On Sun, May 12, 2024 at 09:32:40PM +0200, Joel Granados wrote:
> On Sat, May 11, 2024 at 11:51:18AM +0200, Thomas Weißschuh wrote:
> > Hi Kees,
> >
> > On 2024-05-08 10:11:35+, Kees Cook wrote:
> > > On Wed, Apr 24, 2024 at 08:12:34PM -0700, Jakub Kicinski wrot
10 go via their respective subsystems, and once all
of those are in Linus's tree, send patch 11 as a stand-alone PR.
(From patch 11, it looks like the seccomp read/write function changes
could be split out? I'll do that now...)
-Kees
--
Kees Cook
tps://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings
> [1]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-harden...@vger.kernel.org
> Signed-off-by: Justin Stitt
Looks good; thanks!
Reviewed-by: Kees Cook
--
Kees Cook
32 n_type; /* NT_VMCOREDD */
> - __u8 name[8]; /* LINUX\0\0\0 */
> - __u8 dump_name[VMCOREDD_MAX_NAME_BYTES]; /* Device dump's name */
> + __u8 name[8] __nonstring; /* LINUX\0\0\0 */
> + __u8 dump_name[VMCOREDD_MAX_NAME_BYTES] __nonstring; /* Device dump's
> name */
> };
Unfortunately since this is UAPI, we can't sanely use __nonstring here.
:(
--
Kees Cook
e of the kernel and run time
> memory bloat by ~64 bytes per sentinel (further information Link :
> https://lore.kernel.org/all/zo5yx5jfoggi%2f...@bombadil.infradead.org/)
>
> Remove sentinel element from seccomp_sysctl_table.
>
> Signed-off-by: Joel Granados
Acked-by: Kees Cook
--
Kees Cook
On Fri, 22 Sep 2023 10:52:24 -0700, Kees Cook wrote:
> Prepare for the coming implementation by GCC and Clang of the __counted_by
> attribute. Flexible array members annotated with __counted_by can have
> their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
>
On Sat, Sep 23, 2023 at 08:46:47AM +0800, Baoquan He wrote:
> On 09/22/23 at 10:52am, Kees Cook wrote:
> > Prepare for the coming implementation by GCC and Clang of the __counted_by
> > attribute. Flexible array members annotated with __counted_by can have
> > their accesses
functions).
As found with Coccinelle[1], add __counted_by for struct crash_mem.
[1]
https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Eric Biederman
Cc: kexec@lists.infradead.org
Signed-off-by: Kees Cook
---
include/linux/crash_core.h | 2 +-
1 file changed
On September 11, 2023 6:55:32 PM PDT, Dave Airlie wrote:
>On Tue, 12 Sept 2023 at 11:27, Kees Cook wrote:
>>
>> On September 8, 2023 12:59:39 PM PDT, Philipp Stanner
>> wrote:
>> >Hi!
>> >
>> >David Airlie suggested that we could
rivers/gpu/drm/drm_lease.c | 4 +--
> drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 +--
> include/linux/string.h | 40 +
> kernel/kexec.c | 2 +-
> kernel/watch_queue.c
ould be more appropriate to set the correct alignment so that tools
> do not have to rely on guesswork. FreeBSD coredumps set p_align to 4 as
> well.
>
> [...]
Applied to for-next/execve, thanks!
[1/1] coredump, vmcore: Set p_align to 4 for PT_NOTE
https://git.kernel.org/kees/
64-bit processes to avoid the other special case?
(And do we need to make some changes to make sure we are actually
aligned?)
-Kees
--
Kees Cook
___
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
no longer folded under KEXEC_SIG in menuconfig,
which makes it harder to find. I would prefer seeing KEXEC_SIG (and
KEXEC_SIG_FORCE) moved out of the per-arch Kconfig files into a common
location, and then arch Kconfig can add something like:
select ARCH_SUPPORTS_KEXEC
> config K
b folder to use new header.
> Though for time being include new header back to kernel.h to avoid twisted
> indirected includes for existing users.
>
> Signed-off-by: Andy Shevchenko
I like it! Do you have a multi-arch CI to do allmodconfig builds to
double-check this?
Acked-by: Kees
On Wed, Jul 29, 2020 at 12:48:06AM +, Luis Chamberlain wrote:
> On Wed, Jul 22, 2020 at 12:30:03PM -0700, Kees Cook wrote:
> > On non-EFI systems, it wasn't possible to test the platform firmware
> > loader because it will have never set "checked_fw" during __init.
>
rash dump.
The scope of LKDTM has shifted a bit, and I'm fine with tests that
don't cause crashes as long as they're part of testing system-wide
defenses, etc. It's easier to collect similar tests together (even if
they don't break the system).
--
Kees Cook
t does this return on your test system:
echo $(cat /sys/kernel/security/lsm)
(I wonder if I have IMA configured differently...)
Mimi, have you had a chance to test these changes?
--
Kees Cook
On Thu, Jul 23, 2020 at 10:41:07PM -0700, Scott Branden wrote:
>
>
> On 2020-07-23 12:15 p.m., Kees Cook wrote:
> > On Wed, Jul 22, 2020 at 03:29:26PM -0700, Scott Branden wrote:
> > > These changes don't pass the kernel-selftest for partial reads I added
>
On Fri, Jul 24, 2020 at 11:23:37AM -0700, Kees Cook wrote:
> On Thu, Jul 23, 2020 at 10:41:07PM -0700, Scott Branden wrote:
> >
> >
> > On 2020-07-23 12:15 p.m., Kees Cook wrote:
> > > On Wed, Jul 22, 2020 at 03:29:26PM -0700, Scott Branden wrote:
> > >
this now too...
--
Kees Cook
asurement() with a valid "file" and NULL "buf" is handled
correctly -- I misunderstood these changes). I will send a corrected
patch.
-Kees
[1]
https://lore.kernel.org/lkml/20200706232309.12010-10-scott.bran...@broadcom.com/
--
Kees Cook
From: Scott Branden
Add request_partial_firmware_into_buf() to allow for portions of a
firmware file to be read into a buffer. This is needed when large firmware
must be loaded in portions from a file on memory constrained systems.
Signed-off-by: Scott Branden
Co-developed-by: Kees Cook
ata loads
(e.g. init_module(2) and firmware userspace helper), which will happen
in subsequent patches.
Additionally prepare IMA to start processing these cases.
Signed-off-by: Kees Cook
---
drivers/base/firmware_loader/fallback.c | 2 +-
.../base/firmware_loader/fallback_platform.c
These routines are used in places outside of exec(2), so in preparation
for refactoring them, move them into a separate source file,
fs/kernel_read_file.c.
Acked-by: Scott Branden
Signed-off-by: Kees Cook
---
fs/Makefile | 3 +-
fs/exec.c | 132
firmware_request_platform()")
Cc: sta...@vger.kernel.org
Acked-by: Scott Branden
Signed-off-by: Kees Cook
---
To aid in backporting, this change is made before moving
kernel_read_file() to separate header/source files.
---
drivers/base/firmware_loader/fallback_platform.c | 5 -
1 file
Branden
Reviewed-by: Christoph Hellwig
Acked-by: Greg Kroah-Hartman
Link:
https://lore.kernel.org/r/20200706232309.12010-2-scott.bran...@broadcom.com
Signed-off-by: Kees Cook
---
drivers/base/firmware_loader/main.c | 1 +
fs/exec.c | 1 +
include/linux/fs.h
into a pre-allocated buffer")
Fixes: fd90bc559bfb ("ima: based on policy verify firmware signatures
(pre-allocated buffer)")
Fixes: 4f0496d8ffa3 ("ima: based on policy warn about loading firmware
(pre-allocated buffer)")
Cc: sta...@vger.kernel.org
Acked-by: Scott Branden
Signed-off-b
(or reject such cases). Adjust all
existing LSMs to retain existing behavior.
Signed-off-by: Kees Cook
---
fs/kernel_read_file.c | 2 +-
include/linux/ima.h | 6 --
include/linux/lsm_hook_defs.h | 2 +-
include/linux/lsm_hooks.h | 3 +++
include/linux/
e, the LSM hooks can report whether a full file has been
read or not so that the contents can be reasoned about.
Signed-off-by: Kees Cook
---
drivers/base/firmware_loader/main.c | 2 +-
fs/kernel_read_file.c | 78 -
include/linux/kernel_read_file.h
In preparation for adding partial read support, add an optional output
argument to kernel_read_file*() that reports the file size so callers
can reason more easily about their reading progress.
Signed-off-by: Kees Cook
---
drivers/base/firmware_loader/main.c | 1 +
fs/kernel_read_file.c
o
longer be negative (and was never called with a negative value). Adjust
callers to use it as a "maximum size" when *buf is NULL.
Signed-off-by: Kees Cook
---
fs/kernel_read_file.c| 34 +++-
include/linux/kernel_read_file.h | 8
securit
Instead of passing opt_flags around so much, store it in the private
structure so it can be examined by internals without needing to add more
arguments to functions.
Co-developed-by: Scott Branden
Signed-off-by: Scott Branden
Signed-off-by: Kees Cook
---
drivers/base/firmware_loader
,
0, NULL);
Signed-off-by: Kees Cook
---
drivers/base/firmware_loader/fallback.c | 8
.../base/firmware_loader/fallback_platform.c | 7 ++-
security/integrity/ima/ima_main.c | 20 +--
3 files changed, 20 insertions(+), 15 deletions
offset into file to request
Also update firmware selftests to use the new partial read test API.
Signed-off-by: Scott Branden
Co-developed-by: Kees Cook
Signed-off-by: Kees Cook
---
This merges Scott's two test patches into one and I refactored the
selftests to not be batched, test the no-file
Now that there is an API for checking loaded contents for modules
loaded without a file, call into the LSM hooks.
Signed-off-by: Kees Cook
---
kernel/module.c | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/kernel/module.c b/kernel/module.c
index d56cb34d9a2f
The firmware tests would always time out for me. Add a correct timeout,
including details on how the value was reached. Additionally allow the
test harness to skip comments in settings files and report how long a
given timeout was.
Signed-off-by: Kees Cook
---
tools/testing/selftests/firmware
the way. It's now got Scott's
firmware patches ported and everything tests clean for me.
I think the intention is for this to go via Greg's tree since Scott's
driver code will depend on it?
Thanks, and let me know what you think,
-Kees
Kees Cook (15):
test_firmware: Test platform fw loading
nforcement of the symbol visibility.
Fixes: 548193cba2a7 ("test_firmware: add support for firmware_request_platform")
Cc: sta...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/firmware/efi/embedded-firmware.c | 21 -
drivers/firmware/efi/embedded-firmware.h | 19
ng.
Fixes: e4c2c0ff00ec ("firmware: Add new platform fallback mechanism and
firmware_request_platform()")
Cc: sta...@vger.kernel.org
Acked-by: Scott Branden
Signed-off-by: Kees Cook
---
To aid in backporting, this change is made before moving
kernel_read_file() to separate head
In preparation for refactoring kernel_read_file*(), remove the redundant
"size" argument which is not needed: it can be included in the return
code, with callers adjusted. (VFS reads already cannot be larger than
INT_MAX.)
Signed-off-by: Kees Cook
---
drivers/base/firmware_loader/m
On Tue, Jul 21, 2020 at 02:43:07PM -0700, Scott Branden wrote:
> On 2020-07-17 10:43 a.m., Kees Cook wrote:
> > In preparation for refactoring kernel_read_file*(), remove the redundant
> > "size" argument which is not needed: it can be included in the return
> > co
series, but
I wanted to really exercise the corners that the firmware suite pokes
at).
--
Kees Cook
On Fri, Jul 17, 2020 at 12:04:18PM -0700, Scott Branden wrote:
> On 2020-07-17 10:43 a.m., Kees Cook wrote:
> > In preparation for refactoring kernel_read_file*(), remove the redundant
> > "size" argument which is not needed: it can be included in the return
>
>
ng.
Fixes: e4c2c0ff00ec ("firmware: Add new platform fallback mechanism and
firmware_request_platform()")
Cc: sta...@vger.kernel.org
Signed-off-by: Kees Cook
---
To aid in backporting, this change is made before moving
kernel_read_file() to separate header/source files.
---
dr
These routines are used in places outside of exec(2), so in preparation
for refactoring them, move them into a separate source file,
fs/kernel_read_file.c.
Signed-off-by: Kees Cook
---
fs/Makefile | 3 +-
fs/exec.c | 132
fs
Now that there is an API for checking loaded contents for modules
loaded without a file, call into the LSM hooks.
Cc: Jessica Yu
Signed-off-by: Kees Cook
---
kernel/module.c | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/kernel/module.c b/kernel/module.c
into a pre-allocated buffer")
Fixes: fd90bc559bfb ("ima: based on policy verify firmware signatures
(pre-allocated buffer)")
Fixes: 4f0496d8ffa3 ("ima: based on policy warn about loading firmware
(pre-allocated buffer)")
Cc: sta...@vger.kernel.org
Signed-off-by: Kees Cook
firmware_request_platform()")
Cc: sta...@vger.kernel.org
Signed-off-by: Kees Cook
---
To aid in backporting, this change is made before moving
kernel_read_file() to separate header/source files.
---
drivers/base/firmware_loader/fallback_platform.c | 5 -
1 file changed, 4 insertions(+),
relocation.
I'll keep poking at the firmware tests...
-Kees
[1] https://lore.kernel.org/lkml/202007161415.10D015477@keescook/
Kees Cook (12):
firmware_loader: EFI firmware loader must handle pre-allocated buffer
fs/kernel_read_file: Remove FIRMWARE_PREALLOC_BUFFER enum
fs/kernel_read_fi
elle and, audited and fixed
> manually.
>
> Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83
> Signed-off-by: Gustavo A. R. Silva
Reviewed-by: Kees Cook
--
Kees Cook
lled 4 ms)
> <5>[ 70.921642] CPU7: shutdown
> <6>[ 70.922650] psci: CPU7 killed (polled 0 ms)
>
> Signed-off-by: Pavel Tatashin
Reviewed-by: Kees Cook
--
Kees Cook
disallow_writes(file);
while (processed < size-of-file) {
buf = read(file, size...)
security_file_read_partial(buf)
}
ret = security_file_read_finished(file);
if (ret < 0) {
allow_writes(file);
ile into a buffer once, calls the
> generic post security hook, before providing the buffer to the caller.
> (Note using firmware pre-allocated memory might be an issue.)
>
> Partial reading firmware will result in needing to pre-read the entire
> file, most likely on the security pre ho
be
> as a mean for assuring a security policy (in paranoid mode)
> case where no single taint is allowed for the running system.
>
> Suggested-by: Qian Cai
> Signed-off-by: Rafael Aquini
Reviewed-by: Kees Cook
--
Kees Cook
where the check for a "reserved" memory
area should live.
For example, this is how both mem_avoid_memmap() and the setup_data
memory areas are handled.
Is there a reason mem_avoid_overlap() can't be used here?
--
Kees Cook
On Thu, Feb 27, 2020 at 10:42:53AM +0800, Baoquan He wrote:
> On 02/06/20 at 09:51am, Kristen Carlson Accardi wrote:
> > On Thu, 2020-02-06 at 04:32 -0800, Kees Cook wrote:
>
> > > In the past, making kallsyms entirely unreadable seemed to break
> > > weird
>
the previous patch
> and to return -EPERM if the kernel is locked down for consistency with
> other lockdowns. Modified by Matthew Garrett to remove the IMA
> integration, which will be replaced by integrating with the IMA
> architecture policy patches.]
>
> Signed-off-by: Jiri Bo
xec reboot.
>
> Signed-off-by: Dave Young
Reviewed-by: Kees Cook
-Kees
> Signed-off-by: David Howells
> Signed-off-by: Matthew Garrett
> cc: kexec@lists.infradead.org
> ---
> arch/x86/kernel/kexec-bzimage64.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --
this situation.
>
> This does not affect kexec_file_load() syscall which can check for a
> signature on the image to be booted.
>
> Signed-off-by: David Howells
Reviewed-by: Kees Cook
-Kees
> Signed-off-by: Matthew Garrett
> Acked-by: Dave Young
> cc: kexec@lis
On Tue, Nov 27, 2018 at 3:29 PM, Baoquan He wrote:
> On 11/27/18 at 02:16pm, Kees Cook wrote:
>> Why is KERNELOFFSET= not sufficient?
>>
>> See commit b6085a865762 ("x86, kaslr: export offset in VMCOREINFO ELF notes")
>>
>> +
>> VMCOREINFO_SYMBOL(init_top_pgt);
>> vmcoreinfo_append_str("NUMBER(pgtable_l5_enabled)=%d\n",
>> pgtable_l5_enabled());
>> +#ifdef CONFIG_RANDOMIZE_BASE
>> + VMCOREINFO_NUMBER(page_offset_base);
>> +#endif
>>
>> #ifdef CONFIG_NUMA
>>
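Review bot: the first added line of this hunk is a bare blank `+` line ahead of VMCOREINFO_SYMBOL(init_top_pgt), an unrelated whitespace change that should be dropped. The new VMCOREINFO_NUMBER(page_offset_base) export under CONFIG_RANDOMIZE_BASE also adds one more memory-layout value to vmcoreinfo with no comment saying which dump tool consumes it; a one-line comment above the #ifdef naming the consumer would make the exposure easier to audit.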
: Mimi Zohar
> Cc: Luis R. Rodriguez
> Cc: Stephen Boyd
> Cc: Bjorn Andersson
> Cc: Ard Biesheuvel
I can't decide if it's worth adding the link (maybe using the
lkml.kernel.org url[1]) directly in the code or not.
Either way:
Reviewed-by: Kees Cook
-Kees
[1]
https://lk
ok and makes the corresponding changes
> in SELinux, LoadPin, and IMA.
>
> Signed-off-by: Mimi Zohar
> Cc: Jeff Vander Stoep
> Cc: Casey Schaufler
> Cc: Kees Cook
> Acked-by: Jessica Yu
> Acked-by: Paul Moore
Acked-by: Kees Cook
Thanks!
which verifies kernel modules,
> firmware, kexec image, and/or the IMA policy signatures. This build time
> policy is automatically enabled at runtime and persists after loading a
> custom policy.
>
> Signed-off-by: Mimi Zohar
Reviewed-by: Kees Cook
-Kees
On Fri, Jul 13, 2018 at 11:06 AM, Mimi Zohar wrote:
> With an IMA policy requiring signed firmware, this patch prevents
> the sysfs fallback method of loading firmware.
>
> Signed-off-by: Mimi Zohar
> Cc: Luis R. Rodriguez
> Cc: Matthew Garrett
Reviewed-by: Kees Cook
-K
On Fri, Jul 13, 2018 at 11:05 AM, Mimi Zohar wrote:
> Add an LSM hook prior to allowing firmware sysfs fallback loading.
>
> Signed-off-by: Mimi Zohar
> Acked-by: Luis R. Rodriguez
Reviewed-by: Kees Cook
-Kees
--
Kees Cook
Pi
On Fri, Jul 13, 2018 at 11:05 AM, Mimi Zohar wrote:
> The original kexec_load syscall can not verify file signatures, nor can
> the kexec image be measured. Based on policy, deny the kexec_load
> syscall.
>
> Signed-off-by: Mimi Zohar
> Cc: Eric Biederman
> Cc: Kees Coo
the original kexec_load syscall.
>
> Signed-off-by: Mimi Zohar
> Cc: Eric Biederman
> Cc: Kees Cook
> Acked-by: Serge Hallyn
Acked-by: Kees Cook
-Kees
--
Kees Cook
Pixel Security
ed-off-by: Mimi Zohar
> Cc: Eric Biederman
> Cc: Luis R. Rodriguez
> Cc: Kees Cook
> Cc: Casey Schaufler
> Acked-by: Serge Hallyn
Acked-by: Kees Cook
-Kees
--
Kees Cook
Pixel Security
ay be able to.
I don't see a PAGEFLAG for DMA, but I do see ZONE_DMA for
page_zone()... So maybe something like
struct page *page;
page = virt_to_page(address);
if (!page)
fail closed...
if (page_zone(page) == ZONE_DMA)
handle dma case...
else
non-dma
But I've CCed Laura and Rik, who I always lean on when I have these
kinds of page questions...
-Kees
--
Kees Cook
Pixel Security
On Tue, Jun 5, 2018 at 2:35 PM, Mimi Zohar wrote:
> On Tue, 2018-06-05 at 12:45 -0700, Kees Cook wrote:
>
>> And if you must have a separate enum, please change this to fail
>> closed instead of open (and mark the fall-through):
>>
>> int rc = -EPERM;
>>
>
LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
> LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
> LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
> --
> 2.7.5
>
--
Kees Cook
Pixel Security
On Tue, Jun 5, 2018 at 6:25 AM, Serge E. Hallyn wrote:
> Quoting Kees Cook (keesc...@chromium.org):
>> On Mon, Jun 4, 2018 at 9:09 PM, Serge E. Hallyn wrote:
>> > Personally I agree with Eric and prefer a new hook. I don't feel strongly
>> > enough about it to k
ile descriptor"?
-Kees
--
Kees Cook
Pixel Security
(IMA coverage and policy). 1 and 8 seem needless to me. If the
objection is that isn't use on non-file objects, sure, rename it. But
I don't see a _logical_ difference between the proposed and existing
callsites. enum kernel_read_file_id covers the "type" already
-Kees
--
Kees Cook
Pixel Security
, which did not like the memcmp() of a "0 byte"
array. This drops the __weak and uses an extern instead, since both
users define kexec_purgatory.
Cc: Daniel Micay <danielmi...@gmail.com>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
v2: use extern instead of _
On Tue, May 9, 2017 at 5:15 PM, Eric W. Biederman <ebied...@xmission.com> wrote:
> Kees Cook <keesc...@chromium.org> writes:
>> kernel/kexec_file.c:33:13: warning: array ‘kexec_purgatory’ assumed to
>> have one element
>> char __weak kexec_purgatory[];
>>
On Tue, May 9, 2017 at 4:13 PM, Daniel Micay <danielmi...@gmail.com> wrote:
> On Tue, 2017-05-09 at 16:06 -0700, Kees Cook wrote:
>> Defining kexec_purgatory as a zero-length char array upsets compile
>> time size checking. Since this is entirely runtime sized, s
niel Micay <danielmi...@gmail.com>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
kernel/kexec_file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..bc86f85f1329 100644
--- a/kernel/kexec_file.c
+++
p_paddr = __pa(m->addr);
>> + else
>> + phdr->p_paddr = (elf_addr_t)-1;
>> phdr->p_filesz = phdr->p_memsz = m->size;
>> phdr->p_align = PAGE_SIZE;
>> }
>>
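Review bot: the else branch stores (elf_addr_t)-1 in phdr->p_paddr as a bare magic value, with no comment or named constant telling readers of the program header that all-ones means no physical address is reported. A short comment on the else branch, or a macro for the sentinel, would keep consumers from treating it as a real address.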
Well, CONFIG_PROC_KCORE is a generalized root KASLR exposure (though
there are lots of such expo
On Thu, Aug 18, 2016 at 7:41 PM, Baoquan He <b...@redhat.com> wrote:
>
> This makes sense. Makedumpfile need this to parse memory sections.
Yup, good addition.
Acked-by: Kees Cook <keesc...@chromium.org>
-Kees
>
> Ack.
>
> Acked-by: Baoquan He <b...@redha
that there is room for the
> uncompressed image (aligned currently to 256 bytes) followed by the
> size of the compressed image, with any appended DTBs included.
> Anything which is located below that is likely to get trampled by
> the decompressor.
Okay, sounds reasonable to me. :)
-Kees
--
On Wed, Jun 15, 2016 at 2:13 PM, Russell King - ARM Linux
<li...@armlinux.org.uk> wrote:
> On Tue, Jun 14, 2016 at 11:05:23AM -0700, Kees Cook wrote:
>> I'm much less familiar with the ARM decompression stub, but is there a
>> boot image header (like x86 has)? If not, perh
ovide this information so that the boot environment
> can be setup sanely by boot loaders/kexec rather than relying on
> broken heuristics like this.
>
> Thoughts?
I'm much less familiar with the ARM decompression stub, but is there a
boot image header (like x86 has)? If not, perhaps we can invent one,
and it can carry all the details needed for a bootloader to do the
right things.
-Kees
--
Kees Cook
Chrome OS & Brillo Security
m as
> pointers would have gotten not just the capability handling wrong, it
> would have truncated a 64-bit value to 32 bits in that case.
Yup, that's why I was saying I was going to try to cook something up
for -next. It isn't a trivial change. :) Thanks for fixing it up!
-Ke
the future in consideration for a new extensible firmware
>API which will enable to separate usermode helper code out as much
>as possible.
>
> 2) Kees Cook pointed out the prints already have the device
>associated as dev_*() helpers are used, that should help identify
This makes the error and success paths more readable while trying to
load firmware from the filesystem.
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: Josh Boyer <jwbo...@fedoraproject.org>
Cc: David Howells <dhowe...@redhat.com>
Cc: Luis R. Rodriguez <mcg...@kernel.or
...@linux.vnet.ibm.com>
Acked-by: Kees Cook <keesc...@chromium.org>
-Kees
> ---
> fs/exec.c | 22 ++
> include/linux/fs.h | 2 ++
> 2 files changed, 24 insertions(+)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index cd2b5b2..5629958 100644
>
> v2:
> - reordered and squashed firmware patches
> - fix MAX firmware size (Kees Cook)
>
> Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Acked-by: Kees Cook <keesc...@chromium.org>
-Kees
> ---
> drivers/base/firmware_class.c | 48
> +++-
On Wed, Feb 3, 2016 at 11:06 AM, Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
> The kernel_read_file security hook is called prior to reading the file
> into memory.
>
> Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Acked-by: Kees Cook <keesc...@chromium.org>
r <zo...@linux.vnet.ibm.com>
Acked-by: Kees Cook <keesc...@chromium.org>
-Kees
> ---
> fs/exec.c | 16
> include/linux/fs.h | 2 ++
> 2 files changed, 18 insertions(+)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 1d39c4e..f3a0ce2 100644
>
Changelog v3:
> - additional bounds checking - Luis
> v2:
> - To simplify patch review, re-ordered patches
>
> Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
> Reviewed-by: Luis R. Rodriguez <mcg...@suse.com>
Acked-by: Kees Cook <k