Message-ID: <202403111702.828C918E55@keescook>
Date: Mon, 11 Mar 2024 18:18:31 -0700
From: Kees Cook <keescook@...omium.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: linux-kernel@...r.kernel.org,
Alexander Lobakin <aleksander.lobakin@...el.com>,
Al Viro <viro@...iv.linux.org.uk>,
Andrew Morton <akpm@...ux-foundation.org>,
Andrey Konovalov <andreyknvl@...il.com>,
Andrey Ryabinin <ryabinin.a.a@...il.com>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
Andy Shevchenko <andy@...nel.org>,
Andy Shevchenko <andy.shevchenko@...il.com>,
Arnd Bergmann <arnd@...db.de>, Bill Wendling <morbo@...gle.com>,
Dan Carpenter <dan.carpenter@...aro.org>,
Douglas Anderson <dianders@...omium.org>,
Fangrui Song <maskray@...gle.com>,
Geert Uytterhoeven <geert@...ux-m68k.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Guenter Roeck <linux@...ck-us.net>,
Guixiong Wei <guixiongwei@...il.com>,
"Gustavo A. R. Silva" <gustavoars@...nel.org>,
Hao Luo <haoluo@...gle.com>,
Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>,
Jacob Keller <jacob.e.keller@...el.com>,
Jakub Kicinski <kuba@...nel.org>,
Jani Nikula <jani.nikula@...el.com>,
Jingzi Meng <mengjingzi@....ac.cn>,
John Paul Adrian Glaubitz <glaubitz@...sik.fu-berlin.de>,
Josh Poimboeuf <jpoimboe@...nel.org>,
Juergen Gross <jgross@...e.com>,
Justin Stitt <justinstitt@...gle.com>,
Kees Cook <keescook@...omium.org>,
Kent Overstreet <kent.overstreet@...ux.dev>,
kernel test robot <lkp@...el.com>, linux-doc@...r.kernel.org,
linux-hardening@...r.kernel.org, linux-kbuild@...r.kernel.org,
linux-sh@...r.kernel.org, linux-um@...ts.infradead.org,
llvm@...ts.linux.dev, Lukas Bulwahn <lukas.bulwahn@...il.com>,
Marco Elver <elver@...gle.com>, Mark Rutland <mark.rutland@....com>,
Masahiro Yamada <masahiroy@...nel.org>,
Matthieu Baerts <matttbe@...nel.org>,
Michael Ellerman <mpe@...erman.id.au>,
Michal Wajdeczko <michal.wajdeczko@...el.com>,
Miguel Ojeda <ojeda@...nel.org>,
Nathan Chancellor <nathan@...nel.org>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Nicolas Schier <nicolas@...sle.eu>,
Nicolas Schier <n.schier@....de>,
Peter Zijlstra <peterz@...radead.org>,
Randy Dunlap <rdunlap@...radead.org>,
Richard Weinberger <richard@....at>, Rich Felker <dalias@...c.org>,
Sachin Sant <sachinp@...ux.ibm.com>,
Sam Ravnborg <sam@...nborg.org>,
syzkaller <syzkaller@...glegroups.com>,
Tanzir Hasan <tanzirh@...gle.com>,
Tycho Andersen <tandersen@...flix.com>,
Vasiliy Kovalev <kovalev@...linux.org>,
Vegard Nossum <vegard.nossum@...cle.com>,
Yoshinori Sato <ysato@...rs.sourceforge.jp>
Subject: [GIT PULL] hardening updates for v6.9-rc1

Hi Linus,

Please pull these kernel hardening updates for v6.9-rc1. As is pretty
normal for this tree, there are changes all over the place, especially
for small fixes, selftest improvements, and improved macro usability.
Some header changes ended up landing via this tree as they depended on
the string header cleanups. Also, a notable set of changes is the work
for the reintroduction of the UBSAN signed integer overflow sanitizer
so that we can continue to make improvements on the compiler side to
make this sanitizer a more viable future security hardening option.

Everything has been in -next for a while, but there are a couple small
merge conflicts to deal with:

kbuild tree:
https://lore.kernel.org/linux-next/20240226165811.56f71171@canb.auug.org.au/

bcachefs tree:
https://lore.kernel.org/linux-next/20240301154351.1d097566@canb.auug.org.au/

Later in the merge window I intend to send some macro adjustment
collateral changes, but since they're mechanical, I figured it would be
simpler to wait for the end of -rc1.

Thanks!

