[GIT,PULL] hardening updates for v6.6-rc1

Message ID 202308281138.5E9835A@keescook (mailing list archive)
State Handled Elsewhere

Pull-request

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.6-rc1

Message

Kees Cook Aug. 28, 2023, 6:42 p.m. UTC
Hi Linus,

Please pull these hardening updates for v6.6-rc1. As has become normal,
changes are scattered around the tree (either explicitly maintainer
Acked or for trivial stuff that went ignored). Details in the log below,
and all have been in -next for a while.

Thanks!

-Kees

The following changes since commit fdf0eaf11452d72945af31804e2a1048ee1b574c:

  Linux 6.5-rc2 (2023-07-16 15:10:37 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.6-rc1

for you to fetch changes up to 5f536ac6a5a7b67351e4e5ae4f9e1e57d31268e6:

  LoadPin: Annotate struct dm_verity_loadpin_trusted_root_digest with __counted_by (2023-08-25 16:07:30 -0700)

----------------------------------------------------------------
hardening updates for v6.6-rc1

- Carve out the new CONFIG_LIST_HARDENED as a more focused subset of
  CONFIG_DEBUG_LIST (Marco Elver).

- Fix kallsyms lookup failure under Clang LTO (Yonghong Song).

- Clarify documentation for CONFIG_UBSAN_TRAP (Jann Horn).

- Flexible array member conversion not carried in other trees (Gustavo
  A. R. Silva).

- Various strlcpy() and strncpy() removals not carried in other trees
  (Azeem Shaikh, Justin Stitt).

- Convert nsproxy.count to refcount_t (Elena Reshetova).

- Add a handful of __counted_by annotations not carried in other trees,
  as well as an LKDTM test.

- Fix build failure with gcc-plugins on GCC 14+.

- Fix selftests to respect SKIP for signal-delivery tests.

- Fix CFI warning for paravirt callback prototype.

- Clarify documentation for seq_show_option_n() usage.

----------------------------------------------------------------
Azeem Shaikh (4):
      soc: fsl: qe: Replace all non-returning strlcpy with strscpy
      um: Remove strlcpy declaration
      perf: Replace strlcpy with strscpy
      EISA: Replace all non-returning strlcpy with strscpy

Elena Reshetova (1):
      nsproxy: Convert nsproxy.count to refcount_t

Gustavo A. R. Silva (1):
      alpha: Replace one-element array with flexible-array member

Jann Horn (1):
      ubsan: Clarify Kconfig text for CONFIG_UBSAN_TRAP

Justin Stitt (2):
      um: vector: refactor deprecated strncpy
      um: refactor deprecated strncpy to memcpy

Kees Cook (8):
      seq_file: seq_show_option_n() is used for precise sizes
      x86/paravirt: Fix tlb_remove_table function callback prototype warning
      selftests/harness: Actually report SKIP for signal tests
      gcc-plugins: Rename last_stmt() for GCC 14+
      Compiler Attributes: counted_by: Adjust name and identifier expansion
      lkdtm: Add FAM_BOUNDS test for __counted_by
      integrity: Annotate struct ima_rule_opt_list with __counted_by
      LoadPin: Annotate struct dm_verity_loadpin_trusted_root_digest with __counted_by

Marco Elver (4):
      compiler_types: Introduce the Clang __preserve_most function attribute
      list_debug: Introduce inline wrappers for debug checks
      list: Introduce CONFIG_LIST_HARDENED
      hardening: Move BUG_ON_DATA_CORRUPTION to hardening options

Yonghong Song (2):
      kallsyms: Fix kallsyms_selftest failure
      kallsyms: Change func signature for cleanup_symbol_name()

 arch/alpha/kernel/osf_sys.c                 |  2 +-
 arch/arm64/kvm/hyp/nvhe/Makefile            |  2 +-
 arch/arm64/kvm/hyp/nvhe/list_debug.c        |  8 ++-
 arch/um/drivers/mconsole_kern.c             |  4 +-
 arch/um/drivers/vector_user.c               |  4 +-
 arch/um/include/shared/user.h               |  1 -
 arch/um/os-Linux/umid.c                     |  6 +-
 arch/x86/kernel/paravirt.c                  |  8 ++-
 drivers/eisa/eisa-bus.c                     |  2 +-
 drivers/misc/lkdtm/bugs.c                   | 51 +++++++++++++++--
 drivers/soc/fsl/qe/qe.c                     |  4 +-
 include/linux/compiler_attributes.h         | 26 ++++-----
 include/linux/compiler_types.h              | 28 +++++++++
 include/linux/dm-verity-loadpin.h           |  2 +-
 include/linux/list.h                        | 89 +++++++++++++++++++++++++++--
 include/linux/nsproxy.h                     |  7 +--
 include/linux/seq_file.h                    |  7 ++-
 include/uapi/linux/stddef.h                 |  4 ++
 kernel/events/core.c                        |  6 +-
 kernel/kallsyms.c                           | 27 ++++-----
 kernel/kallsyms_selftest.c                  | 23 +-------
 kernel/nsproxy.c                            |  4 +-
 lib/Kconfig.debug                           | 21 +++----
 lib/Kconfig.ubsan                           | 10 +++-
 lib/Makefile                                |  2 +-
 lib/list_debug.c                            | 16 +++---
 scripts/gcc-plugins/gcc-common.h            |  4 ++
 security/Kconfig.hardening                  | 23 ++++++++
 security/integrity/ima/ima_policy.c         |  4 +-
 security/loadpin/loadpin.c                  |  3 +-
 tools/testing/selftests/kselftest_harness.h | 11 ++--
 31 files changed, 286 insertions(+), 123 deletions(-)

Comments

pr-tracker-bot@kernel.org Aug. 28, 2023, 8:14 p.m. UTC | #1
The pull request you sent on Mon, 28 Aug 2023 11:42:58 -0700:

> https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.6-rc1

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/727dbda16b83600379061c4ca8270ef3e2f51922

Thank you!