[PATCH 13/18] pstore: Allocate records on heap instead of stack

2017-03-06 Thread Kees Cook
In preparation for handling records off to pstore_mkfile(), allocate the record instead of reusing stack. This still always frees the record, though, since pstore_mkfile() isn't yet keeping it. Signed-off-by: Kees Cook --- fs/pstore/platform.c | 30 ++ 1 file ch

[PATCH 09/18] pstore: Replace arguments for read() API

2017-03-06 Thread Kees Cook
The argument list for the pstore_read() interface is unwieldy. This change passes the new struct pstore_record instead. The erst backend was already doing something similar internally. Signed-off-by: Kees Cook --- arch/powerpc/kernel/nvram_64.c| 61 +++--- drivers/acpi

[PATCH 12/18] pstore: Pass record contents instead of copying

2017-03-06 Thread Kees Cook
pstore_mkfile() shouldn't have to memcpy the record contents. It can use the existing copy instead. This adjusts the allocation lifetime management and renames the contents variable from "data" to "buf" to assist moving to struct pstore_record in the future. Signed-o

[PATCH 11/18] pstore: Always allocate buffer for decompression

2017-03-06 Thread Kees Cook
Currently, pstore_mkfile() performs a memcpy() of the record contents, so it can live anywhere. However, this is needlessly wasteful. In preparation of pstore_mkfile() keeping the record contents, always allocate a buffer for the contents. Signed-off-by: Kees Cook --- fs/pstore/platform.c | 38

[PATCH 05/18] pstore: Add kernel-doc for struct pstore_info

2017-03-06 Thread Kees Cook
This adds documentation for struct pstore_info, which also includes the basic API the backends need to implement. Signed-off-by: Kees Cook --- include/linux/pstore.h | 133 +++-- 1 file changed, 128 insertions(+), 5 deletions(-) diff --git a/include

[PATCH 10/18] pstore: Replace arguments for write() API

2017-03-06 Thread Kees Cook
Similar to the pstore_info read() callback, there were too many arguments. This switches to the new struct pstore_record pointer instead. This adds "reason" and "part" to the record structure as well. Signed-off-by: Kees Cook --- arch/powerpc/kernel/nvram_64.c| 27 +-

[PATCH 08/18] pstore: Switch pstore_mkfile to pass record

2017-03-06 Thread Kees Cook
Instead of the long list of arguments, just pass the new record struct. Signed-off-by: Kees Cook --- fs/pstore/inode.c| 57 +--- fs/pstore/internal.h | 5 + fs/pstore/platform.c | 6 +- 3 files changed, 34 insertions(+), 34 deletions

[PATCH 07/18] pstore: Move record decompression to function

2017-03-06 Thread Kees Cook
This moves the record decompression logic out to a separate function to avoid the deep indentation. Signed-off-by: Kees Cook --- fs/pstore/platform.c | 67 +--- 1 file changed, 37 insertions(+), 30 deletions(-) diff --git a/fs/pstore/platform.c b

[PATCH 06/18] pstore: Extract common arguments into structure

2017-03-06 Thread Kees Cook
The read/mkfile pair pass the same arguments and should be cleared between calls. Move to a structure and wipe it after every loop. Signed-off-by: Kees Cook --- fs/pstore/platform.c | 55 +++--- include/linux/pstore.h | 28

[PATCH 03/18] pstore: Avoid race in module unloading

2017-03-06 Thread Kees Cook
Technically, it might be possible for struct pstore_info to go out of scope after the module_put(), so report the backend name first. Signed-off-by: Kees Cook --- fs/pstore/platform.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/pstore/platform.c b/fs/pstore

[PATCH 02/18] pstore: Shut down worker when unregistering

2017-03-06 Thread Kees Cook
When built as a module and running with update_ms >= 0, pstore will Oops during module unload since the work timer is still running. This makes sure the worker is stopped before unloading. Signed-off-by: Kees Cook Cc: sta...@vger.kernel.org --- fs/pstore/platform.c | 10 +- 1 f

[PATCH 01/18] pstore: Use dynamic spinlock initializer

2017-03-06 Thread Kees Cook
3 ("pstore: Correctly initialize spinlock and flags") Signed-off-by: Kees Cook Cc: sta...@vger.kernel.org --- fs/pstore/ram_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c index bc927e30bdcc..e11672aa4575 100644 --- a/

[PATCH 00/18] pstore: refactor internal APIs

2017-03-06 Thread Kees Cook
For a long time I've been bothered by the complexity of argument passing in the pstore internals, which makes understanding things and changing things extremely fragile. With the proposal of a new backend (EPI capsules), and my attempts to reorganize things for the proposed multiple-pmsg frontend,

[PATCH 04/18] pstore: Improve register_pstore() error reporting

2017-03-06 Thread Kees Cook
Uncommon errors are better to get reported to dmesg so developers can more easily figure out why pstore is unhappy with a backend attempting to register. Signed-off-by: Kees Cook --- fs/pstore/platform.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/pstore

