Re: [PATCH] libata: Annotate struct ata_cpr_log with __counted_by

2023-09-25 Thread Damien Le Moal 
On 2023/09/22 19:52, Kees Cook wrote:
> Prepare for the coming implementation by GCC and Clang of the __counted_by
> attribute. Flexible array members annotated with __counted_by can have
> their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
> (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
> functions).
> 
> As found with Coccinelle[1], add __counted_by for struct ata_cpr_log.
> 
> [1] 
> https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
> 
> Cc: Damien Le Moal 
> Cc: linux-...@vger.kernel.org
> Signed-off-by: Kees Cook 

Applied to for-6.7. Thanks !

-- 
Damien Le Moal
Western Digital Research

Re: [PATCH] riscv: Support RANDOMIZE_KSTACK_OFFSET

2023-11-01 Thread Damien Le Moal 
On 11/1/23 15:44, Song Shuai wrote:
> Inspired from arm64's implement -- commit 70918779aec9
> ("arm64: entry: Enable random_kstack_offset support")
> 
> Add support of kernel stack offset randomization while handling syscall,
> the offset is defaultly limited by KSTACK_OFFSET_MAX() (i.e. 10 bits).
> 
> In order to avoid trigger stack canaries (due to __builtin_alloca) and
> slowing down the entry path, use __no_stack_protector attribute to
> disable stack protector for do_trap_ecall_u() at the function level.
> 
> Signed-off-by: Song Shuai 
> ---
> Testing with randomize_kstack_offset=y cmdline, lkdtm/stack-entropy.sh
> showed appropriate stack offset instead of zero.
> ---
>  arch/riscv/Kconfig|  1 +
>  arch/riscv/kernel/traps.c | 18 +-
>  2 files changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> index d607ab0f7c6d..0e843de33f0c 100644
> --- a/arch/riscv/Kconfig
> +++ b/arch/riscv/Kconfig
> @@ -100,6 +100,7 @@ config RISCV
>   select HAVE_ARCH_KGDB_QXFER_PKT
>   select HAVE_ARCH_MMAP_RND_BITS if MMU
>   select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT
> + select HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
>   select HAVE_ARCH_SECCOMP_FILTER
>   select HAVE_ARCH_THREAD_STRUCT_WHITELIST
>   select HAVE_ARCH_TRACEHOOK
> diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
> index 19807c4d3805..3f869b2d47c3 100644
> --- a/arch/riscv/kernel/traps.c
> +++ b/arch/riscv/kernel/traps.c
> @@ -6,6 +6,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>  #include 
>  #include 
>  #include 
> @@ -296,9 +297,11 @@ asmlinkage __visible __trap_section void 
> do_trap_break(struct pt_regs *regs)
>   }
>  }
>  
> -asmlinkage __visible __trap_section void do_trap_ecall_u(struct pt_regs 
> *regs)
> +asmlinkage __visible __trap_section  __no_stack_protector
> +void do_trap_ecall_u(struct pt_regs *regs)
>  {
>   if (user_mode(regs)) {
> +

White line change.

>   long syscall = regs->a7;
>  
>   regs->epc += 4;
> @@ -308,10 +311,23 @@ asmlinkage __visible __trap_section void 
> do_trap_ecall_u(struct pt_regs *regs)
>  
>   syscall = syscall_enter_from_user_mode(regs, syscall);
>  
> + add_random_kstack_offset();
> +
>   if (syscall >= 0 && syscall < NR_syscalls)
>   syscall_handler(regs, syscall);
>   else if (syscall != -1)
>   regs->a0 = -ENOSYS;
> + /*
> +  * Ultimately, this value will get limited by 
> KSTACK_OFFSET_MAX(),
> +  * so the maximum stack offset is 1k bytes (10 bits).
> +  *
> +  * The actual entropy will be further reduced by the compiler 
> when
> +  * applying stack alignment constraints: 16-byte (i.e. 4-bit) 
> aligned
> +  * for RV32I or RV64I.
> +  *
> +  * The resulting 6 bits of entropy is seen in SP[9:4].
> +  */
> + choose_random_kstack_offset(get_random_u16());
>  
>   syscall_exit_to_user_mode(regs);
>   } else {

-- 
Damien Le Moal
Western Digital Research

Re: [PATCH v2] binfmt_flat: Fix corruption when not offsetting data start

2024-08-07 Thread Damien Le Moal 
On 2024/08/07 12:51, Kees Cook wrote:
> Commit 04d82a6d0881 ("binfmt_flat: allow not offsetting data start")
> introduced a RISC-V specific variant of the FLAT format which does
> not allocate any space for the (obsolete) array of shared library
> pointers. However, it did not disable the code which initializes the
> array, resulting in the corruption of sizeof(long) bytes before the DATA
> segment, generally the end of the TEXT segment.
> 
> Introduce MAX_SHARED_LIBS_UPDATE which depends on the state of
> CONFIG_BINFMT_FLAT_NO_DATA_START_OFFSET to guard the initialization of
> the shared library pointer region so that it will only be initialized
> if space is reserved for it.
> 
> Fixes: 04d82a6d0881 ("binfmt_flat: allow not offsetting data start")
> Co-developed-by: Stefan O'Rear 
> Signed-off-by: Stefan O'Rear 
> Signed-off-by: Kees Cook 

Looks good to me.

Reviewed-by: Damien Le Moal 

-- 
Damien Le Moal
Western Digital Research