| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 1 Aug 2022 10:53:32 -0700
From: Kees Cook <keescook@...omium.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: linux-kernel@...r.kernel.org, GONG Ruiqi <gongruiqi1@...wei.com>,
"Jason A. Donenfeld" <Jason@...c4.com>,
Justin Stitt <justinstitt@...gle.com>,
Kees Cook <keescook@...omium.org>,
Lukas Bulwahn <lukas.bulwahn@...il.com>,
Matthias Kaehlcke <mka@...omium.org>,
Mike Snitzer <snitzer@...nel.org>
Subject: [GIT PULL] kernel hardening updates for v5.20-rc1
Hi Linus,
Please pull these kernel hardening updates for v5.20-rc1. Two
cross-maintainer notes: the dm-verity/loadpin changes are Acked by
Mike Snitzer but they have been carried in my treer; the LKDTM change
is duplicated in the drivers/misc tree (it was late in cycle when Greg
and I both picked it up).
Thanks!
-Kees
The following changes since commit a111daf0c53ae91e71fd2bfe7497862d14132e3e:
Linux 5.19-rc3 (2022-06-19 15:06:47 -0500)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v5.20-rc1
for you to fetch changes up to 27603a606fda0806d7c08914bc976931aa42020e:
dm: verity-loadpin: Drop use of dm_table_get_num_targets() (2022-07-28 21:48:12 -0700)
----------------------------------------------------------------
hardening updates for v5.20-rc1
- Fix Sparse warnings with randomizd kstack (GONG, Ruiqi)
- Replace uintptr_t with unsigned long in usercopy (Jason A. Donenfeld)
- Fix Clang -Wforward warning in LKDTM (Justin Stitt)
- Fix comment to correctly refer to STRICT_DEVMEM (Lukas Bulwahn)
- Introduce dm-verity binding logic to LoadPin LSM (Matthias Kaehlcke)
- Clean up warnings and overflow and KASAN tests (Kees Cook)
----------------------------------------------------------------
GONG, Ruiqi (1):
stack: Declare {randomize_,}kstack_offset to fix Sparse warnings
Jason A. Donenfeld (1):
usercopy: use unsigned long instead of uintptr_t
Justin Stitt (1):
drivers: lkdtm: fix clang -Wformat warning
Kees Cook (3):
MAINTAINERS: Add a general "kernel hardening" section
lib: overflow: Do not define 64-bit tests on 32-bit
kasan: test: Silence GCC 12 warnings
Lukas Bulwahn (1):
x86: mm: refer to the intended config STRICT_DEVMEM in a comment
Matthias Kaehlcke (4):
dm: Add verity helpers for LoadPin
LoadPin: Enable loading from trusted dm-verity devices
dm: verity-loadpin: Use CONFIG_SECURITY_LOADPIN_VERITY for conditional compilation
dm: verity-loadpin: Drop use of dm_table_get_num_targets()
MAINTAINERS | 21 ++++-
arch/x86/mm/init.c | 2 +-
drivers/md/Makefile | 1 +
drivers/md/dm-verity-loadpin.c | 75 +++++++++++++++++
drivers/md/dm-verity-target.c | 33 +++++++-
drivers/md/dm-verity.h | 4 +
drivers/misc/lkdtm/bugs.c | 2 +-
include/linux/dm-verity-loadpin.h | 27 ++++++
include/uapi/linux/loadpin.h | 22 +++++
init/main.c | 1 +
lib/overflow_kunit.c | 6 ++
lib/test_kasan.c | 10 +++
mm/usercopy.c | 2 +-
security/loadpin/Kconfig | 16 ++++
security/loadpin/loadpin.c | 167 +++++++++++++++++++++++++++++++++++++-
15 files changed, 380 insertions(+), 9 deletions(-)
create mode 100644 drivers/md/dm-verity-loadpin.c
create mode 100644 include/linux/dm-verity-loadpin.h
create mode 100644 include/uapi/linux/loadpin.h
--
Kees Cook
Powered by blists - more mailing lists