From patchwork Thu Apr 11 18:11:06 2024
X-Patchwork-Submitter: Nathan Chancellor
X-Patchwork-Id: 13626508
From: Nathan Chancellor
Date: Thu, 11 Apr 2024 11:11:06 -0700
Subject: [PATCH 1/2] configs/hardening: Fix disabling UBSAN configurations
X-Mailing-List: linux-hardening@vger.kernel.org
Message-Id: <20240411-fix-ubsan-in-hardening-config-v1-1-e0177c80ffaa@kernel.org>
References: <20240411-fix-ubsan-in-hardening-config-v1-0-e0177c80ffaa@kernel.org>
In-Reply-To: <20240411-fix-ubsan-in-hardening-config-v1-0-e0177c80ffaa@kernel.org>
To: keescook@chromium.org
Cc: gustavoars@kernel.org, justinstitt@google.com, linux-hardening@vger.kernel.org, patches@lists.linux.dev, Nathan Chancellor

The initial change that added kernel/configs/hardening.config attempted
to disable all UBSAN sanitizers except for the array bounds one while
turning on UBSAN_TRAP. Unfortunately, it only got the syntax for
CONFIG_UBSAN_SHIFT correct, so configurations that are on by default
with CONFIG_UBSAN=y such as CONFIG_UBSAN_{BOOL,ENUM} do not get disabled
properly.

  CONFIG_ARCH_HAS_UBSAN=y
  CONFIG_UBSAN=y
  CONFIG_UBSAN_TRAP=y
  CONFIG_CC_HAS_UBSAN_BOUNDS_STRICT=y
  CONFIG_UBSAN_BOUNDS=y
  CONFIG_UBSAN_BOUNDS_STRICT=y
  # CONFIG_UBSAN_SHIFT is not set
  # CONFIG_UBSAN_DIV_ZERO is not set
  # CONFIG_UBSAN_UNREACHABLE is not set
  CONFIG_UBSAN_SIGNED_WRAP=y
  CONFIG_UBSAN_BOOL=y
  CONFIG_UBSAN_ENUM=y
  # CONFIG_TEST_UBSAN is not set

Add the missing 'is not set' to each configuration that needs it so that
they get disabled as intended.

  CONFIG_ARCH_HAS_UBSAN=y
  CONFIG_UBSAN=y
  CONFIG_UBSAN_TRAP=y
  CONFIG_CC_HAS_UBSAN_BOUNDS_STRICT=y
  CONFIG_UBSAN_BOUNDS=y
  CONFIG_UBSAN_BOUNDS_STRICT=y
  # CONFIG_UBSAN_SHIFT is not set
  # CONFIG_UBSAN_DIV_ZERO is not set
  # CONFIG_UBSAN_UNREACHABLE is not set
  CONFIG_UBSAN_SIGNED_WRAP=y
  # CONFIG_UBSAN_BOOL is not set
  # CONFIG_UBSAN_ENUM is not set
  # CONFIG_TEST_UBSAN is not set

Fixes: 215199e3d9f3 ("hardening: Provide Kconfig fragments for basic options")
Signed-off-by: Nathan Chancellor
---
 kernel/configs/hardening.config | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config index 7a5bbfc024b7..d6f6dc45628a 100644 --- a/kernel/configs/hardening.config +++ b/kernel/configs/hardening.config 
@@ -39,11 +39,11 @@ CONFIG_UBSAN=y CONFIG_UBSAN_TRAP=y CONFIG_UBSAN_BOUNDS=y # CONFIG_UBSAN_SHIFT is not set -# CONFIG_UBSAN_DIV_ZERO -# CONFIG_UBSAN_UNREACHABLE -# CONFIG_UBSAN_BOOL -# CONFIG_UBSAN_ENUM -# CONFIG_UBSAN_ALIGNMENT +# CONFIG_UBSAN_DIV_ZERO is not set +# CONFIG_UBSAN_UNREACHABLE is not set +# CONFIG_UBSAN_BOOL is not set +# CONFIG_UBSAN_ENUM is not set +# CONFIG_UBSAN_ALIGNMENT is not set # Sampling-based heap out-of-bounds and use-after-free detection. CONFIG_KFENCE=y

From patchwork Thu Apr 11 18:11:07 2024
X-Patchwork-Submitter: Nathan Chancellor
X-Patchwork-Id: 13626509
From: Nathan Chancellor
Date: Thu, 11 Apr 2024 11:11:07 -0700
Subject: [PATCH 2/2] configs/hardening: Disable CONFIG_UBSAN_SIGNED_WRAP
X-Mailing-List: linux-hardening@vger.kernel.org
Message-Id: <20240411-fix-ubsan-in-hardening-config-v1-2-e0177c80ffaa@kernel.org>
References: <20240411-fix-ubsan-in-hardening-config-v1-0-e0177c80ffaa@kernel.org>
In-Reply-To: <20240411-fix-ubsan-in-hardening-config-v1-0-e0177c80ffaa@kernel.org>
To: keescook@chromium.org
Cc: gustavoars@kernel.org, justinstitt@google.com, linux-hardening@vger.kernel.org, patches@lists.linux.dev, Nathan Chancellor

kernel/configs/hardening.config turns on UBSAN for the bounds sanitizer,
as that in combination with trapping can stop the exploitation of buffer
overflows within the kernel. At the same time, hardening.config turns
off every other UBSAN sanitizer because trapping means all UBSAN reports
will be fatal and the problems brought up by other sanitizers generally
do not have security implications.

The signed integer overflow sanitizer was recently added back to the
kernel and it is default on with just CONFIG_UBSAN=y, meaning that it
gets enabled when merging hardening.config into another configuration.
While this sanitizer does have security implications like the array
bounds sanitizer, work to clean up enough instances to allow this to run
in production environments is still ramping up, which means regular
users and testers may be broken by these instances with
CONFIG_UBSAN_TRAP=y. Disable CONFIG_UBSAN_SIGNED_WRAP in
hardening.config to avoid this situation.

Fixes: 557f8c582a9b ("ubsan: Reintroduce signed overflow sanitizer")
Signed-off-by: Nathan Chancellor
---
 kernel/configs/hardening.config | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config index d6f6dc45628a..4b4cfcba3190 100644 --- a/kernel/configs/hardening.config +++ b/kernel/configs/hardening.config @@ -41,6 +41,7 @@ CONFIG_UBSAN_BOUNDS=y # CONFIG_UBSAN_SHIFT is not set # CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_UNREACHABLE is not set +# CONFIG_UBSAN_SIGNED_WRAP is not set # CONFIG_UBSAN_BOOL is not set # CONFIG_UBSAN_ENUM is not set # CONFIG_UBSAN_ALIGNMENT is not set
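
Review bot: In the @@ -39,11 +39,11 @@ hunk of [PATCH 1/2], the corrected block still carries no comment saying that the trailing 'is not set' is required, so the same omission can recur the next time a sanitizer is added to this list. A bare '# CONFIG_UBSAN_BOOL' line is read as an ordinary comment and the option keeps its default, which is how CONFIG_UBSAN_BOOL=y and CONFIG_UBSAN_ENUM=y survived in the 'before' listing of the commit message; a one-line comment above '# CONFIG_UBSAN_SHIFT is not set' stating the required form would document that. Separately, CONFIG_UBSAN_ALIGNMENT appears in neither config listing in the commit message, so the effect of the last '+' line is not shown there; a short remark on why it is absent would help.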
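
Review bot: In the @@ -41,6 +41,7 @@ hunk of [PATCH 2/2], the added '# CONFIG_UBSAN_SIGNED_WRAP is not set' line has no comment in the fragment explaining why a sanitizer that the commit message says has security implications is turned off. The reason (existing instances not yet cleaned up, and every report being fatal with CONFIG_UBSAN_TRAP=y) is recorded only in the commit message; a short comment above the added line would tell readers of hardening.config that this is a deliberate choice rather than an oversight.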