This series adds SIMPLE_MAX() to be used in places where a stack array
is actually fixed, but the compiler still warns about VLA usage due to
confusion caused by the safety checks in the max() macro.
I'm sending these via -mm since that's where I've introduced SIMPLE_MAX(),
and they should all hav
In the quest to remove all stack VLAs from the kernel[1], this refactors
the stack array size calculation to avoid using max(), which makes the
compiler think the size isn't fixed.
[1] https://lkml.org/lkml/2018/3/7/621
Signed-off-by: Kees Cook
---
fs/btrfs/tree-checker.c | 3 ++-
1
like a variable size
to the compiler.
[1] https://lkml.org/lkml/2018/3/7/621
Signed-off-by: Kees Cook
---
include/linux/kernel.h | 11 +++
lib/vsprintf.c | 4 ++--
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/include/linux/kernel.h b/include/linux/kernel.
In the quest to remove all stack VLAs from the kernel[1], this refactors
the stack array size calculation to avoid using max(), which makes the
compiler think the size isn't fixed.
[1] https://lkml.org/lkml/2018/3/7/621
Signed-off-by: Kees Cook
---
net/ipv4/proc.c | 10 --
net
On Thu, Mar 8, 2018 at 7:02 AM, Josh Poimboeuf wrote:
> On Wed, Mar 07, 2018 at 07:30:44PM -0800, Kees Cook wrote:
>> This series adds SIMPLE_MAX() to be used in places where a stack array
>> is actually fixed, but the compiler still warns about VLA usage due to
>> confusion
On Thu, Mar 8, 2018 at 11:57 AM, Rasmus Villemoes
wrote:
> On 2018-03-08 16:02, Josh Poimboeuf wrote:
>> On Wed, Mar 07, 2018 at 07:30:44PM -0800, Kees Cook wrote:
>>> This series adds SIMPLE_MAX() to be used in places where a stack array
>>> is actually fixed, but the
90 forbids variable length array ‘buff64’
[-Wvla]
Based on an earlier patch from Josh Poimboeuf.
Signed-off-by: Kees Cook
---
include/linux/kernel.h | 42 ++
1 file changed, 30 insertions(+), 12 deletions(-)
diff --git a/include/linux/kernel.h b/include/linu
On Thu, Mar 8, 2018 at 2:18 PM, Andrew Morton wrote:
> On Thu, 8 Mar 2018 13:40:45 -0800 Kees Cook wrote:
>
>> When max() is used in stack array size calculations from literal values
>> (e.g. "char foo[max(sizeof(struct1), sizeof(struct2))]", the compiler
>> th
On Thu, Mar 8, 2018 at 2:12 PM, Rasmus Villemoes
wrote:
> On 8 March 2018 at 21:39, Kees Cook wrote:
>> However, this works for me:
>>
>> #define __new_max(t1, t2, max1, max2, x, y)\
>>__builtin_choose_
90 forbids variable length array ‘buff64’
[-Wvla]
Based on an earlier patch from Josh Poimboeuf.
Signed-off-by: Kees Cook
---
v2:
- fix copy/paste-o max1_/max2_ (ijc)
- clarify "compile-time" constant in comment (Rasmus)
- clean up formatting on min_t()/max_t()
---
include
On Thu, Mar 8, 2018 at 3:48 PM, Linus Torvalds
wrote:
> On Thu, Mar 8, 2018 at 1:40 PM, Kees Cook wrote:
>> +#define __min(t1, t2, x, y)\
>> + __builtin_choose_expr(__built
_types_compatible_p() just doesn't seem to matter
> for the only thing I thought it was there for.
Yup, agreed. I'll drop it.
-Kees
--
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
90 forbids variable length array ‘buff64’
[-Wvla]
Based on an earlier patch from Josh Poimboeuf.
Signed-off-by: Kees Cook
---
v3:
- drop __builtin_types_compatible_p() (Rasmus, Linus)
v2:
- fix copy/paste-o max1_/max2_ (ijc)
- clarify "compile-time" constant in comment (Rasmus)
- clean up
On Fri, Mar 9, 2018 at 1:10 PM, Linus Torvalds
wrote:
> On Fri, Mar 9, 2018 at 12:05 PM, Kees Cook wrote:
>> When max() is used in stack array size calculations from literal values
>> (e.g. "char foo[max(sizeof(struct1), sizeof(struct2))]", the compiler
>> think
nly for constants" macro (meh)
- add gcc version checks around this and similarly for -Wvla in the future (eww)
- raise gcc version (yikes)
-Kees
--
Kees Cook
Pixel Security
On Fri, Mar 9, 2018 at 4:38 PM, Linus Torvalds
On Fri, Mar 9, 2018 at 5:30 PM, Kees Cook wrote:
> --
> Kees Cook
> Pixel SecurityOn
> [...]
WTF, gmail just blasted HTML into my explicitly plain-text email?! Apologies...
--
Kees Cook
Pixel Security
On Fri, Mar 9, 2018 at 5:30 PM, Kees Cook
On Fri, Mar 9, 2018 at 10:10 PM, Miguel Ojeda
wrote:
> On Sat, Mar 10, 2018 at 4:11 AM, Randy Dunlap wrote:
>> On 03/09/2018 04:07 PM, Andrew Morton wrote:
>>> On Fri, 9 Mar 2018 12:05:36 -0800 Kees Cook wrote:
>>>
>>>> When max() is used in stack arra
roc.c: In function ‘snmp6_seq_show_item’:
net/ipv6/proc.c:198:2: warning: ISO C90 forbids array ‘buff’ whose
size can’t be evaluated [-Wvla]
unsigned long buff[SNMP_MIB_MAX];
^~~~
-Kees
--
Kees Cook
Pixel Security
On Tue, Mar 13, 2018 at 2:02 PM, Andrew Morton
wrote:
> On Mon, 12 Mar 2018 21:28:57 -0700 Kees Cook wrote:
>
>> On Mon, Mar 12, 2018 at 4:57 PM, Linus Torvalds
>> wrote:
>> > On Mon, Mar 12, 2018 at 3:55 PM, Andrew Morton
>> > wrote:
>> >>
thing))];
[1] https://lkml.org/lkml/2018/3/7/621
[2] https://lkml.org/lkml/2018/3/10/170
Signed-off-by: Kees Cook
---
include/linux/kernel.h | 19 +++
1 file changed, 19 insertions(+)
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index 3fd291503576..012f588b5a25 100644
() instead.
[1] https://lkml.org/lkml/2018/3/7/621
Signed-off-by: Kees Cook
---
drivers/input/touchscreen/cyttsp4_core.c | 2 +-
fs/btrfs/tree-checker.c | 3 ++-
lib/vsprintf.c | 4 ++--
net/ipv4/proc.c | 8
net/ipv6
I'm calling this "v4" since the last effort at this was v3, even
if it's a different approach. Patch 1 adds const_max(), patch 2
uses it in all the places max() was used for stack arrays. Commit
log from patch 1:
---snip---
kernel.h: Introduce const_max() for VLA removal
In the effort to remove a
On Thu, Mar 15, 2018 at 2:42 PM, Linus Torvalds
wrote:
> On Thu, Mar 15, 2018 at 12:47 PM, Kees Cook wrote:
>>
>> To gain the ability to compare differing types, the arguments are
>> explicitly cast to size_t.
>
> Ugh, I really hate this.
>
> It sile
On Thu, Mar 15, 2018 at 3:23 PM, Linus Torvalds
wrote:
> On Thu, Mar 15, 2018 at 3:16 PM, Kees Cook wrote:
>>
>> size_t __error_not_const_arg(void) \
>> __compiletime_error("const_max() used with non-compile-time constant arg"
error_not_positive_arg(); \
>> if ((y) < 0) \
>> __error_not_positive_arg(); \
>> __builtin_choose_expr((x) > (y), (x), (y)); \
>> })
>>
>
> Nevermind... gcc doesn't take that as
On Thu, Mar 15, 2018 at 4:34 PM, Linus Torvalds
wrote:
> On Thu, Mar 15, 2018 at 3:46 PM, Kees Cook wrote:
>>
>> So, AIUI, I can either get strict type checking, in which case, this
>> is rejected (which I assume there is still a desire to have):
>>
>> int
On Thu, Mar 15, 2018 at 4:46 PM, Linus Torvalds
wrote:
> What I'm *not* so much ok with is "const_max(5,sizeof(x))" erroring
> out, or silently causing insane behavior due to hidden subtle type
> casts..
Yup! I like it as an explicit argument. Thanks!
-Kees
--
Kees C
://lkml.org/lkml/2018/3/10/170
Signed-off-by: Kees Cook
---
include/linux/kernel.h | 19 +++
1 file changed, 19 insertions(+)
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index 3fd291503576..e14531781568 100644
--- a/include/linux/kernel.h
+++ b/include/linux
Patch 1 adds const_max_t(), patch 2 uses it in all the places max()
was used for stack arrays. Commit log from patch 1:
---snip---
kernel.h: Introduce const_max_t() for VLA removal
In the effort to remove all VLAs from the kernel[1], it is desirable to
build with -Wvla. However, this warning is o
() instead.
[1] https://lkml.org/lkml/2018/3/7/621
Signed-off-by: Kees Cook
---
drivers/input/touchscreen/cyttsp4_core.c | 2 +-
fs/btrfs/tree-checker.c | 3 ++-
lib/vsprintf.c | 5 +++--
net/ipv4/proc.c | 8
net
_builtin_constant_p() in
4.4 that we hit earlier? :(
-Kees
--
Kees Cook
Pixel Security
ngth array is used
./include/linux/mm.h:1567: error: first argument to
‘__builtin_choose_expr’ not a constant
6.8 is happy with it (of course).
I do think the earlier version (without the
sizeof-hiding-builtin_constant_p) provides a template for a
const_max() that both you and Rasmus would be happ
On Tue, Mar 20, 2018 at 4:23 PM, Linus Torvalds
wrote:
> On Sat, Mar 17, 2018 at 1:07 PM, Kees Cook wrote:
>>
>> No luck! :( gcc 4.4 refuses to play along. And, hilariously, not only
>> does it not change the complaint about __builtin_choose_expr(), it
>> also think
FSE_MAX_SYMBOL_VALUE + 1];
-FSE_DTable dtable[1]; /* Dynamically sized */
+FSE_DTable dtable[__FLEX_ARRAY_DIM]; /* Dynamically sized */
} FSE_DecompressWksp;
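Review bot: on the `dtable` line, changing the declared dimension from `1` to `__FLEX_ARRAY_DIM` can change `sizeof(FSE_DecompressWksp)` if the macro does not evaluate to 1, so any workspace size calculation that relied on the struct already containing one `FSE_DTable` element needs to be checked and adjusted in the same change. The "Dynamically sized" comment is left unchanged; it would help to say there how the real length is determined, so that bounds checking on `dtable` can be reasoned about from the declaration.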
--
Kees Cook
rray member.
>
> This code was found with the help of Coccinelle, and audited and
> fixed manually.
>
> Signed-off-by: Gustavo A. R. Silva
Looks right to me.
Reviewed-by: Kees Cook
--
Kees Cook
On Thu, Oct 12, 2023 at 07:55:55PM +, Nick Terrell wrote:
>
> > On Oct 9, 2023, at 1:29 PM, Kees Cook wrote:
> >
> > !---|
> > This Message
ik
Cc: David Sterba
Cc: linux-btrfs@vger.kernel.org
Signed-off-by: Kees Cook
---
fs/btrfs/extent_map.c | 6 --
fs/btrfs/extent_map.h | 6 --
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/fs/btrfs/extent_map.c b/fs/btrfs/extent_map.c
index b61099bf97a8..29a649507857 100644
-
nel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Chris Mason
Cc: Josef Bacik
Cc: David Sterba
Cc: linux-btrfs@vger.kernel.org
Signed-off-by: Kees Cook
---
fs/btrfs/order
that trades
coverage for speed, and checks only the overflow condition. This gets
us the critical coverage without the changes in performance. This is
basically what PaX/grsecurity already did: there is a tiny change to
the atomic inc functions to detect the wrap.
-Kees
--
Kees Cook
Pixel Security
gging stuff is actually preventing
> the security improvement from being adopted, which is unfortunate.
We've been trying to handle the conflicting desires of those wanting
very precise refcounting implementation and gaining the security
protections. Ultimately, the best way forward seemed to be to first
land the precise refcounting implementation, and start conversion
until we ran into concerns over performance. Now, since we're here, we
can move forward with getting a fast implementation that provides the
desired security protections without too greatly messing with the
refcount API.
-Kees
--
Kees Cook
Pixel Security
On Fri, Apr 21, 2017 at 2:27 PM, James Bottomley
wrote:
> On Fri, 2017-04-21 at 13:22 -0700, Kees Cook wrote:
>> On Fri, Apr 21, 2017 at 12:55 PM, Eric Biggers
>> wrote:
>> > > > Of course, having extra checks behind a debug option is fine.
>> > >
? If the latter, please resend
> this when those changes are in, thanks.
It's in -next currently ("locking/refcount: Create unchecked atomic_t
implementation")
-Kees
--
Kees Cook
Pixel Security
On Tue, Nov 19, 2013 at 8:05 PM, Fengguang Wu wrote:
> On Tue, Nov 19, 2013 at 07:56:35PM -0800, Kees Cook wrote:
>> Hi!
>>
>> Which tree is 'devel-snb'? I don't see that on the kernel.org trees.
>
> It's my local merge branch, based on the latest up
On Wed, Nov 20, 2013 at 10:05 AM, Jeff Mahoney wrote:
> On 11/20/13, 12:30 PM, Chris Mason wrote:
>> Quoting Fengguang Wu (2013-11-19 23:05:51)
>>> On Tue, Nov 19, 2013 at 07:56:35PM -0800, Kees Cook wrote:
>>>> Hi!
>>>>
>>>> Which tree is
no
> format arguments [-Werror=format-security] get_raid_name(index));
>
> Signed-off-by: Jeff Mahoney
Reviewed-by: Kees Cook
Thanks!
-Kees
--
Kees Cook
Chrome OS Security
even when they
> > are
> > not enabled in the config.
> >
> > -chris
> >
>
> Let's get Kees involved. He developed the patch set for Hardy. I would
> hope that if CONFIG_SECURITY_APPARMOR=n then the source would default to
> its normal state.
I can't claim to have developed the patches, only helping coordinate
their merging into Ubuntu. John Johansen is the real person we should
check with -- he did all the heavy lifting -- now added to discussion.
(Hi John!)
-Kees
--
Kees Cook
Ubuntu Security Team
m not entirely sure.
Any thoughts on how to accomplish this?
Thanks,
-Kees
--
Kees Cook
Ubuntu Security Team