Re: [PATCH v2 1/1] powerpc: mm: support ARCH_MMAP_RND_BITS

2017-02-03 Thread Kees Cook
ordug > Cc: Scott Wood > Cc: Kumar Gala > Cc: Daniel Cashman > Signed-off-by: Bhupesh Sharma > Reviewed-by: Kees Cook This " at " should be "@", but otherwise, yay v2! :) -Kees -- Kees Cook Pixel Security

Re: [PATCH 0/2] RFC: Adjust powerpc ASLR elf randomness

2017-02-02 Thread Kees Cook
On Thu, Feb 2, 2017 at 10:08 AM, Bhupesh Sharma wrote: > On Thu, Feb 2, 2017 at 7:51 PM, Kees Cook wrote: >> On Wed, Feb 1, 2017 at 9:42 PM, Bhupesh Sharma wrote: >>> The 2nd patch increases the ELF_ET_DYN_BASE value from the current >>> hardcoded value of 0x

Re: [PATCH 1/2] powerpc: mm: support ARCH_MMAP_RND_BITS

2017-02-02 Thread Kees Cook
> Cc: Scott Wood > Cc: Kumar Gala > Cc: Daniel Cashman > Cc: Kees Cook > Signed-off-by: Bhupesh Sharma > --- > arch/powerpc/Kconfig | 34 ++ > arch/powerpc/mm/mmap.c | 7 --- > 2 files changed, 38 insertions(+), 3 dele

Re: [PATCH 0/2] RFC: Adjust powerpc ASLR elf randomness

2017-02-02 Thread Kees Cook
randomization. 0x2000 is way better since it randomizes up from there towards the mmap area. Is there a reason to avoid the 32-bit memory range for the ELF addresses? -Kees -- Kees Cook Pixel Security

Re: Query regarding randomization bits for a ASLR elf on PPC64

2017-01-25 Thread Kees Cook
plement the same for PPC64 in upstream. > > Sorry for the long mail, but would really appreciate if someone can > help me understand the details here. Hopefully this helped a bit. I would literally draw out the memory map, and double-check nothing can collide at your max values. -Kees -- Kees Cook Nexus Security

Re: [PATCH 3/3] powerpc: enable support for GCC plugins

2016-12-08 Thread Kees Cook
-common.h, upstream gcc moved it under c-family in > 2010 after the release of 4.5, so it should be where gcc-common.h expects > it and i'm not sure how it ended up at its old location for you. That is rather odd. What distro was the PPC test done on? (Or were these manually built gcc versions?) -Kees -- Kees Cook Nexus Security

Re: [PATCH v7] powerpc: Do not make the entire heap executable

2016-12-07 Thread Kees Cook
le > if the load header requests that. > > The patch was originally posted in 2012 by Jason Gunthorpe > and apparently ignored: > > https://lkml.org/lkml/2012/9/30/138 > > Lightly run-tested. > > Signed-off-by: Jason Gunthorpe > Signed-off-by: Denys Vlasenko > Acked-by:

Re: [PATCH 3/3] powerpc: enable support for GCC plugins

2016-12-06 Thread Kees Cook
an ACK from > Kees/Emese? That would be fine by me. Please consider the whole series: Acked-by: Kees Cook Thanks! -Kees > --- > arch/powerpc/Kconfig | 1 + > scripts/Makefile.gcc-plugins | 8 > 2 files changed, 9 insertions(+) > > diff --git a/arch/powerpc/Kco

Re: [kernel-hardening] [PATCH] powerpc/kernel: Disable the latent entropy plugin unconditionally

2016-11-15 Thread Kees Cook
On Tue, Nov 15, 2016 at 2:45 PM, Andrew Donnellan wrote: > On 16/11/16 09:41, Kees Cook wrote: >> >> Just checking in: did these patches materialize? I'd love to see >> plugins working on v4.10 for ppc. > > > Working on it! > https://github.com/

Re: [kernel-hardening] [PATCH] powerpc/kernel: Disable the latent entropy plugin unconditionally

2016-11-15 Thread Kees Cook
ATENT_ENTROPY_PLUGIN is conditioned on > CONFIG_PAX_LATENT_ENTROPY rather than CONFIG_GCC_PLUGIN_LATENT_ENTROPY, so > it doesn't get exported correctly. > > Will submit fixes along with patches to enable plugins on powerpc once I get > that sorted. > > (In future please

Re: [PATCH v7] powerpc: Do not make the entire heap executable

2016-11-15 Thread Kees Cook
> > https://lkml.org/lkml/2012/9/30/138 > > Lightly run-tested. > > Signed-off-by: Jason Gunthorpe > Signed-off-by: Denys Vlasenko > Acked-by: Kees Cook > Acked-by: Michael Ellerman > Tested-by: Jason Gunthorpe > CC: Andrew Morton > CC: Benjamin Herrensc

