onal. Kees?
I've gone back and forth on this and in the end I decided I'd wait and
see if anyone was bothered by it besides just me. :) But, yes, for
lkdtm we really do want a "real" view of the pointer because we're
comparing it against page tables and/or kernel section layout, etc.
I've applied this to my lkdtm -next tree. Thanks!
--
Kees Cook
After the transition to kprobes, symbols are resolved at runtime. This
means there is no need to have all the Kconfig and header logic to
avoid build failures. This also paves the way to having arbitrary test
locations.
Reported-by: Christophe Leroy
Signed-off-by: Kees Cook
---
drivers/misc
he Leroy
Actually, I don't think any of this is needed, actually. The switch to
kprobes from jprobes meant that the symbols are resolved at runtime
now, so there's no need for the headers at all (nor the Kconfig line).
I'll spin something and send it out...
--
Kees Cook
On Thu, Oct 25, 2018 at 5:49 PM, Andy Lutomirski wrote:
>> On Oct 25, 2018, at 5:35 PM, Kees Cook wrote:
>>
>>> On Fri, Oct 26, 2018 at 12:00 AM, Andy Lutomirski
>>> wrote:
>>> You could bite the bullet and add seccomp eBPF support :)
>>
>>
> Without patch:
> Benchmarking 33554432 samples...
> 28.059619466 - 18.706769155 = 9352850311
> getpid native: 278 ns
> 42.299228279 - 28.059761804 = 14239466475
> getpid RET_ALLOW: 424 ns
> Estimated seccomp overhead per syscall: 146 ns
>
> Cc: Kees Cook
> Cc: Andy Lutomirski
On Fri, Oct 26, 2018 at 12:00 AM, Andy Lutomirski wrote:
> You could bite the bullet and add seccomp eBPF support :)
I'm not convinced this is a good enough reason for gaining the eBPF
attack surface yet.
-Kees
--
Kees Cook
I'm suggesting below...
> +
> +long __probe_user_read(void *dst, const void __user *src, size_t size)
Please make this __always_inline so the "size" variable can be
examined for const-ness by the check_object_size() in
__copy_from_user_inatomic().
-Kees
--
Kees Cook
Pixel Security
> Kees, can you take the patches?
>
> Apparently, neither signal.h nor compat.h have a dedicated maintainer:
>
> $ scripts/get_maintainer.pl --nokeywords --nogit --nogit-fallback
> include/linux/signal.h
> linux-ker...@vger.kernel.org (open list)
>
> $ scripts/get_maintainer.pl --nokeywords --nogit --nogit-fallback
> include/linux/compat.h
> linux-ker...@vger.kernel.org (open list)
Normally things like that go through akpm, but I'm happy to carry them
if needed.
-Kees
--
Kees Cook
Pixel Security
On Wed, Oct 10, 2018 at 5:32 PM, Michael Ellerman wrote:
> Kees Cook writes:
>> On Tue, Oct 9, 2018 at 10:13 PM, Michael Ellerman
>> wrote:
>>> Warn whenever a switch statement has a fallthrough without a comment
>>> annotating it.
>>>
>>>
On Tue, Oct 9, 2018 at 10:13 PM, Michael Ellerman wrote:
> Warn whenever a switch statement has a fallthrough without a comment
> annotating it.
>
> Signed-off-by: Michael Ellerman
Yes please. :)
Reviewed-by: Kees Cook
-Kees
> ---
> arch/powerpc/Kbuild | 1 +
> 1 file
Makefile in the merge window
(see linux-next), so this will be redundant.
-Kees
--
Kees Cook
Pixel Security
> This patch adds a check for an incorrectly initialized to the
> beginning of try_offline_node, and exits the routine.
