| Message ID | 63efd7ab.170a0220.3442b.6609@mx.google.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp32845wrn;
Fri, 17 Feb 2023 11:39:05 -0800 (PST)
X-Google-Smtp-Source:
AK7set/iQKyNI4zfYDXvclZ3QvmLXUYqbR6qiMb9gngIaGx9Bt+SKbpC+FSkoFKJWqLk13m7hnJm
X-Received: by 2002:aa7:97bd:0:b0:5a8:a56c:6144 with SMTP id
d29-20020aa797bd000000b005a8a56c6144mr1256808pfq.19.1676662745345;
Fri, 17 Feb 2023 11:39:05 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1676662745; cv=none;
d=google.com; s=arc-20160816;
b=JW4IzjMp/zsAA+fREAULDFP2C1zQxUjaqa+a1LUHmNcknAwiSkV5MQ+WydCTi9Vnn1
04Cl5PdeHtYo1f1MuGjc8GnSILQDdYtCDdnrCNQPZZdRxzCLdhTochT62oirAbHueE60
ohQpiUxia1LqKXWp/lVEue/RNZoE+v3tQp5iSAJ0UYNjYBlNl6PIbxTzMv6sSl0dCLyB
mNYoro/TE2aOf3y2I0FpaEhLYHxjb8kO3dKN+f5tmlIoIKOyzSJOhfN5Z1Eyz5wAYOn4
MxgwhQAIugXXXfpj5I+IERwY9jvAsReCJ/ZNgrZ0oWecVsiZB91mLHmea8TAAuC7kWgT
KVrg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-disposition:mime-version:subject:cc:to
:from:date:message-id:dkim-signature;
bh=YKKsXZajqAwe6W3hq4W4TjLXNRRTkhvXVuDWAa55fyY=;
b=FAKZrrpzrfDjlTq2ar6j5/wucqOT//vJ/tAFhWjK2NmObMOfdS9EPdh34rIEwEmOYv
cX5nGBZlBPfjcmpy+R+zlx90PO0IHWm+Mce1gJhb1XyJAp2ZWJwY7ztk1IpV8jds+D2h
C0pMdhL7A6H8JXeOj3K1LFcT/0tI2SAUl13WImOVdVipzIEZMqCjRd/e7D0/Wp456EXE
ltzfszwqzSSFm5hA/Qtmv8LIPd7NCpd/7CQXIUouu0TAiFws+VAVmP6DeDGwXNJAfRns
8woG5x1lxpVEP+bhopyz6PtFIx3PtJEoFbjY/w9/3fhK4Rz7pMg3qtrsIzYgrldMuzRd
4K/w==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@chromium.org header.s=google header.b=mUGUUwMm;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
g7-20020a056a00078700b005a86c304ae3si3913992pfu.270.2023.02.17.11.38.52;
Fri, 17 Feb 2023 11:39:05 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@chromium.org header.s=google header.b=mUGUUwMm;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229836AbjBQTiX (ORCPT <rfc822;aimixsaka@gmail.com> + 99 others);
Fri, 17 Feb 2023 14:38:23 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57452 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229570AbjBQTiV (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 17 Feb 2023 14:38:21 -0500
Received: from mail-pj1-x102e.google.com (mail-pj1-x102e.google.com
[IPv6:2607:f8b0:4864:20::102e])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BD5FF5B2EB
for <linux-kernel@vger.kernel.org>;
Fri, 17 Feb 2023 11:38:20 -0800 (PST)
Received: by mail-pj1-x102e.google.com with SMTP id
i10-20020a17090a7e0a00b002341a2656e5so2249044pjl.1
for <linux-kernel@vger.kernel.org>;
Fri, 17 Feb 2023 11:38:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=chromium.org; s=google;
