as been COW'ed: (Write=0, Cow=1)
> + * The user page is in a R/O VMA, and get_user_pages() needs a
> + * writable copy. The page fault handler creates a copy of the page
> + * and sets the new copy's PTE as Write=0, Cow=1.
> + * (c) A shadow stack PTE: (Write=0, Dirty=1)
> + * (d) A shared (copy-on-access) shadow stack PTE: (Write=0, Cow=1)
> + * When a shadow stack page is being shared among processes (this
> + * happens at fork()), its PTE is cleared of _PAGE_DIRTY, so the next
> + * shadow stack access causes a fault, and the page is duplicated and
> + * _PAGE_DIRTY is set again. This is the COW equivalent for shadow
> + * stack pages, even though it's copy-on-access rather than
> + * copy-on-write.
> + * (e) A page where the processor observed a Write=1 PTE, started a write,
> + * set Dirty=1, but then observed a Write=0 PTE (changed by another
> + * thread). That's possible today, but will not happen on processors
> + * that support shadow stack.
> + */
> +#ifdef CONFIG_X86_CET
> +#define _PAGE_COW(_AT(pteval_t, 1) << _PAGE_BIT_COW)
> +#else
> +#define _PAGE_COW(_AT(pteval_t, 0))
> +#endif
> +
> +#define _PAGE_DIRTY_BITS (_PAGE_DIRTY | _PAGE_COW)
> +
> #define _PAGE_PROTNONE (_AT(pteval_t, 1) << _PAGE_BIT_PROTNONE)
>
> /*
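Review bot: case (e) of the new comment states that the Write=0, Dirty=1 race "will not happen on processors that support shadow stack" without pointing at anything that backs it up; since the whole (Write=0, Dirty=1) encoding depends on that guarantee, cite the SDM section or commit that establishes it. It would also help to say next to the #else branch that _PAGE_COW is 0 without CONFIG_X86_CET, so _PAGE_DIRTY_BITS reduces to _PAGE_DIRTY there.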
> --
> 2.21.0
>
--
Kees Cook
On Wed, Feb 03, 2021 at 02:59:00PM -0800, Yu-cheng Yu wrote:
> From: "H.J. Lu"
>
> Update ARCH_X86_CET_STATUS and ARCH_X86_CET_DISABLE for Indirect Branch
> Tracking.
>
> Signed-off-by: H.J. Lu
Reviewed-by: Kees Cook
--
Kees Cook
rs that support Shadow Stack regard read-only and Dirty PTEs as
> shadow stack pages. This results in ambiguity between shadow stack and
> kernel read-only pages. To resolve this, removed Dirty from kernel read-
> only pages.
Does this have any other side-effects?
Otherwise, sure:
Review
SE
> def_bool $(as-instr,tpause %ecx)
> help
> Supported by binutils >= 2.31.1 and LLVM integrated assembler >= V7
> +
> +config AS_WRUSS
> + def_bool $(as-instr,wrussq %rax$(comma)(%rbx))
> + help
> + Supported by binutils >= 2.31 and LLVM integrated assembler
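Review bot: the help text for AS_WRUSS gives a minimum for binutils (>= 2.31) but none for the LLVM integrated assembler, while the entry directly above states ">= V7" for it. Add the first LLVM release that assembles wrussq so the two entries are consistent and the requirement can be checked.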
> --
> 2.21.0
>
--
Kees Cook
On Wed, Feb 03, 2021 at 02:55:25PM -0800, Yu-cheng Yu wrote:
> Add CPU feature flags for Control-flow Enforcement Technology (CET).
>
> CPUID.(EAX=7,ECX=0):ECX[bit 7] Shadow stack
> CPUID.(EAX=7,ECX=0):EDX[bit 20] Indirect Branch Tracking
>
> Signed-off-by: Yu-cheng Yu
Revi
u
Reviewed-by: Kees Cook
--
Kees Cook
sigreturn and future ptrace() support, shadow stack address and MSR
> reserved bits are checked before written to the supervisor states.
>
> Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
--
Kees Cook
On Wed, Feb 03, 2021 at 02:55:23PM -0800, Yu-cheng Yu wrote:
> Explain no_user_shstk/no_user_ibt kernel parameters, and introduce a new
> document on Control-flow Enforcement Technology (CET).
>
> Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
--
Kees Cook
tection=branch so that it
> can be used to compile vDSO.
>
> Signed-off-by: H.J. Lu
Reviewed-by: Kees Cook
--
Kees Cook
On Wed, Feb 03, 2021 at 02:59:01PM -0800, Yu-cheng Yu wrote:
> From: "H.J. Lu"
>
> Add ENDBR32 to __kernel_vsyscall entry point.
>
> Signed-off-by: H.J. Lu
Reviewed-by: Kees Cook
--
Kees Cook
-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
--
Kees Cook
a signal is
> raised and preserved in the signal frame. It is restored for sigreturn.
>
> IBT state machine is described in Intel SDM Vol. 1, Sec. 18.3.
>
> Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
--
Kees Cook
On Wed, Feb 03, 2021 at 02:58:57PM -0800, Yu-cheng Yu wrote:
> Introduce user-mode Indirect Branch Tracking (IBT) support. Add routines
> for the setup/disable of IBT.
>
> Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
--
Kees Cook
> unlabeled locations, the processor raises control-protection faults.
>
> Check the compiler is up-to-date at config time.
>
> Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
--
Kees Cook
On Wed, Feb 03, 2021 at 03:25:13PM -0500, Steven Rostedt wrote:
> On Wed, 3 Feb 2021 12:02:05 -0800
> Kees Cook wrote:
>
> > On Wed, Feb 03, 2021 at 12:58:41PM -0600, Timur Tabi wrote:
> > > On 2/3/21 7:31 AM, Petr Mladek wrote:
> > > > Also please make s
_entry entry, unsigned long
> > > old_addr,
> > > - unsigned long old_end, unsigned long new_addr)
> > > +static __always_inline unsigned long get_extent(enum pgt_entry entry,
> > > + unsigned long old_addr, unsigned long old_end,
> > > + unsigned long new_addr)
> > > {
> > > unsigned long next, extent, mask, size;
> > >
> > > --
> > > 2.29.2
> >
--
Kees Cook
the other hand, maybe test_printf should be aware of the command line
> parameter and test to make sure that %p is NOT hashed?
It seems like it'd be best for the test to fail, yes? It _is_ a problem
that %p is unhashed; it's just that the failure was intended.
--
Kees Cook
o longer care.
Okay, cool; it's fine by me too. I prefer this kind of "boot into debug
mode" switch to having lots of %px scattered around in questionable
places. :)
I will update the %p deprecation docs.
--
Kees Cook
,14 @@ char *pointer(const char *fmt, char *buf, char *end,
> void *ptr,
> }
> }
>
> - /* default is to _not_ leak addresses, hash before printing */
> - return ptr_to_id(buf, end, ptr, spec);
> + /*
> + * default is to _not_ leak addresses, so hash before printing, unless
> + * make-printk-non-secret is specified on the command line.
> + */
> + if (unlikely(debug_never_hash_pointers))
> + return pointer_string(buf, end, ptr, spec);
> + else
> + return ptr_to_id(buf, end, ptr, spec);
> }
>
> /*
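Review bot: the new comment names the option as "make-printk-non-secret", but the code below it tests debug_never_hash_pointers and nothing in this hunk ties the two together; spell the command-line parameter exactly as it is registered so the comment can be grepped. The `else` after `return pointer_string(buf, end, ptr, spec);` is redundant and can be dropped.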
> --
> 2.25.1
>
--
Kees Cook
BUG();
BUG() should never be used[1]. This is a recoverable situation, I think, and
should be handled as such.
-Kees
[1]
https://www.kernel.org/doc/html/latest/process/deprecated.html#bug-and-bug-on
> case SECCOMP_MODE_FILTER:
> return __seccomp_filter(this_syscall, sd, false);
> default:
> --
> 2.19.1
>
--
Kees Cook
DISABLE_STRUCTLEAK_PLUGIN
gcc-plugin-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) += randomize_layout_plugin.so
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) \
And then use DISABLE_STRUCTLEAK_PLUGIN.
--
Kees Cook
On Tue, Jan 26, 2021 at 12:43:16PM -0600, Josh Poimboeuf wrote:
> On Tue, Jan 26, 2021 at 09:56:10AM -0800, Kees Cook wrote:
> > On Mon, Jan 25, 2021 at 04:19:53PM -0600, Josh Poimboeuf wrote:
> > > On Mon, Jan 25, 2021 at 02:03:07PM -0800, Kees Cook wrote:
> > > >
On Mon, Jan 25, 2021 at 04:19:53PM -0600, Josh Poimboeuf wrote:
> On Mon, Jan 25, 2021 at 02:03:07PM -0800, Kees Cook wrote:
> > On Mon, Jan 25, 2021 at 02:42:10PM -0600, Josh Poimboeuf wrote:
> > > When a GCC version mismatch is detected, print a warning and disable the
>
efer this patch as-is: only randstruct needs a hard failure. The
others likely work (in fact, randstruct likely works too).
Masahiro, are you suggesting to be a hard-failure for all plugins?
--
Kees Cook
> ifdef CONFIG_LTO_CLANG_THIN
> -CC_FLAGS_LTO += -flto=thin -fsplit-lto-unit
> +CC_FLAGS_LTO := -flto=thin -fsplit-lto-unit
> KBUILD_LDFLAGS += --thinlto-cache-dir=$(extmod-prefix).thinlto-cache
> else
> -CC_FLAGS_LTO += -flto
> +CC_FLAGS_LTO := -flto
> endif
> CC_FLAGS_LTO += -fvisibility=hidden
>
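Review bot: in both branches `CC_FLAGS_LTO +=` becomes `CC_FLAGS_LTO :=`, which discards whatever the variable held before this block (an environment value or an earlier assignment), and only the trailing `CC_FLAGS_LTO += -fvisibility=hidden` still appends. If that reset is the intent, say so in a comment above the ifdef so a later change does not turn it back into `+=`.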
> --
> 2.30.0
>
>
--
Kees Cook
On Tue, Jan 19, 2021 at 12:18:17PM -0800, Randy Dunlap wrote:
> On 1/19/21 11:45 AM, Kees Cook wrote:
> >
> > How about this so the base address is hashed once, with the offset added
> > to it for each line instead of each line having a "new" hash that makes
>
r + i, linebuf);
+ level, prefix_str, addr + i, linebuf);
break;
case DUMP_PREFIX_OFFSET:
printk("%s%s%.8x: %s\n", level, prefix_str, i, linebuf);
-Kees
[1]
https://www.kernel.org/doc/html/latest/process/deprecated.html#p-format-specifier
--
Kees Cook
px"
> #else
> # define PTR_FMT "%p"
> #endif
>
> And then they just use it as
>
> xfs_alert(mp, "%s: bad inode magic number, dip = "ptr_fmt",
> dino bp = "ptr_fmt", ino = %ld",
> __func__, dip, bp, in_f->ilf_ino);
>
> -ss
Please no, this is effectively a toggle.
--
Kees Cook
d()/write().
I would be fine with that; yes.
--
Kees Cook
pdate its cross-reference accordingly.
>
> Signed-off-by: Mauro Carvalho Chehab
Reviewed-by: Kees Cook
--
Kees Cook
, flags);
> > - ucounts->count -= 1;
> > - if (!ucounts->count)
> > + if (atomic_dec_and_test(&ucounts->count))
> > hlist_del_init(&ucounts->node);
> > else
> > ucounts = NULL;
>
>
> This can become:
> static void put_ucounts(struct ucounts *ucounts)
> {
> unsigned long flags;
>
> if (atomic_dec_and_lock_irqsave(&ucounts->count, &ucounts_lock,
> flags)) {
> hlist_del_init(&ucounts->node);
> spin_unlock_irqrestore(&ucounts_lock, flags);
> kfree(ucounts);
> }
> }
>
--
Kees Cook
Wno-narrowing -Wno-unused-variable \
> >-Wno-format-diag
> >
> > plugin_ldflags = -shared
>
> The first patch has already been merged into Linus' tree, so this
> probably should be an incremental fix on top, with a Fixes: tag.
Yes, please. :)
--
Kees Cook
c549f38 ("ubsan: enable for all*config builds")
> Link: https://lore.kernel.org/lkml/20201230154749.746641-1-a...@kernel.org/
> Signed-off-by: Arnd Bergmann
Acked-by: Kees Cook
--
Kees Cook
32 and
> __ffs returns 0-31. I think that we want __ffs here because we are
> shifting (1UL << 32 overflows on 32-bit architectures) and the code in
> LLVM appears to agree. LeastSignificantSetBitIndex evaluates to
> __builtin_ctzl, which is the asm-generic implementation of __ffs.
Sounds good. With __ffs, consider your v2:
Acked-by: Kees Cook
--
Kees Cook
'
>
> The same fix was already merged for the normal (non-XIP)
> linker script, with a longer description.
>
> Fixes: c39866f268f8 ("arm/build: Always handle .ARM.exidx and .ARM.extab
> sections")
> Signed-off-by: Arnd Bergmann
Reviewed-by: Kees Cook
--
Kees Cook
which has been in gcc since 4.8,
> and we now require 4.9 as a minimum.
>
> Signed-off-by: Valdis Kletnieks
> Acked-by: Josh Poimboeuf
> Signed-off-by: Kees Cook
> Link: https://lore.kernel.org/r/82487.1609006918@turing-police
> Signed-off-by: Sasha Levin
> ---
>
>
> [*] bisect-good sample
> [O] bisect-bad sample
But it's pretty clear _something_ has happened. We'll investigate...
--
Kees Cook
p: Add missing return in non-void function
https://git.kernel.org/kees/c/04b38d012556
--
Kees Cook
> BUG();
> +
> + return -1;
> }
> #endif
>
> --
> 2.29.2
>
--
Kees Cook
| 1 +
> arch/mips/include/asm/asm.h | 18 ++++++
> arch/mips/kernel/cps-vec.S| 1 -
> arch/mips/kernel/vmlinux.lds.S| 11 +--
> include/asm-generic/vmlinux.lds.h | 6 +++---
> 5 files changed, 31 insertions(+), 6 deletions(-)
>
> --
> 2.30.0
>
>
--
Kees Cook
access-beyond-end.
>
> Fixes: 405bc8fd12f5 ("MIPS: Kernel: Implement KASLR using CONFIG_RELOCATABLE")
> Cc: sta...@vger.kernel.org # 4.7+
> Signed-off-by: Alexander Lobakin
Reviewed-by: Kees Cook
--
Kees Cook
like we're not,
which means it should silently ignore everything that isn't a sysctl
field, and only return -EINVAL when it IS a sysctl but it lacks a value.
--
Kees Cook
11
> > depending on the output of 'g++ --version'
> >
> > What say the peanut gallery?
>
> I think putting the flag in a variable (based on call cc-ifversion)
> should be easy enough, then we can put this little saga behind us and
> pretend it never happened :-)
Yeah, that seems best. Valdis, can you send a patch for this?
--
Kees Cook
security boundary intact.
> Replace PTRACE_MODE_ATTACH with a combination of PTRACE_MODE_READ
> and CAP_SYS_NICE. PTRACE_MODE_READ to prevent leaking ASLR metadata
> and CAP_SYS_NICE for influencing process performance.
>
> Signed-off-by: Suren Baghdasaryan
Reviewed-by: Kees Cook
--
Kees Cook
2e86f1752
[14/16] arm64: vdso: disable LTO
https://git.kernel.org/kees/c/d73692f0f527
[15/16] arm64: disable recordmcount with DYNAMIC_FTRACE_WITH_REGS
https://git.kernel.org/kees/c/09b812ac146f
[16/16] arm64: allow LTO to be selected
https://git.kernel.org/kees/c/1354b8946c46
--
Kees Cook
> > > > x1 : x0 :
> > > > Call trace:
> > > > __pi_strlen+0x10/0x98
> > > > parse_args+0x278/0x344
> > > > do_sysctl_args+0x8c/0xfc
> > > > kern
strscpy (only when return value unused)
> strcpy(array, "string") -> stracpy(foo, "string")
> s[cn]printf -> sysfs_emit
>
> would leave relatively few uses of strcpy and sprintf variants and would
> make it much easier to analyze the remainder uses for potential overflows.
I think that would be lovely; yes. :)
--
Kees Cook
/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--
Kees Cook
'
>
> [...]
>
> Handle this by adding the related sections to generic definitions
> as suggested by Sami [0].
>
> [0]
> https://lore.kernel.org/lkml/20201211184633.3213045-3-samitolva...@google.com
>
> Suggested-by: Kees Cook
> Signed-off-by: Alexander Lobakin
Suggested-by: Sami Tolvanen
Reviewed-by: Kees Cook
--
Kees Cook
properly stops .eh_frame section generation.
>
> Compile and runtime tested on MIPS32R2 CPS board with no issues
> using two different toolkits:
> - Binutils 2.35.1, GCC 10.2.0;
> - LLVM stack 11.0.0.
Nice! Thanks for hunting down the corner cases. :)
--
Kees Cook
't be handled the same way as .rel.dyn (like it's done for x86).
> Use the ARM/ARM64 path here and place it at the end of .text section.
>
> Reported-by: Nathan Chancellor
> Signed-off-by: Alexander Lobakin
Reviewed-by: Kees Cook
--
Kees Cook
rom `init/main.o' being placed in section `.rel.dyn'
>
> Adopted from x86/kernel/vmlinux.lds.S.
>
> Suggested-by: Fangrui Song
> Signed-off-by: Alexander Lobakin
Reviewed-by: Kees Cook
--
Kees Cook
6b6a89c6d1 ("MIPS: Add DWARF unwinding to assembly")
> Suggested-by: Kees Cook
> Signed-off-by: Alexander Lobakin
Reviewed-by: Kees Cook
--
Kees Cook
like this. Linus rejected that idea, so we're in a weird place.
I think we could perhaps build a strcpy() replacement that requires
compile-time validated arguments, and to break the build if not.
i.e.
given:
char array[8];
char *ptr;
allow:
strcpy(array, "1234567");
disallow:
strcpy(array, "12345678"); /* too long */
strcpy(array, src); /* not optimized, so use strscpy? */
strcpy(ptr, "1234567"); /* unknown destination size */
strcpy(ptr, src); /* unknown destination size */
What do you think?
--
Kees Cook
On Thu, Jan 07, 2021 at 02:14:18PM +0800, Xiaoming Ni wrote:
> On 2021/1/7 7:46, Kees Cook wrote:
> > subject typo: "sysclt" -> "sysctl"
> >
> > On Thu, Dec 24, 2020 at 03:42:56PM +0800, Xiaoming Ni wrote:
> > > [...]
> > > + if (!val)
On Wed, Jan 06, 2021 at 04:06:57PM -0800, Randy Dunlap wrote:
> On 1/6/21 3:37 PM, Kees Cook wrote:
> > On Mon, Jan 04, 2021 at 04:13:17PM +0100, Peter Zijlstra wrote:
> >> On Tue, Dec 22, 2020 at 11:04:54PM -0600, Josh Poimboeuf wrote:
> >>> GCC 7 has a known bug whe
On Thu, Jan 07, 2021 at 05:09:59PM +0100, Arnd Bergmann wrote:
> On Wed, Jan 6, 2021 at 11:12 PM Arnd Bergmann wrote:
> >
> > On Wed, Jan 6, 2021 at 10:57 PM Kees Cook wrote:
> > > On Wed, Dec 30, 2020 at 04:47:35PM +0100, Arnd Bergmann wrote:
> > > >
am, "sysctl", sizeof("sysctl") - 1) == 0) {
> param += sizeof("sysctl") - 1;
Otherwise, yeah, this is a good test to add. I would make it more
verbose, though:
if (!val) {
pr_err("Missing param value! Expected '%s=...value...'\n",
param);
return 0;
}
--
Kees Cook
e it's time we make UBSAN builds depend on GCC-8+ ?
I would be totally fine with that. The only thing I can think of that
might care is syzbot. Dmitry, does syzbot use anything older than gcc 8?
--
Kees Cook
On Mon, Jan 04, 2021 at 05:32:21PM +0900, Masahiro Yamada wrote:
> Make it slightly readable by using min().
>
> Signed-off-by: Masahiro Yamada
Acked-by: Kees Cook
--
Kees Cook
On Wed, Jan 06, 2021 at 10:36:38PM +, Alexander Lobakin wrote:
> From: Kees Cook
> Date: Wed, 6 Jan 2021 14:07:07 -0800
>
> > On Wed, Jan 06, 2021 at 08:08:19PM +, Alexander Lobakin wrote:
> >> Discard GNU attributes at link time as kernel doesn't use it a
On Wed, Jan 06, 2021 at 11:12:18PM +0100, Arnd Bergmann wrote:
> On Wed, Jan 6, 2021 at 10:57 PM Kees Cook wrote:
> > On Wed, Dec 30, 2020 at 04:47:35PM +0100, Arnd Bergmann wrote:
> > > diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
> > > index 8b635fd75fe4..e238
report. Other folks have also encountered this,
and it appears to be a problem with distro packaging of the gcc plugin
development packages. You'll need to install the GNU multiprecision
libraries ("gmp-devel" on most rpm-based systems, "libgmp-dev" on most
debian systems)[1].
Hopefully that'll work!
-Kees
[1]
https://lore.kernel.org/lkml/CAHk-=wjjiyjcp61gdampdosubu-a2hffkjovx5vac7yv4k6...@mail.gmail.com/
--
Kees Cook
>32 | #error This file requires compiler and library support \
>
> [...]
Applied to for-linus/gcc-plugins, thanks!
[1/1] gcc-plugins: fix gcc 11 indigestion with plugins...
https://git.kernel.org/kees/c/67a5a6801305
--
Kees Cook
n
Reviewed-by: Kees Cook
--
Kees Cook
_end_init_task
> 805a4000 D __nosave_begin
> 805a4000 D __nosave_end
> 805a4000 d mips_vdso_data
> 805a8000 d vdso_data
> 805ac000 D mmlist_lock
> 805ac080 D tasklist_lock
>
> Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO")
> Cc: sta...@vger.kernel.org # 4.4+
> Signed-off-by: Alexander Lobakin
Reviewed-by: Kees Cook
--
Kees Cook
*(.MIPS.options)
> + *(.eh_frame)
> + *(.gnu.attributes)
> *(.options)
> *(.pdr)
> *(.reginfo)
> - *(.eh_frame)
> }
> }
> --
> 2.30.0
>
>
--
Kees Cook
etter way to mark this as "known to have issues, please
don't include in randconfig?"
I'd like to keep it around so people can continue to work out the
problems with it, but not have unexpecting folks trip over it. ;)
--
Kees Cook
a73...@syzkaller.appspotmail.com
>
> +Kees
>
> Not sure if it's related to UBSAN or not, but we didn't used to get
> empty stack traces.
> Either way syzbot can't boot the upstream kernel anymore.
_none_ of them? :(
Are you able to see which UBSAN config is tweaking this?
--
Kees Cook
, pstore must avoid any path that might sleep. In a perfect
world, it should also use as little code as possible, to avoid
potentially tripping over areas of the kernel that might be broken.
--
Kees Cook
On Wed, Dec 16, 2020 at 11:24:04AM -0800, Linus Torvalds wrote:
> On Tue, Dec 15, 2020 at 12:15 PM Kees Cook wrote:
> >
> > Please pull these gcc-plugins updates for v5.11-rc1.
>
> Hmm, I pulled this and then did an allmodconfig build.
>
> I expected that to be a full
ndividual backing devices to provide that directly
(which would need read/write support too). And for those that don't
have panic/read/write support, they could still use the generic hooks
but they wouldn't be able to reliably (or at all?) catch panics (just
console writes, ftrace, pmsg, etc).
--
Kees Cook
2c07343abd8932200a45ff7b10950e71081e9e77:
selftests/seccomp: Update kernel config (2020-12-02 11:20:54 -0800)
seccomp updates for v5.11-rc1
- Improve seccomp performance via constant-action bitmaps (YiFei Zhu & Kees
Cook)
- Fix b
- Clean up gcc plugin builds now that GCC must be 4.9+ (Masahiro Yamada)
- Update MAINTAINERS (Kees Cook)
Kees Cook (1):
MAINTAINERS: Drop inactive gcc-plugins maintainer
Masahiro Yamada (2):
gcc-plugins: remove code for GCC
insertions(+), 123 deletions(-)
--
Kees Cook
In that case,
> optprobe continues jump optimization.
>
> Fixes: 7705dc855797 ("x86/vmlinux: Use INT3 instead of NOP for linker fill
> bytes")
> Cc: sta...@vger.kernel.org
> Reported-by: Adam Zabrocki
> Signed-off-by: Masami Hiramatsu
Reviewed-by: Kees Cook
--
Kees Cook
I'd like to see it in -next ASAP so
we can continue to find any little needed tweaks. Since it works in the
general case, we can add on top of this series once it's in -next.
Masahiro, let me know if you'd rather I not carry this in -next. AFAICT,
the bulk of the changes in the build system continue to be confined to
the LTO-only cases, so it should not be disruptive to anyone doing
non-LTO builds.
--
Kees Cook
rd-c-c-library-intrinsics
> [2] https://llvm.org/docs/LangRef.html#llvm-stackprotector-intrinsic
>
> Signed-off-by: Sami Tolvanen
Reviewed-by: Kees Cook
> ---
> init/Kconfig| 1 +
> scripts/lto-used-symbollist | 5 +
> 2 files changed, 6 insertions(+)
On Thu, Dec 10, 2020 at 08:17:18PM +0800, Zou Wei wrote:
> Fix the following sparse warning:
>
> lib/ubsan.c:20:12: warning: symbol 'type_check_kinds' was not declared.
> Should it be static?
>
> Signed-off-by: Zou Wei
Reviewed-by: Kees Cook
--
Kees Cook
>
> > EXPORT_SYMBOL(kasan_flag_enabled);
>
> DEFINE_STATIC_KEY_FALSE_RO() + EXPORT_SYMBOL() is an immediate bug.
> Given its use has not increased substantially since its introduction,
> it may be safer to consider its removal.
Right -- it seems the export is the problem, not the RO-ness. What is
actually trying to change the flag after __init?
--
Kees Cook
.S
> b/arch/powerpc/kernel/vmlinux.lds.S
> index 3b4c26e94328..0318ba436f34 100644
> --- a/arch/powerpc/kernel/vmlinux.lds.S
> +++ b/arch/powerpc/kernel/vmlinux.lds.S
> @@ -296,6 +296,10 @@ SECTIONS
> #else
> .data : AT(ADDR(.data) - LOAD_OFFSET) {
> DATA_DATA
>
long long'.
>
> Reported-by: Stephen Rothwell
> Suggested-by: Marco Elver
> Signed-off-by: Dmitry Vyukov
Reviewed-by: Kees Cook
Thanks for chasing this down!
Andrew, can you add this to the stack of ubsan patches you're carrying,
please?
--
Kees Cook
On Thu, Dec 03, 2020 at 09:51:40AM +0100, Arnd Bergmann wrote:
> On Thu, Dec 3, 2020 at 1:44 AM Kees Cook wrote:
> >
> > With UBSAN_OBJECT_SIZE disabled for GCC, only UBSAN_ALIGNMENT remained
> > a noisy UBSAN option. Disable it for COMPILE_TEST so the rest of UBSAN
> > >
ame patch will be happy to use something like you
> > are proposing - "Co-developed-Signed-Reviewed-Tested-by:" tag.
>
> We already have "Co-developed-by:" as a valid tag, no need to merge
> more into this :)
"Co-developed-by", to me, has a connotation of significant authorship.
For the "weaker" cases, I tend to use "Suggested-by" or put something
like "Based on a patch by $person[link]" in the body.
For the kinds of fixes mentioned here, and more specifically for the
kinds of fixes that I have received from both Colin Ian King and Dan
Carpenter that fall into this "tiny fix"[1] category, I think something
simply like "Adjusted-by" could be used. I've already tried to include
"Link" tags to things that got folded in, but without the Adjusted-by tag,
it lacks the right kind of searchability and recognition.
"Fixes-by" is too close to "Fixes" (and implies more than one
fix). "Fixup-by" implies singular. "Debugged-by" is like the other
existing high-level tags, in that they speak to the ENTIRE patch.
If not "Adjusted-by", what about "Tweaked-by", "Helped-by",
"Corrected-by"?
Colin, Dan, any thoughts on how you'd like to see stuff?
-Kees
[1] "tiny" in the sense of characters changed, usually. There was very
much NOT a "tiny" amount of time spent on it, nor do they have "tiny"
impact -- which is the whole point of calling this out in the
commit.
--
Kees Cook
kernel_init_freeable+0x158/0x198
> [0.967115] kernel_init+0x14/0x19c
> [0.968104] ret_from_fork+0x10/0x30
> [0.969110] Code: 0003 ()
> [0.970815] ---[ end trace b5339784e20d015c ]---
>
> Signed-off-by: Mark Rutland
Oh, eek. Why was a ctor generated at all? But yes, this looks good.
Greg, can you pick this up please?
Acked-by: Kees Cook
--
Kees Cook
On Thu, Dec 03, 2020 at 09:51:40AM +0100, Arnd Bergmann wrote:
> On Thu, Dec 3, 2020 at 1:44 AM Kees Cook wrote:
> >
> > With UBSAN_OBJECT_SIZE disabled for GCC, only UBSAN_ALIGNMENT remained
> > a noisy UBSAN option. Disable it for COMPILE_TEST so the rest of UBSAN
> > >
ad a lot. [2]
>
> This commit takes one step further to kill the build test entirely.
>
> [...]
Applied to for-next/gcc-plugins, thanks!
[1/1] gcc-plugins: simplify GCC plugin-dev capability test
https://git.kernel.org/kees/c/1e860048c53e
--
Kees Cook
r than 4.9
https://git.kernel.org/kees/c/af2d22254e8e
--
Kees Cook
On Thu, Dec 03, 2020 at 06:35:38PM +0900, Masahiro Yamada wrote:
> On Thu, Dec 3, 2020 at 4:01 AM Kees Cook wrote:
> >
> > On Wed, Dec 02, 2020 at 10:49:29PM +0900, Masahiro Yamada wrote:
> > > Documentation/process/changes.rst says the minimal GCC ver
-dev package is installed. The test code is now small enough
> to be embedded in scripts/gcc-plugins/Kconfig.
>
> [1]
> https://lore.kernel.org/lkml/CAHk-=wju4dcuwq4pxshrbwdcuqb31scaeudo1tjoz0_pjhl...@mail.gmail.com/
> [2]
> https://lore.kernel.org/lkml/CAHk-=whK0aQxs6Q5ijJmYF1n2ch8cVFSUzU5yUM_HOjig=+v...@mail.gmail.com/
>
> Reported-by: Linus Torvalds
> Signed-off-by: Masahiro Yamada
Acked-by: Kees Cook
--
Kees Cook
/lkml/20201002221527.177500-1-keesc...@chromium.org/
Kees Cook (7):
ubsan: Remove redundant -Wno-maybe-uninitialized
ubsan: Move cc-option tests into Kconfig
ubsan: Disable object-size sanitizer under GCC
ubsan: Disable UBSAN_TRAP for all*config
ubsan: Enable for all*config builds
ubsan: R
Doing all*config builds attempts to build as much as possible. UBSAN_TRAP
effectively short-circuits lib/ubsan.c, so it should be disabled for
COMPILE_TEST so that the lib/ubsan.c code gets built.
Reviewed-by: Nathan Chancellor
Signed-off-by: Kees Cook
---
lib/Kconfig.ubsan | 1 +
1 file
). Disable unreachable when objtool is in use
(redundant and confuses things: instrumentation appears at unreachable
locations).
Signed-off-by: Kees Cook
---
Documentation/dev-tools/ubsan.rst | 1 +
lib/Kconfig.ubsan | 82 +--
2 files changed, 57 insertions
-by: Nathan Chancellor
Tested-by: Nathan Chancellor
Signed-off-by: Kees Cook
---
lib/Kconfig.ubsan | 61 +++---
scripts/Makefile.ubsan | 45 +++
2 files changed, 73 insertions(+), 33 deletions(-)
diff --git a/lib/Kconfig.ubsan
In commit 78a5255ffb6a ("Stop the ad-hoc games with -Wno-maybe-initialized")
-Wmaybe-uninitialized was disabled globally, so keeping the disabling logic
here too doesn't make sense.
Signed-off-by: Kees Cook
---
lib/Kconfig.ubsan | 4
scripts/Makefile.ubsan | 4
2 f
Expand the UBSAN tests to include some additional UB cases. Notably the
out-of-bounds enum loading appears not to work. Also include per-test
reporting, including the relevant CONFIG_UBSAN... Kconfigs.
Signed-off-by: Kees Cook
---
lib/test_ubsan.c | 74
...@mail.gmail.com/
Signed-off-by: Kees Cook
---
lib/Kconfig.ubsan | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
index 6e8b67d4b0d9..fa78f0f3c1dc 100644
--- a/lib/Kconfig.ubsan
+++ b/lib/Kconfig.ubsan
@@ -130,7 +130,6 @@ config UBSAN_ENUM
ellor
Signed-off-by: Kees Cook
---
lib/Kconfig.ubsan | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
index 05147112b355..4190a99b1eaa 100644
--- a/lib/Kconfig.ubsan
+++ b/lib/Kconfig.ubsan
@@ -113,6 +113,9 @@ config UBSAN_UNSIGNED_OVERFLOW
c
On Wed, Dec 02, 2020 at 04:42:57PM -0500, Konstantin Ryabitsev wrote:
> On Tue, Dec 01, 2020 at 12:12:34PM -0800, Kees Cook wrote:
> > ---
> > This was sent off-list, so I'm resending it to lkml (with the commit log
> > cleaned up slightly) before I push it into for-ne
cpi_reserved to enum e820_type to fix the type mismatch.
>
> Reported-by: Sedat Dilek
> Suggested-by: Borislav Petkov
> Signed-off-by: Sami Tolvanen
Reviewed-by: Kees Cook
--
Kees Cook