>
> Another patch is being developed for powerpc to track the
> node Id to which an LMB belongs, so that we can remove the
> LMB from there instead of the nid as currently
-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com
Cc: "Leonidas S. Barbosa"
Cc: Paulo Flabiano Smorigo
Cc: Benjamin Herrenschmidt
Cc: Paul Mackerras
Cc: Michael Ellerman
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook
---
drivers/crypto/vmx/aes_cbc.c | 22 +++--
On Thu, Jul 19, 2018 at 5:17 AM, Michael Ellerman wrote:
> Kees Cook writes:
>
>> On Fri, Jun 29, 2018 at 11:52 AM, Kees Cook wrote:
>>> In the quest to remove all stack VLA usage from the kernel[1], this
>>> switches from an unchanging variable to a constant expre
On Fri, Jun 29, 2018 at 11:52 AM, Kees Cook wrote:
> In the quest to remove all stack VLA usage from the kernel[1], this
> switches from an unchanging variable to a constant expression to eliminate
> the VLA generation.
>
> [1]
> https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX
el Ellerman
Reviewed-by: Kees Cook
-Kees
> ---
> Documentation/admin-guide/kernel-parameters.txt | 16 +---
> 1 file changed, 13 insertions(+), 3 deletions(-)
>
> I tried documenting the differences between the PPC options and X86 ones in
> one
> section, but i
aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com
Signed-off-by: Kees Cook
Reviewed-by: Arnd Bergmann
---
v2: use "0x600-0x500" for size calculation to illustrate handler sizes
---
arch/powerpc/platforms/52xx/mpc52xx_pm.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git
On Sun, Jul 1, 2018 at 6:33 PM, Michael Ellerman wrote:
> Kees Cook writes:
>
>> On Fri, Jun 29, 2018 at 2:02 PM, Arnd Bergmann wrote:
>>> On Fri, Jun 29, 2018 at 8:53 PM, Kees Cook wrote:
>>>> In the quest to remove all stack VLA usage from the kernel[1], th
On Fri, Jun 29, 2018 at 2:02 PM, Arnd Bergmann wrote:
> On Fri, Jun 29, 2018 at 8:53 PM, Kees Cook wrote:
>> In the quest to remove all stack VLA usage from the kernel[1], this
>> switches to using a stack size large enough for the saved routine and
>> adds a sanity check
In the quest to remove all stack VLA usage from the kernel[1], this
switches to using a stack size large enough for the saved routine and
adds a sanity check.
[1]
https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com
Signed-off-by: Kees Cook
---
arch
: Paul Mackerras
Cc: Michael Ellerman
Cc: Andrew Morton
Cc: Randy Dunlap
Cc: Tyrel Datwyler
Cc: Rob Herring
Cc: Ingo Molnar
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook
---
arch/powerpc/sysdev/msi_bitmap.c | 15 ---
1 file changed, 8 insertions(+), 7 deletions(-)
diff
ile trying to tighten the
CONFIG_FORTIFY_SOURCE checking.
Signed-off-by: Kees Cook
---
drivers/net/ethernet/ibm/ibmvnic.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/ibm/ibmvnic.c
b/drivers/net/ethernet/ibm/ibmvnic.c
index aad5658d79d5..35fbb41cd2d4
fault n", and I'd
suggest adding a help section just to describe what the per-arch
responsibilities are when select-ing the config. (See
HAVE_ARCH_SECCOMP_FILTER for an example.)
-Kees
--
Kees Cook
Pixel Security
On Tue, Mar 27, 2018 at 4:49 PM, Matthew Wilcox wrote:
> On Tue, Mar 27, 2018 at 03:53:53PM -0700, Kees Cook wrote:
>> I agree: pushing this off to libc leaves a lot of things unprotected.
>> I think this should live in the kernel. The question I have is about
>> making it
is feature for any user - on desktop, on server, on IoT device,
> on SCADA, etc. But if only glibc will implement ‘user-mode-aslr’ IoT and SCADA
> devices will never get it.
I agree: pushing this off to libc leaves a lot of things unprotected.
I think this should live in the kernel. The question I have is about
making it maintainable/readable/etc.
The state-of-the-art for ASLR is moving to finer granularity (over
just base-address offset), so I'd really like to see this supported in
the kernel. We'll be getting there for other things in the future, and
I'd like to have a working production example for researchers to
study, etc.
-Kees
--
Kees Cook
Pixel Security
On Sun, Mar 11, 2018 at 5:44 AM, Ard Biesheuvel
wrote:
> On 11 March 2018 at 12:38, Ard Biesheuvel wrote:
>> Cc: James Morris
>
> Note when replying: this ^^^ email address no longer works.
