From: Kees Cook <keescook@chromium.org> To: kernel-hardening@lists.openwall.com Cc: Kees Cook <keescook@chromium.org>, Emese Revfy <re.emese@gmail.com>, linux-kernel@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>, Josh Triplett <josh@joshtriplett.org>, pageexec@freemail.hu, spender@grsecurity.net, mmarek@suse.com, yamada.masahiro@socionext.com, linux-kbuild@vger.kernel.org, minipli@ld-linux.so, linux@armlinux.org.uk, catalin.marinas@arm.com, linux@rasmusvillemoes.dk, david.brown@linaro.org, benh@kernel.crashing.org, tglx@linutronix.de, akpm@linux-foundation.org, jlayton@poochiereds.net, sam@ravnborg.org Subject: [PATCH v4 4/4] initify: Mark functions with the __unverified_nocapture attribute Date: Fri, 16 Dec 2016 14:06:24 -0800 [thread overview] Message-ID: <1481925984-98605-5-git-send-email-keescook@chromium.org> (raw) In-Reply-To: <1481925984-98605-1-git-send-email-keescook@chromium.org> From: Emese Revfy <re.emese@gmail.com> This attribute disables the compile data flow verification of the designated nocapture parameters of the function. Use it only on function parameters that are difficult for the plugin to analyze. Signed-off-by: Emese Revfy <re.emese@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> --- include/linux/compiler-gcc.h | 1 + include/linux/compiler.h | 4 ++++ lib/vsprintf.c | 4 ++-- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h index 1e11ee911c3e..4ebb3ba17631 100644 --- a/include/linux/compiler-gcc.h +++ b/include/linux/compiler-gcc.h @@ -207,6 +207,7 @@ */ #ifdef INITIFY_PLUGIN #define __nocapture(...) __attribute__((nocapture(__VA_ARGS__))) +#define __unverified_nocapture(...) __attribute__((unverified_nocapture(__VA_ARGS__))) #endif /* diff --git a/include/linux/compiler.h b/include/linux/compiler.h index 8b3dcc790bb6..1bde420f07bb 100644 --- a/include/linux/compiler.h +++ b/include/linux/compiler.h @@ -437,6 +437,10 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s # define __nocapture(...) #endif +#ifndef __unverified_nocapture +# define __unverified_nocapture(...) +#endif + /* * Tell gcc if a function is cold. The compiler will assume any path * directly leading to the call is unlikely. diff --git a/lib/vsprintf.c b/lib/vsprintf.c index a192761d338a..cb964b51f9f8 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -118,7 +118,7 @@ long long simple_strtoll(const char *cp, char **endp, unsigned int base) } EXPORT_SYMBOL(simple_strtoll); -static noinline_for_stack __nocapture(1) +static noinline_for_stack __nocapture(1) __unverified_nocapture(1) int skip_atoi(const char **s) { int i = 0; @@ -1570,7 +1570,7 @@ int kptr_restrict __read_mostly; * function pointers are really function descriptors, which contain a * pointer to the real address. */ -static noinline_for_stack __nocapture(1) +static noinline_for_stack __nocapture(1) __unverified_nocapture(1) char *pointer(const char *fmt, char *buf, char *end, void *ptr, struct printf_spec spec) { -- 2.7.4
