1. 07 Sep, 2022 11 commits
    • Matthias Kaehlcke's avatar
      dm: verity-loadpin: Only trust verity targets with enforcement · 916ef623
      Matthias Kaehlcke authored
      Verity targets can be configured to ignore corrupted data blocks.
      LoadPin must only trust verity targets that are configured to
      perform some kind of enforcement when data corruption is detected,
      like returning an error, restarting the system or triggering a
      panic.
      
      Fixes: b6c1c574 ("dm: Add verity helpers for LoadPin")
      Reported-by: default avatarSarthak Kukreti <sarthakkukreti@chromium.org>
      Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Reviewed-by: default avatarSarthak Kukreti <sarthakkukreti@chromium.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20220907133055.1.Ic8a1dafe960dc0f8302e189642bc88ebb785d274@changeid
      916ef623
    • Matthias Kaehlcke's avatar
      LoadPin: Fix Kconfig doc about format of file with verity digests · aafc203b
      Matthias Kaehlcke authored
      The doc for CONFIG_SECURITY_LOADPIN_VERITY says that the file with verity
      digests must contain a comma separated list of digests. That was the case
      at some stage of the development, but was changed during the review
      process to one digest per line. Update the Kconfig doc accordingly.
      Reported-by: default avatarJae Hoon Kim <kimjae@chromium.org>
      Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Fixes: 3f805f8c ("LoadPin: Enable loading from trusted dm-verity devices")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20220829174557.1.I5d202d1344212a3800d9828f936df6511eb2d0d1@changeid
      aafc203b
    • Kees Cook's avatar
      um: Enable FORTIFY_SOURCE · ba38961a
      Kees Cook authored
      Enable FORTIFY_SOURCE so running Kunit tests can test fortified
      functions.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Tested-by: default avatarDavid Gow <davidgow@google.com>
      Link: https://lore.kernel.org/r/20220210003224.773957-1-keescook@chromium.org
      ba38961a
    • Kees Cook's avatar
      lkdtm: Update tests for memcpy() run-time warnings · 325bf6d8
      Kees Cook authored
      Clarify the LKDTM FORTIFY tests, and add tests for the mem*() family of
      functions, now that run-time checking is distinct.
      
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Shuah Khan <shuah@kernel.org>
      Cc: linux-kselftest@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      325bf6d8
    • Kees Cook's avatar
      fortify: Add run-time WARN for cross-field memcpy() · 54d9469b
      Kees Cook authored
      Enable run-time checking of dynamic memcpy() and memmove() lengths,
      issuing a WARN when a write would exceed the size of the target struct
      member, when built with CONFIG_FORTIFY_SOURCE=y. This would have
      caught all of the memcpy()-based buffer overflows in the last 3 years,
      specifically covering all the cases where the destination buffer size
      is known at compile time.
      
      This change ONLY adds a run-time warning. As false positives are currently
      still expected, this will not block the overflow. The new warnings will
      look like this:
      
        memcpy: detected field-spanning write (size N) of single field "var->dest" (size M)
        WARNING: CPU: n PID: pppp at source/file/path.c:nr function+0xXX/0xXX [module]
      
      There may be false positives in the kernel where intentional
      field-spanning writes are happening. These need to be addressed
      similarly to how the compile-time cases were addressed: add a
      struct_group(), split the memcpy(), or some other refactoring.
      
      In order to make counting/investigating instances of added runtime checks
      easier, each instance includes the destination variable name as a WARN
      argument, prefixed with 'field "'. Therefore, on an x86_64 defconfig
      build, it is trivial to inspect the build artifacts to find instances.
      For example on an x86_64 defconfig build, there are 78 new run-time
      memcpy() bounds checks added:
      
        $ for i in vmlinux $(find . -name '*.ko'); do \
            strings "$i" | grep '^field "'; done | wc -l
        78
      