James updated MAINTAINERS to: James Morris
--
Kees Cook
Pixel Security
ption,-mno-readonly-in-sdata)
ifeq ($(CONFIG_PPC_BOOK3S_64),y)
CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mtune=power7,-mtune=power4)
--
2.7.4
--
Kees Cook
Pixel Security
On Thu, Feb 22, 2018 at 5:07 AM, Michal Hocko wrote:
> On Wed 14-02-18 09:14:47, Kees Cook wrote:
> [...]
>> I can send it through my seccomp tree via James Morris.
>
> Could you please do it?
Hi! Yes, sorry, this fell through the cracks. Now applied.
-Kees
--
Kees Cook
Pixel Security
On Wed, Feb 14, 2018 at 1:20 AM, Michal Hocko wrote:
> On Tue 13-02-18 13:27:30, Kees Cook wrote:
>> On Tue, Feb 13, 2018 at 2:32 AM, Michal Hocko wrote:
>> > On Tue 13-02-18 21:16:55, Michael Ellerman wrote:
>> >> Kees Cook writes:
>> >>
>>
On Tue, Feb 13, 2018 at 2:32 AM, Michal Hocko wrote:
> On Tue 13-02-18 21:16:55, Michael Ellerman wrote:
>> Kees Cook writes:
>>
>> > On Mon, Feb 12, 2018 at 7:25 PM, Michael Ellerman
>> > wrote:
>> >> Michal Hocko writes:
>> >>>
ed when cross compiling.
Hrm, yeah, the goal was to entirely disable cross compiling, but I
guess we didn't hit it with a hard enough hammer. :)
-Kees
--
Kees Cook
Pixel Security
0;
> vphn_enabled = 1;
> setup_cpu_associativity_change_counters();
> - init_timer_deferrable(&topology_timer);
> + timer_setup(&topology_timer, topology_timer_fn,
> + TIMER_DEFERRABLE);
> reset_topology_timer();
> }
> }
Thanks, this looks correct to me!
-Kees
--
Kees Cook
Pixel Security
c: Michael Ellerman
Cc: "James E.J. Bottomley"
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook
---
drivers/scsi/ibmvscsi/ibmvfc.c | 14 ++
drivers/scsi/ibmvscsi/ibmvscsi.c | 7 +++
2 files changed, 9 insertions(+), 12 deleti
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly.
Cc: Benjamin Herrenschmidt
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook
---
drivers
On Tue, Oct 17, 2017 at 5:29 AM, Michael Ellerman wrote:
> Nicholas Piggin writes:
>
>> On Mon, 16 Oct 2017 16:47:10 -0700
>> Kees Cook wrote:
>>
>>> In preparation for unconditionally passing the struct timer_list pointer to
>>> all timer callbacks,
Removes unused timer and its old initialization call.
Cc: Pantelis Antoniou
Cc: Vitaly Bordug
Cc: linuxppc-dev@lists.ozlabs.org
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c | 2 --
drivers/net/ethernet/freescale/fs_enet
@lists.ozlabs.org
Signed-off-by: Kees Cook
---
arch/powerpc/kernel/watchdog.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/kernel/watchdog.c b/arch/powerpc/kernel/watchdog.c
index 15e209a37c2d..50797528b5e1 100644
--- a/arch/powerpc/kernel/watchdog.c
+++ b
c: Michael Ellerman
Cc: "James E.J. Bottomley"
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook
---
This requires commit 686fef928bba ("timer: Prepare to change timer
callback argument type") in v4.14-rc3, but should be otherwise
018c894] handle_percpu_irq+0x84/0xd0
> [c0077ff6bf30] [c01840f4] generic_handle_irq+0x54/0x80
> [c0077ff6bf60] [c0016f00] __do_irq+0x80/0x1d0
> [c0077ff6bf90] [c002b120] call_do_irq+0x14/0x24
> [c0077248bde0] [c00170e8] do_IRQ+0x98/0x140
> [c0077248be30] [c0008ac4] hardware_interrupt_common+0x114/0x120
> Instruction dump:
> e93d0019 2fa9 409effd8 4bfffed8 893f0644 61290004 993f0644 4b10
> 0fe0 4bfffe6c 6000 6042 <0fe0> 4bfffeac 6000 6042
> ---[ end trace 1094995650f27c83 ]---
>
>
>
> --
> Regards
>
> Abdul Haleem
> IBM Linux Technology Centre
>
>
--
Kees Cook
Pixel Security
When available, CONFIG_KERNEL_RWX should be default-enabled for PPC64.
