[GIT,PULL] hardening updates for v6.9-rc1

Message ID 202403111702.828C918E55@keescook (mailing list archive)
State Mainlined

Pull-request

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.9-rc1

Message

Kees Cook March 12, 2024, 1:18 a.m. UTC
Hi Linus,

Please pull these kernel hardening updates for v6.9-rc1. As is pretty
normal for this tree, there are changes all over the place, especially
for small fixes, selftest improvements, and improved macro usability.
Some header changes ended up landing via this tree as they depended on
the string header cleanups. Also, a notable set of changes is the work
for the reintroduction of the UBSAN signed integer overflow sanitizer
so that we can continue to make improvements on the compiler side to
make this sanitizer a more viable future security hardening option.

Everything has been in -next for a while, but there are a couple small
merge conflicts to deal with:

kbuild tree:
	https://lore.kernel.org/linux-next/20240226165811.56f71171@canb.auug.org.au/

bcachefs tree:
	https://lore.kernel.org/linux-next/20240301154351.1d097566@canb.auug.org.au/

Later in the merge window I intend to send some macro adjustment
collateral changes, but since they're mechanical, I figured it would be
simpler to wait for the end of -rc1.

Thanks!

-Kees

The following changes since commit 41bccc98fb7931d63d03f326a746ac4d429c1dd3:

  Linux 6.8-rc2 (2024-01-28 17:01:12 -0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.9-rc1

for you to fetch changes up to 3fe1eb4dd2e4b872ffb7b9b081b34ffcfa934ba7:

  selftests/powerpc: Fix load_unaligned_zeropad build failure (2024-03-05 10:29:15 -0800)

----------------------------------------------------------------
hardening updates for v6.9-rc1

- string.h and related header cleanups (Tanzir Hasan, Andy Shevchenko)

- VMCI memcpy() usage and struct_size() cleanups (Vasiliy Kovalev, Harshit
  Mogalapalli)

- selftests/powerpc: Fix load_unaligned_zeropad build failure (Michael
  Ellerman)

- hardened Kconfig fragment updates (Marco Elver, Lukas Bulwahn)

- Handle tail call optimization better in LKDTM (Douglas Anderson)

- Use long form types in overflow.h (Andy Shevchenko)

- Add flags param to string_get_size() (Andy Shevchenko)

- Add Coccinelle script for potential struct_size() use (Jacob Keller)

- Fix objtool corner case under KCFI (Josh Poimboeuf)

- Drop 13 year old backward compat CAP_SYS_ADMIN check (Jingzi Meng)

- Add str_plural() helper (Michal Wajdeczko, Kees Cook)

- Ignore relocations in .notes section

- Add comments to explain how __is_constexpr() works

- Fix m68k stack alignment expectations in stackinit Kunit test

- Convert string selftests to KUnit

- Add KUnit tests for fortified string functions

- Improve reporting during fortified string warnings

- Allow non-type arg to type_max() and type_min()

- Allow strscpy() to be called with only 2 arguments

- Add binary mode to leaking_addresses scanner

- Various small cleanups to leaking_addresses scanner

- Adding wrapping_*() arithmetic helper

- Annotate initial signed integer wrap-around in refcount_t

- Add explicit UBSAN section to MAINTAINERS

- Fix UBSAN self-test warnings

- Simplify UBSAN build via removal of CONFIG_UBSAN_SANITIZE_ALL

- Reintroduce UBSAN's signed overflow sanitizer

----------------------------------------------------------------
Andy Shevchenko (4):
      kernel.h: Move upper_*_bits() and lower_*_bits() to wordpart.h
      kernel.h: Move lib/cmdline.c prototypes to string.h
      overflow: Use POD in check_shl_overflow()
      lib/string_helpers: Add flags param to string_get_size()

Douglas Anderson (3):
      lkdtm: Make lkdtm_do_action() return to avoid tail call optimization
      lkdtm/bugs: Adjust lkdtm_HUNG_TASK() to avoid tail call optimization
      lkdtm/bugs: In lkdtm_HUNG_TASK() use BUG(), not BUG_ON(1)

