On Fri, Jul 8, 2016 at 12:20 PM, Christoph Lameter wrote:
> On Fri, 8 Jul 2016, Kees Cook wrote:
>
>> Is check_valid_pointer() making sure the pointer is within the usable
>> size? It seemed like it was checking that it was within the slub
>> object (checks against s->
set within slab object. */
offset = (ptr - page_address(page)) % s->size;
/* Adjust offset for meta data and padding. */
offset -= s->size - s->object_size;
/* Make sure offset and size are within bounds of the
allocation size. */
if (offset <
On Thu, Jul 7, 2016 at 12:35 AM, Michael Ellerman wrote:
> Kees Cook writes:
>
>> Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the
>> SLUB allocator to catch any copies that may span objects.
>>
>> Based on code from PaX and grsecurity.
On Thu, Jul 7, 2016 at 12:35 PM, Rik van Riel wrote:
> On Wed, 2016-07-06 at 15:25 -0700, Kees Cook wrote:
>>
>> + /* Allow kernel rodata region (if not marked as Reserved).
>> */
>> + if (ptr >= (const void *)__start_rodata &&
>>
On Thu, Jul 7, 2016 at 4:01 AM, Arnd Bergmann wrote:
> On Wednesday, July 6, 2016 3:25:20 PM CEST Kees Cook wrote:
>> This is the start of porting PAX_USERCOPY into the mainline kernel. This
>> is the first set of features, controlled by CONFIG_HARDENED_USERCOPY. The
>> wor
On Thu, Jul 7, 2016 at 3:42 AM, Thomas Gleixner wrote:
> On Wed, 6 Jul 2016, Kees Cook wrote:
>> +
>> +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
>> + const void *frame = NULL;
>> + const void *oldframe;
>> +#endif
>
> That
On Thu, Jul 7, 2016 at 3:30 AM, Christian Borntraeger
wrote:
> On 07/07/2016 12:25 AM, Kees Cook wrote:
>> Hi,
>>
>> This is a start of the mainline port of PAX_USERCOPY[1]. After I started
>> writing tests (now in lkdtm in -next) for Casey's earlier port[2], I
>
On Thu, Jul 7, 2016 at 1:37 AM, Baruch Siach wrote:
> Hi Kees,
>
> On Wed, Jul 06, 2016 at 03:25:20PM -0700, Kees Cook wrote:
>> +#ifdef CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR
>
> Should be CONFIG_HARDENED_USERCOPY to match the slab/slub implementation
> con
On Thu, Jul 7, 2016 at 6:07 AM, Mark Rutland wrote:
> Hi,
>
> On Wed, Jul 06, 2016 at 03:25:23PM -0700, Kees Cook wrote:
>> Enables CONFIG_HARDENED_USERCOPY checks on arm64. As done by KASAN in -next,
>> renames the low-level functions to __arch_copy_*_user() so a st
Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the
SLUB allocator to catch any copies that may span objects.
Based on code from PaX and grsecurity.
Signed-off-by: Kees Cook
---
init/Kconfig | 1 +
mm/slub.c| 27 +++
2 files changed, 28 insertions
Enables CONFIG_HARDENED_USERCOPY checks on sparc.
Based on code from PaX and grsecurity.
Signed-off-by: Kees Cook
---
arch/sparc/Kconfig | 1 +
arch/sparc/include/asm/uaccess_32.h | 14 ++
arch/sparc/include/asm/uaccess_64.h | 11 +--
3 files changed, 20
Enables CONFIG_HARDENED_USERCOPY checks on powerpc.
Based on code from PaX and grsecurity.
Signed-off-by: Kees Cook
---
arch/powerpc/Kconfig | 1 +
arch/powerpc/include/asm/uaccess.h | 21 +++--
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/arch
Enables CONFIG_HARDENED_USERCOPY checks on ia64.
Based on code from PaX and grsecurity.
Signed-off-by: Kees Cook
---
arch/ia64/Kconfig | 1 +
arch/ia64/include/asm/uaccess.h | 18 +++---
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/arch/ia64
Enables CONFIG_HARDENED_USERCOPY checks on x86. This is done both in
copy_*_user() and __copy_*_user() because copy_*_user() actually calls
down to _copy_*_user() and not __copy_*_user().
