at build time or a system is booted with
"slab_common.usercopy_fallback=0", usercopy whitelists will BUG() instead
of WARN(). This is useful for admins that want to use usercopy whitelists
immediately.
Suggested-by: Matthew Garrett
Signed-off-by: Kees Cook
---
include/linux/slab.h |
Enberg
Cc: David Rientjes
Cc: Joonsoo Kim
Cc: Andrew Morton
Cc: linux...@kvack.org
Signed-off-by: Kees Cook
---
mm/slab_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/slab_common.c b/mm/slab_common.c
index 8ac2a6320a6c..d00cd3f0f8ac 100644
--- a/mm/slab_common.
vide usage trace]
Cc: Ingo Molnar
Cc: Andrew Morton
Cc: Thomas Gleixner
Cc: Andy Lutomirski
Signed-off-by: Kees Cook
Acked-by: Rik van Riel
---
kernel/fork.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index 432eadf6b58c..82f2a0441d3b
ler/PaX Team's PAX_USERCOPY
whitelisting code in the last public patch of grsecurity/PaX based on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: P
This whitelists the FPU register state portion of the thread_struct for
copying to userspace, instead of the default entire struct.
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: "H. Peter Anvin"
Cc: x...@kernel.org
Cc: Borislav Petkov
Cc: Andy Lutomirski
Cc: Mathias Krause
Signed-of
jun_hu
Cc: linux-arm-ker...@lists.infradead.org
Signed-off-by: Kees Cook
---
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/processor.h | 8
2 files changed, 9 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index a93339f5178f..c84477e6a884 100644
riginal code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor
[kees: split from network patch, provide usage trace]
Cc: "David S. Miller"
Cc: Alexey Kuznetsov
Cc: Hideaki YOSHIFUJI
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
net
kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
include/net/sctp/structs.h | 9 +++--
net/sctp/socket.c | 8
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 16f949eef52f..6168e34
Using %p was already mostly useless in the usercopy overflow reports,
so this removes it entirely to avoid confusion now that %p-hashing
is enabled.
Fixes: ad67b74d2469d9b8 ("printk: hash addresses printed with %p")
Signed-off-by: Kees Cook
---
mm/usercopy.c | 9 -
1 file
eil Horman
Cc: "David S. Miller"
Cc: linux-s...@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
net/sctp/socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index efbc8f52c531..15491491ec88 100644
---
urity/PaX code.
Signed-off-by: David Windsor
[kees: split from network patch, provide usage trace]
Cc: "David S. Miller"
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
net/caif/caif_socket.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/caif/caif_socket.c b/net/
telist]
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Paolo Abeni
Cc: David Howells
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
include/net/sock.h | 2 ++
net/core/sock.c| 6 +-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/include/net/sock.h b/include
ovide usage trace]
Cc: Luis de Bethencourt
Cc: Salah Triki
Signed-off-by: Kees Cook
Acked-by: Luis de Bethencourt
---
fs/befs/linuxvfs.c | 14 +-
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
index ee236231cafa..af2832aaeec5 100
ing
cache-managed memory falls entirely within the slab's usercopy region.
Signed-off-by: David Windsor
[kees: adjust commit log, provide usage trace]
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
Signed-off-by: Kees Cook
---
dri
ndsor
[kees: adjust commit log, provide usage trace]
Cc: Steve French
Cc: linux-c...@vger.kernel.org
Signed-off-by: Kees Cook
---
fs/cifs/cifsfs.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 31b7565b1617..29f4b0290fbd
on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor
[kees: adjust commit log, provide usage trace]
Cc: Christoph Hellwig
Signed-off-by: Kees Cook
---
fs/freevxfs/vxfs_sup
tanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor
[kees: adjust commit log, provide usage trace]
Cc: Boaz Harrosh
Signed-off-by: Kees Cook
---
fs/exofs/super.c | 7 +--
1 file changed, 5
es: adjust commit log, provide usage trace]
Cc: Evgeniy Dushistov
Signed-off-by: Kees Cook
---
fs/ufs/super.c | 13 -
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/fs/ufs/super.c b/fs/ufs/super.c
index 4d497e9c6883..652a77702aec 100644
--- a/fs/ufs/super.c
+++ b/fs/ufs/su
This refactors the hardened usercopy reporting code so that the object
offset can be included in the report. Having the offset can be much more
helpful in understanding usercopy bugs.
Signed-off-by: Kees Cook
---
include/linux/slab.h| 11 +++--
include/linux/thread_info.h | 2 +
mm
c patch of grsecurity/PaX based on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor
[kees: adjust commit log, provide usage trace]
Cc: Mike Marshall
Signed-off-by: Kees
Instead of doubling the size, push the start position up by 16 bytes to
still trigger an overflow. This allows to verify that offset reporting
is working correctly.
Signed-off-by: Kees Cook
---
drivers/misc/lkdtm_usercopy.c | 13 +
1 file changed, 9 insertions(+), 4 deletions
v4:
- refactor reporting to include offset and remove %p
- explicitly WARN by default for the whitelisting
- add KVM whitelists and harden ioctl handling
v3:
- added LKDTM update patch
- downgrade BUGs to WARNs and fail closed
- add Acks/Reviews from v2
v2:
- added tracing of allocation and usage
clarations]
[kees: convert BUGs to WARNs and fail closed]
[kees: add attack surface reduction analysis to commit log]
Cc: Christoph Lameter
Cc: Pekka Enberg
Cc: David Rientjes
Cc: Joonsoo Kim
Cc: Andrew Morton
Cc: linux...@kvack.org
Cc: linux-...@vger.kernel.org
Signed-off-by: Kees Cook
---
inc
On Wed, Jan 10, 2018 at 10:31 AM, Christopher Lameter wrote:
> On Tue, 9 Jan 2018, Kees Cook wrote:
>
>> @@ -3823,11 +3825,9 @@ int __check_heap_object(const void *ptr, unsigned
>> long n, struct page *page,
>
> Could we do the check in mm_slab_common.c for all allocators
On Wed, Jan 10, 2018 at 10:28 AM, Christopher Lameter wrote:
> On Tue, 9 Jan 2018, Kees Cook wrote:
>
>> +struct kmem_cache *kmem_cache_create_usercopy(const char *name,
>> + size_t size, size_t align, slab_flags_t flags,
>> + s
On Wed, Jan 10, 2018 at 7:25 AM, Christopher Lameter wrote:
> On Tue, 9 Jan 2018, Kees Cook wrote:
>
>> -static void report_usercopy(unsigned long len, bool to_user, const char
>> *type)
>> +int report_usercopy(const char *name, const char *detail, bool to_user,
riginal code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor
[kees: split from network patch, provide usage trace]
Cc: "David S. Miller"
Cc: Alexey Kuznetsov
Cc: Hideaki YOSHIFUJI
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
net
linux-fsde...@vger.kernel.org
Signed-off-by: Kees Cook
---
fs/fhandle.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/fhandle.c b/fs/fhandle.c
index 0ace128f5d23..0ee727485615 100644
--- a/fs/fhandle.c
+++ b/fs/fhandle.c
@@ -69,8 +69,7 @@ static long do_sys_name_to_handle(s
derstanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor
[kees: adjust commit log, add usage trace]
Cc: Alexander Viro
Cc: linux-fsde...@vger.kernel.org
Signed-off-by: Kees Cook
---
fs/d
ARM does not carry FPU state in the thread structure, so it can declare
no usercopy whitelist at all.
Cc: Russell King
Cc: Ingo Molnar
Cc: Christian Borntraeger
Cc: "Peter Zijlstra (Intel)"
Cc: linux-arm-ker...@lists.infradead.org
Signed-off-by: Kees Cook
---
arch/a
t log, provide usage trace]
Cc: Dave Kleikamp
Cc: jfs-discuss...@lists.sourceforge.net
Signed-off-by: Kees Cook
Acked-by: Dave Kleikamp
---
fs/jfs/super.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/jfs/super.c b/fs/jfs/super.c
index 90373aebfdca..1b9264fd54b6 1006
security/PaX code.
Signed-off-by: David Windsor
[kees: adjust commit log, provide usage trace]
Cc: "Theodore Ts'o"
Cc: Andreas Dilger
Cc: linux-e...@vger.kernel.org
Signed-off-by: Kees Cook
---
fs/ext4/super.c | 12 +++-
1 file changed, 7 insertions(+), 5 deletions(-
berg
Cc: David Rientjes
Cc: Joonsoo Kim
Cc: Andrew Morton
Cc: Laura Abbott
Cc: Ingo Molnar
Cc: Mark Rutland
Cc: linux...@kvack.org
Cc: linux-...@vger.kernel.org
Signed-off-by: Kees Cook
---
mm/slab.c | 22 +++---
mm/slab.h | 2 ++
mm/slub.c | 23
/PaX code.
Signed-off-by: David Windsor
[kees: adjust commit log, provide usage trace]
Cc: Jan Kara
Cc: linux-e...@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: Jan Kara
---
fs/ext2/super.c | 12 +++-
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/fs/ext2/supe
ned-off-by: David Windsor
[kees: merged in moved kmalloc hunks, adjust commit log]
Cc: Pekka Enberg
Cc: David Rientjes
Cc: Joonsoo Kim
Cc: Andrew Morton
Cc: linux...@kvack.org
Cc: linux-...@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: Christoph Lameter
---
mm/slab.c| 3 ++-
at build time or a system is booted with
"slab_common.usercopy_fallback=0", usercopy whitelists will BUG() instead
of WARN(). This is useful for admins that want to use usercopy whitelists
immediately.
Suggested-by: Matthew Garrett
Signed-off-by: Kees Cook
---
include/linux/slab.h |
vger.kernel.org
Signed-off-by: Kees Cook
---
fs/dcache.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/dcache.c b/fs/dcache.c
index 5c7df1df81ff..92ad7a2168e1 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -3601,8 +3601,9 @@ static void __init dcache_init(void)
*
clarations]
[kees: convert BUGs to WARNs and fail closed]
[kees: add attack surface reduction analysis to commit log]
Cc: Pekka Enberg
Cc: David Rientjes
Cc: Joonsoo Kim
Cc: Andrew Morton
Cc: linux...@kvack.org
Cc: linux-...@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: Christoph Lameter
--
Using %p was already mostly useless in the usercopy overflow reports,
so this removes it entirely to avoid confusion now that %p-hashing
is enabled.
Fixes: ad67b74d2469d9b8 ("printk: hash addresses printed with %p")
Signed-off-by: Kees Cook
---
mm/usercopy.c | 9 -
1 file
tanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor
[kees: adjust commit log, provide usage trace]
Cc: Boaz Harrosh
Signed-off-by: Kees Cook
---
fs/exofs/super.c | 7 +--
1 file changed, 5
ler/PaX Team's PAX_USERCOPY
whitelisting code in the last public patch of grsecurity/PaX based on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: P
vide usage trace]
Cc: Ingo Molnar
Cc: Andrew Morton
Cc: Thomas Gleixner
Cc: Andy Lutomirski
Signed-off-by: Kees Cook
Acked-by: Rik van Riel
---
kernel/fork.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index 432eadf6b58c..82f2a0441d3b
c patch of grsecurity/PaX based on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor
[kees: adjust commit log, provide usage trace]
Cc: Mike Marshall
Signed-off-by: Kees
Lutomirski
Signed-off-by: Kees Cook
Acked-by: Rik van Riel
---
kernel/fork.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index 82f2a0441d3b..0e086af148f2 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -282,8 +282,9 @@ static voi
es: adjust commit log, provide usage trace]
Cc: Evgeniy Dushistov
Signed-off-by: Kees Cook
---
fs/ufs/super.c | 13 -
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/fs/ufs/super.c b/fs/ufs/super.c
index 4d497e9c6883..652a77702aec 100644
--- a/fs/ufs/super.c
+++ b/fs/ufs/su
This whitelists the FPU register state portion of the thread_struct for
copying to userspace, instead of the default entire struct.
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: "H. Peter Anvin"
Cc: x...@kernel.org
Cc: Borislav Petkov
Cc: Andy Lutomirski
Cc: Mathias Krause
Signed-of
icholas Piggin
Cc: Laura Abbott
Cc: "Mickaël Salaün"
Cc: Ingo Molnar
Cc: Thomas Gleixner
Cc: Andy Lutomirski
Signed-off-by: Kees Cook
Acked-by: Rik van Riel
---
arch/Kconfig | 11 +++
include/linux/sched/task.h | 14 ++
kernel/
eil Horman
Cc: "David S. Miller"
Cc: linux-s...@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
net/sctp/socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index efbc8f52c531..15491491ec88 100644
---
ndsor
[kees: adjust commit log, provide usage trace]
Cc: Steve French
Cc: linux-c...@vger.kernel.org
Signed-off-by: Kees Cook
---
fs/cifs/cifsfs.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 31b7565b1617..29f4b0290fbd
Enberg
Cc: David Rientjes
Cc: Joonsoo Kim
Cc: Andrew Morton
Cc: linux...@kvack.org
Signed-off-by: Kees Cook
---
mm/slab_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/slab_common.c b/mm/slab_common.c
index 8ac2a6320a6c..d00cd3f0f8ac 100644
--- a/mm/slab_common.
flags argument---the previous code was exiting with -EINVAL but still
doing the copy.
This technically is a userspace ABI breakage, but since no one should be
using the ioctl, it's a good occasion to see if someone actually
complains.
Cc: kernel-harden...@lists.openwall.com
Cc: Kees Cook
urity/PaX code.
Signed-off-by: David Windsor
[kees: split from network patch, provide usage trace]
Cc: "David S. Miller"
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
net/caif/caif_socket.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/caif/caif_socket.c b/net/
kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
include/net/sctp/structs.h | 9 +++--
net/sctp/socket.c | 8
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 16f949eef52f..6168e34
on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor
[kees: adjust commit log, provide usage trace]
Cc: Christoph Hellwig
Signed-off-by: Kees Cook
---
fs/freevxfs/vxfs_sup
telist]
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Paolo Abeni
Cc: David Howells
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
include/net/sock.h | 2 ++
net/core/sock.c| 6 +-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/include/net/sock.h b/include
+ lustre assert uses:
$ git grep -E 'sizeof\(\(\((struct )?[a-zA-Z_]+ \*\)0\)->' | \
grep -v staging/lustre | wc -l
65
Signed-off-by: Kees Cook
---
include/linux/stddef.h | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/include/linux/stddef.h b/
ing
cache-managed memory falls entirely within the slab's usercopy region.
Signed-off-by: David Windsor
[kees: adjust commit log, provide usage trace]
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
Signed-off-by: Kees Cook
---
dri
understanding hardened usercopy bugs.
Signed-off-by: Kees Cook
---
include/linux/slab.h | 12 +++
mm/slab.c| 8 ++---
mm/slub.c| 14
mm/usercopy.c| 95 +++-
4 files changed, 57 insertions(+), 72 deletions
available to the slab allocators, and adds new "detail"
and "offset" arguments.
Signed-off-by: Kees Cook
---
mm/slab.h | 6 ++
mm/usercopy.c | 24 +++-
tools/objtool/check.c | 1 +
3 files changed, 26 insertions(+), 5 deletions
Instead of doubling the size, push the start position up by 16 bytes to
still trigger an overflow. This allows to verify that offset reporting
is working correctly.
Signed-off-by: Kees Cook
---
drivers/misc/lkdtm_usercopy.c | 13 +
1 file changed, 9 insertions(+), 4 deletions
v5:
- add Acks
- split stddef changes into separate patch
- further refactor reporting code for readability
- adjust enforcement code for greater readability
v4:
- refactor reporting to include offset and remove %p
- explicitly WARN by default for the whitelisting
- add KVM whitelists and harden i
This updates the USERCOPY_HEAP_FLAG_* tests to USERCOPY_HEAP_WHITELIST_*,
since the final form of usercopy whitelisting ended up using an offset/size
window instead of the earlier proposed allocation flags.
Signed-off-by: Kees Cook
---
drivers/misc/lkdtm.h | 4 +-
drivers/misc
ovide usage trace]
Cc: Luis de Bethencourt
Cc: Salah Triki
Signed-off-by: Kees Cook
Acked-by: Luis de Bethencourt
---
fs/befs/linuxvfs.c | 14 +-
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
index ee236231cafa..af2832aaeec5 100
jun_hu
Cc: linux-arm-ker...@lists.infradead.org
Signed-off-by: Kees Cook
---
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/processor.h | 8
2 files changed, 9 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index a93339f5178f..c84477e6a884 100644
.
For now, allow writing to the entire struct on all architectures.
The KVM tree will not refine this to an architecture-specific
subset of struct kvm_vcpu_arch.
Cc: kernel-harden...@lists.openwall.com
Cc: Kees Cook
Cc: Christian Borntraeger
Cc: Christoffer Dall
Cc: Radim Krčmář
Signed-off-by
nks! And yes, confirmed, the kspp tree version should be used to
resolve this conflict.
-Kees
--
Kees Cook
Pixel Security
On Thu, Jan 11, 2018 at 9:01 AM, Theodore Ts'o wrote:
> On Wed, Jan 10, 2018 at 06:02:45PM -0800, Kees Cook wrote:
>> The ext4 symlink pathnames, stored in struct ext4_inode_info.i_data
>> and therefore contained in the ext4_inode_cache slab cache, need
>> to b
On Thu, Jan 11, 2018 at 2:24 AM, Russell King - ARM Linux
wrote:
> On Wed, Jan 10, 2018 at 06:03:06PM -0800, Kees Cook wrote:
>> ARM does not carry FPU state in the thread structure, so it can declare
>> no usercopy whitelist at all.
>
> This comment seems to be misleadin
On Thu, Jan 11, 2018 at 9:06 AM, Christopher Lameter wrote:
> On Wed, 10 Jan 2018, Kees Cook wrote:
>
>> diff --git a/mm/slab.h b/mm/slab.h
>> index ad657ffa44e5..7d29e69ac310 100644
>> --- a/mm/slab.h
>> +++ b/mm/slab.h
>> @@ -526,4 +526,10 @@ static inlin
On Mon, Jan 15, 2018 at 4:24 AM, Dave P Martin wrote:
> On Thu, Jan 11, 2018 at 02:03:05AM +0000, Kees Cook wrote:
>> This whitelists the FPU register state portion of the thread_struct for
>> copying to userspace, instead of the default entire structure.
>>
>> Cc: C
UGIN_LATENT_ENTROPY
default 1280 if (!64BIT && PARISC)
default 1024 if (!64BIT && !PARISC)
default 2048 if 64BIT
Just dropping the defconfig there should fix it. (And I think it was
just a mistake to port that value when splitting the um defconfig in
commit e40f04d040c6 ("arch/um: make it work with defconfig and
x86_64")).
-Kees
--
Kees Cook
Pixel Security
-2936,7 +2936,7 @@ static int rtnl_newlink(struct sk_buff *skb, struct
>> nlmsghdr *nlh,
>> }
>>
>> if (m_ops) {
>> - if (ops->slave_maxtype > RTNL_SLAVE_MAX_TYPE)
>> + if (m_ops->slave_maxtype > RTNL_SLAVE_MAX_TYPE)
>> return -EINVAL;
>
>
> Oh nice
>
> CC Kees Cook.
Argh. Thank you, yes.
Acked-by: Kees Cook
-Kees
--
Kees Cook
Pixel Security
like the real source of
the problem.
I swear this was different handling of READ_IMPLIES_EXEC between
x86_64 and ia32, but I can't find it. (i.e. I thought the default for
64-bit was to assume NX stack even when the gnustack marking was
missing.)
Is the file for the driver coming out of /dev? Seems like that should
be mounted noexec and it would solve this too. (Though now I wonder
why /dev isn't noexec by default? /dev/pts is noexec...)
Regardless, if you wanted to add a "ignore READ_IMPLIES_EXEC" flag to
struct file, maybe this bit could be populated by drivers?
--
Kees Cook
On Thu, Apr 18, 2019 at 2:01 AM Jason Gunthorpe wrote:
>
> On Thu, Apr 18, 2019 at 01:30:07AM -0500, Kees Cook wrote:
>
> > Anything running with READ_IMPLIES_EXEC (i.e. a gnu stack marked WITH
> > execute) should be considered broken. Now, the trouble is that this
> >
NING: sum of
> probable bitmasks, consider |
Applied, thanks!
[1/1] selftests/seccomp: Use bitwise instead of arithmetic operator for flags
https://git.kernel.org/kees/c/76993fe3c1e4
Sorry for the massive delay on this one! I lost this email in my inbox. :)
--
Kees Cook
changes for feedback. I was
surprised to find the changes in the seccomp selftests today in Linus's
tree. I didn't seem to get CCed on this series, even though
get_maintainers shows this:
$ ./scripts/get_maintainer.pl 0001-selftests-seccomp-add-xtensa-support.mbox
Kees Cook (supporter:
Emese Revfy
> Signed-off-by: Thibaut Sautereau
Yes, that looks correct. Thank you!
Acked-by: Kees Cook
I'm not sure the best tree for this. Ted, Andrew, Linus? I'll take it
via my gcc plugin tree if no one else takes it. :)
--
Kees Cook
On Tue, Oct 06, 2020 at 04:28:09AM +0200, Willy Tarreau wrote:
> Hi Kees,
>
> On Mon, Oct 05, 2020 at 07:12:29PM -0700, Kees Cook wrote:
> > On Fri, Oct 02, 2020 at 05:16:11PM +0200, Thibaut Sautereau wrote:
> > > From: Thibaut Sautereau
> > >
> > >
[heavily trimmed CC list because I think lkml is ignoring this
thread...]
On Thu, Jul 30, 2020 at 09:03:55AM +0200, Thomas Gleixner wrote:
> Kees,
>
> Kees Cook writes:
> > This is the infrastructure changes to prepare the tasklet API for
> > conversion to passing the
On Fri, Aug 07, 2020 at 01:29:24PM -0700, John Stultz wrote:
> On Thu, Jul 9, 2020 at 11:28 AM Kees Cook wrote:
> >
> > Duplicate the cleanups from commit 2618d530dd8b ("net/scm: cleanup
> > scm_detach_fds") into the compat code.
> >
> > Replace ope
u8 fault_type;
int err;
- if (event->type < FAULT_TYPE_MAX)
- strncpy(type_str, fault_type[event->type],
strlen(fault_type[event->type]));
- else
- strncpy(type_str, "Unknown", strlen("Unknown"));
-
- err = devlink_fmsg_string_pair_put(fmsg, "Fault type", type_str);
+ fault_type = clamp(event->type, FAULT_TYPE_MAX);
+ err = devlink_fmsg_string_pair_put(fmsg, "Fault type",
type_str[fault_type]);
if (err)
return err;
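Review bot: clamp() in the kernel takes three arguments (value, low, high), so the added `fault_type = clamp(event->type, FAULT_TYPE_MAX);` line would not build as written; a single upper bound is what min() is for. The new `u8 fault_type` local also reuses the name of the string table that the removed lines index as `fault_type[event->type]`, while the added call indexes `type_str[...]`, which the removed lines use as the copy destination, so the two names need to be swapped or the table renamed. Because the removed else branch reported "Unknown" for any type at or above FAULT_TYPE_MAX, the table also needs an "Unknown" entry at index FAULT_TYPE_MAX for the bounded lookup to keep that behaviour.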
-Kees
[1]
https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings
--
Kees Cook
On Fri, Aug 07, 2020 at 05:02:15PM -0700, John Stultz wrote:
> On Fri, Aug 7, 2020 at 3:18 PM Kees Cook wrote:
> >
> > On Fri, Aug 07, 2020 at 01:29:24PM -0700, John Stultz wrote:
> > > On Thu, Jul 9, 2020 at 11:28 AM Kees Cook wrote:
> > > >
> &
t's the same form as container_of()
> > > and I think we need urgent agreement to not stall everything else so
> > > the most innocuous name is likely to get the widest acceptance.
> >
> > Kees,
> >
> > Will you be sending the newly proposed API to Linus? I have V2
> > which uses container_from()
> > ready to be sent out.
>
> I liked that James swapped the first two arguments so that it matches
> container_of(). Plus it's nice that when you have:
>
> struct whatever *foo = container_from(ptr, foo, member);
>
> Then it means that "ptr == &foo->member".
I'm a bit stalled right now -- the merge window was keeping me busy, and
this week is the Linux Plumbers Conference. This is on my list, but I
haven't gotten back around to it. If you want, feel free to send the
container_from() patch; you might be able to unblock this faster than me
right now. :)
-Kees
--
Kees Cook
.wiki.kernel.org/en/developers/documentation/submittingpatches
FWIW, I don't think a revert is needed here to wait for the from_tasklet()
-> container_from() API to land since from_tasklet() is already being
used by other trees. Let's just get this done so we can get closer to
ripping out the old tasklet API. We'll have to do a treewide
from_timer(), from_tasklet() -> container_from() anyway...
--
Kees Cook
0 R15:
>
> [ 1563.658318] Code: 8b 44 24 78 41 39 d8 77 57 41 f6 44 24 34 01 0f 85 24 01
> 00 00 45 85 ff 0f 84 40 04 00 00 49 8b 04 24 49 39 c2 0f 84 1d 02 00 00 <8b>
> 50 28 41 8b 1e 39 d3 0f 88 f4 03 00 00 49 89 c4 29 d3 41 f6
> [ 1563.658365] RIP: tcp_recvmsg+0x1eb/0xb40 RSP: b77e010f7cf8
>
on't depend on being zero. :)
[1] https://gcc.gnu.org/ml/gcc-patches/2014-06/msg00615.html
[2]
https://lkml.kernel.org/r/CA+55aFykZL+cSBJjBBts7ebEFfyGPdMzTmLSxKnT_29=j94...@mail.gmail.com
Signed-off-by: Kees Cook
---
scripts/Makefile.gcc-plugins | 6 ++
scripts/gcc-plugin
kinit: small_hole_runtime_all ok
test_stackinit: big_hole_runtime_all ok
test_stackinit: u8 ok
test_stackinit: u16 ok
test_stackinit: u32 ok
test_stackinit: u64 ok
test_stackinit: char_array ok
test_stackinit: small_hole ok
test_stackinit: big_hole ok
test_stackinit: user ok
test_stackinit: failures: 4
Signed-off-by:
/lkml.kernel.org/r/CA+55aFykZL+cSBJjBBts7ebEFfyGPdMzTmLSxKnT_29=j94...@mail.gmail.com
Kees Cook (3):
treewide: Lift switch variables out of switches
gcc-plugins: Introduce stackinit plugin
lib: Introduce test_stackinit module
arch/x86/xen/enlighten_pv.c | 7 +-
d
: warning: statement will never be executed
[-Wswitch-unreachable]
siginfo_t si;
^~
Signed-off-by: Kees Cook
---
arch/x86/xen/enlighten_pv.c | 7 ---
drivers/char/pcmcia/cm4000_cs.c | 2 +-
drivers/char/ppdev.c | 20
On Thu, Jan 24, 2019 at 4:44 AM Jani Nikula wrote:
>
> On Wed, 23 Jan 2019, Edwin Zimmerman wrote:
> > On Wed, 23 Jan 2019, Jani Nikula wrote:
> >> On Wed, 23 Jan 2019, Greg KH wrote:
> >> > On Wed, Jan 23, 2019 at 03:03:47AM -0800, Kees Cook wrote:
>
ts
> for both.
GCC is reasonable at this. The main issue, though, was most of these
places were using the variables in multiple case statements, so they
couldn't be limited to a single block (or they'd need to be manually
repeated in each block, which is even more ugly, IMO).
Whatever the consensus, I'm happy to tweak the patch.
Thanks!
--
Kees Cook
On Thu, Nov 29, 2018 at 3:52 PM David Miller wrote:
>
> From: Kees Cook
> Date: Thu, 29 Nov 2018 15:31:25 -0800
>
> > Did you ever solve this?
>
> I think it was fixed by:
>
> commit 45611c61dd503454b2edae00aabe1e429ec49ebe
> Author: Bernd Eckstein <3erndecks
vers/net/ethernet/sun/sunhme.c | 4 ++--
> drivers/scsi/qlogicpti.h | 2 +-
> fs/notify/inotify/inotify_user.c | 2 +-
> kernel/irq/timings.c | 2 +-
> lib/vsprintf.c| 2 +-
> net/core/skbuff.c | 2 +-
> 17 files changed, 33 insertions(+), 31 deletions(-)
>
> --
> 2.19.1
>
--
Kees Cook
c directly in their
> bpf_jit_compile implementations as well.
Ew, good catch. :P
--
Kees Cook
On Mon, Nov 5, 2018 at 6:56 AM Yangtao Li wrote:
>
> Use DEFINE_SHOW_ATTRIBUTE macro to simplify the code.
>
> Signed-off-by: Yangtao Li
Reviewed-by: Kees Cook
-Kees
> ---
> net/bluetooth/l2cap_core.c | 12 +---
> net/bluetooth/rfcomm/core.c | 12 +---
On Mon, Jan 28, 2019 at 4:12 PM Alexander Popov wrote:
>
> On 23.01.2019 14:03, Kees Cook wrote:
> > This adds a new plugin "stackinit" that attempts to perform unconditional
> > initialization of all stack variables
>
> Hello Kees! Hello everyone!
>
> I
bal
"modules_disabled" sysctl already. The level of granularity of control
here is the issue, and it's what this series solves.
The options I see for module loading control are:
1) monolithic kernel (no modules)
2) modular kernel that flips on modules_disabled after boot (no
modules after boot)
3) modular kernel that allows per-subsystem unpriv module loading (all
modules loadable)
There is a demand for something between 2 and 3 where only root can
load modules. (And as pointed out in the series, this is _especially_
true for containers where the admin may want to leave module loading
alone in the init namespace, but stop any module loading in the
container.)
-Kees
--
Kees Cook
Pixel Security
of this already with the module prefixes. Doing this
per-module would need to be exported to userspace, I think. It'd be
way too fragile sitting in the kernel.
To control this via modprobe, we'd need to expand modprobe to include
the user that is trying to load the module (so it can r
On Mon, Nov 27, 2017 at 3:14 PM, Linus Torvalds
wrote:
> On Mon, Nov 27, 2017 at 2:59 PM, Kees Cook wrote:
>>
>> I don't disagree that a global should be avoided, but I'm struggling
>> to see another option here. We can't break userspace by default so we
| 6 --
> kernel/trace/trace.h | 24
> kernel/trace/trace_events_hist.c | 6 +++---
> lib/vsprintf.c | 18 +++---
> 5 files changed, 48 insertions(+), 8 deletions(-)
>
> --
> 2.7.4
>
--
Kees Cook
Pixel Security