Re: [PATCH v6] powerpc: Do not make the entire heap executable

2016-11-04 Thread Kees Cook
Hi, Jason just reminded me about this patch. :) Denys, can you resend a v7 with all the Acked/Reviewed/Tested-bys added and send it To: akpm, with everyone else (and lkml) in CC? That should be the easiest way for Andrew to pick it up. Thanks! -Kees On Mon, Oct 24, 2016 at 5:17 PM, Kees Cook

Re: [PATCH v6] powerpc: Do not make the entire heap executable

2016-10-24 Thread Kees Cook
On Thu, Oct 20, 2016 at 3:45 PM, Jason Gunthorpe wrote: > On Tue, Oct 04, 2016 at 09:54:12AM -0700, Kees Cook wrote: >> On Mon, Oct 3, 2016 at 5:18 PM, Michael Ellerman wrote: >> > Kees Cook writes: >> > >> >> On Mon, Oct 3, 2016 at 9:13 AM, Denys V

Re: [PATCH] powerpc/pseries: fix spelling mistake: "Attemping" -> "Attempting"

2016-10-24 Thread Kees Cook
3,7 @@ static ssize_t dlpar_cpu_remove(struct device_node *dn, > u32 drc_index) > { > int rc; > > - pr_debug("Attemping to remove CPU %s, drc index: %x\n", > + pr_debug("Attempting to remove CPU %s, drc index: %x\n", > dn->name,

Re: [PATCH v6] powerpc: Do not make the entire heap executable

2016-10-04 Thread Kees Cook
On Mon, Oct 3, 2016 at 5:18 PM, Michael Ellerman wrote: > Kees Cook writes: > >> On Mon, Oct 3, 2016 at 9:13 AM, Denys Vlasenko wrote: >>> On 32-bit powerpc the ELF PLT sections of binaries (built with --bss-plt, >>> or with a toolchain which defaults to it) look l

Re: [PATCH v6] powerpc: Do not make the entire heap executable

2016-10-03 Thread Kees Cook
> > https://lkml.org/lkml/2012/9/30/138 > > Lightly run-tested. > > Signed-off-by: Jason Gunthorpe > Signed-off-by: Denys Vlasenko > Acked-by: Kees Cook > Acked-by: Michael Ellerman > CC: Benjamin Herrenschmidt > CC: Paul Mackerras > CC: "Aneesh Kumar K.V"

Re: [PATCH v5] powerpc: Do not make the entire heap executable

2016-09-28 Thread Kees Cook
oader to check the X bit in the relevant load header >> and create 0 filled anonymous mappings that are executable >> if the load header requests that. > ... >> >> Signed-off-by: Jason Gunthorpe >> Signed-off-by: Denys Vlasenko >> Reviewed-by: Kees Cook >>

Re: [PATCH v3] powerpc: Do not make the entire heap executable

2016-08-09 Thread Kees Cook
> and apparently ignored: > > https://lkml.org/lkml/2012/9/30/138 > > Lightly run-tested. > > Signed-off-by: Jason Gunthorpe > Signed-off-by: Denys Vlasenko > CC: Benjamin Herrenschmidt > CC: Paul Mackerras > CC: Kees Cook > CC: Oleg Nesterov > CC: Michael

Re: [PATCH v2] powerpc: Do not make the entire heap executable

2016-08-08 Thread Kees Cook
> > https://lkml.org/lkml/2012/9/30/138 > > Lightly run-tested. > > Signed-off-by: Jason Gunthorpe > Signed-off-by: Denys Vlasenko > CC: Benjamin Herrenschmidt > CC: Paul Mackerras > CC: Kees Cook > CC: Oleg Nesterov , > CC: Michael Ellerman > CC: Florian We

Re: [PATCH] lkdtm: Mark lkdtm_rodata_do_nothing() notrace

2016-08-03 Thread Kees Cook
a/drivers/misc/lkdtm_rodata.c > +++ b/drivers/misc/lkdtm_rodata.c > @@ -4,7 +4,7 @@ > */ > #include "lkdtm.h" > > -void lkdtm_rodata_do_nothing(void) > +void notrace lkdtm_rodata_do_nothing(void) > { > /* Does nothing. We just want an architecture agnostic

Re: [kernel-hardening] Re: Linker segfault on powerpc when CONFIG_LKDTM=y (was Re: [kernel-hardening] [PATCH 3/5] lkdtm: add function for testing .rodata section)

2016-08-02 Thread Kees Cook
On Mon, Aug 1, 2016 at 8:12 PM, Michael Ellerman wrote: > Kees Cook writes: > >> On Mon, Aug 1, 2016 at 5:37 AM, Michael Ellerman wrote: >>> Kees Cook writes: >>> >>>> This adds a function that lives in the .rodata section. The section >>>>

Re: Linker segfault on powerpc when CONFIG_LKDTM=y (was Re: [kernel-hardening] [PATCH 3/5] lkdtm: add function for testing .rodata section)