On PPC32, there is a performance trade-off.
Cc: Benjamin Herrenschmidt
Cc: Paul Mackerras
Cc: Michael Ellerman
Cc: Christophe LEROY
Cc: Balbir Singh
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook
---
v2
On Thu, Oct 5, 2017 at 11:57 AM, christophe leroy
wrote:
>
>
> Le 05/10/2017 à 19:30, Kees Cook a écrit :
>>
>> On Thu, Oct 5, 2017 at 12:49 AM, Christophe LEROY
>> wrote:
>>>
>>>
>>>
>>> Le 05/10/2017 à 05:45, Kees Cook a écr
On Thu, Oct 5, 2017 at 12:49 AM, Christophe LEROY
wrote:
>
>
> Le 05/10/2017 à 05:45, Kees Cook a écrit :
>>
>> When available, CONFIG_KERNEL_RWX should be default-enabled.
>
>
> On PPC32, this option implies deactivating BATs and/or LTLB mapping of the
> lin
When available, CONFIG_KERNEL_RWX should be default-enabled.
Cc: Benjamin Herrenschmidt
Cc: Paul Mackerras
Cc: Michael Ellerman
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook
---
arch/powerpc/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/powerpc/Kconfig b/arch
In preparation for unconditionally passing the struct timer_list pointer
to all timer callbacks, switch kthread to use from_timer() and pass the
timer pointer explicitly.
Cc: Andrew Morton
Cc: Petr Mladek
Cc: Tejun Heo
Cc: Thomas Gleixner
Cc: Oleg Nesterov
Signed-off-by: Kees Cook
In preparation for unconditionally passing the struct timer_list pointer
to all timer callbacks, switch workqueue to use from_timer() and pass the
timer pointer explicitly.
Cc: Tejun Heo
Cc: Lai Jiangshan
Signed-off-by: Kees Cook
---
include/linux/workqueue.h | 15 ---
kernel
The expires field is normally initialized during the first mod_timer()
call. It was unused by all callers, so remove it from the macro.
Signed-off-by: Kees Cook
---
include/linux/kthread.h | 2 +-
include/linux/timer.h | 5 ++---
include/linux/workqueue.h | 2 +-
3 files changed, 4
Cc: Geert Uytterhoeven
Cc: linux-m...@linux-mips.org
Cc: linux-watch...@vger.kernel.org
Signed-off-by: Kees Cook
---
arch/mips/mti-malta/malta-display.c | 6 +++---
drivers/watchdog/alim7101_wdt.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/mips/mti-malta
Drop the arguments from the macro and adjust all callers with the
following script:
perl -pi -e 's/DEFINE_TIMER\((.*), 0, 0\);/DEFINE_TIMER($1);/g;' \
$(git grep DEFINE_TIMER | cut -d: -f1 | sort -u | grep -v timer.h)
Signed-off-by: Kees Cook
Acked-by: Geert Uytterhoeven # for
Drops the last user of TIMER_INITIALIZER and adapts timer.h to use the
internal version.