Harshit Mogalapalli (2):
      VMCI: Use struct_size() in kmalloc()
      VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

Jacob Keller (1):
      coccinelle: semantic patch to check for potential struct_size calls

Jingzi Meng (1):
      cap_syslog: remove CAP_SYS_ADMIN when dmesg_restrict

Josh Poimboeuf (1):
      objtool: Fix UNWIND_HINT_{SAVE,RESTORE} across basic blocks

Kees Cook (31):
      MAINTAINERS: Add UBSAN section
      ubsan: Use Clang's -fsanitize-trap=undefined option
      ubsan: Silence W=1 warnings in self-test
      ubsan: Remove CONFIG_UBSAN_SANITIZE_ALL
      ubsan: Reintroduce signed overflow sanitizer
      string: Redefine strscpy_pad() as a macro
      string: Allow 2-argument strscpy()
      string: Allow 2-argument strscpy_pad()
      um: Convert strscpy() usage to 2-argument style
      overflow: Adjust check_*_overflow() kern-doc to reflect results
      overflow: Introduce wrapping_add(), wrapping_sub(), and wrapping_mul()
      overflow: Introduce wrapping_assign_add() and wrapping_assign_sub()
      coccinelle: Add rules to find str_plural() replacements
      refcount: Annotated intentional signed integer wrap-around
      fortify: Split reporting and avoid passing string pointer
      fortify: Allow KUnit test to build without FORTIFY
      fortify: Provide KUnit counters for failure testing
      fortify: Add KUnit tests for runtime overflows
      fortify: Improve buffer overflow reporting
      MAINTAINERS: Update LEAKING_ADDRESSES details
      leaking_addresses: Use File::Temp for /tmp files
      leaking_addresses: Ignore input device status lines
      leaking_addresses: Provide mechanism to scan binary files
      sparc: vdso: Disable UBSAN instrumentation
      lib: stackinit: Adjust target string to 8 bytes for m68k
      x86, relocs: Ignore relocations in .notes section
      overflow: Allow non-type arg to type_max() and type_min()
      compiler.h: Explain how __is_constexpr() works
      sh: Fix build with CONFIG_UBSAN=y
      string: Convert selftest to KUnit
      string: Convert helpers selftest to KUnit

Lukas Bulwahn (2):
      hardening: drop obsolete UBSAN_SANITIZE_ALL from config fragment
      hardening: drop obsolete DRM_LEGACY from config fragment

Marco Elver (1):
      hardening: Enable KFENCE in the hardening config

Michael Ellerman (1):
      selftests/powerpc: Fix load_unaligned_zeropad build failure

Michal Wajdeczko (1):
      lib/string_choices: Add str_plural() helper

Tanzir Hasan (2):
      kernel.h: removed REPEAT_BYTE from kernel.h
      lib/string: shrink lib/string.i via IWYU

Vasiliy Kovalev (1):
      VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()