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org> To: kernel-hardening@lists.openwall.com Cc: Kees Cook <keescook@chromium.org>, Emese Revfy <re.emese@gmail.com>, linux-kernel@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>, Josh Triplett <josh@joshtriplett.org>, pageexec@freemail.hu, spender@grsecurity.net, mmarek@suse.com, yamada.masahiro@socionext.com, linux-kbuild@vger.kernel.org, minipli@ld-linux.so, linux@armlinux.org.uk, catalin.marinas@arm.com, linux@rasmusvillemoes.dk, david.brown@linaro.org, benh@kernel.crashing.org, tglx@linutronix.de, akpm@linux-foundation.org, jlayton@poochiereds.net, sam@ravnborg.org Subject: [kernel-hardening] [PATCH v4 4/4] initify: Mark functions with the __unverified_nocapture attribute Date: Fri, 16 Dec 2016 14:06:24 -0800 [thread overview] Message-ID: <1481925984-98605-5-git-send-email-keescook@chromium.org> (raw) In-Reply-To: <1481925984-98605-1-git-send-email-keescook@chromium.org> From: Emese Revfy <re.emese@gmail.com> This attribute disables the compile data flow verification of the designated nocapture parameters of the function. Use it only on function parameters that are difficult for the plugin to analyze. Signed-off-by: Emese Revfy <re.emese@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> --- include/linux/compiler-gcc.h | 1 + include/linux/compiler.h | 4 ++++ lib/vsprintf.c | 4 ++-- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h index 1e11ee911c3e..4ebb3ba17631 100644 --- a/include/linux/compiler-gcc.h +++ b/include/linux/compiler-gcc.h @@ -207,6 +207,7 @@ */ #ifdef INITIFY_PLUGIN #define __nocapture(...) __attribute__((nocapture(__VA_ARGS__))) +#define __unverified_nocapture(...) __attribute__((unverified_nocapture(__VA_ARGS__))) #endif /* diff --git a/include/linux/compiler.h b/include/linux/compiler.h index 8b3dcc790bb6..1bde420f07bb 100644 --- a/include/linux/compiler.h +++ b/include/linux/compiler.h @@ -437,6 +437,10 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s # define __nocapture(...) #endif +#ifndef __unverified_nocapture +# define __unverified_nocapture(...) +#endif + /* * Tell gcc if a function is cold. The compiler will assume any path * directly leading to the call is unlikely. diff --git a/lib/vsprintf.c b/lib/vsprintf.c index a192761d338a..cb964b51f9f8 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -118,7 +118,7 @@ long long simple_strtoll(const char *cp, char **endp, unsigned int base) } EXPORT_SYMBOL(simple_strtoll); -static noinline_for_stack __nocapture(1) +static noinline_for_stack __nocapture(1) __unverified_nocapture(1) int skip_atoi(const char **s) { int i = 0; @@ -1570,7 +1570,7 @@ int kptr_restrict __read_mostly; * function pointers are really function descriptors, which contain a * pointer to the real address. */ -static noinline_for_stack __nocapture(1) +static noinline_for_stack __nocapture(1) __unverified_nocapture(1) char *pointer(const char *fmt, char *buf, char *end, void *ptr, struct printf_spec spec) { -- 2.7.4