2016-08-01 Thread Kees Cook
On Mon, Aug 1, 2016 at 5:37 AM, Michael Ellerman wrote: > Kees Cook writes: > >> This adds a function that lives in the .rodata section. The section >> flags are corrected using objcopy since there is no way with gcc to >> declare section flags in an architecture-agnost

Re: [PATCH v3 02/11] mm: Hardened usercopy

2016-07-25 Thread Kees Cook
On Mon, Jul 25, 2016 at 7:03 PM, Michael Ellerman wrote: > Josh Poimboeuf writes: > >> On Thu, Jul 21, 2016 at 11:34:25AM -0700, Kees Cook wrote: >>> On Wed, Jul 20, 2016 at 11:52 PM, Michael Ellerman >>> wrote: >>> > Kees Cook writes: >>>

Re: [PATCH v4 12/12] mm: SLUB hardened usercopy support

2016-07-25 Thread Kees Cook
On Mon, Jul 25, 2016 at 12:16 PM, Laura Abbott wrote: > On 07/20/2016 01:27 PM, Kees Cook wrote: >> >> Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the >> SLUB allocator to catch any copies that may span objects. Includes a >> redzone handlin

Re: [PATCH v4 00/12] mm: Hardened usercopy

2016-07-25 Thread Kees Cook
On Fri, Jul 22, 2016 at 5:36 PM, Laura Abbott wrote: > On 07/20/2016 01:26 PM, Kees Cook wrote: >> >> Hi, >> >> [This is now in my kspp -next tree, though I'd really love to add some >> additional explicit Tested-bys, Reviewed-bys, or Acked-bys. If you

Re: [PATCH v3 02/11] mm: Hardened usercopy

2016-07-21 Thread Kees Cook
On Wed, Jul 20, 2016 at 11:52 PM, Michael Ellerman wrote: > Kees Cook writes: > >> diff --git a/mm/usercopy.c b/mm/usercopy.c >> new file mode 100644 >> index ..e4bf4e7ccdf6 >> --- /dev/null >> +++ b/mm/usercopy.c >> @@ -0,0 +1,234 @@

[PATCH v4 10/12] s390/uaccess: Enable hardened usercopy

2016-07-20 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on s390. Signed-off-by: Kees Cook --- arch/s390/Kconfig | 1 + arch/s390/lib/uaccess.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index a8c259059adf..9f694311c9ed 100644 --- a/arch/s390/Kconfig +++ b

[PATCH v4 09/12] sparc/uaccess: Enable hardened usercopy

2016-07-20 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on sparc. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook --- arch/sparc/Kconfig | 1 + arch/sparc/include/asm/uaccess_32.h | 14 ++ arch/sparc/include/asm/uaccess_64.h | 11 +-- 3 files changed, 20

[PATCH v4 12/12] mm: SLUB hardened usercopy support

2016-07-20 Thread Kees Cook
Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the SLUB allocator to catch any copies that may span objects. Includes a redzone handling fix discovered by Michael Ellerman. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook Tested-by: Michael Ellerman --- init

[PATCH v4 11/12] mm: SLAB hardened usercopy support

2016-07-20 Thread Kees Cook
Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the SLAB allocator to catch any copies that may span objects. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook Tested-by: Valdis Kletnieks --- init/Kconfig | 1 + mm/slab.c| 30

[PATCH v4 03/12] mm: Hardened usercopy

2016-07-20 Thread Kees Cook
he current process stack - object must be contained by a valid stack frame (when there is arch/build support for identifying stack frames) - object must not overlap with kernel text Signed-off-by: Kees Cook Tested-by: Valdis Kletnieks Tested-by: Michael Ellerman --- include/linux/slab.h

[PATCH v4 08/12] powerpc/uaccess: Enable hardened usercopy

2016-07-20 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on powerpc. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook Tested-by: Michael Ellerman --- arch/powerpc/Kconfig | 1 + arch/powerpc/include/asm/uaccess.h | 21 +++-- 2 files changed, 20 insertions(+), 2

[PATCH v4 07/12] ia64/uaccess: Enable hardened usercopy

2016-07-20 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on ia64. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook --- arch/ia64/Kconfig | 1 + arch/ia64/include/asm/uaccess.h | 18 +++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/arch/ia64

[PATCH v4 06/12] arm64/uaccess: Enable hardened usercopy

2016-07-20 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on arm64. As done by KASAN in -next, renames the low-level functions to __arch_copy_*_user() so a static inline can do additional work before the copy. Signed-off-by: Kees Cook --- arch/arm64/Kconfig | 1 + arch/arm64/include/asm/uaccess.h

[PATCH v4 05/12] ARM: uaccess: Enable hardened usercopy

2016-07-20 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on arm. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook --- arch/arm/Kconfig | 1 + arch/arm/include/asm/uaccess.h | 11 +-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/arm/Kconfig b/arch

[PATCH v4 04/12] x86/uaccess: Enable hardened usercopy

2016-07-20 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on x86. This is done both in copy_*_user() and __copy_*_user() because copy_*_user() actually calls down to _copy_*_user() and not __copy_*_user(). Based on code from PaX and grsecurity. Signed-off-by: Kees Cook Tested-by: Valdis Kletnieks --- arch/x86