Based on code from PaX and grsecurity.
Signed-off-by: Kees Cook
---
arch/x86/Kconfig | 2
Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the
SLAB allocator to catch any copies that may span objects.
Based on code from PaX and grsecurity.
Signed-off-by: Kees Cook
---
init/Kconfig | 1 +
mm/slab.c| 30 ++
2 files changed, 31
Enables CONFIG_HARDENED_USERCOPY checks on arm64. As done by KASAN in -next,
renames the low-level functions to __arch_copy_*_user() so a static inline
can do additional work before the copy.
Signed-off-by: Kees Cook
---
arch/arm64/Kconfig | 2 ++
arch/arm64/include/asm/uaccess.h
Enables CONFIG_HARDENED_USERCOPY checks on arm.
Based on code from PaX and grsecurity.
Signed-off-by: Kees Cook
---
arch/arm/Kconfig | 1 +
arch/arm/include/asm/uaccess.h | 11 +--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/arm/Kconfig b/arch
contained by the current stack frame (when there is
arch/build support for identifying stack frames)
- object must not overlap with kernel text
Signed-off-by: Kees Cook
---
arch/Kconfig| 7 ++
include/linux/slab.h| 12 +++
include/linux/thread_info.h | 15 +++
m
Hi,
This is a start of the mainline port of PAX_USERCOPY[1]. After I started
writing tests (now in lkdtm in -next) for Casey's earlier port[2], I
kept tweaking things further and further until I ended up with a whole
new patch series. To that end, I took Rik's feedback and made a number
of other c
(Oops, forgot to send this series through the lsm list...)
On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook wrote:
> There has been a long-standing (and documented) issue with seccomp
> where ptrace can be used to change a syscall out from under seccomp.
> This is a problem for containers
On Thu, Jun 9, 2016 at 3:52 PM, Andy Lutomirski wrote:
> On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook wrote:
>> This moves seccomp after ptrace on x86 so that seccomp can catch changes
>> made by ptrace. Emulation should skip the rest of processing too.
>>
>> We can
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook
Cc: Jeff Dike
Cc: Richard Weinberger
Cc: user-mode-linux-de...@lists.sourceforge.net
---
arch/um/kernel/skas/syscall.c | 9 -
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook
Cc: Chris Metcalf
---
arch/tile/kernel/ptrace.c | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/arch/tile/kernel/ptrace.c b/arch/tile/kernel/ptrace.c
index
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook
Cc: Michael Ellerman
Cc: Benjamin Herrenschmidt
Cc: Paul Mackerras
Cc: linuxppc-dev@lists.ozlabs.org
---
arch/powerpc/kernel/ptrace.c | 44 +++-
1 file
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook
Cc: Heiko Carstens
Cc: Martin Schwidefsky
Cc: linux-s...@vger.kernel.org
---
arch/s390/kernel/ptrace.c | 21 +
1 file changed, 9 insertions(+), 12 deletions(-)
diff --git a
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook
Cc: Ralf Baechle
Cc: "Maciej W. Rozycki"
Cc: James Hogan
Cc: linux-m...@linux-mips.org
---
arch/mips/kernel/ptrace.c | 9 -
1 file changed, 4 insertions(+), 5 deletions(-)
di
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook
Cc: "James E.J. Bottomley"
Cc: Helge Deller
Cc: linux-par...@vger.kernel.org
---
arch/parisc/kernel/ptrace.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook
Cc: Catalin Marinas
Cc: Will Deacon
Cc: Mark Rutland
Cc: linux-arm-ker...@lists.infradead.org
---
arch/arm64/kernel/ptrace.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook
Cc: Russell King
Cc: linux-arm-ker...@lists.infradead.org
---
arch/arm/kernel/ptrace.c | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/arch/arm/kernel/ptrace.c b
places where ptrace is desired even under seccomp filters.
This adds tests for both SECCOMP_RET_TRACE and PTRACE_SYSCALL manipulations.
Signed-off-by: Kees Cook
Cc: Andy Lutomirski
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 176 --
1 file changed, 165 insertions
Since nothing is using the 2-phase API, and it adds more complexity than
benefit, remove it.
