s.bytes[i] != 0 and i < 4 instead
> > of insn.prefixes.nbytes.
> >
> > Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions")
> > Reported-by: Kees Cook
> > Signed-off-by: Masami Hiramatsu
> > ---
> > arch/x86/boot/co
prefixes.nbytes.
>
> Fixes: 2b1444983508 ("uprobes, mm, x86: Add the ability to install and remove
> uprobes breakpoints")
> Cc: sta...@vger.kernel.org
> Reported-by: Kees Cook
This should probably be:
Reported-by: syzbot+9b64b619f10f19d19...@syzkaller.appspotmail.com
Debugged
On Wed, Dec 02, 2020 at 10:49:29PM +0900, Masahiro Yamada wrote:
> Documentation/process/changes.rst says the minimal GCC version is 4.9.
> Hence, BUILDING_GCC_VERSION is greater than or equal to 4009.
>
> Signed-off-by: Masahiro Yamada
Acked-by: Kees Cook
Do you w
apply it directly, please feel free to add
> >
> > Reviewed-by: Masahiro Yamada
>
>
> BTW, gcc plugins are always compiled with g++.
>
> Why do we need to compile the following in the first place?
>
> class test {
> public:
> int test;
> } test = {
> .test = 1
> };
>
>
> I think any C++ compiler will succeed
> in compiling such simple code.
>
>
>
> So,
>
> test -e "$gccplugins_dir/include/plugin-version.h"
>
> looks enough to me.
>
>
>
> What is the intention of this compile test?
Yeah, I'd agree: we're just looking for a g++ and plugin-version.h.
--
Kees Cook
On Wed, Dec 02, 2020 at 11:37:38AM +0900, Masahiro Yamada wrote:
> On Wed, Dec 2, 2020 at 5:56 AM Kees Cook wrote:
> >
> > On Tue, Dec 01, 2020 at 10:31:37PM +0900, Masahiro Yamada wrote:
> > > On Wed, Nov 25, 2020 at 7:22 AM Kees Cook wrote:
> > > >
> &
On Wed, Dec 02, 2020 at 11:42:21AM +0900, Masahiro Yamada wrote:
> On Wed, Dec 2, 2020 at 2:31 AM Kees Cook wrote:
> >
> > On Mon, Nov 30, 2020 at 12:01:31PM +, Will Deacon wrote:
> > > Hi Sami,
> > >
> > > On Wed, Nov 18, 2020 at 02:07:14PM -080
gt; public:
> int test;
I'm fine dropping this -- I think the need for that portion of the
script's test has evaporated as we've brought the minimum GCC version
up into the neighborhood of "modern".
As for dropping GCC plugins entirely, I'd prefer not -- the big hold-out
for the very paranoid system builders is the randstruct plugin (though
they tend to also use the entropy one too). Clang's version of randstruct
has not gotten unstuck yet.
--
Kees Cook
6c590
>
> Reported-by: syzbot+9b64b619f10f19d19...@syzkaller.appspotmail.com
> Fixes: 4b2bd5fec007 ("proc: fix timerslack_ns CAP_SYS_NICE check when
> adjusting self")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
--
Kees Cook
the overhead is consistently less than 5ns on my
> test box.
>
> Cc: Matthew Wilcox
> Cc: Andy Lutomirski
> Cc: Paul Gofman
> Cc: Kees Cook
> Cc: linux-...@vger.kernel.org
> Signed-off-by: Gabriel Krisman Bertazi
Acked-by: Kees Cook
--
Kees Cook
on overhead: 9.7% (+13ns).
>
> Signed-off-by: Gabriel Krisman Bertazi
Reviewed-by: Kees Cook
--
Kees Cook
L_WORK_EXIT as
> well, just to prevent a trace exit event when dispatch was triggered.
> For that, the on_syscall_dispatch() examines context to skip the
> tracepoint, audit and other work.
>
> Signed-off-by: Gabriel Krisman Bertazi
Acked-by: Kees Cook
--
Kees Cook
had an fd added that it has no
idea about.
The former problem seems like a userspace issue. :P But, to help, yeah, is
signal blocking best? Either explicit (at filter apply time) or implicit
(all user_notif-triggering syscalls get all signals blocked automatically)?
For the latter problem, I think we need to get back to Tycho's original
method: add fd and finish syscall in a single action. I can't see any
other way to get around the need for atomicity...
--
Kees Cook
LINE__, _metadata->name, ##__VA_ARGS__)
>
> /**
> - * SKIP(statement, fmt, ...)
> + * SKIP()
> *
> * @statement: statement to run after reporting SKIP
> * @fmt: format string
> * @...: optional arguments
Please add something like this to retain the "p
On Tue, Dec 01, 2020 at 01:09:08PM +0100, Mauro Carvalho Chehab wrote:
> The kernel-doc markup is wrong: it is asking the tool to document
> struct refcount_struct, instead of documenting typedef refcount_t.
>
> Fix it.
>
> Signed-off-by: Mauro Carvalho Chehab
Acked-by: Kee
el.org/kees/c/cbf82e35031b
[2/9] pstore/blk: update the command line example
https://git.kernel.org/kees/c/45a8af4412b1
[3/9] pstore/blk: remove {un,}register_pstore_blk
https://git.kernel.org/kees/c/b6f8ed33ab2b
(I tweaked #3 with a small added comment.)
--
Kees Cook
On Tue, Dec 01, 2020 at 10:31:37PM +0900, Masahiro Yamada wrote:
> On Wed, Nov 25, 2020 at 7:22 AM Kees Cook wrote:
> >
> > On Thu, Nov 19, 2020 at 01:13:27PM -0800, Nick Desaulniers wrote:
> > > On Thu, Nov 19, 2020 at 12:57 PM Nathan Chancellor
> > > wrote:
&g
erface, and I don't expect to be
making big changes to the existing structures.
With feedback on patch 1 addressed, I'd be happy to Ack this going via
the mmc tree.
--
Kees Cook
pr_info("%s registered as psblk backend\n", cxt->dev_name);
> + return;
> +
> +free_data:
> + kfree(data);
> +free_stop:
> + kfree(stop);
> +free_cmd:
> + kfree(cmd);
> +free_mrq:
> + kfree(mrq);
> +free_sub:
> + kfree(cxt->sub);
> +out:
> + return;
> +}
> +
> +void unregister_mmcpstore(void)
> +{
> + struct mmcpstore_context *cxt = _cxt;
> +
> + unregister_pstore_device(>dev);
> + kfree(cxt->mrq->data);
> + kfree(cxt->mrq->stop);
> + kfree(cxt->mrq->cmd);
> + kfree(cxt->mrq);
> + kfree(cxt->sub);
> + cxt->card = NULL;
> +}
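Review bot: unregister_mmcpstore() frees cxt->mrq->data, cxt->mrq->stop, cxt->mrq->cmd, cxt->mrq and cxt->sub but only resets cxt->card; the freed pointers stay in the context, so a second unregister, or an unregister after a register that bailed out through the free_* labels, would double-free. Either set each pointer to NULL after kfree() or guard the frees on cxt->card being non-NULL. The bare `out: return;` label in the register path can also just be a direct return.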
> diff --git a/include/linux/mmc/core.h b/include/linux/mmc/core.h
> index 29aa50711626..3889c2a90faa 100644
> --- a/include/linux/mmc/core.h
> +++ b/include/linux/mmc/core.h
> @@ -166,6 +166,10 @@ struct mmc_request {
>
> struct mmc_card;
>
> +#if IS_ENABLED(CONFIG_MMC_PSTORE)
> +void mmc_wait_for_pstore_req(struct mmc_host *, struct mmc_request *);
> +#endif
> +
> void mmc_wait_for_req(struct mmc_host *host, struct mmc_request *mrq);
> int mmc_wait_for_cmd(struct mmc_host *host, struct mmc_command *cmd,
> int retries);
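Review bot: the new prototype drops the parameter names (`struct mmc_host *, struct mmc_request *`) while the neighbouring mmc_wait_for_req() declaration keeps them; checkpatch flags unnamed parameters in declarations, and the names document which argument is which. The `#if IS_ENABLED(CONFIG_MMC_PSTORE)` guard around a bare declaration is also unnecessary: an unused prototype costs nothing, and dropping the guard keeps the header free of config ifdefs.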
> diff --git a/include/linux/mmc/host.h b/include/linux/mmc/host.h
> index c079b932330f..7d6751005ac6 100644
> --- a/include/linux/mmc/host.h
> +++ b/include/linux/mmc/host.h
> @@ -173,6 +173,18 @@ struct mmc_host_ops {
>*/
> int (*multi_io_quirk)(struct mmc_card *card,
> unsigned int direction, int blk_size);
> +
> +#if IS_ENABLED(CONFIG_MMC_PSTORE)
> + /*
> + * The following two APIs are introduced to support mmcpstore
> + * functionality. Cleanup API to terminate the ongoing and
> + * pending requests before a panic write post, and polling API
> + * to ensure that write succeeds before the Kernel dies.
> + */
> + void(*req_cleanup_pending)(struct mmc_host *host);
> + int (*req_completion_poll)(struct mmc_host *host,
> + unsigned long timeout);
> +#endif
> };
>
> struct mmc_cqe_ops {
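Review bot: req_completion_poll() takes an `unsigned long timeout` but the comment does not say whether that is jiffies, milliseconds or an absolute deadline; state the unit, since the panic-path caller cannot afford to guess. Wrapping the two callbacks in `#if IS_ENABLED(CONFIG_MMC_PSTORE)` also makes the layout of struct mmc_host_ops depend on a config option; unconditional members that are simply NULL when unused are the usual pattern for optional ops.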
> --
> 2.17.1
>
Otherwise, sure, this looks good to me as far as pstore is concerned.
--
Kees Cook
on(void)
> }
>
> ctx = crypto_alloc_comp(zbackend->name, 0, 0);
> - if (IS_ERR_OR_NULL(ctx)) {
> + if (IS_ERR(ctx)) {
> kfree(buf);
> pr_err("crypto_alloc_comp('%s') failed: %ld\n", zbackend->name,
> PTR_ERR(ctx));
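Review bot: crypto_alloc_comp() reports failure through ERR_PTR() and never returns NULL, so IS_ERR() is the right test here; the old IS_ERR_OR_NULL() only obscured that, and the %ld/PTR_ERR() in the error message is consistent with the new check.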
> --
> 2.17.1
>
--
Kees Cook
to analyze valuable
post-mortem data especially on the embedded development or in the process
of bringing up new boards. Change this value to be a Kconfig option
with the default of old PSTORE_DEFAULT_KMSG_BYTES
Signed-off-by: Vasile-Laurentiu Stanimir
Signed-off-by: Kees Cook
---
This was sent off
; __pstore_blk_init(devname);
> }
> #endif /* MODULE */
> +#endif /* CONFIG_BLOCK */
>
> /* get information of pstore/blk */
> int pstore_blk_get_config(struct pstore_blk_config *info)
> --
> 2.28.0
>
--
Kees Cook
t;
> + if (IS_BUILTIN(CONFIG_PSTORE_BLK))
> + pstore_blk_early_init();
> +
I hate this being a special-case in kernel_init. For ramoops, we use:
postcore_initcall(ramoops_init);
which is much better than open coding this here.
> /*
>* Ok, we have completed the initial bootup, and
>* we're essentially up and running. Get rid of the
> --
> 2.28.0
>
--
Kees Cook
ct pstore_device_info - back-end pstore/blk driver structure.
> - *
> - * @total_size: The total size in bytes pstore/blk can use. It must be
> greater
> - * than 4096 and be multiple of 4096.
> - * @flags: Refer to macro starting with PSTORE_FLAGS defined in
> - * linux/pstore.h. It means what front-ends this device support.
> - * Zero means all backends for compatible.
> - * @ops: operations to access the device.
> - */
> -struct pstore_device_info {
> - unsigned long total_size;
> - unsigned int flags;
> - const struct pstore_zone_ops *ops;
> -};
> -
> -int register_pstore_device(struct pstore_device_info *dev);
> -void unregister_pstore_device(struct pstore_device_info *dev);
> +int register_pstore_device(const struct pstore_zone_ops *ops,
> + unsigned long total_size, unsigned int flags);
> +void unregister_pstore_device(const struct pstore_zone_ops *ops);
>
> /**
> * struct pstore_blk_config - the pstore_blk backend configuration
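Review bot: the kernel-doc that explained total_size (greater than 4096 and a multiple of 4096) and flags (PSTORE_FLAGS_* bits, zero meaning all front-ends) is deleted together with struct pstore_device_info, but nothing equivalent is added for the new register_pstore_device(ops, total_size, flags) parameters; move those constraints into a kernel-doc comment on the function so callers of the new API still see them.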
> --
> 2.28.0
>
--
Kees Cook
hers
> @@ -38,20 +26,35 @@ typedef ssize_t (*pstore_zone_erase_op)(size_t, loff_t);
> * On success, the number of bytes should be returned, others
> * excluding -ENOMSG mean error. -ENOMSG means to try next zone.
> */
> -struct pstore_zone_info {
> - struct module *owner;
> +struct pstore_zone_ops {
> const char *name;
> + ssize_t (*read)(char *buf, size_t count, loff_t pos);
> + ssize_t (*write)(const char *buf, size_t bytes, loff_t pos);
> + ssize_t (*erase)(size_t byes, loff_t pos);
> + ssize_t (*panic_write)(const char *buf, size_t bytes, loff_t pos);
> +};
>
> +/**
> + * struct pstore_zone_info - pstore/zone back-end driver structure
> + *
> + * @ops: Operations to access the zone.
> + * @total_size: The total size in bytes pstore/zone can use. It must be
> greater
> + * than 4096 and be multiple of 4096.
> + * @kmsg_size: The size of oops/panic zone. Zero means disabled,
> otherwise,
> + * it must be multiple of SECTOR_SIZE(512 Bytes).
> + * @max_reason: Maximum kmsg dump reason to store.
> + * @pmsg_size: The size of pmsg zone which is the same as @kmsg_size.
> + * @console_size:The size of console zone which is the same as @kmsg_size.
> + * @ftrace_size:The size of ftrace zone which is the same as @kmsg_size.
> + */
> +struct pstore_zone_info {
> + const struct pstore_zone_ops *ops;
> unsigned long total_size;
> unsigned long kmsg_size;
> int max_reason;
> unsigned long pmsg_size;
> unsigned long console_size;
> unsigned long ftrace_size;
> - pstore_zone_read_op read;
> - pstore_zone_write_op write;
> - pstore_zone_erase_op erase;
> - pstore_zone_write_op panic_write;
> };
>
> extern int register_pstore_zone(struct pstore_zone_info *info);
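Review bot: `ssize_t (*erase)(size_t byes, loff_t pos);` misspells the parameter (`bytes`), and the `@console_size:The` and `@ftrace_size:The` kernel-doc lines are missing the space after the colon that the other entries have; both are worth fixing while the struct is being reshaped, since struct pstore_zone_ops is now the API every back-end implements.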
> --
> 2.28.0
>
--
Kees Cook
int pstore_blk_get_config(struct pstore_blk_config *info)
> }
> EXPORT_SYMBOL_GPL(pstore_blk_get_config);
>
> -static int __init pstore_blk_init(void)
> -{
> - int ret = 0;
> -
> - mutex_lock(_blk_lock);
> - if (!pstore_zone_info && best_effort && blkdev[0])
> - ret = __register_pstore_blk();
> - mutex_unlock(_blk_lock);
> -
> - return ret;
> -}
> -late_initcall(pstore_blk_init);
> -
> -static void __exit pstore_blk_exit(void)
> -{
> - struct pstore_device_info dev = { };
> -
> - mutex_lock(_blk_lock);
> - if (pstore_zone_info)
> - dev.read = pstore_zone_info->read;
> - __unregister_pstore_device();
> - if (psblk_bdev)
> - psblk_put_bdev(psblk_bdev, blkdev);
> - mutex_unlock(_blk_lock);
> -}
> -module_exit(pstore_blk_exit);
> -
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("WeiXiong Liao ");
> MODULE_AUTHOR("Kees Cook ");
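Review bot: the removed pstore_blk_exit() was the code that released the block device via psblk_put_bdev() and unregistered the device on module unload, and pstore_blk_init() was the only auto-registration path for the best_effort/blkdev parameters; with late_initcall() and module_exit() both gone, the commit message should say where those two responsibilities moved, since nothing in this hunk takes them over.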
> --
> 2.28.0
>
--
Kees Cook
a full
generic block device implementation.
Reviewed-by: Kees Cook
>
> Signed-off-by: Christoph Hellwig
> ---
> Documentation/admin-guide/pstore-blk.rst | 8 +--
> fs/pstore/blk.c | 79 ++--
> include/linux/pstore_
r_pstore_blk(MAJOR(psblk_bdev->bd_dev));
> - else {
> - struct pstore_device_info dev = { };
> -
> - if (pstore_zone_info)
> - dev.read = pstore_zone_info->read;
> - __unregister_pstore_device();
> - }
> + psblk_put_bdev(psblk_bdev, blkdev);
> mutex_unlock(_blk_lock);
> }
> module_exit(pstore_blk_exit);
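Review bot: psblk_put_bdev(psblk_bdev, blkdev) is now called regardless of whether a block device was ever bound, where the removed else branch handled the no-bdev case via __unregister_pstore_device(); either keep an `if (psblk_bdev)` guard or make sure psblk_put_bdev() tolerates a NULL psblk_bdev, otherwise unloading a module that never opened its device dereferences NULL.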
> --
> 2.28.0
>
--
Kees Cook
or to a
path is also fine.
Reviewed-by: Kees Cook
> ---
> Documentation/admin-guide/pstore-blk.rst | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/Documentation/admin-guide/pstore-blk.rst
> b/Documentation/admin-guide/pstore-blk.rst
> index 296d
but if 128M is needed for pstore, something is likely very very
wrong. :)
Reviewed-by: Kees Cook
--
Kees Cook
in a while, so given the review
history and its use (for years now) in Android, I will carry v8 (assuming
all is fine with it) in -next unless there are objections.
--
Kees Cook
h;
continue;
goto <label>;
return [expression];
[3] https://cwe.mitre.org/data/definitions/484.html
--
Kees Cook
On Mon, Nov 23, 2020 at 03:53:31PM +0100, Christoph Hellwig wrote:
> On Fri, Oct 16, 2020 at 03:54:25PM -0700, Kees Cook wrote:
> > On Fri, Oct 16, 2020 at 03:20:38PM +0200, Christoph Hellwig wrote:
> > > this series cleans up and massively simplifies the pstore-blk code,
> &
t; Reported-by: Arvind Sankar
> > Reported-by: kernelci.org bot
> > Reported-by: Mark Brown
> > Reviewed-by: Kees Cook
> > Signed-off-by: Nathan Chancellor
>
> Thanks for the additions in v2.
> Reviewed-by: Nick Desaulniers
I'm going to carry this for a few days in -next, and if no one screams,
ask Linus to pull it for v5.10-rc6.
Thanks!
--
Kees Cook
change switches SCS to use virtually mapped shadow stacks for
> tasks, which increases shadow stack size to a full page and provides
> more robust overflow detection, similarly to VMAP_STACK.
>
> Signed-off-by: Sami Tolvanen
Reviewed-by: Kees Cook
--
Kees Cook
t;%pk". It did not work because people did
>not use it.
>
> 3. I am not sure about the output when the address is not from
>userspace. Printing ("fault") is not much helpful. Printing
>hashed value might be confusing. Well, I am still not sure
>that it is really safe to print real userspace addresses
>by default.
I think this should just be %px. Or better yet, not printed at all. See
Linus's prior comments:
https://www.kernel.org/doc/html/latest/process/deprecated.html#p-format-specifier
--
Kees Cook
flags instead of TIF
> flags for !CONFIG_GENERIC_ENTRY. Also, add safeguards to catch this at
> compilation time.
>
> Reported-by: Naresh Kamboju
> Suggested-by: Jann Horn
> Signed-off-by: Gabriel Krisman Bertazi
Thanks for getting this fixed!
3136b93c3fb2 ("entry: Expose helpers to migrate TIF to SYSCALL_WORK flags")
Reviewed-by: Kees Cook
--
Kees Cook
are still bugs being found from it -- we need to finish this and shut
the door on it for good.)
--
Kees Cook
On Mon, Nov 23, 2020 at 05:32:51PM -0800, Nick Desaulniers wrote:
> On Sun, Nov 22, 2020 at 8:17 AM Kees Cook wrote:
> >
> > On Fri, Nov 20, 2020 at 11:51:42AM -0800, Jakub Kicinski wrote:
> > > If none of the 140 patches here fix a real bug, and there is no chan
On Fri, Nov 20, 2020 at 11:51:42AM -0800, Jakub Kicinski wrote:
> On Fri, 20 Nov 2020 11:30:40 -0800 Kees Cook wrote:
> > On Fri, Nov 20, 2020 at 10:53:44AM -0800, Jakub Kicinski wrote:
> > > On Fri, 20 Nov 2020 12:21:39 -0600 Gustavo A. R. Silva wrote:
> > > > This
TO.html
> > +
> > + If unsure, say Y.
> > endchoice
>
> The two LTO_CLANG_* options need to depend on HAS_LTO_CLANG, of course.
Whoops, yes. Thanks for catching that. :)
--
Kees Cook
ocs: Document Syscall User Dispatch
>
> Aside from the one little nit this looks good to me.
>
> Acked-by: Peter Zijlstra (Intel)
Agreed, and thank you Gabriel for the SYSCALL_WORK series too. :) That's
so nice to have!
--
Kees Cook
e current
> patches couldn't be extended in the future if needed, unless I'm
> mistaken.
Yes, I'd prefer this series go in as-is, and if there is a need for
extending the API, arg2 can have more values added.
--
Kees Cook
upported architectures the same, introduce
> CONFIG_ARCH_WANT_LD_ORPHAN_WARN, which an architecture can select to
> gain this automatically after all of the sections are specified and size
> asserted. A special thanks to Kees Cook for the help text on this
> config.
>
> Link:
On Fri, Nov 20, 2020 at 12:58:41PM -0800, Sami Tolvanen wrote:
> On Fri, Nov 20, 2020 at 12:43 PM Kees Cook wrote:
> >
> > On Fri, Nov 20, 2020 at 01:29:35PM -0700, Nathan Chancellor wrote:
> > > On Fri, Nov 20, 2020 at 11:47:21AM -0800, Kees Cook wrote:
> > > >
On Fri, Nov 20, 2020 at 01:29:35PM -0700, Nathan Chancellor wrote:
> On Fri, Nov 20, 2020 at 11:47:21AM -0800, Kees Cook wrote:
> > On Fri, Nov 20, 2020 at 08:23:11AM -0800, Sami Tolvanen wrote:
> > > Changing the ThinLTO config to a choice and moving it after the main
> >
tps://github.com/KSPP/linux/issues/46
> >
> > I fail to understand what this patchset has to do with that
> > one-element-array issue :(
>
> I think I linked another issue totally not related with that one...
This just looks like a typo. The URL should be:
https://github.com/KSPP/linux/issues/96
--
Kees Cook
is added,
but this could be just a choice like we've done for the stack
initialization. Something like an "LTO" choice of NONE, CLANG_FULL,
CLANG_THIN, and in the future GCC, etc.
--
Kees Cook
us __user annotations
https://git.kernel.org/kees/c/fab686eb0307
--
Kees Cook
ngs are supposed to warn about issues that could
> be bugs. Falling through to default: break; can hardly be a bug?!
It's certainly a place where the intent is not always clear. I think
this makes all the cases unambiguous, and doesn't impact the machine
code, since the compiler will happily optimize away any behavioral
redundancy.
--
Kees Cook
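The two points above (the list of statements that legitimately end a `case`, with the CWE-484 reference, and the argument that spelling out every fall-through makes intent unambiguous at no cost in machine code) are easier to see side by side. The following is an added example, not code from the thread or from the kernel: `perms_buggy()` has the CWE-484 omitted `break` that `-Wimplicit-fallthrough` exists to catch, and `perms_fixed()` implements the same permission table with the fall-through made explicit. The `fallthrough` macro is defined locally here from the compiler attribute (an assumption of this example; the kernel has its own definition in `linux/compiler_attributes.h`), and the role-to-permission table is invented for illustration.

```c
/* Added example (not from the thread): a CWE-484 omitted-break bug next to
 * the explicitly annotated fall-through that -Wimplicit-fallthrough accepts.
 * Build with: cc -Wall -Wextra -Wimplicit-fallthrough fallthrough.c
 */
#include <stdio.h>

/* Local stand-in for the kernel's fallthrough macro (assumption of this
 * example): use the compiler attribute where available, a no-op otherwise. */
#if defined(__has_attribute)
# if __has_attribute(__fallthrough__)
#  define fallthrough __attribute__((__fallthrough__))
# endif
#endif
#ifndef fallthrough
# define fallthrough do {} while (0)
#endif

/* Invented permission bits for the example. */
enum perm { PERM_NONE = 0, PERM_READ = 1, PERM_WRITE = 2, PERM_ADMIN = 4 };

/* Intended table: role 0 and 1 -> READ; role 2 -> READ|WRITE;
 * role 3 -> READ|WRITE|ADMIN; anything else -> nothing. */

/* Buggy: the break after case 1 was forgotten, so a role-1 caller silently
 * picks up PERM_WRITE from case 2. The compiler only complains about this
 * when -Wimplicit-fallthrough is on, which is the warning under discussion. */
int perms_buggy(int role)
{
	int p = PERM_NONE;

	switch (role) {
	case 0:
		p |= PERM_READ;
		break;
	case 1:
		p |= PERM_READ;
		/* break missing here: falls into case 2 */
	case 2:
		p |= PERM_READ | PERM_WRITE;
		break;
	default:
		break;
	}
	return p;
}

/* Fixed: every case ends in one of break / fallthrough, so a reader (and
 * the warning) can tell a deliberate cumulative fall-through from a bug.
 * The explicit default: break; costs nothing in generated code. */
int perms_fixed(int role)
{
	int p = PERM_NONE;

	switch (role) {
	case 3:
		p |= PERM_ADMIN;
		fallthrough;
	case 2:
		p |= PERM_WRITE;
		fallthrough;
	case 1:
	case 0:
		p |= PERM_READ;
		break;
	default:
		break;
	}
	return p;
}

int main(void)
{
	int role;

	for (role = 0; role <= 4; role++)
		printf("role %d: buggy=%d fixed=%d\n",
		       role, perms_buggy(role), perms_fixed(role));
	return 0;
}
```

Compiling with `-Wimplicit-fallthrough` warns only about `perms_buggy()`; the annotated fall-throughs in `perms_fixed()` are accepted, and role 1 gets the write bit in the buggy version but not in the fixed one.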
On Tue, Nov 17, 2020 at 02:07:43PM -0800, Sami Tolvanen wrote:
> On Tue, Nov 17, 2020 at 1:45 PM Kees Cook wrote:
> >
> > On Tue, Nov 17, 2020 at 12:59:02PM -0800, Sami Tolvanen wrote:
> > > Instead of casting callback functions to type iw_handler, which trips
>
orted-by: Sedat Dilek
> Signed-off-by: Sami Tolvanen
Reviewed-by: Kees Cook
--
Kees Cook
-20 11:03:08 -0800)
seccomp fixes for v5.10-rc5
- Fix typos in seccomp selftests on powerpc and sh (Kees Cook)
- Fix PF_SUPERPRIV audit marking in seccomp and ptrace (Mickaël Salaün
On Tue, Nov 17, 2020 at 11:57:20PM +0100, John Paul Adrian Glaubitz wrote:
> On 11/17/20 9:56 PM, Kees Cook wrote:
> > It looks like the seccomp selftests were never actually built for sh.
> > This fixes it, though I don't have an environment to do a runtime test
> > of i
generates a crash at runtime because there is a write overflow in
> destination string.
>
> Signed-off-by: Francis Laniel
> Reviewed-by: Kees Cook
> ---
> drivers/misc/lkdtm/Makefile | 1 +
> drivers/misc/lkdtm/core.c | 1 +
> dr
upported architectures the same, introduce
> CONFIG_ARCH_WANT_LD_ORPHAN_WARN, which an architecture can select to
> gain this automatically after all of the sections are specified and size
> asserted. A special thanks to Kees Cook for the help text on this
> config.
>
> Link: https
>= 11
depends on $(ld-option,--orphan-handling=warn)
Otherwise, yeah, looks good to me. With this and the other suggestions,
please consider it:
Reviewed-by: Kees Cook
--
Kees Cook
[IW_IOCTL_IDX(SIOCSIWGENIE)]= __cfg80211_wext_siwgenie,
> + [IW_IOCTL_IDX(SIOCSIWAUTH)] = __cfg80211_wext_siwauth,
> + [IW_IOCTL_IDX(SIOCGIWAUTH)] = __cfg80211_wext_giwauth,
> + [IW_IOCTL_IDX(SIOCSIWENCODEEXT)]= __cfg80211_wext_siwencodeext,
> + [IW_IOCTL_IDX(SIOCSIWPMKSA)]= __cfg80211_wext_siwpmksa,
> };
>
> const struct iw_handler_def cfg80211_wext_handler = {
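Review bot: with the casts gone, every __cfg80211_wext_* entry in this table must already have the exact iw_handler signature (struct net_device *, struct iw_request_info *, union iwreq_data *, char *); any handler that still takes a more specific third argument now fails to compile instead of passing a mismatched prototype through the indirect call, which is what a CFI build needs, so the commit message should state that the handlers were adjusted to that prototype (or confirm that none needed it).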
>
> base-commit: 9c87c9f41245baa3fc4716cf39141439cf405b01
> --
> 2.29.2.299.gdc1121823c-goog
>
--
Kees Cook
On Tue, Nov 17, 2020 at 10:08:13PM +0100, John Paul Adrian Glaubitz wrote:
> Hi Kees!
>
> On 11/17/20 9:56 PM, Kees Cook wrote:
> > It looks like the seccomp selftests were never actually built for sh.
> > This fixes it, though I don't have an environment to do a runti
scussed in the thread, what you had here wouldn't work
in a CFI build if the function prototype of the call site and the
function don't match. (Though I can't tell if .func() is ever called?)
i.e. .func's prototype must match tp_stub_func()'s.
--
Kees Cook
8] xtensa: Enable seccomp architecture tracking
https://git.kernel.org/kees/c/4f408bc643aa
[8/8] seccomp/cache: Report cache data through /proc/pid/seccomp_cache
https://git.kernel.org/kees/c/49a6968cc78f
--
Kees Cook
UPERPRIV when checking capability
https://git.kernel.org/kees/c/cf23705244c9
[2/2] seccomp: Set PF_SUPERPRIV when checking capability
https://git.kernel.org/kees/c/fb14528e4436
--
Kees Cook
A typo sneaked into the powerpc selftest. Fix the name so it builds again.
Fixes: 46138329faea ("selftests/seccomp: powerpc: Fix seccomp return value
testing")
Signed-off-by: Kees Cook
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 4 ++--
1 file changed, 2 insertions(+), 2
It looks like the seccomp selftests were never actually built for sh.
This fixes it, though I don't have an environment to do a runtime test
of it yet.
Fixes: 0bb605c2c7f2b4b3 ("sh: Add SECCOMP_FILTER")
Signed-off-by: Kees Cook
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 4 ++
0xffe00020b3b0 <+146>: ld s6,80(sp)
>0xffe00020b3b2 <+148>: ld s7,72(sp)
>0xffe00020b3b4 <+150>: addisp,sp,144
>0xffe00020b3b6 <+152>: ret
>...
> * 0xffe00020b61c <+766>: auipc ra,0x7f8
> * 0xffe00020b620 <+770>: jalr-1764(ra) # 0xffe000a02f38
> <__stack_chk_fail>
>
> Signed-off-by: Guo Ren
Thanks for getting this working! It looks good to me. :)
Reviewed-by: Kees Cook
--
Kees Cook
Control-Flow Integrity (CFI).
>
> Reported-by: Sedat Dilek
> Signed-off-by: Sami Tolvanen
Reviewed-by: Kees Cook
--
Kees Cook
> .globl.
>
> Signed-off-by: Sami Tolvanen
Reviewed-by: Kees Cook
--
Kees Cook
On Tue, Nov 10, 2020 at 05:26:38PM +, Catalin Marinas wrote:
> On Tue, Oct 27, 2020 at 05:19:59PM -0700, Kees Cook wrote:
> > To enable seccomp constant action bitmaps, we need to have a static
> > mapping to the audit architecture and system call table size. Add thes
existing callers expect the "read" value to be int?
--
Kees Cook
IT?).
> Note, other than this, I like the idea. It makes it obvious what these
> atomic variables are being used for, and they can't be abused for other
> things. Nice work.
Agreed: this is a clear wrapping sequence counter. Its only abuse would
be using it in a place where wrapping actually is _not_ safe. (bikeshed:
can we call it wrap_u32 and wrap_u64?)
--
Kees Cook
ks like
runc had several forked processes that got SIGKILLed in quick succession,
and then the entire group got killed by Brute. I haven't narrowed down
what runc is doing here, but it makes me wonder if there might need
to be an exception for user-space delivered signals, as opposed to
kernel-delivered signals...
Thanks again for the work! I'm liking the idea of getting a solid
protection for this. It's been a long-standing hole in upstream. :)
-Kees
--
Kees Cook
age while sysadmins absorbed what the best
practices should be).
Thanks for sending this!
Acked-by: Kees Cook
--
Kees Cook
ed:
> No such file or directory (2)
>
> That's because non-regular hasn't been built, because it's in
> TEST_PROGS, it should be part of TEST_GEN_PROGS to indicate that it
> needs to be built.
Yes, thanks again!
Fixes: 0f71241a8e32 ("selftests/exec: add file type errno tests")
for both:
Acked-by: Kees Cook
--
Kees Cook
On Wed, Nov 04, 2020 at 05:40:51AM -0600, YiFei Zhu wrote:
> On Tue, Nov 3, 2020 at 6:29 PM Kees Cook wrote:
> > Yeah, this is very interesting. That there is anything measurably _slower_
> > with the cache is surprising. Though with only 4 runs, I wonder if it's
> > stil
mething must be off here.
I assume this is from Indirect Branch Prediction Barrier (IBPB) and
Single Threaded Indirect Branch Prediction (STIBP) (which get enabled
for threads under seccomp by default).
Try booting with "spectre_v2_user=prctl"
https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html#spectre-mitigation-control-command-line
--
Kees Cook
/asm/seccomp.h
> create mode 100644 arch/parisc/include/asm/seccomp.h
> create mode 100644 arch/xtensa/include/asm/seccomp.h
>
>
> base-commit: 38c37e8fd3d2590c4234d8cfbc22158362f0eb04
> --
> 2.29.2
--
Kees Cook
oes it, we
> still have TSYNC, so I don't think this would be a real problem.)
Unfortunately, yes, it happens. TSYNC got designed specifically to
"recapture" these constructor-launched threads. :( It was a common enough
situation Chrome wanted to solve due to some weird GPU libraries that
did this during init before Chrome was running.
--
Kees Cook
is also allows you to defer application of
> the filter until after execve. So unless I'm missing some reason why
> this doesn't work, I think the requested functionality is already
> available.
Oof. Yeah, that's possible, but I view it as kind of not the point of
USER_NOTIF -- I'd rather design a workable solution for the
delayed-apply case.
--
Kees Cook
Hi,
I took a quick look at arm64 and arm for enabling bitmaps, and figured
I'd send these patches to show it. I'll take this via the seccomp tree
if no one sees a problem.
Thanks!
-Kees
Kees Cook (2):
arm64: Enable seccomp architecture tracking
arm: Enable seccomp architecture tracking
To enable seccomp constant action bitmaps, we need to have a static
mapping to the audit architecture and system call table size. Add these
for arm.
Signed-off-by: Kees Cook
---
arch/arm/include/asm/Kbuild| 1 -
arch/arm/include/asm/seccomp.h | 11 +++
2 files changed, 11
pplication of delayed filters? The supervisor is launching
a daemon: mark NR_listen as the apply-point. The supervisor is launching
something totally unknown: mark NR_execve as the apply-point.
If we did that, what happens to non-delayed filters applied between
program start and the apply-point getting tripped?
--
Kees Cook
On Wed, Oct 28, 2020 at 10:13:52PM +0100, Thomas Gleixner wrote:
> On Wed, Oct 28 2020 at 13:49, Kees Cook wrote:
> > On Sat, Oct 24, 2020 at 10:35:15PM +0100, David Woodhouse wrote:
> >> + memset(, 0, sizeof(*msg);
> >
> > This should be:
> >
all aborts, enters signal handler
T: signal handler blocks on unfiltered syscall (e.g. write())
S: starts SECCOMP_IOCTL_NOTIF_RECV
S: gets (stale) seccomp_notif from seccomp_fd
S: sends seccomp_notif_resp, receives ENOENT (or some better errno?)
This is not at all how things are designed internally right now, but
that behavior would work, yes?
--
Kees Cook
iptors are expected to be
default-blocking. It *is* a special fd, though, so maybe it could work.
The only case I can think of it would break would be ioctl-loop case
that is already buggy in that it didn't handle non-zero returns?
--
Kees Cook
rampoline to do so before calling the callback instead of
> just calling the callback directly.
>
> The default for ftrace_ops is going to assume recursion protection unless
> otherwise specified.
>
> Cc: Thomas Meyer
> Cc: Kees Cook
> Signed-off-by: Steven Rostedt (VMware)
Reviewed-by: Kees Cook
--
Kees Cook
To enable seccomp constant action bitmaps, we need to have a static
mapping to the audit architecture and system call table size. Add these
for arm64.
Signed-off-by: Kees Cook
---
arch/arm64/include/asm/seccomp.h | 15 +++
1 file changed, 15 insertions(+)
diff --git a/arch/arm64
);
This should be:
+ memset(msg, 0, sizeof(*msg);
https://groups.google.com/g/clang-built-linux/c/N-DfCPz3alg
> + msg->address_hi = X86_MSI_BASE_ADDRESS_HIGH;
> + msg->arch_addr_lo.base_address = X86_MSI_BASE_ADDRESS_LOW;
> + msg->arch_addr_lo.destid_0_7 = index_from_irqs(vmd, irq);
> }
>
> /*
> --
> 2.26.2
>
--
Kees Cook
rch/xtensa/Kconfig:select HAVE_ARCH_SECCOMP_FILTER
So the "new" promotions would be:
csky
mips
powerpc
riscv
xtensa
Which would leave only these two:
arch/microblaze/Kconfig:select HAVE_ARCH_SECCOMP
arch/sparc/Kconfig: select HAVE_ARCH_SECCOMP if SPARC64
At this point, given the ubiquity of seccomp usage (e.g. systemd), I
guess it's not unreasonable to make it def_bool y?
I'm open to suggestions!
--
Kees Cook
/git.kernel.org/kees/c/e7dc9f1e5f6b
[3/4] x86: Enable seccomp architecture tracking
https://git.kernel.org/kees/c/1f68a4d393fe
[4/4] selftests/seccomp: Compare bitmap vs filter overhead
https://git.kernel.org/kees/c/57a339117e52
--
Kees Cook
.* with .ctors (Kees Cook)
Kees Cook (1):
vmlinux.lds.h: Keep .ctors.* with .ctors
Nathan Chancellor (1):
arm/build: Always handle .ARM.exidx and .ARM.extab sections
arch/arm/kernel/vmlinux.lds.S | 4
include/asm
mutex_lock(>notify_lock);
> knotif = find_notification(filter, unotif.id);
> - if (knotif) {
> + if (knotif)
> knotif->state = SECCOMP_NOTIFY_INIT;
> - up(>notif->request);
> -
On Thu, Oct 15, 2020 at 01:24:03PM +0200, Michael Kerrisk (man-pages) wrote:
> On 10/1/20 1:39 AM, Kees Cook wrote:
> > I'll comment more later, but I've run out of time today and I didn't see
> > anyone mention this detail yet in the existing threads... :)
>
> Later never
On Thu, Oct 22, 2020 at 06:40:08PM -0500, YiFei Zhu wrote:
> On Thu, Oct 22, 2020 at 5:32 PM Kees Cook wrote:
> > I've been going back and forth on this, and I think what I've settled
> > on is I'd like to avoid new CONFIG dependencies just for this feature.
> > Instead, h
On Fri, Oct 23, 2020 at 06:33:24PM +0200, Mauro Carvalho Chehab wrote:
> The documented struct is psz_head and not psz_buffer.
>
> Signed-off-by: Mauro Carvalho Chehab
Reviewed-by: Kees Cook
--
Kees Cook
ot sure
what the right way to document this is.
-Kees
> * @refs: atomic_t counter field
> *
> * The counter saturates at REFCOUNT_SATURATED and will not move once
> --
> 2.26.2
>
--
Kees Cook
-616,7 +616,7 @@
> __EXPECT(expected, #expected, seen, #seen, >=, 0)
>
> /**
> - * EXPECT_NULL(seen)
> + * EXPECT_NULL()
> *
> * @seen: measured value
> *
> @@ -626,7 +626,7 @@
> __EXPECT(NULL, "NULL", seen, #seen, ==, 0)
>
> /**
> - * EXPECT_TRUE(seen)
> + * EXPECT_TRUE()
> *
> * @seen: measured value
> *
> @@ -636,7 +636,7 @@
> __EXPECT(0, "0", seen, #seen, !=, 0)
>
> /**
> - * EXPECT_FALSE(seen)
> + * EXPECT_FALSE()
> *
> * @seen: measured value
> *
> @@ -646,7 +646,7 @@
> __EXPECT(0, "0", seen, #seen, ==, 0)
>
> /**
> - * EXPECT_STREQ(expected, seen)
> + * EXPECT_STREQ()
> *
> * @expected: expected value
> * @seen: measured value
> @@ -657,7 +657,7 @@
> __EXPECT_STR(expected, seen, ==, 0)
>
> /**
> - * EXPECT_STRNE(expected, seen)
> + * EXPECT_STRNE()
> *
> * @expected: expected value
> * @seen: measured value
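Review bot: the same point applies to each of these EXPECT_*() hunks: reducing the title to `EXPECT_STREQ()`/`EXPECT_STRNE()` satisfies kernel-doc but hides the argument order for the two-argument macros, and the `@expected`/`@seen` lines do not by themselves say which comes first; a sentence in each description body giving the call shape (expected first, then seen) keeps the rendered documentation usable.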
> --
> 2.26.2
>
--
Kees Cook
On Thu, Oct 22, 2020 at 01:23:55PM -0700, Sami Tolvanen wrote:
> Use scs_alloc() to allocate also IRQ and SDEI shadow stacks instead of
> using statically allocated stacks.
>
> Signed-off-by: Sami Tolvanen
Reviewed-by: Kees Cook
--
Kees Cook
change switches SCS to use virtually mapped shadow stacks,
> which increases shadow stack size to a full page and provides more
> robust overflow detection similarly to VMAP_STACK.
>
> Signed-off-by: Sami Tolvanen
Thanks! I much prefer this to kmem. :)
Reviewed-by: Kees Cook
--
Kees Cook
On Thu, Oct 22, 2020 at 03:52:20PM -0500, YiFei Zhu wrote:
> On Mon, Oct 12, 2020 at 7:31 PM YiFei Zhu wrote:
> >
> > On Mon, Oct 12, 2020 at 5:57 PM Kees Cook wrote:
> > > I think it's fine to just have this "dangle" with a help text update of
> > &
ed by default. I prefer gaining Catalin's suggested
patch[2]. :)
[1]
https://lore.kernel.org/kernel-hardening/1562410493-8661-1-git-send-email-s.mesorac...@gmail.com/
[2] https://lore.kernel.org/linux-arm-kernel/20201022093104.GB1229@gaia/
--
Kees Cook
501 - 600 of 17761 matches