      Simple cases where a destination buffer is known to be a dynamic size
      do not generate a WARN. For example:
      
      struct normal_flex_array {
      	void *a;
      	int b;
      	u32 c;
      	size_t array_size;
      	u8 flex_array[];
      };
      
      struct normal_flex_array *instance;
      ...
      /* These will be ignored for run-time bounds checking. */
      memcpy(instance, src, len);
      memcpy(instance->flex_array, src, len);
      
      However, one of the dynamic-sized destination cases is irritatingly
      unable to be detected by the compiler: when using memcpy() to target
      a composite struct member which contains a trailing flexible array
      struct. For example:
      
      struct wrapper {
      	int foo;
      	char bar;
      	struct normal_flex_array embedded;
      };
      
      struct wrapper *instance;
      ...
      /* This will incorrectly WARN when len > sizeof(instance->embedded) */
      memcpy(&instance->embedded, src, len);
      
      These cases end up appearing to the compiler to be sized as if the
      flexible array had 0 elements. :( For more details see:
      https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832
      https://godbolt.org/z/vW6x8vh4P
      
      These "composite flexible array structure destination" cases will be
      need to be flushed out and addressed on a case-by-case basis.
      
      Regardless, for the general case of using memcpy() on flexible array
      destinations, future APIs will be created to handle common cases. Those
      can be used to migrate away from open-coded memcpy() so that proper
      error handling (instead of trapping) can be used.
      
      As mentioned, none of these bounds checks block any overflows
      currently. For users that have tested their workloads, do not encounter
      any warnings, and wish to make these checks stop any overflows, they
      can use a big hammer and set the sysctl panic_on_warn=1.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      54d9469b
    • Kees Cook's avatar
      fortify: Use SIZE_MAX instead of (size_t)-1 · 311fb40a
      Kees Cook authored
      Clean up uses of "(size_t)-1" in favor of SIZE_MAX.
      
      Cc: linux-hardening@vger.kernel.org
      Suggested-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      311fb40a
    • Kees Cook's avatar
      fortify: Add KUnit test for FORTIFY_SOURCE internals · 875bfd52
      Kees Cook authored
      Add lib/fortify_kunit.c KUnit test for checking the expected behavioral
      characteristics of FORTIFY_SOURCE internals.
      
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Cc: Nathan Chancellor <nathan@kernel.org>
      Cc: Tom Rix <trix@redhat.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: "Steven Rostedt (Google)" <rostedt@goodmis.org>
      Cc: Yury Norov <yury.norov@gmail.com>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Sander Vanheule <sander@svanheule.net>
      Cc: linux-hardening@vger.kernel.org
      Cc: llvm@lists.linux.dev
      Reviewed-by: default avatarDavid Gow <davidgow@google.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      875bfd52
    • Kees Cook's avatar
      fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL · d07c0acb
      Kees Cook authored
      With CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe
      a runtime panic while running Android's Compatibility Test Suite's (CTS)
      android.hardware.input.cts.tests. This is stemming from a strlen()
      call in hidinput_allocate().
      
      __compiletime_strlen() is implemented in terms of __builtin_object_size(),
      then does an array access to check for NUL-termination. A quirk of
      __builtin_object_size() is that for strings whose values are runtime
      dependent, __builtin_object_size(str, 1 or 0) returns the maximum size
      of possible values when those sizes are determinable at compile time.
      Example:
      
        static const char *v = "FOO BAR";
        static const char *y = "FOO BA";
        unsigned long x (int z) {
            // Returns 8, which is:
            // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1))
            return __builtin_object_size(z ? v : y, 1);
        }
      
      So when FORTIFY_SOURCE is enabled, the current implementation of
      __compiletime_strlen() will try to access beyond the end of y at runtime
      using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault.
      
      hidinput_allocate() has a local C string whose value is control flow
      dependent on a switch statement, so __builtin_object_size(str, 1)
      evaluates to the maximum string length, making all other cases fault on
      the last character check. hidinput_allocate() could be cleaned up to
      avoid runtime calls to strlen() since the local variable can only have
      literal values, so there's no benefit to trying to fortify the strlen
      call site there.
      
