From: Greg Kroah-Hartman
To: Kees Cook
Cc: Kuppuswamy Sathyanarayanan, Douglas Anderson, Oscar Carter,
    Mitchell Blank Jr, kernel-hardening@lists.openwall.com, Peter Zijlstra,
    kgdb-bugreport@lists.sourceforge.net, Sebastian Andrzej Siewior,
    alsa-devel@alsa-project.org, Takashi Iwai, Christian Gromm, Kevin Curtis,
    Will Deacon, devel@driverdev.osuosl.org, linux-s390@vger.kernel.org,
    Daniel Thompson, Jonathan Corbet, Masahiro Yamada, "Rafael J. Wysocki",
    Julian Wiedmann, "Matthew Wilcox (Oracle)", Christian Borntraeger,
    Nishka Dasgupta, Jiri Slaby, Jakub Kicinski, Guenter Roeck, Wambui Karuga,
    Vasily Gorbik, Heiko Carstens, linux-input@vger.kernel.org, Ursula Braun,
    Stephen Boyd, Chris Packham, Harald Freudenberger, Thomas Gleixner,
    Jaroslav Kysela, Felipe Balbi, Kyungtae Kim, netdev@vger.kernel.org,
    Dmitry Torokhov, Allen Pais, linux-kernel@vger.kernel.org,
    linux-usb@vger.kernel.org, Jason Wessel, Karsten Graul, Romain Perier,
    "David S. Miller"
Date: Thu, 16 Jul 2020 09:30:10 +0200
Subject: Re: [PATCH 3/3] tasklet: Introduce new initialization API
Message-ID: <20200716073010.GB971895@kroah.com>
In-Reply-To: <20200716030847.1564131-4-keescook@chromium.org>
References: <20200716030847.1564131-1-keescook@chromium.org>
    <20200716030847.1564131-4-keescook@chromium.org>

On Wed, Jul 15, 2020 at 08:08:47PM -0700, Kees Cook wrote:
> From: Romain Perier
>
> Nowadays, modern kernel subsystems that use callbacks pass the data
> structure associated with a given callback as argument to the callback.
> The tasklet subsystem remains one which passes an arbitrary unsigned
> long to the callback function. This has several problems:
>
> - This keeps an extra field for storing the argument in each tasklet
>   data structure, it bloats the tasklet_struct structure with a redundant
>   .data field
>
> - No type checking can be performed on this argument. Instead of
>   using container_of() like other callback subsystems, it forces callbacks
>   to do explicit type cast of the unsigned long argument into the required
>   object type.
>
> - Buffer overflows can overwrite the .func and the .data field, so
>   an attacker can easily overwrite the function and its first argument
>   to whatever it wants.
>
> Add a new tasklet initialization API, via DECLARE_TASKLET() and
> tasklet_setup(), which will replace the existing ones.
>
> This work is greatly inspired by the timer_struct conversion series,
> see commit e99e88a9d2b0 ("treewide: setup_timer() -> timer_setup()")
>
> To avoid problems with both -Wcast-function-type (which is enabled in
> the kernel via -Wextra in several subsystems), and with mismatched
> function prototypes when built with Control Flow Integrity enabled,
> this adds the "use_callback" member to let the tasklet caller choose
> which union member to call through. Once all old API uses are removed,
> this and the .data member will be removed as well. (On 64-bit this does
> not grow the struct size as the new member fills the hole after atomic_t,
> which is also "int" sized.)
>
> Signed-off-by: Romain Perier
> Co-developed-by: Allen Pais
> Signed-off-by: Allen Pais
> Co-developed-by: Kees Cook
> Signed-off-by: Kees Cook
> ---
>  include/linux/interrupt.h | 24 +++++++++++++++++++++++-
>  kernel/softirq.c          | 18 +++++++++++++++++-
>  2 files changed, 40 insertions(+), 2 deletions(-)

Reviewed-by: Greg Kroah-Hartman
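
As an added illustration of the commit message quoted above (not code from the patch or from the kernel tree): a userspace C model of the old untyped callback, the new container_of()-based callback, and the "use_callback" dispatch. `struct tasklet_model`, `struct demo_dev`, `model_run()` and `run_once()` are hypothetical names, and the struct layout is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model (assumption): member names follow the commit message;
 * the layout and helper names are illustrative, not the kernel's code. */
struct tasklet_model {
	int count;                 /* stands in for the kernel's atomic_t */
	bool use_callback;         /* selects which union member to call */
	union {
		void (*func)(unsigned long data);          /* old prototype */
		void (*callback)(struct tasklet_model *t); /* new prototype */
	};
	unsigned long data;        /* needed only by the old prototype */
};

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct demo_dev {                  /* hypothetical driver state */
	int events;
	struct tasklet_model bh;
};

/* Old style: untyped argument, the callback casts it back unchecked. */
static void old_handler(unsigned long data)
{
	((struct demo_dev *)data)->events += 1;
}

/* New style: typed argument, owner recovered with container_of(). */
static void new_handler(struct tasklet_model *t)
{
	container_of(t, struct demo_dev, bh)->events += 10;
}

/* Call the member whose prototype matches what was stored: no cast needed. */
static void model_run(struct tasklet_model *t)
{
	if (t->use_callback)
		t->callback(t);
	else
		t->func(t->data);
}

/* Returns dev.events after one dispatch through the chosen API. */
int run_once(bool new_api)
{
	struct demo_dev dev = { .events = 0, .bh = { .use_callback = new_api } };
	if (new_api) {
		dev.bh.callback = new_handler;     /* .data is never touched */
	} else {
		dev.bh.func = old_handler;
		dev.bh.data = (unsigned long)&dev; /* type information lost here */
	}
	model_run(&dev.bh);
	return dev.events;
}

int main(void) { return (run_once(false) == 1 && run_once(true) == 10) ? 0 : 1; }
```

In the new style the compiler checks the callback's prototype at assignment, and the callback no longer depends on a separately stored, overwritable argument to locate its object.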