1. 08 Feb, 2023 1 commit
    • Kees Cook's avatar
      coda: Avoid partial allocation of sig_inputArgs · 48df1335
      Kees Cook authored
      GCC does not like having a partially allocated object, since it cannot
      reason about it for bounds checking when it is passed to other code.
      Instead, fully allocate sig_inputArgs. (Alternatively, sig_inputArgs
      should be defined as a struct coda_in_hdr, if it is actually not using
      any other part of the union.) Seen under GCC 13:
      
      ../fs/coda/upcall.c: In function 'coda_upcall':
      ../fs/coda/upcall.c:801:22: warning: array subscript 'union inputArgs[0]' is partly outside array bounds of 'unsigned char[20]' [-Warray-bounds=]
        801 |         sig_inputArgs->ih.opcode = CODA_SIGNAL;
            |                      ^~
      
      Cc: Jan Harkes <jaharkes@cs.cmu.edu>
      Cc: coda@cs.cmu.edu
      Cc: codalist@coda.cs.cmu.edu
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20230127223921.never.882-kees@kernel.org
      48df1335
  2. 02 Feb, 2023 2 commits
  3. 27 Jan, 2023 7 commits
  4. 25 Jan, 2023 3 commits
  5. 19 Jan, 2023 5 commits
  6. 13 Jan, 2023 2 commits
  7. 05 Jan, 2023 2 commits
    • Kees Cook's avatar
      fortify: Use __builtin_dynamic_object_size() when available · 439a1bca
      Kees Cook authored
      Since the commits starting with c37495d6 ("slab: add __alloc_size
      attributes for better bounds checking"), the compilers have runtime
      allocation size hints available in some places. This was immediately
      available to CONFIG_UBSAN_BOUNDS, but CONFIG_FORTIFY_SOURCE needed
      updating to explicitly make use of the hints via the associated
      __builtin_dynamic_object_size() helper. Detect and use the builtin when
      it is available, increasing the accuracy of the mitigation. When runtime
      sizes are not available, __builtin_dynamic_object_size() falls back to
      __builtin_object_size(), leaving the existing bounds checking unchanged.
      
      Additionally update the VMALLOC_LINEAR_OVERFLOW LKDTM test to make the
      hint invisible, otherwise the architectural defense is not exercised
      (the buffer overflow is detected in the memset() rather than when it
      crosses the edge of the allocation).
      
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Cc: Nathan Chancellor <nathan@kernel.org>
      Cc: Tom Rix <trix@redhat.com>
      Cc: linux-hardening@vger.kernel.org
      Cc: llvm@lists.linux.dev
      Reviewed-by: Miguel Ojeda <ojeda@kernel.org> # include/linux/compiler_attributes.h
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      439a1bca
    • Stephen Rothwell's avatar
      rxrpc: replace zero-lenth array with DECLARE_FLEX_ARRAY() helper · b2ba00c2
      Stephen Rothwell authored
      0-length arrays are deprecated, and cause problems with bounds checking.
      Replace with a flexible array:
      
      In file included from include/linux/string.h:253,
                       from include/linux/bitmap.h:11,
                       from include/linux/cpumask.h:12,
                       from arch/x86/include/asm/paravirt.h:17,
                       from arch/x86/include/asm/cpuid.h:62,
                       from arch/x86/include/asm/processor.h:19,
                       from arch/x86/include/asm/cpufeature.h:5,
                       from arch/x86/include/asm/thread_info.h:53,
                       from include/linux/thread_info.h:60,
                       from arch/x86/include/asm/preempt.h:9,
                       from include/linux/preempt.h:78,
                       from include/linux/percpu.h:6,
                       from include/linux/prandom.h:13,
                       from include/linux/random.h:153,
                       from include/linux/net.h:18,
                       from net/rxrpc/output.c:10:
      In function 'fortify_memcpy_chk',
          inlined from 'rxrpc_fill_out_ack' at net/rxrpc/output.c:158:2:
      include/linux/fortify-string.h:520:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()?  [-Werror=attribute-warning]
        520 |                         __write_overflow_field(p_size_field, size);
            |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Link: https://lore.kernel.org/linux-next/20230105132535.0d65378f@canb.auug.org.au/
      Cc: David Howells <dhowells@redhat.com>
      Cc: Marc Dionne <marc.dionne@auristor.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: linux-afs@lists.infradead.org
      Cc: netdev@vger.kernel.org
      Signed-off-by: default avatarStephen Rothwell <sfr@canb.auug.org.au>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      b2ba00c2
  8. 01 Jan, 2023 6 commits
  9. 31 Dec, 2022 2 commits
  10. 30 Dec, 2022 10 commits