Signed-off-by: Kees Cook
Cc: Andy Lutomirski
---
include/linux/seccomp.h | 6 ---
kernel/seccomp.c| 129 +++-
2 files changed, 41 insertions(+), 94
Andy Lutomirski
Signed-off-by: Kees Cook
Cc: x...@kernel.org
Cc: Andy Lutomirski
---
arch/x86/entry/common.c | 22 --
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
index df56ca394877..81c0e12d831c 100644
From: Andy Lutomirski
I added two-phase syscall entry work back when the entry slow path
was very slow. Nowadays, the entry slow path is fast and two-phase
entry work serves no purpose. Remove it.
Signed-off-by: Andy Lutomirski
Signed-off-by: Kees Cook
---
arch/x86/entry/common.c
When RET_TRACE triggers, a tracer may change a syscall into something that
should be filtered by seccomp. This re-runs seccomp after a trace event
to make sure things continue to pass.
Signed-off-by: Kees Cook
Cc: Andy Lutomirski
---
kernel/seccomp.c | 21 ++---
1 file changed
Signed-off-by: Andy Lutomirski
Signed-off-by: Kees Cook
---
arch/arm/kernel/ptrace.c | 2 +-
arch/arm64/kernel/ptrace.c| 2 +-
arch/mips/kernel/ptrace.c | 2 +-
arch/parisc/kernel/ptrace.c | 2 +-
arch/powerpc/kernel/ptrace.c | 2 +-
arch/s390
There has been a long-standing (and documented) issue with seccomp
where ptrace can be used to change a syscall out from under seccomp.
This is a problem for containers and other wider seccomp filtered
environments where ptrace needs to remain available, as it allows
for an escape of the seccomp fi
On Fri, Feb 5, 2016 at 2:46 AM, David Laight wrote:
> From: Kees Cook
>> Sent: 04 February 2016 21:01
>> Some callers of strtobool were passing a pointer to unterminated strings.
>> In preparation of adding multi-character processing to kstrtobool, update
>> the
Some callers of strtobool were passing a pointer to unterminated strings.
In preparation of adding multi-character processing to kstrtobool, update
the callers to not pass single-character pointers, and switch to using the
new kstrtobool_from_user helper where possible.
Signed-off-by: Kees Cook
Add support for "on" and "off" when converting to boolean.
Signed-off-by: Kees Cook
---
v3:
- add dropped description change, andy.shevchenko
---
lib/kstrtox.c | 20 +---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/lib/kstrtox.c b
Create the kstrtobool_from_user helper and moves strtobool logic into
the new kstrtobool (matching all the other kstrto* functions). Provides
an inline wrapper for existing strtobool callers.
Signed-off-by: Kees Cook
---
v3:
- drop needless "base" argument, rasmus
---
include/linu
This changes several users of manual "on"/"off" parsing to use strtobool.
Some side-effects:
- these uses will now parse y/n/1/0 meaningfully too
- the early_param uses will now bubble up parse errors
Signed-off-by: Kees Cook
Acked-by: Heiko Carstens
Acked-by: Mic
This consolidates logic for handling "on"/"off" parsing for bools into the
strtobool function, by way of moving it into kstrtobool (with helpers),
and updating various callers.
v3:
- removed unused "base" argument
- fixed missing description change
- retained inverted __setup return values
- remov
On Thu, Feb 4, 2016 at 3:55 PM, Rasmus Villemoes
wrote:
> On Thu, Feb 04 2016, Kees Cook wrote:
>
>> Create the kstrtobool_from_user helper and moves strtobool logic into
>> the new kstrtobool (matching all the other kstrto* functions). Provides
>> an inline wrappe
On Thu, Feb 4, 2016 at 4:11 PM, Kees Cook wrote:
> On Thu, Feb 4, 2016 at 3:04 PM, Andy Shevchenko
> wrote:
>> On Thu, Feb 4, 2016 at 11:00 PM, Kees Cook wrote:
>>> This changes several users of manual "on"/"off" parsing to use strtobool.
>
On Thu, Feb 4, 2016 at 3:04 PM, Andy Shevchenko
wrote:
> On Thu, Feb 4, 2016 at 11:00 PM, Kees Cook wrote:
>> This changes several users of manual "on"/"off" parsing to use strtobool.