      Perform a __builtin_constant_p() check against index 0 earlier in the
      macro to filter out the control-flow-dependant case. Add a KUnit test
      for checking the expected behavioral characteristics of FORTIFY_SOURCE
      internals.
      
      Cc: Nathan Chancellor <nathan@kernel.org>
      Cc: Tom Rix <trix@redhat.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: "Steven Rostedt (Google)" <rostedt@goodmis.org>
      Cc: David Gow <davidgow@google.com>
      Cc: Yury Norov <yury.norov@gmail.com>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Sander Vanheule <sander@svanheule.net>
      Cc: linux-hardening@vger.kernel.org
      Cc: llvm@lists.linux.dev
      Reviewed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Tested-by: Android Treehugger Robot
      Link: https://android-review.googlesource.com/c/kernel/common/+/2206839Co-developed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      d07c0acb
    • Kees Cook's avatar
      string: Introduce strtomem() and strtomem_pad() · dfbafa70
      Kees Cook authored
      One of the "legitimate" uses of strncpy() is copying a NUL-terminated
      string into a fixed-size non-NUL-terminated character array. To avoid
      the weaknesses and ambiguity of intent when using strncpy(), provide
      replacement functions that explicitly distinguish between trailing
      padding and not, and require the destination buffer size be discoverable
      by the compiler.
      
      For example:
      
      struct obj {
      	int foo;
      	char small[4] __nonstring;
      	char big[8] __nonstring;
      	int bar;
      };
      
      struct obj p;
      
      /* This will truncate to 4 chars with no trailing NUL */
      strncpy(p.small, "hello", sizeof(p.small));
      /* p.small contains 'h', 'e', 'l', 'l' */
      
      /* This will NUL pad to 8 chars. */
      strncpy(p.big, "hello", sizeof(p.big));
      /* p.big contains 'h', 'e', 'l', 'l', 'o', '\0', '\0', '\0' */
      
      When the "__nonstring" attributes are missing, the intent of the
      programmer becomes ambiguous for whether the lack of a trailing NUL
      in the p.small copy is a bug. Additionally, it's not clear whether
      the trailing padding in the p.big copy is _needed_. Both cases
      become unambiguous with:
      
      strtomem(p.small, "hello");
      strtomem_pad(p.big, "hello", 0);
      
      See also https://github.com/KSPP/linux/issues/90
      
      Expand the memcpy KUnit tests to include these functions.
      
      Cc: Wolfram Sang <wsa+renesas@sang-engineering.com>
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      dfbafa70
    • Kees Cook's avatar
      overflow: Split up kunit tests for smaller stack frames · 77974225
      Kees Cook authored
      Under some pathological 32-bit configs, the shift overflow KUnit tests
      create huge stack frames. Split up the function to avoid this,
      separating by rough shift overflow cases.
      
      Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
      Cc: Daniel Latypov <dlatypov@google.com>
      Cc: Vitor Massaru Iha <vitor@massaru.org>
      Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Link: https://lore.kernel.org/lkml/202208301850.iuv9VwA8-lkp@intel.comAcked-by: default avatarDaniel Latypov <dlatypov@google.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      77974225
    • Kees Cook's avatar
      overflow: Allow mixed type arguments · d219d2a9
      Kees Cook authored
      When the check_[op]_overflow() helpers were introduced, all arguments
      were required to be the same type to make the fallback macros simpler.
      However, now that the fallback macros have been removed[1], it is fine
      to allow mixed types, which makes using the helpers much more useful,
      as they can be used to test for type-based overflows (e.g. adding two
      large ints but storing into a u8), as would be handy in the drm core[2].
      
      Remove the restriction, and add additional self-tests that exercise
      some of the mixed-type overflow cases, and double-check for accidental
      macro side-effects.
      
