[PATCH 03/64] rpmsg: glink: Replace strncpy() with strscpy_pad()

2021-07-27 Thread Kees Cook
unction 'qcom_glink_work': drivers/rpmsg/qcom_glink_native.c:36:5: note: subobject 'data' declared here 36 | u8 data[]; | ^~~~ [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings Signed-off-by: Kees Cook --- driv

[PATCH 00/64] Introduce strict memcpy() bounds checking

2021-07-27 Thread Kees Cook
Hi, This patch series (based on next-20210726) implements stricter (no struct member overflows) bounds checking for memcpy(), memmove(), and memset() under CONFIG_FORTIFY_SOURCE. To quote a later patch in the series: tl;dr: In order to eliminate a large class of common buffer overflow fla

[PATCH 01/64] media: omap3isp: Extract struct group for memcpy() region

2021-07-27 Thread Kees Cook
64 to be zero-filled to avoid undefined behavior. Fixes: 378e3f81cb56 ("media: omap3isp: support 64-bit version of omap3isp_stat_data") Signed-off-by: Kees Cook --- drivers/media/platform/omap3isp/ispstat.c | 5 +-- include/uapi/linux/omap3isp.h | 44 +--

[PATCH 02/64] mac80211: Use flex-array for radiotap header bitmap

2021-07-27 Thread Kees Cook
g presence bitmaps and arguments. Additionally improve readability in the iterator code which walks through the bitmaps and arguments. Signed-off-by: Kees Cook --- include/net/ieee80211_radiotap.h | 24 net/mac80211/rx.c| 2 +- net/wireless/radiotap.c

[PATCH 04/64] stddef: Introduce struct_group() helper macro

2021-07-27 Thread Kees Cook
return -EINVAL; memcpy(&dst.thing, &src.thing, length); do_something(dst.three); There are some rare cases where the resulting struct_group() needs attributes added, so struct_group_attr() is also introduced to allow for specifying struct attributes (e.g. __ali

[PATCH 10/64] lib80211: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
ct code changes (i.e. only source line number induced differences and optimizations). Signed-off-by: Kees Cook --- drivers/staging/rtl8723bs/core/rtw_security.c | 5 +++-- drivers/staging/rtl8723bs/core/rtw_xmit.c | 5 +++-- include/linux/ieee80211.h | 8 ++

[PATCH 15/64] ipw2x00: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
to struct libipw_qos_information_element. Additionally corrects the size in libipw_read_qos_param_element() as it was testing the wrong structure size (it should have been struct libipw_qos_information_element, not struct libipw_qos_parameter_info). Signed-off-by: Kees Cook --- drivers/net/wireless/intel/ipw2x00/libipw

[PATCH 14/64] libertas_tf: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
object code changes. Signed-off-by: Kees Cook --- drivers/net/wireless/marvell/libertas_tf/libertas_tf.h | 10 ++ drivers/net/wireless/marvell/libertas_tf/main.c| 3 ++- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/marvell/libertas_tf/libe

[PATCH 12/64] mwl8k: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
"objdump -d" shows no object code changes. Signed-off-by: Kees Cook --- drivers/net/wireless/marvell/mwl8k.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c index 3bf6571f4149..a2927

[PATCH 11/64] net/mlx5e: Avoid field-overflowing memcpy()

2021-07-27 Thread Kees Cook
induced differences and optimizations). Signed-off-by: Kees Cook --- drivers/net/ethernet/mellanox/mlx5/core/en.h | 4 ++-- drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/

[PATCH 08/64] staging: rtl8192u: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
induced differences and optimizations). Signed-off-by: Kees Cook --- .../staging/rtl8192u/ieee80211/ieee80211.h| 24 +++ .../rtl8192u/ieee80211/ieee80211_crypt_ccmp.c | 3 ++- .../staging/rtl8192u/ieee80211/ieee80211_rx.c | 8 +++ 3 files changed, 20 insertions(+), 1

[PATCH 31/64] fortify: Explicitly disable Clang support

2021-07-27 Thread Kees Cook
the fortify routines have been rearranged. Update the Kconfig to reflect the reality of the current situation. Signed-off-by: Kees Cook --- security/Kconfig | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/Kconfig b/security/Kconfig index 0ced7fd33e4d..8f0e675e70a4 100644 --- a

[PATCH 29/64] lib/string: Move helper functions out of string.c

2021-07-27 Thread Kees Cook
(on some architectures). Make this deterministic by explicitly setting __NO_FORTIFY and move all the helper functions into string_helpers.c so that they gain the fortification coverage they had been missing. Signed-off-by: Kees Cook --- arch/s390/lib/string.c | 3 + arch/x86/lib/string_32.c