>> (Which means they will now parse y/n/1/0 meaningfully too.)
>>
>
On Thu, Feb 4, 2016 at 3:00 PM, Andy Shevchenko
wrote:
> On Thu, Feb 4, 2016 at 11:00 PM, Kees Cook wrote:
>> Add support for "on" and "off" when converting to boolean.
>>
>> Signed-off-by: Kees Cook
>> ---
>> lib/kstrtox.c | 14 +
On Thu, Feb 4, 2016 at 2:59 PM, Andy Shevchenko
wrote:
> On Thu, Feb 4, 2016 at 11:00 PM, Kees Cook wrote:
>> Some callers of strtobool were passing a pointer to unterminated strings.
>> In preparation of adding multi-character processing to kstrtobool, update
>> the calle
On Thu, Feb 4, 2016 at 2:43 PM, Andy Shevchenko
wrote:
> On Thu, Feb 4, 2016 at 11:00 PM, Kees Cook wrote:
>> Create the kstrtobool_from_user helper and moves strtobool logic into
>> the new kstrtobool (matching all the other kstrto* functions). Provides
>> an inline
Some callers of strtobool were passing a pointer to unterminated strings.
In preparation of adding multi-character processing to kstrtobool, update
the callers to not pass single-character pointers, and switch to using the
new kstrtobool_from_user helper where possible.
Signed-off-by: Kees Cook
Create the kstrtobool_from_user helper and moves strtobool logic into
the new kstrtobool (matching all the other kstrto* functions). Provides
an inline wrapper for existing strtobool callers.
Signed-off-by: Kees Cook
---
include/linux/kernel.h | 3 +++
include/linux/string.h | 6 +-
lib
This consolidates logic for handling "on"/"off" parsing for bools into
the strtobool function, by way of moving it into kstrtobool (with helpers),
and updating various callers.
arch/powerpc/kernel/rtasd.c|9 ---
arch/powerpc/platforms/pseries/hotplug-cpu.c | 10
a
This changes several users of manual "on"/"off" parsing to use strtobool.
(Which means they will now parse y/n/1/0 meaningfully too.)
Signed-off-by: Kees Cook
Acked-by: Heiko Carstens
Acked-by: Michael Ellerman
Cc: x...@kernel.org
Cc: linuxppc-dev@lists.oz
Add support for "on" and "off" when converting to boolean.
Signed-off-by: Kees Cook
---
lib/kstrtox.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/lib/kstrtox.c b/lib/kstrtox.c
index e18f088704d7..09e83a19a96d 100644
--- a/lib/kstrtox.c
+++ b/lib
On Mon, Feb 1, 2016 at 5:17 AM, Andy Shevchenko
wrote:
> On Thu, Jan 28, 2016 at 4:17 PM, Kees Cook wrote:
>> Some callers of strtobool were passing a pointer to unterminated strings.
>> This fixes the issue and consolidates some logic in cifs.
>
> My comments below.
>
This changes several users of manual "on"/"off" parsing to use strtobool.
Signed-off-by: Kees Cook
Cc: x...@kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-s...@vger.kernel.org
---
arch/powerpc/kernel/rtasd.c | 10 +++---
arch/powerpc/platforms/p
Several places in the kernel expect to use "on" and "off" for their
boolean signifiers, so add them to strtobool.
Signed-off-by: Kees Cook
Cc: Rasmus Villemoes
Cc: Daniel Borkmann
---
lib/string.c | 24 +---
1 file changed, 21 insertions(+), 3 deleti
This consolidates logic for handling "on"/"off" parsing for bools into
the existing strtobool function. This requires making sure callers are
passing NULL-terminated strings.
-Kees
Some callers of strtobool were passing a pointer to unterminated strings.
This fixes the issue and consolidates some logic in cifs.
Signed-off-by: Kees Cook
Cc: Amitkumar Karwar
Cc: Nishant Sarmukadam
Cc: Kalle Valo
Cc: Steve French
Cc: linux-c...@vger.kernel.org
---
drivers/net/wireless
nges to this patch.
>
> Ard Biesheuvel (3):
> x86: kallsyms: disable absolute percpu symbols on !SMP
> kallsyms: don't overload absolute symbol type for percpu symbols
> kallsyms: add support for relative offsets in kallsyms address table
Still works for me!
