Signed-off-by: Kees Cook
---
arch/x86/boot/compressed/misc.c | 3 ++-
arch/x86/lib/memcpy_32.c | 1 +
include/linux/fortify-string.h
aningful object code changes (i.e. only source
line number induced differences and optimizations).
Cc: Michael Chan
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Michael Chan
Link:
https://lore.kernel.org/lkml/CACKFLinDc6
Cc: linux-wirel...@vger.kernel.org
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
.../net/wireless/intel/ipw2x00/libipw_rx.c| 56 ++-
1 file changed, 17 insertions(+), 39 deletions(-)
diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_rx.c
b/drivers/net/wireless/int
As done for memcpy(), also update memset() to use the same tightened
compile-time bounds checking under CONFIG_FORTIFY_SOURCE.
Signed-off-by: Kees Cook
---
include/linux/fortify-string.h| 54 ---
.../write_overflow_field-memset.c | 5 ++
2 files
n
Cc: Ohad Ben-Cohen
Cc: Mathieu Poirier
Cc: linux-arm-...@vger.kernel.org
Cc: linux-remotep...@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Gustavo A. R. Silva
Link: https://lore.kernel.org/lkml/20210728020745.GB35706@embeddedor
---
drivers/rpmsg/qcom_glink_native.c |
Cc: Jakub Kicinski
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Jesper Dangaard Brouer
Cc: John Fastabend
Cc: net...@vger.kernel.org
Cc: linux-r...@vger.kernel.org
Cc: b...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/net/ethernet/mellanox/mlx5/core/en.h | 4 ++--
drivers/
Cc: Raju Rangoju
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/net/ethernet/chelsio/cxgb3/sge.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/chelsio/cxgb3/sge.c
b/drivers/ne
In order to have strlen() use fortified strnlen() internally, swap their
positions in the source. Doing this as part of later changes makes
review difficult, so reorder it here; no code changes.
Cc: Francis Laniel
Signed-off-by: Kees Cook
---
include/linux/fortify-string.h | 22
_group()? [-Wattribute-warning]
199 |__write_overflow_field(p_size_field, size);
|^~
Cc: Julian Wiedmann
Cc: Karsten Graul
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: linux-s...@vger.kernel.org
Cc: net...@vger.kernel.org
Signed-
ges.
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: libertas-...@lists.infradead.org
Cc: linux-wirel...@vger.kernel.org
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/net/wireless/marvell/libertas/host.h | 10 ++
drivers/net/wireless/marvell
changes).
Cc: "Jason A. Donenfeld"
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Jonathan Lemon
Cc: Alexander Lobakin
Cc: Jakub Sitnicki
Cc: Marco Elver
Cc: Willem de Bruijn
Cc: wiregu...@lists.zx2c4.com
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed
"David S. Miller"
Cc: Jakub Kicinski
Cc: linux-wirel...@vger.kernel.org
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/net/wireless/ray_cs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_
GCC builds, but allows Clang to finally gain full
FORTIFY coverage.
However, because of a third bug which had no work-arounds, FORTIFY_SOURCE
will only work with Clang version 13 and later. Update the Kconfig to
reflect the new requirements.
Signed-off-by: Kees Cook
---
include/linux/fortif
Hi,
This patch series (based on next-20210816) implements stricter (no struct
member overflows) bounds checking for memcpy(), memmove(), and memset()
under CONFIG_FORTIFY_SOURCE. To quote a later patch in the series:
tl;dr: In order to eliminate a large class of common buffer overflow
fla
where a higher level type's allocation size does
not match the resulting cast type eventually passed to a deeper
memcpy() call where the compiler cannot see the true type. In
theory, greater static analysis could catch these.
[0] https://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.htm
uct_group_typed() is added.
Given there is a need for a handful of UAPI uses too, the underlying
__struct_group() macro has been defined in UAPI so it can be used there
too.
Co-developed-by: Keith Packard
Signed-off-by: Keith Packard
Signed-off-by: Kees Cook
Acked-by: Gustavo A. R. Silva
Link: h
rting point
of zeroing through the end of the struct.
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: d...@vger.kernel.org
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
net/dccp/trace.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/dccp/trace.h b/n
's what is being wiped.
Cc: Tyrel Datwyler
Cc: Michael Ellerman
Cc: Benjamin Herrenschmidt
Cc: Paul Mackerras
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-...@lists.ozlabs.org
Signed-off-by: Kees Cook
Acked-by:
Under CONFIG_FORTIFY_SOURCE, it is possible for the compiler to perform
strlen() and strnlen() at compile-time when the string size is known.
This is required to support compile-time overflow checking in strlcpy().
Signed-off-by: Kees Cook
---
include/linux/fortify-string.h | 47
zero-filled to avoid
undefined behavior.
Fixes: 378e3f81cb56 ("media: omap3isp: support 64-bit version of
omap3isp_stat_data")
Signed-off-by: Kees Cook
---
drivers/media/platform/omap3isp/ispstat.c | 5 +++--
include/uapi/linux/omap3isp.h | 21 +
2 file
rting point
of zeroing through the end of the struct.
Cc: Alexander Shishkin
Signed-off-by: Kees Cook
---
drivers/hwtracing/intel_th/msu.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/hwtracing/intel_th/msu.c b/drivers/hwtracing/intel_th/msu.c
index 432ade0
the fortify routines have been rearranged.
Update the Kconfig to reflect the reality of the current situation.
Signed-off-by: Kees Cook
---
security/Kconfig | 3 +++
1 file changed, 3 insertions(+)
diff --git a/security/Kconfig b/security/Kconfig
index 0ced7fd33e4d..fe6c0395fa02 100644
--- a
of field (1st parameter); maybe use struct_group()? [-Wattribute-warning]
199 |__write_overflow_field(p_size_field, size);
|^~
Cc: Wolfgang Grandegger
Cc: Marc Kleine-Budde
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: linux-...@vger.kernel.or
line number induced differences).
Cc: Zhang Rui
Cc: Daniel Lezcano
Cc: Amit Kucheria
Cc: linux...@vger.kernel.org
Signed-off-by: Kees Cook
---
.../intel/int340x_thermal/acpi_thermal_rel.c | 5 +-
.../intel/int340x_thermal/acpi_thermal_rel.h | 48 ++-
2 files changed, 29 inserti
object code changes.
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Lee Jones
Cc: YueHaibing
Cc: linux-wirel...@vger.kernel.org
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/net/wireless/marvell/libertas_tf/libertas_tf.h | 10 ++
drivers/ne
"objdump -d" shows no object code changes.
Cc: Lennert Buytenhek
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: wengjianfeng
Cc: Lv Yunlong
Cc: Arnd Bergmann
Cc: Christophe JAILLET
Cc: Allen Pais
Cc: linux-wirel...@vger.kernel.org
Cc: net...@vger.kerne
't include any preceding padding.
Cc: Steffen Klassert
Cc: Herbert Xu
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Andrew Morton
Cc: Francis Laniel
Cc: Vincenzo Frascino
Cc: Daniel Axtens
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
include/linu
tring functions")
Cc: Daniel Axtens
Cc: Francis Laniel
Signed-off-by: Kees Cook
---
include/linux/fortify-string.h | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index 7e67d02764db..68bc5978d916 100644
---
erg Roedel
Cc: Will Deacon
Cc: io...@lists.linux-foundation.org
Signed-off-by: Kees Cook
---
drivers/iommu/amd/init.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
index bdcf167b4afe..70506d6175e9 100644
--- a/driv
~~~
Cc: Jens Axboe
Cc: linux-...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/ata/sata_fsl.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c
index e5838b23c9e0..fec3c9032606 100644
--- a/drivers/ata/sata_fsl.c
+++ b/dr
/1d9a2e6df2a9a35b2cdd50a9a68cac5991e7e5f0.ca...@intel.com
Signed-off-by: Kees Cook
---
drivers/cxl/cxl.h | 61 ++-
1 file changed, 18 insertions(+), 43 deletions(-)
diff --git a/drivers/cxl/cxl.h b/drivers/cxl/cxl.h
index 53927f9fa77e..9db0c402c9ce 100644
--- a/drivers/cxl/cxl.h
"drm/i915: Use a table for i915_init/exit (v2)")
Signed-off-by: Kees Cook
---
drivers/gpu/drm/i915/i915_module.c | 37 +++---
1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_module.c
b/drivers/gpu/drm/i915/i915_module.c
in
On Fri, Aug 13, 2021 at 09:40:07AM +0200, Johannes Berg wrote:
> On Sat, 2021-07-31 at 08:55 -0700, Kees Cook wrote:
> > On Tue, Jul 27, 2021 at 01:58:30PM -0700, Kees Cook wrote:
> > > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > > field
On Fri, Aug 13, 2021 at 10:04:09AM +0200, Johannes Berg wrote:
> On Tue, 2021-07-27 at 13:58 -0700, Kees Cook wrote:
> >
> > +++ b/include/linux/ieee80211.h
> > @@ -297,9 +297,11 @@ static inline u16 ieee80211_sn_sub(u16 sn1, u16 sn2)
> > struct ieee80211_hdr {
>
On Mon, Aug 02, 2021 at 02:29:28PM +, Shai Malin wrote:
>
> On Tue, Jul 31, 2021 at 07:07:00PM -0300, Kees Cook wrote:
> > On Tue, Jul 27, 2021 at 01:58:33PM -0700, Kees Cook wrote:
> > > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> >
On Tue, Jul 27, 2021 at 01:58:33PM -0700, Kees Cook wrote:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field bounds checking for memset(), avoid intentionally writing across
> neighboring fields.
>
> Use memset_after() so memset() doesn't get co
On Tue, Jul 27, 2021 at 01:58:30PM -0700, Kees Cook wrote:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field bounds checking for memset(), avoid intentionally writing across
> neighboring fields.
>
> Use memset_after() so memset() doesn't get co
On Thu, Jul 29, 2021 at 12:33:37PM +0200, David Sterba wrote:
> On Wed, Jul 28, 2021 at 02:56:31PM -0700, Kees Cook wrote:
> > On Wed, Jul 28, 2021 at 11:42:15AM +0200, David Sterba wrote:
> > > On Tue, Jul 27, 2021 at 01:58:38PM -0700, Kees Cook wrote:
> > > > In
On Sat, Jul 31, 2021 at 07:24:44AM +0200, Rasmus Villemoes wrote:
> On Sat, Jul 31, 2021, 04:59 Kees Cook wrote:
>
> > On Fri, Jul 30, 2021 at 10:19:20PM +, Williams, Dan J wrote:
> > > On Wed, 2021-07-28 at 14:59 -0700, Kees Cook wrote:
> >
> > > /**
On Thu, Jul 29, 2021 at 11:58:50AM -0700, Jakub Kicinski wrote:
> On Tue, 27 Jul 2021 13:58:45 -0700 Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memset(), avoid intentionally writing across
> >
On Thu, Jul 29, 2021 at 02:11:27PM +0200, Daniel Vetter wrote:
> On Wed, Jul 28, 2021 at 07:56:40AM +0200, Greg Kroah-Hartman wrote:
> > On Tue, Jul 27, 2021 at 01:58:16PM -0700, Kees Cook wrote:
> > > In preparation for FORTIFY_SOURCE performing compile-time and run-time
On Fri, Jul 30, 2021 at 10:19:20PM +, Williams, Dan J wrote:
> On Wed, 2021-07-28 at 14:59 -0700, Kees Cook wrote:
> > On Wed, Jul 28, 2021 at 12:54:18PM +0200, Rasmus Villemoes wrote:
> > > On 27/07/2021 22.57, Kees Cook wrote:
> > >
> > > > In orde
On Fri, Jul 30, 2021 at 10:08:03AM -0700, Nick Desaulniers wrote:
> On Fri, Jul 30, 2021 at 9:44 AM Kees Cook wrote:
> >
> > On Fri, Jul 30, 2021 at 12:00:54PM +0300, Dan Carpenter wrote:
> > > On Fri, Jul 30, 2021 at 10:38:45AM +0200, David Sterba wrote:
> > > >
void *ptr;
};
These are fine:
struct foo ok1 = { };
struct foo ok2 = { .flag = 7 };
struct foo ok3 = { .ptr = NULL };
This is not:
struct foo bad = { .flag = 7, .ptr = NULL };
(But, of course, it depends on padding size, compiler version, and
architecture. i.e. things remain unreliable.)
--
Kees Cook
On Thu, Jul 29, 2021 at 12:45:47PM +0200, David Sterba wrote:
> On Wed, Jul 28, 2021 at 02:54:52PM -0700, Kees Cook wrote:
> > On Wed, Jul 28, 2021 at 11:23:23AM +0200, David Sterba wrote:
> > > On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote:
> >
the pattern of
basic initializers, which makes sense given the behavior of initializers
and direct assignment tests above. e.g.:
obj = (type){ .member = ... };
stackinit: small_hole_assigned_static_partial ok
stackinit: small_hole_assigned_dynamic_partial ok
stackinit: big_hole_assigned_dynamic_partial ok
stackinit: big_hole_assigned_static_partial ok
stackinit: trailing_hole_assigned_dynamic_partial ok
stackinit: trailing_hole_assigned_static_partial ok
stackinit: small_hole_assigned_static_all FAIL (uninit bytes: 3)
stackinit: small_hole_assigned_dynamic_all FAIL (uninit bytes: 3)
stackinit: big_hole_assigned_static_all FAIL (uninit bytes: 124)
stackinit: big_hole_assigned_dynamic_all FAIL (uninit bytes: 124)
stackinit: trailing_hole_assigned_dynamic_all FAIL (uninit bytes: 7)
stackinit: trailing_hole_assigned_static_all FAIL (uninit bytes: 7)
So, yeah, it's not very stable.
-Kees
[1] https://gcc.gnu.org/pipermail/gcc-patches/2021-July/576341.html
--
Kees Cook
On Wed, Jul 28, 2021 at 01:19:59PM +0200, Rasmus Villemoes wrote:
> On 27/07/2021 22.58, Kees Cook wrote:
>
> > At its core, FORTIFY_SOURCE uses the compiler's __builtin_object_size()
> > internal[0] to determine the available size at a target address based on
> > the
On Wed, Jul 28, 2021 at 02:45:55PM -0700, Bart Van Assche wrote:
> On 7/27/21 1:58 PM, Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memset(), avoid intentionally writing across
> > neighboring f
On Wed, Jul 28, 2021 at 07:49:46AM +0200, Greg Kroah-Hartman wrote:
> On Tue, Jul 27, 2021 at 01:58:53PM -0700, Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memcpy(), memmove(), and memset(), avoid
>
On Wed, Jul 28, 2021 at 01:24:01PM +0200, Rasmus Villemoes wrote:
> On 28/07/2021 07.49, Greg Kroah-Hartman wrote:
> > On Tue, Jul 27, 2021 at 01:58:53PM -0700, Kees Cook wrote:
> >> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> >> field
On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote:
> On Tue, Jul 27, 2021 at 01:57:53PM -0700, Kees Cook wrote:
> > [...]
> > - /**
> > -* @it_present: (first) present word
> > -*/
> > - __le32 it_present;
> > + union {
> > +
On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote:
> On Tue, Jul 27, 2021 at 01:57:53PM -0700, Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memcpy(), memmove(), and memset(), avoid
> >
On Wed, Jul 28, 2021 at 12:54:18PM +0200, Rasmus Villemoes wrote:
> On 27/07/2021 22.57, Kees Cook wrote:
>
> > In order to have a regular programmatic way to describe a struct
> > region that can be used for references and sizing, can be examined for
> > bounds checking
On Wed, Jul 28, 2021 at 11:42:15AM +0200, David Sterba wrote:
> On Tue, Jul 27, 2021 at 01:58:38PM -0700, Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memset(), avoid intentionally writing across
> >
;
> The recommended practice is to always use unsigned types for shifts, so
> "1U << ..." at least.
Ah, good catch! I think just using BIT() is the right replacement here,
yes? I suppose that should be a separate patch.
--
Kees Cook
On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote:
> On Tue, Jul 27, 2021 at 01:57:53PM -0700, Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memcpy(), memmove(), and memset(), avoid
> >
because struct_group() can not be used here? Still feels odd to see
> in a userspace-visible header.
Yeah, there is some inconsistency here. I will clean this up for v2.
Is there a place we can put kernel-specific macros for use in UAPI
headers? (I need to figure out where things like __kernel_size_t get
defined...)
--
Kees Cook
> Instead of writing beyond the end of evt_struct->iu.srp.cmd, target the
> > upper union (evt_struct->iu.srp) instead, as that's what is being wiped.
> >
> > Signed-off-by: Kees Cook
>
> Orthogonal to your change, it wasn't immediately obvious to me
On Tue, Jul 27, 2021 at 07:55:46PM -0500, Gustavo A. R. Silva wrote:
> On Tue, Jul 27, 2021 at 01:57:52PM -0700, Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memcpy(), memmove(), and memset(), avoid
>
On Tue, Jul 27, 2021 at 03:43:27PM -0700, Nick Desaulniers wrote:
> On Tue, Jul 27, 2021 at 2:17 PM Kees Cook wrote:
> >
> > To accelerate the review of potential run-time false positives, it's
> > also worth noting that it is possible to partially automate checki
On Tue, Jul 27, 2021 at 04:31:03PM -0700, Bart Van Assche wrote:
> On 7/27/21 1:58 PM, Kees Cook wrote:
> > +static int __init test_memcpy_init(void)
> > +{
> > + int err = 0;
> > +
> > + err |= test_memcpy();
> > + err |= test_memmove();
> > +
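Review bot: In test_memcpy_init(), `err |= test_memcpy();` and `err |= test_memmove();` OR the helpers' return values into one variable, so if they return negative errno codes, two different failures merge into a value that matches neither and the result no longer says which test failed. Consider returning on the first failure, or keeping a simple failed flag and returning one fixed error code from the init function.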
On Tue, Jul 27, 2021 at 02:18:58PM -0700, Nathan Chancellor wrote:
> On 7/27/2021 1:58 PM, Kees Cook wrote:
> > Clang has never correctly compiled the FORTIFY_SOURCE defenses due to
> > a couple bugs:
> >
> > Eliding inlines with matching __builtin_* names
>
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring fields.
Add a struct_group() for the algs so that memset() can correctly reason
about the size.
Signed-off-by: Kees Cook
---
drivers/block
As done for memcpy(), also update memset() to use the same tightened
compile-time bounds checking under CONFIG_FORTIFY_SOURCE.
Signed-off-by: Kees Cook
---
include/linux/fortify-string.h| 54 ---
.../write_overflow_field-memset.c | 5 ++
2 files
rting point
of zeroing through the end of the struct.
Signed-off-by: Kees Cook
---
drivers/infiniband/hw/mthca/mthca_mr.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/mthca/mthca_mr.c
b/drivers/infiniband/hw/mthca/mthca_mr.c
index ce0e0867e488..64adba5
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring fields.
Add struct_group() to mark region of struct trace_iterator that should
be initialized to zero.
Signed-off-by: Kees Cook
---
include
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring fields.
Add struct_group() to mark region of struct cm4000_dev that should be
initialized to zero.
Signed-off-by: Kees Cook
---
drivers/char
.
Signed-off-by: Kees Cook
---
drivers/macintosh/smu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/macintosh/smu.c b/drivers/macintosh/smu.c
index 94fb63a7b357..59ce431da7ef 100644
--- a/drivers/macintosh/smu.c
+++ b/drivers/macintosh/smu.c
@@ -848,7 +848,8 @@ int
all where the compiler cannot see the true type. In
theory, greater static analysis could catch these.
[0] https://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
[1] https://git.kernel.org/linus/6a39e62abbafd1d58d1722f40c7d26ef379c6a2f
Signed-off-by: Kees Cook
---
include/linux/fortify-string.h
Before changing anything about memcpy(), memmove(), and memset(), add
run-time tests to check basic behaviors for any regressions.
Signed-off-by: Kees Cook
---
lib/Kconfig.debug | 3 +
lib/Makefile | 1 +
lib/test_memcpy.c | 285 ++
3 files
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring fields.
Add struct_group() to mark region of struct journal_sector that should be
initialized to zero.
Signed-off-by: Kees Cook
---
drivers
As done for memcpy(), also update memmove() to use the same tightened
compile-time checks under CONFIG_FORTIFY_SOURCE.
Signed-off-by: Kees Cook
---
arch/x86/boot/compressed/misc.c | 3 ++-
arch/x86/lib/memcpy_32.c | 1 +
include/linux/fortify-string.h