Cc: Arnd Bergmann
Cc: Greg Kroah-Hartman
Cc: Mark Gross
Cc: Thomas Gleixner
Signed-off-by: Kees Cook
---
drivers/char/tlclk.c | 12 +---
include/linux/timer.h | 2 +-
2 files changed, 6
...@vger.kernel.org
Signed-off-by: Kees Cook
---
arch/s390/kernel/lgr.c | 6 +++---
arch/s390/kernel/topology.c | 6 +++---
kernel/workqueue.c | 8 +++-
3 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/arch/s390/kernel/lgr.c b/arch/s390/kernel/lgr.c
index ae7dff110054
This removes the now unused TIMER_*INITIALIZER macros:
TIMER_INITIALIZER
TIMER_PINNED_INITIALIZER
TIMER_DEFERRED_INITIALIZER
TIMER_PINNED_DEFERRED_INITIALIZER
Signed-off-by: Kees Cook
---
include/linux/timer.h | 12
1 file changed, 12 deletions(-)
diff --git a/include/linux
@lists.ozlabs.org
Cc: net...@vger.kernel.org
Cc: linux-wirel...@vger.kernel.org
Signed-off-by: Kees Cook
---
arch/powerpc/mm/numa.c | 12 +--
drivers/hsi/clients/ssi_protocol.c | 32
drivers/net/ethernet/qlogic/qlge/qlge_main.c | 11
Hi,
This is the first of many timer infrastructure cleanups to simplify the
timer API[1]. All of these patches are expected to land via the timer
tree, so Acks (or corrections) appreciated.
These patches refactor various users of timer API that are NOT just using
init_timer() or setup_timer() (wh
"James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: Thomas Gleixner
Cc: linux...@vger.kernel.org
Cc: linux1394-de...@lists.sourceforge.net
Cc: linux-s...@vger.kernel.org
Cc: linux-s...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/base/power/main.c | 8 +
This refactors the only users of init_timer_pinned() to use
the new timer_setup() and from_timer(). Drops the definition of
init_timer_pinned().
Cc: Chris Metcalf
Cc: Thomas Gleixner
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/net/ethernet/tile/tilepro.c | 9
eliminated.
Cc: John Stultz
Cc: Thomas Gleixner
Cc: Stephen Boyd
Signed-off-by: Kees Cook
---
include/linux/timer.h | 8
kernel/time/timer.c | 26 +++---
2 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/include/linux/timer.h b/include/linux/timer.h
index
Mackerras
Cc: Michael Ellerman
Cc: Thomas Gleixner
Cc: linux...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook
---
drivers/cpufreq/powernv-cpufreq.c | 13 +++--
include/linux/timer.h | 2 --
2 files changed, 7 insertions(+), 8 deletions(-)
di
On Mon, Oct 2, 2017 at 1:08 PM, Segher Boessenkool
wrote:
> On Mon, Oct 02, 2017 at 12:29:45PM -0700, Kees Cook wrote:
>> On Mon, Sep 25, 2017 at 12:41 PM, Segher Boessenkool
>> wrote:
>> > On Mon, Sep 25, 2017 at 04:01:55PM +, David Laight wrote:
>> >>
l data.
>>
>> My guess is that the linker script is putting .srodata in with .sdata.
>
> .srodata does not *exist* (in the ABI).
So, I still think this is a bug. The variable is marked const: this is
not a _suggestion_. :) If the compiler produces output where the
variable is writable, that's a bug.
I can't tell if this bug is related:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=9571
-Kees
--
Kees Cook
Pixel Security
1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/rodata_test.c b/mm/rodata_test.c
> index 6bb4deb12e78..d908c8769b48 100644
> --- a/mm/rodata_test.c
> +++ b/mm/rodata_test.c
> @@ -14,7 +14,7 @@
> #include
> #include
>
> -const int rodata_test
: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: net...@vger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook
Acked-by: Tyrel Datwyler # for ibmvscsi
---
drivers/scsi/ibmvscsi/ibmvfc.c | 14 ++
d
rn off the defrag $ echo 0 > khugepaged/defrag
> 3. Write random to memory path
> 4. Set huge pages numbers
> 5. Turn on defrag $ echo 1 > khugepaged/defrag
>
>
> new trace:
> --
> Unable to handle kernel paging request for data at address
> 0x5deadbeef108
This looks like use-after-list-removal, that value appears to be LIST_POISON1.
Try enabling CONFIG_DEBUG_LIST to see if you get better details?
