lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <202210011003.B89BF8B@keescook>
Date:   Sat, 1 Oct 2022 10:46:51 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-kernel@...r.kernel.org, Bart Van Assche <bvanassche@....org>,
        Bill Wendling <morbo@...gle.com>,
        Sami Tolvanen <samitolvanen@...gle.com>,
        Matthias Kaehlcke <mka@...omium.org>,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        Kees Cook <keescook@...omium.org>
Subject: [GIT PULL] kernel hardening updates for v6.1-rc1

Hi Linus,

Please pull these kernel hardening updates for v6.1-rc1. Most of
the collected changes here are fixes across the tree for various
hardening features (noted in the tag commit log below).

The most notable new feature here is the addition of the memcpy()
overflow warning (under CONFIG_FORTIFY_SOURCE), which is the next step
on the path to killing the common class of "trivially detectable" buffer
overflow conditions (i.e. on arrays with sizes known at compile time)
that have resulted in many exploitable vulnerabilities over the years
(e.g. BleedingTooth).

This feature is expected to still have some undiscovered false
positives. It's been in -next for a full development cycle and all
the reported false positives have been fixed in their respective trees.
All the known-bad code patterns we could find with Coccinelle are
also either fixed in their respective trees or in flight.

The commit log[1] for the feature has extensive details, but I'll repeat
here that this is a warning _only_, and is not intended to actually block
overflows (yet). The many patches fixing array sizes and struct members
have been landing for several years now, and we're finally able to turn
this on to find any remaining stragglers.

1 expected conflict is minimal:
- https://lore.kernel.org/linux-next/20220906174946.61819060@canb.auug.org.au/

Thanks!

-Kees

[1] https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id=54d9469bc515dc5fcbc20eecbe19cea868b70d68

The following changes since commit 1c23f9e627a7b412978b4e852793c5e3c3efc555:

  Linux 6.0-rc2 (2022-08-21 17:32:54 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.1-rc1

for you to fetch changes up to 2120635108b35ecad9c59c8b44f6cbdf4f98214e:

  Makefile.extrawarn: Move -Wcast-function-type-strict to W=1 (2022-10-01 07:46:05 -0700)

----------------------------------------------------------------
hardening updates for v6.1-rc1

Various fixes across several hardening areas:

- loadpin: Fix verity target enforcement (Matthias Kaehlcke).

- zero-call-used-regs: Add missing clobbers in paravirt (Bill Wendling).

- CFI: clean up sparc function pointer type mismatches (Bart Van Assche).

- Clang: Adjust compiler flag detection for various Clang changes (Sami
  Tolvanen, Kees Cook).

- fortify: Fix warnings in arch-specific code in sh, ARM, and xen.

Improvements to existing features:

- testing: improve overflow KUnit test, introduce fortify KUnit test,
  add more coverage to LKDTM tests (Bart Van Assche, Kees Cook).

- overflow: Relax overflow type checking for wider utility.

New features:

- string: Introduce strtomem() and strtomem_pad() to fill a gap in
  strncpy() replacement needs.

- um: Enable FORTIFY_SOURCE support.

- fortify: Enable run-time struct member memcpy() overflow warning.

----------------------------------------------------------------
Bart Van Assche (4):
      testing/selftests: Add tests for the is_signed_type() macro
      overflow, tracing: Define the is_signed_type() macro once
      lib: Improve the is_signed_type() kunit test
      sparc: Unbreak the build

Bill Wendling (2):
      x86/paravirt: clean up typos and grammaros
      x86/paravirt: add extra clobbers with ZERO_CALL_USED_REGS enabled

Kees Cook (17):
      overflow: Allow mixed type arguments
      overflow: Split up kunit tests for smaller stack frames
      string: Introduce strtomem() and strtomem_pad()
      fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL
      fortify: Add KUnit test for FORTIFY_SOURCE internals
      fortify: Use SIZE_MAX instead of (size_t)-1
      fortify: Add run-time WARN for cross-field memcpy()
      lkdtm: Update tests for memcpy() run-time warnings
      um: Enable FORTIFY_SOURCE
      kunit/memcpy: Avoid pathological compile-time string size
      sh: machvec: Use char[] for section boundaries
      fortify: Adjust KUnit test for modular build
      ARM: decompressor: Include .data.rel.ro.local
      x86/entry: Work around Clang __bdos() bug
      fortify: Explicitly check bounds are compile-time constants
      fortify: Convert to struct vs member helpers
      hardening: Remove Clang's enable flag for -ftrivial-auto-var-init=zero

Matthias Kaehlcke (3):
      LoadPin: Fix Kconfig doc about format of file with verity digests
      dm: verity-loadpin: Only trust verity targets with enforcement
      LoadPin: Require file with verity root digests to have a header

Sami Tolvanen (1):
      Makefile.extrawarn: Move -Wcast-function-type-strict to W=1

 Documentation/process/deprecated.rst    |  11 +-
 MAINTAINERS                             |   1 +
 Makefile                                |   4 +-
 arch/arm/boot/compressed/vmlinux.lds.S  |   2 +
 arch/sh/include/asm/sections.h          |   2 +-
 arch/sh/kernel/machvec.c                |  10 +-
 arch/sparc/include/asm/smp_32.h         |  15 +-
 arch/sparc/kernel/leon_smp.c            |  12 +-
 arch/sparc/kernel/sun4d_smp.c           |  12 +-
 arch/sparc/kernel/sun4m_smp.c           |  10 +-
 arch/sparc/mm/srmmu.c                   |  29 ++--
 arch/um/Kconfig                         |   1 +
 arch/um/os-Linux/user_syms.c            |   1 +
 arch/x86/include/asm/paravirt_types.h   |  27 ++--
 arch/x86/xen/enlighten_pv.c             |   3 +-
 drivers/md/dm-verity-loadpin.c          |   8 ++
 drivers/md/dm-verity-target.c           |  16 +++
 drivers/md/dm-verity.h                  |   1 +
 drivers/misc/lkdtm/fortify.c            |  96 +++++++++++--
 include/linux/compiler.h                |   6 +
 include/linux/fortify-string.h          | 245 +++++++++++++++++++++++---------
 include/linux/overflow.h                |  73 +++++-----
 include/linux/string.h                  |  43 ++++++
 include/linux/trace_events.h            |   2 -
 lib/Kconfig.debug                       |  21 +++
 lib/Makefile                            |   2 +
 lib/fortify_kunit.c                     |  76 ++++++++++
 lib/is_signed_type_kunit.c              |  53 +++++++
 lib/memcpy_kunit.c                      |  59 +++++++-
 lib/overflow_kunit.c                    | 177 ++++++++++++++++-------
 scripts/Makefile.extrawarn              |   1 +
 security/Kconfig.hardening              |  14 +-
 security/loadpin/Kconfig                |   7 +-
 security/loadpin/loadpin.c              |  16 ++-
 tools/testing/selftests/lkdtm/tests.txt |   8 +-
 35 files changed, 821 insertions(+), 243 deletions(-)
 create mode 100644 lib/fortify_kunit.c
 create mode 100644 lib/is_signed_type_kunit.c

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