[PATCH 18/64] cxgb3: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
. This will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of imm_data. "pahole" shows no size nor member offset changes to struct rss_hdr. "objdump -d" shows no object code changes. Sign

[PATCH 30/64] fortify: Move remaining fortify helpers into fortify-string.h

2021-07-27 Thread Kees Cook
is requires that any FORTIFY helper function prototypes be conditionally built to avoid "no prototype" warnings. Additionally removes unused helpers. Signed-off-by: Kees Cook --- include/linux/fortify-string.h | 7 +++ include/linux/string.h | 9 - lib/string_helpers.c

[PATCH 27/64] HID: cp2112: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
shows no meaningful object code changes (i.e. only source line number induced differences.) Signed-off-by: Kees Cook --- drivers/hid/hid-cp2112.c | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c index 477baa

[PATCH 28/64] compiler_types.h: Remove __compiletime_object_size()

2021-07-27 Thread Kees Cook
Desaulniers Signed-off-by: Kees Cook --- include/linux/compiler-gcc.h | 2 -- include/linux/compiler_types.h | 4 include/linux/thread_info.h| 2 +- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h index cb9217fc60af

[PATCH 06/64] bnxt_en: Use struct_group_attr() for memcpy() region

2021-07-27 Thread Kees Cook
aningful object code changes (i.e. only source line number induced differences and optimizations). Signed-off-by: Kees Cook --- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 4 ++-- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.h | 14 -- 2 files changed, 10 insertions(+), 8 deleti

[PATCH 09/64] staging: rtl8723bs: Avoid field-overflowing memcpy()

2021-07-27 Thread Kees Cook
() to correctly reason about the size. "objdump -d" shows no object code changes. Signed-off-by: Kees Cook --- drivers/staging/rtl8723bs/core/rtw_mlme.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme.c b/drivers/staging/rtl8

[PATCH 32/64] fortify: Add compile-time FORTIFY_SOURCE tests

2021-07-27 Thread Kees Cook
wire it up as a dummy dependency to lib/string.o, collecting the results into a log file artifact. Signed-off-by: Kees Cook --- lib/.gitignore | 2 + lib/Makefile| 30 ++ lib/test_fortify/read_overflow-memchr.c | 5 ++

[PATCH 07/64] staging: rtl8192e: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
; shows no size nor member offset changes to struct rtllib_hdr_4addr nor struct rtllib_qos_information_element. "objdump -d" shows no meaningful object code changes (i.e. only source line number induced differences and optimizations). Signed-off-by: Kees Cook --- drivers/stagi

[PATCH 22/64] bnx2x: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
ruct group sizes. Signed-off-by: Kees Cook --- drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c | 7 --- drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h | 14 ++ 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.

[PATCH 47/64] btrfs: Use memset_after() to clear end of struct

2021-07-27 Thread Kees Cook
rting point of zeroing through the end of the struct. Signed-off-by: Kees Cook --- fs/btrfs/root-tree.c | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/fs/btrfs/root-tree.c b/fs/btrfs/root-tree.c index 702dc5441f03..ec9e78f65fca 100644 --- a/fs/btrfs/root-tree.c +++ b/fs/btrfs

[PATCH 05/64] skbuff: Switch structure bounds to struct_group()

2021-07-27 Thread Kees Cook
differences and optimizations.) Signed-off-by: Kees Cook --- drivers/net/wireguard/queueing.h | 4 +--- include/linux/skbuff.h | 9 - net/core/skbuff.c| 14 +- 3 files changed, 10 insertions(+), 17 deletions(-) diff --git a/drivers/net/wire

[PATCH 13/64] libertas: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
nges. Signed-off-by: Kees Cook --- drivers/net/wireless/marvell/libertas/host.h | 10 ++ drivers/net/wireless/marvell/libertas/tx.c | 5 +++-- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/marvell/libertas/host.h b/drivers/net/wireless/marvell/l

[PATCH 26/64] net/mlx5e: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
together. This will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of h_dest. "pahole" shows no size nor member offset changes to struct vlan_ethhdr. "objdump -d" shows no object code changes.