Reviewed-by:
ubject to dynamic relocation when the build time and runtime
> offsets of the kernel image are different"?
IIUC, this means that the relocation work done after decompression now
doesn't have to do relocation updates for all these values, which
means a smaller relocation table
racted from the runtime
> address of _text to produce the actual address. Positive values are used as
> they are found in the table.
>
> Support for the above is enabled by setting CONFIG_KALLSYMS_TEXT_RELATIVE.
>
> Signed-off-by: Ard Biesheuvel
Reviewed-by: Kees Cook
400 KB for a KALLSYMS_ALL build, and about 100 KB
> reduction in compressed size. (with CONFIG_RELOCATABLE=y)
>
> Signed-off-by: Ard Biesheuvel
Tested-by: Kees Cook
-Kees
> ---
> I tested this with my Ubuntu Wily box's config-4.2.0-23-generic, and
> got the following resu
> parameter again. We do this restore using orig_gpr3, which may have been
> modified by seccomp, which allows seccomp to modify the first syscall
> parameter and allow the syscall to proceed.
>
> We need to #ifdef the additional handling of r3 for seccomp, so move
> it all out
ses syscall_restart? Seems like ARM remains
the odd-arch-out on this. :P)
Thanks!
-Kees
>
> Acked-by: Kees Cook
> Signed-off-by: Michael Ellerman
> ---
> tools/testing/selftests/seccomp/seccomp_bpf.c | 9 -
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
>
call
> through seccomp.
>
> Signed-off-by: Michael Ellerman
Reviewed-by: Kees Cook
-Kees
> ---
> arch/powerpc/include/asm/syscall.h | 11 ---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/arch/powerpc/include/asm/syscall.h
> b/arc
hack from samples/seccomp/bpf-helper.h which changes the offset
> on big endian to account for this.
>
> Signed-off-by: Michael Ellerman
Acked-by: Kees Cook
Thanks for fixing the error message! :)
-Kees
> ---
> tools/testing/selftests/seccomp/seccomp_bpf.c | 6 ++
> 1 file cha
> parameter again. We do this restore using orig_gpr3, which may have been
> modified by seccomp, which allows seccomp to modify the first syscall
> parameter and allow the syscall to proceed.
>
> Signed-off-by: Michael Ellerman
Reviewed-by: Kees Cook
-Kees
> ---
>
e only
> user of SIGSYS in the kernel is seccomp filter, which we don't support
> yet.
>
> So before we enable seccomp filter, add compat handling for SIGSYS.
>
> Signed-off-by: Michael Ellerman
Reviewed-by: Kees Cook
-Kees
> ---
> arch/powerpc/include/asm/compat.h
d never modify it.
>
> Update syscall_set_arguments() while we're here, even though it's never
> used.
>
> Signed-off-by: Michael Ellerman
Reviewed-by: Kees Cook
-Kees
> ---
> arch/powerpc/include/asm/syscall.h | 16 +---
> 1 file changed, 13 insert
ce to update.
>
> Signed-off-by: Michael Ellerman
Reviewed-by: Kees Cook
-Kees
> ---
> arch/powerpc/include/asm/syscall.h | 19 ---
> 1 file changed, 8 insertions(+), 11 deletions(-)
>
> diff --git a/arch/powerpc/include/asm/syscall.h
> b/arch/p
hough the value passed
> in is already negative.
>
> So remove the negation in syscall_set_return_value(), and expect the
> caller to do it like all other implementations do.
>
> Also add a comment about the ccr handling.
>
> Signed-off-by: Michael Ellerman
Reviewed-by: K
ompat, and doesn't deal with TIF_NOERROR.
>
> Although we could fix those, until it has a caller and it's clear what
> semantics the caller wants it's just untested code. So drop it.
>
> Signed-off-by: Michael Ellerman
Reviewed-by: Kees Cook
-Kees
> ---
> ar
t; is given.
>
> Signed-off-by: Michael Ellerman
Reviewed-by: Kees Cook
-Kees
> ---
> arch/powerpc/kernel/entry_32.S | 4
> arch/powerpc/kernel/entry_64.S | 23 ++--
> arch/powerpc/kernel/ptrace.c | 48
> --
>
been updated to
> use force_successful_syscall_return().
