lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <202306271729.813C8788@keescook>
Date:   Tue, 27 Jun 2023 17:34:57 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Alexander Lobakin <aleksander.lobakin@...el.com>,
        Alexander Potapenko <glider@...gle.com>,
        Alex Deucher <alexander.deucher@....com>,
        Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
        Arnd Bergmann <arnd@...db.de>,
        Arne Welzel <arne.welzel@...elight.com>,
        Azeem Shaikh <azeemshaikh38@...il.com>,
        Bill Wendling <morbo@...gle.com>,
        Christoph Hellwig <hch@...radead.org>,
        Conor Dooley <conor.dooley@...rochip.com>,
        "Darrick J. Wong" <djwong@...nel.org>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Fangrui Song <maskray@...gle.com>,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        Hans de Goede <hdegoede@...hat.com>,
        Jakub Kicinski <kuba@...nel.org>, Jan Kara <jack@...e.cz>,
        Joe Perches <joe@...ches.com>,
        John Paul Adrian Glaubitz <glaubitz@...sik.fu-berlin.de>,
        John Stultz <jstultz@...gle.com>,
        Jozsef Kadlecsik <kadlec@...filter.org>,
        Kees Cook <keescook@...omium.org>,
        Marco Elver <elver@...gle.com>,
        "Martin K. Petersen" <martin.petersen@...cle.com>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        Miguel Ojeda <ojeda@...nel.org>,
        Nathan Chancellor <nathan@...nel.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Palmer Dabbelt <palmer@...osinc.com>,
        Simon Horman <simon.horman@...igine.com>,
        Song Liu <song@...nel.org>,
        Thorsten Leemhuis <linux@...mhuis.info>,
        Tyrel Datwyler <tyreld@...ux.ibm.com>,
        Wyes Karny <wyes.karny@....com>, linux-kernel@...r.kernel.org,
        linux-hardening@...r.kernel.org
Subject: [GIT PULL] hardening updates for v6.5-rc1

Hi Linus,

Please pull these hardening updates for v6.5-rc1. There are 3 areas of
note:

- A bunch of strlcpy()->strscpy() conversions ended up living in my tree
  since they were either Acked by maintainers for me to carry, or got
  ignored for multiple weeks (and were trivial changes).

- The compiler option -fstrict-flex-arrays=3 has been enabled globally,
  and has been in -next for the entire devel cycle. This changes compiler
  diagnostics (though mainly just -Warray-bounds which is disabled) and
  potential UBSAN_BOUNDS and FORTIFY _warning_ coverage. In other words,
  there are no new restrictions, just potentially new warnings. Any new
  FORTIFY warnings we've seen have been fixed (usually in their
  respective subsystem trees). For more details, see commit
  df8fc4e934c12b906d08050d7779f292b9c5c6b5.

- The under-development compiler attribute __counted_by has been added
  so that we can start annotating flexible array members with their
  associated structure member that tracks the count of flexible array
  elements at run-time. It is possible (likely?) that the exact syntax
  of the attribute will change before it is finalized, but GCC and Clang
  are working together to sort it out. Any changes can be made to the
  macro while we continue to add annotations. As an example, I have a
  treewide commit waiting with such annotations found via Coccinelle:
  https://git.kernel.org/linus/adc5b3cb48a049563dc673f348eab7b6beba8a9b
  See commit dd06e72e68bcb4070ef211be100d2896e236c8fb for more details.

These and the other updates and fixes are noted below.

Thanks!

-Kees

The following changes since commit f1fcbaa18b28dec10281551dfe6ed3a3ed80e3d6:

  Linux 6.4-rc2 (2023-05-14 12:51:40 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.5-rc1

for you to fetch changes up to acf15e07eb06507c69f92394c36052677029b0a8:

  netfilter: ipset: Replace strlcpy with strscpy (2023-06-20 13:35:37 -0700)

----------------------------------------------------------------
hardening updates for v6.5-rc1

- Fix KMSAN vs FORTIFY in strlcpy/strlcat (Alexander Potapenko)

- Convert strreplace() to return string start (Andy Shevchenko)

- Flexible array conversions (Arnd Bergmann, Wyes Karny, Kees Cook)

- Add missing function prototypes seen with W=1 (Arnd Bergmann)

- Fix strscpy() kerndoc typo (Arne Welzel)

- Replace strlcpy() with strscpy() across many subsystems which were
  either Acked by respective maintainers or were trivial changes that
  went ignored for multiple weeks (Azeem Shaikh)

- Remove unneeded cc-option test for UBSAN_TRAP (Nick Desaulniers)

- Add KUnit tests for strcat()-family

- Enable KUnit tests of FORTIFY wrappers under UML

- Add more complete FORTIFY protections for strlcat()

- Add missed disabling of FORTIFY for all arch purgatories.