 Documentation/dev-tools/ubsan.rst                  |  28 +-
 MAINTAINERS                                        |  26 +-
 arch/arm/Kconfig                                   |   2 +-
 arch/arm/boot/compressed/misc.c                    |   2 +-
 arch/arm/boot/compressed/misc.h                    |   2 +-
 arch/arm/include/asm/word-at-a-time.h              |   3 +-
 arch/arm64/Kconfig                                 |   2 +-
 arch/arm64/include/asm/word-at-a-time.h            |   3 +-
 arch/mips/Kconfig                                  |   2 +-
 arch/parisc/Kconfig                                |   2 +-
 arch/powerpc/Kconfig                               |   2 +-
 arch/powerpc/include/asm/word-at-a-time.h          |   4 +-
 arch/riscv/Kconfig                                 |   2 +-
 arch/riscv/include/asm/word-at-a-time.h            |   3 +-
 arch/s390/Kconfig                                  |   2 +-
 arch/s390/include/asm/word-at-a-time.h             |   3 +-
 arch/sh/boot/compressed/Makefile                   |   1 +
 arch/sh/include/asm/word-at-a-time.h               |   2 +
 arch/sparc/vdso/Makefile                           |   1 +
 arch/um/drivers/net_kern.c                         |   2 +-
 arch/um/drivers/vector_kern.c                      |   2 +-
 arch/um/drivers/vector_user.c                      |   4 +-
 arch/um/include/shared/user.h                      |   3 +-
 arch/um/os-Linux/drivers/ethertap_user.c           |   2 +-
 arch/um/os-Linux/drivers/tuntap_user.c             |   2 +-
 arch/um/os-Linux/umid.c                            |   6 +-
 arch/x86/Kconfig                                   |   2 +-
 arch/x86/boot/compressed/misc.c                    |   2 +-
 arch/x86/include/asm/word-at-a-time.h              |   3 +-
 arch/x86/kvm/mmu/mmu.c                             |   1 +
 arch/x86/tools/relocs.c                            |   8 +
 drivers/misc/lkdtm/bugs.c                          |   3 +-
 drivers/misc/lkdtm/core.c                          |  22 +-
 drivers/misc/vmw_vmci/vmci_datagram.c              |  10 +-
 fs/namei.c                                         |   2 +-
 include/asm-generic/word-at-a-time.h               |   3 +-
 include/linux/compiler.h                           |  39 ++
 include/linux/compiler_types.h                     |   9 +-
 include/linux/fortify-string.h                     | 122 ++--
 include/linux/kernel.h                             |  44 +-
 include/linux/overflow.h                           | 115 +++-
 include/linux/refcount.h                           |   9 +-
 include/linux/string.h                             |  86 ++-
 include/linux/string_choices.h                     |  11 +
 include/linux/string_helpers.h                     |  10 +-
 include/linux/wordpart.h                           |  42 ++
 kernel/configs/hardening.config                    |   7 +-
 kernel/printk/printk.c                             |  11 -
 lib/Kconfig.debug                                  |  14 +-
 lib/Kconfig.ubsan                                  |  28 +-
 lib/Makefile                                       |   7 +-
 lib/fortify_kunit.c                                | 662 ++++++++++++++++++++-
 lib/overflow_kunit.c                               |  67 ++-
 lib/stackinit_kunit.c                              |  19 +-
 lib/string.c                                       |  23 +-
 lib/string_helpers.c                               |  89 ++-
 ...est-string_helpers.c => string_helpers_kunit.c} | 255 ++++----
 lib/string_kunit.c                                 | 199 +++++++
 lib/test_string.c                                  | 257 --------
 lib/test_ubsan.c                                   |  41 +-
 lib/ubsan.c                                        |  68 +++
 lib/ubsan.h                                        |   4 +
 scripts/Makefile.lib                               |   5 +-
 scripts/Makefile.ubsan                             |   5 +-
 scripts/coccinelle/api/string_choices.cocci        |  41 ++
 scripts/coccinelle/misc/struct_size.cocci          |  74 +++
 scripts/leaking_addresses.pl                       |  90 ++-
 tools/objtool/check.c                              |  12 +
 tools/objtool/noreturns.h                          |   2 +-
 .../selftests/powerpc/primitives/linux/bitops.h    |   0
 .../selftests/powerpc/primitives/linux/wordpart.h  |   1 +
 71 files changed, 1949 insertions(+), 688 deletions(-)
 create mode 100644 include/linux/wordpart.h
 rename lib/{test-string_helpers.c => string_helpers_kunit.c} (67%)
 create mode 100644 lib/string_kunit.c
 delete mode 100644 lib/test_string.c
 create mode 100644 scripts/coccinelle/api/string_choices.cocci
 create mode 100644 scripts/coccinelle/misc/struct_size.cocci
 create mode 100644 tools/testing/selftests/powerpc/primitives/linux/bitops.h
 create mode 120000 tools/testing/selftests/powerpc/primitives/linux/wordpart.h

Comments

pr-tracker-bot@kernel.org March 12, 2024, 10:24 p.m. UTC | #1
The pull request you sent on Mon, 11 Mar 2024 18:18:31 -0700:

> https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.9-rc1

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/216532e147b2fee6ee830f4a844bbc3cbb9137af

Thank you!