next prev parent reply other threads:[~2016-12-16 22:09 UTC|newest] Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-12-16 22:06 [PATCH v4 0/4] Introduce the initify gcc plugin Kees Cook 2016-12-16 22:06 ` [kernel-hardening] " Kees Cook 2016-12-16 22:06 ` [PATCH v4 1/4] gcc-plugins: Add " Kees Cook 2016-12-16 22:06 ` [kernel-hardening] " Kees Cook 2016-12-16 22:45 ` PaX Team 2016-12-16 22:45 ` [kernel-hardening] " PaX Team 2016-12-16 22:45 ` PaX Team 2016-12-16 23:02 ` Kees Cook 2016-12-16 23:02 ` [kernel-hardening] " Kees Cook 2016-12-16 23:02 ` Kees Cook 2016-12-16 23:15 ` PaX Team 2016-12-16 23:15 ` [kernel-hardening] " PaX Team 2016-12-16 23:15 ` PaX Team 2016-12-16 22:06 ` [PATCH v4 2/4] util: Move type casts into is_kernel_rodata Kees Cook 2016-12-16 22:06 ` [kernel-hardening] " Kees Cook 2016-12-16 22:06 ` [PATCH v4 3/4] initify: Mark functions with the __nocapture attribute Kees Cook 2016-12-16 22:06 ` [kernel-hardening] " Kees Cook 2016-12-16 22:06 ` Kees Cook [this message] 2016-12-16 22:06 ` [kernel-hardening] [PATCH v4 4/4] initify: Mark functions with the __unverified_nocapture attribute Kees Cook 2016-12-16 22:19 ` [PATCH v4 0/4] Introduce the initify gcc plugin Kees Cook 2016-12-16 22:19 ` [kernel-hardening] " Kees Cook 2016-12-16 22:19 ` Kees Cook 2016-12-19 11:10 ` Emese Revfy 2016-12-19 11:10 ` [kernel-hardening] " Emese Revfy 2016-12-19 11:10 ` Emese Revfy 2017-01-04 0:23 ` Kees Cook 2017-01-04 0:23 ` [kernel-hardening] " Kees Cook 2017-01-04 0:23 ` Kees Cook 2017-01-11 0:24 ` Emese Revfy 2017-01-11 0:24 ` [kernel-hardening] " Emese Revfy 2017-01-11 0:24 ` Emese Revfy 2017-01-11 1:09 ` Kees Cook 2017-01-11 1:09 ` [kernel-hardening] " Kees Cook 2017-01-11 1:09 ` Kees Cook 2017-01-12 21:41 ` Emese Revfy 2017-01-12 21:41 ` [kernel-hardening] " Emese Revfy 2017-01-12 21:41 ` Emese Revfy 2017-01-12 23:27 ` Kees Cook 2017-01-12 23:27 ` [kernel-hardening] " Kees Cook 2017-01-12 23:27 ` Kees Cook 2017-01-12 23:40 ` Kees Cook 2017-01-12 23:40 ` [kernel-hardening] " Kees Cook 2017-01-12 23:40 ` Kees Cook 2017-01-17 20:31 ` Emese Revfy 2017-01-17 20:31 ` [kernel-hardening] " Emese Revfy 2017-01-17 20:31 ` Emese Revfy 2017-01-19 1:22 ` Kees Cook 2017-01-19 1:22 ` [kernel-hardening] " Kees Cook 2017-01-19 1:22 ` Kees Cook 2017-02-15 0:23 ` Emese Revfy 2017-02-15 0:23 ` [kernel-hardening] " Emese Revfy 2017-02-15 0:23 ` Emese Revfy 2017-02-15 19:27 ` Kees Cook 2017-02-15 19:27 ` [kernel-hardening] " Kees Cook 2017-02-15 19:27 ` Kees Cook 2017-02-20 21:42 ` Emese Revfy 2017-02-20 21:42 ` [kernel-hardening] " Emese Revfy 2017-02-20 21:42 ` Emese Revfy 2016-12-19 18:24 ` Laura Abbott 2016-12-19 18:24 ` [kernel-hardening] " Laura Abbott 2017-01-04 0:23 ` Kees Cook 2017-01-04 0:23 ` [kernel-hardening] " Kees Cook 2017-01-04 0:23 ` Kees Cook
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1481925984-98605-5-git-send-email-keescook@chromium.org \ --to=keescook@chromium.org \ --cc=akpm@linux-foundation.org \ --cc=arnd@arndb.de \ --cc=benh@kernel.crashing.org \ --cc=catalin.marinas@arm.com \ --cc=david.brown@linaro.org \ --cc=jlayton@poochiereds.net \ --cc=josh@joshtriplett.org \ --cc=kernel-hardening@lists.openwall.com \ --cc=linux-kbuild@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux@armlinux.org.uk \ --cc=linux@rasmusvillemoes.dk \ --cc=minipli@ld-linux.so \ --cc=mmarek@suse.com \ --cc=pageexec@freemail.hu \ --cc=re.emese@gmail.com \ --cc=sam@ravnborg.org \ --cc=spender@grsecurity.net \ --cc=tglx@linutronix.de \ --cc=yamada.masahiro@socionext.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.