-Kees

The following changes since commit 41bccc98fb7931d63d03f326a746ac4d429c1dd3:

  Linux 6.8-rc2 (2024-01-28 17:01:12 -0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.9-rc1

for you to fetch changes up to 3fe1eb4dd2e4b872ffb7b9b081b34ffcfa934ba7:

  selftests/powerpc: Fix load_unaligned_zeropad build failure (2024-03-05 10:29:15 -0800)

----------------------------------------------------------------
hardening updates for v6.9-rc1
- string.h and related header cleanups (Tanzir Hasan, Andy Shevchenko)
- VMCI memcpy() usage and struct_size() cleanups (Vasiliy Kovalev, Harshit
Mogalapalli)
- selftests/powerpc: Fix load_unaligned_zeropad build failure (Michael
Ellerman)
- hardened Kconfig fragment updates (Marco Elver, Lukas Bulwahn)
- Handle tail call optimization better in LKDTM (Douglas Anderson)
- Use long form types in overflow.h (Andy Shevchenko)
- Add flags param to string_get_size() (Andy Shevchenko)
- Add Coccinelle script for potential struct_size() use (Jacob Keller)
- Fix objtool corner case under KCFI (Josh Poimboeuf)
- Drop 13 year old backward compat CAP_SYS_ADMIN check (Jingzi Meng)
- Add str_plural() helper (Michal Wajdeczko, Kees Cook)
- Ignore relocations in .notes section
- Add comments to explain how __is_constexpr() works
- Fix m68k stack alignment expectations in stackinit Kunit test
- Convert string selftests to KUnit
- Add KUnit tests for fortified string functions
- Improve reporting during fortified string warnings
- Allow non-type arg to type_max() and type_min()
- Allow strscpy() to be called with only 2 arguments
- Add binary mode to leaking_addresses scanner
- Various small cleanups to leaking_addresses scanner
- Adding wrapping_*() arithmetic helper
- Annotate initial signed integer wrap-around in refcount_t
- Add explicit UBSAN section to MAINTAINERS
- Fix UBSAN self-test warnings
- Simplify UBSAN build via removal of CONFIG_UBSAN_SANITIZE_ALL
- Reintroduce UBSAN's signed overflow sanitizer
----------------------------------------------------------------
Andy Shevchenko (4):
kernel.h: Move upper_*_bits() and lower_*_bits() to wordpart.h
kernel.h: Move lib/cmdline.c prototypes to string.h
overflow: Use POD in check_shl_overflow()
lib/string_helpers: Add flags param to string_get_size()
Douglas Anderson (3):
lkdtm: Make lkdtm_do_action() return to avoid tail call optimization
lkdtm/bugs: Adjust lkdtm_HUNG_TASK() to avoid tail call optimization
lkdtm/bugs: In lkdtm_HUNG_TASK() use BUG(), not BUG_ON(1)
Harshit Mogalapalli (2):
VMCI: Use struct_size() in kmalloc()
VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
Jacob Keller (1):
coccinelle: semantic patch to check for potential struct_size calls
Jingzi Meng (1):
cap_syslog: remove CAP_SYS_ADMIN when dmesg_restrict
Josh Poimboeuf (1):
objtool: Fix UNWIND_HINT_{SAVE,RESTORE} across basic blocks
Kees Cook (31):
MAINTAINERS: Add UBSAN section
ubsan: Use Clang's -fsanitize-trap=undefined option
ubsan: Silence W=1 warnings in self-test
ubsan: Remove CONFIG_UBSAN_SANITIZE_ALL
ubsan: Reintroduce signed overflow sanitizer
string: Redefine strscpy_pad() as a macro
string: Allow 2-argument strscpy()
string: Allow 2-argument strscpy_pad()
um: Convert strscpy() usage to 2-argument style
overflow: Adjust check_*_overflow() kern-doc to reflect results
overflow: Introduce wrapping_add(), wrapping_sub(), and wrapping_mul()
overflow: Introduce wrapping_assign_add() and wrapping_assign_sub()
coccinelle: Add rules to find str_plural() replacements
refcount: Annotated intentional signed integer wrap-around
fortify: Split reporting and avoid passing string pointer
fortify: Allow KUnit test to build without FORTIFY
fortify: Provide KUnit counters for failure testing
fortify: Add KUnit tests for runtime overflows
fortify: Improve buffer overflow reporting
MAINTAINERS: Update LEAKING_ADDRESSES details
leaking_addresses: Use File::Temp for /tmp files
leaking_addresses: Ignore input device status lines