- Enable -fstrict-flex-arrays=3 globally

- Tightening UBSAN_BOUNDS when using GCC

- Improve checkpatch to check for strcpy, strncpy, and fake flex arrays

- Improve use of const variables in FORTIFY

- Add requested struct_size_t() helper for types not pointers

- Add __counted_by macro for annotating flexible array size members

----------------------------------------------------------------
Alexander Potapenko (1):
      string: use __builtin_memcpy() in strlcpy/strlcat

Andy Shevchenko (3):
      jbd2: Avoid printing outside the boundary of the buffer
      lib/string_helpers: Change returned value of the strreplace()
      kobject: Use return value of strreplace()

Arnd Bergmann (2):
      autofs: use flexible array in ioctl structure
      ubsan: add prototypes for internal functions

Arne Welzel (1):
      fortify: strscpy: Fix flipped q and p docstring typo

Azeem Shaikh (27):
      dlm: Replace all non-returning strlcpy with strscpy
      NFS: Prefer strscpy over strlcpy calls
      vboxsf: Replace all non-returning strlcpy with strscpy
      scsi: ibmvscsi: Replace all non-returning strlcpy with strscpy
      scsi: qedi: Replace all non-returning strlcpy with strscpy
      scsi: bnx2i: Replace all non-returning strlcpy with strscpy
      scsi: aacraid: Replace all non-returning strlcpy with strscpy
      scsi: 3w-9xxx: Replace all non-returning strlcpy with strscpy
      tracing: Replace all non-returning strlcpy with strscpy
      drm/radeon: Replace all non-returning strlcpy with strscpy
      drm/amd/pm: Replace all non-returning strlcpy with strscpy
      befs: Replace all non-returning strlcpy with strscpy
      ftrace: Replace all non-returning strlcpy with strscpy
      drm/display/dp_mst: Replace all non-returning strlcpy with strscpy
      drm/rockchip: Replace all non-returning strlcpy with strscpy
      drm/mediatek: Replace all non-returning strlcpy with strscpy
      drm/sun4i: hdmi: Replace all non-returning strlcpy with strscpy
      drm/i2c: tda998x: Replace all non-returning strlcpy with strscpy
      staging: most: Replace all non-returning strlcpy with strscpy
      clocksource: Replace all non-returning strlcpy with strscpy
      Hexagon: Replace all non-returning strlcpy with strscpy
      sparc64: Replace all non-returning strlcpy with strscpy
      of/flattree: Replace all non-returning strlcpy with strscpy
      sh: Replace all non-returning strlcpy with strscpy
      kallsyms: Replace all non-returning strlcpy with strscpy
      uml: Replace strlcpy with strscpy
      netfilter: ipset: Replace strlcpy with strscpy

Kees Cook (18):
      ubsan: Tighten UBSAN_BOUNDS on GCC
      kunit: tool: Enable CONFIG_FORTIFY_SOURCE under UML
      fortify: Allow KUnit test to build without FORTIFY
      string: Add Kunit tests for strcat() family
      fortify: Use const variables for __member_size tracking
      fortify: Add protection for strlcat()
      fortify: strcat: Move definition to use fortified strlcat()
      kbuild: Enable -fstrict-flex-arrays=3
      overflow: Add struct_size_t() helper
      md/raid5: Convert stripe_head's "dev" to flexible array member
      lkdtm/bugs: Switch from 1-element array to flexible array
      Compiler Attributes: Add __counted_by macro
      checkpatch: Check for strcpy and strncpy too
      x86/purgatory: Do not use fortified string functions
      s390/purgatory: Do not use fortified string functions
      riscv/purgatory: Do not use fortified string functions
      checkpatch: Check for 0-length and 1-element arrays
      um: Use HOST_DIR for mrproper

Nick Desaulniers (1):
      ubsan: remove cc-option test for UBSAN_TRAP

Wyes Karny (1):
      acpi: Replace struct acpi_table_slit 1-element array with flex-array

