Open Source and information security mailing list archives
 
Date:   Mon, 6 May 2019 09:20:12 +0200
From:   Ingo Molnar <mingo@...nel.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-kernel@...r.kernel.org,
        Peter Zijlstra <a.p.zijlstra@...llo.nl>,
        Thomas Gleixner <tglx@...utronix.de>,
        Borislav Petkov <bp@...en8.de>,
        Andy Lutomirski <luto@...nel.org>,
        "H. Peter Anvin" <hpa@...or.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Subject: [GIT PULL] objtool changes for v5.2: Add build-time uaccess
 permissions and DF validation

Linus,

Please pull the latest core-objtool-for-linus git tree from:

   git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git core-objtool-for-linus

   # HEAD: 29da93fea3ea39ab9b12270cc6be1b70ef201c9e mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions

This is a series from Peter Zijlstra that adds x86 build-time uaccess 
validation of SMAP to objtool, which will detect and warn about the 
following uaccess API usage bugs and weirdnesses:

	call to %s() with UACCESS enabled
	return with UACCESS enabled
	return with UACCESS disabled from a UACCESS-safe function
	recursive UACCESS enable
	redundant UACCESS disable
	UACCESS-safe disables UACCESS

As it turns out, not leaking uaccess permissions outside the intended 
uaccess functionality is hard when the interfaces are complex and when 
such bugs are mostly dormant.

As a bonus we now also check the DF flag. We had at least one 
high-profile bug in that area in the early days of Linux, and the 
checking is fairly simple. The checks performed and warnings emitted are:

	call to %s() with DF set
	return with DF set
	return with modified stack frame
	recursive STD
	redundant CLD

It's all x86-only for now, but later on this can also be used for PAN on 
ARM and objtool is fairly cross-platform in principle.

While all warnings emitted by this new checking facility that got 
reported to us were fixed, there might be GCC version dependent warnings 
that were not reported yet - which we'll address, should they trigger.

The warnings are non-fatal build warnings.

 Thanks,

	Ingo

------------------>
Josh Poimboeuf (1):
      tracing: Improve "if" macro code generation

Peter Zijlstra (26):
      sched/x86: Save [ER]FLAGS on context switch
      x86/ia32: Fix ia32_restore_sigcontext() AC leak
      i915, uaccess: Fix redundant CLAC
      x86/uaccess: Move copy_user_handle_tail() into asm
      x86/uaccess: Fix up the fixup
      x86/nospec, objtool: Introduce ANNOTATE_IGNORE_ALTERNATIVE
      x86/uaccess, xen: Suppress SMAP warnings
      x86/uaccess: Always inline user_access_begin()
      x86/uaccess, signal: Fix AC=1 bloat
      x86/uaccess: Introduce user_access_{save,restore}()
      x86/smap: Ditch __stringify()
      x86/uaccess, kasan: Fix KASAN vs SMAP
      x86/uaccess, ubsan: Fix UBSAN vs. SMAP
      x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP
      x86/uaccess, kcov: Disable stack protector
      objtool: Set insn->func for alternatives
      objtool: Handle function aliases
      objtool: Rewrite add_ignores()
      objtool: Add --backtrace support
      objtool: Rewrite alt->skip_orig
      objtool: Fix sibling call detection
      objtool: Add UACCESS validation
      objtool: Add Direction Flag validation
      sched/x86_64: Don't save flags on context switch
      x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation
      mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions


 arch/x86/entry/entry_32.S                  |   2 +
 arch/x86/ia32/ia32_signal.c                |  29 ++-
 arch/x86/include/asm/alternative-asm.h     |  11 +
 arch/x86/include/asm/alternative.h         |  10 +
 arch/x86/include/asm/asm.h                 |  24 --
 arch/x86/include/asm/nospec-branch.h       |  28 +-
 arch/x86/include/asm/smap.h                |  37 ++-
 arch/x86/include/asm/switch_to.h           |   1 +
 arch/x86/include/asm/uaccess.h             |  12 +-
 arch/x86/include/asm/uaccess_64.h          |   3 -
 arch/x86/include/asm/xen/hypercall.h       |  24 +-
 arch/x86/kernel/process_32.c               |   7 +
 arch/x86/kernel/process_64.c               |   1 +
 arch/x86/kernel/signal.c                   |  29 ++-
 arch/x86/lib/copy_user_64.S                |  48 ++++
 arch/x86/lib/memcpy_64.S                   |   3 +-
 arch/x86/lib/usercopy_64.c                 |  20 --
 drivers/gpu/drm/i915/i915_gem_execbuffer.c |   6 +-
 include/linux/compiler.h                   |   2 +-
 include/linux/uaccess.h                    |   2 +
 kernel/Makefile                            |   1 +
 kernel/trace/trace_branch.c                |   4 +
 lib/Makefile                               |   1 +
 lib/strncpy_from_user.c                    |   5 +-
 lib/strnlen_user.c                         |   4 +-
 lib/ubsan.c                                |   4 +
 mm/kasan/Makefile                          |   3 +
 mm/kasan/common.c                          |  10 +
 mm/kasan/report.c                          |   3 +-
 scripts/Makefile.build                     |   3 +
 tools/objtool/arch.h                       |   8 +-
 tools/objtool/arch/x86/decode.c            |  21 +-
 tools/objtool/builtin-check.c              |   4 +-
 tools/objtool/builtin.h                    |   2 +-
 tools/objtool/check.c                      | 400 ++++++++++++++++++++++-------
 tools/objtool/check.h                      |   4 +-
 tools/objtool/elf.c                        |  15 +-
 tools/objtool/elf.h                        |   3 +-
 tools/objtool/special.c                    |  18 ++
 tools/objtool/special.h                    |   1 +
 tools/objtool/warn.h                       |   8 +
 41 files changed, 602 insertions(+), 219 deletions(-)
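
Added example, not part of the original mail and not objtool's code: a toy C model of the state tracking behind the UACCESS and DF warnings listed above, run over a single straight-line instruction path. The `W_*` flags, `struct insn`, `check_path()` and the rule that a UACCESS-safe function starts with UACCESS enabled are assumptions of this sketch; the warning conditions are inferred from the warning texts in the mail.

```c
#include <stdio.h>
/* Toy model, not objtool code: walks ONE straight-line path and tracks the
 * AC (uaccess) and DF state. Real objtool follows every branch it decodes. */
enum op { STAC, CLAC, STD, CLD, CALL, RET };
struct insn { enum op op; int callee_safe; /* CALL only: callee is UACCESS-safe */ };
enum { W_CALL_UACCESS = 1, W_RET_UACCESS = 2, W_RET_SAFE_DISABLED = 4,
       W_RECURSIVE_ENABLE = 8, W_REDUNDANT_DISABLE = 16, W_SAFE_DISABLES = 32,
       W_CALL_DF = 64, W_RET_DF = 128, W_RECURSIVE_STD = 256, W_REDUNDANT_CLD = 512 };

/* func_safe: the checked function is itself UACCESS-safe; this model assumes
 * such a function is entered with UACCESS already enabled. */
static unsigned check_path(const struct insn *code, int n, int func_safe)
{
    int uaccess = func_safe, df = 0;
    unsigned w = 0;

    for (int i = 0; i < n; i++) {
        switch (code[i].op) {
        case STAC:
            if (uaccess) w |= W_RECURSIVE_ENABLE;
            uaccess = 1; break;
        case CLAC:
            if (!uaccess) w |= W_REDUNDANT_DISABLE;
            if (func_safe) w |= W_SAFE_DISABLES;
            uaccess = 0; break;
        case STD:
            if (df) w |= W_RECURSIVE_STD;
            df = 1; break;
        case CLD:
            if (!df) w |= W_REDUNDANT_CLD;
            df = 0; break;
        case CALL:
            if (uaccess && !code[i].callee_safe) w |= W_CALL_UACCESS;
            if (df) w |= W_CALL_DF;
            break;
        case RET:
            if (uaccess && !func_safe) w |= W_RET_UACCESS;
            if (!uaccess && func_safe) w |= W_RET_SAFE_DISABLED;
            if (df) w |= W_RET_DF;
            return w;
        }
    }
    return w; /* path ended without a RET */
}

int main(void)
{
    /* Constructed path: STAC, call to an ordinary function, RET with no CLAC. */
    const struct insn leaky[] = { {STAC, 0}, {CALL, 0}, {RET, 0} };
    printf("warning mask: 0x%x\n", check_path(leaky, 3, 0));
}
```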