h=content-disposition:mime-version:subject:cc:to:from:date:message-id
:from:to:cc:subject:date:message-id:reply-to;
bh=YKKsXZajqAwe6W3hq4W4TjLXNRRTkhvXVuDWAa55fyY=;
b=mUGUUwMmQdL7yiJ3A/3vV6P1wMLI6SAVScK7i+EWcuQRo+kxjv+fWFNz3IolqSBkyN
1TJHCL6b1B4soEF0g++QCLyyqwBlCRxdR2mQaPTI5y8hDHATNGjB8RcGzcXu4FhSao/5
ZOiQCMyCf4SgpUK4gSE26ZtSsFcC5pmMOIvus=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=content-disposition:mime-version:subject:cc:to:from:date:message-id
:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=YKKsXZajqAwe6W3hq4W4TjLXNRRTkhvXVuDWAa55fyY=;
b=ko0rOoeuUj+1Y0u/zJeYxBGIc6P3IJHC0GuDrFdAmFNhYhSaBf1zNErv4gFbAVLCT9
aWGVJtyJAF78lKdZyweL8p62n0+RUk/p31lhsDo/U1NXedaKUgBUmypIq4nnSTX5G85g
DkEK3Tl24td5JbSwhB/spgLAdTObtdI+lZ7nlYWxWM9LCoAjvjPIerDGSMjb2Z2YRJwT
U9JZHL7U7mAUTTFsaibErM4T3t8s+rAAWebkTIJuN87ZNjr3d+qYsRKKjHwv2HzWuK4V
5jJgfxSp5ZvLowAmzA+fuyOTmRIForFwm5j+LwwtUVYMixa6GjAtiNuH+5JEeWf4sM2o
sp7g==
X-Gm-Message-State: AO0yUKXdnMZuKm3sfSAZq+gakB1o9FwDW+jzq8KPvEAAb9IjtPdY1jmQ
P+dB5HZdMAVvfYL0d1wjPIs63g==
X-Received: by 2002:a17:90b:1bd2:b0:233:c3e7:bd3b with SMTP id
oa18-20020a17090b1bd200b00233c3e7bd3bmr1501084pjb.10.1676662700260;
Fri, 17 Feb 2023 11:38:20 -0800 (PST)
Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net.
[198.0.35.241])
by smtp.gmail.com with ESMTPSA id
s2-20020a17090a764200b00230e2b6f89esm3241765pjl.12.2023.02.17.11.38.19
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 17 Feb 2023 11:38:19 -0800 (PST)
Message-ID: <63efd7ab.170a0220.3442b.6609@mx.google.com>
X-Google-Original-Message-ID: <202302171129.@keescook>
Date: Fri, 17 Feb 2023 11:38:18 -0800
From: Kees Cook <keescook@chromium.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org,
Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com>,
Sam James <sam@gentoo.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Eric Biggers <ebiggers@kernel.org>,
Stephen Rothwell <sfr@canb.auug.org.au>,
linux-hardening@vger.kernel.org
Subject: [GIT PULL] hardening updates for v6.3-rc1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1758108315028011625?=
X-GMAIL-MSGID: =?utf-8?q?1758108315028011625?=
|
| Series |
[GIT,PULL] hardening updates for v6.3-rc1
|
|
Pull-request
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.3-rc1Message
Kees Cook
Feb. 17, 2023, 7:38 p.m. UTC
Hi Linus,
Please pull these hardening updates for v6.3-rc1. Beyond some specific
LoadPin, UBSAN, and fortify features, there are other fixes scattered
around in various subsystems where maintainers were okay with me carrying
them in my tree or were non-responsive but the patches were reviewed
by others.
Thanks!
