unction 'qcom_glink_work':
drivers/rpmsg/qcom_glink_native.c:36:5: note: subobject 'data' declared here
36 | u8 data[];
| ^~~~
[1]
https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings
Signed-off-by: Kees Cook
---
driv
Hi,
This patch series (based on next-20210726) implements stricter (no struct
member overflows) bounds checking for memcpy(), memmove(), and memset()
under CONFIG_FORTIFY_SOURCE. To quote a later patch in the series:
tl;dr: In order to eliminate a large class of common buffer overflow
fla
64 to be zero-filled to avoid
undefined behavior.
Fixes: 378e3f81cb56 ("media: omap3isp: support 64-bit version of
omap3isp_stat_data")
Signed-off-by: Kees Cook
---
drivers/media/platform/omap3isp/ispstat.c | 5 +--
include/uapi/linux/omap3isp.h | 44 +--
g presence bitmaps and arguments.
Additionally improve readability in the iterator code which walks
through the bitmaps and arguments.
Signed-off-by: Kees Cook
---
include/net/ieee80211_radiotap.h | 24
net/mac80211/rx.c| 2 +-
net/wireless/radiotap.c
return -EINVAL;
memcpy(&dst.thing, &src.thing, length);
do_something(dst.three);
There are some rare cases where the resulting struct_group() needs
attributes added, so struct_group_attr() is also introduced to allow
for specifying struct attributes (e.g. __ali
ct code changes (i.e. only source
line number induced differences and optimizations).
Signed-off-by: Kees Cook
---
drivers/staging/rtl8723bs/core/rtw_security.c | 5 +++--
drivers/staging/rtl8723bs/core/rtw_xmit.c | 5 +++--
include/linux/ieee80211.h | 8 ++
to struct
libipw_qos_information_element.
Additionally corrects the size in libipw_read_qos_param_element() as
it was testing the wrong structure size (it should have been struct
libipw_qos_information_element, not struct libipw_qos_parameter_info).
Signed-off-by: Kees Cook
---
drivers/net/wireless/intel/ipw2x00/libipw
object code changes.
Signed-off-by: Kees Cook
---
drivers/net/wireless/marvell/libertas_tf/libertas_tf.h | 10 ++
drivers/net/wireless/marvell/libertas_tf/main.c| 3 ++-
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/marvell/libertas_tf/libe
"objdump -d" shows no object code changes.
Signed-off-by: Kees Cook
---
drivers/net/wireless/marvell/mwl8k.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwl8k.c
b/drivers/net/wireless/marvell/mwl8k.c
index 3bf6571f4149..a2927
induced differences and
optimizations).
Signed-off-by: Kees Cook
---
drivers/net/ethernet/mellanox/mlx5/core/en.h | 4 ++--
drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c | 4 +++-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h
b/
induced differences and optimizations).
Signed-off-by: Kees Cook
---
.../staging/rtl8192u/ieee80211/ieee80211.h| 24 +++
.../rtl8192u/ieee80211/ieee80211_crypt_ccmp.c | 3 ++-
.../staging/rtl8192u/ieee80211/ieee80211_rx.c | 8 +++
3 files changed, 20 insertions(+), 1
the fortify routines have been rearranged.
Update the Kconfig to reflect the reality of the current situation.
Signed-off-by: Kees Cook
---
security/Kconfig | 3 +++
1 file changed, 3 insertions(+)
diff --git a/security/Kconfig b/security/Kconfig
index 0ced7fd33e4d..8f0e675e70a4 100644
--- a
(on some architectures). Make this deterministic
by explicitly setting __NO_FORTIFY and move all the helper functions
into string_helpers.c so that they gain the fortification coverage they
had been missing.
Signed-off-by: Kees Cook
---
arch/s390/lib/string.c | 3 +
arch/x86/lib/string_32.c
. This will allow memcpy() and sizeof()
to more easily reason about sizes, improve readability, and avoid future
warnings about writing beyond the end of imm_data.
"pahole" shows no size nor member offset changes to struct rss_hdr.
"objdump -d" shows no object code changes.
Sign
is requires
that any FORTIFY helper function prototypes be conditionally built to
avoid "no prototype" warnings. Additionally removes unused helpers.
Signed-off-by: Kees Cook
---
include/linux/fortify-string.h | 7 +++
include/linux/string.h | 9 -
lib/string_helpers.c
shows no meaningful object
code changes (i.e. only source line number induced differences.)
Signed-off-by: Kees Cook
---
drivers/hid/hid-cp2112.c | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c
index 477baa
Desaulniers
Signed-off-by: Kees Cook
---
include/linux/compiler-gcc.h | 2 --
include/linux/compiler_types.h | 4
include/linux/thread_info.h| 2 +-
3 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index cb9217fc60af
aningful object code changes (i.e. only source
line number induced differences and optimizations).
Signed-off-by: Kees Cook
---
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 4 ++--
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.h | 14 --
2 files changed, 10 insertions(+), 8 deleti
() to correctly reason about the size.
"objdump -d" shows no object code changes.
Signed-off-by: Kees Cook
---
drivers/staging/rtl8723bs/core/rtw_mlme.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme.c
b/drivers/staging/rtl8
wire it up as
a dummy dependency to lib/string.o, collecting the results into a log
file artifact.
Signed-off-by: Kees Cook
---
lib/.gitignore | 2 +
lib/Makefile| 30 ++
lib/test_fortify/read_overflow-memchr.c | 5 ++
" shows no size nor member offset changes to struct
rtllib_hdr_4addr nor struct rtllib_qos_information_element. "objdump -d"
shows no meaningful object code changes (i.e. only source line number
induced differences and optimizations).
Signed-off-by: Kees Cook
---
drivers/stagi
ruct group
sizes.
Signed-off-by: Kees Cook
---
drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c | 7 ---
drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h | 14 ++
2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.
rting point
of zeroing through the end of the struct.
Signed-off-by: Kees Cook
---
fs/btrfs/root-tree.c | 5 +
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/fs/btrfs/root-tree.c b/fs/btrfs/root-tree.c
index 702dc5441f03..ec9e78f65fca 100644
--- a/fs/btrfs/root-tree.c
+++ b/fs/btrfs
differences and optimizations.)
Signed-off-by: Kees Cook
---
drivers/net/wireguard/queueing.h | 4 +---
include/linux/skbuff.h | 9 -
net/core/skbuff.c| 14 +-
3 files changed, 10 insertions(+), 17 deletions(-)
diff --git a/drivers/net/wire
nges.
Signed-off-by: Kees Cook
---
drivers/net/wireless/marvell/libertas/host.h | 10 ++
drivers/net/wireless/marvell/libertas/tx.c | 5 +++--
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/marvell/libertas/host.h
b/drivers/net/wireless/marvell/l
together. This will allow memcpy()
and sizeof() to more easily reason about sizes, improve readability,
and avoid future warnings about writing beyond the end of h_dest.
"pahole" shows no size nor member offset changes to struct vlan_ethhdr.
"objdump -d" shows no object code changes.
This enables the run-time checking of dynamic memcpy() and memmove()
lengths, issuing a WARN when a write would exceed the size of the
target field.
Signed-off-by: Kees Cook
---
include/linux/fortify-string.h | 18 +++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git
itly redefined local to the header.
Signed-off-by: Kees Cook
---
drivers/gpu/drm/mga/mga_ioc32.c | 30 ++
include/uapi/drm/mga_drm.h | 37 -
2 files changed, 44 insertions(+), 23 deletions(-)
diff --git a/drivers/gpu/drm/mga/mga_ioc32
rting point
of zeroing through the end of the struct.
Signed-off-by: Kees Cook
---
net/802/hippi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/802/hippi.c b/net/802/hippi.c
index f80b33a8f7e0..00fb4b16 100644
--- a/net/802/hippi.c
+++ b/net/802/hippi.c
@@ -65,7
no meaningful object code changes (i.e. only source
line number induced differences.)
Note that since this is a UAPI header, struct_group() has been open
coded.
Signed-off-by: Kees Cook
---
include/net/flow.h| 6 --
include/uapi/linux/if_ether.h | 12 ++--
include/uapi/l
will allow memcpy() and sizeof()
to more easily reason about sizes, improve readability, and avoid future
warnings about writing beyond the end of ext.
"pahole" shows no size nor member offset changes to struct ivhd_entry.
"objdump -d" shows no object code changes.
Sign
line number induced differences).
Signed-off-by: Kees Cook
---
.../intel/int340x_thermal/acpi_thermal_rel.c | 5 +-
.../intel/int340x_thermal/acpi_thermal_rel.h | 48 ++-
2 files changed, 29 insertions(+), 24 deletions(-)
diff --git a/drivers/thermal/intel/int340x_thermal/acpi_ther
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring fields.
Add struct_group() to mark region of struct mlx5_ib_mr that should be
initialized to zero.
Signed-off-by: Kees Cook
---
drivers
rting point
of zeroing through the end of the struct.
Signed-off-by: Kees Cook
---
The old code seems to be doing the wrong thing: starting from not the
first member, but sized for the whole struct. Which is correct?
---
drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +-
1 file changed, 1 inse
rting point
of zeroing through the end of the struct.
Signed-off-by: Kees Cook
---
net/dccp/trace.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/dccp/trace.h b/net/dccp/trace.h
index 5062421beee9..3c2594da49fc 100644
--- a/net/dccp/trace.h
+++ b/net/dccp/trace.h
@@
rting point
of zeroing through the end of the struct. Additionally, since everything
appears to perform a roundup (including allocation), just change the
size of the struct itself and add a build-time check to validate the
expected size.
Signed-off-by: Kees Cook
---
drivers/infiniband/hw/cxgb4
the last struct
member. There is no change to the resulting machine code.
Signed-off-by: Kees Cook
---
net/xfrm/xfrm_policy.c | 4 +---
net/xfrm/xfrm_user.c | 2 +-
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 37d17a79617
rting point
of zeroing through the end of the struct.
Note that the common helper, ieee80211_tx_info_clear_status(), does NOT
clear ack_signal, but the open-coded versions do. All three perform
checks that the ack_signal position hasn't changed, though.
Signed-off-by: Kees Cook
---
Should the
rting point
of zeroing through the end of the struct. Additionally split up a later
field-spanning memset() so that memset() can reason about the size.
Signed-off-by: Kees Cook
---
drivers/net/wireless/ath/ath11k/hal_rx.c | 13 ++---
1 file changed, 6 insertions(+), 7 deletions(-)
diff --
To avoid a run-time false positive in the stricter FORTIFY_SOURCE
memcpy() checks, split the memcpy() into the struct and the data.
Additionally switch the data member to a flexible array to follow
modern language conventions.
Signed-off-by: Kees Cook
---
drivers/net/wireless/intel/iwlwifi/fw
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring fields.
Add struct_group() to mark region of struct rt6_info that should be
initialized to zero.
Signed-off-by: Kees Cook
---
include/net
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring fields.
Add struct_group() to mark region of struct kone_mouse_event that should
be initialized to zero.
Signed-off-by: Kees Cook
Signed-off-by: Kees Cook
---
Makefile | 1 -
1 file changed, 1 deletion(-)
diff --git a/Makefile b/Makefile
index 6f781a199624..77d01ba3d4e1 100644
--- a/Makefile
+++ b/Makefile
@@ -1089,7 +1089,6 @@ KBUILD_CFLAGS += $(call cc-disable-warning,
stringop-truncation)
# We'll want to enable
() call.
Signed-off-by: Kees Cook
---
net/ethtool/stats.c | 15 +++
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/net/ethtool/stats.c b/net/ethtool/stats.c
index ec07f5765e03..a20e0a24ff61 100644
--- a/net/ethtool/stats.c
+++ b/net/ethtool/stats.c
@@ -14,10 +14,12 @@ struct
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring fields.
Add struct_group() to mark region of struct x86_emulate_ctxt that should
be initialized to zero.
Signed-off-by: Kees Cook
---
arch
takes the target struct instance, the byte to
write, and the member name after which the zeroing should start.
Signed-off-by: Kees Cook
---
include/linux/string.h | 12
lib/test_memcpy.c | 12
2 files changed, 24 insertions(+)
diff --git a/include/linux/string.h b
zero,
allowing memset() to correctly reason about the size of the write.
Signed-off-by: Kees Cook
---
include/net/netfilter/nf_conntrack.h | 20 ++--
net/netfilter/nf_conntrack_core.c| 4 +---
2 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/include/net
mp -d" shows no object code changes.
Signed-off-by: Kees Cook
---
drivers/net/ethernet/chelsio/cxgb4/sge.c | 8 +---
drivers/net/ethernet/chelsio/cxgb4/t4fw_api.h | 10 ++
drivers/net/ethernet/chelsio/cxgb4vf/sge.c| 7 ++-
3 files changed, 13 insertions(+), 12 dele
GCC builds, but allows Clang to finally gain full
FORTIFY coverage.
However, because of a third bug which had no work-arounds, FORTIFY_SOURCE
will only work with Clang version 13 and later. Update the Kconfig to
reflect the new requirements.
Signed-off-by: Kees Cook
---
include/linux/fortif
's what is being wiped.
Signed-off-by: Kees Cook
---
drivers/scsi/ibmvscsi/ibmvscsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c
index e6a3eaaa57d9..7e8beb42d2d3 100644
--- a/drivers/scsi/ibmvscsi/ibmvs
memcpy() warning:
memcpy: detected field-spanning write (size 32) of single field (size 16)
Signed-off-by: Kees Cook
---
include/uapi/linux/netlink.h | 1 +
net/netlink/af_netlink.c | 4 +++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/netlink.h b
first member.
"pahole" shows no size nor member offset changes to any structs.
"objdump -d" shows no object code changes.
Signed-off-by: Kees Cook
---
drivers/gpu/drm/amd/include/atomfirmware.h | 9 -
.../gpu/drm/amd/pm/inc/smu11_driver_if_arcturus.h|
x_tx_frame. "objdump -d" shows no object code changes.
Signed-off-by: Kees Cook
---
drivers/net/wireless/intersil/hostap/hostap_hw.c | 5 +++--
drivers/net/wireless/intersil/hostap/hostap_wlan.h | 14 --
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/drivers/n
rting point
of zeroing through the end of the struct.
Signed-off-by: Kees Cook
---
drivers/hwtracing/intel_th/msu.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/hwtracing/intel_th/msu.c b/drivers/hwtracing/intel_th/msu.c
index 432ade0842f6..f3e266b0756c 100644
x_tx_frame. "objdump -d" shows no meaningful object code changes
(i.e. only source line number induced differences.)
Signed-off-by: Kees Cook
---
drivers/staging/wlan-ng/hfa384x.h | 16 +---
drivers/staging/wlan-ng/hfa384x_usb.c | 4 +++-
2 files changed, 12 insertions(+),
As done for memcpy(), also update memmove() to use the same tightened
compile-time checks under CONFIG_FORTIFY_SOURCE.
Signed-off-by: Kees Cook
---
arch/x86/boot/compressed/misc.c | 3 ++-
arch/x86/lib/memcpy_32.c | 1 +
include/linux/fortify-string.h
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring fields.
Add struct_group() to mark region of struct journal_sector that should be
initialized to zero.
Signed-off-by: Kees Cook
---
drivers
Before changing anything about memcpy(), memmove(), and memset(), add
run-time tests to check basic behaviors for any regressions.
Signed-off-by: Kees Cook
---
lib/Kconfig.debug | 3 +
lib/Makefile | 1 +
lib/test_memcpy.c | 285 ++
3 files
all where the compiler cannot see the true type. In
theory, greater static analysis could catch these.
[0] https://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
[1] https://git.kernel.org/linus/6a39e62abbafd1d58d1722f40c7d26ef379c6a2f
Signed-off-by: Kees Cook
---
include/linux/fortify-string.h
.
Signed-off-by: Kees Cook
---
drivers/macintosh/smu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/macintosh/smu.c b/drivers/macintosh/smu.c
index 94fb63a7b357..59ce431da7ef 100644
--- a/drivers/macintosh/smu.c
+++ b/drivers/macintosh/smu.c
@@ -848,7 +848,8 @@ int
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring fields.
Add struct_group() to mark region of struct cm4000_dev that should be
initialized to zero.
Signed-off-by: Kees Cook
---
drivers/char
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring fields.
Add struct_group() to mark region of struct trace_iterator that should
be initialized to zero.
Signed-off-by: Kees Cook
---
include
rting point
of zeroing through the end of the struct.
Signed-off-by: Kees Cook
---
drivers/infiniband/hw/mthca/mthca_mr.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/mthca/mthca_mr.c
b/drivers/infiniband/hw/mthca/mthca_mr.c
index ce0e0867e488..64adba5
As done for memcpy(), also update memset() to use the same tightened
compile-time bounds checking under CONFIG_FORTIFY_SOURCE.
Signed-off-by: Kees Cook
---
include/linux/fortify-string.h| 54 ---
.../write_overflow_field-memset.c | 5 ++
2 files
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring fields.
Add a struct_group() for the algs so that memset() can correctly reason
about the size.
Signed-off-by: Kees Cook
---
drivers/block
On Tue, Jul 27, 2021 at 02:18:58PM -0700, Nathan Chancellor wrote:
> On 7/27/2021 1:58 PM, Kees Cook wrote:
> > Clang has never correctly compiled the FORTIFY_SOURCE defenses due to
> > a couple bugs:
> >
> > Eliding inlines with matching __builtin_* names
>
On Tue, Jul 27, 2021 at 04:31:03PM -0700, Bart Van Assche wrote:
> On 7/27/21 1:58 PM, Kees Cook wrote:
> > +static int __init test_memcpy_init(void)
> > +{
> > + int err = 0;
> > +
> > + err |= test_memcpy();
> > + err |= test_memmove();
> > +
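Review bot: In test_memcpy_init(), `err |= test_memcpy();` followed by `err |= test_memmove();` combines the two results bitwise, so if both helpers fail with different non-zero codes the final value of err matches neither of them. If the result is meant to be returned as an errno from the init function, keep the first failure instead (for example, only assign when err is still 0), or document that err is used purely as a pass/fail flag.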
On Tue, Jul 27, 2021 at 03:43:27PM -0700, Nick Desaulniers wrote:
> On Tue, Jul 27, 2021 at 2:17 PM Kees Cook wrote:
> >
> > To accelerate the review of potential run-time false positives, it's
> > also worth noting that it is possible to partially automate checki
On Tue, Jul 27, 2021 at 07:55:46PM -0500, Gustavo A. R. Silva wrote:
> On Tue, Jul 27, 2021 at 01:57:52PM -0700, Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memcpy(), memmove(), and memset(), avoid
>
> Instead of writing beyond the end of evt_struct->iu.srp.cmd, target the
> > upper union (evt_struct->iu.srp) instead, as that's what is being wiped.
> >
> > Signed-off-by: Kees Cook
>
> Orthogonal to your change, it wasn't immediately obvious to me
because struct_group() can not be used here? Still feels odd to see
> in a userspace-visible header.
Yeah, there is some inconsistency here. I will clean this up for v2.
Is there a place we can put kernel-specific macros for use in UAPI
headers? (I need to figure out where things like __kernel_size_t get
defined...)
--
Kees Cook
On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote:
> On Tue, Jul 27, 2021 at 01:57:53PM -0700, Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memcpy(), memmove(), and memset(), avoid
> >
>
> The recommended practice is to always use unsigned types for shifts, so
> "1U << ..." at least.
Ah, good catch! I think just using BIT() is the right replacement here,
yes? I suppose that should be a separate patch.
--
Kees Cook
On Wed, Jul 28, 2021 at 11:42:15AM +0200, David Sterba wrote:
> On Tue, Jul 27, 2021 at 01:58:38PM -0700, Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memset(), avoid intentionally writing across
> >
On Wed, Jul 28, 2021 at 12:54:18PM +0200, Rasmus Villemoes wrote:
> On 27/07/2021 22.57, Kees Cook wrote:
>
> > In order to have a regular programmatic way to describe a struct
> > region that can be used for references and sizing, can be examined for
> > bounds checking
On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote:
> On Tue, Jul 27, 2021 at 01:57:53PM -0700, Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memcpy(), memmove(), and memset(), avoid
> >
On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote:
> On Tue, Jul 27, 2021 at 01:57:53PM -0700, Kees Cook wrote:
> > [...]
> > - /**
> > -* @it_present: (first) present word
> > -*/
> > - __le32 it_present;
> > + union {
> > +
On Wed, Jul 28, 2021 at 01:24:01PM +0200, Rasmus Villemoes wrote:
> On 28/07/2021 07.49, Greg Kroah-Hartman wrote:
> > On Tue, Jul 27, 2021 at 01:58:53PM -0700, Kees Cook wrote:
> >> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> >> field
On Wed, Jul 28, 2021 at 07:49:46AM +0200, Greg Kroah-Hartman wrote:
> On Tue, Jul 27, 2021 at 01:58:53PM -0700, Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memcpy(), memmove(), and memset(), avoid
>
On Wed, Jul 28, 2021 at 02:45:55PM -0700, Bart Van Assche wrote:
> On 7/27/21 1:58 PM, Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memset(), avoid intentionally writing across
> > neighboring f
On Wed, Jul 28, 2021 at 01:19:59PM +0200, Rasmus Villemoes wrote:
> On 27/07/2021 22.58, Kees Cook wrote:
>
> > At its core, FORTIFY_SOURCE uses the compiler's __builtin_object_size()
> > internal[0] to determine the available size at a target address based on
> > the
the pattern of
basic initializers, which makes sense given the behavior of initializers
and direct assignment tests above. e.g.:
obj = (type){ .member = ... };
stackinit: small_hole_assigned_static_partial ok
stackinit: small_hole_assigned_dynamic_partial ok
stackinit: big_hole_assigned_dynamic_partial ok
stackinit: big_hole_assigned_static_partial ok
stackinit: trailing_hole_assigned_dynamic_partial ok
stackinit: trailing_hole_assigned_static_partial ok
stackinit: small_hole_assigned_static_all FAIL (uninit bytes: 3)
stackinit: small_hole_assigned_dynamic_all FAIL (uninit bytes: 3)
stackinit: big_hole_assigned_static_all FAIL (uninit bytes: 124)
stackinit: big_hole_assigned_dynamic_all FAIL (uninit bytes: 124)
stackinit: trailing_hole_assigned_dynamic_all FAIL (uninit bytes: 7)
stackinit: trailing_hole_assigned_static_all FAIL (uninit bytes: 7)
So, yeah, it's not very stable.
-Kees
[1] https://gcc.gnu.org/pipermail/gcc-patches/2021-July/576341.html
--
Kees Cook
On Thu, Jul 29, 2021 at 12:45:47PM +0200, David Sterba wrote:
> On Wed, Jul 28, 2021 at 02:54:52PM -0700, Kees Cook wrote:
> > On Wed, Jul 28, 2021 at 11:23:23AM +0200, David Sterba wrote:
> > > On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote:
> >
void *ptr;
};
These are fine:
struct foo ok1 = { };
struct foo ok2 = { .flag = 7 };
struct foo ok3 = { .ptr = NULL };
This is not:
struct foo bad = { .flag = 7, .ptr = NULL };
(But, of course, it depends on padding size, compiler version, and
architecture. i.e. things remain unreliable.)
--
Kees Cook
On Fri, Jul 30, 2021 at 10:08:03AM -0700, Nick Desaulniers wrote:
> On Fri, Jul 30, 2021 at 9:44 AM Kees Cook wrote:
> >
> > On Fri, Jul 30, 2021 at 12:00:54PM +0300, Dan Carpenter wrote:
> > > On Fri, Jul 30, 2021 at 10:38:45AM +0200, David Sterba wrote:
> > > >
On Fri, Jul 30, 2021 at 10:19:20PM +, Williams, Dan J wrote:
> On Wed, 2021-07-28 at 14:59 -0700, Kees Cook wrote:
> > On Wed, Jul 28, 2021 at 12:54:18PM +0200, Rasmus Villemoes wrote:
> > > On 27/07/2021 22.57, Kees Cook wrote:
> > >
> > > > In orde
On Thu, Jul 29, 2021 at 02:11:27PM +0200, Daniel Vetter wrote:
> On Wed, Jul 28, 2021 at 07:56:40AM +0200, Greg Kroah-Hartman wrote:
> > On Tue, Jul 27, 2021 at 01:58:16PM -0700, Kees Cook wrote:
> > > In preparation for FORTIFY_SOURCE performing compile-time and run-time
On Thu, Jul 29, 2021 at 11:58:50AM -0700, Jakub Kicinski wrote:
> On Tue, 27 Jul 2021 13:58:45 -0700 Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memset(), avoid intentionally writing across
> >
On Sat, Jul 31, 2021 at 07:24:44AM +0200, Rasmus Villemoes wrote:
> On Sat, Jul 31, 2021, 04:59 Kees Cook wrote:
>
> > On Fri, Jul 30, 2021 at 10:19:20PM +, Williams, Dan J wrote:
> > > On Wed, 2021-07-28 at 14:59 -0700, Kees Cook wrote:
> >
> > > /**
On Thu, Jul 29, 2021 at 12:33:37PM +0200, David Sterba wrote:
> On Wed, Jul 28, 2021 at 02:56:31PM -0700, Kees Cook wrote:
> > On Wed, Jul 28, 2021 at 11:42:15AM +0200, David Sterba wrote:
> > > On Tue, Jul 27, 2021 at 01:58:38PM -0700, Kees Cook wrote:
> > > > In
On Tue, Jul 27, 2021 at 01:58:30PM -0700, Kees Cook wrote:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field bounds checking for memset(), avoid intentionally writing across
> neighboring fields.
>
> Use memset_after() so memset() doesn't get co
On Tue, Jul 27, 2021 at 01:58:33PM -0700, Kees Cook wrote:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field bounds checking for memset(), avoid intentionally writing across
> neighboring fields.
>
> Use memset_after() so memset() doesn't get co
On Mon, Aug 02, 2021 at 02:29:28PM +, Shai Malin wrote:
>
> On Tue, Jul 31, 2021 at 07:07:00PM -0300, Kees Cook wrote:
> > On Tue, Jul 27, 2021 at 01:58:33PM -0700, Kees Cook wrote:
> > > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> >
Avoid leaving a hanging pre-allocated clock_info if last mode is
invalid, and avoid heap corruption if no valid modes are found.
Fixes: 6991b8f2a319 ("drm/radeon/kms: fix segfault in pm rework")
Signed-off-by: Kees Cook
---
drivers/gpu/drm/radeon/radeon_atombios.c | 20 +
ng power state (v2)")
Fixes: 79daedc94281 ("drm/radeon/kms: minor pm cleanups")
Signed-off-by: Kees Cook
---
drivers/gpu/drm/radeon/radeon_atombios.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c
b/dri
Hi,
This is an attempt at fixing a bug[1] uncovered by the relocation of
the slab freelist pointer offset, as well as some related clean-ups.
I don't have hardware to do runtime testing, but it builds. ;)
-Kees
[1] https://bugzilla.kernel.org/show_bug.cgi?id=211537
Kees Cook (2):
drm/r
On Fri, Aug 13, 2021 at 10:04:09AM +0200, Johannes Berg wrote:
> On Tue, 2021-07-27 at 13:58 -0700, Kees Cook wrote:
> >
> > +++ b/include/linux/ieee80211.h
> > @@ -297,9 +297,11 @@ static inline u16 ieee80211_sn_sub(u16 sn1, u16 sn2)
> > struct ieee80211_hdr {
>
On Fri, Aug 13, 2021 at 09:40:07AM +0200, Johannes Berg wrote:
> On Sat, 2021-07-31 at 08:55 -0700, Kees Cook wrote:
> > On Tue, Jul 27, 2021 at 01:58:30PM -0700, Kees Cook wrote:
> > > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > > field
"drm/i915: Use a table for i915_init/exit (v2)")
Signed-off-by: Kees Cook
---
drivers/gpu/drm/i915/i915_module.c | 37 +++---
1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_module.c
b/drivers/gpu/drm/i915/i915_module.c
in
/1d9a2e6df2a9a35b2cdd50a9a68cac5991e7e5f0.ca...@intel.com
Signed-off-by: Kees Cook
---
drivers/cxl/cxl.h | 61 ++-
1 file changed, 18 insertions(+), 43 deletions(-)
diff --git a/drivers/cxl/cxl.h b/drivers/cxl/cxl.h
index 53927f9fa77e..9db0c402c9ce 100644
--- a/drivers/cxl/cxl.h
1 - 100 of 708 matches