Re: [PATCH] lkdtm: print real addresses

2018-11-27 Thread Kees Cook
onal. Kees? I've gone back and forth on this and in the end I decided I'd wait and see if anyone was bothered by it besides just me. :) But, yes, for lkdtm we really do want a "real" view of the pointer because we're comparing it against page tables and/or kernel section layout, etc. I've applied this to my lkdtm -next tree. Thanks! -- Kees Cook

[PATCH] lkdtm: Do not depend on BLOCK and clean up headers

2018-11-27 Thread Kees Cook
After the transition to kprobes, symbols are resolved at runtime. This means there is no need to have all the Kconfig and header logic to avoid build failures. This also paves the way to having arbitrary test locations. Reported-by: Christophe Leroy Signed-off-by: Kees Cook --- drivers/misc

Re: [PATCH] lkdtm: do not depend on CONFIG_BLOCK

2018-11-27 Thread Kees Cook
he Leroy Actually, I don't think any of this is needed, actually. The switch to kprobes from jprobes meant that the symbols are resolved at runtime now, so there's no need for the headers at all (nor the Kconfig line). I'll spin something and send it out... -- Kees Cook

Re: [PATCH] seccomp: Add pkru into seccomp_data

2018-10-29 Thread Kees Cook
On Thu, Oct 25, 2018 at 5:49 PM, Andy Lutomirski wrote: >> On Oct 25, 2018, at 5:35 PM, Kees Cook wrote: >> >>> On Fri, Oct 26, 2018 at 12:00 AM, Andy Lutomirski >>> wrote: >>> You could bite the bullet and add seccomp eBPF support :) >> >>

Re: [RFC PATCH] seccomp: Add protection keys into seccomp_data

2018-10-29 Thread Kees Cook
> Without patch: > Benchmarking 33554432 samples... > 28.059619466 - 18.706769155 = 9352850311 > getpid native: 278 ns > 42.299228279 - 28.059761804 = 14239466475 > getpid RET_ALLOW: 424 ns > Estimated seccomp overhead per syscall: 146 ns > > Cc: Kees Cook > Cc: Andy Lutomirski

Re: [PATCH] seccomp: Add pkru into seccomp_data

2018-10-25 Thread Kees Cook
On Fri, Oct 26, 2018 at 12:00 AM, Andy Lutomirski wrote: > You could bite the bullet and add seccomp eBPF support :) I'm not convinced this is a good enough reason for gaining the eBPF attack surface yet. -Kees -- Kees Cook

Re: [RFC PATCH] mm: add probe_user_read() and probe_user_address()

2018-10-19 Thread Kees Cook
'm suggesting below... > + > +long __probe_user_read(void *dst, const void __user *src, size_t size) Please make this __always_inline so the "size" variable can be examined for const-ness by the check_object_size() in __copy_from_user_inatomic(). -Kees -- Kees Cook Pixel Security

Re: [PATCH 4/4] powerpc: Add -Wimplicit-fallthrough to arch CFLAGS

2018-10-12 Thread Kees Cook
> Kees, can you take the patches? > > Apparently, neither signal.h nor compat.h have a dedicated maintainer: > > $ scripts/get_maintainer.pl --nokeywords --nogit --nogit-fallback > include/linux/signal.h > linux-ker...@vger.kernel.org (open list) > > $ scripts/get_maintainer.pl --nokeywords --nogit --nogit-fallback > include/linux/compat.h > linux-ker...@vger.kernel.org (open list) Normally things like that go through akpm, but I'm happy to carry them if needed. -Kees -- Kees Cook Pixel Security

Re: [PATCH 4/4] powerpc: Add -Wimplicit-fallthrough to arch CFLAGS

2018-10-10 Thread Kees Cook
On Wed, Oct 10, 2018 at 5:32 PM, Michael Ellerman wrote: > Kees Cook writes: >> On Tue, Oct 9, 2018 at 10:13 PM, Michael Ellerman >> wrote: >>> Warn whenever a switch statement has a fallthrough without a comment >>> annotating it. >>> >>>

Re: [PATCH 4/4] powerpc: Add -Wimplicit-fallthrough to arch CFLAGS

2018-10-10 Thread Kees Cook
On Tue, Oct 9, 2018 at 10:13 PM, Michael Ellerman wrote: > Warn whenever a switch statement has a fallthrough without a comment > annotating it. > > Signed-off-by: Michael Ellerman Yes please. :) Reviewed-by: Kees Cook -Kees > --- > arch/powerpc/Kbuild | 1 + > 1 file

Re: [PATCH 3/4] powerpc: Add -Wvla to arch CFLAGS

2018-10-10 Thread Kees Cook
Makefile in the merge window (see linux-next), so this will be redundant. -Kees -- Kees Cook Pixel Security

Re: [PATCH] migration/mm: Add WARN_ON to try_offline_node

2018-10-01 Thread Kees Cook
> This patch adds a check for an incorrectly initialized to the > beginning of try_offline_node, and exits the routine. > > Another patch is being developed for powerpc to track the > node Id to which an LMB belongs, so that we can remove the > LMB from there instead of the nid as currently

[PATCH crypto-next 13/23] crypto: vmx - Remove VLA usage of skcipher

2018-09-18 Thread Kees Cook
-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com Cc: "Leonidas S. Barbosa" Cc: Paulo Flabiano Smorigo Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: Michael Ellerman Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook --- drivers/crypto/vmx/aes_cbc.c | 22 +++--

Re: [PATCH] powerpc/msi: Remove VLA usage

2018-07-19 Thread Kees Cook
On Thu, Jul 19, 2018 at 5:17 AM, Michael Ellerman wrote: > Kees Cook writes: > >> On Fri, Jun 29, 2018 at 11:52 AM, Kees Cook wrote: >>> In the quest to remove all stack VLA usage from the kernel[1], this >>> switches from an unchanging variable to a constant expre

Re: [PATCH] powerpc/msi: Remove VLA usage

2018-07-16 Thread Kees Cook
On Fri, Jun 29, 2018 at 11:52 AM, Kees Cook wrote: > In the quest to remove all stack VLA usage from the kernel[1], this > switches from an unchanging variable to a constant expression to eliminate > the VLA generation. > > [1] > https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX

Re: [PATCH] Documentation: Add powerpc options for spec_store_bypass_disable

2018-07-09 Thread Kees Cook
el Ellerman Reviewed-by: Kees Cook -Kees > --- > Documentation/admin-guide/kernel-parameters.txt | 16 +--- > 1 file changed, 13 insertions(+), 3 deletions(-) > > I tried documenting the differences between the PPC options and X86 ones in > one > section, but i

[PATCH v2] powerpc: mpc5200: Remove VLA usage

2018-07-02 Thread Kees Cook
aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com Signed-off-by: Kees Cook Reviewed-by: Arnd Bergmann --- v2: use "0x600-0x500" for size calculation to illustrate handler sizes --- arch/powerpc/platforms/52xx/mpc52xx_pm.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git

Re: [PATCH] powerpc: mpc5200: Remove VLA usage

2018-07-02 Thread Kees Cook
On Sun, Jul 1, 2018 at 6:33 PM, Michael Ellerman wrote: > Kees Cook writes: > >> On Fri, Jun 29, 2018 at 2:02 PM, Arnd Bergmann wrote: >>> On Fri, Jun 29, 2018 at 8:53 PM, Kees Cook wrote: >>>> In the quest to remove all stack VLA usage from the kernel[1], th

Re: [PATCH] powerpc: mpc5200: Remove VLA usage

2018-06-29 Thread Kees Cook
On Fri, Jun 29, 2018 at 2:02 PM, Arnd Bergmann wrote: > On Fri, Jun 29, 2018 at 8:53 PM, Kees Cook wrote: >> In the quest to remove all stack VLA usage from the kernel[1], this >> switches to using a stack size large enough for the saved routine and >> adds a sanity check

[PATCH] powerpc: mpc5200: Remove VLA usage

2018-06-29 Thread Kees Cook
In the quest to remove all stack VLA usage from the kernel[1], this switches to using a stack size large enough for the saved routine and adds a sanity check. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com Signed-off-by: Kees Cook --- arch

[PATCH] powerpc/msi: Remove VLA usage

2018-06-29 Thread Kees Cook
: Paul Mackerras Cc: Michael Ellerman Cc: Andrew Morton Cc: Randy Dunlap Cc: Tyrel Datwyler Cc: Rob Herring Cc: Ingo Molnar Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook --- arch/powerpc/sysdev/msi_bitmap.c | 15 --- 1 file changed, 8 insertions(+), 7 deletions(-) diff

[PATCH] ibmvnic: Define vnic_login_client_data name field as unsized array

2018-04-10 Thread Kees Cook
ile trying to tighten the CONFIG_FORTIFY_SOURCE checking. Signed-off-by: Kees Cook --- drivers/net/ethernet/ibm/ibmvnic.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c index aad5658d79d5..35fbb41cd2d4

Re: [PATCH] Extract initrd free logic from arch-specific code.

2018-03-28 Thread Kees Cook
fault n", and I'd suggest adding a help section just to describe what the per-arch responsibilities are when select-ing the config. (See HAVE_ARCH_SECCOMP_FILTER for an example.) -Kees -- Kees Cook Pixel Security

Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap.

2018-03-27 Thread Kees Cook
On Tue, Mar 27, 2018 at 4:49 PM, Matthew Wilcox wrote: > On Tue, Mar 27, 2018 at 03:53:53PM -0700, Kees Cook wrote: >> I agree: pushing this off to libc leaves a lot of things unprotected. >> I think this should live in the kernel. The question I have is about >> making it

Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap.

2018-03-27 Thread Kees Cook
is feature for any user - on desktop, on server, on IoT device, > on SCADA, etc. But if only glibc will implement ‘user-mode-aslr’ IoT and SCADA > devices will never get it. I agree: pushing this off to libc leaves a lot of things unprotected. I think this should live in the kernel. The question I have is about making it maintainable/readable/etc. The state-of-the-art for ASLR is moving to finer granularity (over just base-address offset), so I'd really like to see this supported in the kernel. We'll be getting there for other things in the future, and I'd like to have a working production example for researchers to study, etc. -Kees -- Kees Cook Pixel Security

Re: [PATCH v8 0/6] add support for relative references in special sections

2018-03-11 Thread Kees Cook
On Sun, Mar 11, 2018 at 5:44 AM, Ard Biesheuvel wrote: > On 11 March 2018 at 12:38, Ard Biesheuvel wrote: >> Cc: James Morris > > Note when replying: this ^^^ email address no longer works. James updated MAINTAINERS to: James Morris -- Kees Cook Pixel Security

[PATCH] powerpc: Keep const vars out of writable .sdata

2018-02-28 Thread Kees Cook
ption,-mno-readonly-in-sdata) ifeq ($(CONFIG_PPC_BOOK3S_64),y) CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mtune=power7,-mtune=power4) -- 2.7.4 -- Kees Cook Pixel Security

Re: samples/seccomp/ broken when cross compiling s390, ppc allyesconfig

2018-02-22 Thread Kees Cook
On Thu, Feb 22, 2018 at 5:07 AM, Michal Hocko wrote: > On Wed 14-02-18 09:14:47, Kees Cook wrote: > [...] >> I can send it through my seccomp tree via James Morris. > > Could you please do it? Hi! Yes, sorry, this fell through the cracks. Now applied. -Kees -- Kees Cook Pixel Security

Re: samples/seccomp/ broken when cross compiling s390, ppc allyesconfig

2018-02-14 Thread Kees Cook
On Wed, Feb 14, 2018 at 1:20 AM, Michal Hocko wrote: > On Tue 13-02-18 13:27:30, Kees Cook wrote: >> On Tue, Feb 13, 2018 at 2:32 AM, Michal Hocko wrote: >> > On Tue 13-02-18 21:16:55, Michael Ellerman wrote: >> >> Kees Cook writes: >> >> >>

Re: samples/seccomp/ broken when cross compiling s390, ppc allyesconfig

2018-02-13 Thread Kees Cook
On Tue, Feb 13, 2018 at 2:32 AM, Michal Hocko wrote: > On Tue 13-02-18 21:16:55, Michael Ellerman wrote: >> Kees Cook writes: >> >> > On Mon, Feb 12, 2018 at 7:25 PM, Michael Ellerman >> > wrote: >> >> Michal Hocko writes: >> >>>

Re: samples/seccomp/ broken when cross compiling s390, ppc allyesconfig

2018-02-12 Thread Kees Cook
ed when cross compiling. Hrm, yeah, the goal was to entirely disable cross compiling, but I guess we didn't hit it with a hard enough hammer. :) -Kees -- Kees Cook Pixel Security

Re: linux-next: manual merge of the tip tree with the powerpc tree

2017-11-01 Thread Kees Cook
0; > vphn_enabled = 1; > setup_cpu_associativity_change_counters(); > - init_timer_deferrable(&topology_timer); > + timer_setup(&topology_timer, topology_timer_fn, > + TIMER_DEFERRABLE); > reset_topology_timer(); > } > } Thanks, this looks correct to me! -Kees -- Kees Cook Pixel Security

[PATCH] scsi: ibmvscsi: Convert timers to use timer_setup()

2017-10-25 Thread Kees Cook
c: Michael Ellerman Cc: "James E.J. Bottomley" Cc: linux-s...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook --- drivers/scsi/ibmvscsi/ibmvfc.c | 14 ++ drivers/scsi/ibmvscsi/ibmvscsi.c | 7 +++ 2 files changed, 9 insertions(+), 12 deleti

[PATCH] drivers/macintosh: Convert timers to use timer_setup()

2017-10-24 Thread Kees Cook
In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch to using the new timer_setup() and from_timer() to pass the timer pointer explicitly. Cc: Benjamin Herrenschmidt Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook --- drivers

Re: [PATCH] powerpc/watchdog: Convert timers to use timer_setup()

2017-10-17 Thread Kees Cook
On Tue, Oct 17, 2017 at 5:29 AM, Michael Ellerman wrote: > Nicholas Piggin writes: > >> On Mon, 16 Oct 2017 16:47:10 -0700 >> Kees Cook wrote: >> >>> In preparation for unconditionally passing the struct timer_list pointer to >>> all timer callbacks,

[PATCH 55/58] net: fs_enet: Remove unused timer

2017-10-16 Thread Kees Cook
Removes unused timer and its old initialization call. Cc: Pantelis Antoniou Cc: Vitaly Bordug Cc: linuxppc-dev@lists.ozlabs.org Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c | 2 -- drivers/net/ethernet/freescale/fs_enet

[PATCH] powerpc/watchdog: Convert timers to use timer_setup()

2017-10-16 Thread Kees Cook
@lists.ozlabs.org Signed-off-by: Kees Cook --- arch/powerpc/kernel/watchdog.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/kernel/watchdog.c b/arch/powerpc/kernel/watchdog.c index 15e209a37c2d..50797528b5e1 100644 --- a/arch/powerpc/kernel/watchdog.c +++ b

[PATCH] scsi: ibmvscsi: Convert timers to use timer_setup()

2017-10-10 Thread Kees Cook
c: Michael Ellerman Cc: "James E.J. Bottomley" Cc: linux-s...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook --- This requires commit 686fef928bba ("timer: Prepare to change timer callback argument type") in v4.14-rc3, but should be otherwise

Re: [linux-next][Oops] CPU toggle resulted in kernel crash

2017-10-05 Thread Kees Cook
018c894] handle_percpu_irq+0x84/0xd0 > [c0077ff6bf30] [c01840f4] generic_handle_irq+0x54/0x80 > [c0077ff6bf60] [c0016f00] __do_irq+0x80/0x1d0 > [c0077ff6bf90] [c002b120] call_do_irq+0x14/0x24 > [c0077248bde0] [c00170e8] do_IRQ+0x98/0x140 > [c0077248be30] [c0008ac4] hardware_interrupt_common+0x114/0x120 > Instruction dump: > e93d0019 2fa9 409effd8 4bfffed8 893f0644 61290004 993f0644 4b10 > 0fe0 4bfffe6c 6000 6042 <0fe0> 4bfffeac 6000 6042 > ---[ end trace 1094995650f27c83 ]--- > > > > -- > Regard's > > Abdul Haleem > IBM Linux Technology Centre > > -- Kees Cook Pixel Security

[PATCH v2] powerpc: Default to enabling STRICT_KERNEL_RWX

2017-10-05 Thread Kees Cook
When available, CONFIG_KERNEL_RWX should be default-enabled for PPC64. On PPC32, there is a performance trade-off. Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: Michael Ellerman Cc: Christophe LEROY Cc: Balbir Singh Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook --- v2

Re: [PATCH] powerpc: Default to enabling STRICT_KERNEL_RWX

2017-10-05 Thread Kees Cook
On Thu, Oct 5, 2017 at 11:57 AM, christophe leroy wrote: > > > Le 05/10/2017 à 19:30, Kees Cook a écrit : >> >> On Thu, Oct 5, 2017 at 12:49 AM, Christophe LEROY >> wrote: >>> >>> >>> >>> Le 05/10/2017 à 05:45, Kees Cook a écr

Re: [PATCH] powerpc: Default to enabling STRICT_KERNEL_RWX

2017-10-05 Thread Kees Cook
On Thu, Oct 5, 2017 at 12:49 AM, Christophe LEROY wrote: > > > Le 05/10/2017 à 05:45, Kees Cook a écrit : >> >> When available, CONFIG_KERNEL_RWX should be default-enabled. > > > On PPC32, this option implies deactivating BATs and/or LTLB mapping of the > lin

[PATCH] powerpc: Default to enabling STRICT_KERNEL_RWX

2017-10-04 Thread Kees Cook
When available, CONFIG_KERNEL_RWX should be default-enabled. Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: Michael Ellerman Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook --- arch/powerpc/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/powerpc/Kconfig b/arch

[PATCH 12/13] kthread: Convert callback to use from_timer()

2017-10-04 Thread Kees Cook
In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch kthread to use from_timer() and pass the timer pointer explicitly. Cc: Andrew Morton Cc: Petr Mladek Cc: Tejun Heo Cc: Thomas Gleixner Cc: Oleg Nesterov Signed-off-by: Kees Cook

[PATCH 13/13] workqueue: Convert callback to use from_timer()

2017-10-04 Thread Kees Cook
In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch workqueue to use from_timer() and pass the timer pointer explicitly. Cc: Tejun Heo Cc: Lai Jiangshan Signed-off-by: Kees Cook --- include/linux/workqueue.h | 15 --- kernel

[PATCH 11/13] timer: Remove expires argument from __TIMER_INITIALIZER()

2017-10-04 Thread Kees Cook
The expires field is normally initialized during the first mod_timer() call. It was unused by all callers, so remove it from the macro. Signed-off-by: Kees Cook --- include/linux/kthread.h | 2 +- include/linux/timer.h | 5 ++--- include/linux/workqueue.h | 2 +- 3 files changed, 4

[PATCH 09/13] timer: Remove users of expire and data arguments to DEFINE_TIMER

2017-10-04 Thread Kees Cook
Cc: Geert Uytterhoeven Cc: linux-m...@linux-mips.org Cc: linux-watch...@vger.kernel.org Signed-off-by: Kees Cook --- arch/mips/mti-malta/malta-display.c | 6 +++--- drivers/watchdog/alim7101_wdt.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/arch/mips/mti-malta

[PATCH 10/13] timer: Remove expires and data arguments from DEFINE_TIMER

2017-10-04 Thread Kees Cook
Drop the arguments from the macro and adjust all callers with the following script: perl -pi -e 's/DEFINE_TIMER\((.*), 0, 0\);/DEFINE_TIMER($1);/g;' \ $(git grep DEFINE_TIMER | cut -d: -f1 | sort -u | grep -v timer.h) Signed-off-by: Kees Cook Acked-by: Geert Uytterhoeven # for

[PATCH 07/13] timer: Remove last user of TIMER_INITIALIZER

2017-10-04 Thread Kees Cook
Drops the last user of TIMER_INITIALIZER and adapts timer.h to use the internal version. Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Cc: Mark Gross Cc: Thomas Gleixner Signed-off-by: Kees Cook --- drivers/char/tlclk.c | 12 +--- include/linux/timer.h | 2 +- 2 files changed, 6

[PATCH 06/13] timer: Remove users of TIMER_DEFERRED_INITIALIZER

2017-10-04 Thread Kees Cook
...@vger.kernel.org Signed-off-by: Kees Cook --- arch/s390/kernel/lgr.c | 6 +++--- arch/s390/kernel/topology.c | 6 +++--- kernel/workqueue.c | 8 +++- 3 files changed, 9 insertions(+), 11 deletions(-) diff --git a/arch/s390/kernel/lgr.c b/arch/s390/kernel/lgr.c index ae7dff110054

[PATCH 08/13] timer: Remove unused static initializer macros

2017-10-04 Thread Kees Cook
This removes the now unused TIMER_*INITIALIZER macros: TIMER_INITIALIZER TIMER_PINNED_INITIALIZER TIMER_DEFERRED_INITIALIZER TIMER_PINNED_DEFERRED_INITIALIZER Signed-off-by: Kees Cook --- include/linux/timer.h | 12 1 file changed, 12 deletions(-) diff --git a/include/linux

[PATCH 05/13] timer: Remove init_timer_deferrable() in favor of timer_setup()

2017-10-04 Thread Kees Cook
@lists.ozlabs.org Cc: net...@vger.kernel.org Cc: linux-wirel...@vger.kernel.org Signed-off-by: Kees Cook --- arch/powerpc/mm/numa.c | 12 +-- drivers/hsi/clients/ssi_protocol.c | 32 drivers/net/ethernet/qlogic/qlge/qlge_main.c | 11

[PATCH 00/13] timer: Start conversion to timer_setup()

2017-10-04 Thread Kees Cook
Hi, This is the first of many timer infrastructure cleanups to simplify the timer API[1]. All of these patches are expected to land via the timer tree, so Acks (or corrections) appreciated. These patches refactor various users of timer API that are NOT just using init_timer() or setup_timer() (wh

[PATCH 03/13] timer: Remove init_timer_on_stack() in favor of timer_setup_on_stack()

2017-10-04 Thread Kees Cook
"James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: Thomas Gleixner Cc: linux...@vger.kernel.org Cc: linux1394-de...@lists.sourceforge.net Cc: linux-s...@vger.kernel.org Cc: linux-s...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/base/power/main.c | 8 +

[PATCH 04/13] timer: Remove init_timer_pinned() in favor of timer_setup()

2017-10-04 Thread Kees Cook
This refactors the only users of init_timer_pinned() to use the new timer_setup() and from_timer(). Drops the definition of init_timer_pinned(). Cc: Chris Metcalf Cc: Thomas Gleixner Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/ethernet/tile/tilepro.c | 9

[PATCH 01/13] timer: Convert schedule_timeout() to use from_timer()

2017-10-04 Thread Kees Cook
eliminated. Cc: John Stultz Cc: Thomas Gleixner Cc: Stephen Boyd Signed-off-by: Kees Cook --- include/linux/timer.h | 8 kernel/time/timer.c | 26 +++--- 2 files changed, 27 insertions(+), 7 deletions(-) diff --git a/include/linux/timer.h b/include/linux/timer.h index

[PATCH 02/13] timer: Remove init_timer_pinned_deferrable() in favor of timer_setup()

2017-10-04 Thread Kees Cook
Mackerras Cc: Michael Ellerman Cc: Thomas Gleixner Cc: linux...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook --- drivers/cpufreq/powernv-cpufreq.c | 13 +++-- include/linux/timer.h | 2 -- 2 files changed, 7 insertions(+), 8 deletions(-) di

Re: [PATCH] mm: fix RODATA_TEST failure "rodata_test: test data was not read only"

2017-10-02 Thread Kees Cook
On Mon, Oct 2, 2017 at 1:08 PM, Segher Boessenkool wrote: > On Mon, Oct 02, 2017 at 12:29:45PM -0700, Kees Cook wrote: >> On Mon, Sep 25, 2017 at 12:41 PM, Segher Boessenkool >> wrote: >> > On Mon, Sep 25, 2017 at 04:01:55PM +, David Laight wrote: >> >>

Re: [PATCH] mm: fix RODATA_TEST failure "rodata_test: test data was not read only"

2017-10-02 Thread Kees Cook
l data. >> >> My guess is that the linker script is putting .srodata in with .sdata. > > .srodata does not *exist* (in the ABI). So, I still think this is a bug. The variable is marked const: this is not a _suggestion_. :) If the compiler produces output where the variable is writable, that's a bug. I can't tell if this bug is related: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=9571 -Kees -- Kees Cook Pixel Security

Re: [PATCH] mm: fix RODATA_TEST failure "rodata_test: test data was not read only"

2017-09-24 Thread Kees Cook
1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/mm/rodata_test.c b/mm/rodata_test.c > index 6bb4deb12e78..d908c8769b48 100644 > --- a/mm/rodata_test.c > +++ b/mm/rodata_test.c > @@ -14,7 +14,7 @@ > #include > #include > > -const int rodata_test

[PATCH v2 19/31] timer: Remove open-coded casts for .data and .function

2017-09-20 Thread Kees Cook
: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: net...@vger.kernel.org Cc: linux-s...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook Acked-by: Tyrel Datwyler # for ibmvscsi --- drivers/scsi/ibmvscsi/ibmvfc.c | 14 ++ d

Re: [linux-next][Oops] memory hot-unplug results fault instruction address at /include/linux/list.h:104

2017-09-20 Thread Kees Cook
rn off the defrag $ echo 0 > khugepaged/defrag > 3. Write random to memory path > 4. Set huge pages numbers > 5. Turn on defrag $ echo 1 > khugepaged/defrag > > > new trace: > -- > Unable to handle kernel paging request for data at address > 0x5deadbeef108 This looks like use-after-list-removal, that value appears to be LIST_POISON1. Try enabling CONFIG_DEBUG_LIST to see if you get better details? -Kees -- Kees Cook Pixel Security

[PATCH 19/31] timer: Remove open-coded casts for .data and .function

2017-08-31 Thread Kees Cook
: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: net...@vger.kernel.org Cc: linux-s...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook --- drivers/net/irda/bfin_sir.c | 5 +++-- drivers/scsi/ibmvscsi/ibmvfc.c | 14 ++ d

Re: [RFC Part1 PATCH v3 10/17] resource: Provide resource struct in resource walk callback

2017-07-31 Thread Kees Cook
k start and end arguments > are pulled from the resource structure, the callback functions can obtain > them from the resource structure directly. > > Signed-off-by: Tom Lendacky > Signed-off-by: Brijesh Singh This is a nice clean up even without the refactoring need. :) Reviewed-

Re: [PATCH] powerpc/nvram: use memdup_user

2017-06-27 Thread Kees Cook
t: > kfree(tmp); > +out: > return ret; > - > } > > static long dev_nvram_ioctl(struct file *file, unsigned int cmd, > -- > 2.9.3 > -- Kees Cook Pixel Security

Re: [PATCH 3/4] powerpc: Reduce ELF_ET_DYN_BASE

2017-06-26 Thread Kees Cook
On Mon, Jun 26, 2017 at 6:04 AM, Michael Ellerman wrote: > Kees Cook writes: > >> On Fri, Jun 23, 2017 at 12:01 AM, Michael Ellerman >> wrote: >>> Kees Cook writes: >>> >>>> Now that explicitly executed loaders are loaded in the mmap region,

Re: [PATCH v2 1/5] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

2017-06-24 Thread Kees Cook
On Fri, Jun 23, 2017 at 1:59 PM, Kees Cook wrote: > For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs > are loaded below the mmap region. This means they can be made to collide > (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with pathological > stack regio

Re: [PATCH v2 0/5] Use ELF_ET_DYN_BASE only for PIE

2017-06-24 Thread Kees Cook
On Sat, Jun 24, 2017 at 2:11 AM, Russell King - ARM Linux wrote: > On Fri, Jun 23, 2017 at 01:59:55PM -0700, Kees Cook wrote: >> This is v2 (to refresh the 5 patches in -mm) for moving ELF_ET_DYN_BASE >> safely lower. Changes are clarifications in the commit logs (suggested >&

[PATCH v2 1/5] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

2017-06-23 Thread Kees Cook
4MB would be used (since the NULL address is avoided). Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and suggestions on how to implement this solution. Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR") Cc: sta...@vger.kernel.org Cc: x...@kernel.org Sign

[PATCH v2 2/5] arm: Move ELF_ET_DYN_BASE to 4MB

2017-06-23 Thread Kees Cook
running PIE on 32-bit ARM will have an MMU, so the tight mapping is not needed. Cc: sta...@vger.kernel.org Cc: Russell King Signed-off-by: Kees Cook --- arch/arm/include/asm/elf.h | 8 ++-- 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/arch/arm/include/asm/elf.h b/arch/arm

[PATCH v2 5/5] s390: Move ELF_ET_DYN_BASE to 4GB / 4MB

2017-06-23 Thread Kees Cook
close to the NULL address. Cc: sta...@vger.kernel.org Cc: Heiko Carstens Cc: Martin Schwidefsky Signed-off-by: Kees Cook --- arch/s390/include/asm/elf.h | 15 +++ 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h

[PATCH v2 4/5] powerpc: Move ELF_ET_DYN_BASE to 4GB / 4MB

2017-06-23 Thread Kees Cook
-bit pointers. On 32-bit use 4MB, which is the traditional x86 minimum load location, likely to avoid historically requiring a 4MB page table entry when only a portion of the first 4MB would be used (since the NULL address is avoided). Cc: sta...@vger.kernel.org Signed-off-by: Kees Cook Acked-by

[PATCH v2 3/5] arm64: Move ELF_ET_DYN_BASE to 4GB / 4MB

2017-06-23 Thread Kees Cook
: Catalin Marinas Cc: Mark Rutland Signed-off-by: Kees Cook --- arch/arm64/include/asm/elf.h | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index 5d1700425efe..8790fb09f689 100644 --- a/arch/arm64/include/asm

[PATCH v2 0/5] Use ELF_ET_DYN_BASE only for PIE

2017-06-23 Thread Kees Cook
This is v2 (to refresh the 5 patches in -mm) for moving ELF_ET_DYN_BASE safely lower. Changes are clarifications in the commit logs (suggested by mpe), a compat think-o fix for arm64 (thanks to Ard), and to add Rik and mpe's Acks. Quoting patch 1/5: The ELF_ET_DYN_BASE position was originally int

Re: [PATCH 3/4] powerpc: Reduce ELF_ET_DYN_BASE

2017-06-23 Thread Kees Cook
On Fri, Jun 23, 2017 at 12:01 AM, Michael Ellerman wrote: > Kees Cook writes: > >> Now that explicitly executed loaders are loaded in the mmap region, >> position PIE binaries lower in the address space to avoid possible >> collisions with mmap or stack regions. For

Re: [kernel-hardening] [PATCH 2/4] arm64: Reduce ELF_ET_DYN_BASE

2017-06-23 Thread Kees Cook
On Fri, Jun 23, 2017 at 6:52 AM, Kees Cook wrote: > On Thu, Jun 22, 2017 at 11:57 PM, Ard Biesheuvel > wrote: >> Hi Kees, >> >> On 22 June 2017 at 18:06, Kees Cook wrote: >>> Now that explicitly executed loaders are loaded in the mmap region, >>> positi

Re: [kernel-hardening] [PATCH 2/4] arm64: Reduce ELF_ET_DYN_BASE

2017-06-23 Thread Kees Cook
On Thu, Jun 22, 2017 at 11:57 PM, Ard Biesheuvel wrote: > Hi Kees, > > On 22 June 2017 at 18:06, Kees Cook wrote: >> Now that explicitly executed loaders are loaded in the mmap region, >> position PIE binaries lower in the address space to avoid possible >> collisions

[PATCH 1/4] arm: Reduce ELF_ET_DYN_BASE

2017-06-22 Thread Kees Cook
Now that explicitly executed loaders are loaded in the mmap region, position PIE binaries lower in the address space to avoid possible collisions with mmap or stack regions. Signed-off-by: Kees Cook --- arch/arm/include/asm/elf.h | 8 ++-- 1 file changed, 2 insertions(+), 6 deletions

[PATCH 2/4] arm64: Reduce ELF_ET_DYN_BASE

2017-06-22 Thread Kees Cook
Now that explicitly executed loaders are loaded in the mmap region, position PIE binaries lower in the address space to avoid possible collisions with mmap or stack regions. For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit address space for 32-bit pointers. Signed-off-by: Kees

[PATCH 4/4] s390: Reduce ELF_ET_DYN_BASE

2017-06-22 Thread Kees Cook
Now that explicitly executed loaders are loaded in the mmap region, position PIE binaries lower in the address space to avoid possible collisions with mmap or stack regions. For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit address space for 32-bit pointers. Signed-off-by: Kees

[PATCH 3/4] powerpc: Reduce ELF_ET_DYN_BASE

2017-06-22 Thread Kees Cook
Now that explicitly executed loaders are loaded in the mmap region, position PIE binaries lower in the address space to avoid possible collisions with mmap or stack regions. For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit address space for 32-bit pointers. Signed-off-by: Kees

[PATCH 0/4] Reduce ELF_ET_DYN_BASE

2017-06-22 Thread Kees Cook
This is a follow-up to "binfmt_elf: Use ELF_ET_DYN_BASE only for PIE"[1], which allows ELF_ET_DYN_BASE to be reduced from high in the address space. That patch only changed x86, and this series changes arm, arm64, powerpc, and s390. Since these depend on the mentioned patch (which I'm hoping akpm w

Re: [kernel-hardening] [PATCH] powerpc: Increase ELF_ET_DYN_BASE to 1TB for 64-bit applications

2017-06-07 Thread Kees Cook
r some situations, etc. To do something like this in upstream, we need to be sure we've sanely dealt with the brk region, which follows the first loaded ELF, and if it's the interpreter, that means brk ends up in mmap area, up near the executable area (near what would become the misnomer of ELF_ET_DYN_BASE -- should be ELF_PIE_BASE). -Kees -- Kees Cook Pixel Security

Re: kernel BUG at mm/usercopy.c:72!

2017-05-16 Thread Kees Cook
an just fix > it without other fallout. I'll dig a bit more tomorrow if no one beats > me to it. > > Kees, depending on how that turns out we may ask you to revert > 517e1fbeb65f ("mm/usercopy: Drop extra is_vmalloc_or_module() check"). That's fine by me. Let me know what you think would be best. Laura, I don't see much harm in putting this back in place. It seems like it's just a matter of efficiency to have it removed? -Kees -- Kees Cook Pixel Security

Re: [kernel-hardening] [PATCH] add the option of fortified string.h functions

2017-05-08 Thread Kees Cook
and the compiler can assume it's limited to the size of > the type used to define it which then gets enforced by these fortified > wrappers rather than just used for optimization (in practice, it won't > break much without these, but it could). We'd need something to actually extract the sizes of the asm functions. Right now, that kind of thing is done in the linker scripts, but that may be too late. -Kees -- Kees Cook Pixel Security

Re: [PATCH] Enabled pstore write for powerpc

2017-04-27 Thread Kees Cook
.flags = PSTORE_FLAGS_DMESG, > .open = nvram_pstore_open, > .read = nvram_pstore_read, > .write = nvram_pstore_write, > -- > 2.7.4 > -- Kees Cook Pixel Security

Re: [PATCH] powerpc/mm: Fix possible out-of-bounds shift in arch_mmap_rnd()

2017-04-25 Thread Kees Cook
shift = mmap_rnd_compat_bits; > #endif > - rnd = get_random_long() % (1 << shift); > + rnd = get_random_long() % (1ul << shift); > > return rnd << PAGE_SHIFT; > } > -- > 2.7.4 Reviewed-by: Kees Cook -Kees -- Kees Cook Pixel Security

Re: [kernel-hardening] Re: [PATCH v2] powerpc/mm: Add support for runtime configuration of ASLR limits

2017-04-24 Thread Kees Cook
>>> -rnd = get_random_long() % (1<<(23-PAGE_SHIFT)); >>> -else >>> -rnd = get_random_long() % (1UL<<(30-PAGE_SHIFT)); >>> + shift = mmap_rnd_compat_bits; >>> +#endif >>> +rnd = get_random_long() % (1 << shift); >> >> Nitpick, 1 should be 1UL? Nice catch! > No, shift can only be 29 at most IIRC? The largest value in the kconfigs is 33? > But it's a bit fragile, so I'll change it. Thanks! -Kees -- Kees Cook Pixel Security

Re: [PATCH v2] powerpc/mm: Add support for runtime configuration of ASLR limits

2017-04-20 Thread Kees Cook
+ > arch/powerpc/mm/mmap.c | 11 ++- > 2 files changed, 50 insertions(+), 5 deletions(-) > > v2: Fix the 32-bit MAX value incorrectly using MIN as spotted by Kees. > > Kees/Bhupesh, would love a Review/Ack/Tested-by from you, I

Re: [PATCH] powerpc/mm: Add support for runtime configuration of ASLR limits

2017-04-19 Thread Kees Cook
or 32bit, 1GB for 64bit */ > + shift = mmap_rnd_bits; > +#ifdef CONFIG_COMPAT > if (is_32bit_task()) > - rnd = get_random_long() % (1<<(23-PAGE_SHIFT)); > - else > - rnd = get_random_long() % (1UL<<(30-PAGE_SHIFT)); > + shift = mmap_rnd_compat_bits; > +#endif > + rnd = get_random_long() % (1 << shift); > > return rnd << PAGE_SHIFT; > } > -- > 2.7.4 > Yay! Ever closer to being able to extract arch_mmap_rnd() out of arch/ ;) -Kees -- Kees Cook Pixel Security
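Review bot: the added `rnd = get_random_long() % (1 << shift);` line builds the modulus from an int literal, while the 64-bit branch it replaces used `1UL<<(30-PAGE_SHIFT)`. Now that shift comes from mmap_rnd_bits or mmap_rnd_compat_bits rather than a fixed constant, a configured value of 31 or more overflows the int shift and the randomization range is no longer what was configured. Write it as `1UL << shift` so the expression is evaluated in unsigned long, matching the type returned by get_random_long().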

Re: [kernel-hardening] [PATCH v5 1/4] gcc-plugins: Add the initify gcc plugin

2017-03-28 Thread Kees Cook
On Mon, Mar 27, 2017 at 8:03 PM, Andrew Donnellan wrote: > On 27/03/17 18:38, Andrew Donnellan wrote: >> >> On 01/02/17 07:24, Kees Cook wrote: >>> >>> From: Emese Revfy >>> >>> The kernel already has a mechanism to free up code and data m

Re: [PATCH] gcc-plugins: update architecture list in documentation

2017-03-20 Thread Kees Cook
rhaps the docs tree or mine? (I don't currently have any fixes queued; I'm just trying to minimize pull requests going to Linus...) -Kees -- Kees Cook Pixel Security

Re: [next 20170227] CPU remove DLPAR operation WARN @ lib/refcount.c:128

2017-03-07 Thread Kees Cook
360645] [c008b72dfd90] [c187dc48] vfs_write+0xc8/0x240 > [ 200.360650] [c008b72dfde0] [c187f8b0] SyS_write+0x60/0x110 > [ 200.360656] [c008b72dfe30] [c15cb8e0] system_call+0x38/0xfc > [ 200.360660] Instruction dump: > [ 200.360663] 7d495378 419e0044 2f89 7d434850 7f0a4840 79460020 41de001c > 4099ffbc > [ 200.360675] 3c62ffb6 38636af8 48444249 6000 <0fe0> 38210060 > 3860 e8010010 > [ 200.360686] ---[ end trace 937482186422ac36 ]--- > > I have attached the dmesg log. > > Thanks > -Sachin > > > -- Kees Cook Pixel Security

Re: [PATCH 06/18] pstore: Extract common arguments into structure

2017-03-07 Thread Kees Cook
On Tue, Mar 7, 2017 at 8:22 AM, Namhyung Kim wrote: > On Tue, Mar 7, 2017 at 6:55 AM, Kees Cook wrote: >> The read/mkfile pair pass the same arguments and should be cleared >> between calls. Move to a structure and wipe it after every loop. >> >> Signed-off-by: Kees

Re: [PATCH 03/18] pstore: Avoid race in module unloading

2017-03-07 Thread Kees Cook
On Tue, Mar 7, 2017 at 8:16 AM, Namhyung Kim wrote: > Hi Kees, > > On Tue, Mar 7, 2017 at 6:55 AM, Kees Cook wrote: >> Technically, it might be possible for struct pstore_info to go out of >> scope after the module_put(), so report the backend name first. > > But in t

[PATCH 17/18] pstore: Replace arguments for write_buf_user() API

2017-03-06 Thread Kees Cook
Removes argument list in favor of pstore record, though the user buffer remains passed separately since it must carry the __user annotation. Signed-off-by: Kees Cook --- fs/pstore/platform.c | 35 --- fs/pstore/pmsg.c | 9 ++--- fs/pstore/ram.c

[PATCH 18/18] pstore: Remove write_buf() callback

2017-03-06 Thread Kees Cook
Now that write() and write_buf() are functionally identical, this removes write_buf(), and renames write_buf_user() to write_user(). Additionally adds sanity-checks for pstore_info's declared functions and flags at registration time. Signed-off-by: Kees Cook --- fs/pstore/ftrace.c

[PATCH 15/18] pstore: Replace arguments for erase() API

2017-03-06 Thread Kees Cook
This removes the argument list for the erase() callback and replaces it with a pointer to the backend record details to be removed. Signed-off-by: Kees Cook --- drivers/acpi/apei/erst.c | 8 +++- drivers/firmware/efi/efi-pstore.c | 26 +++--- fs/pstore/inode.c

[PATCH 16/18] pstore: Replace arguments for write_buf() API

2017-03-06 Thread Kees Cook
As with the other API updates, this removes the long argument list in favor of passing a single pstore record. Signed-off-by: Kees Cook --- fs/pstore/ftrace.c | 9 +++-- fs/pstore/platform.c | 30 +- fs/pstore/ram.c| 44

[PATCH 14/18] pstore: Do not duplicate record metadata

2017-03-06 Thread Kees Cook
This switches the inode-private data from carrying duplicate metadata to keeping the record passed in during pstore_mkfile(). Signed-off-by: Kees Cook --- fs/pstore/inode.c| 57 ++-- fs/pstore/platform.c | 6 ++ 2 files changed, 30