-Kees
--
Kees Cook
Pixel Security
: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: net...@vger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook
---
drivers/net/irda/bfin_sir.c | 5 +++--
drivers/scsi/ibmvscsi/ibmvfc.c | 14 ++
d
k start and end arguments
> are pulled from the resource structure, the callback functions can obtain
> them from the resource structure directly.
>
> Signed-off-by: Tom Lendacky
> Signed-off-by: Brijesh Singh
This is a nice clean up even without the refactoring need. :)
Reviewed-
t:
> kfree(tmp);
> +out:
> return ret;
> -
> }
>
> static long dev_nvram_ioctl(struct file *file, unsigned int cmd,
> --
> 2.9.3
>
--
Kees Cook
Pixel Security
On Mon, Jun 26, 2017 at 6:04 AM, Michael Ellerman wrote:
> Kees Cook writes:
>
>> On Fri, Jun 23, 2017 at 12:01 AM, Michael Ellerman
>> wrote:
>>> Kees Cook writes:
>>>
>>>> Now that explicitly executed loaders are loaded in the mmap region,
On Fri, Jun 23, 2017 at 1:59 PM, Kees Cook wrote:
> For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs
> are loaded below the mmap region. This means they can be made to collide
> (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with pathological
> stack regio
On Sat, Jun 24, 2017 at 2:11 AM, Russell King - ARM Linux
wrote:
> On Fri, Jun 23, 2017 at 01:59:55PM -0700, Kees Cook wrote:
>> This is v2 (to refresh the 5 patches in -mm) for moving ELF_ET_DYN_BASE
>> safely lower. Changes are clarifications in the commit logs (suggested
>>
4MB would be used (since the NULL address is avoided).
Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and
suggestions on how to implement this solution.
Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR")
Cc: sta...@vger.kernel.org
Cc: x...@kernel.org
Sign
running PIE on 32-bit ARM will have an MMU, so
the tight mapping is not needed.
Cc: sta...@vger.kernel.org
Cc: Russell King
Signed-off-by: Kees Cook
---
arch/arm/include/asm/elf.h | 8 ++--
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/arch/arm/include/asm/elf.h b/arch/arm
close to the NULL address.
Cc: sta...@vger.kernel.org
Cc: Heiko Carstens
Cc: Martin Schwidefsky
Signed-off-by: Kees Cook
---
arch/s390/include/asm/elf.h | 15 +++
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h
-bit pointers. On 32-bit use 4MB, which is the
traditional x86 minimum load location, likely to avoid historically
requiring a 4MB page table entry when only a portion of the first 4MB
would be used (since the NULL address is avoided).
Cc: sta...@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by
: Catalin Marinas
Cc: Mark Rutland
Signed-off-by: Kees Cook
---
arch/arm64/include/asm/elf.h | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
index 5d1700425efe..8790fb09f689 100644
--- a/arch/arm64/include/asm
This is v2 (to refresh the 5 patches in -mm) for moving ELF_ET_DYN_BASE
safely lower. Changes are clarifications in the commit logs (suggested
by mpe), a compat think-o fix for arm64 (thanks to Ard), and to add
Rik and mpe's Acks.
Quoting patch 1/5:
The ELF_ET_DYN_BASE position was originally int
On Fri, Jun 23, 2017 at 12:01 AM, Michael Ellerman wrote:
> Kees Cook writes:
>
>> Now that explicitly executed loaders are loaded in the mmap region,
>> position PIE binaries lower in the address space to avoid possible
>> collisions with mmap or stack regions. For
On Fri, Jun 23, 2017 at 6:52 AM, Kees Cook wrote:
> On Thu, Jun 22, 2017 at 11:57 PM, Ard Biesheuvel
> wrote:
>> Hi Kees,
>>
>> On 22 June 2017 at 18:06, Kees Cook wrote:
>>> Now that explicitly executed loaders are loaded in the mmap region,
>>> positi
On Thu, Jun 22, 2017 at 11:57 PM, Ard Biesheuvel
wrote:
> Hi Kees,
>
> On 22 June 2017 at 18:06, Kees Cook wrote:
>> Now that explicitly executed loaders are loaded in the mmap region,
>> position PIE binaries lower in the address space to avoid possible
>> collisions
Now that explicitly executed loaders are loaded in the mmap region,
position PIE binaries lower in the address space to avoid possible
collisions with mmap or stack regions.
