Re: [PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy

2017-04-18 Thread Kees Cook
On Tue, Apr 18, 2017 at 4:24 PM, Mickaël Salaün <m...@digikod.net> wrote: > On 19/04/2017 00:53, Kees Cook wrote: >> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün <m...@digikod.net> wrote: >>> +#ifdef CONFIG_SECCOMP_FILTER >> >> Isn't CONFIG_SECCOMP_FIL

Re: [PATCH net-next v6 05/11] seccomp: Split put_seccomp_filter() with put_seccomp()

2017-04-18 Thread Kees Cook
On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün <m...@digikod.net> wrote: > The semantic is unchanged. This will be useful for the Landlock > integration with seccomp (next commit). > > Signed-off-by: Mickaël Salaün <m...@digikod.net> > Cc: Kees Cook <keesc...@chrom

Re: [PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy

2017-04-18 Thread Kees Cook
ure) > * add an early check to exit as soon as possible if the current process > does not have Landlock rules > > Changes since v3: > * remove the hard link with seccomp (suggested by Andy Lutomirski and > Kees Cook): > * remove the cookie which could imply multiple evaluatio

Re: [PATCH net-next v6 10/11] bpf,landlock: Add tests for Landlock

2017-04-18 Thread Kees Cook
anup and rebase > > Signed-off-by: Mickaël Salaün <m...@digikod.net> > Cc: Alexei Starovoitov <a...@kernel.org> > Cc: Andy Lutomirski <l...@amacapital.net> > Cc: Daniel Borkmann <dan...@iogearbox.net> > Cc: David S. Miller <da...@davemloft.net> > Cc

Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem

2017-04-18 Thread Kees Cook
On Tue, Apr 18, 2017 at 4:16 PM, Casey Schaufler <ca...@schaufler-ca.com> wrote: > On 4/18/2017 3:44 PM, Mickaël Salaün wrote: >> On 19/04/2017 00:17, Kees Cook wrote: >>> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün <m...@digikod.net> wrote: >>>

Re: [PATCH net-next v6 00/11] Landlock LSM: Toward unprivileged sandboxing

2017-04-18 Thread Kees Cook
ng seccomp uses, in which case I'm less inclined to kick landlock out of seccomp.c. :) Looks like it's coming along nicely! Thanks for continuing to work on this! -Kees -- Kees Cook Pixel Security

Re: [PATCH net-next v6 10/11] bpf,landlock: Add tests for Landlock

2017-04-18 Thread Kees Cook
On Tue, Apr 18, 2017 at 4:53 PM, Mickaël Salaün <m...@digikod.net> wrote: > On 19/04/2017 01:16, Kees Cook wrote: >> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün <m...@digikod.net> wrote: >>> --- /dev/null >>> +++ b/tools/testing/selftests/landlock/Ma

Re: [PATCH net-next v6 09/11] seccomp: Enhance test_harness with an assert step mechanism

2017-04-18 Thread Kees Cook
d-off-by: Mickaël Salaün <m...@digikod.net> > Cc: Andy Lutomirski <l...@amacapital.net> > Cc: Arnaldo Carvalho de Melo <a...@kernel.org> > Cc: Kees Cook <keesc...@chromium.org> > Cc: Shuah Khan <sh...@kernel.org> > Cc: Will Drewry <w...@chromium.org

Re: [PATCH] drivers/net/wan/z85230.c: Use designated initializers

2017-08-01 Thread Kees Cook
On Tue, Aug 1, 2017 at 3:29 PM, David Miller <da...@davemloft.net> wrote: > From: Kees Cook <keesc...@chromium.org> > Date: Sun, 30 Jul 2017 18:31:17 -0700 > >> In preparation for the randstruct gcc plugin performing randomization of >> structures that ar

Re: [PATCH 1/4] MIPS/seccomp: Fix indirect syscall args

2017-08-11 Thread Kees Cook
__secure_computing() access to syscall > arguments.") > Signed-off-by: James Hogan <james.ho...@imgtec.com> > Cc: Ralf Baechle <r...@linux-mips.org> > Cc: David Daney <david.da...@cavium.com> > Cc: Kees Cook <keesc...@chromium.org> > Cc: Andy Lu

Re: [PATCH v2] arm: eBPF JIT compiler

2017-07-06 Thread Kees Cook
> I just need a good machine. I've got all this set up now, and it faults during the test: Unable to handle kernel NULL pointer dereference at virtual address 0008 ... CPU: 0 PID: 1922 Comm: test_progs Not tainted 4.12.0+ #60 ... PC is at __htab_map_lookup_elem+0x54/0x1f4 I'll see if I can send you this disk image... -Kees -- Kees Cook Pixel Security

Re: [PATCH v2] arm: eBPF JIT compiler

2017-07-05 Thread Kees Cook
Russell, can you > please help with sending this patch to ARM patch tracker? If some other folks can Ack this, I can throw it at the patch tracker for you. I'll report back on my findings. -Kees -- Kees Cook Pixel Security

Re: [PATCH v2] arm: eBPF JIT compiler

2017-07-05 Thread Kees Cook
On Wed, Jul 5, 2017 at 3:11 PM, Kees Cook <keesc...@chromium.org> wrote: > On Fri, Jun 23, 2017 at 3:39 PM, Shubham Bansal > <illusionist@gmail.com> wrote: >> Hi Russell,Daniel and Kees, >> >> I am attaching the latest patch with this mail. It included supp

[PATCH] drivers/net/wan/z85230.c: Use designated initializers

2017-07-30 Thread Kees Cook
In preparation for the randstruct gcc plugin performing randomization of structures that are entirely function pointers, use designated initializers so the compiler doesn't get angry. Reported-by: kbuild test robot <fengguang...@intel.com> Signed-off-by: Kees Cook <keesc...@chr

Re: [PATCH] ipx: call ipxitf_put() in ioctl error path

2017-05-02 Thread Kees Cook
equire a configured interface, it would be mitigated with module autoload blocking: https://lkml.org/lkml/2017/4/19/1088 (Yes, yes, I know both are still being worked on, but this is a good example to show another case where they'd have been useful.) -Kees -- Kees Cook Pixel Security

Re: arch: arm: bpf: Converting cBPF to eBPF for arm 32 bit

2017-05-11 Thread Kees Cook
w before I send the > patch. I'd say send what you have right now, as it's a good starting point for future work. I'll be curious to see the benchmarks, etc. It can be a base for further optimization. Thanks for chipping away at this! -Kees -- Kees Cook Pixel Security

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-15 Thread Kees Cook
ded system-wide as we can't allow >> module loading per-ns. To validate the behavior I was comparing it >> with insmod/modprobe, if that doesn't allow because of lack of this >> capability in default-ns, then this *indirect* method of loading >> module should not allow the same action and the behavior should be >> consistent. So with that logic if userspace asks for a random >> char-device if insmod/modprobe cannot load it, then this method should >> not load it either for the consistency, right? > > > This patch will break applications that expected modules being auto loaded. I would prefer that we continue to look at the autoloading restrictions series, since that will be more flexible and cover a wider set of cases: https://lkml.org/lkml/2017/4/19/1086 -Kees -- Kees Cook Pixel Security

Re: arch: arm: bpf: Converting cBPF to eBPF for arm 32 bit

2017-05-15 Thread Kees Cook
after code refactoring. Thanks for all the help > you guys. I really really appreciate it. > > Special thanks to Kees and Daniel. :) > > Best, > Shubham Bansal > > > On Thu, May 11, 2017 at 9:00 PM, Kees Cook <keesc...@chromium.org> wrote: >> On Thu, May 11

[PATCH] libertas: Remove function entry/exit debugging

2017-05-15 Thread Kees Cook
In at least one place, the enter/exit debugging was not being correctly matched. Based on mailing list feedback, it was desired to drop all of these in favor of using ftrace instead. Suggested-by: Joe Perches <j...@perches.com> Suggested-by: Kalle Valo <kv...@codeaurora.org> Signed-

[PATCH v3] libertas: Avoid reading past end of buffer

2017-05-15 Thread Kees Cook
not leak rodata contents. Additionally adjust indentation to keep checkpatch.pl happy. This was found with the future CONFIG_FORTIFY_SOURCE feature. Cc: Daniel Micay <danielmi...@gmail.com> Signed-off-by: Kees Cook <keesc...@chromium.org> --- v3: - drop needless "*"; joe - fix

[PATCH] libertas: Avoid reading past end of buffer

2017-05-09 Thread Kees Cook
. This was found with the future CONFIG_FORTIFY_SOURCE feature. Cc: Daniel Micay <danielmi...@gmail.com> Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/net/wireless/marvell/libertas/mesh.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/

Re: [PATCH] libertas: Avoid reading past end of buffer

2017-05-10 Thread Kees Cook
On Tue, May 9, 2017 at 9:33 PM, Joe Perches <j...@perches.com> wrote: > On Tue, 2017-05-09 at 16:23 -0700, Kees Cook wrote: >> Using memcpy() from a string that is shorter than the length copied means >> the destination buffer is being filled with arbitrary data from the ker

[PATCH] libertas: Avoid reading past end of buffer

2017-05-10 Thread Kees Cook
not leak rodata contents. Additionally adjust indentation to keep checkpatch.pl happy. This was found with the future CONFIG_FORTIFY_SOURCE feature. Cc: Daniel Micay <danielmi...@gmail.com> Signed-off-by: Kees Cook <keesc...@chromium.org> --- v2: use ETH_GSTRING_LEN; joe --- drivers/

Re: arch: arm: bpf: Converting cBPF to eBPF for arm 32 bit

2017-05-22 Thread Kees Cook
e this, so I'd suggest ignoring this config for now unless you can find someone with that hardware that you can work with to test it. In the case of CONFIG_FRAME_POINTER, I assume you built a THUMB2_KERNEL? I'd read the notes in arch/arm/Kconfig.debug for 'config FRAME_POINTER'. -Kees -- Kees Cook Pixel Security

Re: [PATCH v4 next 2/3] modules:capabilities: automatic module loading restriction

2017-05-22 Thread Kees Cook
lid */ > + if (capable(CAP_SYS_MODULE) || > + (allow_cap > 0 && capable(allow_cap))) With the allow_cap check already happening in my suggestion for __request_module(), it's not needed here. (In fact, it's not even really needed to plumb this into the hook, I don't think? Regardless, I remain a fan. :) -Kees -- Kees Cook Pixel Security
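Review bot: The `allow_cap > 0` guard in the second added line treats capability 0 as "no capability", but 0 is a valid capability number (CAP_CHOWN), so a caller passing it would be silently ignored. If a negative value is meant as the "none" sentinel, test `allow_cap >= 0` or use cap_valid(allow_cap), and document the convention next to the parameter.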

Re: arch: arm: bpf: Converting cBPF to eBPF for arm 32 bit

2017-05-22 Thread Kees Cook
suffered, and that's mainly the const blinding, I assume. Please post your current patch. Thanks for this! -Kees -- Kees Cook Pixel Security #0 TAX interp: 757 645 650 jitted: 234 171 195 30.9% 26.5% 30.0% harden: 239 218 229

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-05-22 Thread Kees Cook
ntly the only user of > security_kernel_module_request() hook. > > Based on patch by Rusty Russell: > https://lkml.org/lkml/2017/4/26/735 > > Cc: Serge Hallyn <se...@hallyn.com> > Cc: Andy Lutomirski <l...@kernel.org> > Suggested-by: Rusty Russell <ru...@rustcorp

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Kees Cook
g user process memory. Here, it's CAP_SYS_MODULE... it's hard to imagine the situation where a CAP_SYS_MODULE-capable process could write to this sysctl but NOT issue direct modprobe requests, but it's _possible_ via crazy symlink games to trick capable processes into writing to sysctls. We've seen this multiple times before, and it's a way for attackers to turn a single privileged write into a privileged exec. I might turn the question around, though: why would we want to have it changeable at this setting? I'm fine leaving that piece off, either way. -Kees -- Kees Cook Pixel Security

Re: arch: arm: bpf: Converting cBPF to eBPF for arm 32 bit

2017-05-22 Thread Kees Cook
p-watchdogs.txt You can raise the softlockup time-out by changing the number of seconds here: /proc/sys/kernel/watchdog_thresh I think the softlockup is counting the entire runtime of the bpf_tests run, so if it takes 30 seconds to run, put at least 15 into /proc/sys/kernel/watchdog_thresh -Kees -- Kees Cook Pixel Security

Re: arch: arm: bpf: Converting cBPF to eBPF for arm 32 bit

2017-05-22 Thread Kees Cook
make sure people know it's not considered fully done. :) -Kees -- Kees Cook Pixel Security

Re: [PATCH 0/5] atm: Adjustments for some function implementations

2017-05-22 Thread Kees Cook
seq_putc() in lec_info() > > net/atm/lec.c | 55 +++ > 1 file changed, 27 insertions(+), 28 deletions(-) These all look fine to me. Thanks! Reviewed-by: Kees Cook <keesc...@chromium.org> -Kees -- Kees Cook Pixel Security

Re: arch: arm: bpf: Converting cBPF to eBPF for arm 32 bit

2017-05-22 Thread Kees Cook
On Mon, May 22, 2017 at 10:03 PM, Shubham Bansal <illusionist@gmail.com> wrote: > On Tue, May 23, 2017 at 9:52 AM, Kees Cook <keesc...@chromium.org> wrote: >> On Mon, May 22, 2017 at 8:34 PM, Shubham Bansal >> <illusionist@gmail.com> wrote: >>>

Re: arch: arm: bpf: Converting cBPF to eBPF for arm 32 bit

2017-05-23 Thread Kees Cook
all land at the same time. Any thoughts on this Daniel? -Kees -- Kees Cook Pixel Security

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-05-23 Thread Kees Cook
On Tue, May 23, 2017 at 3:29 AM, Djalal Harouni <tix...@gmail.com> wrote: > On Tue, May 23, 2017 at 12:20 AM, Kees Cook <keesc...@chromium.org> wrote: >> On Mon, May 22, 2017 at 4:57 AM, Djalal Harouni <tix...@gmail.com> wrote: >>> This is a preparation patch

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-23 Thread Kees Cook
e systems start implementing CONFIG_STATIC_USERMODEHELPER and kernel.modprobe becomes read-only (though the userspace implementation may allow for some way to disable it, etc). I just like avoiding the upcall to modprobe at all. -Kees -- Kees Cook Pixel Security

Re: [PATCH] nfc: Fix the sockaddr length sanitization in llcp_sock_connect

2017-05-24 Thread Kees Cook
disclosure of up to ~70 uninitialized bytes from the kernel stack to > user-mode clients capable of creating AFC_NFC sockets. > > Signed-off-by: Mateusz Jurczyk <mjurc...@google.com> Acked-by: Kees Cook <keesc...@chromium.org> -Kees > --- > net/nfc/llcp_sock.c | 3 +--

Re: [PATCH] nfc: Ensure presence of required attributes in the activate_target netlink handler

2017-05-24 Thread Kees Cook
unhandled NULL pointer > dereference exceptions which can be triggered by malicious user-mode > programs, if they omit one or both of these attributes. > > Signed-off-by: Mateusz Jurczyk <mjurc...@google.com> Acked-by: Kees Cook <keesc...@chromium.org> -Kees > --- > ne

Re: [PATCH v2 08/20] randstruct: Whitelist NIU struct page overloading

2017-05-28 Thread Kees Cook
On Sun, May 28, 2017 at 1:15 AM, Christoph Hellwig <h...@infradead.org> wrote: > On Fri, May 26, 2017 at 01:17:12PM -0700, Kees Cook wrote: >> The NIU ethernet driver intentionally stores a page struct pointer on >> top of the "mapping" field. Whitelist this case:

Re: [PATCH v2 08/20] randstruct: Whitelist NIU struct page overloading

2017-05-28 Thread Kees Cook
[trying again with correct linux-mm address...] On Sun, May 28, 2017 at 1:15 AM, Christoph Hellwig <h...@infradead.org> wrote: > On Fri, May 26, 2017 at 01:17:12PM -0700, Kees Cook wrote: >> The NIU ethernet driver intentionally stores a page struct pointer on >> top o

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Kees Cook
be > we already have this. Otherwise, tightening caps needed for implicit > loads should just be a normal yes/no setting IMO. Yup, /proc/sys/kernel/modules_disabled already does this. -- Kees Cook Pixel Security

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-06-01 Thread Kees Cook
oload logic in the following patches. That way the "infrastructure" changes happen separately and do not change any behaviors, but moves the caps test down where it's wanted in the LSM, before then augmenting the logic. > I just need a bit of free time to check again everything and will send > a v5 with all requested changes. Great, thank you! -Kees -- Kees Cook Pixel Security

Re: [PATCH v2] arm: eBPF JIT compiler

2017-06-11 Thread Kees Cook
bably go in via the ARM patch tracker? Russell does that sound okay to you? -Kees -- Kees Cook Pixel Security

Re: [PATCH 0/6] Constant Time Memory Comparisons Are Important

2017-06-11 Thread Kees Cook
leak timing information, >> which could then be used to iteratively forge a MAC. > > Do you have any pointers where I could learn more about this? While not using C specifically, this talks about the problem generally: https://www.chosenplaintext.ca/articles/beginners-guide-constant-time-cryptography.html -Kees -- Kees Cook Pixel Security

[PATCH] DECnet: Use container_of() for embedded struct

2017-05-08 Thread Kees Cook
Instead of a direct cross-type cast, use container_of() to locate the embedded structure, even in the face of future struct layout randomization. Signed-off-by: Kees Cook <keesc...@chromium.org> --- net/decnet/dn_neigh.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-)

[PATCH] bna: Avoid reading past end of buffer

2017-05-05 Thread Kees Cook
. Cc: Daniel Micay <danielmi...@gmail.com> Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/net/ethernet/brocade/bna/bfa_ioc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/brocade/bna/bfa_ioc.c b/drivers/net/ethernet/brocade/b

[PATCH] qlge: Avoid reading past end of buffer

2017-05-05 Thread Kees Cook
. Cc: Daniel Micay <danielmi...@gmail.com> Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/net/ethernet/qlogic/qlge/qlge_dbg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c b/drivers/net/ethernet

[PATCH] bna: ethtool: Avoid reading past end of buffer

2017-05-05 Thread Kees Cook
. Cc: Daniel Micay <danielmi...@gmail.com> Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/net/ethernet/brocade/bna/bnad_ethtool.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c b/drivers/net/ethernet

[PATCH] ray_cs: Avoid reading past end of buffer

2017-05-05 Thread Kees Cook
. This was found with the future CONFIG_FORTIFY_SOURCE feature. Cc: Daniel Micay <danielmi...@gmail.com> Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/net/wireless/ray_cs.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireles

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-05-30 Thread Kees Cook
On Wed, May 24, 2017 at 7:16 AM, Djalal Harouni <tix...@gmail.com> wrote: > On Tue, May 23, 2017 at 9:19 PM, Kees Cook <keesc...@google.com> wrote: >> On Tue, May 23, 2017 at 3:29 AM, Djalal Harouni <tix...@gmail.com> wrote: >> Even in the existing code, the

Re: [PATCH v2] arm: eBPF JIT compiler

2017-05-30 Thread Kees Cook
Forwarding this to net-dev and eBPF folks, who weren't on CC... -Kees On Thu, May 25, 2017 at 4:13 PM, Shubham Bansal wrote: > The JIT compiler emits ARM 32 bit instructions. Currently, It supports > eBPF only. Classic BPF is supported because of the conversion by BPF

[PATCH v3 22/31] sctp: Copy struct sctp_sock.autoclose to userspace using put_user()

2017-09-20 Thread Kees Cook
t commit log] Cc: Vlad Yasevich <vyasev...@gmail.com> Cc: Neil Horman <nhor...@tuxdriver.com> Cc: "David S. Miller" <da...@davemloft.net> Cc: linux-s...@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- net/sctp/sock

[PATCH v3 30/31] usercopy: Restrict non-usercopy caches to size 0

2017-09-20 Thread Kees Cook
ter <c...@linux.com> Cc: Pekka Enberg <penb...@kernel.org> Cc: David Rientjes <rient...@google.com> Cc: Joonsoo Kim <iamjoonsoo@lge.com> Cc: Andrew Morton <a...@linux-foundation.org> Cc: linux...@kvack.org Signed-off-by: Kees Cook <keesc...@chromium.org> ---

[PATCH v3 14/31] vxfs: Define usercopy region in vxfs_inode slab cache

2017-09-20 Thread Kees Cook
anding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. Signed-off-by: David Windsor <d...@nullcore.net> [kees: adjust commit log, provide usage trace] Cc: Christoph Hellwig <h...@infradead.org> Signed-off-by: Kees Cook

[PATCH v3 20/31] caif: Define usercopy region in caif proto slab cache

2017-09-20 Thread Kees Cook
igned-off-by: David Windsor <d...@nullcore.net> [kees: split from network patch, provide usage trace] Cc: "David S. Miller" <da...@davemloft.net> Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- net/caif/caif_socket.c | 2 ++ 1 file changed, 2

[PATCH v3 06/31] vfs: Copy struct mount.mnt_id to userspace using put_user()

2017-09-20 Thread Kees Cook
t commit log] Cc: Alexander Viro <v...@zeniv.linux.org.uk> Cc: linux-fsde...@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- fs/fhandle.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/fhandle.c b/fs/fhandle.c index 58a61f55e0d0..46e0

[PATCH v3 05/31] vfs: Define usercopy region in names_cache slab caches

2017-09-20 Thread Kees Cook
x.org.uk> Cc: linux-fsde...@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- fs/dcache.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/dcache.c b/fs/dcache.c index 5f5e7c1fcf4b..34ef9a9169be 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -3642,8 +3642,8 @@

[PATCH v3 09/31] jfs: Define usercopy region in jfs_ip slab cache

2017-09-20 Thread Kees Cook
ommit log, provide usage trace] Cc: Dave Kleikamp <sha...@kernel.org> Cc: jfs-discuss...@lists.sourceforge.net Signed-off-by: Kees Cook <keesc...@chromium.org> --- fs/jfs/super.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/fs/jfs/super.c b/fs/jfs/super.c ind

[PATCH v3 18/31] net: Define usercopy region in struct proto slab cache

2017-09-20 Thread Kees Cook
ll-whitelist] Cc: "David S. Miller" <da...@davemloft.net> Cc: Eric Dumazet <eduma...@google.com> Cc: Paolo Abeni <pab...@redhat.com> Cc: David Howells <dhowe...@redhat.com> Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- include

[PATCH v3 16/31] cifs: Define usercopy region in cifs_request slab cache

2017-09-20 Thread Kees Cook
sor <d...@nullcore.net> [kees: adjust commit log, provide usage trace] Cc: Steve French <sfre...@samba.org> Cc: linux-c...@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- I wasn't able to actually track down the _usage_ of the cifs_request where it is copied to userspace.

[PATCH v3 01/31] usercopy: Prepare for usercopy whitelisting

2017-09-20 Thread Kees Cook
oo Kim <iamjoonsoo@lge.com> Cc: Andrew Morton <a...@linux-foundation.org> Cc: linux...@kvack.org Cc: linux-...@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- include/linux/slab.h | 27 +-- include/linux/slab_def.h | 3 +++

[PATCH v3 02/31] usercopy: Enforce slab cache usercopy region boundaries

2017-09-20 Thread Kees Cook
bbott <labb...@redhat.com> Cc: Ingo Molnar <mi...@kernel.org> Cc: Mark Rutland <mark.rutl...@arm.com> Cc: linux...@kvack.org Cc: linux-...@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- mm/slab.c | 16 +++- mm/slub.c | 18 ++

[PATCH v3 27/31] x86: Implement thread_struct whitelist for hardened usercopy

2017-09-20 Thread Kees Cook
l.org Cc: Borislav Petkov <b...@suse.de> Cc: Andy Lutomirski <l...@kernel.org> Cc: Mathias Krause <mini...@googlemail.com> Signed-off-by: Kees Cook <keesc...@chromium.org> Acked-by: Rik van Riel <r...@redhat.com> --- arch/x86/Kconfig | 1 + arch/x86/include/a

[PATCH v3 00/31] Hardened usercopy whitelisting

2017-09-20 Thread Kees Cook
v3: - added LKDTM update patch - downgrade BUGs to WARNs and fail closed - add Acks/Reviews from v2 v2: - added tracing of allocation and usage - refactored solutions for task_struct - split up network patches for readability I intend for this to land via my usercopy hardening tree, so Acks,

[PATCH v3 07/31] ext4: Define usercopy region in ext4_inode_cache slab cache

2017-09-20 Thread Kees Cook
-by: David Windsor <d...@nullcore.net> [kees: adjust commit log, provide usage trace] Cc: "Theodore Ts'o" <ty...@mit.edu> Cc: Andreas Dilger <adilger.ker...@dilger.ca> Cc: linux-e...@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- fs/ext4/sup

[PATCH v3 08/31] ext2: Define usercopy region in ext2_inode_cache slab cache

2017-09-20 Thread Kees Cook
: David Windsor <d...@nullcore.net> [kees: adjust commit log, provide usage trace] Cc: Jan Kara <j...@suse.com> Cc: linux-e...@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> Acked-by: Jan Kara <j...@suse.cz> --- fs/ext2/super.c | 12 +++- 1 file changed, 7

[PATCH v3 15/31] xfs: Define usercopy region in xfs_inode slab cache

2017-09-20 Thread Kees Cook
id Windsor <d...@nullcore.net> [kees: adjust commit log, provide usage trace] Cc: "Darrick J. Wong" <darrick.w...@oracle.com> Cc: linux-...@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> Reviewed-by: Darrick J. Wong <darrick.w...@oracle.com> ---

[PATCH v3 24/31] fork: Define usercopy region in mm_struct slab caches

2017-09-20 Thread Kees Cook
lit patch, provide usage trace] Cc: Ingo Molnar <mi...@kernel.org> Cc: Andrew Morton <a...@linux-foundation.org> Cc: Thomas Gleixner <t...@linutronix.de> Cc: Andy Lutomirski <l...@kernel.org> Signed-off-by: Kees Cook <keesc...@chromium.org> Acked-by: Rik van Riel <r

[PATCH v3 23/31] net: Restrict unwhitelisted proto caches to size 0

2017-09-20 Thread Kees Cook
> Cc: David Howells <dhowe...@redhat.com> Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- net/core/sock.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/net/core/sock.c b/net/core/sock.c index 832dfb03102e..84cd0b362a02 100644 --

[PATCH v3 04/31] dcache: Define usercopy region in dentry_cache slab cache

2017-09-20 Thread Kees Cook
Cc: Alexander Viro <v...@zeniv.linux.org.uk> Cc: linux-fsde...@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- fs/dcache.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/dcache.c b/fs/dcache.c index f90141387f01..5f5e7c1fcf4b 100644 --- a/fs/dcache.c +++

[PATCH v3 03/31] usercopy: Mark kmalloc caches as usercopy caches

2017-09-20 Thread Kees Cook
om> Cc: Andrew Morton <a...@linux-foundation.org> Cc: linux...@kvack.org Cc: linux-...@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- mm/slab.c| 3 ++- mm/slab.h| 3 ++- mm/slab_common.c | 10 ++ 3 files changed, 10 insertions(+), 6

[PATCH v3 21/31] sctp: Define usercopy region in SCTP proto slab cache

2017-09-20 Thread Kees Cook
net> Cc: linux-s...@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- include/net/sctp/structs.h | 9 +++-- net/sctp/socket.c | 4 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/include/net/sctp/structs.h b/incl

[PATCH v3 19/31] ip: Define usercopy region in IP proto slab cache

2017-09-20 Thread Kees Cook
riginal grsecurity/PaX code. Signed-off-by: David Windsor <d...@nullcore.net> [kees: split from network patch, provide usage trace] Cc: "David S. Miller" <da...@davemloft.net> Cc: Alexey Kuznetsov <kuz...@ms2.inr.ac.ru> Cc: Hideaki YOSHIFUJI <yoshf...@linux-ipv6.or

Re: [PATCH v3 14/31] vxfs: Define usercopy region in vxfs_inode slab cache

2017-09-20 Thread Kees Cook
0-patch timer_list series. ;) Do you want me to resend the full series to you, or would you prefer something else like a patchwork bundle? (I'll explicitly add you to CC for any future versions, though.) -Kees -- Kees Cook Pixel Security

[PATCH v3 11/31] exofs: Define usercopy region in exofs_inode_cache slab cache

2017-09-20 Thread Kees Cook
the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. Signed-off-by: David Windsor <d...@nullcore.net> [kees: adjust commit log, provide usage trace] Cc: Boaz Harrosh <o...@electrozaur.com> Signed-off-by: Kees Cook <keesc...@chromi

[PATCH v3 13/31] ufs: Define usercopy region in ufs_inode_cache slab cache

2017-09-20 Thread Kees Cook
[kees: adjust commit log, provide usage trace] Cc: Evgeniy Dushistov <dushis...@mail.ru> Signed-off-by: Kees Cook <keesc...@chromium.org> --- fs/ufs/super.c | 13 - 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/fs/ufs/super.c b/fs/ufs/super.c index 6440003f8d

[PATCH v3 12/31] orangefs: Define usercopy region in orangefs_inode_cache slab cache

2017-09-20 Thread Kees Cook
ty/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. Signed-off-by: David Windsor <d...@nullcore.net> [kees: adjust commit log, provide usage trace] Cc: Mike Marshall <hub...@omnibond.com> S

[PATCH v3 10/31] befs: Define usercopy region in befs_inode_cache slab cache

2017-09-20 Thread Kees Cook
provide usage trace] Cc: Luis de Bethencourt <lui...@kernel.org> Cc: Salah Triki <salah.tr...@gmail.com> Signed-off-by: Kees Cook <keesc...@chromium.org> Acked-by: Luis de Bethencourt <lui...@kernel.org> --- fs/befs/linuxvfs.c | 14 +- 1 file changed, 9 insertio

[PATCH v3 25/31] fork: Define usercopy region in thread_stack slab caches

2017-09-20 Thread Kees Cook
ndrew Morton <a...@linux-foundation.org> Cc: Thomas Gleixner <t...@linutronix.de> Cc: Andy Lutomirski <l...@kernel.org> Signed-off-by: Kees Cook <keesc...@chromium.org> Acked-by: Rik van Riel <r...@redhat.com> --- I wasn't able to test this, so anyone with a system that can try

[PATCH v3 17/31] scsi: Define usercopy region in scsi_sense_cache slab cache

2017-09-20 Thread Kees Cook
n.peter...@oracle.com> Cc: linux-s...@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/scsi/scsi_lib.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 9cf6a80fe297..88bfab251693 1006

[PATCH v3 26/31] fork: Provide usercopy whitelisting for task_struct

2017-09-20 Thread Kees Cook
Andrew Morton <a...@linux-foundation.org> Cc: Nicholas Piggin <npig...@gmail.com> Cc: Laura Abbott <labb...@redhat.com> Cc: "Mickaël Salaün" <m...@digikod.net> Cc: Ingo Molnar <mi...@kernel.org> Cc: Thomas Gleixner <t...@linutronix.de> Cc: Andy Lutomirs

[PATCH v3 28/31] arm64: Implement thread_struct whitelist for hardened usercopy

2017-09-20 Thread Kees Cook
c: Ingo Molnar <mi...@kernel.org> Cc: James Morse <james.mo...@arm.com> Cc: "Peter Zijlstra (Intel)" <pet...@infradead.org> Cc: Dave Martin <dave.mar...@arm.com> Cc: zijun_hu <zijun...@htc.com> Cc: linux-arm-ker...@lists.infradead.org Signed-off-by:

[PATCH v3 29/31] arm: Implement thread_struct whitelist for hardened usercopy

2017-09-20 Thread Kees Cook
..@infradead.org> Cc: linux-arm-ker...@lists.infradead.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- arch/arm/Kconfig | 1 + arch/arm/include/asm/processor.h | 7 +++ 2 files changed, 8 insertions(+) diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index 7888

[PATCH v3 31/31] lkdtm: Update usercopy tests for whitelisting

2017-09-20 Thread Kees Cook
This updates the USERCOPY_HEAP_FLAG_* tests to USERCOPY_HEAP_WHITELIST_*, since the final form of usercopy whitelisting ended up using an offset/size window instead of the earlier proposed allocation flags. Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/misc/lkdtm.h

Re: [kernel-hardening] Re: [PATCH v3 03/31] usercopy: Mark kmalloc caches as usercopy caches

2017-09-21 Thread Kees Cook
On Thu, Sep 21, 2017 at 8:27 AM, Christopher Lameter <c...@linux.com> wrote: > On Wed, 20 Sep 2017, Kees Cook wrote: > >> --- a/mm/slab.c >> +++ b/mm/slab.c >> @@ -1291,7 +1291,8 @@ void __init kmem_cache_init(void) >>*/ >> kmalloc

[PATCH v2 25/31] net/atm/mpc: Use separate static data field with with static timer

2017-09-20 Thread Kees Cook
"Reshetova, Elena" <elena.reshet...@intel.com> Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- net/atm/mpc.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/atm/mpc.c b/net/atm/mpc.c index 63138c8c2269..3b59a053b7cb 10064

[PATCH v2 13/31] timer: Remove meaningless .data/.function assignments

2017-09-20 Thread Kees Cook
p.com> Cc: Ganesh Krishna <ganesh.kris...@microchip.com> Cc: Greg Kroah-Hartman <gre...@linuxfoundation.org> Cc: Jens Axboe <ax...@fb.com> Cc: netdev@vger.kernel.org Cc: linux-wirel...@vger.kernel.org Cc: de...@driverdev.osuosl.org Signed-off-by: Kees Cook <keesc...@chromium.

[PATCH v2 19/31] timer: Remove open-coded casts for .data and .function

2017-09-20 Thread Kees Cook
ev@vger.kernel.org Cc: linux-s...@vger.kernel.org Cc: linuxppc-...@lists.ozlabs.org Signed-off-by: Kees Cook <keesc...@chromium.org> Acked-by: Tyrel Datwyler <tyr...@linux.vnet.ibm.com> # for ibmvscsi --- drivers/scsi/ibmvscsi/ibmvfc.c | 14 ++ drivers/scsi/ibmvscsi/ibmvscsi.c

[PATCH v2 31/31] timer: Switch to testing for .function instead of .data

2017-09-20 Thread Kees Cook
<hal.rosenst...@gmail.com> Cc: Dmitry Torokhov <dmitry.torok...@gmail.com> Cc: Jeff Kirsher <jeffrey.t.kirs...@intel.com> Cc: linux...@vger.kernel.org Cc: linux-r...@vger.kernel.org Cc: linux-in...@vger.kernel.org Cc: intel-wired-...@lists.osuosl.org Cc: netdev@vger.kernel.org Signed-off-b

[PATCH v2 20/31] net/core: Collapse redundant sk_timer callback data assignments

2017-09-20 Thread Kees Cook
...@google.com> Cc: Paolo Abeni <pab...@redhat.com> Cc: David Howells <dhowe...@redhat.com> Cc: Colin Ian King <colin.k...@canonical.com> Cc: Ingo Molnar <mi...@kernel.org> Cc: linzhang <xiaolou4...@gmail.com> Cc: netdev@vger.kernel.org Cc: linux-h...@vger.kernel.o

[PATCH v2 30/31] appletalk: Remove unneeded synchronization

2017-09-20 Thread Kees Cook
. Cc: David Howells <dhowe...@redhat.com> Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/net/appletalk/ltpc.c | 6 -- 1 file changed, 6 deletions(-) diff --git a/drivers/net/appletalk/ltpc.c b/drivers/net/appletalk/ltpc.c index e4aa374caa4d..

Re: [kernel-hardening] Re: [PATCH v3 03/31] usercopy: Mark kmalloc caches as usercopy caches

2017-09-21 Thread Kees Cook
On Thu, Sep 21, 2017 at 9:04 AM, Christopher Lameter <c...@linux.com> wrote: > On Thu, 21 Sep 2017, Kees Cook wrote: > >> > So what is the point of this patch? >> >> The DMA kmalloc caches are not whitelisted: > > The DMA kmalloc caches are pretty obsolete

[PATCH] net/decnet: Convert timers to use timer_setup()

2017-10-04 Thread Kees Cook
> Cc: David Ahern <d...@cumulusnetworks.com> Cc: linux-decnet-u...@lists.sourceforge.net Cc: netdev@vger.kernel.org Cc: Thomas Gleixner <t...@linutronix.de> Signed-off-by: Kees Cook <keesc...@chromium.org> --- This requires commit 686fef928bba ("timer: Prepare to chang

[PATCH] net/rose: Convert timers to use timer_setup()

2017-10-04 Thread Kees Cook
ft.net> Cc: linux-h...@vger.kernel.org Cc: netdev@vger.kernel.org Cc: Thomas Gleixner <t...@linutronix.de> Signed-off-by: Kees Cook <keesc...@chromium.org> --- This requires commit 686fef928bba ("timer: Prepare to change timer callback argument type") in v4.14-rc3, but should be ot

[PATCH] net/lapb: Convert timers to use timer_setup()

2017-10-04 Thread Kees Cook
com> Cc: "Reshetova, Elena" <elena.reshet...@intel.com> Cc: linux-...@vger.kernel.org Cc: netdev@vger.kernel.org Cc: Thomas Gleixner <t...@linutronix.de> Signed-off-by: Kees Cook <keesc...@chromium.org> --- This requires commit 686fef928bba ("timer: Prepare to change

[PATCH] net/irda/bfin_sir: Convert timers to use timer_setup()

2017-10-04 Thread Kees Cook
tronix.de> Signed-off-by: Kees Cook <keesc...@chromium.org> --- This requires commit 686fef928bba ("timer: Prepare to change timer callback argument type") in v4.14-rc3, but should be otherwise stand-alone. --- drivers/staging/irda/drivers/bfin_sir.c | 12 +++- 1 file

[PATCH 13/13] workqueue: Convert callback to use from_timer()

2017-10-04 Thread Kees Cook
In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch workqueue to use from_timer() and pass the timer pointer explicitly. Cc: Tejun Heo <t...@kernel.org> Cc: Lai Jiangshan <jiangshan...@gmail.com> Signed-off-by: Kees Cook <keesc.

[PATCH 04/13] timer: Remove init_timer_pinned() in favor of timer_setup()

2017-10-04 Thread Kees Cook
This refactors the only users of init_timer_pinned() to use the new timer_setup() and from_timer(). Drops the definition of init_timer_pinned(). Cc: Chris Metcalf <cmetc...@mellanox.com> Cc: Thomas Gleixner <t...@linutronix.de> Cc: netdev@vger.kernel.org Signed-off-by: Kees

[PATCH 00/13] timer: Start conversion to timer_setup()

2017-10-04 Thread Kees Cook
Hi, This is the first of many timer infrastructure cleanups to simplify the timer API[1]. All of these patches are expected to land via the timer tree, so Acks (or corrections) appreciated. These patches refactor various users of timer API that are NOT just using init_timer() or setup_timer()

[PATCH 03/13] timer: Remove init_timer_on_stack() in favor of timer_setup_on_stack()

2017-10-04 Thread Kees Cook
<m...@sgi.com> Cc: "James E.J. Bottomley" <j...@linux.vnet.ibm.com> Cc: "Martin K. Petersen" <martin.peter...@oracle.com> Cc: Thomas Gleixner <t...@linutronix.de> Cc: linux...@vger.kernel.org Cc: linux1394-de...@lists.sourceforge.net Cc: linux-s...@vger.kernel.

[PATCH] net/mlx4_core: Convert timers to use timer_setup()

2017-10-04 Thread Kees Cook
Thomas Gleixner <t...@linutronix.de> Signed-off-by: Kees Cook <keesc...@chromium.org> --- This requires commit 686fef928bba ("timer: Prepare to change timer callback argument type") in v4.14-rc3, but should be otherwise stand-alone. --- drivers/net/ethernet/mellanox/mlx4/cat
