From patchwork Tue Mar 12 01:18:31 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13589437 Received: from mail-oa1-f54.google.com (mail-oa1-f54.google.com [209.85.160.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D550117CD for ; Tue, 12 Mar 2024 01:18:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.54 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1710206315; cv=none; b=P8HP002YG6zTNJ9EJ9tP7ZooYof2IovKOLsNiOzz19QDooQoxWfxksiJhZSLFyRyLLLlAXbfIw44BC4Msay/+XOrnpO8Y6dG455M3eG+Un7IWkEJGNXKTa+ojEQu9YsYn2XfEILAp+DBJb7jb2DKd4my9VfaVtuXX3YDv1XHBwg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1710206315; c=relaxed/simple; bh=LlDPdGUSuEysW+0IelyZlJYvm8m/D/jWNozdLA6bZqs=; h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type: Content-Disposition; b=ofQ1/sHbvn9YF/E6zc6QSp6s+XgNLDiUEkR4Ks76mWKshZxZ9f6iVxax2VYygeRtmzAxR1SssUpadp/1UXLJaeTZ1IpuQUxTvk5s7qg7OoUvtXgCwos77oe+V6PcwwDJvpkgCMmUmc0hFoASeaJVg6USYf44Y+CQRuwLeOP+CoA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=P1yz4TxU; arc=none smtp.client-ip=209.85.160.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="P1yz4TxU" Received: by mail-oa1-f54.google.com with SMTP id 586e51a60fabf-221ffba5c8bso801014fac.1 for ; Mon, 11 Mar 2024 18:18:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1710206313; x=1710811113; darn=vger.kernel.org; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=nTIpAV28U7eYXX05YBdvGn20WGUMvQJYSHzcZsEDIko=; b=P1yz4TxUTPj+ml8I7flaiDTqPx9Vceff+s+vxdZSc44lQ5LYoy51TFutSm7+gBuXOU G7Wfx2UUIF86EG/VA2wPi25v2dTsLsub2yHOyZ2PD7viIvdRErzm9tQakR6ap7nkbAqx 6SylJUy01ktCzLDxq6GiIIxEmbl4OeYyHTxEw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710206313; x=1710811113; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=nTIpAV28U7eYXX05YBdvGn20WGUMvQJYSHzcZsEDIko=; b=u31RfkGz9w8YuOONIGAO6uMdvrMa4fAPpgWyP3y1QTpF0OvmJNQHSoHoShgIEyTSMS JdQGztkhsRzbIssEJu6m74kxPzrvClCDyJjEVvrIdoOMvNqEkwTCdM1Lprh6oP5/kCP/ rqhTyhcVzUMo6Ey15VShEUhpyPRVVPGDKunDutQv76fg+Xrmb2ukUKCX1s0s3ZAD8D1f yDhwoXOlUpOtY0T5wS6JQfZ2hkCT8GSYgsTvCNMG90Add4n28c223rT9DMmJjHSjnpCy USrMkXtVCSp8whADGRk9IwLvEXKfDr5hmPxli7AZTLY7aXvtMhLit/QgdRiO+VlV+f/T rNdg== X-Forwarded-Encrypted: i=1; AJvYcCUzBoPTISLq9of4gkIChjVmOdQznSLTuiITcRL2/vep8LbIf+m31RVJHDUjvoJge7iS/RtHq9PxTnYeoUTBRYZNfv+uxLkaTh6/yIpfWzMZ X-Gm-Message-State: AOJu0Yxw8d2JIKcDKtabV74s5Q6sLF7FHYa1HsZEBPP/oVAkgCX4G+XN 5tCG/pIKonLEtq6zV0lewmWecxE8lIzDUY0NV98eLLaopq1THQtXOHHsToZFeg== X-Google-Smtp-Source: AGHT+IGa2+n/kL5yHpIt+c14VdLJqa5M0PfowwbIe6llPlKW5ygTTklzFdMVZkC5IAHXYgOfOSzKgg== X-Received: by 2002:a05:6870:a110:b0:220:dc43:f9f2 with SMTP id m16-20020a056870a11000b00220dc43f9f2mr9272891oae.38.1710206312947; Mon, 11 Mar 2024 18:18:32 -0700 (PDT) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id u13-20020a056a00124d00b006e58663dd0asm4944826pfi.110.2024.03.11.18.18.