Signed-off-by: Kees Cook
---
arch/arm/include/asm/elf.h | 8 ++--
1 file changed, 2 insertions(+), 6 deletions
Now that explicitly executed loaders are loaded in the mmap region,
position PIE binaries lower in the address space to avoid possible
collisions with mmap or stack regions. For 64-bit, align to 4GB to
allow runtimes to use the entire 32-bit address space for 32-bit
pointers.
Signed-off-by: Kees
Now that explicitly executed loaders are loaded in the mmap region,
position PIE binaries lower in the address space to avoid possible
collisions with mmap or stack regions. For 64-bit, align to 4GB to
allow runtimes to use the entire 32-bit address space for 32-bit
pointers.
Signed-off-by: Kees
Now that explicitly executed loaders are loaded in the mmap region,
position PIE binaries lower in the address space to avoid possible
collisions with mmap or stack regions. For 64-bit, align to 4GB to
allow runtimes to use the entire 32-bit address space for 32-bit
pointers.
Signed-off-by: Kees
This is a follow-up to "binfmt_elf: Use ELF_ET_DYN_BASE only for PIE"[1],
which allow ELF_ET_DYN_BASE to be reduced from high in the address space.
That patch only changed x86, and this series changes arm, arm64, powerpc,
and s390.
Since these depend on the mentioned patch (which I'm hoping akpm w
r some situations, etc.
To do something like this in upstream, we need to be sure we've sanely
dealt with the brk region, which follows the first loaded ELF, and if
it's the interpreter, that means brk ends up in mmap area, up near the
executable area (near what would become the misnomer of
ELF_ET_DYN_BASE -- should be ELF_PIE_BASE).
-Kees
--
Kees Cook
Pixel Security
an just fix
> it without other fallout. I'll dig a bit more tomorrow if no one beats
> me to it.
>
> Kees, depending on how that turns out we may ask you to revert
> 517e1fbeb65f ("mm/usercopy: Drop extra is_vmalloc_or_module() check").
That's fine by me. Let me know what you think would be best.
Laura, I don't see much harm in putting this back in place. It seems
like it's just a matter of efficiency to have it removed?
-Kees
--
Kees Cook
Pixel Security
and the compiler can assume it's limited to the size of
> the type used to define it which then gets enforced by these fortified
> wrappers rather than just used for optimization (in practice, it won't
> break much without these, but it could).
We'd need something to actually extract the sizes of the asm
functions. Right now, that kind of thing is done in the linker
scripts, but that may be too late.
-Kees
--
Kees Cook
Pixel Security
.flags = PSTORE_FLAGS_DMESG,
> .open = nvram_pstore_open,
> .read = nvram_pstore_read,
> .write = nvram_pstore_write,
> --
> 2.7.4
>
--
Kees Cook
Pixel Security
shift = mmap_rnd_compat_bits;
> #endif
> - rnd = get_random_long() % (1 << shift);
> + rnd = get_random_long() % (1ul << shift);
>
> return rnd << PAGE_SHIFT;
> }
> --
> 2.7.4
Reviewed-by: Kees Cook
-Kees
--
Kees Cook
Pixel Security
>>> -rnd = get_random_long() % (1<<(23-PAGE_SHIFT));
>>> -else
>>> -rnd = get_random_long() % (1UL<<(30-PAGE_SHIFT));
>>> + shift = mmap_rnd_compat_bits;
>>> +#endif
>>> +rnd = get_random_long() % (1 << shift);
>>
>> Nitpick, 1 should be 1UL?
Nice catch!
> No, shift can only be 29 at most IIRC?
The largest value in the kconfigs is 33?
> But it's a bit fragile, so I'll change it.
Thanks!
-Kees
--
Kees Cook
Pixel Security
+
> arch/powerpc/mm/mmap.c | 11 ++-
> 2 files changed, 50 insertions(+), 5 deletions(-)
>
> v2: Fix the 32-bit MAX value incorrectly using MIN as spotted by Kees.
