On Mon, Apr 29, 2024 at 03:16:50PM -0700, Nathan Chancellor wrote:
> On Fri, Apr 26, 2024 at 03:29:44PM -0700, Kees Cook wrote:
> [...]
> > +# Enable Kernel Control Flow Integrity (currently Clang only).
> > +CONFIG_CFI_CLANG=y
> > +# CONFIG_CFI_PERMISSIVE is not set
>
> Should this be a part of
On Mon, 2024-04-29 at 12:49 -0700, Kees Cook wrote:
> On Mon, Apr 29, 2024 at 06:39:28PM +, Justin Stitt wrote:
> > I am going to quote Lee Jones who has been doing some snprintf ->
> > scnprintf refactorings:
> >
> > "There is a general misunderstanding amongst engineers that
> >
On Mon, 29 Apr 2024, Kees Cook wrote:
> this isn't a case where we can show identical binary output, since this
> actively adds overflow checking via kcalloc() internals.
>
> ...
>
> it is a trivially correct change that uses a more robust API and more
> idiomatic allocation sizeof()s
If a
Quoting Nathan Chancellor (2024-04-25 09:55:52)
> Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with
> __counted_by") annotated the hws member of 'struct clk_hw_onecell_data'
> with __counted_by, which informs the bounds sanitizer about the number
> of elements in hws, so that it
Quoting Nathan Chancellor (2024-04-25 09:55:51)
> Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with
> __counted_by") annotated the hws member of 'struct clk_hw_onecell_data'
> with __counted_by, which informs the bounds sanitizer about the number
> of elements in hws, so that it
*(options++) = 0;
#ifdef __sparc__
if (!strcmp(str, "ttya"))
- strcpy(buf, "ttyS0");
+ strscpy(buf, "ttyS0");
if (!strcmp(str, "ttyb"))
- strcpy(buf, "ttyS1");
+ strscpy(buf, "ttyS1&qu
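Review bot: both strscpy() replacements in the __sparc__ block use the two-argument form, which takes the destination size from sizeof(buf) and only builds when buf is a fixed-size array. The declaration of buf is outside the visible lines, so the commit message should state that buf is an array and give its size, which lets a reader confirm that "ttyS0" and "ttyS1" are copied without truncation.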
On Fri, Apr 26, 2024 at 03:29:44PM -0700, Kees Cook wrote:
> Add some stuff that got missed along the way:
>
> - CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y so SCS vs PAC is hardware
> selectable.
>
> - CONFIG_X86_KERNEL_IBT=y while a default, just be sure.
>
> - CONFIG_CFI_CLANG=y for x86 and arm64.
On Mon, Apr 29, 2024 at 08:50:30PM +, Justin Stitt wrote:
> strncpy() is deprecated for use on NUL-terminated destination strings
> [1] and as such we should prefer more robust and less ambiguous string
> interfaces.
>
> This kernel config option is simply assigned with the resume_file
>
strncpy() is deprecated for use on NUL-terminated destination strings
[1] and as such we should prefer more robust and less ambiguous string
interfaces.
This kernel config option is simply assigned with the resume_file
buffer. It should be NUL-terminated but not necessarily NUL-padded as
per its
On 27/04/2024 at 18:45, Erick Archer wrote:
This is an effort to get rid of all multiplications from allocation
functions in order to prevent integer overflows [1].
Here the multiplication is obviously safe. However, using kcalloc*()
is more appropriate [2] and improves readability. This
On Mon, Apr 29, 2024 at 02:31:19PM -0400, Martin K. Petersen wrote:
>
> Kees,
>
> >> This patch seems to be lost. Gustavo reviewed it on January 15, 2024
> >> but the patch has not been applied since.
> >
> > This looks correct to me. I can pick this up if no one else snags it?
>
> I guess my
On Mon, Apr 29, 2024 at 01:50:46PM -0600, Gustavo A. R. Silva wrote:
>
> > > diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
> > > index fe23e862921d..c4c6b8810701 100644
> > > --- a/include/net/bluetooth/hci.h
> > > +++ b/include/net/bluetooth/hci.h
> > > @@ -2026,7
> > Link: https://github.com/KSPP/linux/issues/202
> >> >> > Signed-off-by: Gustavo A. R. Silva
> >> >> > Reviewed-by: Jeff Johnson
> >> >> > Signed-off-by: Kalle Valo
> >> >>
> >> >> Patch applied to ath-
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index fe23e862921d..c4c6b8810701 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -2026,7 +2026,7 @@ struct hci_cp_le_set_ext_adv_data {
__u8 operation;
__u8 frag_pref;
On Mon, Apr 29, 2024 at 12:42:23PM -0600, Gustavo A. R. Silva wrote:
>
>
> On 4/29/24 12:30, Kees Cook wrote:
> > On Wed, Mar 06, 2024 at 10:18:59AM -0600, Gustavo A. R. Silva wrote:
> > >
> > > > Thanks for the improvements, however we are mostly at the end of
> > > > development period for
On Mon, Apr 29, 2024 at 06:39:28PM +, Justin Stitt wrote:
> I am going to quote Lee Jones who has been doing some snprintf ->
> scnprintf refactorings:
>
> "There is a general misunderstanding amongst engineers that
> {v}snprintf() returns the length of the data *actually* encoded into the
>
Hi,
This adds memcpy() fortify KUnit tests, similar to how the others
were done. This is in preparation for removing the 0-sized destination
exclusion now that we seem to be in good shape now after removing all
our 0-sized arrays.
-Kees
Kees Cook (3):
kunit/fortify: Rename tests to use
Add fortify tests for memcpy() and memmove(). This can use a similar
method to the fortify_panic() replacement, only we can do it for what
was the WARN_ONCE(), which can be redefined.
Since this is primarily testing the fortify behaviors of the memcpy()
and memmove() defenses, the tests for
The recommended convention for KUnit tests is ${module}_test_${what}.
Adjust the fortify tests to match.
Signed-off-by: Kees Cook
---
Cc: linux-hardening@vger.kernel.org
---
lib/fortify_kunit.c | 80 ++---
1 file changed, 40 insertions(+), 40
When running KUnit fortify tests, we're already doing precise tracking
of which warnings are getting hit. Don't fill the logs with WARNs unless
we've been explicitly built with DEBUG enabled.
Signed-off-by: Kees Cook
---
Cc: linux-hardening@vger.kernel.org
---
lib/fortify_kunit.c | 9 -
> structure [-Wflex-array-member-not-at-end]
>> >> >
>> >> > Link: https://github.com/KSPP/linux/issues/202
>> >> > Signed-off-by: Gustavo A. R. Silva
>> >> > Reviewed-by: Jeff Johnson
>> >> > Signed-off-by: Kalle Valo
On 4/29/24 12:30, Kees Cook wrote:
On Wed, Mar 06, 2024 at 10:18:59AM -0600, Gustavo A. R. Silva wrote:
Thanks for the improvements, however we are mostly at the end of
development period for v6.8 kernel. Let me postpone applying the patches
until closing the next merge window (for v6.9),
I am going to quote Lee Jones who has been doing some snprintf ->
scnprintf refactorings:
"There is a general misunderstanding amongst engineers that
{v}snprintf() returns the length of the data *actually* encoded into the
destination array. However, as per the C99 standard {v}snprintf()
really
Kees,
>> This patch seems to be lost. Gustavo reviewed it on January 15, 2024
>> but the patch has not been applied since.
>
> This looks correct to me. I can pick this up if no one else snags it?
I guess my original reply didn't make it out, I don't see it in the
archives.
My objections
On Wed, Mar 06, 2024 at 10:18:59AM -0600, Gustavo A. R. Silva wrote:
>
> > Thanks for the improvements, however we are mostly at the end of
> > development period for v6.8 kernel. Let me postpone applying the patches
> > until closing the next merge window (for v6.9), since we need the term to
>
On Mon, Apr 29, 2024 at 07:40:58PM +0200, Erick Archer wrote:
> This is an effort to get rid of all multiplications from allocation
> functions in order to prevent integer overflows [1][2].
>
> As the "rb" variable is a pointer to "struct perf_buffer" and this
> structure ends in a flexible
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz:
On Fri, 26 Apr 2024 10:45:17 -0600 you wrote:
> Prepare for the coming implementation by GCC and Clang of the
> __counted_by attribute. Flexible array members annotated with
> __counted_by can have
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz:
On Fri, 26 Apr 2024 16:52:46 -0600 you wrote:
> Prepare for the coming implementation by GCC and Clang of the
> __counted_by attribute. Flexible array members annotated with
> __counted_by can have
On Fri, Apr 26, 2024 at 04:52:46PM -0600, Gustavo A. R. Silva wrote:
> Prepare for the coming implementation by GCC and Clang of the
> __counted_by attribute. Flexible array members annotated with
> __counted_by can have their accesses bounds-checked at run-time
> via CONFIG_UBSAN_BOUNDS (for
sues/202
> >> > Signed-off-by: Gustavo A. R. Silva
> >> > Reviewed-by: Jeff Johnson
> >> > Signed-off-by: Kalle Valo
> >>
> >> Patch applied to ath-next branch of ath.git, thanks.
> >>
> >> cbb0697e0ded wifi: wil6210: wmi: Use _
On Sun, Apr 28, 2024 at 03:29:34PM +0200, Erick Archer wrote:
> This is an effort to get rid of all multiplications from allocation
> functions in order to prevent integer overflows [1][2].
>
> As the "dl" variable is a pointer to "struct rfcomm_dev_list_req" and
> this structure ends in a
On Sat, Apr 27, 2024 at 07:23:36PM +0200, Erick Archer wrote:
> This is an effort to get rid of all multiplications from allocation
> functions in order to prevent integer overflows [1][2].
>
> As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this
> structure ends in a flexible
On Sat, Apr 27, 2024 at 06:45:23PM +0200, Erick Archer wrote:
> This is an effort to get rid of all multiplications from allocation
> functions in order to prevent integer overflows [1].
>
> Here the multiplication is obviously safe. However, using kcalloc*()
> is more appropriate [2] and
This is an effort to get rid of all multiplications from allocation
functions in order to prevent integer overflows [1][2].
As the "rb" variable is a pointer to "struct perf_buffer" and this
structure ends in a flexible array:
struct perf_buffer {
	[...]
	void *data_pages[];
};
On Sat, Apr 27, 2024 at 05:05:56PM +0200, Erick Archer wrote:
> This is an effort to get rid of all multiplications from allocation
> functions in order to prevent integer overflows [1][2].
>
> As the "ff" variable is a pointer to "struct ff_device" and this
> structure ends in a flexible array:
anch of ath.git, thanks.
>>
>> cbb0697e0ded wifi: wil6210: wmi: Use __counted_by() in struct
>> wmi_set_link_monitor_cmd and avoid -Wfamnae warning
>
> Hi,
>
> I was just walking through our patch tracker and noticed that I don't
> see this patch included in -next yet (as o
On Tue, 02 Apr 2024 20:39:49 +, Justin Stitt wrote:
> strncpy() is deprecated for use on NUL-terminated destination strings
> [1] and as such we should prefer more robust and less ambiguous string
> interfaces.
>
> data_page wants to be NUL-terminated and NUL-padded, use strscpy_pad to
>
On Sat, Mar 30, 2024 at 05:17:53PM +0100, Erick Archer wrote:
> Use 2-factor multiplication argument form kcalloc() instead
> of kzalloc().
>
> Also, it is preferred to use sizeof(*pointer) instead of
> sizeof(type) due to the type of the variable can change and
> one needs not change the former
On Sat, Mar 30, 2024 at 03:32:59PM +0100, Erick Archer wrote:
> This is an effort to get rid of all multiplications from allocation
> functions in order to prevent integer overflows [1][2].
>
> As the "box" variable is a pointer to "struct intel_uncore_box" and
> this structure ends in a flexible
202
> > Signed-off-by: Gustavo A. R. Silva
> > Reviewed-by: Jeff Johnson
> > Signed-off-by: Kalle Valo
>
> Patch applied to ath-next branch of ath.git, thanks.
>
> cbb0697e0ded wifi: wil6210: wmi: Use __counted_by() in struct
> wmi_set_link_monitor_cmd and avoid
On Mon, Mar 25, 2024 at 12:03:25PM -0600, Gustavo A. R. Silva wrote:
> -Wflex-array-member-not-at-end is coming in GCC-14, and we are getting
> ready to enable it globally.
>
> There is currently an object (`msg`) in multiple structures that
> contains a flexible structure (`struct glink_msg`),
41 matches