Message-ID: <202503170859.6188E2CEBE@keescook>
Date: Mon, 17 Mar 2025 09:04:32 -0700
From: Kees Cook <kees@...nel.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: linux-kernel@...r.kernel.org,
Andy Shevchenko <andy.shevchenko@...il.com>,
Arulpandiyan Vadivel <arulpandiyan.vadivel@...mens.com>,
Christophe Leroy <christophe.leroy@...roup.eu>,
Dave Hansen <dave.hansen@...ux.intel.com>,
David Gow <davidgow@...gle.com>, Ingo Molnar <mingo@...nel.org>,
Justin Stitt <justinstitt@...gle.com>, Kees Cook <kees@...nel.org>,
kernel test robot <lkp@...el.com>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Larysa Zaremba <larysa.zaremba@...el.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
Mel Gorman <mgorman@...hsingularity.net>,
Michael Kelley <mhklinux@...look.com>,
Mickaël Salaün <mic@...ikod.net>,
Miguel Ojeda <ojeda@...nel.org>,
Nathan Chancellor <nathan@...nel.org>,
Oleg Nesterov <oleg@...hat.com>, Paul Moore <paul@...l-moore.com>,
R Sundar <prosunofficial@...il.com>,
Stephen Rothwell <sfr@...b.auug.org.au>,
Venkat Rao Bagalkote <venkat88@...ux.vnet.ibm.com>
Subject: [GIT PULL] hardening updates for v6.15-rc1
Hi Linus,
Please pull these hardening updates for v6.15-rc1. As usual, it's
scattered changes all over. Patches touching things outside of our
traditional areas in the tree have been Acked by maintainers or were
trivial changes.
Thanks!
-Kees
The following changes since commit a64dcfb451e254085a7daee5fe51bf22959d52d3:

  Linux 6.14-rc2 (2025-02-09 12:45:03 -0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.15-rc1

for you to fetch changes up to b688f369ae0d5d25865f5441fa62e54c7d5d0de6:

  compiler_types: Introduce __nonstring_array (2025-03-12 13:21:09 -0700)
----------------------------------------------------------------
hardening updates for v6.15-rc1
- loadpin: remove unsupported MODULE_COMPRESS_NONE (Arulpandiyan Vadivel)
- samples/check-exec: Fix script name (Mickaël Salaün)
- yama: remove needless locking in yama_task_prctl() (Oleg Nesterov)
- lib/string_choices: Sort by function name (R Sundar)
- hardening: Allow default HARDENED_USERCOPY to be set at compile time
(Mel Gorman)
- uaccess: Split out compile-time checks into ucopysize.h
- kbuild: clang: Support building UM with SUBARCH=i386
- x86: Enable i386 FORTIFY_SOURCE on Clang 16+
- ubsan/overflow: Rework integer overflow sanitizer option
- Add missing __nonstring annotations for callers of memtostr*()/strtomem*()
- Add __must_be_noncstr() and have memtostr*()/strtomem*() check for it
- Introduce __nonstring_array for silencing future GCC 15 warnings
----------------------------------------------------------------
Arulpandiyan Vadivel (1):
      loadpin: remove MODULE_COMPRESS_NONE as it is no longer supported

Kees Cook (18):
      uaccess: Introduce ucopysize.h
      scsi: mptfusion: Mark device strings as nonstring
      scsi: mpi3mr: Mark device strings as nonstring
      scsi: mpt3sas: Mark device strings as nonstring
      scsi: qla2xxx: Mark device strings as nonstring
      string: kunit: Mark nonstring test strings as __nonstring
      x86/tdx: Mark message.bytes as nonstring
      uapi: stddef.h: Introduce __kernel_nonstring
      nilfs2: Mark on-disk strings as nonstring
      compiler.h: Introduce __must_be_noncstr()
      string.h: Validate memtostr*()/strtomem*() arguments more carefully
      kbuild: clang: Support building UM with SUBARCH=i386
      ubsan/overflow: Rework integer overflow sanitizer option to turn on everything
      ubsan/overflow: Enable pattern exclusions
      ubsan/overflow: Enable ignorelist parsing and add type filter
      x86/build: Remove -ffreestanding on i386 with GCC
      hardening: Enable i386 FORTIFY_SOURCE on Clang 16+
      compiler_types: Introduce __nonstring_array

Mel Gorman (4):
      mm: security: Move hardened usercopy under 'Kernel hardening options'
      mm: security: Allow default HARDENED_USERCOPY to be set at compile time
      mm: security: Check early if HARDENED_USERCOPY is enabled
      fortify: Move FORTIFY_SOURCE under 'Kernel hardening options'

Mickaël Salaün (1):
      samples/check-exec: Fix script name

Oleg Nesterov (1):
      yama: don't abuse rcu_read_lock/get_task_struct in yama_task_prctl()

R Sundar (1):
      lib/string_choices: Rearrange functions in sorted order
 Documentation/admin-guide/kernel-parameters.txt |  4 +-
 MAINTAINERS                                     |  1 +
 arch/x86/Makefile                               |  4 +-
 arch/x86/coco/tdx/tdx.c                         |  4 +-
 drivers/message/fusion/mptsas.c                 |  8 +--
 drivers/scsi/mpi3mr/mpi3mr_transport.c          |  8 +--
 drivers/scsi/mpt3sas/mpi/mpi2_cnfg.h            |  2 +-
 drivers/scsi/mpt3sas/mpt3sas_transport.c        |  8 +--
 drivers/scsi/qla2xxx/qla_mr.h                   |  4 +-
 include/linux/compiler.h                        | 18 ++++-
 include/linux/compiler_types.h                  | 23 ++++--
 include/linux/string.h                          | 16 ++++--
 include/linux/string_choices.h                  | 24 ++++-----
 include/linux/thread_info.h                     | 48 -----------------
 include/linux/uaccess.h                         |  2 +-
 include/linux/ucopysize.h                       | 63 ++++++++++++++++++++++
 include/linux/uio.h                             |  2 +-
 include/uapi/linux/nilfs2_ondisk.h              |  3 +-
 include/uapi/linux/stddef.h                     |  6 +++
 init/Kconfig                                    |  3 ++
 kernel/configs/hardening.config                 |  2 +-
 lib/Kconfig.ubsan                               | 25 ++++-----
 lib/string_kunit.c                              |  4 +-
 lib/test_ubsan.c                                | 18 +++++--
 lib/ubsan.c                                     | 28 +++++++++-
 lib/ubsan.h                                     |  8 +++
 mm/usercopy.c                                   | 18 ++++---
 .../{run-script-ask.inc => run-script-ask.sh}   |  0
 scripts/Makefile.clang                          |  2 +
 scripts/Makefile.lib                            |  4 +-
 scripts/Makefile.ubsan                          | 10 +++-
 scripts/integer-wrap-ignore.scl                 |  3 ++
 security/Kconfig                                | 21 --------
 security/Kconfig.hardening                      | 33 ++++++++++++
 security/loadpin/Kconfig                        |  2 +-
 security/yama/yama_lsm.c                        |  9 +---
 36 files changed, 285 insertions(+), 153 deletions(-)
create mode 100644 include/linux/ucopysize.h
rename samples/check-exec/{run-script-ask.inc => run-script-ask.sh} (100%)
create mode 100644 scripts/integer-wrap-ignore.scl
--
Kees Cook
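Editor's added example for the nonstring items in the summary above (the __nonstring annotations on device and on-disk strings, the memtostr*()/strtomem*() argument checks, and __nonstring_array for the GCC 15 initializer warning). This is stand-alone illustration code written for this page, not code from the kernel tree or from the pull request: the struct layout, the helper names nonstr_from_cstr()/cstr_from_nonstr(), the sample strings and the "DEMO" magic are this example's own assumptions. The helpers mimic the spirit of the kernel's strtomem_pad() and memtostr(), but are not those macros.

```c
/*
 * Stand-alone illustration (not kernel code): fixed-width byte fields that
 * are padded rather than NUL-terminated, and how to copy into and out of
 * them without ever running strlen()/strcpy()/"%s" past the field.
 */
#include <stdio.h>
#include <string.h>

/*
 * GCC 8+ (and recent Clang) accept __attribute__((nonstring)) to declare a
 * char array that is not a C string.  It silences strncpy()-truncation style
 * warnings on such fields and, on GCC 15, the warning for an initializer that
 * exactly fills the array with no room for a NUL.  Empty on other compilers.
 */
#if defined(__has_attribute)
# if __has_attribute(nonstring)
#  define NONSTRING __attribute__((nonstring))
# endif
#endif
#ifndef NONSTRING
# define NONSTRING
#endif

/* Constructed on-disk record: both fields are space/zero padded, not NUL terminated. */
struct disk_label {
	char magic[4] NONSTRING;
	char model[8] NONSTRING;
};

/* Initializer exactly fills the array: no terminating NUL (assumed magic value). */
static const char LABEL_MAGIC[4] NONSTRING = "DEMO";

/*
 * Store a C string into a nonstring field, truncating to the field width and
 * zero-padding the rest (same idea as the kernel's strtomem_pad(), but this
 * example's own helper).  Returns the number of bytes of src stored.
 */
static size_t nonstr_from_cstr(char *dst, size_t dstlen, const char *src)
{
	size_t n = strnlen(src, dstlen);

	memcpy(dst, src, n);
	memset(dst + n, 0, dstlen - n);
	return n;
}

/*
 * Read a nonstring field into a C string buffer, stopping at the field width
 * or at an embedded NUL, and always terminating dst (same idea as the
 * kernel's memtostr(), again this example's own helper).  Returns the number
 * of characters copied.
 */
static size_t cstr_from_nonstr(char *dst, size_t dstlen,
			       const char *src, size_t srclen)
{
	size_t n = strnlen(src, srclen);	/* bounded: never past the field */

	if (dstlen == 0)
		return 0;
	if (n > dstlen - 1)
		n = dstlen - 1;
	memcpy(dst, src, n);
	dst[n] = '\0';
	return n;
}

/*
 * Round-trip `in` through the 8-byte model field.  Returns the recovered
 * length; if out is non-NULL the terminated copy is written there.
 */
static size_t model_roundtrip(const char *in, char *out, size_t outlen)
{
	struct disk_label lab;
	char tmp[16];

	memcpy(lab.magic, LABEL_MAGIC, sizeof(lab.magic));
	nonstr_from_cstr(lab.model, sizeof(lab.model), in);
	if (!out) {
		out = tmp;
		outlen = sizeof(tmp);
	}
	return cstr_from_nonstr(out, outlen, lab.model, sizeof(lab.model));
}

/* True when `in` stored in the model field reads back as `expect`. */
static int model_roundtrips_to(const char *in, const char *expect)
{
	char out[16];

	model_roundtrip(in, out, sizeof(out));
	return strcmp(out, expect) == 0;
}

/* Compare a raw 4-byte magic without ever treating it as a C string. */
static int magic_matches(const char *buf)
{
	return memcmp(buf, LABEL_MAGIC, sizeof(LABEL_MAGIC)) == 0;
}

int main(void)
{
	struct disk_label lab;

	memcpy(lab.magic, LABEL_MAGIC, sizeof(lab.magic));
	nonstr_from_cstr(lab.model, sizeof(lab.model), "ABCDEFGH");

	/* "%s" would read past the 8-byte field hunting for a NUL; bound it. */
	printf("model=%.*s magic_ok=%d\n", (int)sizeof(lab.model), lab.model,
	       magic_matches(lab.magic));
	return 0;
}
```

The point the pull request's annotations make is visible in the full-width case: "ABCDEFGH" fills all eight bytes, so any reader that assumes a terminator overreads into the next field or past the struct. Declaring the field nonstring lets the compiler and, in the kernel, the memtostr*()/strtomem*() argument checks, reject the string-function usage instead of leaving it to a runtime overread.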