>
> Kees/Bhupesh, would love a Review/Ack/Tested-by from you, I
or 32bit, 1GB for 64bit */
> + shift = mmap_rnd_bits;
> +#ifdef CONFIG_COMPAT
> if (is_32bit_task())
> - rnd = get_random_long() % (1<<(23-PAGE_SHIFT));
> - else
> - rnd = get_random_long() % (1UL<<(30-PAGE_SHIFT));
> + shift = mmap_rnd_compat_bits;
> +#endif
> + rnd = get_random_long() % (1 << shift);
>
> return rnd << PAGE_SHIFT;
> }
> --
> 2.7.4
>
Yay! Ever closer to being able to extract arch_mmap_rnd() out of arch/ ;)
-Kees
--
Kees Cook
Pixel Security
On Mon, Mar 27, 2017 at 8:03 PM, Andrew Donnellan
wrote:
> On 27/03/17 18:38, Andrew Donnellan wrote:
>>
>> On 01/02/17 07:24, Kees Cook wrote:
>>>
>>> From: Emese Revfy
>>>
>>> The kernel already has a mechanism to free up code and data m
rhaps the docs tree or mine? (I don't currently
have any fixes queued; I'm just trying to minimize pull requests going
to Linus...)
-Kees
--
Kees Cook
Pixel Security
360645] [c008b72dfd90] [c187dc48] vfs_write+0xc8/0x240
> [ 200.360650] [c008b72dfde0] [c187f8b0] SyS_write+0x60/0x110
> [ 200.360656] [c008b72dfe30] [c15cb8e0] system_call+0x38/0xfc
> [ 200.360660] Instruction dump:
> [ 200.360663] 7d495378 419e0044 2f89 7d434850 7f0a4840 79460020 41de001c
> 4099ffbc
> [ 200.360675] 3c62ffb6 38636af8 48444249 6000 <0fe0> 38210060
> 3860 e8010010
> [ 200.360686] ---[ end trace 937482186422ac36 ]---
>
> I have attached the dmesg log.
>
> Thanks
> -Sachin
>
>
>
--
Kees Cook
Pixel Security
On Tue, Mar 7, 2017 at 8:22 AM, Namhyung Kim wrote:
> On Tue, Mar 7, 2017 at 6:55 AM, Kees Cook wrote:
>> The read/mkfile pair pass the same arguments and should be cleared
>> between calls. Move to a structure and wipe it after every loop.
>>
>> Signed-off-by: Kees
On Tue, Mar 7, 2017 at 8:16 AM, Namhyung Kim wrote:
> Hi Kees,
>
> On Tue, Mar 7, 2017 at 6:55 AM, Kees Cook wrote:
>> Technically, it might be possible for struct pstore_info to go out of
>> scope after the module_put(), so report the backend name first.
>
> But in t
Removes argument list in favor of pstore record, though the user buffer
remains passed separately since it must carry the __user annotation.
Signed-off-by: Kees Cook
---
fs/pstore/platform.c | 35 ---
fs/pstore/pmsg.c | 9 ++---
fs/pstore/ram.c
Now that write() and write_buf() are functionally identical, this removes
write_buf(), and renames write_buf_user() to write_user(). Additionally
adds sanity-checks for pstore_info's declared functions and flags at
registration time.
Signed-off-by: Kees Cook
---
fs/pstore/ftrace.c
This removes the argument list for the erase() callback and replaces it
with a pointer to the backend record details to be removed.
Signed-off-by: Kees Cook
---
drivers/acpi/apei/erst.c | 8 +++-
drivers/firmware/efi/efi-pstore.c | 26 +++---
fs/pstore/inode.c
As with the other API updates, this removes the long argument list in favor
of passing a single pstore record.
Signed-off-by: Kees Cook
---
fs/pstore/ftrace.c | 9 +++--
fs/pstore/platform.c | 30 +-
fs/pstore/ram.c| 44
This switches the inode-private data from carrying duplicate metadata to
keeping the record passed in during pstore_mkfile().
Signed-off-by: Kees Cook
---
fs/pstore/inode.c| 57 ++--
fs/pstore/platform.c | 6 ++
2 files changed, 30