[GIT PULL] gcc-plugin updates for v4.20-rc6

2018-12-07 Thread Kees Cook
deletions(-) -- Kees Cook

[PATCH] selftests/seccomp: Remove SIGSTOP si_pid check

2018-12-06 Thread Kees Cook
e selftest, since it's more an "extra" sanity check (which turns out, maybe, not to have been useful to test). [1] https://lkml.kernel.org/r/cagxu5jjazaozp1qfz66tyrtbuywqb+un2soa1vlhpccoiyv...@mail.gmail.com Reported-by: Tycho Andersen Suggested-by: Eric W. Biederman Signed-off-by: Kees Cook

Re: siginfo pid not populated from ptrace?

2018-12-06 Thread Kees Cook
On Thu, Dec 6, 2018 at 2:43 PM Eric W. Biederman wrote: > > Kees Cook writes: > > What should we do for v4.20? I need to have the selftests actually > > passing. :) > > For v4.20 we need to do one of two things. > 1) Present a plausible case that someone will could c

Re: siginfo pid not populated from ptrace?

2018-12-06 Thread Kees Cook
_struc > > goto ret; > > > > result = TRACE_SIGNAL_DELIVERED; > > + > > /* > > - * Skip useless siginfo allocation for SIGKILL SIGSTOP, > > - * and kernel threads. > > + * Skip useless siginfo allocation for SIGKILL and kernel threads. > > + * SIGSTOP is visible to tracers, so only skip allocation when the > > task > > + * is not traced. > >*/ > > - if (sig_kernel_only(sig) || (t->flags & PF_KTHREAD)) > > + if ((sig == SIGKILL) || (!task_is_traced(t) && sig == SIGSTOP) || > > + (t->flags & PF_KTHREAD)) > > goto out_set; > > > > /* What should we do for v4.20? I need to have the selftests actually passing. :) -- Kees Cook
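Review bot: the new condition tests task_is_traced(t), while the rewritten comment says SIGSTOP is visible to tracers and that allocation is skipped only when the task is not traced. Check that the helper is true for a tracee that is still running when the SIGSTOP is queued, not only for one that is currently sitting in a ptrace stop; otherwise the siginfo allocation is still skipped in exactly the case the comment describes. If the helper is state-based, testing t->ptrace would match the comment's wording.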

Re: [PATCH] proc/sysctl: fix return error for proc_doulongvec_minmax

2018-12-06 Thread Kees Cook
t; ... > > /* > > * Arrays are not supported, keep this simple. *Do not* add > > * support for them. > > */ > > if (vleft != 1) { > > *lenp = 0; > > return -EINVAL; > >

Re: [PATCH 1/2] riscv: add support for SECCOMP incl. filters

2018-12-06 Thread Kees Cook
On Thu, Dec 6, 2018 at 10:26 AM David Abdurachmanov wrote: > > On Thu, Dec 6, 2018 at 5:52 PM Kees Cook wrote: > > > > On Thu, Dec 6, 2018 at 7:02 AM David Abdurachmanov > > wrote: > > > The patch adds support for SECCOMP and SECCOMP_FILTER (BPF). > >

Re: [PATCH v4] signal: add taskfd_send_signal() syscall

2018-12-06 Thread Kees Cook
critical (but it's always the hardest to settle on). My preference order would be: taskfd_send_signal() pidfd_send_signal() procfd_send_signal() fd_send_signal() But, agreed, I think fdkill() should not be used. -- Kees Cook

Re: [PATCH 1/2] riscv: add support for SECCOMP incl. filters

2018-12-06 Thread Kees Cook
rom ./include/linux/sched.h:21:0, from arch/riscv/kernel/asm-offsets.c:18: ./include/linux/seccomp.h:14:10: fatal error: asm/seccomp.h: No such file or directory #include ^~~ -- Kees Cook

Re: [PATCH 1/2] riscv: add support for SECCOMP incl. filters

2018-12-06 Thread Kees Cook
nating due to OOM killer */ > #define TIF_SYSCALL_TRACEPOINT 6 /* syscall tracepoint > instrumentation */ > #define TIF_SYSCALL_AUDIT 7 /* syscall auditing */ > +#define TIF_SECCOMP8 /* syscall secure computing */ Nit: extra tab needs to be removed. -- Kees Cook

Re: [PATCH 2/2] riscv: fix syscall_{get,set}_arguments

2018-12-06 Thread Kees Cook
handling only %d\n", > + __func__, i + n, SYSCALL_MAX_ARGS); > + n = SYSCALL_MAX_ARGS - i; > + } > + > + if (i == 0) { > + regs->orig_a0 = args[0]; > + args++; > + i++; > + n--; > + } > + > + memcpy(>a0 + i, args, n * sizeof(args[0])); > } > > static inline int syscall_get_arch(void) > -- > 2.19.2 > -- Kees Cook
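Review bot: in the `if (i == 0)` block, `n--` runs without checking that n is nonzero, so a call with i == 0 and n == 0 still stores args[0] into regs->orig_a0 and then reaches memcpy() with a count that has gone below zero (wrapped, if n is unsigned). Return early when n is 0, or guard the block with `if (i == 0 && n)`, before reading args[0].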

Re: [PATCH 1/2] riscv: add support for SECCOMP incl. filters

2018-12-06 Thread Kees Cook
syscall_set_nr(current, regs, -1); > > + /* > +* Do the secure computing after ptrace; failures should be fast. > +* If this fails we might have return value in a0 from seccomp > + * (via SECCOMP_RET_ERRNO/TRACE). > +*/ > + if (secure_computing(NULL) == -1) > + syscall_set_nr(current, regs, -1); On a -1 return, this should return immediately -- it should not continue to process trace_sys_enter(), etc. -Kees > + > #ifdef CONFIG_HAVE_SYSCALL_TRACEPOINTS > if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) > trace_sys_enter(regs, syscall_get_nr(current, regs)); > -- > 2.19.2 > -- Kees Cook

Re: [PATCH 1/3] stackleak: mark stackleak_track_stack() as notrace

2018-12-05 Thread Kees Cook
On Wed, Dec 5, 2018 at 7:43 PM Steven Rostedt wrote: > > On Wed, 5 Dec 2018 19:29:11 -0800 > Kees Cook wrote: > > > On Wed, Dec 5, 2018 at 6:29 PM Steven Rostedt wrote: > > > > > > On Wed, 5 Dec 2018 21:26:51 -0500 > > > Steven Rostedt wrote: >

Re: [PATCH 1/3] stackleak: mark stackleak_track_stack() as notrace

2018-12-05 Thread Kees Cook
On Wed, Dec 5, 2018 at 6:29 PM Steven Rostedt wrote: > > On Wed, 5 Dec 2018 21:26:51 -0500 > Steven Rostedt wrote: > > > On Wed, 5 Dec 2018 17:08:34 -0800 > > Kees Cook wrote: > > > > > I'll Ack the Makefile > > change in the tracing directory, bu

Re: [PATCH v3] signal: add procfd_send_signal() syscall

2018-12-05 Thread Kees Cook
ine to me. -- Kees Cook

Re: [PATCH 1/3] stackleak: mark stackleak_track_stack() as notrace

2018-12-05 Thread Kees Cook
ackleak_erase(void) > current->lowest_stack = current_top_of_stack() - THREAD_SIZE/64; > } > > -void __used stackleak_track_stack(void) > +void __used notrace stackleak_track_stack(void) > { > /* > * N.B. stackleak_erase() fills the kernel stack with the poison > value, > -- > 2.19.2 > Acked-by: Kees Cook Steven, I assume this series going via your tree? -- Kees Cook

Re: siginfo pid not populated from ptrace?

2018-12-05 Thread Kees Cook
On Sat, Dec 1, 2018 at 7:04 AM Eric W. Biederman wrote: > > Kees Cook writes: > > > On Tue, Nov 27, 2018 at 8:44 PM Eric W. Biederman > > wrote: > >> > >> Kees Cook writes: > >> > >> > On Tue, Nov 27, 2018 at 4:38 PM, Kees Cook wr

Re: Re: [PATCH] proc/sysctl: fix return error for proc_doulongvec_minmax

2018-12-05 Thread Kees Cook
and keep the error?) Are there any examples of doing partial writes like this in real software? The proposed change is the safest change, though... -- Kees Cook

Re: [PATCH v3] signal: add procfd_send_signal() syscall

2018-12-05 Thread Kees Cook
> > > > + if (!may_signal_procfd(pid)) > > > + goto err; > > > + Does the ns parent checking in may_signal_procfd need any locking or RCU? I know pid and current namespaces are "pinned", but I don't know how parent ns works here. I'm assuming the parents are stuck until all children go away? > > > + ret = kill_pid_info(sig, , pid); Just double-checking for myself: this does not bypass security_task_kill(), so no problem there AFAIK. Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH AUTOSEL 4.19 104/123] pstore/ram: Correctly calculate usable PRZ bytes

2018-12-05 Thread Kees Cook
On Wed, Dec 5, 2018 at 1:41 AM Sasha Levin wrote: > > From: Kees Cook > > [ Upstream commit 89d328f637b9904b6d4c9af73c8a608b8dd4d6f8 ] > > The actual number of bytes stored in a PRZ is smaller than the > bytes requested by platform data, since there is a header on eac

Re: [PATCH 00/16] v6 kernel core pieces refcount conversions

2018-12-04 Thread Kees Cook
ions and make the end decision. > * rebase on top of today's linux-next/master *thread resurrection* Was there a v7 for this series? I'd like to finish off any of the known outstanding refcount_t conversions. Thanks! -- Kees Cook

[PATCH] fanotify: Make sure to check event_len when copying

2018-12-04 Thread Kees Cook
As a precaution, make sure we check event_len when copying to userspace. Based on old feedback: https://lkml.kernel.org/r/542d9fe5.3010...@gmx.de Signed-off-by: Kees Cook --- fs/notify/fanotify/fanotify_user.c | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/fs

Re: [PATCH] pstore: Convert buf_lock to semaphore

2018-12-04 Thread Kees Cook
On Tue, Dec 4, 2018 at 7:41 AM Sebastian Andrzej Siewior wrote: > > On 2018-11-30 14:47:36 [-0800], Kees Cook wrote: > > diff --git a/drivers/firmware/efi/efi-pstore.c > > b/drivers/firmware/efi/efi-pstore.c > > index cfe87b465819..0f7d97917197 100644 > > --- a/dri

Re: [PATCH v3] panic: Avoid the extra noise dmesg

2018-12-04 Thread Kees Cook
fication for the removing is: when code runs to this point, it > means user has chosen to not reboot, or do any special handling by using > the panic notifier method, no much point in re-enabling the interrupt. > > Signed-off-by: Feng Tang > Cc: Thomas Gleixner > Cc: Kees Cook >

[PATCH] pstore/ram: Avoid NULL deref in ftrace merging failure path

2018-12-03 Thread Kees Cook
' could be null (see line 255) https://lists.01.org/pipermail/kbuild-all/2018-December/055528.html Reported-by: Dan Carpenter Fixes: 2fbea82bbb89 ("pstore: Merge per-CPU ftrace records into one") Cc: "Joel Fernandes (Google)" Signed-off-by: Kees Cook --- fs/pstore/ram.c | 2 +

Re: [PATCH] prctl: add PR_{GET,SET}_KILL_DESCENDANTS_ON_EXIT

2018-11-30 Thread Kees Cook
ET_KILL_DESCENDANTS_ON_EXIT can race with PR_SET_CHILD_SUBREAPER, > > > they both > > > need to update the bits in the same word. > > > > Good point. I'll make it a regular bool instead of a bitfield for v2, > > Agreed, Is it worth doing something for signal_struct like we did for task_struct with the TASK_PFA_* and atomic_flags? -- Kees Cook

Fwd: [PATCH RFC 00/15] Zero ****s, hugload of hugs <3

2018-11-30 Thread Kees Cook
| 2 +- > drivers/net/ethernet/sun/sunhme.c | 4 ++-- > drivers/scsi/qlogicpti.h | 2 +- > fs/notify/inotify/inotify_user.c | 2 +- > kernel/irq/timings.c | 2 +- > lib/vsprintf.c| 2 +- > net/core/skbuff.c | 2 +- > 17 files changed, 33 insertions(+), 31 deletions(-) > > -- > 2.19.1 > -- Kees Cook

[GIT PULL] gcc-plugins fix for v4.20-rc5

2018-11-30 Thread Kees Cook
(+), 1 deletion(-) -- Kees Cook

Re: [PATCH 09/14] fs/pstore: Use %pS printk format for direct addresses

2018-11-29 Thread Kees Cook
On Thu, Nov 29, 2018 at 3:49 PM Luck, Tony wrote: > > On Thu, Nov 29, 2018 at 03:26:51PM -0800, Kees Cook wrote: > > On Wed, Sep 6, 2017 at 1:28 PM Helge Deller wrote: > > > > > > Use the %pS instead of the %pF printk format specifier for printing > >

Re: [PATCH v5 0/5] pstore: ramoops: support multiple pmsg instances

2018-11-29 Thread Kees Cook
+++- > include/linux/pstore.h | 1 + > include/linux/pstore_ram.h | 8 +- > tools/testing/selftests/pstore/common_tests| 21 +- > .../selftests/pstore/pstore_post_reboot_tests | 27 +- > tools/testing/selftests/pstore/pstore_tests| 14 +- > 9 files changed, 342 insertions(+), 97 deletions(-) > > -- > 2.11.0 > -- Kees Cook

Re: [PATCH 09/14] fs/pstore: Use %pS printk format for direct addresses

2018-11-29 Thread Kees Cook
On Wed, Sep 6, 2017 at 1:28 PM Helge Deller wrote: > > Use the %pS instead of the %pF printk format specifier for printing symbols > from direct addresses. This is needed for the ia64, ppc64 and parisc64 > architectures. > > Signed-off-by: Helge Deller > Cc: Kees Cook >

Re: [PATCH] pstore: Fix bool initialization/comparison

2018-11-29 Thread Kees Cook
> if (pstore_ftrace_enabled) { > unregister_ftrace_function(_ftrace_ops); > - pstore_ftrace_enabled = 0; > + pstore_ftrace_enabled = false; > } > mutex_unlock(_ftrace_lock); > -- Kees Cook

[GIT PULL] pstore fix for v4.20-rc5

2018-11-29 Thread Kees Cook
corrupted compression due to unlucky size choice with ECC Kees Cook (1): pstore/ram: Correctly calculate usable PRZ bytes fs/pstore/ram.c| 15 ++- include/linux/pstore.h | 5 - 2 files changed, 10

[PATCH -next v2 04/12] pstore: Avoid duplicate call of persistent_ram_zap()

2018-11-29 Thread Kees Cook
is called twice. We can avoid this by adding an option to persistent_ram_new(), and only call persistent_ram_zap() when it is needed. Signed-off-by: Peng Wang [kees: minor tweak to exit path and commit log] Signed-off-by: Kees Cook --- fs/pstore/ram.c| 4 +--- fs/pstore/ram_core.c

[PATCH -next v2 01/12] pstore/ram: Correctly calculate usable PRZ bytes

2018-11-29 Thread Kees Cook
: Add compression support to pstore") Signed-off-by: Kees Cook Reviewed-by: Joel Fernandes (Google) --- fs/pstore/ram.c| 15 ++- include/linux/pstore.h | 5 - 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c index ffcff6516e8

[PATCH -next v2 07/12] pstore/ram: Add kern-doc for struct persistent_ram_zone

2018-11-29 Thread Kees Cook
The struct persistent_ram_zone wasn't well documented. This adds kern-doc for it. Signed-off-by: Kees Cook --- fs/pstore/ram_core.c | 10 + include/linux/pstore_ram.h | 46 +++--- 2 files changed, 53 insertions(+), 3 deletions(-) diff --git a/fs

[PATCH -next v2 05/12] pstore/ram: Standardize module name in ramoops

2018-11-29 Thread Kees Cook
With both ram.c and ram_core.c built into ramoops.ko, it doesn't make sense to have differing pr_fmt prefixes. This fixes ram_core.c to use the module name (as ram.c already does). Additionally improves region reservation error to include the region name. Signed-off-by: Kees Cook --- fs/pstore

[PATCH -next v2 08/12] pstore: Improve and update some comments and status output

2018-11-29 Thread Kees Cook
This improves and updates some comments: - dump handler comment out of sync from calling convention - fix kern-doc typo and improves status output: - reminder that only kernel crash dumps are compressed - do not be silent about ECC infrastructure failures Signed-off-by: Kees Cook --- fs

[PATCH -next v2 06/12] pstore/ram: Report backend assignments with finer granularity

2018-11-29 Thread Kees Cook
to remove the bogus ECC blocksize which isn't actually recorded outside the prz instance.) Signed-off-by: Kees Cook --- fs/pstore/ram.c | 4 ++-- fs/pstore/ram_core.c | 6 ++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c index 768759841491

[PATCH -next v2 10/12] pstore: Map PSTORE_TYPE_* to strings

2018-11-29 Thread Kees Cook
alized, so a backend would need to have explicitly set compressed=1. Signed-off-by: Joel Fernandes (Google) Co-developed-by: Kees Cook Signed-off-by: Kees Cook --- drivers/acpi/apei/erst.c | 2 +- fs/pstore/inode.c | 51 +++--- fs/pstore/p

[PATCH -next v2 03/12] pstore: Remove needless lock during console writes

2018-11-29 Thread Kees Cook
Since the console writer does not use the preallocated crash dump buffer any more, there is no reason to perform locking around it. Fixes: 70ad35db3321 ("pstore: Convert console write to use ->write_buf") Signed-off-by: Kees Cook Reviewed-by: Joel Fernandes (Google) --- fs/psto

[PATCH -next v2 02/12] pstore: Do not use crash buffer for decompression

2018-11-29 Thread Kees Cook
buffer for decompression. Correctness is preferred over performance here. Signed-off-by: Kees Cook --- fs/pstore/platform.c | 56 1 file changed, 25 insertions(+), 31 deletions(-) diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c index

[PATCH -next v2 11/12] pstore/ram: Simplify ramoops_get_next_prz() arguments

2018-11-29 Thread Kees Cook
ment since we can detect that. Changes are squashed into a single patch to reduce fixup conflicts. Signed-off-by: Joel Fernandes (Google) Signed-off-by: Kees Cook --- fs/pstore/ram.c | 48 ++-- 1 file changed, 18 insertions(+), 30 deletions(-) diff

[PATCH -next v2 12/12] pstore/ram: Do not treat empty buffers as valid

2018-11-29 Thread Kees Cook
oogle) Co-developed-by: Kees Cook Signed-off-by: Kees Cook --- fs/pstore/ram_core.c | 5 + 1 file changed, 5 insertions(+) diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c index e6375439c5ac..c11711c2cc83 100644 --- a/fs/pstore/ram_core.c +++ b/fs/pstore/ram_core.c @@ -511,6 +511,11

[PATCH -next v2 09/12] pstore: Replace open-coded << with BIT()

2018-11-29 Thread Kees Cook
Minor clean-up to use BIT() (as already done in pstore_ram.h). Signed-off-by: Kees Cook --- include/linux/pstore.h | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/linux/pstore.h b/include/linux/pstore.h index 81669aa80027..f46e5df76b58 100644 --- a/include

[PATCH -next v2 00/12] pstore: various clean-ups

2018-11-29 Thread Kees Cook
PSTORE_TYPE_* to strings pstore/ram: Simplify ramoops_get_next_prz() arguments pstore/ram: Do not treat empty buffers as valid Kees Cook (8): pstore/ram: Correctly calculate usable PRZ bytes pstore: Do not use crash buffer for decompression pstore: Remove needless lock during console writes

Re: [PATCH 2/8] pstore: Do not use crash buffer for decompression

2018-11-29 Thread Kees Cook
On Tue, Nov 13, 2018 at 11:56 PM Kees Cook wrote: > On Fri, Nov 2, 2018 at 1:24 PM, Joel Fernandes wrote: > > On Thu, Nov 01, 2018 at 04:51:54PM -0700, Kees Cook wrote: > >> + workspace = kmalloc(unzipped_len + record->ecc_notice_size, > > > > Sho

Re: [PATCH] x86/mm/dump_pagetables: Change to use DEFINE_SHOW_ATTRIBUTE macro

2018-11-29 Thread Kees Cook
On Wed, Nov 28, 2018 at 10:45 AM Dave Hansen wrote: > > On 11/27/18 2:50 PM, Kees Cook wrote: > > On Mon, Nov 19, 2018 at 9:06 AM, Dave Hansen wrote: > >> On 11/19/18 7:43 AM, Yangtao Li wrote: > >>> -static const struct file_operations ptdump_c

Re: [PATCH 1/1] sched/headers: fix thread_info. is overwritten by STACK_END_MAGIC

2018-11-29 Thread Kees Cook
On Tue, Nov 27, 2018 at 8:38 PM Wang, Dongsheng wrote: > > Hello Kees, > > On 2018/11/28 6:38, Kees Cook wrote: > > On Thu, Nov 22, 2018 at 11:54 PM, Wang Dongsheng > > wrote: > >> When select ARCH_TASK_STRUCT_ON_STACK the first of thread_info variable >

Re: siginfo pid not populated from ptrace?

2018-11-29 Thread Kees Cook
On Tue, Nov 27, 2018 at 8:44 PM Eric W. Biederman wrote: > > Kees Cook writes: > > > On Tue, Nov 27, 2018 at 4:38 PM, Kees Cook wrote: > >> On Tue, Nov 27, 2018 at 3:21 PM, Tycho Andersen wrote: > >>> On Mon, Nov 12, 2018 at 12:24:43PM -0700, Tycho Anderse

Re: siginfo pid not populated from ptrace?

2018-11-27 Thread Kees Cook
On Tue, Nov 27, 2018 at 4:38 PM, Kees Cook wrote: > On Tue, Nov 27, 2018 at 3:21 PM, Tycho Andersen wrote: >> On Mon, Nov 12, 2018 at 12:24:43PM -0700, Tycho Andersen wrote: >>> On Mon, Nov 12, 2018 at 11:55:38AM -0700, Tycho Andersen wrote: >>> > I haven't manage

Re: siginfo pid not populated from ptrace?

2018-11-27 Thread Kees Cook
scall_restart > seccomp_bpf.c:2736:global.syscall_restart:Expected getpid() (1901) == > info._sifields._kill.si_pid (0) > global.syscall_restart: Test failed at step #22 This fails every time for me -- is it still racey for you? I'm attempting a bisect, hoping it doesn't _become_ racey for me. ;) -- Kees Cook

Re: [PATCH] x86/mm/dump_pagetables: Change to use DEFINE_SHOW_ATTRIBUTE macro

2018-11-27 Thread Kees Cook
st. Er, "ptdump_curusr" matches the generated name "ptdump_curusr_show", is that what you mean? > I don't think saving a few lines of code is worth the obfuscation. This is the standard boilerplate for attributes, though. It'd be nice to drop all the copy/pasted code... -- Kees Cook

Re: [PATCH 1/1] sched/headers: fix thread_info. is overwritten by STACK_END_MAGIC

2018-11-27 Thread Kees Cook
> > static inline unsigned long *end_of_stack(const struct task_struct *task) > { > - return task->stack; > + if (!IS_ENABLED(CONFIG_ARCH_TASK_STRUCT_ON_STACK) || task != > _task) > + return task->stack; > + return (unsigned long *)(task + 1); > } This seems like a strange place for the change. It feels more like init_task has been defined incorrectly. -Kees > > #elif !defined(__HAVE_THREAD_FUNCTIONS) > -- > 2.19.1 > -- Kees Cook

Re: [RFC PATCH v2] ptrace: add PTRACE_GET_SYSCALL_INFO request

2018-11-27 Thread Kees Cook
ed with kernel headers that don't define > PTRACE_SYSCALL_INFO_SECCOMP, it will break when the kernel > starts to use PTRACE_SYSCALL_INFO_SECCOMP instead of > PTRACE_SYSCALL_INFO_ENTRY for PTRACE_EVENT_SECCOMP support > in PTRACE_GET_SYSCALL_INFO. > > The solution is to introduce PTRACE_SYSCALL_INFO_SECCOMP and struct > ptrace_syscall_info.seccomp along with PTRACE_EVENT_SECCOMP support > in PTRACE_GET_SYSCALL_INFO. The initial revision of the seccomp > structure could be made the same as the entry structure, or it can > diverge from the beginning, e.g., by adding ret_data field containing > SECCOMP_RET_DATA return value stored in ptrace_message, this would save > ptracers an extra PTRACE_GETEVENTMSG call currently required to obtain it. Yup, that'd be a nice addition. -- Kees Cook

Re: [PATCH 2/2] kbuild: descend into scripts/gcc-plugins/ via scripts/Makefile

2018-11-27 Thread Kees Cook
On Thu, Nov 22, 2018 at 8:51 PM, Masahiro Yamada wrote: > Now that 'prepare0' depends on 'scripts', building GCC plugins can > go into scripts/Makefile, which is a more standard way. > > Signed-off-by: Masahiro Yamada Reviewed-by: Kees Cook -Kees > --- > > Makefile

Re: [PATCH 2/2] selftests: firmware: add CONFIG_FW_LOADER_USER_HELPER_FALLBACK to config

2018-11-27 Thread Kees Cook
Signed-off-by: Dan Rue Acked-by: Kees Cook -Kees > --- > tools/testing/selftests/firmware/config | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/tools/testing/selftests/firmware/config > b/tools/testing/selftests/firmware/config > index bf634dda0720..913a25a4a32b

Re: [PATCH 1/2] selftests: firmware: remove use of non-standard diff -Z option

2018-11-27 Thread Kees Cook
> Signed-off-by: Dan Rue Acked-by: Kees Cook -Kees > --- > tools/testing/selftests/firmware/fw_filesystem.sh | 9 +++-- > 1 file changed, 3 insertions(+), 6 deletions(-) > > diff --git a/tools/testing/selftests/firmware/fw_filesystem.sh > b/tools/testing/selftests/firmware/

Re: [PATCH v2] panic: Add options to print system info when panic happens

2018-11-27 Thread Kees Cook
ovide an easier way to show the system info by adding > a cmdline parameter, referring some idea from sysrq handler. > > Signed-off-by: Feng Tang > Cc: Thomas Gleixner > Cc: John Stultz > Cc: Ingo Molnar > Cc: Peter Zijlstra > Cc: Steven Rostedt Reviewed-by: Ke

Re: linux-next: build warnings after merge of the cifs tree

2018-11-25 Thread Kees Cook
at the point the fall through happens. Kees and others are > working on the several hundred other places that need annotating. Right. The goal is to avoid adding any _new_ cases of this. :) > This one just popped up. It's already working! :) Thanks Stephen! -Kees -- Kees Cook

Re: [PATCH 1/2] x86/pkeys: copy pkey state at fork()

2018-11-20 Thread Kees Cook
located can be allocated again, for instance. > > One thing I omitted. This was very nicely discovered and reported by > danielmi...@gmail.com. Thanks, Daniel! Thread ping. Is there a v2 of this, or can this go in as-is? Looks good to me: Reviewed-by: Kees Cook -Kees -- Kees Cook

Re: [PATCH 1/2] build_bug.h: remove negative-array fallback for BUILD_BUG_ON()

2018-11-16 Thread Kees Cook
l and pointless. Moreover, > commit 0bb95f80a38f ("Makefile: Globally enable VLA warning") enabled > -Wvla warning. The use of variable length arrays is banned. > > Signed-off-by: Masahiro Yamada Acked-by: Kees Cook -Kees > --- > > include/linux/build_bug.h | 14

Re: [PATCH v2 2/2] build_bug.h: remove all dummy BUILD_BUG_ON stubs for sparse

2018-11-16 Thread Kees Cook
> occurred, they would cause errors for GCC as well. (Hence, such > errors would have been detected by the normal compile test process.) > > Signed-off-by: Masahiro Yamada Acked-by: Kees Cook -Kees > --- > > Changes in v2: > - Fix a coding style error (two consecutive bla

Re: [PATCH] Revert "HID: uhid: use strlcpy() instead of strncpy()"

2018-11-15 Thread Kees Cook
On Thu, Nov 15, 2018 at 5:55 AM, David Herrmann wrote: > Hi > > On Thu, Nov 15, 2018 at 12:09 AM Kees Cook wrote: >> On Wed, Nov 14, 2018 at 9:40 AM, Laura Abbott wrote: > [...] >> > Can we switch to strscpy instead? This will quiet gcc and avoid the >> > i

Re: [PATCH] firmware: raspberrypi: Fix firmware calls with large buffers

2018-11-15 Thread Kees Cook
ecking Up to Eric, but I think the preferred comment style is: /* * lines go here */ Otherwise, this seems fine to me. Thanks for getting it fixed! -- Kees Cook

Re: [PATCH] mm/usercopy: Use memory range to be accessed for wraparound check

2018-11-14 Thread Kees Cook
asad Sodagudi > Signed-off-by: Isaac J. Manjarres > Cc: sta...@vger.kernel.org Regardless, I'll take it in my tree if akpm doesn't grab it first. :) Acked-by: Kees Cook -Kees > --- > mm/usercopy.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/mm/u

Re: [PATCH] mm/usercopy: Use memory range to be accessed for wraparound check

2018-11-14 Thread Kees Cook
s as (n - 1) > wraps to ULONG_MAX. > > Easily fixed via: > > if ((n != 0) && (ptr + (n - 1) < ptr)) Agreed. Thanks for noticing this! -Kees -- Kees Cook

Re: [PATCH] Revert "HID: uhid: use strlcpy() instead of strncpy()"

2018-11-14 Thread Kees Cook
len); >> + /* @hid is zero-initialized, strncpy() is correct, strlcpy() not >> */ >> + len = min(sizeof(hid->name), sizeof(ev->u.create2.name)) - 1; >> + strncpy(hid->name, ev->u.create2.name, len); >> + len = min(sizeof(hid->phys), sizeof(ev->u.create2.phys)) - 1; >> + strncpy(hid->phys, ev->u.create2.phys, len); >> + len = min(sizeof(hid->uniq), sizeof(ev->u.create2.uniq)) - 1; >> + strncpy(hid->uniq, ev->u.create2.uniq, len); >> hid->ll_driver = _hid_driver; >> hid->bus = ev->u.create2.bus; >> > -- Kees Cook
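Review bot: the comment above the three strncpy() calls says strlcpy() is not correct but does not say why, so a later cleanup pass is likely to convert them again. State in the comment what strlcpy() gets wrong for these fields, and that the `- 1` applied to each len relies on @hid being zero-initialized so the last byte of name, phys and uniq stays as the terminator.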

Re: [PATCH 2/8] pstore: Do not use crash buffer for decompression

2018-11-13 Thread Kees Cook
On Fri, Nov 2, 2018 at 1:24 PM, Joel Fernandes wrote: > On Thu, Nov 01, 2018 at 04:51:54PM -0700, Kees Cook wrote: >> static void decompress_record(struct pstore_record *record) >> { >> + int ret; >> int unzipped_len; > > nit: We could get rid of the

Re: [PATCH RFC v2 0/3] cleanups for pstore and ramoops

2018-11-13 Thread Kees Cook
s/pstore/ram.c| 52 +++-- > fs/pstore/ram_core.c | 2 +- > include/linux/pstore.h | 37 ++ > include/linux/pstore_ram.h | 2 ++ > 5 files changed, 67 insertions(+), 79 deletions(-) > > -- > 2.19.1.930.g4563a0d9d0-goog > -- Kees Cook

Re: [PATCH] exec: separate MM_ANONPAGES and RLIMIT_STACK accounting

2018-11-13 Thread Kees Cook
rm->argc/envc and bprm->argmin. > > Signed-off-by: Oleg Nesterov Acked-by: Kees Cook Thanks for nailing this all down. :) -Kees > --- > fs/exec.c | 103 > +++- > include/linux/binfmts.h | 1 + > 2 files

Re: [PATCH 1/2] exec: load_script: don't blindly truncate shebang string

2018-11-13 Thread Kees Cook
6] > happens to be the valid executable path. > > Change load_script() to return ENOEXEC if it can't find '\n' or zero in > bprm->buf. Note that '\0' can come from either prepare_binprm()->memset() > or from kernel_read(), we do not care. > > Signed-off-by: Oleg Nesterov A

Re: [PATCH 1/1] stackleak: Disable function tracing and kprobes for stackleak_erase()

2018-11-13 Thread Kees Cook
gt;lowest_stack = current_top_of_stack() - THREAD_SIZE/64; > } > +NOKPROBE_SYMBOL(stackleak_erase); > > void __used stackleak_track_stack(void) > { > -- > 2.7.4 > -- Kees Cook

Re: [PATCH 2/2] exec: increase BINPRM_BUF_SIZE to 256

2018-11-12 Thread Kees Cook
s. > > But obviously 128 bytes has been enough for all this time, so that's > going too far. However it would be basically cost-free to increase > BINPRM_BUF_SIZE up to the point where sizeof(struct linux_binprm) == > PAGE_SIZE? Yeah, and this might be a useful detail included in a comment above the #define... Regardless: Acked-by: Kees Cook -- Kees Cook

Re: [PATCH] x86: remove gcc-x86_*-has-stack-protector.sh checks

2018-11-12 Thread Kees Cook
On Mon, Nov 12, 2018 at 7:54 AM, Masahiro Yamada wrote: > On Mon, Nov 12, 2018 at 5:29 PM Kees Cook wrote: >> >> On Sun, Nov 11, 2018 at 9:06 PM, Masahiro Yamada >> wrote: >> > gcc-x86_64-has-stack-protector.sh was introduced by commit 4f7fd4d7a791 >>

Re: [PATCH] x86: remove gcc-x86_*-has-stack-protector.sh checks

2018-11-12 Thread Kees Cook
otector.sh > deleted file mode 100755 > index 75e4e22..000 > --- a/scripts/gcc-x86_64-has-stack-protector.sh > +++ /dev/null > @@ -1,4 +0,0 @@ > -#!/bin/sh > -# SPDX-License-Identifier: GPL-2.0 > - > -echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -m64 -O0 > -mcmodel=kernel -fno-PIE -fstack-protector - -o - 2> /dev/null | grep -q "%gs" > -- > 2.7.4 > -- Kees Cook

Re: afaef01c00 ("x86/entry: Add STACKLEAK erasing the kernel stack .."): double fault: 0000 [#1]

2018-11-09 Thread Kees Cook
t wrote: >>>> 0day kernel testing robot got the below dmesg and the first bad commit is >>>> >>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master >>>> >>>> commit afaef01c001537fa97a25092d7f54d764dc7d8c1 >>>

Re: [PATCH] ARM: mm: dump: Change to use DEFINE_SHOW_ATTRIBUTE macro

2018-11-05 Thread Kees Cook
>> -} >> - >> -static const struct file_operations ptdump_fops = { >> - .open = ptdump_open, >> - .read = seq_read, >> - .llseek = seq_lseek, >> - .release= single_release, >> -}; &g

Re: [PATCH 8/8] pstore/ram: Correctly calculate usable PRZ bytes

2018-11-05 Thread Kees Cook
with algo X but compression selected is Y" or something. But I agree > it's a very low priority "doctor it hurts if I do this" kind of issue :) Right, this is fine: if algos change across a kernel version, I'm fine with it failing. pstore isn't expected to work sanely outside of a pretty narrow set of use-cases. -Kees -- Kees Cook

Re: [RFC PATCH 0/7] runtime format string checking

2018-11-02 Thread Kees Cook
d out. >>> >>> I don't agree. [...] >> >> Okay, then I'll forward this to akpm maybe? > > Yes, if all they do is replace f(..., s) by f(..., "%s", s) that should > never hurt. Maybe check if there's a ..._puts() variant that can be used > instead, e.g. seq_puts(). Alright, I'll see about bringing that series forward in time... -Kees -- Kees Cook

Re: [PATCH 7/8] pstore: Remove needless lock during console writes

2018-11-02 Thread Kees Cook
On Fri, Nov 2, 2018 at 11:32 AM, Joel Fernandes wrote: > On Thu, Nov 01, 2018 at 04:51:59PM -0700, Kees Cook wrote: >> Since commit 70ad35db3321 ("pstore: Convert console write to use >> ->write_buf"), the console writer does not use the preallocated crash

Re: [PATCH 8/8] pstore/ram: Correctly calculate usable PRZ bytes

2018-11-02 Thread Kees Cook
On Fri, Nov 2, 2018 at 11:01 AM, Joel Fernandes wrote: > On Thu, Nov 01, 2018 at 04:52:00PM -0700, Kees Cook wrote: >> The actual number of bytes stored in a PRZ is smaller than the >> bytes requested by platform data, since there is a header on each >> PRZ. Additional

[PATCH linux-next 1/8] pstore/ram: Standardize module name in ramoops

2018-11-01 Thread Kees Cook
With both ram.c and ram_core.c built into ramoops.ko, it doesn't make sense to have differing pr_fmt prefixes. This fixes ram_core.c to use the module name (as ram.c already does). Additionally improves region reservation error to include the region name. Signed-off-by: Kees Cook --- fs/pstore

[PATCH 6/8] pstore: Replace open-coded << with BIT()

2018-11-01 Thread Kees Cook
Minor clean-up to use BIT() (as already done in pstore_ram.h). Signed-off-by: Kees Cook --- include/linux/pstore.h | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/linux/pstore.h b/include/linux/pstore.h index 877ed81de346..3549f2ba865c 100644 --- a/include

[PATCH 2/8] pstore: Do not use crash buffer for decompression

2018-11-01 Thread Kees Cook
buffer for decompression. Correctness is preferred over performance here. Signed-off-by: Kees Cook --- fs/pstore/platform.c | 56 1 file changed, 25 insertions(+), 31 deletions(-) diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c index

[PATCH 7/8] pstore: Remove needless lock during console writes

2018-11-01 Thread Kees Cook
Since commit 70ad35db3321 ("pstore: Convert console write to use ->write_buf"), the console writer does not use the preallocated crash dump buffer any more, so there is no reason to perform locking around it. Signed-off-by: Kees Cook --- fs/pstore/pl

[PATCH 3/8] pstore/ram: Report backend assignments with finer granularity

2018-11-01 Thread Kees Cook
to remove the bogus ECC blocksize which isn't actually recorded outside the prz instance.) Signed-off-by: Kees Cook --- fs/pstore/ram.c | 4 ++-- fs/pstore/ram_core.c | 6 ++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c index b51901f97dc2

[PATCH 4/8] pstore/ram: Add kern-doc for struct persistent_ram_zone

2018-11-01 Thread Kees Cook
The struct persistent_ram_zone wasn't well documented. This adds kern-doc for it. Signed-off-by: Kees Cook --- fs/pstore/ram_core.c | 10 + include/linux/pstore_ram.h | 46 +++--- 2 files changed, 53 insertions(+), 3 deletions(-) diff --git a/fs

[PATCH 0/8] pstore improvements (pstore-next)

2018-11-01 Thread Kees Cook
This is a posting of several patches I've been working on to improve pstore. Most of it is better comments, output, and naming, but one bug fix stands out to fix head-truncation of compressed records. Details in the individual patches. Review appreciated! :) -Kees Kees Cook (8): pstore/ram

[PATCH 8/8] pstore/ram: Correctly calculate usable PRZ bytes

2018-11-01 Thread Kees Cook
.z" file), and triggering errors at boot: [2.790759] pstore: crypto_comp_decompress failed, ret = -22! Reported-by: Joel Fernandes Fixes: b0aad7a99c1d ("pstore: Add compression support to pstore") Signed-off-by: Kees Cook --- fs/pstore/ram.c| 15 ++- in

[PATCH 5/8] pstore: Improve and update some comments and status output

2018-11-01 Thread Kees Cook
This improves and updates some comments: - dump handler comment out of sync from calling convention - fix kern-doc typo and improves status output: - reminder that only kernel crash dumps are compressed - do not be silent about ECC infrastructure failures Signed-off-by: Kees Cook --- fs

Re: [PATCH] ARM: kprobes: Fix false positive with FORTIFY_SOURCE

2018-11-01 Thread Kees Cook
On Thu, Nov 1, 2018 at 7:41 AM, Masami Hiramatsu wrote: > On Tue, 30 Oct 2018 13:40:27 -0400 > William Cohen wrote: > >> On 10/22/18 5:30 AM, Kees Cook wrote: >> > The arm compiler internally interprets an inline assembly label >> > as an unsigned long value,

Re: [PATCH 16/17] prmem: pratomic-long

2018-10-31 Thread Kees Cook
reate the mapping outside of the loop to minimise your time in >> the critical section. > > Ah, so I was thinking that the alternative mm would have stuff in the > same location, just RW instead of RO. I was hoping for the same location too. That allows us to use a gcc plugin to mark, say, function pointer tables, as read-only, and annotate their rare updates with write_rare() without any recalculation. -Kees -- Kees Cook

Re: [patch 0/9] time: Add SPDX identifiers and cleanup boilerplates

2018-10-31 Thread Kees Cook
he tree! :) Acked-by: Kees Cook -- Kees Cook

Re: [PATCH v8 1/2] seccomp: add a return code to trap to userspace

2018-10-30 Thread Kees Cook
On Tue, Oct 30, 2018 at 5:29 PM, Tycho Andersen wrote: > On Tue, Oct 30, 2018 at 03:34:54PM -0700, Kees Cook wrote: >> On Tue, Oct 30, 2018 at 3:32 PM, Tycho Andersen wrote: >> > On Tue, Oct 30, 2018 at 03:00:17PM -0700, Kees Cook wrote: >> >> On Tue, Oct 30, 2

Re: [PATCH v8 1/2] seccomp: add a return code to trap to userspace

2018-10-30 Thread Kees Cook
On Tue, Oct 30, 2018 at 3:32 PM, Tycho Andersen wrote: > On Tue, Oct 30, 2018 at 03:00:17PM -0700, Kees Cook wrote: >> On Tue, Oct 30, 2018 at 2:54 PM, Tycho Andersen wrote: >> > On Tue, Oct 30, 2018 at 02:49:21PM -0700, Kees Cook wrote: >> >> On Mon, Oct 29, 2

Re: [PATCH v8 1/2] seccomp: add a return code to trap to userspace

2018-10-30 Thread Kees Cook
On Tue, Oct 30, 2018 at 2:54 PM, Tycho Andersen wrote: > On Tue, Oct 30, 2018 at 02:49:21PM -0700, Kees Cook wrote: >> On Mon, Oct 29, 2018 at 3:40 PM, Tycho Andersen wrote: >> > * switch to a flags based future-proofing mechanism for struct >> > seccomp_n

Re: [PATCH v4] pstore: Avoid duplicate call of persistent_ram_zap()

2018-10-30 Thread Kees Cook
PRZ_FLAG_ZAP_OLD) > persistent_ram_zap(prz); > > And remove the zap from below. I actually rearranged things a little to avoid additional round-trips on the mailing list. :) > Since Kees already took this patch, I can just patch this in my series if > Kees and you are Ok with this suggestion. I've put it up here: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=pstore/devel=ac564e023248e3f4d87917b91d12376ddfca5000 > Sorry for the delay in my RFC series, I just got back from paternity leave > and I'm catching up with email. No worries! It's many weeks until the next merge window. :) -- Kees Cook

Re: [PATCH v8 1/2] seccomp: add a return code to trap to userspace

2018-10-30 Thread Kees Cook
) Do we need another ioctl to discover the seccomp_data size maybe? -- Kees Cook

Re: [PATCH v8 1/2] seccomp: add a return code to trap to userspace

2018-10-30 Thread Kees Cook
value always takes priority (ignoring the DATA). > @@ -821,6 +815,7 @@ static int __seccomp_filter(int this_syscall, const > struct seccomp_data *sd, > u32 filter_ret, action; > struct seccomp_filter *match = NULL; > int data; > + struct seccomp_data sd_local; > > /* > * Make sure that any changes to mode from another thread have > @@ -828,6 +823,11 @@ static int __seccomp_filter(int this_syscall, const > struct seccomp_data *sd, > */ > rmb(); > > + if (!sd) { > + populate_seccomp_data(_local); > + sd = _local; > + } > + > filter_ret = seccomp_run_filters(sd, ); > data = filter_ret & SECCOMP_RET_DATA; > action = filter_ret & SECCOMP_RET_ACTION_FULL; > -- > 2.17.1 > Looks good to me, yes. -- Kees Cook
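
Review bot: in the second hunk, the new `if (!sd)` branch makes NULL a valid value for the `sd` parameter of __seccomp_filter(), but nothing in the visible lines documents that contract. A short comment above the branch, saying that a NULL `sd` means the data is populated locally into `sd_local`, would make this clear at the point of use; the existing comment before rmb() covers only the ordering of mode changes from another thread.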

Re: [PATCH v8 1/2] seccomp: add a return code to trap to userspace

2018-10-30 Thread Kees Cook
s series unless Kees does it > before. I'd like to avoid changing the return value of __secure_computing() to just avoid having to touch all the callers. And I'd prefer not to change __seccomp_filter() to a bool, since I'd like the return values to be consistent through the call chain. I find the existing code more readable than a single-line return, just because it's very explicit. I don't want to have to think any harder when reading seccomp. ;) -Kees -- Kees Cook
