1. 08 Feb, 2023 4 commits
    • randstruct: disable Clang 15 support · 78f7a3fd
      Eric Biggers authored
      The randstruct support released in Clang 15 is unsafe to use due to a
      bug that can cause miscompilations: "-frandomize-layout-seed
      inconsistently randomizes all-function-pointers structs"
      (https://github.com/llvm/llvm-project/issues/60349).  It has been fixed
      on the Clang 16 release branch, so add a Clang version check.
      
      Fixes: 035f7f87 ("randstruct: Enable Clang support")
      Cc: stable@vger.kernel.org
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Acked-by: Nick Desaulniers <ndesaulniers@google.com>
      Reviewed-by: Nathan Chancellor <nathan@kernel.org>
      Reviewed-by: Bill Wendling <morbo@google.com>
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20230208065133.220589-1-ebiggers@kernel.org
    • uaccess: Add minimum bounds check on kernel buffer size · 04ffde13
      Kees Cook authored
      While there is logic about the difference between ksize and usize,
      copy_struct_from_user() didn't check the size of the destination buffer
      (when it was known) against ksize. Add this check so there is an upper
      bounds check on the possible memset() call, otherwise lower bounds
      checks made by callers will trigger bounds warnings under -Warray-bounds.
      Seen under GCC 13:
      
      In function 'copy_struct_from_user',
          inlined from 'iommufd_fops_ioctl' at
      ../drivers/iommu/iommufd/main.c:333:8:
      ../include/linux/fortify-string.h:59:33: warning: '__builtin_memset' offset [57, 4294967294] is out of the bounds [0, 56] of object 'buf' with type 'union ucmd_buffer' [-Warray-bounds=]
         59 | #define __underlying_memset     __builtin_memset
            |                                 ^
      ../include/linux/fortify-string.h:453:9: note: in expansion of macro '__underlying_memset'
        453 |         __underlying_memset(p, c, __fortify_size); \
            |         ^~~~~~~~~~~~~~~~~~~
      ../include/linux/fortify-string.h:461:25: note: in expansion of macro '__fortify_memset_chk'
        461 | #define memset(p, c, s) __fortify_memset_chk(p, c, s, \
            |                         ^~~~~~~~~~~~~~~~~~~~
      ../include/linux/uaccess.h:334:17: note: in expansion of macro 'memset'
        334 |                 memset(dst + size, 0, rest);
            |                 ^~~~~~
      ../drivers/iommu/iommufd/main.c: In function 'iommufd_fops_ioctl':
      ../drivers/iommu/iommufd/main.c:311:27: note: 'buf' declared here
        311 |         union ucmd_buffer buf;
            |                           ^~~
      
      Cc: Christian Brauner <brauner@kernel.org>
      Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Dinh Nguyen <dinguyen@kernel.org>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: Alexander Potapenko <glider@google.com>
      Acked-by: Aleksa Sarai <cyphar@cyphar.com>
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/lkml/20230203193523.never.667-kees@kernel.org/
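The ksize/usize contract and the added upper bound, as a userspace model (example code added here, not the kernel's copy_struct_from_user(); copy_from_user() is replaced by memcpy() and the destination size is passed explicitly as dst_size, which the kernel would obtain from __builtin_object_size()):

```c
/* Added example, not kernel code: a userspace model of the
 * copy_struct_from_user() contract plus the commit's new check that the
 * kernel struct size (ksize) fits the real destination buffer (dst_size,
 * which the kernel takes from __builtin_object_size() when it is known). */
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* 0 on success; -E2BIG if ksize exceeds dst, or if userspace passed a
 * larger struct whose bytes beyond ksize are not all zero. */
static int model_copy_struct_from_user(void *dst, size_t dst_size, size_t ksize,
                                       const void *src, size_t usize)
{
    size_t size = ksize < usize ? ksize : usize;       /* bytes to copy */
    const unsigned char *tail = (const unsigned char *)src + size;

    /* The added upper bound: otherwise the memset() below could write
     * past the end of dst whenever a caller hands in an oversized ksize. */
    if (ksize > dst_size)
        return -E2BIG;

    /* Newer userspace than kernel: fields the kernel does not know must be 0. */
    for (size_t i = 0; usize > ksize && i < usize - ksize; i++)
        if (tail[i] != 0)
            return -E2BIG;

    memcpy(dst, src, size);                               /* copy_from_user() */
    memset((unsigned char *)dst + size, 0, ksize - size); /* older userspace */
    return 0;
}

struct v1 { uint32_t a, b; };        /* old ABI layout */
struct v2 { uint32_t a, b, c; };     /* kernel's current ABI layout */

/* Old user struct into the newer kernel struct: a/b copied, c zeroed. */
int demo_old_user(void)
{
    struct v1 u = { 1, 2 };
    struct v2 k = { 0, 0, 0xdeadbeef };
    if (model_copy_struct_from_user(&k, sizeof(k), sizeof(k), &u, sizeof(u)))
        return -1;
    return (k.a == 1 && k.b == 2 && k.c == 0) ? 0 : -1;
}

/* ksize says struct v2 but dst is only a struct v1: rejected now, instead
 * of the memset() running 4 bytes past k. */
int demo_oversized_ksize(void)
{
    struct v1 u = { 1, 2 }, k = { 0, 0 };
    return model_copy_struct_from_user(&k, sizeof(k), sizeof(struct v2), &u, sizeof(u));
}
```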
    • arm64: Support Clang UBSAN trap codes for better reporting · 25b84002
      Kees Cook authored
      When building with CONFIG_UBSAN_TRAP=y on arm64, Clang encodes the UBSAN
      check (handler) type in the esr. Extract this and actually report these
      traps as coming from the specific UBSAN check that tripped.
      
      Before:
      
        Internal error: BRK handler: 00000000f20003e8 [#1] PREEMPT SMP
      
      After:
      
        Internal error: UBSAN: shift out of bounds: 00000000f2005514 [#1] PREEMPT SMP
      
      Acked-by: Mark Rutland <mark.rutland@arm.com>
      Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
      Acked-by: Mukesh Ojha <quic_mojha@quicinc.com>
      Reviewed-by: Fangrui Song <maskray@google.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Will Deacon <will@kernel.org>
      Cc: John Stultz <jstultz@google.com>
      Cc: Yongqin Liu <yongqin.liu@linaro.org>
      Cc: Sami Tolvanen <samitolvanen@google.com>
      Cc: Yury Norov <yury.norov@gmail.com>
      Cc: Andrey Konovalov <andreyknvl@gmail.com>
      Cc: Marco Elver <elver@google.com>
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: llvm@lists.linux.dev
      Signed-off-by: Kees Cook <keescook@chromium.org>
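How the "Before"/"After" ESR values above map to a check name, as an added standalone decoder (example code, not the kernel's arm64 handler). It assumes the arm64 ESR layout (EC in bits [31:26], 0x3c for BRK64; BRK comment in bits [15:0]) and that Clang's UBSAN traps carry 0x55 in the upper byte of the comment with the SanitizerHandler kind in the lower byte:

```c
/* Added example, not kernel code: turn a BRK trap's ESR into a UBSAN check
 * name, as in the "After:" line above. Assumed encoding (arm64 ESR layout
 * plus Clang's trap immediates): EC in bits [31:26] is 0x3c for BRK64, the
 * BRK comment field is ESR bits [15:0], and Clang's UBSAN traps use 0x55 in
 * the top byte of the comment with the check kind in the low byte. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ESR_EC_SHIFT     26
#define ESR_EC_BRK64     0x3c
#define ESR_COMMENT_MASK 0xffffu
#define UBSAN_BRK_PREFIX 0x5500u
#define UBSAN_BRK_MASK   0x00ffu

/* Subset of Clang's SanitizerHandler ordering (assumed; kind = low byte). */
static const char *const ubsan_kinds[] = {
    [0x00] = "add overflow",        [0x03] = "divrem overflow",
    [0x0c] = "mul overflow",        [0x0d] = "negate overflow",
    [0x12] = "out of bounds",       [0x13] = "pointer overflow",
    [0x14] = "shift out of bounds", [0x15] = "sub overflow",
    [0x16] = "type mismatch",
};

/* Returns the UBSAN check name for a UBSAN trap, "BRK handler" for any
 * other BRK64 comment, or NULL if the ESR is not a BRK64 exception. */
const char *describe_brk_esr(uint64_t esr)
{
    uint32_t ec = (uint32_t)(esr >> ESR_EC_SHIFT) & 0x3f;
    uint32_t comment = (uint32_t)(esr & ESR_COMMENT_MASK);

    if (ec != ESR_EC_BRK64)
        return NULL;
    if ((comment & ~UBSAN_BRK_MASK) != UBSAN_BRK_PREFIX)
        return "BRK handler";                 /* the old, generic report */

    uint32_t kind = comment & UBSAN_BRK_MASK;
    if (kind < sizeof(ubsan_kinds) / sizeof(ubsan_kinds[0]) && ubsan_kinds[kind])
        return ubsan_kinds[kind];
    return "unrecognized UBSAN check";        /* report it rather than hide it */
}
```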
    • coda: Avoid partial allocation of sig_inputArgs · 48df1335
      Kees Cook authored
      GCC does not like having a partially allocated object, since it cannot
      reason about it for bounds checking when it is passed to other code.
      Instead, fully allocate sig_inputArgs. (Alternatively, sig_inputArgs
      should be defined as a struct coda_in_hdr, if it is actually not using
      any other part of the union.) Seen under GCC 13:
      
      ../fs/coda/upcall.c: In function 'coda_upcall':
      ../fs/coda/upcall.c:801:22: warning: array subscript 'union inputArgs[0]' is partly outside array bounds of 'unsigned char[20]' [-Warray-bounds=]
        801 |         sig_inputArgs->ih.opcode = CODA_SIGNAL;
            |                      ^~
      
      Cc: Jan Harkes <jaharkes@cs.cmu.edu>
      Cc: coda@cs.cmu.edu
      Cc: codalist@coda.cs.cmu.edu
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20230127223921.never.882-kees@kernel.org
  2. 02 Feb, 2023 2 commits
  3. 27 Jan, 2023 7 commits
  4. 25 Jan, 2023 3 commits
  5. 19 Jan, 2023 5 commits
  6. 13 Jan, 2023 2 commits
  7. 05 Jan, 2023 2 commits
    • fortify: Use __builtin_dynamic_object_size() when available · 439a1bca
      Kees Cook authored
      Since the commits starting with c37495d6 ("slab: add __alloc_size
      attributes for better bounds checking"), the compilers have runtime
      allocation size hints available in some places. This was immediately
      available to CONFIG_UBSAN_BOUNDS, but CONFIG_FORTIFY_SOURCE needed
      updating to explicitly make use of the hints via the associated
      __builtin_dynamic_object_size() helper. Detect and use the builtin when
      it is available, increasing the accuracy of the mitigation. When runtime
      sizes are not available, __builtin_dynamic_object_size() falls back to
      __builtin_object_size(), leaving the existing bounds checking unchanged.
      
      Additionally update the VMALLOC_LINEAR_OVERFLOW LKDTM test to make the
      hint invisible, otherwise the architectural defense is not exercised
      (the buffer overflow is detected in the memset() rather than when it
      crosses the edge of the allocation).
      
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Cc: Nathan Chancellor <nathan@kernel.org>
      Cc: Tom Rix <trix@redhat.com>
      Cc: linux-hardening@vger.kernel.org
      Cc: llvm@lists.linux.dev
      Reviewed-by: Miguel Ojeda <ojeda@kernel.org> # include/linux/compiler_attributes.h
      Signed-off-by: Kees Cook <keescook@chromium.org>
    • rxrpc: replace zero-length array with DECLARE_FLEX_ARRAY() helper · b2ba00c2
      Stephen Rothwell authored
      0-length arrays are deprecated, and cause problems with bounds checking.
      Replace with a flexible array:
      
      In file included from include/linux/string.h:253,
                       from include/linux/bitmap.h:11,
                       from include/linux/cpumask.h:12,
                       from arch/x86/include/asm/paravirt.h:17,
                       from arch/x86/include/asm/cpuid.h:62,
                       from arch/x86/include/asm/processor.h:19,
                       from arch/x86/include/asm/cpufeature.h:5,
                       from arch/x86/include/asm/thread_info.h:53,
                       from include/linux/thread_info.h:60,
                       from arch/x86/include/asm/preempt.h:9,
                       from include/linux/preempt.h:78,
                       from include/linux/percpu.h:6,
                       from include/linux/prandom.h:13,
                       from include/linux/random.h:153,
                       from include/linux/net.h:18,
                       from net/rxrpc/output.c:10:
      In function 'fortify_memcpy_chk',
          inlined from 'rxrpc_fill_out_ack' at net/rxrpc/output.c:158:2:
      include/linux/fortify-string.h:520:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()?  [-Werror=attribute-warning]
        520 |                         __write_overflow_field(p_size_field, size);
            |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Link: https://lore.kernel.org/linux-next/20230105132535.0d65378f@canb.auug.org.au/
      Cc: David Howells <dhowells@redhat.com>
      Cc: Marc Dionne <marc.dionne@auristor.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: linux-afs@lists.infradead.org
      Cc: netdev@vger.kernel.org
      Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
      Signed-off-by: Kees Cook <keescook@chromium.org>
  8. 01 Jan, 2023 6 commits
  9. 31 Dec, 2022 2 commits
  10. 30 Dec, 2022 7 commits