Date:   Sun, 11 Apr 2021 14:02:49 +0800
From:   kernel test robot <lkp@...el.com>
To:     Kees Cook <keescook@...omium.org>, linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org
Cc:     kbuild-all@...ts.01.org, Kees Cook <keescook@...omium.org>
Subject: Re: [PATCH] LoadPin: Allow filesystem switch when not enforcing

Hi Kees,

I love your patch! Yet something to improve:

[auto build test ERROR on linux/master]
[also build test ERROR on kees/for-next/pstore linus/master v5.12-rc6 next-20210409]
[cannot apply to kees/for-next/loadpin]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Kees-Cook/LoadPin-Allow-filesystem-switch-when-not-enforcing/20210409-073059
base:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 5e46d1b78a03d52306f21f77a4e4a144b6d31486
config: x86_64-allyesconfig (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce (this is a W=1 build):
        # https://github.com/0day-ci/linux/commit/3dc7289d9d15396745929884191874dc2cce1afc
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Kees-Cook/LoadPin-Allow-filesystem-switch-when-not-enforcing/20210409-073059
        git checkout 3dc7289d9d15396745929884191874dc2cce1afc
        # save the attached .config to linux build tree
        make W=1 ARCH=x86_64 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>

All errors (new ones prefixed by >>):

   In file included from include/linux/kernel.h:16,
                    from include/linux/list.h:9,
                    from include/linux/module.h:12,
                    from security/loadpin/loadpin.c:12:
   security/loadpin/loadpin.c: In function 'report_writable':
>> security/loadpin/loadpin.c:106:4: error: 'load_root_writable' undeclared (first use in this function)
     106 |    load_root_writable ? "writable" : "read-only");
         |    ^~~~~~~~~~~~~~~~~~
   include/linux/printk.h:373:34: note: in definition of macro 'pr_info'
     373 |  printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
         |                                  ^~~~~~~~~~~
   security/loadpin/loadpin.c:106:4: note: each undeclared identifier is reported only once for each function it appears in
     106 |    load_root_writable ? "writable" : "read-only");
         |    ^~~~~~~~~~~~~~~~~~
   include/linux/printk.h:373:34: note: in definition of macro 'pr_info'
     373 |  printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
         |                                  ^~~~~~~~~~~
   security/loadpin/loadpin.c: In function 'loadpin_sb_free_security':
>> security/loadpin/loadpin.c:121:7: error: 'enforced' undeclared (first use in this function); did you mean 'enforce'?
     121 |   if (enforced) {
         |       ^~~~~~~~
         |       enforce
   security/loadpin/loadpin.c: In function 'loadpin_read_file':
   security/loadpin/loadpin.c:135:43: warning: variable 'sysctl_needed' set but not used [-Wunused-but-set-variable]
     135 |  bool load_root_writable, first_root_pin, sysctl_needed;
         |                                           ^~~~~~~~~~~~~


vim +/load_root_writable +106 security/loadpin/loadpin.c

    96	
    97	static void report_writable(struct block_device *bdev)
    98	{
    99		if (bdev) {
   100			char name[BDEVNAME_SIZE];
   101	
   102			bdevname(bdev, name);
   103			pr_info("%s (%u:%u): %s\n", name,
   104				MAJOR(bdev->bd_dev),
   105				MINOR(bdev->bd_dev),
 > 106				load_root_writable ? "writable" : "read-only");
   107		} else {
   108			pr_info("pinned filesystem lacks block device, treating as: writable\n");
   109		}
   110	}
   111	
   112	static void loadpin_sb_free_security(struct super_block *mnt_sb)
   113	{
   114		/*
   115		 * When unmounting the filesystem we were using for load
   116		 * pinning, we acknowledge the superblock release, but make sure
   117		 * no other modules or firmware can be loaded when we are in
   118		 * enforcing mode. Otherwise, allow the root to be reestablished.
   119		 */
   120		if (!IS_ERR_OR_NULL(pinned_root) && mnt_sb == pinned_root) {
 > 121			if (enforced) {
   122				pinned_root = ERR_PTR(-EIO);
   123				pr_info("umount pinned fs: refusing further loads\n");
   124			} else {
   125				pinned_root = NULL;
   126			}
   127		}
   128	}
   129	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Download attachment ".config.gz" of type "application/gzip" (65020 bytes)