>
> I have also checked all the powerpc specific syscalls, and believe that
> none of them expect to return a non-error value between -MAX_ERRNO and
> -516. So this change should be safe ...
>
> Acked-by: Benjamin Herren
On Wed, Jul 15, 2015 at 12:37 AM, Michael Ellerman wrote:
> Wire up the syscall number and regs so the tests work on powerpc.
>
> Signed-off-by: Michael Ellerman
Acked-by: Kees Cook
-Kees
> ---
> tools/testing/selftests/seccomp/seccomp_bpf.c | 9 -
> 1 file cha
"
> +#endif
Ah-ha! Yes, thanks. Could you change the #error to something that
describes the particular (impossible) failure condition? "wut? Unknown
__BYTE_ORDER?!". Not a huge deal, but I always like verbose errors. :)
Especially for "impossible" situations. :)
-Kees
>
>
nfo;
> static volatile int TRAP_nr;
> static void TRAP_action(int nr, siginfo_t *info, void *void_context)
> {
> + fprintf(stderr, "in TRAP_action\n");
> + fprintf(stderr, "info->si_call_addr %p\n", i
haustive
> test one could repeat this sequence for every register in the architecture.
>
> This should work the same on all architectures supporting kprobes. You just
> have to use the appropriate register names for your architecture after the
> "%"
nel/ptrace.c | 39 +-
> include/linux/ptrace.h | 51
> kernel/ptrace.c| 38 ++
> 16 files changed, 116 insertions(+), 363 deletions(-)
> delete mode 100644 arch/sh/kernel/pt
On Tue, Mar 17, 2015 at 7:47 AM, Will Deacon wrote:
> On Wed, Mar 04, 2015 at 09:10:47PM +0000, Kees Cook wrote:
>> In preparation for splitting out ET_DYN ASLR, this refactors the use of
>> mmap_rnd() to be used similarly to arm and x86. This additionally enables
>> mma
On Wed, Mar 4, 2015 at 5:27 PM, Kees Cook wrote:
> Most architectures don't need to do much special for the strict-mode
> seccomp syscall entries. Remove the redundant headers and reduce the
> others.
>
> Signed-off-by: Kees Cook
Hi Andrew,
Just a quick ping: are you
On Mon, Mar 9, 2015 at 9:19 AM, Russell King - ARM Linux
wrote:
> On Tue, Mar 03, 2015 at 06:10:15PM -0800, Kees Cook wrote:
>> To address the "offset2lib" ASLR weakness[1], this separates ET_DYN
>> ASLR from mmap ASLR, as already done on s390. The architectures
>>
Switch to using the newly created asm-generic/seccomp.h for the seccomp
strict mode syscall definitions. The obsolete sigreturn syscall override
is retained in 32-bit mode, and the ia32 syscall overrides are used in
the compat case. Remaining definitions were identical.
Signed-off-by: Kees Cook
Most architectures don't need to do much special for the strict-mode
seccomp syscall entries. Remove the redundant headers and reduce the
others.
Signed-off-by: Kees Cook
---
v3:
- split patch series by architecture
- fix up architectures that need sigreturn overrides (ingo)
v2:
- use K
Switch to using the newly created asm-generic/seccomp.h for the seccomp
strict mode syscall definitions. Definitions were identical.
Signed-off-by: Kees Cook
---
arch/parisc/include/asm/Kbuild| 1 +
arch/parisc/include/asm/seccomp.h | 16
2 files changed, 1 insertion
Some architectures may need to override the compat sigreturn definition,
as is already possible in the non-compat case.
Signed-off-by: Kees Cook
---
include/asm-generic/seccomp.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/asm-generic/seccomp.h b/include/asm-generic/seccomp.h
Switch to using the newly created asm-generic/seccomp.h for the seccomp
strict mode syscall definitions. The obsolete sigreturn in COMPAT mode
is retained as an override. Remaining definitions are identical, though
they incorrectly appeared in uapi, which has been corrected.
Signed-off-by: Kees
Switch to using the newly created asm-generic/seccomp.h for the seccomp
strict mode syscall definitions. COMPAT definitions retain their overrides
and the remaining definitions were identical.
