[PATCH v5 2/7] jump_label: Provide CONFIG-driven build state defaults

2021-03-09 Thread Kees Cook
convert the existing cases (init_on_alloc and init_on_free) to the new macros. Acked-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/lkml/20200324220641.gt2...@worktop.programming.kicks-ass.net/ Signed-off-by: Kees Cook --- include/linux/jump_label.h | 19 +++ include

[PATCH v5 3/7] init_on_alloc: Unpessimize default-on builds

2021-03-09 Thread Kees Cook
Alexander Potapenko Link: https://lore.kernel.org/lkml/CAG_fn=x0dvwqlahjto6jw7tgcmsm77gkhinrd0m_6y0szwo...@mail.gmail.com/ Signed-off-by: Kees Cook --- include/linux/mm.h | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index bf

[PATCH v5 1/7] mm: Restore init_on_* static branch defaults

2021-03-09 Thread Kees Cook
pessimization of the resulting static branch NOP/JMP locations. Fixes: 04013513cc84 ("mm, page_alloc: do not rely on the order of page_poison and init_on_alloc/free parameters") Cc: sta...@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/mm.h | 8 mm/page_allo

Re: [PATCH] kbuild: Allow LTO to be selected with KASAN_HW_TAGS

2021-03-08 Thread Kees Cook
ed-by: Alistair Delva > Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v3] mm/vmalloc: randomize vmalloc() allocations

2021-03-08 Thread Kees Cook
get randomized (only one example > line from /proc/vmallocinfo shown for brevity): > > unrandomized: > 0xc9018000-0xc9021000 36864 kernel_clone+0xf9/0x560 pages=8 > vmalloc > > randomized: > 0xcb57611a8000-0xcb57611b1000 36864 kernel_clone+0x

[GIT PULL] gcc-plugins fixes for v5.12-rc2

2021-03-05 Thread Kees Cook
unneeded variable 'ret' gcc-plugins: latent_entropy: remove unneeded semicolon scripts/gcc-plugins/latent_entropy_plugin.c | 2 +- scripts/gcc-plugins/structleak_plugin.c | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) -- Kees Cook

[GIT PULL] pstore fixes for v5.12-rc2

2021-03-05 Thread Kees Cook
age Tetsuo Handa (1): pstore: Fix warning in pstore_kill_sb() fs/pstore/inode.c| 2 +- fs/pstore/ram_core.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) -- Kees Cook

Re: [PATCH] KVM: arm64: Don't use cbz/adr with external symbols

2021-03-05 Thread Kees Cook
sues/1317 > Reported-by: Nathan Chancellor > Suggested-by: Marc Zyngier > Suggested-by: Ard Biesheuvel > Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH] security/loadpin: Replace "kernel_read_file_str[j]" with function "kernel_read_file_id_str(j)".

2021-03-04 Thread Kees Cook
le_id[j] = 1; > /* >* Can not break, because one read_file_str I feel funny about making these into function calls when we've already validated the index, but yeah, that would be fine. Can you send a v2 with the earlier suggestion addressed? Thanks! -Kees -- Kees Cook

Re: [PATCH] kbuild: rebuild GCC plugins when the compiler is upgraded

2021-03-04 Thread Kees Cook
; Signed-off-by: Masahiro Yamada This seems fine to me, but I want to make sure Josh has somewhere to actually go with this. Josh, does this get you any closer? It sounds like the plugins need to move to another location for packaged kernels? Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH] scripts/spelling.txt: add "overlfow"

2021-03-04 Thread Kees Cook
On Wed, Mar 03, 2021 at 11:26:58PM -0800, Drew Fustini wrote: > Add typo "overlfow" for "overflow". This typo was found and fixed in > net/sctp/tsnmap.c. > > Link: > https://lore.kernel.org/netdev/20210304055548.56829-1-d...@beagleboard.org/ > Suggeste

Re: Possible bug kernel/seccomp.c

2021-03-04 Thread Kees Cook
.com/linux/latest/source/kernel/seccomp.c#L600 > > > > I think the desired behavior is to synchronize the filter count. Yecch. Yeah, that's a bug. Thanks for noticing that! Can you send a patch to fix it? -- Kees Cook

Re: [PATCH RFC] gcc-plugins: Handle GCC version mismatch for OOT modules

2021-03-03 Thread Kees Cook
C's -ftrivial-auto-var-init=zero to likely be the next two things to appear), but it's not the case right now. -- Kees Cook

Re: [PATCH v1] pstore/ram: Rate-limit "uncorrectable error in header" message

2021-03-03 Thread Kees Cook
> message. Now there are maximum 10 messages printed repeatedly instead > of 35+. Applied to for-next/pstore, thanks! [1/1] pstore/ram: Rate-limit "uncorrectable error in header" message https://git.kernel.org/kees/c/7db688e99c0f -- Kees Cook

Re: [PATCH] gcc-plugins: latent_entropy: remove unneeded semicolon

2021-03-03 Thread Kees Cook
https://git.kernel.org/kees/c/5477edcacaac -- Kees Cook

Re: [PATCH] gcc-plugins: structleak: remove unneeded variable 'ret'

2021-03-03 Thread Kees Cook
ctleak: remove unneeded variable 'ret' https://git.kernel.org/kees/c/b924a8197ac7 -- Kees Cook

Re: [PATCH AUTOSEL 5.11 31/52] x86, build: use objtool mcount

2021-03-02 Thread Kees Cook
trace with > Clang and gcc <5 (later versions of gcc use -mrecord-mcount). > > Signed-off-by: Sami Tolvanen > Reviewed-by: Kees Cook > Signed-off-by: Sasha Levin This one doesn't make sense without all the other objtool changes for it. Please drop this from autosel. -K

Re: [PATCH] sysctl: use min() helper for namecmp()

2021-03-01 Thread Kees Cook
e.kernel.org/patchwork/patch/1360092/ > > > > > > On Mon, Jan 4, 2021 at 5:33 PM Masahiro Yamada wrote: > > > > Make it slightly readable by using min(). > > > > Signed-off-by: Masahiro Yamada Acked-by: Kees Cook Feel free to take this via your tree Masahiro.

Re: seccomp: Delay filter activation

2021-03-01 Thread Kees Cook
this feature for cooperating targets, though, so I think "apply on exec" isn't great. struct seccomp_filter_attach_trigger { u64 nr; unsigned char *filter; }; seccomp(SECCOMP_ATTACH_FILTER_TRIGGER, 0, seccomp_filter_attach_trigger); after "nr" is evaluated (but before it runs), seccomp installs the filter. And by "installs", I'm not sure if it needs to keep it in a queue, with separate ref counting, or if it should be in the main filter stack, but have an "alive" toggle, or what. -- Kees Cook

Re: [PATCH] arm64: vmlinux.lds.S: keep .entry.tramp.text section

2021-02-26 Thread Kees Cook
out whether this is the correct solution for the underlying > problem. > > Signed-off-by: Arnd Bergmann As a work-around, it seems fine to me. Reviewed-by: Kees Cook -Kees > --- > arch/arm64/kernel/vmlinux.lds.S | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) >

Re: [PATCH next v3 12/15] printk: introduce a kmsg_dump iterator

2021-02-25 Thread Kees Cook
ers/hv/vmbus_drv.c | 7 +-- > drivers/mtd/mtdoops.c | 8 +-- > fs/pstore/platform.c | 8 +-- Reviewed-by: Kees Cook # pstore -Kees > include/linux/kmsg_dump.h | 38 --- > kernel/debug/kdb/kd

Re: [PATCH] qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute

2021-02-25 Thread Kees Cook
mber of 'struct > kobj_structure' expects the second parameter to be of type 'struct > kobj_attribute'. > > $ cat /sys/firmware/qemu_fw_cfg/rev > 3 > > [...] Applied to kspp/cfi/cleanups, thanks! [1/1] qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute https://git.kernel.org/kees/c/f5c4679d6c49 -- Kees Cook

Re: [PATCH v2] parisc: select FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY

2021-02-25 Thread Kees Cook
[1/1] parisc: select FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY https://git.kernel.org/kees/c/3d1dc719bca9 -- Kees Cook

[GIT PULL] orphan-handling fix for v5.12-rc1

2021-02-25 Thread Kees Cook
SANTIZER_DISCARDS with CONFIG_GCOV_KERNEL=y include/asm-generic/vmlinux.lds.h | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) -- Kees Cook

Re: [PATCH v3] vmlinux.lds.h: Define SANTIZER_DISCARDS with CONFIG_GCOV_KERNEL=y

2021-02-25 Thread Kees Cook
ng: orphan section `.eh_frame' from `init/calibrate.o' being placed > in section `.eh_frame' > ld: warning: orphan section `.eh_frame' from `init/init_task.o' being placed > in section `.eh_frame' > ... > > [...] Applied to kspp/linker/orphans, thanks! [1/1] vmlinux.lds.h: Define SANTIZER_DISCARDS with CONFIG_GCOV_KERNEL=y https://git.kernel.org/kees/c/f5b6a74d9c08 -- Kees Cook

[GIT PULL] clang-lto fixes for v5.12-rc1

2021-02-25 Thread Kees Cook
-- arch/parisc/Kconfig | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) -- Kees Cook

Re: [PATCH] kbuild: remove .thinlto-cache by 'make clean'

2021-02-25 Thread Kees Cook
l to 'make clean' https://git.kernel.org/kees/c/4c7858b9001c -- Kees Cook

Re: [PATCH] [RFT] m68k: enable HAVE_LD_DEAD_CODE_DATA_ELIMINATION

2021-02-25 Thread Kees Cook
achines. > > Link: > https://lore.kernel.org/lkml/cak8p3a05vz9hskrzvtxtn+1nf9e+gqebjwtj6n23nfm+elh...@mail.gmail.com/ > Signed-off-by: Arnd Bergmann Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH] [RFC] arm64: enable HAVE_LD_DEAD_CODE_DATA_ELIMINATION

2021-02-25 Thread Kees Cook
speed. > > Link: > https://lore.kernel.org/lkml/cak8p3a05vz9hskrzvtxtn+1nf9e+gqebjwtj6n23nfm+elh...@mail.gmail.com/ > Signed-off-by: Arnd Bergmann Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH] linux/compiler-clang.h: define HAVE_BUILTIN_BSWAP*

2021-02-25 Thread Kees Cook
On Thu, Feb 25, 2021 at 12:06:37PM -0800, Andrew Morton wrote: > On Thu, 25 Feb 2021 12:03:48 -0800 Kees Cook wrote: > > > On Thu, Feb 25, 2021 at 05:45:09PM +0100, Arnd Bergmann wrote: > > > From: Arnd Bergmann > > > > > > Separating compiler-clang.h fr

Re: [PATCH] kbuild: lto: add _mcount to list of used symbols

2021-02-25 Thread Kees Cook
"kbuild: lto: add a default list of used symbols") > Signed-off-by: Arnd Bergmann Thanks! Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH] linux/compiler-clang.h: define HAVE_BUILTIN_BSWAP*

2021-02-25 Thread Kees Cook
6c ("include/linux/compiler*.h: make compiler-*.h mutually > exclusive") > Signed-off-by: Arnd Bergmann Cc: sta...@vger.kernel.org Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH] kbuild: remove .thinlto-cache by 'make clean'

2021-02-25 Thread Kees Cook
ean"? > > Fixes: dc5723b02e52 ("kbuild: add support for Clang LTO") > Signed-off-by: Masahiro Yamada That works for me! Reviewed-by: Kees Cook -Kees > --- > > Makefile | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --gi

Re: [PATCH] qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute

2021-02-24 Thread Kees Cook
sysfs driver for QEMU's fw_cfg > device") > Link: https://github.com/ClangBuiltLinux/linux/issues/1299 > Signed-off-by: Nathan Chancellor Ah, nice, yes. Reviewed-by: Kees Cook Michael, are you able to take this? I can snag it if needed. -Kees > --- > drivers/firmware/q

Re: [PATCH v2] parisc: select FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY

2021-02-24 Thread Kees Cook
enter Roeck > Fixes: 3b15cdc15956 ("tracing: move function tracer options to Kconfig") > Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Cross-build tested for defconfig, allmodconfig, allyesconfig: Tested-by: Kees Cook -Kees > --- > arch/parisc/Kconfig | 1 + > 1 f

Re: [PATCH] parisc: select FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY

2021-02-24 Thread Kees Cook
On Wed, Feb 24, 2021 at 02:46:34PM -0800, Guenter Roeck wrote: > On Wed, Feb 24, 2021 at 01:02:27PM -0800, Kees Cook wrote: > > On Wed, Feb 24, 2021 at 12:59:38PM -0800, Sami Tolvanen wrote: > > > parisc uses -fpatchable-function-entry with dynamic ftrace, which means w

Re: [PATCH v9 01/16] tracing: move function tracer options to Kconfig (causing parisc build failures)

2021-02-24 Thread Kees Cook
On Wed, Feb 24, 2021 at 02:28:07PM -0800, Guenter Roeck wrote: > On Wed, Feb 24, 2021 at 12:38:54PM -0800, Kees Cook wrote: > > On Wed, Feb 24, 2021 at 12:17:23PM -0800, Guenter Roeck wrote: > > > On Fri, Dec 11, 2020 at 10:46:18AM -0800, Sami Tolvanen wrote: > > > >

Re: linux-next: Signed-off-by missing for commits in Linus' tree

2021-02-24 Thread Kees Cook
it 1 fi fi done (and I modified check_fixes and check_commits to exit non-zero on failure) I wonder if we need this in Documentation/maintainer/configure-git.rst and to put check_commits and check_fixes into tools/ somewhere? (Though goodness, please never aim your hook at your tree's tools/ directory.) -- Kees Cook

Re: [PATCH] parisc: select FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY

2021-02-24 Thread Kees Cook
enter Roeck > Fixes: 3b15cdc15956 ("tracing: move function tracer options to Kconfig") > Signed-off-by: Sami Tolvanen I've got parisc building now, and can confirm: Tested-by: Kees Cook Guenter, does this fix it for you too? -Kees > --- > arch/parisc/Kconfig | 1 + >

Re: [PATCH v9 01/16] tracing: move function tracer options to Kconfig (causing parisc build failures)

2021-02-24 Thread Kees Cook
oblem, CONFIG_FTRACE_MCOUNT_RECORD can no longer be > enabled in parisc builds. Since that is auto-selected by DYNAMIC_FTRACE, > DYNAMIC_FTRACE can no longer be enabled, and with it everything that > depends on it. Ew. Any idea why this didn't show up while it was in linux-next? -- Kees Cook

Re: linux-next: Signed-off-by missing for commits in Linus' tree

2021-02-24 Thread Kees Cook
check_commits runs > check_fixes - but just for my convenience. Thank you! I've added these to my PR workflow now, and it yells quite loudly. I'm still looking at some kind of push hook too... -- Kees Cook

Re: linux-next: Signed-off-by missing for commits in Linus' tree

2021-02-24 Thread Kees Cook
om their committer. Ie! Ugh, yes, my bad, entirely. I screwed up when rebuilding the LTO "part 2" series for the -rc1 window (missed the -s on the cherry-pick). Since we can't change git history, the best fix I can do is send it here to the list. Obviously, these should all be cons

[GIT PULL] clang-lto (part 2) for v5.12-rc1

2021-02-23 Thread Kees Cook
tools/objtool/objtool.c | 1 + tools/objtool/objtool.h | 1 + 16 files changed, 195 insertions(+), 33 deletions(-) -- Kees Cook

Re: [GIT PULL v2] clang-lto for v5.12-rc1

2021-02-23 Thread Kees Cook
On Tue, Feb 23, 2021 at 12:33:05PM -0800, Linus Torvalds wrote: > On Tue, Feb 23, 2021 at 9:49 AM Linus Torvalds > wrote: > > > > On Mon, Feb 22, 2021 at 3:11 PM Kees Cook wrote: > > > > > > While x86 LTO enablement is done[1], it depends on some objtool &

Re: [PATCH] gcc-plugins: Disable GCC_PLUGIN_CYC_COMPLEXITY for s390

2021-02-23 Thread Kees Cook
ould_ solve all common problems we currently see. > > And it would also do what you suggested. I've wanted similar (e.g. for some UBSAN options that would go weird under RANDCONFIG). :) -- Kees Cook

Re: [PATCH] pstore: fix warning in pstore_kill_sb()

2021-02-23 Thread Kees Cook
store_kill_sb() https://git.kernel.org/kees/c/9c7d83ae6ba6 -- Kees Cook

[GIT PULL v2] clang-lto for v5.12-rc1

2021-02-22 Thread Kees Cook
| 24 +++ 24 files changed, 707 insertions(+), 62 deletions(-) create mode 100755 scripts/generate_initcall_order.pl create mode 100644 scripts/lto-used-symbollist.txt -- Kees Cook

[GIT PULL] pstore update for v5.12-rc1

2021-02-18 Thread Kees Cook
- Fix a CONFIG typo (Jiri Bohac) Jiri Bohac (1): pstore: Fix typo in compression option name fs/pstore/platform.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- Kees Cook

Re: pstore: fix compression

2021-02-18 Thread Kees Cook
; disabled. > > Use the correct config option name. Eek; thanks for the catch! Applied to for-next/pstore, thanks! [1/1] pstore: Fix typo in compression option name https://git.kernel.org/kees/c/19d8e9149c27 -- Kees Cook

[GIT PULL] seccomp updates for v5.12-rc1

2021-02-17 Thread Kees Cook
) Paul Cercueil (1): seccomp: Add missing return in non-void function wanghongzhe (1): seccomp: Improve performace by optimizing rmb() kernel/seccomp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) -- Kees Cook

Re: [GIT PULL] clang-lto for v5.12-rc1

2021-02-17 Thread Kees Cook
On Tue, Feb 16, 2021 at 10:48:10PM +, Alexander Lobakin wrote: > From: Kees Cook > Date: Tue, 16 Feb 2021 12:34:37 -0800 > > > Hi Linus, > > > > Please pull this Clang Link Time Optimization series for v5.12-rc1. This > > has been in linux-next for the enti

[GIT PULL] clang-lto for v5.12-rc1

2021-02-16 Thread Kees Cook
.pl create mode 100644 scripts/lto-used-symbollist.txt -- Kees Cook

[PATCH] spi: dw: Avoid stack content exposure

2021-02-11 Thread Kees Cook
verity: CID 1497771 Out-of-bounds access Fixes: abf00907538e ("spi: dw: Add Baikal-T1 SPI Controller glue driver") Signed-off-by: Kees Cook --- drivers/spi/spi-dw-bt1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/spi/spi-dw-bt1.c b/drivers/spi/spi-dw

Re: [PATCH v20 21/25] x86/cet/shstk: Handle signals for shadow stack

2021-02-10 Thread Kees Cook
On Wed, Feb 10, 2021 at 01:38:10PM -0800, Yu, Yu-cheng wrote: > On 2/10/2021 11:58 AM, Kees Cook wrote: > > On Wed, Feb 10, 2021 at 09:56:59AM -0800, Yu-cheng Yu wrote: > > > To deliver a signal, create a shadow stack restore token and put the token > > > and the sig

[PATCH] usb: Replace lkml.org links with lore

2021-02-10 Thread Kees Cook
As started by commit 05a5f51ca566 ("Documentation: Replace lkml.org links with lore"), replace lkml.org links with lore to better use a single source that's more likely to stay available long-term. Signed-off-by: Kees Cook --- drivers/usb/serial/ark3116.c | 7 --- 1

[PATCH] mips: Replace lkml.org links with lore

2021-02-10 Thread Kees Cook
As started by commit 05a5f51ca566 ("Documentation: Replace lkml.org links with lore"), replace lkml.org links with lore to better use a single source that's more likely to stay available long-term. Signed-off-by: Kees Cook --- This patch may make more sense if this entire comment

[PATCH] block: Replace lkml.org links with lore

2021-02-10 Thread Kees Cook
As started by commit 05a5f51ca566 ("Documentation: Replace lkml.org links with lore"), replace lkml.org links with lore to better use a single source that's more likely to stay available long-term. Signed-off-by: Kees Cook --- drivers/block/aoe/aoecmd.c | 2 +- 1 file changed, 1

[PATCH] xen: Replace lkml.org links with lore

2021-02-10 Thread Kees Cook
As started by commit 05a5f51ca566 ("Documentation: Replace lkml.org links with lore"), replace lkml.org links with lore to better use a single source that's more likely to stay available long-term. Signed-off-by: Kees Cook --- drivers/xen/xen-acpi-processor.c | 3 ++- 1

[PATCH] arm64: Replace lkml.org links with lore

2021-02-10 Thread Kees Cook
As started by commit 05a5f51ca566 ("Documentation: Replace lkml.org links with lore"), replace lkml.org links with lore to better use a single source that's more likely to stay available long-term. Signed-off-by: Kees Cook --- arch/arm/kernel/hibernate.c | 2 +- arch/arm64/ker

[PATCH] perf: Replace lkml.org links with lore

2021-02-10 Thread Kees Cook
As started by commit 05a5f51ca566 ("Documentation: Replace lkml.org links with lore"), replace lkml.org links with lore to better use a single source that's more likely to stay available long-term. Signed-off-by: Kees Cook --- tools/perf/Documentation/examples.txt | 2 +- tools

[PATCH] Documentation: Replace more lkml.org links with lore

2021-02-10 Thread Kees Cook
As started by commit 05a5f51ca566 ("Documentation: Replace lkml.org links with lore"), replace a few more scattered lkml.org links with lore to better use a single source that's more likely to stay available long-term. Signed-off-by: Kees Cook --- CREDITS

[PATCH] staging: Replace lkml.org links with lore

2021-02-10 Thread Kees Cook
As started by commit 05a5f51ca566 ("Documentation: Replace lkml.org links with lore"), replace lkml.org links with lore to better use a single source that's more likely to stay available long-term. Signed-off-by: Kees Cook --- drivers/staging/clocking-wizard/TODO |

[PATCH] arc: Replace lkml.org links with lore

2021-02-10 Thread Kees Cook
As started by commit 05a5f51ca566 ("Documentation: Replace lkml.org links with lore"), replace lkml.org links with lore to better use a single source that's more likely to stay available long-term. Signed-off-by: Kees Cook --- arch/arc/include/asm/irqflags-compact.h | 8 ++

Re: [PATCH 3/3] selftest/arm64/ptrace: add tests for PTRACE_O_ARM64_RAW_REGS

2021-02-10 Thread Kees Cook
elftests/arm64/ptrace/ptrace_syscall_regs_test.c > > Thanks for the tests! > > We already have a pretty extensive set of syscall entry tests in > tools/testing/selftests/seccomp, so perhaps this would be better off as part > of that? Maybe worth a look. I'm happy with this living in either place -- I can make an argument either way. If it's arm64-specific, maybe better to live outside of seccomp? -- Kees Cook

Re: [PATCH v2] seccomp: Improve performace by optimizing rmb()

2021-02-10 Thread Kees Cook
ptimizing rmb() https://git.kernel.org/kees/c/a381b70a1cf8 -- Kees Cook

Re: [PATCH] pstore/ram : Add support for cached pages

2021-02-10 Thread Kees Cook
if (memtype == MEM_TYPE_NONCACHED) > prot = pgprot_noncached(PAGE_KERNEL); > - else > + else if (memtype == MEM_TYPE_WCOMBINE) > prot = pgprot_writecombine(PAGE_KERNEL); Let's make this a switch statement. > > pages = kmalloc_array(page_count, sizeof(struct page *), GFP_KERNEL); > -- > Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, > Inc. is a member of the Code Aurora Forum, a Linux Foundation Collaborative > Project > -- Kees Cook

Re: [PATCH v20 21/25] x86/cet/shstk: Handle signals for shadow stack

2021-02-10 Thread Kees Cook
+ > + * FP_XSTATE_MAGIC2_SIZE, then aligned to 8. > + */ > + if (cet->shstk_size) > + sp -= (sizeof(struct sc_ext) + 8); > + > + return sp; > +} > +#else > +static unsigned long fpu__alloc_sigcontext_ext(unsigned long sp) > +{ > + return sp; > +} > +#endif > + > unsigned long > fpu__alloc_mathframe(unsigned long sp, int ia32_frame, >unsigned long *buf_fx, unsigned long *size) > { > unsigned long frame_size = xstate_sigframe_size(); > > + sp = fpu__alloc_sigcontext_ext(sp); > + > *buf_fx = sp = round_down(sp - frame_size, 64); > if (ia32_frame && use_fxsr()) { > frame_size += sizeof(struct fregs_state); > diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c > index ea794a083c44..1807379f1d86 100644 > --- a/arch/x86/kernel/signal.c > +++ b/arch/x86/kernel/signal.c > @@ -46,6 +46,7 @@ > #include > #include > #include > +#include > > #ifdef CONFIG_X86_64 > /* > @@ -239,6 +240,9 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs > *regs, size_t frame_size, > unsigned long buf_fx = 0; > int onsigstack = on_sig_stack(sp); > int ret; > +#ifdef CONFIG_X86_64 > + void __user *restorer = NULL; > +#endif > > /* redzone */ > if (IS_ENABLED(CONFIG_X86_64)) > @@ -270,6 +274,12 @@ get_sigframe(struct k_sigaction *ka, struct pt_regs > *regs, size_t frame_size, > if (onsigstack && !likely(on_sig_stack(sp))) > return (void __user *)-1L; > > +#ifdef CONFIG_X86_64 > + if (ka->sa.sa_flags & SA_RESTORER) > + restorer = ka->sa.sa_restorer; > + ret = save_cet_to_sigframe(0, *fpstate, (unsigned long)restorer); > +#endif > + > /* save i387 and extended state */ > ret = copy_fpstate_to_sigframe(*fpstate, (void __user *)buf_fx, > math_size); > if (ret < 0) > -- > 2.21.0 > > -- Kees Cook
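
Review bot: in the get_sigframe() hunk for arch/x86/kernel/signal.c, the value assigned by "ret = save_cet_to_sigframe(0, *fpstate, (unsigned long)restorer);" is overwritten by the copy_fpstate_to_sigframe() call right after the #endif before anything tests it, so a failure to save the CET state to the signal frame is silently dropped. Test ret inside the #ifdef block and bail out the same way the on_sig_stack() check above does, with "return (void __user *)-1L;". As a smaller style point, the same function already uses IS_ENABLED(CONFIG_X86_64) for the redzone, so the two new #ifdef CONFIG_X86_64 blocks for "restorer" could follow that form if save_cet_to_sigframe() has a stub for other configurations.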

Re: [PATCH v20 25/25] mm: Introduce PROT_SHSTK for shadow stack

2021-02-10 Thread Kees Cook
eparate it into its own patch? > > [1] https://lore.kernel.org/lkml/20200828121624.108243-1-hjl.to...@gmail.com/ > > Signed-off-by: Yu-cheng Yu With that done: Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v20 11/25] x86/mm: Update ptep_set_wrprotect() and pmdp_set_wrprotect() for transition from _PAGE_DIRTY to _PAGE_COW

2021-02-10 Thread Kees Cook
r Zijlstra provided many > insights to the issue. Jann Horn provided the cmpxchg solution. > > Signed-off-by: Yu-cheng Yu Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v20 08/25] x86/mm: Introduce _PAGE_COW

2021-02-10 Thread Kees Cook
needs a > + * writable copy. The page fault handler creates a copy of the page > + * and sets the new copy's PTE as Write=0, Cow=1. > + * (c) A shadow stack PTE: (Write=0, Dirty=1) > + * (d) A shared (copy-on-access) shadow stack PTE: (Write=0, Cow=1) > + * When a shadow stack page is being shared among processes (this > + * happens at fork()), its PTE is cleared of _PAGE_DIRTY, so the next > + * shadow stack access causes a fault, and the page is duplicated and > + * _PAGE_DIRTY is set again. This is the COW equivalent for shadow > + * stack pages, even though it's copy-on-access rather than > + * copy-on-write. > + * (e) A page where the processor observed a Write=1 PTE, started a write, > + * set Dirty=1, but then observed a Write=0 PTE (changed by another > + * thread). That's possible today, but will not happen on processors > + * that support shadow stack. > + */ > +#ifdef CONFIG_X86_CET > +#define _PAGE_COW(_AT(pteval_t, 1) << _PAGE_BIT_COW) > +#else > +#define _PAGE_COW(_AT(pteval_t, 0)) > +#endif > + > +#define _PAGE_DIRTY_BITS (_PAGE_DIRTY | _PAGE_COW) > + > #define _PAGE_PROTNONE (_AT(pteval_t, 1) << _PAGE_BIT_PROTNONE) > > /* > -- > 2.21.0 > -- Kees Cook

Re: [PATCH v20 06/25] x86/cet: Add control-protection fault handler

2021-02-10 Thread Kees Cook
> > Signed-off-by: Yu-cheng Yu Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v20 07/25] x86/mm: Remove _PAGE_DIRTY from kernel RO pages

2021-02-10 Thread Kees Cook
rs that support Shadow Stack regard read-only and Dirty PTEs as > shadow stack pages. This results in ambiguity between shadow stack and > kernel read-only pages. To resolve this, removed Dirty from kernel read- > only pages. > > Signed-off-by: Yu-cheng Yu Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v20 02/25] x86/cet/shstk: Add Kconfig option for user-mode control-flow protection

2021-02-10 Thread Kees Cook
sure, say N. > > +config ARCH_HAS_SHADOW_STACK > + def_bool n > + > +config X86_CET > + prompt "Intel Control-flow protection for user-mode" > + def_bool n > + depends on X86_64 This depends isn't needed any more. With t

Re: [PATCH] checkpatch: add warning for non-lore mailing list URLs

2021-02-10 Thread Kees Cook
se lore.kernel.org archive links when possible - > see https://lore.kernel.org/lists.html\n"; . $herecurr); > + } > + > # Check for added, moved or deleted files > if (!$reported_maintainer_file && !$in_commit_log && > ($line =~ /^(?:new|deleted) file mode\s*\d+\s*$/ || > > Ah, nice. Yes, this would be great to get added. Joe, can you respin as a full path? Please consider it: Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH] Documentation: Replace lkml.org links with lore

2021-02-09 Thread Kees Cook
. (And more generally, can it also suggest https over http?) -- Kees Cook

Re: [patch V2 12/13] softirq: Move do_softirq_own_stack() to generic asm header

2021-02-09 Thread Kees Cook
ovide an inline implementation of > do_softirq_own_stack() without introducing a lot of #ifdeffery all over the > place. > > Signed-off-by: Thomas Gleixner Reviewed-by: Kees Cook -- Kees Cook

Re: [patch V2 11/13] softirq: Move __ARCH_HAS_DO_SOFTIRQ to Kconfig

2021-02-09 Thread Kees Cook
and the inline > stub into a separate asm-generic header file which is required to avoid > include recursion. > > Signed-off-by: Thomas Gleixner Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH][RESEND] lib/vsprintf: make-printk-non-secret printks all addresses as unhashed

2021-02-09 Thread Kees Cook
On Fri, Feb 05, 2021 at 12:25:22PM -0600, Timur Tabi wrote: > I can extend make-printk-non-secret to %pK if everyone agrees. Let's just leave those alone. There is already a toggle for that in /proc. -- Kees Cook

Re: [PATCH] ubsan: Require GCC-8+ or Clang to use UBSAN

2021-02-09 Thread Kees Cook
o just remove the code, I'll send the patch shortly. I have a specific goal of getting both signed and unsigned overflow detection working sanely, so removing this entirely from the kernel really makes working on that difficult. :) I view the primary problem as compiler-specific. I'd much rather we correctly mask against versions (or better yet, behaviors). -- Kees Cook

Re: [PATCH] ubsan: remove overflow checks

2021-02-09 Thread Kees Cook
r Peter's fix instead. -Kees > Cc: Peter Zijlstra > Cc: Josh Poimboeuf > Cc: Randy Dunlap > Cc: Stephen Rothwell > Cc: Dmitry Vyukov > Cc: Kees Cook > Cc: Alexander Viro > --- > lib/Kconfig.ubsan | 17 --- > lib/test_ubsan.c | 49 -

Re: [PATCH v3] kcmp: Support selection of SYS_kcmp without CHECKPOINT_RESTORE

2021-02-08 Thread Kees Cook
rvice file descriptor store. > > Note that some distributions such as Ubuntu are already enabling > CHECKPOINT_RESTORE in their configs and so, by extension, SYS_kcmp. > > References: https://gitlab.freedesktop.org/drm/intel/-/issues/3046 > Signed-off-by: Chris Wilson Thanks! Re

Re: [PATCH 08/14] taint: add taint for direct hardware access

2021-02-08 Thread Kees Cook
; > +#define TAINT_FLAGS_COUNT 19 > > #define TAINT_FLAGS_MAX((1UL << TAINT_FLAGS_COUNT) > > - 1) > > > > struct taint_flag { > > diff --git a/kernel/panic.c b/kernel/panic.c > > index 332736a72a58..dff22bd80eaf 100644 > > --- a/kernel/panic.c > > +++ b/kernel/panic.c > > @@ -386,6 +386,7 @@ const struct taint_flag taint_flags[TAINT_FLAGS_COUNT] > > = { > > [ TAINT_LIVEPATCH ] = { 'K', ' ', true }, > > [ TAINT_AUX ] = { 'X', ' ', true }, > > [ TAINT_RANDSTRUCT ]= { 'T', ' ', true }, > > + [ TAINT_RAW_PASSTHROUGH ] = { 'H', ' ', true }, > > }; > > > > /** > > -- > > 2.30.0 > > -- Kees Cook

Re: [patch 00/12] x86/irq/64: Inline irq stack switching

2021-02-08 Thread Kees Cook
13 (fresh from > git). The difference between the output of these compilers is minimal. > gcc8 being slightly worse due to stupid register selection and random > NOPs injected. Awesome. Please consider the series: Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v2] kernel: Expose SYS_kcmp by default

2021-02-05 Thread Kees Cook
the non-default > > CONFIG_CHECKPOINT_RESTORE into the selectable syscall category. > > > > Note that some distributions such as Ubuntu are already enabling > > CHECKPOINT_RESTORE in their configs and so, by extension, SYS_kcmp. > > > > References: https://g

Re: [PATCH] kernel: Expose SYS_kcmp by default

2021-02-05 Thread Kees Cook
uf) point to the same struct file. Since they depend on it for > core functionality, lift SYS_kcmp out of the non-default > CONFIG_CHECKPOINT_RESTORE into the selectable syscall category. > > Signed-off-by: Chris Wilson > Cc: Kees Cook > Cc: Andy Lutomirski > Cc: Will Drewry

Re: [PATCH v19 06/25] x86/cet: Add control-protection fault handler

2021-02-05 Thread Kees Cook
> The ratelimit here is only for #CP, and its rate is not counted together > with other types of faults. If a task gets here, it will exit. The only > condition the ratelimit will trigger is when multiple tasks hit #CP at once, > which is unlikely. Are you suggesting that we do not need the ratelimit > here? Since this is a potentially unprivileged-userspace-triggerable condition, I tend to prefer having a ratelimit. I don't feel _strongly_ about it, but I find it better to be defensive against log spamming (whether malicious or accidental). -- Kees Cook

Re: [PATCH v19 24/25] x86/cet/shstk: Add arch_prctl functions for shadow stack

2021-02-05 Thread Kees Cook
On Thu, Feb 04, 2021 at 03:41:59PM -0800, Yu, Yu-cheng wrote: > On 2/4/2021 12:35 PM, Kees Cook wrote: > > On Wed, Feb 03, 2021 at 02:55:46PM -0800, Yu-cheng Yu wrote: > > > arch_prctl(ARCH_X86_CET_STATUS, u64 *args) > > > Get CET feature status. > > >

Re: [PATCH] lib/vsprintf: make-printk-non-secret printks all addresses as unhashed

2021-02-04 Thread Kees Cook
but can't introduce > security problem on its own. > > Being alarmist is not my complaint; being untrue is. It's just semantics. Printing addresses DOES weaken the security of a system, especially when we know attackers have and do use stuff from dmesg to tune their attacks. How about "reduces the security of your system"? -- Kees Cook

Re: [PATCH v19 24/25] x86/cet/shstk: Add arch_prctl functions for shadow stack

2021-02-04 Thread Kees Cook
t; +} > diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c > index 3af6b36e1a5c..9e11e5f589f3 100644 > --- a/arch/x86/kernel/process.c > +++ b/arch/x86/kernel/process.c > @@ -979,14 +979,14 @@ unsigned long get_wchan(struct task_struct *p) > } > > long do_arch_prctl_common(struct task_struct *task, int option, > - unsigned long cpuid_enabled) > + unsigned long arg2) > { > switch (option) { > case ARCH_GET_CPUID: > return get_cpuid_mode(); > case ARCH_SET_CPUID: > - return set_cpuid_mode(task, cpuid_enabled); > + return set_cpuid_mode(task, arg2); > } > > - return -EINVAL; > + return prctl_cet(option, arg2); > } > -- > 2.21.0 > > -- Kees Cook
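
Review bot: in the do_arch_prctl_common() hunk for arch/x86/kernel/process.c, the fall-through changes from "return -EINVAL;" to "return prctl_cet(option, arg2);", so the result for every unrecognized option now depends on prctl_cet(). That function, and whatever stub stands in for it when CET is not built, has to return -EINVAL for options it does not handle, or existing callers probing unknown arch_prctl() options will see a different error. The call also drops the "task" argument that set_cpuid_mode(task, arg2) still receives; if prctl_cet() only ever acts on the current task, a short comment saying so at the call site would make that explicit.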

Re: [PATCH v19 22/25] ELF: Introduce arch_setup_elf_property()

2021-02-04 Thread Kees Cook
ce x86 feature definitions and arch_setup_elf_property(), which > enables such features. The first use-case of this function is Shadow > Stack. > > ARM64 is the other arch that has ARCH_USE_GNU_PROPERTY and arch_parse_elf_ > property(). Add arch_setup_elf_property() for it. > > Signed-off-

Re: [PATCH v19 20/25] x86/cet/shstk: User-mode shadow stack support

2021-02-04 Thread Kees Cook
eng Yu Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v19 19/25] mm: Re-introduce vm_flags to do_mmap()

2021-02-04 Thread Kees Cook
. > > There is a new user now. Shadow stack allocation passes VM_SHSTK to > do_mmap(). Re-introduce vm_flags to do_mmap(), but without the old wrapper > do_mmap_pgoff(). Instead, make all callers of the wrapper pass a zero > vm_flags to do_mmap(). > > Signed-off-by: Yu-cheng Yu Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v19 18/25] mm: Update can_follow_write_pte() for shadow stack

2021-02-04 Thread Kees Cook
a passed down? Should it just pass vm_flags? I suppose it doesn't really matter, though. Reviewed-by: Kees Cook -Kees > > Signed-off-by: Yu-cheng Yu > --- > mm/gup.c | 8 +--- > mm/huge_memory.c | 8 +--- > 2 files changed, 10 insertions(+), 6 deletions(-

Re: [PATCH v19 17/25] mm/mmap: Add shadow stack pages to memory accounting

2021-02-04 Thread Kees Cook
On Wed, Feb 03, 2021 at 02:55:39PM -0800, Yu-cheng Yu wrote: > Account shadow stack pages to stack memory. > > Signed-off-by: Yu-cheng Yu Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v19 16/25] mm: Add guard pages around a shadow stack.

2021-02-04 Thread Kees Cook
8 = 2040 bytes and > 255 * 4 = 1020 bytes by INCSSPD. Both ranges are far from PAGE_SIZE. > Thus, putting a gap page on both ends of a shadow stack prevents INCSSP, > CALL, and RET from going beyond. > > Signed-off-by: Yu-cheng Yu Yay guard pages! :) Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v19 15/25] mm: Fixup places that call pte_mkwrite() directly

2021-02-04 Thread Kees Cook
. > > - In change_pte_range(), pte_mkwrite() is called directly. Replace it with > maybe_mkwrite(). > > A shadow stack vma is writable but has different vma > flags, and handled accordingly in maybe_mkwrite(). > > Signed-off-by: Yu-cheng Yu Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v19 06/25] x86/cet: Add control-protection fault handler

2021-02-04 Thread Kees Cook
__user *)uprobe_get_trap_addr(regs)); > + cond_local_irq_disable(regs); > +} > +#endif > + > static bool do_int3(struct pt_regs *regs) > { > int res; > diff --git a/include/uapi/asm-generic/siginfo.h > b/include/uapi/asm-generic/siginfo.h > index d2597000407a..1c2ea91284a0 100644 > --- a/include/uapi/asm-generic/siginfo.h > +++ b/include/uapi/asm-generic/siginfo.h > @@ -231,7 +231,8 @@ typedef struct siginfo { > #define SEGV_ADIPERR 7 /* Precise MCD exception */ > #define SEGV_MTEAERR 8 /* Asynchronous ARM MTE error */ > #define SEGV_MTESERR 9 /* Synchronous ARM MTE exception */ > -#define NSIGSEGV 9 > +#define SEGV_CPERR 10 /* Control protection fault */ > +#define NSIGSEGV 10 > > /* > * SIGBUS si_codes > -- > 2.21.0 > -- Kees Cook
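Review bot: the NSIGSEGV bump from 9 to 10 in the siginfo.h hunk changes a uapi constant, so any build-time assertion or compat siginfo check that pins the old value has to be updated in this same patch; please confirm that is covered, since it is not visible in the quoted part. SEGV_CPERR is also a new userspace-visible si_code, so the commit message should mention the matching documentation update for the SIGSEGV si_code list.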

Re: [PATCH v19 14/25] x86/mm: Update maybe_mkwrite() for shadow stack

2021-02-04 Thread Kees Cook
e(). > > Signed-off-by: Yu-cheng Yu Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v19 11/25] x86/mm: Update ptep_set_wrprotect() and pmdp_set_wrprotect() for transition from _PAGE_DIRTY to _PAGE_COW

2021-02-04 Thread Kees Cook
r Zijlstra provided many > insights to the issue. Jann Horn provided the cmpxchg solution. > > Signed-off-by: Yu-cheng Yu Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v19 10/25] x86/mm: Update pte_modify for _PAGE_COW

2021-02-04 Thread Kees Cook
GE_DIRTY or _PAGE_COW. > > Apply the same changes to pmd_modify(). > > Signed-off-by: Yu-cheng Yu Reviewed-by: Kees Cook -- Kees Cook
