Re: [PATCH -next] powerpc: add support for syscall stack randomization

2022-05-10 Thread Kees Cook
percpu, etc) memory contents tends to be easier than arbitrary + * location memory exposures. + */ #define choose_random_kstack_offset(rand) do { \ if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \ _kstack_offset)) {\ -- Kees Cook

Re: [PATCH v6 00/23] Rust support

2022-05-07 Thread Kees Cook
it's hard to develop against -next. :) Should we give it a try for this coming merge window? -- Kees Cook

Re: [PATCH RFC 2/8] arm64: stacktrace: Add arch_within_stack_frames

2022-04-18 Thread Kees Cook
to block the exposure of canaries and PAC bits, though, so I'm not opposed, but I'd like to get a better sense of how "heavy" this might be. Thanks! -Kees -- Kees Cook

Re: [RFC PATCH] lkdtm: Replace lkdtm_rodata_do_nothing() by do_nothing()

2022-04-07 Thread Kees Cook
o ro_after_init. Honestly, I actually think this patch should be modified to _add_ a new test for EXEC_RO_AFTER_INIT, and leave the existing .rodata one alone... -Kees -- Kees Cook

Re: [PATCH v5 3/8] powerpc/mm/ptdump: debugfs handler for W+X checks at runtime

2022-04-06 Thread Kees Cook
t; + return 0; > +} > + > +DEFINE_SIMPLE_ATTRIBUTE(check_wx_fops, NULL, check_wx_debugfs_set, "%llu\n"); > + > +static int ptdump_check_wx_init(void) > +{ > + return debugfs_create_file("check_wx_pages", 0200, NULL, > +NULL, _wx_fops) ? 0 : -ENOMEM; > +} > +device_initcall(ptdump_check_wx_init); > #endif > > static int ptdump_init(void) > -- > 2.25.1 > -- Kees Cook
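Review bot: in ptdump_check_wx_init(), the "? 0 : -ENOMEM" test on the debugfs_create_file() result cannot detect a failure, because debugfs_create_file() reports errors with an ERR_PTR() value rather than NULL, so the initcall always returns 0. Either test the result with IS_ERR() or drop the check and return 0 unconditionally, which is the usual convention for debugfs setup code.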

Re: [PATCH v4 00/13] Fix LKDTM for PPC64/IA64/PARISC v4

2022-03-09 Thread Kees Cook
werpc/linux.git/log/?h=topic/func-desc-lkdtm Thanks! I've got some core changes coming for lkdtm, but I'm waiting until after the merge window to rebase them and get them into -next. -- Kees Cook

Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr

2022-03-02 Thread Kees Cook
On Wed, Mar 02, 2022 at 12:18:45PM -0800, Linus Torvalds wrote: > On Wed, Mar 2, 2022 at 12:07 PM Kees Cook wrote: > > > > I've long wanted to change kfree() to explicitly set pointers to NULL on > > free. https://github.com/KSPP/linux/issues/87 > > We've had this dis

Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr

2022-03-02 Thread Kees Cook
them into something like kfree_no_null() and redefine kfree() itself: #define kfree_no_null(x) do { void *__ptr = (x); __kfree(__ptr); } while (0) #define kfree(x) do { __kfree(x); x = NULL; } while (0) -- Kees Cook

Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr

2022-03-01 Thread Kees Cook
atch $ split-on-maintainer treewide.patch $ ls 0*.patch If you have a build log before the patch that spits out warnings, the --build-log argument can extract those warnings on a per-file basis, too (though this can be fragile). -- Kees Cook

Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr

2022-03-01 Thread Kees Cook
y shadows variables. :) Another way to try to catch misused shadow variables is -Wunused-but-set-variable, but it, too, has tons of false positives. I tried to capture some of the rationale and research here: https://github.com/KSPP/linux/issues/152 -- Kees Cook

Re: [PATCH v2] usercopy: Check valid lifetime via stack depth

2022-02-24 Thread Kees Cook
On Thu, Feb 24, 2022 at 08:58:20AM +, David Laight wrote: > From: Kees Cook > > Sent: 24 February 2022 06:04 > > > > Under CONFIG_HARDENED_USERCOPY=y, when exact stack frame boundary checking > > is not available (i.e. everything except x86 with FRAME_POINTER

[PATCH v2] usercopy: Check valid lifetime via stack depth

2022-02-24 Thread Kees Cook
Cc: Andrew Morton Cc: linux...@kvack.org Reported-by: Muhammad Usama Anjum Signed-off-by: Kees Cook --- v1: https://lore.kernel.org/all/20220216201449.2087956-1-keesc...@chromium.org/ v2: adjust for only some archs having current_stack_pointer --- arch/arm/Kconfig | 1 + arch/arm64/Kconfig |

Re: [PATCH] powerpc/32: Clear volatile regs on syscall exit

2022-02-23 Thread Kees Cook
if this is actually leaking kernel pointers (or data) that's pretty bad. :| If you really want to leave it build-time selectable, maybe add a new config that gets "select"ed by CONFIG_ZERO_CALL_USED_REGS? (And you may want to consider wiping all "unused" registers at syscall entry as well.) -Kees > 1: lwz r2,GPR2(r1) > lwz r1,GPR1(r1) > rfi > -- > 2.34.1 > -- Kees Cook

Re: [PATCH v4 00/13] Fix LKDTM for PPC64/IA64/PARISC v4

2022-02-16 Thread Kees Cook
On Wed, Feb 16, 2022 at 11:22:33PM +1100, Michael Ellerman wrote: > Kees Cook writes: > > On Tue, Feb 15, 2022 at 01:40:55PM +0100, Christophe Leroy wrote: > >> PPC64/IA64/PARISC have function descriptors. LKDTM doesn't work > >> on those three architectures becau

Re: [PATCH v4 00/13] Fix LKDTM for PPC64/IA64/PARISC v4

2022-02-15 Thread Kees Cook
+++- > include/asm-generic/sections.h | 15 - > include/linux/kallsyms.h | 2 +- > kernel/extable.c | 24 +++- > tools/testing/selftests/lkdtm/tests.txt | 1 + > 25 files changed, 155 insertions(+), 144 deletions(-) > > -- > 2.34.1 > -- Kees Cook

Re: [PATCH v4 01/13] powerpc: Fix 'sparse' checking on PPC64le

2022-02-15 Thread Kees Cook
se it won't set > PPC64_ELF_ABI_v2 macro for PPC64le and won't check the correct code. > > Signed-off-by: Christophe Leroy Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v3 12/12] lkdtm: Add a test for function descriptors protection

2022-02-10 Thread Kees Cook
--- a/tools/testing/selftests/lkdtm/tests.txt +++ b/tools/testing/selftests/lkdtm/tests.txt @@ -44,6 +44,7 @@ ACCESS_NULL WRITE_RO WRITE_RO_AFTER_INIT WRITE_KERN +WRITE_OPD REFCOUNT_INC_OVERFLOW REFCOUNT_ADD_OVERFLOW REFCOUNT_INC_NOT_ZERO_OVERFLOW (Though for the future I've been considering making the selftests an opt-out list so the "normal" stuff doesn't need to keep getting added there.) Thanks! Acked-by: Kees Cook -Kees -- Kees Cook

Re: [PATCH v3 11/12] lkdtm: Fix execute_[user]_location()

2022-02-10 Thread Kees Cook
n from adding _text) but also, that does help keep it clear. :) Acked-by: Kees Cook -Kees > --- > drivers/misc/lkdtm/perms.c | 37 - > 1 file changed, 28 insertions(+), 9 deletions(-) > > diff --git a/drivers/misc/lkdtm/perms.c b/drivers/

Re: [PATCH v3 08/12] asm-generic: Refactor dereference_[kernel]_function_descriptor()

2022-02-10 Thread Kees Cook
reaks after > patch 10 with CONFIG_LKDTM=m. Oh good catch! (There have been a few cases of LKDTM=m being the only thing needing a symbol, so I've pondered giving it a namespace or constructing a little ifdef wrapper... but this seems ok to export...) -- Kees Cook

Re: [PATCH v3 04/12] powerpc: Prepare func_desc_t for refactorisation

2022-02-10 Thread Kees Cook
gt; + return (func_desc_t){addr}; There's only 1 element in the struct, so okay, but it hurt my eyes a little. I would have been happier with: return (func_desc_t){ .addr = addr }; But of course that also looks bonkers because it starts with "return". So no matter what I do m

Re: [PATCH v3 01/12] powerpc: Move and rename func_descr_t

2022-02-10 Thread Kees Cook
> > Signed-off-by: Christophe Leroy I like the name. :) Reviewed-by: Kees Cook -- Kees Cook

Re: [powerpc] ftrace warning kernel/trace/ftrace.c:2068 with code-patching selftests

2022-01-27 Thread Kees Cook
nfo. An additional note is that x86 is built with "-2G addressing" (-mcmodel=kernel). There was some work done to make it actually PIE, which would allow the KASLR base to move further: https://github.com/KSPP/linux/issues/38 -Kees -- Kees Cook

Re: [PATCH v3 11/12] lkdtm: Fix execute_[user]_location()

2022-01-19 Thread Kees Cook
ss_vm(current, (unsigned long)dst, do_nothing, > > > +    copied = access_process_vm(current, (unsigned long)dst, > > > do_nothing_text, > > > EXEC_SIZE, FOLL_WRITE); > > >   if (copied < EXEC_SIZE) > > >   return; > > > -    pr_info("attempting bad execution at %px\n", func); > > > +    pr_info("attempting bad execution at %px\n", dst); > > > +    func = setup_function_descriptor(, dst); > > >   func(); > > >   pr_err("FAIL: func returned\n"); > > >   } > > > @@ -153,7 +171,8 @@ void lkdtm_EXEC_VMALLOC(void) > > >   void lkdtm_EXEC_RODATA(void) > > >   { > > > -    execute_location(lkdtm_rodata_do_nothing, CODE_AS_IS); > > > + > > > execute_location(dereference_function_descriptor(lkdtm_rodata_do_nothing), > > > > > > + CODE_AS_IS); > > >   } > > >   void lkdtm_EXEC_USERSPACE(void) > > > -- Kees Cook

Re: [PATCH] powerpc/process, kasan: Silence KASAN warnings in __get_wchan()

2022-01-19 Thread Kees Cook
gs in get_wchan()"). > The solution could be applied to powerpc architecture too. > > As Andrey Ryabinin said, get_wchan() is racy by design, it may > access volatile stack of running task, thus it may access > redzone in a stack frame and cause KASAN to warn about this

Re: [PATCH] powerpc/signal32: Use struct_group() to zero spe regs

2021-12-01 Thread Kees Cook
On Wed, Nov 24, 2021 at 11:08:25AM +1100, Michael Ellerman wrote: > Kees Cook writes: > > On Mon, Nov 22, 2021 at 04:43:36PM +1100, Michael Ellerman wrote: > >> LEROY Christophe writes: > >> > Le 18/11/2021 à 21:36, Kees Cook a écrit : > >> >> In prep

Re: [PATCH] powerpc/signal32: Use struct_group() to zero spe regs

2021-11-22 Thread Kees Cook
On Mon, Nov 22, 2021 at 04:43:36PM +1100, Michael Ellerman wrote: > LEROY Christophe writes: > > Le 18/11/2021 à 21:36, Kees Cook a écrit : > >> In preparation for FORTIFY_SOURCE performing compile-time and run-time > >> field bounds checking for memset(), avoid i

Re: [PATCH] powerpc/signal32: Use struct_group() to zero spe regs

2021-11-19 Thread Kees Cook
cross-member memcpy() calls (which is usually undesirable) or add a struct group so it can be seen as a "single member" memcpy again (and usually results in 0 differences in binary output). :) -- Kees Cook

Re: [PATCH] powerpc/signal32: Use struct_group() to zero spe regs

2021-11-19 Thread Kees Cook
On Fri, Nov 19, 2021 at 08:46:27AM +, LEROY Christophe wrote: > > > Le 18/11/2021 à 21:36, Kees Cook a écrit : > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memset(), avoid intentionally writing across

[PATCH] powerpc/signal32: Use struct_group() to zero spe regs

2021-11-18 Thread Kees Cook
Werror=attribute-warning] 195 |__write_overflow_field(); |^~~~ Reported-by: kernel test robot Signed-off-by: Kees Cook --- arch/powerpc/include/asm/processor.h | 6 -- arch/powerpc/kernel/signal_32.c | 14 +- 2 files changed, 13 inse

Re: Build regressions/improvements in v5.16-rc1

2021-11-15 Thread Kees Cook
org/r/20211006181544.1670992-1-keesc...@chromium.org Ah, I found it: http://kisskb.ellerman.id.au/kisskb/buildresult/14660585/log/ it's actually: inlined from 'kasan_memcmp' at /kisskb/src/lib/test_kasan.c:897:2: and inlined from 'kasan_memchr' at /kisskb/src/lib/test_kasan.c:872:2: I can send a patch doing the same as what [1] does for these cases too. -- Kees Cook

Re: Build regressions/improvements in v5.16-rc1

2021-11-15 Thread Kees Cook
see if I can reproduce this. Is this with W=1? -Kees [2] https://www.ozlabs.org/~akpm/mmotm/broken-out/kasan-test-consolidate-workarounds-for-unwanted-__alloc_size-protection.patch -- Kees Cook

Re: [PATCH 07/20] signal/powerpc: On swapcontext failure force SIGSEGV

2021-10-21 Thread Kees Cook
git > Fixes: 756f1ae8a44e ("PPC32: Rework signal code and add a swapcontext system > call.") > Fixes: 04879b04bf50 ("[PATCH] ppc64: VMX (Altivec) support & signal32 rework, > from Ben Herrenschmidt") > Signed-off-by: "Eric W. Biederman" This looks right to me. Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v2 13/13] lkdtm: Add a test for function descriptors protection

2021-10-15 Thread Kees Cook
t;" : "=m"(func)); Since this is a descriptor, I assume no icache flush is needed. Are function descriptors strictly dcache? (Is anything besides just a barrier needed?) > + func(); > +} > + > void lkdtm_EXEC_DATA(void) > { > execute_location(data_area, CODE_WRITE); > -- > 2.31.1 > -- Kees Cook

Re: [PATCH v2 11/13] lkdtm: Fix lkdtm_EXEC_RODATA()

2021-10-15 Thread Kees Cook
;attempting bad execution at %px\n", > + dereference_function_descriptor(lkdtm_rodata_do_nothing)); > + lkdtm_rodata_do_nothing(); > + pr_err("FAIL: func returned\n"); > } > > void lkdtm_EXEC_USERSPACE(void) > -- > 2.31.1 > -- Kees Cook

Re: [PATCH v2 12/13] lkdtm: Fix execute_[user]_location()

2021-10-15 Thread Kees Cook
c/sections.h > +++ b/include/asm-generic/sections.h > @@ -70,6 +70,11 @@ typedef struct { > } func_desc_t; > #endif > > +static inline bool have_function_descriptors(void) > +{ > + return __is_defined(HAVE_FUNCTION_DESCRIPTORS); > +} > + > /* random extra sections (if any). Override > * in asm/sections.h */ > #ifndef arch_is_kernel_text This hunk seems like it should live in a separate patch. -- Kees Cook

Re: [PATCH 2/2] kbuild: use more subdir- for visiting subdirectories while cleaning

2021-10-13 Thread Kees Cook
uild"), we can use the "subdir- += boot" trick for > all architectures. This can take advantage of the parallel option (-j) > for "make clean". > > I also cleaned up the comments. The "archdep" target does not exist. > > Signed-off-by: Masahiro Yamada I like the clean-up! Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v1 05/10] asm-generic: Define 'funct_descr_t' to commonly describe function descriptors

2021-10-13 Thread Kees Cook
On Wed, Oct 13, 2021 at 09:23:56AM +0200, Christophe Leroy wrote: > > > Le 13/10/2021 à 09:01, Kees Cook a écrit : > > On Mon, Oct 11, 2021 at 05:25:32PM +0200, Christophe Leroy wrote: > > > We have three architectures using function descriptors, each with its > >

Re: [PATCH v1 09/10] lkdtm: Fix lkdtm_EXEC_RODATA()

2021-10-13 Thread Kees Cook
; if (IS_ERR(func)) return; pr_info("attempting bad execution at %px\n", dst); func(); pr_err("FAIL: func returned\n"); } What are the conditions for which dereference_symbol_descriptor works but dereference_function_descriptor doesn't? -- Kees Cook

Re: [PATCH v1 10/10] lkdtm: Fix execute_[user]_location()

2021-10-13 Thread Kees Cook
t); > do_nothing(); > > - copied = access_process_vm(current, (unsigned long)dst, do_nothing, > + copied = access_process_vm(current, (unsigned long)dst, do_nothing_text, > EXEC_SIZE, FOLL_WRITE); > if (copied < EXEC_SIZE) > return; > - pr_info("attempting bad execution at %px\n", func); > + func = setup_function_descriptor(, dst); > + if (IS_ERR(func)) > + return; > + > + pr_info("attempting bad execution at %px\n", dst); Same here. > func(); > pr_err("FAIL: func returned\n"); > } > -- > 2.31.1 > -- Kees Cook

Re: [PATCH v1 09/10] lkdtm: Fix lkdtm_EXEC_RODATA()

2021-10-13 Thread Kees Cook
r(lkdtm_rodata_do_nothing)); > + lkdtm_rodata_do_nothing(); > + pr_err("FAIL: func returned\n"); > } > > void lkdtm_EXEC_USERSPACE(void) > -- > 2.31.1 > -- Kees Cook

Re: [PATCH v1 08/10] lkdtm: Really write into kernel text in WRITE_KERN

2021-10-13 Thread Kees Cook
ng); > + ptr = dereference_symbol_descriptor(do_overwritten); But otherwise, yup, I expect there will be a bunch of things like this to clean up in LKDTM. :| Sorry about that! Acked-by: Kees Cook > > pr_info("attempting bad %zu byte write at %px\n", size, ptr); > memcpy((void *)ptr, (unsigned char *)do_nothing, size); > -- > 2.31.1 > -- Kees Cook

Re: [PATCH v1 07/10] lkdtm: Force do_nothing() out of line

2021-10-13 Thread Kees Cook
s. > > Signed-off-by: Christophe Leroy Acked-by: Kees Cook -- Kees Cook

Re: [PATCH v1 06/10] asm-generic: Refactor dereference_[kernel]_function_descriptor()

2021-10-13 Thread Kees Cook
ons.h | 18 ++ > 5 files changed, 18 insertions(+), 72 deletions(-) A diffstat to love. :) Reviewed-by: Kees Cook > > diff --git a/arch/ia64/include/asm/sections.h > b/arch/ia64/include/asm/sections.h > index 929b5c535620..d9addaea8339 100644 > --- a/arch/

Re: [PATCH v1 05/10] asm-generic: Define 'funct_descr_t' to commonly describe function descriptors

2021-10-13 Thread Kees Cook
descriptors, nit: funct_descr_t reads weird to me. why not func_desc_t ? Either way: Reviewed-by: Kees Cook > to avoid a forest of #ifdefs. > > Signed-off-by: Christophe Leroy > --- > arch/ia64/include/asm/sections.h| 1 + > arch/parisc/include/asm/sections.h | 1 + >

Re: [PATCH v1 04/10] asm-generic: Use HAVE_DEREFERENCE_FUNCTION_DESCRIPTOR to define associated stubs

2021-10-13 Thread Kees Cook
empty #if/#else in the commit log, as I, like Helge, mentally tripped over it in the review. :) Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v1 03/10] ia64: Rename 'ip' to 'addr' in 'struct fdesc'

2021-10-13 Thread Kees Cook
> ia64 has 'ip' > parisc has 'addr' > > Vote for 'addr' and update 'struct fdesc' accordingly. > > Signed-off-by: Christophe Leroy Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v1 02/10] powerpc: Rename 'funcaddr' to 'addr' in 'struct ppc64_opd_entry'

2021-10-13 Thread Kees Cook
> ia64 has 'ip' > parisc has 'addr' > > Vote for 'addr' and update 'struct ppc64_opd_entry' accordingly. > > Signed-off-by: Christophe Leroy Reasonable. :) Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v1 01/10] powerpc: Move 'struct ppc64_opd_entry' back into asm/elf.h

2021-10-13 Thread Kees Cook
tures. > > Fixes: 2d291e902791 ("Fix compile failure with non modular builds") > Signed-off-by: Christophe Leroy I'd agree with Arnd: this is a reasonable cleanup and nothing should be using it. Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH] lkdtm: Fix content of section containing lkdtm_rodata_do_nothing()

2021-10-08 Thread Kees Cook
your patches? I would appreciate that since b4 yells at me when patches aren't signed. :) -Kees [1] https://github.com/mricon/patatt -- Kees Cook

Re: [PATCH] lkdtm: Fix content of section containing lkdtm_rodata_do_nothing()

2021-10-08 Thread Kees Cook
> > > > Fixes: e9e08a07385e ("lkdtm: support llvm-objcopy") > > Thanks for the patch; sorry I broke this. > Reviewed-by: Nick Desaulniers Hah! Whoops; sorry I don't have an inverted version of this test! I should have caught this when it broke. :| -Kees -- Kees Cook

Re: [RFC PATCH 4/8] powerpc: add CPU field to struct thread_info

2021-09-30 Thread Kees Cook
sted it at all, if you > >> > can point me at a > >> > git tree with the dependencies I'd be happy to run some tests over it. > >> > >> Actually I realised I can just drop the last patch. > >> > >> So that looks fine, passes my standard quic

Re: [RFC PATCH 4/8] powerpc: add CPU field to struct thread_info

2021-09-29 Thread Kees Cook
sted it at all, if you > >> > can point me at a > >> > git tree with the dependencies I'd be happy to run some tests over it. > >> > >> Actually I realised I can just drop the last patch. > >> > >> So that looks fine, passes my standard quic

Re: [PATCH] mm: Remove HARDENED_USERCOPY_FALLBACK

2021-09-21 Thread Kees Cook
/github.com/KSPP/linux/issues/153 > Signed-off-by: Stephen Kitt > Suggested-by: Kees Cook Thanks for doing this! Acked-by: Kees Cook -- Kees Cook

[PATCH for-next 01/25] scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp

2021-08-22 Thread Kees Cook
s what is being wiped. Cc: Tyrel Datwyler Cc: Michael Ellerman Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-s...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook Acked-by: Marti

[PATCH for-next 02/25] powerpc: Split memset() to avoid multi-field overflow

2021-08-22 Thread Kees Cook
. Cc: Benjamin Herrenschmidt Cc: Qinglang Miao Cc: "Gustavo A. R. Silva" Cc: Hulk Robot Cc: Wang Wensheng Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook Reviewed-by: Michael Ellerman Link: https://lore.kernel.org/lkml/87czqsnmw9@mpe.ellerman.id.au --- drivers/macin

Re: [PATCH v2 57/63] powerpc/signal32: Use struct_group() to zero spe regs

2021-08-20 Thread Kees Cook
On Fri, Aug 20, 2021 at 05:49:35PM +1000, Michael Ellerman wrote: > Kees Cook writes: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memset(), avoid intentionally writing across > > neighboring fields. >

Re: [PATCH v2 61/63] powerpc: Split memset() to avoid multi-field overflow

2021-08-18 Thread Kees Cook
On Wed, Aug 18, 2021 at 08:42:18AM +0200, Christophe Leroy wrote: > > > Le 18/08/2021 à 08:05, Kees Cook a écrit : > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memset(), avoid intentionally writing across

[PATCH v2 57/63] powerpc/signal32: Use struct_group() to zero spe regs

2021-08-18 Thread Kees Cook
e use struct_group()? >> [-Werror=attribute-warning] 195 |__write_overflow_field(); |^~~~ Cc: Michael Ellerman Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: Christophe Leroy Cc: Sudeep Holla Cc: linuxppc-dev@lists.ozlabs.org Reported-by: kernel test ro

[PATCH v2 61/63] powerpc: Split memset() to avoid multi-field overflow

2021-08-18 Thread Kees Cook
. Cc: Benjamin Herrenschmidt Cc: Qinglang Miao Cc: "Gustavo A. R. Silva" Cc: Hulk Robot Cc: Wang Wensheng Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook Reviewed-by: Michael Ellerman Link: https://lore.kernel.org/lkml/87czqsnmw9@mpe.ellerman.id.au --- drivers/macin

[PATCH v2 36/63] scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp

2021-08-18 Thread Kees Cook
s what is being wiped. Cc: Tyrel Datwyler Cc: Michael Ellerman Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-s...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook Acked-by: Marti

Re: [PATCH v5 2/8] lkdtm/powerpc: Add test to hijack a patch mapping

2021-08-11 Thread Kees Cook
it gets exposed to malicious discovery, so probably not. I suspect the best is to just do the BUILTIN check, since building LKDTM as a module on a _production_ kernel is rare if it exists at all. The only downside is needing to completely reboot to perform updated tests, but then, I frequently find myself breaking the kernel badly on bad tests, so I have to reboot anyway. ;) -Kees -- Kees Cook

[PATCH] ibmvnic: Use strscpy() instead of strncpy()

2021-06-21 Thread Kees Cook
: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Kees Cook --- drivers/net/ethernet/ibm/ibmvnic.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/d

Re: [PATCH] crypto: nx: Fix memcpy() over-reading in nonce

2021-06-18 Thread Kees Cook
On Thu, Jun 17, 2021 at 04:08:15PM +1000, Michael Ellerman wrote: > Kees Cook writes: > > Fix typo in memcpy() where size should be CTR_RFC3686_NONCE_SIZE. > > > > Fixes: 030f4e968741 ("crypto: nx - Fix reentrancy bugs") > > Cc: sta...@vger.kernel.org >

[PATCH] crypto: nx: Fix memcpy() over-reading in nonce

2021-06-16 Thread Kees Cook
Fix typo in memcpy() where size should be CTR_RFC3686_NONCE_SIZE. Fixes: 030f4e968741 ("crypto: nx - Fix reentrancy bugs") Cc: sta...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/crypto/nx/nx-aes-ctr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers

Re: [PATCH v1 1/1] kernel.h: Split out panic and oops helpers

2021-04-06 Thread Kees Cook
b folder to use new header. > Though for time being include new header back to kernel.h to avoid twisted > indirected includes for existing users. > > Signed-off-by: Andy Shevchenko I like it! Do you have a multi-arch CI to do allmodconfig builds to double-check this? Acked-by: Kees Cook -Kees -- Kees Cook

Re: [PATCH next v3 12/15] printk: introduce a kmsg_dump iterator

2021-02-25 Thread Kees Cook
ers/hv/vmbus_drv.c | 7 +-- > drivers/mtd/mtdoops.c | 8 +-- > fs/pstore/platform.c | 8 +-- Reviewed-by: Kees Cook # pstore -Kees > include/linux/kmsg_dump.h | 38 --- > kernel/debug/kdb/kd

Re: linux-next: build warning after merge of the akpm tree

2020-12-09 Thread Kees Cook
ernel/vmlinux.lds.S > index 3b4c26e94328..0318ba436f34 100644 > --- a/arch/powerpc/kernel/vmlinux.lds.S > +++ b/arch/powerpc/kernel/vmlinux.lds.S > @@ -296,6 +296,10 @@ SECTIONS > #else > .data : AT(ADDR(.data) - LOAD_OFFSET) { > DATA_DATA > +#ifdef CONFIG_UBSAN &

Re: [PATCH v2 2/2] kbuild: Disable CONFIG_LD_ORPHAN_WARN for ld.lld 10.0.1

2020-12-02 Thread Kees Cook
On Wed, Dec 02, 2020 at 11:37:38AM +0900, Masahiro Yamada wrote: > On Wed, Dec 2, 2020 at 5:56 AM Kees Cook wrote: > > > > On Tue, Dec 01, 2020 at 10:31:37PM +0900, Masahiro Yamada wrote: > > > On Wed, Nov 25, 2020 at 7:22 AM Kees Cook wrote: > > > > >

Re: [PATCH v2 2/2] kbuild: Disable CONFIG_LD_ORPHAN_WARN for ld.lld 10.0.1

2020-12-01 Thread Kees Cook
On Tue, Dec 01, 2020 at 10:31:37PM +0900, Masahiro Yamada wrote: > On Wed, Nov 25, 2020 at 7:22 AM Kees Cook wrote: > > > > On Thu, Nov 19, 2020 at 01:13:27PM -0800, Nick Desaulniers wrote: > > > On Thu, Nov 19, 2020 at 12:57 PM Nathan Chancellor > > > wrote:

Re: [PATCH v2 2/2] kbuild: Disable CONFIG_LD_ORPHAN_WARN for ld.lld 10.0.1

2020-11-24 Thread Kees Cook
> Reported-by: Arvind Sankar > > Reported-by: kernelci.org bot > > Reported-by: Mark Brown > > Reviewed-by: Kees Cook > > Signed-off-by: Nathan Chancellor > > Thanks for the additions in v2. > Reviewed-by: Nick Desaulniers I'm going to carry this for a few days in -next, and if no one screams, ask Linus to pull it for v5.10-rc6. Thanks! -- Kees Cook

Re: [PATCH v2 1/2] kbuild: Hoist '--orphan-handling' into Kconfig

2020-11-20 Thread Kees Cook
upported architectures the same, introduce > CONFIG_ARCH_WANT_LD_ORPHAN_WARN, which an architecture can select to > gain this automatically after all of the sections are specified and size > asserted. A special thanks to Kees Cook for the help text on this > config. > > Link:

Re: [PATCH 1/2] kbuild: Hoist '--orphan-handling' into Kconfig

2020-11-17 Thread Kees Cook
upported architectures the same, introduce > CONFIG_ARCH_WANT_LD_ORPHAN_WARN, which an architecture can select to > gain this automatically after all of the sections are specified and size > asserted. A special thanks to Kees Cook for the help text on this > config. > > Link: https

Re: [PATCH 2/2] kbuild: Disable CONFIG_LD_ORPHAN_WARN for ld.lld 10.0.1

2020-11-17 Thread Kees Cook
>= 11 depends on $(ld-option,--orphan-handling=warn) Otherwise, yeah, looks good to me. With this and the other suggestions, please consider it: Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH seccomp v2 0/8] seccomp: add bitmap cache support on remaining arches and report cache in procfs

2020-11-17 Thread Kees Cook
8] xtensa: Enable seccomp architecture tracking https://git.kernel.org/kees/c/4f408bc643aa [8/8] seccomp/cache: Report cache data through /proc/pid/seccomp_cache https://git.kernel.org/kees/c/49a6968cc78f -- Kees Cook

Re: [PATCH seccomp 0/8] seccomp: add bitmap cache support on remaining arches and report cache in procfs

2020-11-03 Thread Kees Cook
/asm/seccomp.h > create mode 100644 arch/parisc/include/asm/seccomp.h > create mode 100644 arch/xtensa/include/asm/seccomp.h > > > base-commit: 38c37e8fd3d2590c4234d8cfbc22158362f0eb04 > -- > 2.29.2 -- Kees Cook

Re: [PATCH v2 3/3] selftests/lkdtm: Enable selftest for SLB multihit

2020-09-25 Thread Kees Cook
LEAK_ERASING OK: the rest of the thread stack is properly erased > CFI_FORWARD_PROTO > +PPC_SLB_MULTIHIT Recovered Please squash this into the lkdtm patch -- I'd like test implementation and kselftest awareness to go in together. -- Kees Cook

Re: [PATCH v2 2/3] lkdtm/powerpc: Add SLB multihit test

2020-09-25 Thread Kees Cook
le(); > +} What does this do? > + > +void lkdtm_PPC_SLB_MULTIHIT(void) > +{ > + if (mmu_has_feature(MMU_FTR_HPTE_TABLE)) { > + inject_vmalloc_slb_multihit(); > + inject_kmalloc_slb_multihit(); > + insert_dup_slb_entry_0(); > + } > + pr_info("Recovered from SLB multihit. (Ignore this message on non HPTE > machines)"); Is this bad? If so, I'd expect pr_err("FAIL: ...") Can HPTE machines be detected so that an XFAIL can be emitted instead? Since there are three (two?) distinct regions being tested, should these be separate tests? Right now there is no way to separate a vmalloc failure from a kmalloc failure, and no way to fail the first without hiding the result from the latter (or maybe the machine cannot survive this test? ... which should also be a comment.) And finally, assuming a successful test (or testing from a separate thread later), is there any state that needs to be restored (or cleaned up before doing the "insert" calls)? Thanks! -- Kees Cook
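Review bot: the pr_info() at the end of lkdtm_PPC_SLB_MULTIHIT() sits outside the mmu_has_feature(MMU_FTR_HPTE_TABLE) block, so "Recovered from SLB multihit" is logged even when none of the three injection helpers ran, and the format string has no trailing "\n". Move the recovery message inside the if block, log a distinct skip message in the other case, and terminate both strings with a newline.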

[PATCH v2 1/4] selftests/seccomp: Record syscall during ptrace entry

2020-09-19 Thread Kees Cook
/20200911181012.171027-1-casca...@canonical.com/ Signed-off-by: Kees Cook --- tools/testing/selftests/seccomp/seccomp_bpf.c | 40 +-- 1 file changed, 27 insertions(+), 13 deletions(-) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp

[PATCH v2 4/4] selftests/clone3: Avoid OS-defined clone_args

2020-09-19 Thread Kees Cook
As the UAPI headers start to appear in distros, we need to avoid outdated versions of struct clone_args to be able to test modern features; rename to "struct __clone_args". Additionally update the struct size macro names to match UAPI names. Signed-off-by: Kees Cook --- tools/testing

[PATCH v2 0/4] selftests/seccomp: Refactor change_syscall()

2020-09-19 Thread Kees Cook
syscall number/return handling for powerpc. Additionally fixes clone3 (which seccomp depends on for testing) to run under MIPS where an old struct clone_args has become visible. (FWIW, I expect to take these via the seccomp tree.) Thanks, Kees Cook (4): selftests/seccomp: Record syscall during ptrace

[PATCH v2 2/4] selftests/seccomp: Allow syscall nr and ret value to be set separately

2020-09-19 Thread Kees Cook
In preparation for setting syscall nr and ret values separately, refactor the helpers to take a pointer to a value, so that a NULL can indicate "do not change this respective value". This is done to keep the regset read/write happening once and in one code path. Signed-off-by:

[PATCH v2 3/4] selftests/seccomp: powerpc: Set syscall return during ptrace syscall exit

2020-09-19 Thread Kees Cook
/20200911181012.171027-1-casca...@canonical.com/ Fixes: 58d0a862f573 ("seccomp: add tests for ptrace hole") Signed-off-by: Kees Cook --- tools/testing/selftests/seccomp/seccomp_bpf.c | 25 --- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/seccomp/sec

Re: [PATCH 14/15] selftests/clone3: Avoid OS-defined clone_args

2020-09-18 Thread Kees Cook
On Tue, Sep 15, 2020 at 06:25:28PM +0200, Christian Brauner wrote: > On Sat, Sep 12, 2020 at 04:08:19AM -0700, Kees Cook wrote: > > As the UAPI headers start to appear in distros, we need to avoid > > outdated versions of struct clone_args to be able to test modern > > featur

Re: [PATCH 03/15] selftests/seccomp: mips: Define SYSCALL_NUM_SET macro

2020-09-18 Thread Kees Cook
On Tue, Sep 15, 2020 at 05:55:46PM +0200, Christian Brauner wrote: > On Sat, Sep 12, 2020 at 04:08:08AM -0700, Kees Cook wrote: > > Remove the mips special-case in change_syscall(). > > > > Signed-off-by: Kees Cook > > --- > > tools/testing/sel

Re: [PATCH] selftests/seccomp: fix ptrace tests on powerpc

2020-09-17 Thread Kees Cook
On Sun, Sep 13, 2020 at 10:34:23PM +1000, Michael Ellerman wrote: > Thadeu Lima de Souza Cascardo writes: > > On Tue, Sep 08, 2020 at 04:18:17PM -0700, Kees Cook wrote: > >> On Tue, Jun 30, 2020 at 01:47:39PM -0300, Thadeu Lima de Souza Cascardo > >> wrote: > .

Re: [PATCH 00/15] selftests/seccomp: Refactor change_syscall()

2020-09-14 Thread Kees Cook
On Mon, Sep 14, 2020 at 10:15:18PM +1000, Michael Ellerman wrote: > Kees Cook writes: > > Hi, > > > > This refactors the seccomp selftest macros used in change_syscall(), > > in an effort to remove special cases for mips, arm, arm64, and xtensa, > > whic

Re: [PATCH 13/15] selftests/seccomp: powerpc: Set syscall return during ptrace syscall exit

2020-09-14 Thread Kees Cook
On Mon, Sep 14, 2020 at 03:47:13PM +1000, Michael Ellerman wrote: > Kees Cook writes: > > Some archs (like ppc) only support changing the return code during > > syscall exit when ptrace is used. As the syscall number might not > > be available anymore during syscall exit,

[PATCH 15/15] selftests/seccomp: Use __NR_mknodat instead of __NR_mknod

2020-09-12 Thread Kees Cook
The __NR_mknod syscall doesn't exist on arm64 (only __NR_mknodat). Switch to the modern syscall. Fixes: ad5682184a81 ("selftests/seccomp: Check for EPOLLHUP for user_notif") Signed-off-by: Kees Cook --- tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +- 1 file changed, 1 inser

[PATCH 14/15] selftests/clone3: Avoid OS-defined clone_args

2020-09-12 Thread Kees Cook
As the UAPI headers start to appear in distros, we need to avoid outdated versions of struct clone_args to be able to test modern features. Additionally pull in the syscall numbers correctly. Signed-off-by: Kees Cook --- I needed to fix this to get MIPS to build the seccomp selftests

[PATCH 11/15] selftests/seccomp: Remove SYSCALL_NUM_RET_SHARE_REG in favor of SYSCALL_RET_SET

2020-09-12 Thread Kees Cook
an associated SYSCALL_RET() macro. This also paves the way for architectures that need to do special things to set the return value (e.g. powerpc). Signed-off-by: Kees Cook --- tools/testing/selftests/seccomp/seccomp_bpf.c | 33 +-- 1 file changed, 23 insertions(+), 10 deletions

[PATCH 13/15] selftests/seccomp: powerpc: Set syscall return during ptrace syscall exit

2020-09-12 Thread Kees Cook
Suggested-by: Thadeu Lima de Souza Cascardo Link: https://lore.kernel.org/linux-kselftest/20200911181012.171027-1-casca...@canonical.com/ Fixes: 58d0a862f573 ("seccomp: add tests for ptrace hole") Signed-off-by: Kees Cook --- tools/testing/selftests/seccomp/seccomp_

[PATCH 12/15] selftests/seccomp: powerpc: Fix seccomp return value testing

2020-09-12 Thread Kees Cook
...@canonical.com/ Fixes: 5d83c2b37d43 ("selftests/seccomp: Add powerpc support") Signed-off-by: Kees Cook --- tools/testing/selftests/seccomp/seccomp_bpf.c | 15 +++ 1 file changed, 15 insertions(+) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing

[PATCH 10/15] selftests/seccomp: Avoid redundant register flushes

2020-09-12 Thread Kees Cook
When none of the registers have changed, don't flush them back. This can happen if the architecture uses a non-register way to change the syscall (e.g. arm64), and a return value hasn't been written. Signed-off-by: Kees Cook --- tools/testing/selftests/seccomp/seccomp_bpf.c | 6 -- 1 file

[PATCH 09/15] selftests/seccomp: Convert REGSET calls into ARCH_GETREG/ARCH_SETREG

2020-09-12 Thread Kees Cook
Consolidate the REGSET logic into the new ARCH_GETREG() and ARCH_SETREG() macros, avoiding more #ifdef code in function bodies. Signed-off-by: Kees Cook --- tools/testing/selftests/seccomp/seccomp_bpf.c | 42 +++ 1 file changed, 15 insertions(+), 27 deletions(-) diff --git

[PATCH 08/15] selftests/seccomp: Convert HAVE_GETREG into ARCH_GETREG/ARCH_SETREG

2020-09-12 Thread Kees Cook
Instead of special-casing the get/set-registers routines, move the HAVE_GETREG logic into the new ARCH_GETREG() and ARCH_SETREG() macros. Signed-off-by: Kees Cook --- tools/testing/selftests/seccomp/seccomp_bpf.c | 27 ++- 1 file changed, 15 insertions(+), 12 deletions(-) diff

[PATCH 07/15] selftests/seccomp: Remove syscall setting #ifdefs

2020-09-12 Thread Kees Cook
With all architectures now using the common SYSCALL_NUM_SET() macro, the arch-specific #ifdef can be removed from change_syscall() itself. Signed-off-by: Kees Cook --- tools/testing/selftests/seccomp/seccomp_bpf.c | 16 +++- 1 file changed, 3 insertions(+), 13 deletions(-) diff

[PATCH 06/15] selftests/seccomp: mips: Remove O32-specific macro

2020-09-12 Thread Kees Cook
Instead of having the mips O32 macro special-cased, pull the logic into the SYSCALL_NUM() macro. Additionally include the ABI headers, since these appear to have been missing, leaving __NR_O32_Linux undefined. Signed-off-by: Kees Cook --- tools/testing/selftests/seccomp/seccomp_bpf.c | 18

[PATCH 05/15] selftests/seccomp: arm64: Define SYSCALL_NUM_SET macro

2020-09-12 Thread Kees Cook
Remove the arm64 special-case in change_syscall(). Signed-off-by: Kees Cook --- tools/testing/selftests/seccomp/seccomp_bpf.c | 27 +-- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests

[PATCH 04/15] selftests/seccomp: arm: Define SYSCALL_NUM_SET macro

2020-09-12 Thread Kees Cook
Remove the arm special-case in change_syscall(). Signed-off-by: Kees Cook --- tools/testing/selftests/seccomp/seccomp_bpf.c | 16 ++-- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp

[PATCH 02/15] selftests/seccomp: Provide generic syscall setting macro

2020-09-12 Thread Kees Cook
In order to avoid "#ifdef"s in the main function bodies, create a new macro, SYSCALL_NUM_SET(), where arch-specific logic can live. Signed-off-by: Kees Cook --- tools/testing/selftests/seccomp/seccomp_bpf.c | 15 +-- 1 file changed, 13 insertions(+), 2 deletions(-)