Signed-off-by: Kees Cook
---
arch/mips/include/asm/seccomp.h | 7 ++-
1 file changed, 2 insertions
Switch to using the newly created asm-generic/seccomp.h for the seccomp
strict mode syscall definitions. The obsolete sigreturn in COMPAT mode
is retained as an override. Remaining definitions are identical. Also
corrected missing #define for header reinclusion protection.
Signed-off-by: Kees
identical.
Signed-off-by: Kees Cook
---
arch/microblaze/include/asm/seccomp.h | 8 +---
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/arch/microblaze/include/asm/seccomp.h
b/arch/microblaze/include/asm/seccomp.h
index 0d912758a0d7..204618a2ce84 100644
--- a/arch/microblaze/include
Switch to using the newly created asm-generic/seccomp.h for the seccomp
strict mode syscall definitions. Definitions were identical.
Signed-off-by: Kees Cook
---
arch/arm/include/asm/Kbuild| 1 +
arch/arm/include/asm/seccomp.h | 11 ---
2 files changed, 1 insertion(+), 11 deletions
In preparation for moving ET_DYN randomization into the ELF loader (which
requires a static ELF_ET_DYN_BASE), this redefines s390's existing ET_DYN
randomization in a call to arch_mmap_rnd(). This refactoring results in
the same ET_DYN randomization on s390.
Signed-off-by: Kees Cook
---
ly created arch_mmap_rnd() into the
ELF loader for handling ET_DYN ASLR in a separate region from mmap ASLR,
as was already done on s390. Removes CONFIG_BINFMT_ELF_RANDOMIZE_PIE,
which is no longer needed.
Reported-by: Hector Marco-Gisbert
Signed-off-by: Kees Cook
---
arch/arm/Kconfig
On Wed, Mar 4, 2015 at 1:54 PM, Ingo Molnar wrote:
>
> * Kees Cook wrote:
>
>> To address the "offset2lib" ASLR weakness[1], this separates ET_DYN
>> ASLR from mmap ASLR, as already done on s390. The architectures
>> that are already randomizing mmap (arm, a
To address the "offset2lib" ASLR weakness[1], this separates ET_DYN
ASLR from mmap ASLR, as already done on s390. The architectures
that are already randomizing mmap (arm, arm64, mips, powerpc, s390,
and x86), have their various forms of arch_mmap_rnd() made available
via the new CONFIG_ARCH_HAS_EL
(). Additionally introduces CONFIG_ARCH_HAS_ELF_RANDOMIZE
for describing this feature on architectures that support it
(which is a superset of ARCH_BINFMT_ELF_RANDOMIZE_PIE, since s390
already supports a separated ET_DYN ASLR from mmap ASLR without the
ARCH_BINFMT_ELF_RANDOMIZE_PIE logic).
Signed-off-by: Kees
In preparation for splitting out ET_DYN ASLR, this moves the ASLR calculations
for mmap on ARM into a separate routine, similar to x86. This also removes
the redundant check of personality (PF_RANDOMIZE is already set before calling
arch_pick_mmap_layout).
Signed-off-by: Kees Cook
---
arch/arm
On Tue, Mar 3, 2015 at 8:16 PM, Michael Ellerman wrote:
> On Mon, 2015-03-02 at 16:19 -0800, Kees Cook wrote:
>> This fixes the "offset2lib" weakness in ASLR for arm, arm64, mips,
>> powerpc, and x86. The problem is that if there is a leak of ASLR from
>> the execu
In preparation for splitting out ET_DYN ASLR, this refactors the use of
mmap_rnd() to be used similarly to arm and x86.
Signed-off-by: Kees Cook
Acked-by: Michael Ellerman
---
Can mmap ASLR be safely enabled in the legacy mmap case here? Other archs
use "mm->mmap_base = TASK_UNMAP
igned-off-by: Kees Cook
---
arch/Kconfig | 1 +
arch/arm/include/asm/elf.h | 4
arch/arm64/include/asm/elf.h | 4
arch/mips/include/asm/elf.h| 4
arch/powerpc/include/asm/elf.h | 4
arch/s390/include/asm/elf.h| 3 ---
arch/x86/include/asm/