      [1] https://git.kernel.org/linus/4eb6bd55cfb22ffc20652732340c4962f3ac9a91
      [2] https://lore.kernel.org/lkml/20220824084514.2261614-2-gwan-gyeong.mun@intel.com
      
      Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
      Cc: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
      Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Cc: linux-hardening@vger.kernel.org
      Reviewed-by: default avatarAndrzej Hajda <andrzej.hajda@intel.com>
      Reviewed-by: default avatarGwan-gyeong Mun <gwan-gyeong.mun@intel.com>
      Tested-by: default avatarGwan-gyeong Mun <gwan-gyeong.mun@intel.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      d219d2a9
  2. 31 Aug, 2022 2 commits
  3. 22 Aug, 2022 1 commit
  4. 21 Aug, 2022 17 commits
  5. 20 Aug, 2022 9 commits
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v6.0' of... · 15b3f48a
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Fix module versioning broken on some architectures
      
       - Make dummy-tools enable CONFIG_PPC_LONG_DOUBLE_128
      
       - Remove -Wformat-zero-length, which has no warning instance
      
       - Fix the order between drivers and libs in modules.order
      
       - Fix false-positive warnings in clang-analyzer
      
      * tag 'kbuild-fixes-v6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        scripts/clang-tools: Remove DeprecatedOrUnsafeBufferHandling check
        kbuild: fix the modules order between drivers and libs
        scripts/Makefile.extrawarn: Do not disable clang's -Wformat-zero-length
        kbuild: dummy-tools: pretend we understand __LONG_DOUBLE_128__
        modpost: fix module versioning when a symbol lacks valid CRC
      15b3f48a
    • Linus Torvalds's avatar
      Merge tag 'perf-tools-fixes-for-v6.0-2022-08-19' of... · 16b3d851
      Linus Torvalds authored
      Merge tag 'perf-tools-fixes-for-v6.0-2022-08-19' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
      
      Pull perf tools fixes from Arnaldo Carvalho de Melo:
      
       - Fix alignment for cpu map masks in event encoding.
      
       - Support reading PERF_FORMAT_LOST, perf tool counterpart for a feature
         that was added in this merge window.
      
       - Sync perf tools copies of kernel headers: socket, msr-index, fscrypt,
         cpufeatures, i915_drm, kvm, vhost, perf_event.
      
      * tag 'perf-tools-fixes-for-v6.0-2022-08-19' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux:
        perf tools: Support reading PERF_FORMAT_LOST
        libperf: Add a test case for read formats
        libperf: Handle read format in perf_evsel__read()
        tools headers UAPI: Sync linux/perf_event.h with the kernel sources
        tools headers UAPI: Sync x86's asm/kvm.h with the kernel sources
        tools headers UAPI: Sync KVM's vmx.h header with the kernel sources
        tools include UAPI: Sync linux/vhost.h with the kernel sources
        tools headers kvm s390: Sync headers with the kernel sources
        tools headers UAPI: Sync linux/kvm.h with the kernel sources
        tools headers UAPI: Sync drm/i915_drm.h with the kernel sources
        tools headers cpufeatures: Sync with the kernel sources
        tools headers UAPI: Sync linux/fscrypt.h with the kernel sources
        tools arch x86: Sync the msr-index.h copy with the kernel sources
        perf beauty: Update copy of linux/socket.h with the kernel sources
        perf cpumap: Fix alignment for masks in event encoding
        perf cpumap: Compute mask size in constant time
        perf cpumap: Synthetic events and const/static
        perf cpumap: Const map for max()
      16b3d851
    • Linus Torvalds's avatar
      Merge tag 's390-6.0-1' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · cc1807b9
      Linus Torvalds authored
      Pull s390 updates from Alexander Gordeev:
      
       - Fix a KVM crash on z12 and older machines caused by a wrong
         assumption that Query AP Configuration Information is always
         available.
      
       - Lower severity of excessive Hypervisor filesystem error messages
         when booting under KVM.
      
      * tag 's390-6.0-1' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/ap: fix crash on older machines based on QCI info missing
        s390/hypfs: avoid error message under KVM
      cc1807b9
    • Linus Torvalds's avatar
      Merge tag 'powerpc-6.0-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 32dd68f1
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - Fix atomic sleep warnings at boot due to get_phb_number() taking a
         mutex with a spinlock held on some machines.
      
