Message-ID: <202308281138.5E9835A@keescook>
Date: Mon, 28 Aug 2023 11:42:58 -0700
From: Kees Cook <keescook@...omium.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: linux-kernel@...r.kernel.org,
	Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
	Anton Ivanov <anton.ivanov@...bridgegreys.com>,
	Azeem Shaikh <azeemshaikh38@...il.com>,
	Christian Brauner <brauner@...nel.org>,
	David Windsor <dwindsor@...il.com>,
	Elena Reshetova <elena.reshetova@...el.com>,
	"Gustavo A. R. Silva" <gustavoars@...nel.org>,
	Hans Liljestrand <ishkamiel@...il.com>,
	Jann Horn <jannh@...gle.com>,
	Jarkko Sakkinen <jarkko@...nel.org>,
	Juergen Gross <jgross@...e.com>,
	Justin Stitt <justinstitt@...gle.com>,
	Marco Elver <elver@...gle.com>,
	Mark Rutland <mark.rutland@....com>,
	Miguel Ojeda <ojeda@...nel.org>,
	Mimi Zohar <zohar@...ux.ibm.com>,
	Nathan Chancellor <nathan@...nel.org>,
	Nick Desaulniers <ndesaulniers@...gle.com>,
	Song Liu <song@...nel.org>,
	"Steven Rostedt (Google)" <rostedt@...dmis.org>,
	Yonghong Song <yonghong.song@...ux.dev>,
	Zhen Lei <thunder.leizhen@...wei.com>,
	linux-hardening@...r.kernel.org
Subject: [GIT PULL] hardening updates for v6.6-rc1

Hi Linus,

Please pull these hardening updates for v6.6-rc1. As has become normal,
changes are scattered around the tree (either explicitly maintainer
Acked or for trivial stuff that went ignored). Details in the log below,
and all have been in -next for a while.

Thanks!

-Kees

The following changes since commit fdf0eaf11452d72945af31804e2a1048ee1b574c:

  Linux 6.5-rc2 (2023-07-16 15:10:37 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.6-rc1

for you to fetch changes up to 5f536ac6a5a7b67351e4e5ae4f9e1e57d31268e6:

  LoadPin: Annotate struct dm_verity_loadpin_trusted_root_digest with __counted_by (2023-08-25 16:07:30 -0700)

----------------------------------------------------------------
hardening updates for v6.6-rc1

- Carve out the new CONFIG_LIST_HARDENED as a more focused subset of
  CONFIG_DEBUG_LIST (Marco Elver).

- Fix kallsyms lookup failure under Clang LTO (Yonghong Song).

- Clarify documentation for CONFIG_UBSAN_TRAP (Jann Horn).

- Flexible array member conversion not carried in other tree (Gustavo
  A. R. Silva).

- Various strlcpy() and strncpy() removals not carried in other trees
  (Azeem Shaikh, Justin Stitt).

- Convert nsproxy.count to refcount_t (Elena Reshetova).

- Add handful of __counted_by annotations not carried in other trees,
  as well as an LKDTM test.

- Fix build failure with gcc-plugins on GCC 14+.

- Fix selftests to respect SKIP for signal-delivery tests.

- Fix CFI warning for paravirt callback prototype.

- Clarify documentation for seq_show_option_n() usage.

----------------------------------------------------------------
Azeem Shaikh (4):
      soc: fsl: qe: Replace all non-returning strlcpy with strscpy
      um: Remove strlcpy declaration
      perf: Replace strlcpy with strscpy
      EISA: Replace all non-returning strlcpy with strscpy

Elena Reshetova (1):
      nsproxy: Convert nsproxy.count to refcount_t

Gustavo A. R. Silva (1):
      alpha: Replace one-element array with flexible-array member

Jann Horn (1):
      ubsan: Clarify Kconfig text for CONFIG_UBSAN_TRAP

Justin Stitt (2):
      um: vector: refactor deprecated strncpy
      um: refactor deprecated strncpy to memcpy

Kees Cook (8):
      seq_file: seq_show_option_n() is used for precise sizes
      x86/paravirt: Fix tlb_remove_table function callback prototype warning
      selftests/harness: Actually report SKIP for signal tests
      gcc-plugins: Rename last_stmt() for GCC 14+
      Compiler Attributes: counted_by: Adjust name and identifier expansion
      lkdtm: Add FAM_BOUNDS test for __counted_by
      integrity: Annotate struct ima_rule_opt_list with __counted_by
      LoadPin: Annotate struct dm_verity_loadpin_trusted_root_digest with __counted_by

Marco Elver (4):
      compiler_types: Introduce the Clang __preserve_most function attribute
      list_debug: Introduce inline wrappers for debug checks
      list: Introduce CONFIG_LIST_HARDENED
      hardening: Move BUG_ON_DATA_CORRUPTION to hardening options

Yonghong Song (2):
      kallsyms: Fix kallsyms_selftest failure
      kallsyms: Change func signature for cleanup_symbol_name()

 arch/alpha/kernel/osf_sys.c                 |  2 +-
 arch/arm64/kvm/hyp/nvhe/Makefile            |  2 +-
 arch/arm64/kvm/hyp/nvhe/list_debug.c        |  8 ++-
 arch/um/drivers/mconsole_kern.c             |  4 +-
 arch/um/drivers/vector_user.c               |  4 +-
 arch/um/include/shared/user.h               |  1 -
 arch/um/os-Linux/umid.c                     |  6 +-
 arch/x86/kernel/paravirt.c                  |  8 ++-
 drivers/eisa/eisa-bus.c                     |  2 +-
 drivers/misc/lkdtm/bugs.c                   | 51 +++++++++++++++--
 drivers/soc/fsl/qe/qe.c                     |  4 +-
 include/linux/compiler_attributes.h         | 26 ++++-----
 include/linux/compiler_types.h              | 28 +++++++++
 include/linux/dm-verity-loadpin.h           |  2 +-
 include/linux/list.h                        | 89 +++++++++++++++++++++++++++--
 include/linux/nsproxy.h                     |  7 +--
 include/linux/seq_file.h                    |  7 ++-
 include/uapi/linux/stddef.h                 |  4 ++
 kernel/events/core.c                        |  6 +-
 kernel/kallsyms.c                           | 27 ++++-----
 kernel/kallsyms_selftest.c                  | 23 +-------
 kernel/nsproxy.c                            |  4 +-
 lib/Kconfig.debug                           | 21 +++----
 lib/Kconfig.ubsan                           | 10 +++-
 lib/Makefile                                |  2 +-
 lib/list_debug.c                            | 16 +++---
 scripts/gcc-plugins/gcc-common.h            |  4 ++
 security/Kconfig.hardening                  | 23 ++++++++
 security/integrity/ima/ima_policy.c         |  4 +-
 security/loadpin/loadpin.c                  |  3 +-
 tools/testing/selftests/kselftest_harness.h | 11 ++--
 31 files changed, 286 insertions(+), 123 deletions(-)

--
Kees Cook