h [-Wimplicit-fallthrough=]
>
> Signed-off-by: Gustavo A. R. Silva
Reviewed-by: Kees Cook
-Kees
> ---
> drivers/video/fbdev/omap/omapfb_main.c | 8
> 1 file changed, 8 insertions(+)
>
> diff --git a/drivers/video/fbdev/omap/omapfb_main.c
> b/drivers/video/fbde
e -Wimplicit-fallthrough
> option will be enabled globally in v5.3.
>
> Warning level 3 was used: -Wimplicit-fallthrough=3
>
> This patch is part of the ongoing efforts to enable
> -Wimplicit-fallthrough.
>
> Signed-off-by: Gustavo A. R. Silva
Excellent; I think t
> > > Untag the address before subtracting.
> > >
> > > Reviewed-by: Khalid Aziz
> > > Reviewed-by: Vincenzo Frascino
> > > Reviewed-by: Kees Cook
> > > Reviewed-by: Catalin Marinas
> > > Signed-off-by: Andrey Konovalov
> > > -
version applied
> immediately after an rc1 might be easiest
> rather than individual patches.
This seems reasonable to me. I think the patch steps would be:
1) implement sizeof_member(T, m) as a stand-alone macro
2) do a scripted replacement of all identical macros.
3) remove all the identical
On Tue, Jun 25, 2019 at 10:49:01AM -0700, Joe Perches wrote:
> On Tue, 2019-06-25 at 10:31 -0700, Kees Cook wrote:
> > On Tue, Jun 25, 2019 at 09:52:23AM -0700, Joe Perches wrote:
> > > On Tue, 2019-06-25 at 11:01 -0500, Gustavo A. R. Silva wrote:
> > > > In prep
rough a lot of coordination
with sfr for linux-next nag-mail coverage (where maintainers are now
fixing it themselves) when this came up during the last kernel summit,
and this approach was the agreed solution.
--
Kees Cook
ldren but cleared on execve(). A Kconfig
> option allows the overall disabling of the relaxed ABI.
>
> The PR_SET_TAGGED_ADDR_CTRL will be expanded in the future to handle
> MTE-specific settings like imprecise vs precise exceptions.
>
> Signed-off-by: Catalin Marinas
Reviewed-by: Ke
vma lookups, which can only be done with
> untagged pointers.
>
> This patch untags user pointers in radeon_gem_userptr_ioctl().
>
> Suggested-by: Felix Kuehling
> Acked-by: Felix Kuehling
> Signed-off-by: Andrey Konovalov
Reviewed-by: Kees Cook
-Kees
> ---
>
that calls the uname syscall with a
> tagged user pointer as an argument. Without the kernel accepting tagged
> user pointers the test fails with EFAULT.
>
> Signed-off-by: Andrey Konovalov
Acked-by: Kees Cook
-Kees
> ---
> tools/testing/selftests/arm64/.gitignore
d user pointers for vma lookups, which can
> only be done with untagged pointers.
>
> Untag user pointers in this function.
>
> Signed-off-by: Andrey Konovalov
Reviewed-by: Kees Cook
-Kees
> ---
> drivers/infiniband/hw/mlx4/mr.c | 7 ---
> 1 file changed, 4 insert
x Kuehling
> Signed-off-by: Andrey Konovalov
Reviewed-by: Kees Cook
-Kees
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 2 +-
> drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 2 ++
> 2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers
kernel.
That's actually already happening (via -mm tree last I looked). tl;dr:
it ends up using a cast hidden in a macro. It's in linux-next already
along with a checkpatch.pl addition to yell about doing what's being
done here. ;)
https://lore.kernel.org/lkml/20190430180111.106
target struct's field
> + * Return: the size of @f in the struct definition without having a
> + * declared instance of @t.
> + */
> +#ifndef FIELD_SIZEOF
> +#define FIELD_SIZEOF(t, f) (sizeof(((t *)0)->f))
> #endif
>
> +/*
> + * For code compatibility
> + *
> + * sizeof_field(TYPE, MEMBER)
> + * @TYPE: The structure containing the field of interest
> + * @MEMBER: The field to return the size of
> + */
> +#define sizeof_field(TYPE, MEMBER) FIELD_SIZEOF(TYPE, MEMBER)
> +
> #ifndef offsetofend
> #define offsetofend(TYPE, MEMBER) \
> - (offsetof(TYPE, MEMBER) + sizeof_field(TYPE, MEMBER))
> + (offsetof(TYPE, MEMBER) + FIELD_SIZEOF(TYPE, MEMBER))
> #endif
>
> #endif /* __BPF_UTIL__ */
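Review bot: in the bpf_util.h hunk, `FIELD_SIZEOF` is wrapped in `#ifndef` but the new `sizeof_field` alias below it is not, so a file that already defines its own `sizeof_field` before including this header can hit a macro redefinition. Guard the alias the same way, and have the "For code compatibility" comment say which callers still need the second name, since `offsetofend()` in this same hunk no longer uses it.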
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index ca54b09adf5b..e43e3a26f6ab 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -4275,7 +4275,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned
> vcpu_align,
> kmem_cache_create_usercopy("kvm_vcpu", vcpu_size, vcpu_align,
> SLAB_ACCOUNT,
> offsetof(struct kvm_vcpu, arch),
> -sizeof_field(struct kvm_vcpu, arch),
> +FIELD_SIZEOF(struct kvm_vcpu, arch),
> NULL);
> if (!kvm_vcpu_cache) {
> r = -ENOMEM;
> --
> 2.11.0
>
--
Kees Cook
On Mon, Jun 10, 2019 at 07:53:30PM +0100, Catalin Marinas wrote:
> On Mon, Jun 10, 2019 at 11:07:03AM -0700, Kees Cook wrote:
> > On Mon, Jun 10, 2019 at 06:53:27PM +0100, Catalin Marinas wrote:
> > > diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
> &
(void)
>
> ptrauth_thread_init_user(current);
> }
> +
> +/*
> + * Enable the relaxed ABI allowing tagged user addresses into the kernel.
> + */
> +int untagged_uaddr_set_mode(unsigned long arg)
> +{
> + if (is_compat_task())
> + return -ENOTSUPP;
> + if (arg)
> + return -EINVAL;
> +
> + set_thread_flag(TIF_UNTAGGED_UADDR);
> +
> + return 0;
> +}
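Review bot: `untagged_uaddr_set_mode()` returns `-ENOTSUPP` for compat tasks; ENOTSUPP is a kernel-internal code with no userspace errno definition, so if this value is returned through a syscall path, `-EOPNOTSUPP` is the one to use. The comment above the function should also state that any non-zero `arg` is rejected with `-EINVAL` and that the function only sets TIF_UNTAGGED_UADDR, with no way to clear it here.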
I think this should be paired with a flag clearing in copy_thread(),
yes? (i.e. each binary needs to opt in)
--
Kees Cook
___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
tee_shm_unregister()->check_mem_type() uses provided
> user pointers for vma lookups (via __check_mem_type()), which can only be
> done with untagged pointers.
>
> Untag user pointers in this function.
>
> Signed-off-by: Andrey Konovalov
"tee: shm: untag user pointers
e provided user pointers for vma lookups, which can
> only be done with untagged pointers.
>
> Untag user pointers in validate_range().
>
> Signed-off-by: Andrey Konovalov
"userfaultfd: untag user pointers"
Reviewed-by: Kees Cook
-Kees
> ---
> fs/userfaultfd.c | 2
expect, instead:
fs/namespace: untag user pointers in copy_mount_options
Reviewed-by: Kees Cook
-Kees
> ---
> fs/namespace.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index b26778bdc236..2e85712a19ed 1
s provided user pointers for vma lookups, which can
> only be done with untagged pointers. Instead of locating and changing
> all callers of this function, perform untagging in it.
>
> Signed-off-by: Andrey Konovalov
Reviewed-by: Kees Cook
-Kees
> ---
> mm/frame_vector.c | 2 +
vma lookups.
>
> Reviewed-by: Catalin Marinas
> Signed-off-by: Andrey Konovalov
Reviewed-by: Kees Cook
-Kees
> ---
> mm/gup.c | 4
> 1 file changed, 4 insertions(+)
>
> diff --git a/mm/gup.c b/mm/gup.c
> index ddde097cf9e4..c37df3d455a2 100644
> --- a
s provided user pointers for vma lookups, which can
> only be done with untagged pointers.
>
> Untag user pointers in this function.
>
> Signed-off-by: Andrey Konovalov
Reviewed-by: Kees Cook
-Kees
> ---
> drivers/vfio/vfio_iommu_type1.c | 2 ++
> 1 file changed, 2 inser
mple test, that calls the uname syscall with a
> tagged user pointer as an argument. Without the kernel accepting tagged
> user pointers the test fails with EFAULT.
>
> Signed-off-by: Andrey Konovalov
I'm adding Shuah to CC in case she has some suggestions about the new
selftest.
user_get() uses provided user pointers for vma
> lookups, which can only be done with untagged pointers.
>
> Untag the pointers in this function.
>
> Acked-by: Mauro Carvalho Chehab
> Signed-off-by: Andrey Konovalov
Reviewed-by: Kees Cook
-Kees
> ---
> drivers/me
pointers to be passed to the following memory
> syscalls: get_mempolicy, madvise, mbind, mincore, mlock, mlock2, mprotect,
> mremap, msync, munlock.
>
> Signed-off-by: Andrey Konovalov
Reviewed-by: Kees Cook
-Kees
> ---
> mm/madvise.c | 2 ++
> mm/mempolicy.c | 3 +++
>
r pointers in access_ok and in __uaccess_mask_ptr,
> before performing access validity checks.
>
> Note, that this patch only temporarily untags the pointers to perform the
> checks, but then passes them as is into the kernel internals.
>
> Reviewed-by: Catalin Marinas
> Signed-off-by
is used in the implementation of the move_pages syscall.
>
> Untag user pointers in this function.
>
> Reviewed-by: Catalin Marinas
> Signed-off-by: Andrey Konovalov
Reviewed-by: Kees Cook
-Kees
> ---
> mm/migrate.c | 1 +
> 1 file changed, 1 insertion(+)
>
> dif
ly untags the pointers to perform
> validity checks, but then uses them as is to perform user memory accesses.
>
> Reviewed-by: Catalin Marinas
> Signed-off-by: Andrey Konovalov
Acked-by: Kees Cook
-Kees
> ---
> lib/strncpy_from_user.c | 3 ++-
> lib/strnlen_user
On Tue, May 28, 2019 at 06:02:45PM +0100, Catalin Marinas wrote:
> On Thu, May 23, 2019 at 02:31:16PM -0700, Kees Cook wrote:
> > syzkaller already attempts to randomly inject non-canonical and
> > 0x addresses for user pointers in syscalls in an effort to
> > fi
On Thu, May 23, 2019 at 06:43:46PM +0100, Catalin Marinas wrote:
> On Thu, May 23, 2019 at 09:38:19AM -0700, Kees Cook wrote:
> > What on this front would you be comfortable with? Given it's a new
> > feature isn't it sufficient to have a CONFIG (and/or boot option)?
> them?).
Okay, sounds fine.
> (there is also the risk of existing applications using TBI already but
> I'm not aware of any still using this feature other than hwasan)
Correct.
Alright, the tl;dr appears to be:
- you want more assurances that we can find __user stripping
ecute.
I've got the same question as Elliot: aren't MTE instructions just NOP
to older CPUs? I.e. if the CPU (or kernel) doesn't support it, it just
gets entirely ignored: checking is only needed to satisfy curiosity
or behavioral expectations.
To me, the conflict seems to be using
On Wed, May 22, 2019 at 08:30:21AM -0700, enh wrote:
> On Wed, May 22, 2019 at 3:11 AM Catalin Marinas
> wrote:
> > On Tue, May 21, 2019 at 05:04:39PM -0700, Kees Cook wrote:
> > > I just want to make sure I fully understand your concern about this
> > > being an A
ome syscall that is missing untagged_addr() and fails
- kernel has now broken userspace that used to work
The trouble I see with this is that it is largely theoretical and
requires part of userspace to collude to start using a new CPU feature
that tickles a bug in t
> > This would be technically conforming with TAP13 and is consistent with
> > what some kselftests have done.
This is what I fixed kselftest to actually do (it wasn't doing correct
TAP13), and Shuah is testing the series now:
https://git.kernel.org/pub/scm/linux/
to
> let unprivileged userspace spam the logs freely. Definitely not entire
> warning backtraces.
>
> It also means more filtering for our CI, because our testsuite
> exercises these corner cases and so hits these a lot.
>
> Signed-off-by: Daniel Vetter
Reviewed-by: Kees Cook
-Kee
On Mon, Jan 28, 2019 at 4:12 PM Alexander Popov wrote:
>
> On 23.01.2019 14:03, Kees Cook wrote:
> > This adds a new plugin "stackinit" that attempts to perform unconditional
> > initialization of all stack variables
>
> Hello Kees! Hello everyone!
>
> I
ts
> for both.
GCC is reasonable at this. The main issue, though, was most of these
places were using the variables in multiple case statements, so they
couldn't be limited to a single block (or they'd need to be manually
repeated in each block, which is even more ugly, IMO).
Whatever the consensus, I'm happy to tweak the patch.
Thanks!
--
Kees Cook
kinit: small_hole_runtime_all ok
test_stackinit: big_hole_runtime_all ok
test_stackinit: u8 ok
test_stackinit: u16 ok
test_stackinit: u32 ok
test_stackinit: u64 ok
test_stackinit: char_array ok
test_stackinit: small_hole ok
test_stackinit: big_hole ok
test_stackinit: user ok
test_stackinit: failures: 4
Signed-off-by:
: warning: statement will never be executed
[-Wswitch-unreachable]
siginfo_t si;
^~
Signed-off-by: Kees Cook
---
arch/x86/xen/enlighten_pv.c | 7 ---
drivers/char/pcmcia/cm4000_cs.c | 2 +-
drivers/char/ppdev.c | 20
On Thu, Jan 24, 2019 at 4:44 AM Jani Nikula wrote:
>
> On Wed, 23 Jan 2019, Edwin Zimmerman wrote:
> > On Wed, 23 Jan 2019, Jani Nikula wrote:
> >> On Wed, 23 Jan 2019, Greg KH wrote:
> >> > On Wed, Jan 23, 2019 at 03:03:47AM -0800, Kees Cook wrote:
>
/lkml.kernel.org/r/CA+55aFykZL+cSBJjBBts7ebEFfyGPdMzTmLSxKnT_29=j94...@mail.gmail.com
Kees Cook (3):
treewide: Lift switch variables out of switches
gcc-plugins: Introduce stackinit plugin
lib: Introduce test_stackinit module
arch/x86/xen/enlighten_pv.c | 7 +-
d
on't depend on being zero. :)
[1] https://gcc.gnu.org/ml/gcc-patches/2014-06/msg00615.html
[2]
https://lkml.kernel.org/r/CA+55aFykZL+cSBJjBBts7ebEFfyGPdMzTmLSxKnT_29=j94...@mail.gmail.com
Signed-off-by: Kees Cook
---
scripts/Makefile.gcc-plugins | 6 ++
scripts/gcc-plugin
arn on VLA use
- Remove unused fallback for BUILD_BUG_ON (which technically contains a VLA)
- Lift -Wvla to the top-level Makefile
----
Kees Cook (1):
Makefile: Globally enable VLA warning
Masahiro Yamada (1):
compiler.
t nvkm_falcon
>>> *falcon,
>>> bl = acr->hsbl_unload_blob;
>>> } else {
>>> nvkm_error(_acr->subdev, "invalid secure boot blob!\n");
>>> +kfree(bl_desc);
>>> return -EINVAL;
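Review bot: the added `kfree(bl_desc)` covers only the "invalid secure boot blob!" return; any later exit from this function after `bl_desc` is allocated needs the same release. A single error label that frees `bl_desc` would keep the exit paths from drifting apart.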
help of Coccinelle.
>
> Signed-off-by: Gustavo A. R. Silva
Reviewed-by: Kees Cook
-Kees
> ---
> drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
> b/dri
() helper:
>
> instance = devm_kzalloc(dev, struct_size(instance, entry, count), GFP_KERNEL);
>
> This issue was detected with the help of Coccinelle.
>
> Signed-off-by: Gustavo A. R. Silva
Reviewed-by: Kees Cook
-Kees
> ---
> drivers/gpu/drm/sun4i/sun8i_tcon_top.c | 3 +--
> 1
On Fri, Jun 29, 2018 at 2:20 PM, Jordan Crouse wrote:
> On Fri, Jun 29, 2018 at 11:48:18AM -0700, Kees Cook wrote:
>> In the quest to remove all stack VLA usage from the kernel[1], this
>> switches to using a kasprintf()ed buffer. Return paths are updated
>> to free the
On Wed, Jun 20, 2018 at 11:27 AM, Kees Cook wrote:
> In the quest to remove all stack VLA usage from the kernel[1], this
> sets the buffer to maximum size and adds a sanity check.
>
> [1]
> https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail
On Wed, Jun 20, 2018 at 11:26 AM, Kees Cook wrote:
> In the quest to remove all stack VLA usage from the kernel[1], this
> uses the maximum sane buffer size and removes copy/paste code.
>
> [1]
> https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...
On Thu, Jul 5, 2018 at 6:37 AM, Michel Dänzer wrote:
> On 2018-07-04 07:27 PM, Kees Cook wrote:
>> As already done treewide, switch from open-coded multiplication to
>> 2-factor allocation helper.
>>
>> Signed-off-by: Kees Cook
>> ---
>> drivers/gpu/drm/
As already done treewide, switch from open-coded multiplication to
2-factor allocation helper.
Signed-off-by: Kees Cook
---
drivers/gpu/drm/amd/display/modules/color/color_gamma.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/modules
/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com
Signed-off-by: Kees Cook
---
drivers/video/fbdev/fsl-diu-fb.c | 23 +--
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/drivers/video/fbdev/fsl-diu-fb.c b/drivers/video/fbdev/fsl-diu-fb.c
index
In the quest to remove all stack VLA usage from the kernel[1], this
switches to using a kasprintf()ed buffer. Return paths are updated
to free the allocation.
[1]
https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com
Signed-off-by: Kees Cook
---
drivers
]
https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com
Signed-off-by: Kees Cook
---
drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c | 107 +++--
1 file changed, 64 insertions(+), 43 deletions(-)
diff --git a/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c
On Tue, Jun 26, 2018 at 1:21 PM, Joe Perches wrote:
> On Tue, 2018-06-26 at 10:40 -0700, Kees Cook wrote:
>> This is the patch I've got prepared now that fixes for all VLAs have been
>> sent to maintainers (some are still under review/adjustment, but there
>> aren't
an UBSan tests which
are explicitly checking that VLAs trigger their respective tests.
Signed-off-by: Kees Cook
---
Makefile | 3 +++
drivers/gpu/drm/i915/Makefile | 2 +-
lib/Makefile | 2 ++
scripts/Makefile.extrawarn| 1 -
4 files changed, 6 insertions(
me issues in some places, maybe it is totally fine.
Okay, thanks! Who can take the patch into their tree?
-Kees
--
Kees Cook
Pixel Security
On Fri, Jun 22, 2018 at 10:50 AM, Karol Herbst wrote:
> On Thu, May 24, 2018 at 7:24 PM, Kees Cook wrote:
>> In the quest to remove all stack VLA usage from the kernel[1], this
>> allocates the working buffers before starting the writing so it won't
>> abort in the mid
In the quest to remove all stack VLA usage from the kernel[1], this
sets the buffer to maximum size and adds a sanity check.
[1]
https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com
Signed-off-by: Kees Cook
---
drivers/gpu/drm/i2c/tda9950.c | 5 -
1
In the quest to remove all stack VLA usage from the kernel[1], this
uses the maximum sane buffer size and removes copy/paste code.
[1]
https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com
Signed-off-by: Kees Cook
---
drivers/gpu/drm/amd/amdgpu
On Thu, May 24, 2018 at 10:24 AM, Kees Cook wrote:
> In the quest to remove all stack VLA usage from the kernel[1], this
> allocates the working buffers before starting the writing so it won't
> abort in the middle. This needs an initial walk of the lists to figure
> out how
aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com
Signed-off-by: Kees Cook
---
.../nouveau/nvkm/subdev/secboot/acr_r352.c| 25 ---
.../nouveau/nvkm/subdev/secboot/acr_r367.c| 16 +++-
2 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/drivers/gp
On Wed, May 23, 2018 at 5:36 PM, Ben Skeggs wrote:
> On Thu, May 24, 2018 at 8:48 AM, Kees Cook wrote:
>> On Thu, Apr 26, 2018 at 4:25 PM, Kees Cook wrote:
>>> On Thu, Mar 15, 2018 at 7:05 PM, Ben Skeggs wrote:
>>>> On 14 March 2018 at 21:08, Thierry Reding wro
On Thu, Apr 26, 2018 at 4:25 PM, Kees Cook wrote:
> On Thu, Mar 15, 2018 at 7:05 PM, Ben Skeggs wrote:
>> On 14 March 2018 at 21:08, Thierry Reding wrote:
>>> On Tue, Mar 13, 2018 at 11:24:11AM -0500, Gustavo A. R. Silva wrote:
>>>> In preparation to enabl
> the size buffer passed to hdmi_infoframe_pack which is a fixed size.
> Switch to this upper bound.
>
> [1] https://lkml.org/lkml/2018/3/7/621
>
> Signed-off-by: Laura Abbott
Reviewed-by: Kees Cook
Same question for this patch: who's best to take this?
Thanks!
-Kees
>
> Signed-off-by: Laura Abbott
Reviewed-by: Kees Cook
Daniel, can this go via you, or what's the best path for this patch?
Thanks!
-Kees
> ---
> This was a little hard to figure out but I think 32 should be a
> comfortable upper bound based on all the structures I saw. Of course
5dfe61 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
> @@ -39,6 +39,8 @@
>
> #include "amd_shared.h"
>
> +#define KFD_MAX_RING_ENTRY_SIZE8
> +
> #define KFD_SYSFS_FILE_MODE 0444
>
> #define KFD_MMAP_DOORBELL_MA
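Review bot: `KFD_MAX_RING_ENTRY_SIZE` is added to kfd_priv.h with no comment giving its unit or where the value 8 comes from. Add a one-line comment, and make sure each user of the constant checks the actual entry size against it rather than assuming it fits.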
>is based on the feedback provided by David Laight. Thanks David.
>>>
>>> drivers/gpu/drm/nouveau/nvkm/subdev/secboot/ls_ucode_msgqueue.c | 7 +++
>>> 1 file changed, 3 insertions(+), 4 deletions(-)
>>
>> Reviewed-by
cs/gcc/Integer-Overflow-Builtins.html
grsecurity/PaX has a gcc plugin for overflow detection, though it
hasn't been upstreamed and comes with various caveats:
http://forums.grsecurity.net/viewtopic.php?f=7&t=3043
https://github.com/ephox-gcc-plugins/size_overflow
-Kees
--
Kees Cook
Pix
This is a small series that cleans up struct consw a bit and
prepares it for Control Flow Integrity checking (i.e. Clang's
-fsanitize=cfi).
Thanks!
-Kees
.
Signed-off-by: Kees Cook
---
include/linux/console.h | 58 +++--
1 file changed, 32 insertions(+), 26 deletions(-)
diff --git a/include/linux/console.h b/include/linux/console.h
index b8920a031a3e..dfd6b0e97855 100644
--- a/include/linux/console.h
+++ b
As done in commit:
724ba8b30b04 ("console/dummy: leave .con_font_get set to NULL")
This drops the dummy .con_font_get(), as it could leave arguments
uninitialized.
Cc: Thomas Winischhofer
Signed-off-by: Kees Cook
---
drivers/usb/misc/sisusbvga/sisusb_con.c | 1 -
1 file changed,
This expands the no-op dummy functions into full prototypes to avoid
indirect call mismatches when running under Control Flow Integrity
checking, like with Clang's -fsanitize=cfi.
Co-Developed-by: Sami Tolvanen
Signed-off-by: Sami Tolvanen
Signed-off-by: Kees Cook
---
drivers/usb
On Fri, Dec 8, 2017 at 2:17 AM, David Laight wrote:
> From: Kees Cook
>> Sent: 06 December 2017 20:29
>>
>> There's no good reason to separate the access_ok() from the copy,
>> especially since the access_ok() size is hard-coded instead of using
>> size
Wilson
Signed-off-by: Kees Cook
---
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 435ed95df144..1da703213b17 100644
--- a/drive
[7.814325] ---[ end trace 3348554eb91e19a1 ]---
>> > >
>> > > Looks like I didn't test this code with CONFIG_REFCOUNT_FULL enabled :-/.
>> > >
>> > > Anyway, can you try to apply the following diff and let me know if it
>> > >
On Mon, Nov 13, 2017 at 5:45 PM, Guenter Roeck wrote:
> On Tue, Oct 24, 2017 at 08:20:26AM -0700, Kees Cook wrote:
>> In preparation for unconditionally passing the struct timer_list pointer to
>> all timer callbacks, switch to using the new timer_setup() and from_timer()
>>
_list, not struct pxa3xx_gcu_priv.
Cc: Bartlomiej Zolnierkiewicz
Cc: "Gustavo A. R. Silva"
Cc: Himanshu Jha
Cc: dri-devel@lists.freedesktop.org
Cc: linux-fb...@vger.kernel.org
Signed-off-by: Kees Cook
---
If you can take this for v4.15, please do. Otherwise, I can carry it in the
tim
On Thu, Nov 9, 2017 at 9:08 AM, Bartlomiej Zolnierkiewicz
wrote:
> On Tuesday, October 24, 2017 08:20:26 AM Kees Cook wrote:
>
>> diff --git a/drivers/video/fbdev/pxa3xx-gcu.c
>> b/drivers/video/fbdev/pxa3xx-gcu.c
>> index 933619da1a94..e88447eac32c 100644
>> --
On Mon, Oct 30, 2017 at 4:49 PM, Eric Anholt wrote:
> Kees Cook writes:
>
>> In preparation for unconditionally passing the struct timer_list pointer to
>> all timer callbacks, switch to using the new timer_setup() and from_timer()
>> to pass the timer pointer expl
On Tue, Oct 31, 2017 at 3:18 AM, Daniel Vetter wrote:
> On Mon, Oct 30, 2017 at 03:05:29PM -0700, Kees Cook wrote:
>> On Mon, Oct 30, 2017 at 3:08 AM, Daniel Vetter wrote:
>> > On Tue, Oct 24, 2017 at 08:16:09AM -0700, Kees Cook wrote:
>> >> In preparation for unco
On Mon, Oct 30, 2017 at 3:08 AM, Daniel Vetter wrote:
> On Tue, Oct 24, 2017 at 08:16:09AM -0700, Kees Cook wrote:
>> In preparation for unconditionally passing the struct timer_list pointer to
>> all timer callbacks, switch to using the new timer_setup() and from_timer()
>>
On Wed, Oct 25, 2017 at 4:16 PM, Chris Wilson wrote:
> Quoting Kees Cook (2017-10-25 15:05:13)
>> On Wed, Oct 25, 2017 at 3:11 PM, Chris Wilson
>> wrote:
>> > Quoting Chris Wilson (2017-10-25 11:24:19)
>> >> Quoting Chris Wilson (2017-10-24 17:17:09)
>>
On Wed, Oct 25, 2017 at 3:11 PM, Chris Wilson wrote:
> Quoting Chris Wilson (2017-10-25 11:24:19)
>> Quoting Chris Wilson (2017-10-24 17:17:09)
>> > Quoting Kees Cook (2017-10-24 16:13:44)
>> > > In preparation for unconditionally passing the struct timer_list point
: Benjamin Herrenschmidt
Cc: Tomi Valkeinen
Cc: David Lechner
Cc: Daniel Vetter
Cc: Sean Paul
Cc: Jean Delvare
Cc: Hans de Goede
Cc: "Gustavo A. R. Silva"
Cc: linux-fb...@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: linux-o...@vger.kernel.org
Signed-off-by: Kees Cook
--
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly.
Cc: Patrik Jakobsson
Cc: David Airlie
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly.
Cc: Eric Anholt
Cc: David Airlie
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
Wilson
Cc: intel-...@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
drivers/gpu/drm/i915/selftests/lib_sw_fence.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/i915/selftests/lib_sw_fence.c
b/drivers/gpu/drm/i915
Ursulin
Cc: Oscar Mateo
Cc: intel-...@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
Reviewed-by: Joonas Lahtinen # for mock_engine
---
This patch includes additional timers since the last time it was sent.
---
drivers/gpu/drm/i915/i915_sw_fence.c | 8
...@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
index 8197e1d6ed11..e19cbe05da2a
On Thu, Oct 5, 2017 at 6:45 AM, Joonas Lahtinen
wrote:
> On Wed, 2017-10-04 at 17:54 -0700, Kees Cook wrote:
>> In preparation for unconditionally passing the struct timer_list pointer to
>> all timer callbacks, switch to using the new timer_setup() and from_timer()
>> to p
Ursulin
Cc: Oscar Mateo
Cc: intel-...@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Cc: Thomas Gleixner
Signed-off-by: Kees Cook
---
This requires commit 686fef928bba ("timer: Prepare to change timer
callback argument type") in v4.14-rc3, but should be otherwise
s
On Fri, Jul 28, 2017 at 2:13 AM, Christian König
wrote:
> Am 28.07.2017 um 03:43 schrieb Alex Deucher:
>>
>> On Tue, Jul 25, 2017 at 5:47 PM, Kees Cook wrote:
>>>
>>> As done for vega10 in commit 3ddd396f6b57 ("drm/amd/powerplay: Use
>>> designated
On Thu, Jul 27, 2017 at 6:43 PM, Alex Deucher wrote:
> On Tue, Jul 25, 2017 at 5:47 PM, Kees Cook wrote:
>> As done for vega10 in commit 3ddd396f6b57 ("drm/amd/powerplay: Use
>> designated initializers") mark other tableFunction entries with designated
>> init
Zhang
Cc: Alex Deucher
Signed-off-by: Kees Cook
---
If I can get an Ack for this, I'll carry it in the gcc-plugins tree, unless
you think this is worth landing for v4.13, in which case, please take it
now. :)
Thanks!
---
drivers/gpu/drm/amd/powerplay/hwmgr/rv_hwmgr.c | 8
1
On Sun, May 14, 2017 at 3:00 PM, Mauro Carvalho Chehab
wrote:
> Em Sun, 14 May 2017 14:05:09 -0700
> Kees Cook escreveu:
>
>> On Sun, May 14, 2017 at 8:38 AM, Mauro Carvalho Chehab
>> wrote:
>> > As just one book (lsm) was missing conversion, let's conver
ge into my rst-ification of
Documentation/security/
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=kspp/rst
Specifically, the new Documentation/security/LSM.rst was rather short.
I think your lsm.txt and this one could be likely merged.
-Kees
--
Kees Cook
While highly unlikely, this makes sure that the string built from
engine names won't be processed as a format string.
Signed-off-by: Kees Cook
---
drivers/gpu/drm/i915/intel_hangcheck.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/intel_hangcheck
On Thu, Apr 6, 2017 at 1:48 AM, Jani Nikula wrote:
> On Thu, 06 Apr 2017, Kees Cook wrote:
>> While examining output from trial builds with -Wformat-security enabled,
>> many strings were found that should be defined as "const", or as a char
>> array instead o