[PATCH v4 01/12] mm: Add is_migrate_cma_page

2016-07-20 Thread Kees Cook
From: Laura Abbott Code such as hardened user copy[1] needs a way to tell if a page is CMA or not. Add is_migrate_cma_page in a similar way to is_migrate_isolate_page. [1]http://article.gmane.org/gmane.linux.kernel.mm/155238 Signed-off-by: Laura Abbott Signed-off-by: Kees Cook --- include

[PATCH v4 00/12] mm: Hardened usercopy

2016-07-20 Thread Kees Cook
Hi, [This is now in my kspp -next tree, though I'd really love to add some additional explicit Tested-bys, Reviewed-bys, or Acked-bys. If you've looked through any part of this or have done any testing, please consider sending an email with your "*-by:" line. :)] This is a start of the mainline p

[PATCH v4 02/12] mm: Implement stack frame object validation

2016-07-20 Thread Kees Cook
This creates per-architecture function arch_within_stack_frames() that should validate if a given object is contained by a kernel stack frame. Initial implementation is on x86. This is based on code from PaX. Signed-off-by: Kees Cook --- arch/Kconfig | 9 arch

Re: [PATCH v3 00/11] mm: Hardened usercopy

2016-07-20 Thread Kees Cook
On Wed, Jul 20, 2016 at 9:02 AM, David Laight wrote: > From: Kees Cook >> Sent: 20 July 2016 16:32 > ... >> Yup: that's exactly what it's doing: walking up the stack. :) > > Remind me to make sure all our customers run kernels with it disabled. What's

Re: [PATCH v3 00/11] mm: Hardened usercopy

2016-07-20 Thread Kees Cook
On Wed, Jul 20, 2016 at 2:52 AM, David Laight wrote: > From: Kees Cook >> Sent: 15 July 2016 22:44 >> This is a start of the mainline port of PAX_USERCOPY[1]. > ... >> - if address range is in the current process stack, it must be within the >> current stack frame

Re: [PATCH v3 02/11] mm: Hardened usercopy

2016-07-19 Thread Kees Cook
On Tue, Jul 19, 2016 at 12:12 PM, Kees Cook wrote: > On Mon, Jul 18, 2016 at 6:52 PM, Laura Abbott wrote: >> On 07/15/2016 02:44 PM, Kees Cook wrote: >>> +static inline const char *check_heap_object(const void *ptr, unsigned >>> long n, >>> +

Re: [PATCH] mm: Add is_migrate_cma_page

2016-07-19 Thread Kees Cook
define is_migrate_cma_page(_page) false > #endif > > #define for_each_migratetype_order(order, type) \ > -- > 2.7.4 > -- Kees Cook Chrome OS & Brillo Security ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev

Re: [PATCH v3 02/11] mm: Hardened usercopy

2016-07-19 Thread Kees Cook
On Tue, Jul 19, 2016 at 1:14 PM, Christian Borntraeger wrote: > On 07/19/2016 09:31 PM, Kees Cook wrote: >> On Tue, Jul 19, 2016 at 2:21 AM, Christian Borntraeger >> wrote: >>> On 07/15/2016 11:44 PM, Kees Cook wrote: >>>> +config HAVE_ARCH_LINEAR_KERNEL_MAP

Re: [PATCH v3 02/11] mm: Hardened usercopy

2016-07-19 Thread Kees Cook
On Tue, Jul 19, 2016 at 2:21 AM, Christian Borntraeger wrote: > On 07/15/2016 11:44 PM, Kees Cook wrote: >> +config HAVE_ARCH_LINEAR_KERNEL_MAPPING >> + bool >> + help >> + An architecture should select this if it has a secondary linear >> + ma

Re: [PATCH v3 02/11] mm: Hardened usercopy

2016-07-19 Thread Kees Cook
On Mon, Jul 18, 2016 at 6:52 PM, Laura Abbott wrote: > On 07/15/2016 02:44 PM, Kees Cook wrote: >> >> This is the start of porting PAX_USERCOPY into the mainline kernel. This >> is the first set of features, controlled by CONFIG_HARDENED_USERCOPY. The >> work is based o

Re: [PATCH v3 02/11] mm: Hardened usercopy

2016-07-19 Thread Kees Cook
On Mon, Jul 18, 2016 at 6:06 PM, Laura Abbott wrote: > On 07/15/2016 02:44 PM, Kees Cook wrote: >> >> This is the start of porting PAX_USERCOPY into the mainline kernel. This >> is the first set of features, controlled by CONFIG_HARDENED_USERCOPY. The >> work is based o

[PATCH v3 11/11] mm: SLUB hardened usercopy support

2016-07-15 Thread Kees Cook
Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the SLUB allocator to catch any copies that may span objects. Includes a redzone handling fix discovered by Michael Ellerman. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook Tested-by: Michael Ellerman --- init

