archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <>
To: Linus Torvalds <>
	Bart Van Assche <>,
	Bill Wendling <>,
	Sami Tolvanen <>,
	Matthias Kaehlcke <>,
	"Gustavo A. R. Silva" <>,
	Kees Cook <>
Subject: [GIT PULL] kernel hardening updates for v6.1-rc1
Date: Sat, 1 Oct 2022 10:46:51 -0700	[thread overview]
Message-ID: <202210011003.B89BF8B@keescook> (raw)

Hi Linus,

Please pull these kernel hardening updates for v6.1-rc1. Most of
the collected changes here are fixes across the tree for various
hardening features (noted in the tag commit log below).

The most notable new feature here is the addition of the memcpy()
overflow warning (under CONFIG_FORTIFY_SOURCE), which is the next step
on the path to killing the common class of "trivially detectable" buffer
overflow conditions (i.e. on arrays with sizes known at compile time)
that have resulted in many exploitable vulnerabilities over the years
(e.g. BleedingTooth).

This feature is expected to still have some undiscovered false
positives. It's been in -next for a full development cycle and all
the reported false positives have been fixed in their respective trees.
All the known-bad code patterns we could find with Coccinelle are
also either fixed in their respective trees or in flight.

The commit log[1] for the feature has extensive details, but I'll repeat
here that this is a warning _only_, and is not intended to actually block
overflows (yet). The many patches fixing array sizes and struct members
have been landing for several years now, and we're finally able to turn
this on to find any remaining stragglers.

1 expected conflict is minimal:




The following changes since commit 1c23f9e627a7b412978b4e852793c5e3c3efc555:

  Linux 6.0-rc2 (2022-08-21 17:32:54 -0700)

are available in the Git repository at: tags/hardening-v6.1-rc1

for you to fetch changes up to 2120635108b35ecad9c59c8b44f6cbdf4f98214e:

  Makefile.extrawarn: Move -Wcast-function-type-strict to W=1 (2022-10-01 07:46:05 -0700)

hardening updates for v6.1-rc1

Various fixes across several hardening areas:

- loadpin: Fix verity target enforcement (Matthias Kaehlcke).

- zero-call-used-regs: Add missing clobbers in paravirt (Bill Wendling).

- CFI: clean up sparc function pointer type mismatches (Bart Van Assche).

- Clang: Adjust compiler flag detection for various Clang changes (Sami
  Tolvanen, Kees Cook).

- fortify: Fix warnings in arch-specific code in sh, ARM, and xen.

Improvements to existing features:

- testing: improve overflow KUnit test, introduce fortify KUnit test,
  add more coverage to LKDTM tests (Bart Van Assche, Kees Cook).

- overflow: Relax overflow type checking for wider utility.

New features:

- string: Introduce strtomem() and strtomem_pad() to fill a gap in
  strncpy() replacement needs.

- um: Enable FORTIFY_SOURCE support.

- fortify: Enable run-time struct member memcpy() overflow warning.

Bart Van Assche (4):
      testing/selftests: Add tests for the is_signed_type() macro
      overflow, tracing: Define the is_signed_type() macro once
      lib: Improve the is_signed_type() kunit test
      sparc: Unbreak the build

Bill Wendling (2):
      x86/paravirt: clean up typos and grammaros
      x86/paravirt: add extra clobbers with ZERO_CALL_USED_REGS enabled

Kees Cook (17):
      overflow: Allow mixed type arguments
      overflow: Split up kunit tests for smaller stack frames
      string: Introduce strtomem() and strtomem_pad()
      fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL
      fortify: Add KUnit test for FORTIFY_SOURCE internals
      fortify: Use SIZE_MAX instead of (size_t)-1
      fortify: Add run-time WARN for cross-field memcpy()
      lkdtm: Update tests for memcpy() run-time warnings
      um: Enable FORTIFY_SOURCE
      kunit/memcpy: Avoid pathological compile-time string size
      sh: machvec: Use char[] for section boundaries
      fortify: Adjust KUnit test for modular build
      ARM: decompressor: Include
      x86/entry: Work around Clang __bdos() bug
      fortify: Explicitly check bounds are compile-time constants
      fortify: Convert to struct vs member helpers
      hardening: Remove Clang's enable flag for -ftrivial-auto-var-init=zero

Matthias Kaehlcke (3):
      LoadPin: Fix Kconfig doc about format of file with verity digests
      dm: verity-loadpin: Only trust verity targets with enforcement
      LoadPin: Require file with verity root digests to have a header

Sami Tolvanen (1):
      Makefile.extrawarn: Move -Wcast-function-type-strict to W=1

 Documentation/process/deprecated.rst    |  11 +-
 MAINTAINERS                             |   1 +
 Makefile                                |   4 +-
 arch/arm/boot/compressed/  |   2 +
 arch/sh/include/asm/sections.h          |   2 +-
 arch/sh/kernel/machvec.c                |  10 +-
 arch/sparc/include/asm/smp_32.h         |  15 +-
 arch/sparc/kernel/leon_smp.c            |  12 +-
 arch/sparc/kernel/sun4d_smp.c           |  12 +-
 arch/sparc/kernel/sun4m_smp.c           |  10 +-
 arch/sparc/mm/srmmu.c                   |  29 ++--
 arch/um/Kconfig                         |   1 +
 arch/um/os-Linux/user_syms.c            |   1 +
 arch/x86/include/asm/paravirt_types.h   |  27 ++--
 arch/x86/xen/enlighten_pv.c             |   3 +-
 drivers/md/dm-verity-loadpin.c          |   8 ++
 drivers/md/dm-verity-target.c           |  16 +++
 drivers/md/dm-verity.h                  |   1 +
 drivers/misc/lkdtm/fortify.c            |  96 +++++++++++--
 include/linux/compiler.h                |   6 +
 include/linux/fortify-string.h          | 245 +++++++++++++++++++++++---------
 include/linux/overflow.h                |  73 +++++-----
 include/linux/string.h                  |  43 ++++++
 include/linux/trace_events.h            |   2 -
 lib/Kconfig.debug                       |  21 +++
 lib/Makefile                            |   2 +
 lib/fortify_kunit.c                     |  76 ++++++++++
 lib/is_signed_type_kunit.c              |  53 +++++++
 lib/memcpy_kunit.c                      |  59 +++++++-
 lib/overflow_kunit.c                    | 177 ++++++++++++++++-------
 scripts/Makefile.extrawarn              |   1 +
 security/Kconfig.hardening              |  14 +-
 security/loadpin/Kconfig                |   7 +-
 security/loadpin/loadpin.c              |  16 ++-
 tools/testing/selftests/lkdtm/tests.txt |   8 +-
 35 files changed, 821 insertions(+), 243 deletions(-)
 create mode 100644 lib/fortify_kunit.c
 create mode 100644 lib/is_signed_type_kunit.c

Kees Cook

             reply	other threads:[~2022-10-01 17:46 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-01 17:46 Kees Cook [this message]
2022-10-04  0:36 ` [GIT PULL] kernel hardening updates for v6.1-rc1 pr-tracker-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202210011003.B89BF8B@keescook \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).