       - Add missing PMU selftests to .gitignores.
      
      Thanks to Guenter Roeck and Russell Currey.
      
      * tag 'powerpc-6.0-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        selftests/powerpc: Add missing PMU selftests to .gitignores
        powerpc/pci: Fix get_phb_number() locking
      32dd68f1
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · f31c32ef
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "A few minor fixes:
      
         - Fix buffer management in SRP to correct a regression with the login
           authentication feature from v5.17
      
         - Don't iterate over non-present ports in mlx5
      
         - Fix an error introduced by the foritify work in cxgb4
      
         - Two bug fixes for the recently merged ERDMA driver
      
         - Unbreak RDMA dmabuf support, a regresion from v5.19"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA: Handle the return code from dma_resv_wait_timeout() properly
        RDMA/erdma: Correct the max_qp and max_cq capacities of the device
        RDMA/erdma: Using the key in FMR WR instead of MR structure
        RDMA/cxgb4: fix accept failure due to increased cpl_t5_pass_accept_rpl size
        RDMA/mlx5: Use the proper number of ports
        IB/iser: Fix login with authentication
      f31c32ef
    • Guru Das Srinagesh's avatar
      scripts/clang-tools: Remove DeprecatedOrUnsafeBufferHandling check · 4be72c1b
      Guru Das Srinagesh authored
      This `clang-analyzer` check flags the use of memset(), suggesting a more
      secure version of the API, such as memset_s(), which does not exist in
      the kernel:
      
        warning: Call to function 'memset' is insecure as it does not provide
        security checks introduced in the C11 standard. Replace with analogous
        functions that support length arguments or provides boundary checks such
        as 'memset_s' in case of C11
        [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling]
      Signed-off-by: default avatarGuru Das Srinagesh <quic_gurus@quicinc.com>
      Reviewed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      4be72c1b
    • Masahiro Yamada's avatar
      kbuild: fix the modules order between drivers and libs · 11314751
      Masahiro Yamada authored
      Commit b2c88554 ("kbuild: update modules.order only when contained
      modules are updated") accidentally changed the modules order.
      
      Prior to that commit, the modules order was determined based on
      vmlinux-dirs, which lists core-y/m, drivers-y/m, libs-y/m, in this order.
      
      Now, subdir-modorder lists them in a different order: core-y/m, libs-y/m,
      drivers-y/m.
      
      Presumably, there was no practical issue because the modules in drivers
      and libs are orthogonal, but there is no reason to have this distortion.
      
      Get back to the original order.
      
      Fixes: b2c88554 ("kbuild: update modules.order only when contained modules are updated")
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      11314751
    • Nathan Chancellor's avatar
      scripts/Makefile.extrawarn: Do not disable clang's -Wformat-zero-length · 370655bc
      Nathan Chancellor authored
      There are no instances of this warning in the tree across several
      difference architectures and configurations. This was added by
      commit 26ea6bb1 ("kbuild, LLVMLinux: Supress warnings unless W=1-3")
      back in 2014, where it might have been necessary, but there are no
      instances of it now so stop disabling it to increase warning coverage
      for clang.
      Signed-off-by: default avatarNathan Chancellor <nathan@kernel.org>
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      370655bc
    • Jiri Slaby's avatar
      kbuild: dummy-tools: pretend we understand __LONG_DOUBLE_128__ · 0df499ea
      Jiri Slaby authored
      There is a test in powerpc's Kconfig which checks __LONG_DOUBLE_128__
      and sets CONFIG_PPC_LONG_DOUBLE_128 if it is understood by the compiler.
      
      We currently don't handle it, so this results in PPC_LONG_DOUBLE_128 not
      being in super-config generated by dummy-tools. So take this into
      account in the gcc script and preprocess __LONG_DOUBLE_128__ as "1".
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      0df499ea