[PATCH v3 10/11] mm: SLAB hardened usercopy support

2016-07-15 Thread Kees Cook
Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the SLAB allocator to catch any copies that may span objects. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook Tested-By: Valdis Kletnieks --- init/Kconfig | 1 + mm/slab.c| 30

[PATCH v3 08/11] sparc/uaccess: Enable hardened usercopy

2016-07-15 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on sparc. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook --- arch/sparc/Kconfig | 1 + arch/sparc/include/asm/uaccess_32.h | 14 ++ arch/sparc/include/asm/uaccess_64.h | 11 +-- 3 files changed, 20

[PATCH v3 09/11] s390/uaccess: Enable hardened usercopy

2016-07-15 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on s390. Signed-off-by: Kees Cook --- arch/s390/Kconfig | 1 + arch/s390/lib/uaccess.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index a8c259059adf..9f694311c9ed 100644 --- a/arch/s390/Kconfig +++ b

[PATCH v3 06/11] ia64/uaccess: Enable hardened usercopy

2016-07-15 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on ia64. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook --- arch/ia64/Kconfig | 1 + arch/ia64/include/asm/uaccess.h | 18 +++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/arch/ia64

[PATCH v3 07/11] powerpc/uaccess: Enable hardened usercopy

2016-07-15 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on powerpc. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook Tested-by: Michael Ellerman --- arch/powerpc/Kconfig | 1 + arch/powerpc/include/asm/uaccess.h | 21 +++-- 2 files changed, 20 insertions(+), 2

[PATCH v3 03/11] x86/uaccess: Enable hardened usercopy

2016-07-15 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on x86. This is done both in copy_*_user() and __copy_*_user() because copy_*_user() actually calls down to _copy_*_user() and not __copy_*_user(). Based on code from PaX and grsecurity. Signed-off-by: Kees Cook Tested-By: Valdis Kletnieks --- arch/x86

[PATCH v3 05/11] arm64/uaccess: Enable hardened usercopy

2016-07-15 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on arm64. As done by KASAN in -next, renames the low-level functions to __arch_copy_*_user() so a static inline can do additional work before the copy. Signed-off-by: Kees Cook --- arch/arm64/Kconfig | 2 ++ arch/arm64/include/asm/uaccess.h

[PATCH v3 02/11] mm: Hardened usercopy

2016-07-15 Thread Kees Cook
contained by the current stack frame (when there is arch/build support for identifying stack frames) - object must not overlap with kernel text Signed-off-by: Kees Cook Tested-By: Valdis Kletnieks Tested-by: Michael Ellerman --- arch/Kconfig| 7 ++ include/linux/slab.h

[PATCH v3 00/11] mm: Hardened usercopy

2016-07-15 Thread Kees Cook
Hi, [I'm going to carry this series in my kspp -next tree now, though I'd really love to have some explicit Acked-bys or Reviewed-bys. If you've looked through it or tested it, please consider it. :) (I added Valdis and mpe's Tested-bys where they seemed correct, thank you!)] This is a start of t

[PATCH v3 01/11] mm: Implement stack frame object validation

2016-07-15 Thread Kees Cook
This creates per-architecture function arch_within_stack_frames() that should validate if a given object is contained by a kernel stack frame. Initial implementation is on x86. This is based on code from PaX. Signed-off-by: Kees Cook --- arch/Kconfig | 9 arch

[PATCH v3 04/11] ARM: uaccess: Enable hardened usercopy

2016-07-15 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on arm. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook --- arch/arm/Kconfig | 1 + arch/arm/include/asm/uaccess.h | 11 +-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/arm/Kconfig b/arch

Re: [kernel-hardening] Re: [PATCH v2 02/11] mm: Hardened usercopy

2016-07-15 Thread Kees Cook
it handling could be done separately from this without actually > needing special treatment for USERCOPY. Could expose it as something > like panic_on_oops=2 as a balance between the existing options. I'm also uncomfortable about BUG() being removed by unsetting CONFIG_BUG, but

Re: [kernel-hardening] Re: [PATCH v2 02/11] mm: Hardened usercopy

2016-07-15 Thread Kees Cook
ks. I'd like it to dump stack and be fatal to the process involved, but yeah, I guess BUG() would work. Creating an infrastructure for handling security-related Oopses can be done separately from this (and I'd like to see that added, since it's a nice bit of configur

Re: [PATCH v2 02/11] mm: Hardened usercopy

2016-07-14 Thread Kees Cook
On Thu, Jul 14, 2016 at 9:05 PM, Kees Cook wrote: > On Thu, Jul 14, 2016 at 6:41 PM, Balbir Singh wrote: >> On Thu, Jul 14, 2016 at 09:04:18PM -0400, Rik van Riel wrote: >>> On Fri, 2016-07-15 at 09:20 +1000, Balbir Singh wrote: >>> >>> > > == >>>