 Documentation/filesystems/autofs-mount-control.rst |   2 +-
 Documentation/filesystems/autofs.rst               |   2 +-
 MAINTAINERS                                        |   1 +
 Makefile                                           |   6 +
 arch/hexagon/kernel/setup.c                        |   6 +-
 arch/microblaze/kernel/prom.c                      |   2 +-
 arch/riscv/purgatory/Makefile                      |   2 +-
 arch/s390/purgatory/Makefile                       |   2 +-
 arch/sh/drivers/dma/dma-api.c                      |   2 +-
 arch/sh/kernel/setup.c                             |   4 +-
 arch/sparc/kernel/ioport.c                         |   2 +-
 arch/sparc/kernel/setup_32.c                       |   2 +-
 arch/sparc/kernel/setup_64.c                       |   2 +-
 arch/sparc/prom/bootstr_32.c                       |   2 +-
 arch/um/Makefile                                   |   2 +-
 arch/um/include/shared/user.h                      |   1 +
 arch/um/os-Linux/drivers/tuntap_user.c             |   2 +-
 arch/x86/purgatory/Makefile                        |   2 +-
 drivers/gpu/drm/amd/amdgpu/atom.c                  |   2 +-
 drivers/gpu/drm/amd/pm/legacy-dpm/legacy_dpm.c     |   2 +-
 drivers/gpu/drm/display/drm_dp_helper.c            |   2 +-
 drivers/gpu/drm/display/drm_dp_mst_topology.c      |   2 +-
 drivers/gpu/drm/drm_mipi_dsi.c                     |   2 +-
 drivers/gpu/drm/i2c/tda998x_drv.c                  |   2 +-
 drivers/gpu/drm/mediatek/mtk_hdmi_ddc.c            |   2 +-
 drivers/gpu/drm/radeon/radeon_atombios.c           |   4 +-
 drivers/gpu/drm/radeon/radeon_combios.c            |   4 +-
 drivers/gpu/drm/rockchip/inno_hdmi.c               |   2 +-
 drivers/gpu/drm/rockchip/rk3066_hdmi.c             |   2 +-
 drivers/gpu/drm/sun4i/sun4i_hdmi_i2c.c             |   2 +-
 drivers/md/raid5.c                                 |   4 +-
 drivers/md/raid5.h                                 |   2 +-
 drivers/misc/lkdtm/bugs.c                          |   4 +-
 drivers/most/configfs.c                            |   8 +-
 drivers/net/ethernet/intel/ice/ice_ddp.h           |   9 +-
 drivers/nvme/host/fc.c                             |   8 +-
 drivers/scsi/3w-9xxx.c                             |   2 +-
 drivers/scsi/aacraid/aachba.c                      |   2 +-
 drivers/scsi/bnx2i/bnx2i_init.c                    |   2 +-
 drivers/scsi/hptiop.c                              |   4 +-
 drivers/scsi/ibmvscsi/ibmvscsi.c                   |   6 +-
 drivers/scsi/megaraid/megaraid_sas_base.c          |  12 +-
 drivers/scsi/megaraid/megaraid_sas_fp.c            |   6 +-
 drivers/scsi/qedi/qedi_main.c                      |   2 +-
 drivers/scsi/smartpqi/smartpqi_init.c              |   2 +-
 fs/befs/btree.c                                    |   2 +-
 fs/befs/linuxvfs.c                                 |   2 +-
 fs/dlm/config.c                                    |   4 +-
 fs/jbd2/journal.c                                  |   6 +-
 fs/nfs/nfsroot.c                                   |   2 +-
 fs/vboxsf/super.c                                  |   2 +-
 fs/xfs/libxfs/xfs_btree.h                          |   2 +-
 fs/xfs/scrub/btree.h                               |   2 +-
 include/acpi/actbl3.h                              |   2 +-
 include/linux/compiler_attributes.h                |  13 ++
 include/linux/fortify-string.h                     | 161 ++++++++++++++-------
 include/linux/overflow.h                           |  18 ++-
 include/linux/string.h                             |   2 +-
 include/uapi/linux/auto_dev-ioctl.h                |   2 +-
 kernel/kallsyms.c                                  |   4 +-
 kernel/params.c                                    |   2 +-
 kernel/time/clocksource.c                          |   2 +-
 kernel/trace/ftrace.c                              |  18 +--
 kernel/trace/trace.c                               |   8 +-
 kernel/trace/trace_events.c                        |   4 +-
 kernel/trace/trace_events_inject.c                 |   4 +-
 kernel/trace/trace_kprobe.c                        |   2 +-
 kernel/trace/trace_probe.c                         |   2 +-
 lib/Kconfig.debug                                  |   7 +-
 lib/Kconfig.ubsan                                  |  57 ++++----
 lib/Makefile                                       |   1 +
 lib/fortify_kunit.c                                |  14 ++
 lib/kobject.c                                      |   3 +-
 lib/overflow_kunit.c                               |   2 +-
 lib/strcat_kunit.c                                 | 104 +++++++++++++
 lib/string.c                                       |   4 +-
 lib/string_helpers.c                               |  12 +-
 lib/ubsan.c                                        |   3 -
 lib/ubsan.h                                        |  11 ++
 net/netfilter/ipset/ip_set_hash_netiface.c         |  10 +-
 scripts/Makefile.ubsan                             |   2 +-
 scripts/checkpatch.pl                              |  24 ++-
 tools/testing/kunit/configs/all_tests.config       |   2 +
 tools/testing/kunit/configs/arch_uml.config        |   3 +
 84 files changed, 467 insertions(+), 203 deletions(-)
 create mode 100644 lib/strcat_kunit.c

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