leaking_addresses: Provide mechanism to scan binary files
sparc: vdso: Disable UBSAN instrumentation
lib: stackinit: Adjust target string to 8 bytes for m68k
x86, relocs: Ignore relocations in .notes section
overflow: Allow non-type arg to type_max() and type_min()
compiler.h: Explain how __is_constexpr() works
sh: Fix build with CONFIG_UBSAN=y
string: Convert selftest to KUnit
string: Convert helpers selftest to KUnit
Lukas Bulwahn (2):
hardening: drop obsolete UBSAN_SANITIZE_ALL from config fragment
hardening: drop obsolete DRM_LEGACY from config fragment
Marco Elver (1):
hardening: Enable KFENCE in the hardening config
Michael Ellerman (1):
selftests/powerpc: Fix load_unaligned_zeropad build failure
Michal Wajdeczko (1):
lib/string_choices: Add str_plural() helper
Tanzir Hasan (2):
kernel.h: removed REPEAT_BYTE from kernel.h
lib/string: shrink lib/string.i via IWYU
Vasiliy Kovalev (1):
VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()
Documentation/dev-tools/ubsan.rst | 28 +-
MAINTAINERS | 26 +-
arch/arm/Kconfig | 2 +-
arch/arm/boot/compressed/misc.c | 2 +-
arch/arm/boot/compressed/misc.h | 2 +-
arch/arm/include/asm/word-at-a-time.h | 3 +-
arch/arm64/Kconfig | 2 +-
arch/arm64/include/asm/word-at-a-time.h | 3 +-
arch/mips/Kconfig | 2 +-
arch/parisc/Kconfig | 2 +-
arch/powerpc/Kconfig | 2 +-
arch/powerpc/include/asm/word-at-a-time.h | 4 +-
arch/riscv/Kconfig | 2 +-
arch/riscv/include/asm/word-at-a-time.h | 3 +-
arch/s390/Kconfig | 2 +-
arch/s390/include/asm/word-at-a-time.h | 3 +-
arch/sh/boot/compressed/Makefile | 1 +
arch/sh/include/asm/word-at-a-time.h | 2 +
arch/sparc/vdso/Makefile | 1 +
arch/um/drivers/net_kern.c | 2 +-
arch/um/drivers/vector_kern.c | 2 +-
arch/um/drivers/vector_user.c | 4 +-
arch/um/include/shared/user.h | 3 +-
arch/um/os-Linux/drivers/ethertap_user.c | 2 +-
arch/um/os-Linux/drivers/tuntap_user.c | 2 +-
arch/um/os-Linux/umid.c | 6 +-
arch/x86/Kconfig | 2 +-
arch/x86/boot/compressed/misc.c | 2 +-
arch/x86/include/asm/word-at-a-time.h | 3 +-
arch/x86/kvm/mmu/mmu.c | 1 +
arch/x86/tools/relocs.c | 8 +
drivers/misc/lkdtm/bugs.c | 3 +-
drivers/misc/lkdtm/core.c | 22 +-
drivers/misc/vmw_vmci/vmci_datagram.c | 10 +-
fs/namei.c | 2 +-
include/asm-generic/word-at-a-time.h | 3 +-
include/linux/compiler.h | 39 ++
include/linux/compiler_types.h | 9 +-
include/linux/fortify-string.h | 122 ++--
include/linux/kernel.h | 44 +-
include/linux/overflow.h | 115 +++-
include/linux/refcount.h | 9 +-
include/linux/string.h | 86 ++-
include/linux/string_choices.h | 11 +
include/linux/string_helpers.h | 10 +-
include/linux/wordpart.h | 42 ++
kernel/configs/hardening.config | 7 +-
kernel/printk/printk.c | 11 -
lib/Kconfig.debug | 14 +-
lib/Kconfig.ubsan | 28 +-
lib/Makefile | 7 +-
lib/fortify_kunit.c | 662 ++++++++++++++++++++-
lib/overflow_kunit.c | 67 ++-
lib/stackinit_kunit.c | 19 +-
lib/string.c | 23 +-
lib/string_helpers.c | 89 ++-
...est-string_helpers.c => string_helpers_kunit.c} | 255 ++++----
lib/string_kunit.c | 199 +++++++
lib/test_string.c | 257 --------
lib/test_ubsan.c | 41 +-
lib/ubsan.c | 68 +++
lib/ubsan.h | 4 +
scripts/Makefile.lib | 5 +-
scripts/Makefile.ubsan | 5 +-
scripts/coccinelle/api/string_choices.cocci | 41 ++
scripts/coccinelle/misc/struct_size.cocci | 74 +++
scripts/leaking_addresses.pl | 90 ++-
tools/objtool/check.c | 12 +
tools/objtool/noreturns.h | 2 +-
.../selftests/powerpc/primitives/linux/bitops.h | 0
.../selftests/powerpc/primitives/linux/wordpart.h | 1 +
71 files changed, 1949 insertions(+), 688 deletions(-)
create mode 100644 include/linux/wordpart.h
rename lib/{test-string_helpers.c => string_helpers_kunit.c} (67%)
create mode 100644 lib/string_kunit.c
delete mode 100644 lib/test_string.c
create mode 100644 scripts/coccinelle/api/string_choices.cocci
create mode 100644 scripts/coccinelle/misc/struct_size.cocci
create mode 100644 tools/testing/selftests/powerpc/primitives/linux/bitops.h
create mode 120000 tools/testing/selftests/powerpc/primitives/linux/wordpart.h
--
Kees Cook