Re: [PATCH v2 11/11] mm: SLUB hardened usercopy support

2016-07-14 Thread Kees Cook
On Thu, Jul 14, 2016 at 7:05 PM, Balbir Singh wrote: > On Wed, Jul 13, 2016 at 02:56:04PM -0700, Kees Cook wrote: >> Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the >> SLUB allocator to catch any copies that may span objects. Includes a >> redzone hand

Re: [PATCH v2 02/11] mm: Hardened usercopy

2016-07-14 Thread Kees Cook
On Thu, Jul 14, 2016 at 4:20 PM, Balbir Singh wrote: > On Wed, Jul 13, 2016 at 02:55:55PM -0700, Kees Cook wrote: >> [...] >> +++ b/mm/usercopy.c >> @@ -0,0 +1,219 @@ >> [...] >> +/* >> + * Checks if a given pointer and length is contained by the

Re: [PATCH v2 02/11] mm: Hardened usercopy

2016-07-14 Thread Kees Cook
test -- it should be an extremely rare situation already since the common Reserved areas (kernel data) will have already been explicitly tested. What's the best way to do "next page"? Should it just be:

for ( ; page <= endpage ; ptr += PAGE_SIZE, page = virt_to_head_page(ptr) ) {
        if (!PageReserved(page))
                return "";
}
return NULL;

?

--
Kees Cook
Chrome OS & Brillo Security

Re: [PATCH v2 01/11] mm: Implement stack frame object validation

2016-07-14 Thread Kees Cook
On Thu, Jul 14, 2016 at 12:23 PM, Josh Poimboeuf wrote: > On Thu, Jul 14, 2016 at 11:10:18AM -0700, Kees Cook wrote: >> On Wed, Jul 13, 2016 at 10:48 PM, Josh Poimboeuf wrote: >> > On Wed, Jul 13, 2016 at 03:04:26PM -0700, Kees Cook wrote: >> >> On Wed, Jul 13, 20

Re: [PATCH v2 01/11] mm: Implement stack frame object validation

2016-07-14 Thread Kees Cook
On Wed, Jul 13, 2016 at 10:48 PM, Josh Poimboeuf wrote: > On Wed, Jul 13, 2016 at 03:04:26PM -0700, Kees Cook wrote: >> On Wed, Jul 13, 2016 at 3:01 PM, Andy Lutomirski wrote: >> > On Wed, Jul 13, 2016 at 2:55 PM, Kees Cook wrote: >> >> This cre

Re: [PATCH v2 01/11] mm: Implement stack frame object validation

2016-07-13 Thread Kees Cook
On Wed, Jul 13, 2016 at 3:01 PM, Andy Lutomirski wrote: > On Wed, Jul 13, 2016 at 2:55 PM, Kees Cook wrote: >> This creates per-architecture function arch_within_stack_frames() that >> should validate if a given object is contained by a kernel stack frame. >> Initial imp

[PATCH v2 11/11] mm: SLUB hardened usercopy support

2016-07-13 Thread Kees Cook
Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the SLUB allocator to catch any copies that may span objects. Includes a redzone handling fix from Michael Ellerman. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook --- init/Kconfig | 1 + mm/slub.c| 36

[PATCH v2 10/11] mm: SLAB hardened usercopy support

2016-07-13 Thread Kees Cook
Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the SLAB allocator to catch any copies that may span objects. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook --- init/Kconfig | 1 + mm/slab.c| 30 ++ 2 files changed, 31

[PATCH v2 09/11] s390/uaccess: Enable hardened usercopy

2016-07-13 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on s390. Signed-off-by: Kees Cook --- arch/s390/Kconfig | 1 + arch/s390/lib/uaccess.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index a8c259059adf..9f694311c9ed 100644 --- a/arch/s390/Kconfig +++ b

[PATCH v2 08/11] sparc/uaccess: Enable hardened usercopy

2016-07-13 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on sparc. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook --- arch/sparc/Kconfig | 1 + arch/sparc/include/asm/uaccess_32.h | 14 ++ arch/sparc/include/asm/uaccess_64.h | 11 +-- 3 files changed, 20

[PATCH v2 07/11] powerpc/uaccess: Enable hardened usercopy

2016-07-13 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on powerpc. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook --- arch/powerpc/Kconfig | 1 + arch/powerpc/include/asm/uaccess.h | 21 +++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/arch

[PATCH v2 06/11] ia64/uaccess: Enable hardened usercopy

2016-07-13 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on ia64. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook --- arch/ia64/Kconfig | 1 + arch/ia64/include/asm/uaccess.h | 18 +++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/arch/ia64

[PATCH v2 05/11] arm64/uaccess: Enable hardened usercopy

2016-07-13 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on arm64. As done by KASAN in -next, renames the low-level functions to __arch_copy_*_user() so a static inline can do additional work before the copy. Signed-off-by: Kees Cook --- arch/arm64/Kconfig | 2 ++ arch/arm64/include/asm/uaccess.h