-Kees
The following changes since commit be0d8f48ad97f5b775b0af3310343f676dbf318a:
bcache: Silence memcpy() run-time false positive warnings (2023-01-25 12:24:50 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.3-rc1
for you to fetch changes up to 78f7a3fd6dc66cb788c21d7705977ed13c879351:
randstruct: disable Clang 15 support (2023-02-08 15:26:58 -0800)
----------------------------------------------------------------
hardening updates for v6.3-rc1
- Replace 0-length and 1-element arrays with flexible arrays in various
subsystems (Paulo Miguel Almeida, Stephen Rothwell, Kees Cook)
- randstruct: Disable Clang 15 support (Eric Biggers)
- GCC plugins: Drop -std=gnu++11 flag (Sam James)
- strpbrk(): Refactor to use strchr() (Andy Shevchenko)
- LoadPin LSM: Allow root filesystem switching when non-enforcing
- UBSAN: Improve arm64 trap code reporting
- fortify: Use dynamic object size hints when available
- ext4: Fix CFI function prototype mismatch
- Nouveau: Fix DP buffer size arguments
- hisilicon: Wipe entire crypto DMA pool on error
- coda: Fully allocate sig_inputArgs
- copy_struct_from_user(): Add minimum bounds check on kernel buffer size
----------------------------------------------------------------
Andy Shevchenko (1):
lib/string: Use strchr() in strpbrk()
Eric Biggers (1):
randstruct: disable Clang 15 support
Kees Cook (15):
fortify: Use __builtin_dynamic_object_size() when available
ARM: ixp4xx: Replace 0-length arrays with flexible arrays
LoadPin: Refactor read-only check into a helper
LoadPin: Refactor sysctl initialization
LoadPin: Move pin reporting cleanly out of locking
LoadPin: Allow filesystem switch when not enforcing
drm/nouveau/disp: Fix nvif_outp_acquire_dp() argument size
ext4: Fix function prototype mismatch for ext4_feat_ktype
io_uring: Replace 0-length array with flexible array
net/i40e: Replace 0-length array with flexible array
crypto: hisilicon: Wipe entire pool on error
Merge branch 'for-linus/hardening' into for-next/hardening
coda: Avoid partial allocation of sig_inputArgs
arm64: Support Clang UBSAN trap codes for better reporting
uaccess: Add minimum bounds check on kernel buffer size
Paulo Miguel Almeida (1):
i915/gvt: Replace one-element array with flexible-array member
Sam James (1):
gcc-plugins: drop -std=gnu++11 to fix GCC 13 build
Stephen Rothwell (1):
rxrpc: replace zero-lenth array with DECLARE_FLEX_ARRAY() helper
arch/arm64/include/asm/brk-imm.h | 3 +
arch/arm64/kernel/traps.c | 21 +++++++
drivers/crypto/hisilicon/sgl.c | 3 +-
drivers/gpu/drm/i915/gvt/firmware.c | 4 +-
drivers/gpu/drm/nouveau/include/nvif/outp.h | 3 +-
drivers/gpu/drm/nouveau/nvif/outp.c | 2 +-
drivers/misc/lkdtm/heap.c | 1 +
drivers/net/ethernet/intel/i40e/i40e.h | 2 +-
drivers/soc/ixp4xx/ixp4xx-npe.c | 6 +-
fs/coda/upcall.c | 2 +-
fs/ext4/sysfs.c | 7 ++-
include/linux/compiler_attributes.h | 5 ++
include/linux/fortify-string.h | 7 +++
include/linux/uaccess.h | 4 ++
include/linux/ubsan.h | 9 +++
include/uapi/linux/io_uring.h | 2 +-
lib/Makefile | 2 -
lib/string.c | 10 ++--
lib/ubsan.c | 68 ++++++++++++++++++++++
lib/ubsan.h | 32 +++++++++++
net/rxrpc/ar-internal.h | 2 +-
scripts/gcc-plugins/Makefile | 2 +-
security/Kconfig.hardening | 3 +
security/loadpin/loadpin.c | 89 +++++++++++++++++------------
24 files changed, 229 insertions(+), 60 deletions(-)
create mode 100644 include/linux/ubsan.h
Comments
On Fri, Feb 17, 2023 at 11:38 AM Kees Cook <keescook@chromium.org> wrote: > > Please pull these hardening updates for v6.3-rc1. So I've pulled this, but while looking at it, I see commit 5c0f220e1b2d ("Merge branch 'for-linus/hardening' into for-next/hardening"). And that one-liner shortlog part is literally the whole commit message. I've said this before, and apparently I need to say this again: if you cannot be bothered to explain *WHY* a merge exists, then that merge is buggy garbage by definition. This really should be a rule that every single developer should take to heart. I'm not just putting random words together in a random order. I repeat: if you cannot explain a merge, then JUST DON'T DO IT. It's really that simple. There is absolutely *NEVER* an excuse for merges without explaining why those merges exist. In this case, I really think that merge should not have existed at all, and the lack of explanation is because there *IS* no explanation for it. But if there was a reason for it, then just state it, dammit, and make that merge commit look sensible. Because right now it just looks entirely pointless. And I literally *detest* pointless merges. They only make the history look worse and harder to read. Linus
The pull request you sent on Fri, 17 Feb 2023 11:38:18 -0800:
> https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.3-rc1
has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/4a7d37e824f57dbace61abf62f53843800bd245c
Thank you!