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 Mar 2024 18:18:32 -0700 (PDT) Date: Mon, 11 Mar 2024 18:18:31 -0700 From: Kees Cook To: Linus Torvalds Cc: linux-kernel@vger.kernel.org, Alexander Lobakin , Al Viro , Andrew Morton , Andrey Konovalov , Andrey Ryabinin , Andy Shevchenko , Andy Shevchenko , Andy Shevchenko , Arnd Bergmann , Bill Wendling , Dan Carpenter , Douglas Anderson , Fangrui Song , Geert Uytterhoeven , Greg Kroah-Hartman , Guenter Roeck , Guixiong Wei , "Gustavo A. R. Silva" , Hao Luo , Harshit Mogalapalli , Jacob Keller , Jakub Kicinski , Jani Nikula , Jingzi Meng , John Paul Adrian Glaubitz , Josh Poimboeuf , Juergen Gross , Justin Stitt , Kees Cook , Kent Overstreet , kernel test robot , linux-doc@vger.kernel.org, linux-hardening@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-sh@vger.kernel.org, linux-um@lists.infradead.org, llvm@lists.linux.dev, Lukas Bulwahn , Marco Elver , Mark Rutland , Masahiro Yamada , Matthieu Baerts , Michael Ellerman , Michal Wajdeczko , Miguel Ojeda , Nathan Chancellor , Nick Desaulniers , Nicolas Schier , Nicolas Schier , Peter Zijlstra , Randy Dunlap , Richard Weinberger , Rich Felker , Sachin Sant , Sam Ravnborg , syzkaller , Tanzir Hasan , Tycho Andersen , Vasiliy Kovalev , Vegard Nossum , Yoshinori Sato Subject: [GIT PULL] hardening updates for v6.9-rc1 Message-ID: <202403111702.828C918E55@keescook> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Disposition: inline Hi Linus, Please pull these kernel hardening updates for v6.9-rc1. As is pretty normal for this tree, there are changes all over the place, especially for small fixes, selftest improvements, and improved macro usability. Some header changes ended up landing via this tree as they depended on the string header cleanups. Also, a notable set of changes is the work for the reintroduction of the UBSAN signed integer overflow sanitizer so that we can continue to make improvements on the compiler side to make this sanitizer a more viable future security hardening option. Everything has been in -next for a while, but there are a couple small merge conflicts to deal with: kbuild tree: https://lore.kernel.org/linux-next/20240226165811.56f71171@canb.auug.org.au/ bcachefs tree: https://lore.kernel.org/linux-next/20240301154351.1d097566@canb.auug.org.au/ Later in the merge window I intend to send some macro adjustment collateral changes, but since they're mechanical, I figured it would be simpler to wait for the end of -rc1. Thanks! -Kees The following changes since commit 41bccc98fb7931d63d03f326a746ac4d429c1dd3: Linux 6.8-rc2 (2024-01-28 17:01:12 -0800) are available in the Git repository at: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.9-rc1 for you to fetch changes up to 3fe1eb4dd2e4b872ffb7b9b081b34ffcfa934ba7: selftests/powerpc: Fix load_unaligned_zeropad build failure (2024-03-05 10:29:15 -0800) ---------------------------------------------------------------- hardening updates for v6.9-rc1 - string.h and related header cleanups (Tanzir Hasan, Andy Shevchenko) - VMCI memcpy() usage and struct_size() cleanups (Vasiliy Kovalev, Harshit Mogalapalli) - selftests/powerpc: Fix load_unaligned_zeropad build failure (Michael Ellerman) - hardened Kconfig fragment updates (Marco Elver, Lukas Bulwahn) - Handle tail call optimization better in LKDTM (Douglas Anderson) - Use long form types in overflow.h (Andy Shevchenko) - Add flags param to string_get_size() (Andy Shevchenko) - Add Coccinelle script for potential struct_size() use (Jacob Keller) - Fix objtool corner case under KCFI (Josh Poimboeuf) - Drop 13 year old backward compat CAP_SYS_ADMIN check (Jingzi Meng) - Add str_plural() helper (Michal Wajdeczko, Kees Cook) - Ignore relocations in .notes section - Add comments to explain how __is_constexpr() works - Fix m68k stack