[PATCH v2 01/11] mm: Implement stack frame object validation

2016-07-13 Thread Kees Cook
This creates per-architecture function arch_within_stack_frames() that should validate if a given object is contained by a kernel stack frame. Initial implementation is on x86. This is based on code from PaX. Signed-off-by: Kees Cook --- arch/Kconfig | 9 arch

[PATCH v2 04/11] ARM: uaccess: Enable hardened usercopy

2016-07-13 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on arm. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook --- arch/arm/Kconfig | 1 + arch/arm/include/asm/uaccess.h | 11 +-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/arm/Kconfig b/arch

[PATCH v2 02/11] mm: Hardened usercopy

2016-07-13 Thread Kees Cook
contained by the current stack frame (when there is arch/build support for identifying stack frames) - object must not overlap with kernel text Signed-off-by: Kees Cook --- arch/Kconfig| 7 ++ include/linux/slab.h| 12 +++ include/linux/thread_info.h | 15 +++ m

[PATCH v2 03/11] x86/uaccess: Enable hardened usercopy

2016-07-13 Thread Kees Cook
Enables CONFIG_HARDENED_USERCOPY checks on x86. This is done both in copy_*_user() and __copy_*_user() because copy_*_user() actually calls down to _copy_*_user() and not __copy_*_user(). Based on code from PaX and grsecurity. Signed-off-by: Kees Cook --- arch/x86/Kconfig | 2

[PATCH v2 0/11] mm: Hardened usercopy

2016-07-13 Thread Kees Cook
Hi, This is a start of the mainline port of PAX_USERCOPY[1]. After I started writing tests (now in lkdtm in -next) for Casey's earlier port[2], I kept tweaking things further and further until I ended up with a whole new patch series. To that end, I took Rik's feedback and made a number of other c

Re: [PATCH 0/9] mm: Hardened usercopy

2016-07-11 Thread Kees Cook
t thereafter. In contrast, if I put > something in .rodata (using 'const', for example), then I must not > write it *at all* unless I use special helpers (kmap, pax_open_kernel, > etc). So the practical effect from a programmer's perspective of > __ro_after_init is quite different from .rodata, and I think the names > should reflect that. I expect that if/when we add the open/close_kernel logic, we'll have a new section and it will be named accordingly (since it, too, is not const-in-the-C-sense, and shouldn't live in the standard .rodata section). > (And yes, the upstream kernel should soon have __ro_after_init working > in modules. And the not-always-const-in-the-C-sense objects using > accessors will need changes to add those accessors, and we can and > should change the annotation on the object itself at the same time. > But if I mark something __ro_after_init, I can write it using normal C > during init, and there's nothing wrong with that.) -Kees -- Kees Cook Chrome OS & Brillo Security ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev

Re: [PATCH 0/9] mm: Hardened usercopy

2016-07-11 Thread Kees Cook
process. > For .data..ro_after_init > the lesson will happen when you try to add back the remaining pieces from PaX, > such as module handling and not-always-const-in-the-C-sense objects and > associated > accessors. Do you mean the rest of the KERNEXEC (hopefully I'm not confusing implementation names) code that uses pax_open/close_kernel()? I expect that to be a gradual addition too, and I'd love participation to get it and the constify plugin into the kernel. -Kees -- Kees Cook Chrome OS & Brillo Security

Re: [kernel-hardening] Re: [PATCH 9/9] mm: SLUB hardened usercopy support

2016-07-09 Thread Kees Cook
or bugs in the code using the cfq_io_cq cache. I suspect the former. :) -Kees -- Kees Cook Chrome OS & Brillo Security

Re: [PATCH 0/9] mm: Hardened usercopy

2016-07-09 Thread Kees Cook
On Sat, Jul 9, 2016 at 1:25 AM, Ard Biesheuvel wrote: > On 9 July 2016 at 04:22, Laura Abbott wrote: >> On 07/06/2016 03:25 PM, Kees Cook wrote: >>> >>> Hi, >>> >>> This is a start of the mainline port of PAX_USERCOPY[1]. After I started >>

Re: [PATCH 0/9] mm: Hardened usercopy

2016-07-09 Thread Kees Cook
On Fri, Jul 8, 2016 at 7:22 PM, Laura Abbott wrote: > On 07/06/2016 03:25 PM, Kees Cook wrote: >> >> Hi, >> >> This is a start of the mainline port of PAX_USERCOPY[1]. After I started >> writing tests (now in lkdtm in -next) for Casey's earlier port[2],

Re: [kernel-hardening] Re: [PATCH 9/9] mm: SLUB hardened usercopy support

2016-07-08 Thread Kees Cook
On Fri, Jul 8, 2016 at 1:41 PM, Kees Cook wrote: > On Fri, Jul 8, 2016 at 12:20 PM, Christoph Lameter wrote: >> On Fri, 8 Jul 2016, Kees Cook wrote: >> >>> Is check_valid_pointer() making sure the pointer is within the usable >>> size? It seemed like it was che
