* [PATCH] vgacon: fix function prototypes @ 2018-03-10 6:40 ` Joao Moreira 0 siblings, 0 replies; 6+ messages in thread From: Joao Moreira @ 2018-03-10 6:40 UTC (permalink / raw) To: kernel-hardening; +Cc: linux-kernel, danielmicay, keescook It is possible to indirectly invoke functions with prototypes that do not match those of the respectively used function pointers by using void types. Despite widely used as a feature for relaxing function invocation, this should be avoided when possible as it may prevent the use of heuristics such as prototype matching-based Control-Flow Integrity, which can be used to prevent ROP-based attacks. Given the above, the current efforts to improve the Linux security, and the upcoming kernel support to compilers with CFI features, fix prototypes in vgacon console driver. Another similar fix can be seen in [1]. [1] https://android-review.googlesource.com/c/kernel/common/+/602010 Signed-off-by: João Moreira <jmoreira@suse.de> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> --- drivers/video/console/vgacon.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c index a17ba1465815..f00b630f6839 100644 --- a/drivers/video/console/vgacon.c +++ b/drivers/video/console/vgacon.c 
@@ -1407,21 +1407,29 @@ static bool vgacon_scroll(struct vc_data *c, unsigned int t, unsigned int b, * The console `switch' structure for the VGA based console */ -static int vgacon_dummy(struct vc_data *c) +static int vgacon_clear(struct vc_data *c) { return 0; } -#define DUMMY (void *) vgacon_dummy +static void vgacon_putc(struct vc_data *c, int a, int b, int d) +{ + return; +} + +static void vgacon_putcs(struct vc_data *c, ushort *s, int a, int b, int d) +{ + return; +} const struct consw vga_con = { .owner = THIS_MODULE, .con_startup = vgacon_startup, .con_init = vgacon_init, .con_deinit = vgacon_deinit, - .con_clear = DUMMY, - .con_putc = DUMMY, - .con_putcs = DUMMY, + .con_clear = vgacon_clear, + .con_putc = vgacon_putc, + .con_putcs = vgacon_putcs, .con_cursor = vgacon_cursor, .con_scroll = vgacon_scroll, .con_switch = vgacon_switch, -- 2.13.6 ^ permalink raw reply related [flat|nested] 6+ messages in thread
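Review bot: `vgacon_putcs()` does not match the `con_putcs` member it is assigned to. The build failure reported later in this thread is `initialization from incompatible pointer type` at `.con_putcs = vgacon_putcs,`. With the `(void *)` cast gone the compiler now checks every stub, so take the parameter list of all three stubs verbatim from the `struct consw` declaration (including any qualifier on `ushort *s`) and build against the target tree before resending.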
* [PATCH] vgacon: fix function prototypes @ 2018-03-10 6:40 ` Joao Moreira 0 siblings, 0 replies; 6+ messages in thread From: Joao Moreira @ 2018-03-10 6:40 UTC (permalink / raw) To: kernel-hardening; +Cc: linux-kernel, danielmicay, keescook It is possible to indirectly invoke functions with prototypes that do not match those of the respectively used function pointers by using void types. Despite widely used as a feature for relaxing function invocation, this should be avoided when possible as it may prevent the use of heuristics such as prototype matching-based Control-Flow Integrity, which can be used to prevent ROP-based attacks. Given the above, the current efforts to improve the Linux security, and the upcoming kernel support to compilers with CFI features, fix prototypes in vgacon console driver. Another similar fix can be seen in [1]. [1] https://android-review.googlesource.com/c/kernel/common/+/602010 Signed-off-by: João Moreira <jmoreira@suse.de> --- drivers/video/console/vgacon.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c index a17ba1465815..f00b630f6839 100644 --- a/drivers/video/console/vgacon.c +++ b/drivers/video/console/vgacon.c 
@@ -1407,21 +1407,29 @@ static bool vgacon_scroll(struct vc_data *c, unsigned int t, unsigned int b, * The console `switch' structure for the VGA based console */ -static int vgacon_dummy(struct vc_data *c) +static int vgacon_clear(struct vc_data *c) { return 0; } -#define DUMMY (void *) vgacon_dummy +static void vgacon_putc(struct vc_data *c, int a, int b, int d) +{ + return; +} + +static void vgacon_putcs(struct vc_data *c, ushort *s, int a, int b, int d) +{ + return; +} const struct consw vga_con = { .owner = THIS_MODULE, .con_startup = vgacon_startup, .con_init = vgacon_init, .con_deinit = vgacon_deinit, - .con_clear = DUMMY, - .con_putc = DUMMY, - .con_putcs = DUMMY, + .con_clear = vgacon_clear, + .con_putc = vgacon_putc, + .con_putcs = vgacon_putcs, .con_cursor = vgacon_cursor, .con_scroll = vgacon_scroll, .con_switch = vgacon_switch, -- 2.13.6 ^ permalink raw reply related [flat|nested] 6+ messages in thread
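Review bot: `vgacon_clear()` keeps the body and the `int (struct vc_data *)` signature of the removed `vgacon_dummy()`; only the name changed, so nothing in this hunk shows that it agrees with the `con_clear` member now that the `(void *)` cast no longer hides a mismatch. Confirm its return type and parameters against `struct consw`. As a style point, the bare `return;` in the two void stubs can go (empty bodies are enough), and `a`, `b`, `d` should carry names that say what the member passes.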
* Re: [PATCH] vgacon: fix function prototypes 2018-03-10 6:40 ` Joao Moreira (?) @ 2018-03-10 15:27 ` Kees Cook [not found] ` <CGME20180312140620epcas1p10db98576017a2e4ef9a6ada74eb5daf0@epcas1p1.samsung.com> -1 siblings, 1 reply; 6+ messages in thread From: Kees Cook @ 2018-03-10 15:27 UTC (permalink / raw) To: Joao Moreira, Greg KH; +Cc: Kernel Hardening, LKML, Daniel Micay On Fri, Mar 9, 2018 at 10:40 PM, Joao Moreira <jmoreira@suse.de> wrote: > It is possible to indirectly invoke functions with prototypes that do not > match those of the respectively used function pointers by using void types. > Despite widely used as a feature for relaxing function invocation, this > should be avoided when possible as it may prevent the use of heuristics > such as prototype matching-based Control-Flow Integrity, which can be used > to prevent ROP-based attacks. > > Given the above, the current efforts to improve the Linux security, and the > upcoming kernel support to compilers with CFI features, fix prototypes in > vgacon console driver. > > Another similar fix can be seen in [1]. > > [1] https://android-review.googlesource.com/c/kernel/common/+/602010 > > Signed-off-by: João Moreira <jmoreira@suse.de> Whoops, I missed this one. :) Thanks! Greg, do you need this resent directly to you? Acked-by: Kees Cook <keescook@chromium.org> -Kees > --- > drivers/video/console/vgacon.c | 18 +++++++++++++----- > 1 file changed, 13 insertions(+), 5 deletions(-) > > diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c > index a17ba1465815..f00b630f6839 100644 > --- a/drivers/video/console/vgacon.c > +++ b/drivers/video/console/vgacon.c 
> @@ -1407,21 +1407,29 @@ static bool vgacon_scroll(struct vc_data *c, unsigned int t, unsigned int b, > * The console `switch' structure for the VGA based console > */ > > -static int vgacon_dummy(struct vc_data *c) > +static int vgacon_clear(struct vc_data *c) > { > return 0; > } > > -#define DUMMY (void *) vgacon_dummy > +static void vgacon_putc(struct vc_data *c, int a, int b, int d) > +{ > + return; > +} > + > +static void vgacon_putcs(struct vc_data *c, ushort *s, int a, int b, int d) > +{ > + return; > +} > > const struct consw vga_con = { > .owner = THIS_MODULE, > .con_startup = vgacon_startup, > .con_init = vgacon_init, > .con_deinit = vgacon_deinit, > - .con_clear = DUMMY, > - .con_putc = DUMMY, > - .con_putcs = DUMMY, > + .con_clear = vgacon_clear, > + .con_putc = vgacon_putc, > + .con_putcs = vgacon_putcs, > .con_cursor = vgacon_cursor, > .con_scroll = vgacon_scroll, > .con_switch = vgacon_switch, > -- > 2.13.6 > -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 6+ messages in thread
[parent not found: <CGME20180312140620epcas1p10db98576017a2e4ef9a6ada74eb5daf0@epcas1p1.samsung.com>]
* Re: [PATCH] vgacon: fix function prototypes [not found] ` <CGME20180312140620epcas1p10db98576017a2e4ef9a6ada74eb5daf0@epcas1p1.samsung.com> @ 2018-03-12 14:06 ` Bartlomiej Zolnierkiewicz 0 siblings, 0 replies; 6+ messages in thread From: Bartlomiej Zolnierkiewicz @ 2018-03-12 14:06 UTC (permalink / raw) To: Kees Cook Cc: Joao Moreira, Greg KH, Kernel Hardening, LKML, Daniel Micay, linux-fbdev Hi, On Saturday, March 10, 2018 07:27:21 AM Kees Cook wrote: > On Fri, Mar 9, 2018 at 10:40 PM, Joao Moreira <jmoreira@suse.de> wrote: > > It is possible to indirectly invoke functions with prototypes that do not > > match those of the respectively used function pointers by using void types. > > Despite widely used as a feature for relaxing function invocation, this > > should be avoided when possible as it may prevent the use of heuristics > > such as prototype matching-based Control-Flow Integrity, which can be used > > to prevent ROP-based attacks. > > > > Given the above, the current efforts to improve the Linux security, and the > > upcoming kernel support to compilers with CFI features, fix prototypes in > > vgacon console driver. > > > > Another similar fix can be seen in [1]. > > > > [1] https://android-review.googlesource.com/c/kernel/common/+/602010 > > > > Signed-off-by: João Moreira <jmoreira@suse.de> > > Whoops, I missed this one. :) Thanks! Greg, do you need this resent > directly to you? I would prefer for drivers/video/console/ changes to go through fbdev tree (like suggested by scripts/get_maintainers.pl).. However since Greg has already merged your CFI patches: Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> > Acked-by: Kees Cook <keescook@chromium.org> > > -Kees > > > --- > > drivers/video/console/vgacon.c | 18 +++++++++++++----- > > 1 file changed, 13 insertions(+), 5 deletions(-) > > > > diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c > > index a17ba1465815..f00b630f6839 100644 
> > --- a/drivers/video/console/vgacon.c > > +++ b/drivers/video/console/vgacon.c > > @@ -1407,21 +1407,29 @@ static bool vgacon_scroll(struct vc_data *c, unsigned int t, unsigned int b, > > * The console `switch' structure for the VGA based console > > */ > > > > -static int vgacon_dummy(struct vc_data *c) > > +static int vgacon_clear(struct vc_data *c) > > { > > return 0; > > } > > > > -#define DUMMY (void *) vgacon_dummy > > +static void vgacon_putc(struct vc_data *c, int a, int b, int d) > > +{ > > + return; > > +} > > + > > +static void vgacon_putcs(struct vc_data *c, ushort *s, int a, int b, int d) > > +{ > > + return; > > +} > > > > const struct consw vga_con = { > > .owner = THIS_MODULE, > > .con_startup = vgacon_startup, > > .con_init = vgacon_init, > > .con_deinit = vgacon_deinit, > > - .con_clear = DUMMY, > > - .con_putc = DUMMY, > > - .con_putcs = DUMMY, > > + .con_clear = vgacon_clear, > > + .con_putc = vgacon_putc, > > + .con_putcs = vgacon_putcs, > > .con_cursor = vgacon_cursor, > > .con_scroll = vgacon_scroll, > > .con_switch = vgacon_switch, > > -- > > 2.13.6 Best regards, -- Bartlomiej Zolnierkiewicz Samsung R&D Institute Poland Samsung Electronics ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] vgacon: fix function prototypes
  2018-03-10  6:40 ` Joao Moreira
@ 2018-03-14 17:03 ` Greg KH
From: Greg KH @ 2018-03-14 17:03 UTC
To: Joao Moreira; +Cc: kernel-hardening, linux-kernel, danielmicay, keescook

On Sat, Mar 10, 2018 at 03:40:59AM -0300, Joao Moreira wrote:
> It is possible to indirectly invoke functions with prototypes that do not
> match those of the respectively used function pointers by using void types.
> Despite widely used as a feature for relaxing function invocation, this
> should be avoided when possible as it may prevent the use of heuristics
> such as prototype matching-based Control-Flow Integrity, which can be used
> to prevent ROP-based attacks.
>
> Given the above, the current efforts to improve the Linux security, and the
> upcoming kernel support to compilers with CFI features, fix prototypes in
> vgacon console driver.
>
> Another similar fix can be seen in [1].
>
> [1] https://android-review.googlesource.com/c/kernel/common/+/602010
>
> Signed-off-by: João Moreira <jmoreira@suse.de>
> Acked-by: Kees Cook <keescook@chromium.org>
> Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
> ---
>  drivers/video/console/vgacon.c | 18 +++++++++++++-----
>  1 file changed, 13 insertions(+), 5 deletions(-)

This fails the build :(

drivers/video/console/vgacon.c:1432:15: error: initialization from incompatible pointer type [-Werror=incompatible-pointer-types]
  .con_putcs = vgacon_putcs,
               ^~~~~~~~~~~~

What tree should this go to? It doesn't apply at all to my tty tree,
which is where I thought it should go, so I tried a different one and
got this mess :(

confused,

greg k-h
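The type mismatch this thread is about, as an added example that is not part of any message here or of the kernel source: a simplified model showing that a `(void *)` cast lets any stub into a callback table, while a prototype comparison rejects both the catch-all dummy and a stub that differs only by a qualifier. `mock_consw`, the stub names and the member prototypes (including the `const` on the `con_putcs` buffer) are assumptions, and the check relies on GCC/Clang builtins.

```c
#include <stdio.h>

struct vc_data { int unused; };          /* stand-in, not the kernel struct */

/* Hypothetical callback table; the member prototypes are assumptions. */
struct mock_consw {
    void (*con_putc)(struct vc_data *, int, int, int);
    void (*con_putcs)(struct vc_data *, const unsigned short *, int, int, int);
};

/* Old pattern: one stub whose prototype fits neither member. */
static int old_dummy(struct vc_data *c) { (void)c; return 0; }

/* Typed stubs; the two putcs variants differ only in the const qualifier. */
static void stub_putc(struct vc_data *c, int a, int b, int d)
{ (void)c; (void)a; (void)b; (void)d; }
static void stub_putcs_plain(struct vc_data *c, unsigned short *s, int a, int b, int d)
{ (void)c; (void)s; (void)a; (void)b; (void)d; }
static void stub_putcs_const(struct vc_data *c, const unsigned short *s, int a, int b, int d)
{ (void)c; (void)s; (void)a; (void)b; (void)d; }

/* The cast to void * silences the compiler, so this table builds. */
static const struct mock_consw cast_table = {
    .con_putc  = (void *)old_dummy,
    .con_putcs = (void *)stub_putcs_plain,
};
/* Without the cast, only exactly matching stubs are accepted. */
static const struct mock_consw typed_table = {
    .con_putc  = stub_putc,
    .con_putcs = stub_putcs_const,
};

/* 1 if &fn has exactly the member's pointer type, which is what a
 * prototype-matching check requires at the indirect call site. */
#define PROTO_MATCH(fn, member) \
    __builtin_types_compatible_p(__typeof__(&(fn)), \
                                 __typeof__(((struct mock_consw *)0)->member))

int dummy_matches_putc(void)  { return PROTO_MATCH(old_dummy, con_putc); }
int typed_putc_matches(void)  { return PROTO_MATCH(stub_putc, con_putc); }
int plain_putcs_matches(void) { return PROTO_MATCH(stub_putcs_plain, con_putcs); }
int const_putcs_matches(void) { return PROTO_MATCH(stub_putcs_const, con_putcs); }

int main(void)
{
    struct vc_data vc = { 0 };
    typed_table.con_putc(&vc, 'x', 0, 0);   /* safe: prototypes agree */
    printf("cast table populated: %d\n", cast_table.con_putc != NULL);
    printf("dummy->putc %d, typed putc %d, plain putcs %d, const putcs %d\n",
           dummy_matches_putc(), typed_putc_matches(),
           plain_putcs_matches(), const_putcs_matches());
    return 0;
}
```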