diff mbox

[1/2] powerpc: Don't fortify prom_init

Message ID 20170522013233.21780-2-dja@axtens.net (mailing list archive)
State New, archived
Headers show

Commit Message

Daniel Axtens May 22, 2017, 1:32 a.m. UTC
prom_init is a bit special; in theory it should be able to be
linked separately to the kernel. To keep this from getting too
complex, the symbols that prom_init.c uses are checked.

Fortification adds symbols, and it gets quite messy as it includes
things like panic(). So just don't fortify prom_init.c for now.

Cc: Kees Cook <keescook@chromium.org>
Cc: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Daniel Axtens <dja@axtens.net>

---

This will need to go in before the main fortify support, but it
doesn't make any sense in the absence of fortify. I think it would
make most sense for Kees to queue this up with the main fortify patch,
with an Ack from mpe?

---
 arch/powerpc/kernel/prom_init.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Michael Ellerman May 22, 2017, 10:04 a.m. UTC | #1
Daniel Axtens <dja@axtens.net> writes:
> prom_init is a bit special; in theory it should be able to be
> linked separately to the kernel. To keep this from getting too
> complex, the symbols that prom_init.c uses are checked.
>
> Fortification adds symbols, and it gets quite messy as it includes
> things like panic(). So just don't fortify prom_init.c for now.

Calling panic() at that point is unlikely to work well.

> Cc: Kees Cook <keescook@chromium.org>
> Cc: Daniel Micay <danielmicay@gmail.com>
> Signed-off-by: Daniel Axtens <dja@axtens.net>
>
> ---
>
> This will need to go in before the main fortify support, but it
> doesn't make any sense in the absence of fortify. I think it would
> make most sense for Kees to queue this up with the main fortify patch,
> with an Ack from mpe?

Yeah that's fine by me.

> diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c
> index dd8a04f3053a..613f79f03877 100644
> --- a/arch/powerpc/kernel/prom_init.c
> +++ b/arch/powerpc/kernel/prom_init.c
> @@ -15,6 +15,9 @@
>  
>  #undef DEBUG_PROM
>  
> +/* we cannot use FORTIFY as it brings in new symbols */
> +#define __NO_FORTIFY
> +
>  #include <stdarg.h>
>  #include <linux/kernel.h>
>  #include <linux/string.h>

Acked-by: Michael Ellerman <mpe@ellerman.id.au>

cheers
diff mbox

Patch

diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c
index dd8a04f3053a..613f79f03877 100644
--- a/arch/powerpc/kernel/prom_init.c
+++ b/arch/powerpc/kernel/prom_init.c
@@ -15,6 +15,9 @@ 
 
 #undef DEBUG_PROM
 
+/* we cannot use FORTIFY as it brings in new symbols */
+#define __NO_FORTIFY
+
 #include <stdarg.h>
 #include <linux/kernel.h>
 #include <linux/string.h>