alignment expectations in stackinit Kunit test - Convert string selftests to KUnit - Add KUnit tests for fortified string functions - Improve reporting during fortified string warnings - Allow non-type arg to type_max() and type_min() - Allow strscpy() to be called with only 2 arguments - Add binary mode to leaking_addresses scanner - Various small cleanups to leaking_addresses scanner - Adding wrapping_*() arithmetic helper - Annotate initial signed integer wrap-around in refcount_t - Add explicit UBSAN section to MAINTAINERS - Fix UBSAN self-test warnings - Simplify UBSAN build via removal of CONFIG_UBSAN_SANITIZE_ALL - Reintroduce UBSAN's signed overflow sanitizer ---------------------------------------------------------------- Andy Shevchenko (4): kernel.h: Move upper_*_bits() and lower_*_bits() to wordpart.h kernel.h: Move lib/cmdline.c prototypes to string.h overflow: Use POD in check_shl_overflow() lib/string_helpers: Add flags param to string_get_size() Douglas Anderson (3): lkdtm: Make lkdtm_do_action() return to avoid tail call optimization lkdtm/bugs: Adjust lkdtm_HUNG_TASK() to avoid tail call optimization lkdtm/bugs: In lkdtm_HUNG_TASK() use BUG(), not BUG_ON(1) Harshit Mogalapalli (2): VMCI: Use struct_size() in kmalloc() VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() Jacob Keller (1): coccinelle: semantic patch to check for potential struct_size calls Jingzi Meng (1): cap_syslog: remove CAP_SYS_ADMIN when dmesg_restrict Josh Poimboeuf (1): objtool: Fix UNWIND_HINT_{SAVE,RESTORE} across basic blocks Kees Cook (31): MAINTAINERS: Add UBSAN section ubsan: Use Clang's -fsanitize-trap=undefined option ubsan: Silence W=1 warnings in self-test ubsan: Remove CONFIG_UBSAN_SANITIZE_ALL ubsan: Reintroduce signed overflow sanitizer string: Redefine strscpy_pad() as a macro string: Allow 2-argument strscpy() string: Allow 2-argument strscpy_pad() um: Convert strscpy() usage to 2-argument style overflow: Adjust check_*_overflow() kern-doc to reflect results overflow: Introduce wrapping_add(), wrapping_sub(), and wrapping_mul() overflow: Introduce wrapping_assign_add() and wrapping_assign_sub() coccinelle: Add rules to find str_plural() replacements refcount: Annotated intentional signed integer wrap-around fortify: Split reporting and avoid passing string pointer fortify: Allow KUnit test to build without FORTIFY fortify: Provide KUnit counters for failure testing fortify: Add KUnit tests for runtime overflows fortify: Improve buffer overflow reporting MAINTAINERS: Update LEAKING_ADDRESSES details leaking_addresses: Use File::Temp for /tmp files leaking_addresses: Ignore input device status lines leaking_addresses: Provide mechanism to scan binary files sparc: vdso: Disable UBSAN instrumentation lib: stackinit: Adjust target string to 8 bytes for m68k x86, relocs: Ignore relocations in .notes section overflow: Allow non-type arg to type_max() and type_min() compiler.h: Explain how __is_constexpr() works sh: Fix build with CONFIG_UBSAN=y string: Convert selftest to KUnit string: Convert helpers selftest to KUnit Lukas Bulwahn (2): hardening: drop obsolete UBSAN_SANITIZE_ALL from config fragment hardening: drop obsolete DRM_LEGACY from config fragment Marco Elver (1): hardening: Enable KFENCE in the hardening config Michael Ellerman (1): selftests/powerpc: Fix load_unaligned_zeropad build failure Michal Wajdeczko (1): lib/string_choices: Add str_plural() helper Tanzir Hasan (2): kernel.h: removed REPEAT_BYTE from kernel.h lib/string: shrink lib/string.i via IWYU Vasiliy Kovalev (1): VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler() Documentation/dev-tools/ubsan.rst | 28 +- MAINTAINERS | 26 +- arch/arm/Kconfig | 2 +- arch/arm/boot/compressed/misc.c | 2 +- arch/arm/boot/compressed/misc.h | 2 +- arch/arm/include/asm/word-at-a-time.h | 3 +- arch/arm64/Kconfig | 2 +- arch/arm64/include/asm/word-at-a-time.h | 3 +- arch/mips/Kconfig | 2 +- arch/parisc/Kconfig | 2 +- arch/powerpc/Kconfig | 2 +- arch/powerpc/include/asm/word-at-a-time.h | 4 +- arch/riscv/Kconfig | 2 +- arch/riscv/include/asm/word-at-a-time.h | 3 +- arch/s390/Kconfig | 2 +- arch/s390/include/asm/word-at-a-time.h | 3 +- arch/sh/boot/compressed/Makefile | 1 + arch/sh/include/asm/word-at-a-time.h | 2 + arch/sparc/vdso/Makefile | 1 + arch/um/drivers/net_kern.c | 2 +- arch/um/drivers/vector_kern.c | 2 +- arch/um/drivers/vector_user.c | 4 +- arch/um/include/shared/user.h | 3 +- arch/um/os-Linux/drivers/ethertap_user.c | 2 +- arch/um/os-Linux/drivers/tuntap_user.c | 2 +- arch/um/os-Linux/umid.c | 6 +- arch/x86/Kconfig | 2 +- arch/x86/boot/compressed/misc.c | 2 +- arch/x86/include/asm/word-at-a-time.h | 3 +- arch/x86/kvm/mmu/mmu.c | 1 + arch/x86/tools/relocs.c | 8 + drivers/misc/lkdtm/bugs.c | 3 +- drivers/misc/lkdtm/core.c | 22 +- drivers/misc/vmw_vmci/vmci_datagram.c | 10 +- fs/namei.c | 2 +- include/asm-generic/word-at-a-time.h | 3 +- include/linux/compiler.h | 39 ++ include/linux/compiler_types.h | 9 +- include/linux/fortify-string.h | 122 ++-- include/linux/kernel.h | 44 +- include/linux/overflow.h | 115 +++- include/linux/refcount.h | 9 +- include/linux/string.h | 86 ++- include/linux/string_choices.h | 11 + include/linux/string_helpers.h | 10 +- include/linux/wordpart.h | 42 ++ kernel/configs/hardening.config | 7 +- kernel/printk/printk.c | 11 - lib/Kconfig.debug | 14 +- lib/Kconfig.ubsan | 28 +- lib/Makefile | 7 +- lib/fortify_kunit.c | 662 ++++++++++++++++++++- lib/overflow_kunit.c | 67 ++- lib/stackinit_kunit.c | 19 +- lib/string.c | 23 +- lib/string_helpers.c | 89 ++- ...est-string_helpers.c => string_helpers_kunit.c} | 255 ++++---- lib/string_kunit.c | 199 +++++++ lib/test_string.c | 257 -------- lib/test_ubsan.c | 41 +- lib/ubsan.c | 68 +++ lib/ubsan.h | 4 + scripts/Makefile.lib | 5 +- scripts/Makefile.ubsan | 5 +- scripts/coccinelle/api/string_choices.cocci | 41 ++ scripts/coccinelle/misc/struct_size.cocci | 74 +++ scripts/leaking_addresses.pl | 90 ++- tools/objtool/check.c | 12 + tools/objtool/noreturns.h | 2 +- .../selftests/powerpc/primitives/linux/bitops.h | 0 .../selftests/powerpc/primitives/linux/wordpart.h | 1 + 71 files changed, 1949 insertions(+), 688 deletions(-) create mode 100644 include/linux/wordpart.h rename lib/{test-string_helpers.c => string_helpers_kunit.c} (67%) create mode 100644 lib/string_kunit.c delete mode 100644 lib/test_string.c create mode 100644 scripts/coccinelle/api/string_choices.cocci create mode 100644 scripts/coccinelle/misc/struct_size.cocci create mode 100644 tools/testing/selftests/powerpc/primitives/linux/bitops.h create mode 120000 tools/testing/selftests/powerpc/primitives/linux/wordpart.h