On February 21, 2023 11:16:33 AM PST, Linus Torvalds <torvalds@linux-foundation.org> wrote: >On Fri, Feb 17, 2023 at 11:38 AM Kees Cook <keescook@chromium.org> wrote: >> >> Please pull these hardening updates for v6.3-rc1. > >So I've pulled this, but while looking at it, I see commit >5c0f220e1b2d ("Merge branch 'for-linus/hardening' into >for-next/hardening"). > >And that one-liner shortlog part is literally the whole commit message. > >I've said this before, and apparently I need to say this again: if you >cannot be bothered to explain *WHY* a merge exists, then that merge is >buggy garbage by definition. Okay, understood. This was a merge of the fixes for v6.2. I'll explain that more clearly in the log from now on. :) -Kees
On Tue, Feb 21, 2023 at 11:49 AM Kees Cook <kees@kernel.org> wrote: > > >I've said this before, and apparently I need to say this again: if you > >cannot be bothered to explain *WHY* a merge exists, then that merge is > >buggy garbage by definition. > > Okay, understood. This was a merge of the fixes for v6.2. I'll explain that more clearly in the log from now on. :) So I really want people to document their merges, not just so that I (and others) can see "oh, that's why it exists at all", but also because I want to make people think about their merges more in general. For example, one reason why people do these kinds of merges is because they are starting to do some new development for the next release, and that new development then depends on fixes or infrastructure that they had in another branch (like a "for-linus" branch in case of fixes). So then they - mindlessly - just do a "git merge that-branch" and the end result looks very much like what you sent me. In a slightly better world, they then actually write an explanatory commit message for that merge, knowing that I ask for them, and the merge commit message ends up being exactly that kind of slightly odd "Now I'm starting a new thing that depends on the fixes I already sent upstream, so I'm merging that branch" Which while certainly better than no explanation at all sounds a bit odd, doesn't it? Yeah, add a few details on just what you depend on and why, and it gets much better, but it's all going to be a bit hand-wavy about future work that you haven't even written yet. And *that* will them maybe make you then go "Ahh, I'm doing things wrong". Because the "nice git way" to do that kind of thing is to actually realize "oh, I'm starting new work that depends on the fixes I already sent upstram, so I should just make a new topic branch and start at that point that I needed". And then - once you've done all the "new work" that depended on that state, only at *THAT* point do you merge the topic branch. And look - you have exactly the same commits: you have one (or more) normal commits that implement the new feature, and you have one merge commit, but notice how much easier it is to write the explanation for the merge when you do it *after* the work. Instead of having to waffle about "future work depends on this feature that was in another branch, so I'm merging this branch", your merge commit now makes *sense*. You're not merging some old state in order to create new features, you are literally just merging the completed new feature. So *this* is one reason I want people to really think about, and explain, their merges. Because it may be that having to explain it makes you go "Oh, I'm doing this wrong". Now, in your case, I don't actually think you needed that merge for any "future new work" at all. I think you just randomly did a merge to just get the same warning fixes that you had already sent me. So in this case, it smells like the merge was just entirely superfluous. Those kinds of superfluous merges can be ok - it's just annoying to have a development branch that still shows some artifact that you already fixed elsewhere. But they still need the explanation. And for that case, I want the explanation partly to make it clear that you really *thought* about it, and partly just so that I can see why you did it. Because we have a very real history where people did mindless daily back-merges like this "just because" with absolutely no rhyme or reason, just because they wanted to start each day with the most recent base, and it really gets very ugly. The development history can go from a DAG that actually visualizes the different development streams nicely to a spider-net maze of inexplicable merges very quickly. Linus