[PATCH 64/64] fortify: Add run-time WARN for cross-field memcpy()

2021-07-27 Thread Kees Cook
This enables the run-time checking of dynamic memcpy() and memmove() lengths, issuing a WARN when a write would exceed the size of the target field. Signed-off-by: Kees Cook --- include/linux/fortify-string.h | 18 +++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git

[PATCH 25/64] drm/mga/mga_ioc32: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
itly redefined local to the header. Signed-off-by: Kees Cook --- drivers/gpu/drm/mga/mga_ioc32.c | 30 ++ include/uapi/drm/mga_drm.h | 37 - 2 files changed, 44 insertions(+), 23 deletions(-) diff --git a/drivers/gpu/drm/mga/mga_ioc32

[PATCH 40/64] net: 802: Use memset_after() to clear struct fields

2021-07-27 Thread Kees Cook
rting point of zeroing through the end of the struct. Signed-off-by: Kees Cook --- net/802/hippi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/802/hippi.c b/net/802/hippi.c index f80b33a8f7e0..00fb4b16 100644 --- a/net/802/hippi.c +++ b/net/802/hippi.c @@ -65,7

[PATCH 19/64] ip: Use struct_group() for memcpy() regions

2021-07-27 Thread Kees Cook
no meaningful object code changes (i.e. only source line number induced differences.) Note that since this is a UAPI header, struct_group() has been open coded. Signed-off-by: Kees Cook --- include/net/flow.h| 6 -- include/uapi/linux/if_ether.h | 12 ++-- include/uapi/l

[PATCH 17/64] iommu/amd: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of ext. "pahole" shows no size nor member offset changes to struct ivhd_entry. "objdump -d" shows no object code changes. Sign

[PATCH 16/64] thermal: intel: int340x_thermal: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
line number induced differences). Signed-off-by: Kees Cook --- .../intel/int340x_thermal/acpi_thermal_rel.c | 5 +- .../intel/int340x_thermal/acpi_thermal_rel.h | 48 ++- 2 files changed, 29 insertions(+), 24 deletions(-) diff --git a/drivers/thermal/intel/int340x_thermal/acpi_ther

[PATCH 55/64] RDMA/mlx5: Use struct_group() to zero struct mlx5_ib_mr

2021-07-27 Thread Kees Cook
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Add struct_group() to mark region of struct mlx5_ib_mr that should be initialized to zero. Signed-off-by: Kees Cook --- drivers

[PATCH 42/64] net: qede: Use memset_after() for counters

2021-07-27 Thread Kees Cook
rting point of zeroing through the end of the struct. Signed-off-by: Kees Cook --- The old code seems to be doing the wrong thing: starting from not the first member, but sized for the whole struct. Which is correct? --- drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +- 1 file changed, 1 inse

[PATCH 41/64] net: dccp: Use memset_after() for TP zeroing

2021-07-27 Thread Kees Cook
rting point of zeroing through the end of the struct. Signed-off-by: Kees Cook --- net/dccp/trace.h | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/net/dccp/trace.h b/net/dccp/trace.h index 5062421beee9..3c2594da49fc 100644 --- a/net/dccp/trace.h +++ b/net/dccp/trace.h @@

[PATCH 44/64] iw_cxgb4: Use memset_after() for cpl_t5_pass_accept_rpl

2021-07-27 Thread Kees Cook
rting point of zeroing through the end of the struct. Additionally, since everything appears to perform a roundup (including allocation), just change the size of the struct itself and add a build-time check to validate the expected size. Signed-off-by: Kees Cook --- drivers/infiniband/hw/cxgb4

[PATCH 38/64] xfrm: Use memset_after() to clear padding

2021-07-27 Thread Kees Cook
the last struct member. There is no change to the resulting machine code. Signed-off-by: Kees Cook --- net/xfrm/xfrm_policy.c | 4 +--- net/xfrm/xfrm_user.c | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 37d17a79617

[PATCH 39/64] mac80211: Use memset_after() to clear tx status

2021-07-27 Thread Kees Cook
rting point of zeroing through the end of the struct. Note that the common helper, ieee80211_tx_info_clear_status(), does NOT clear ack_signal, but the open-coded versions do. All three perform checks that the ack_signal position hasn't changed, though. Signed-off-by: Kees Cook --- Should the

[PATCH 43/64] ath11k: Use memset_after() for clearing queue descriptors

2021-07-27 Thread Kees Cook
rting point of zeroing through the end of the struct. Additionally split up a later field-spanning memset() so that memset() can reason about the size. Signed-off-by: Kees Cook --- drivers/net/wireless/ath/ath11k/hal_rx.c | 13 ++--- 1 file changed, 6 insertions(+), 7 deletions(-) diff --

[PATCH 63/64] iwlwifi: dbg_ini: Split memcpy() to avoid multi-field write

2021-07-27 Thread Kees Cook
To avoid a run-time false positive in the stricter FORTIFY_SOURCE memcpy() checks, split the memcpy() into the struct and the data. Additionally switch the data member to a flexible array to follow modern language conventions. Signed-off-by: Kees Cook --- drivers/net/wireless/intel/iwlwifi/fw

[PATCH 54/64] ipv6: Use struct_group() to zero rt6_info

2021-07-27 Thread Kees Cook
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Add struct_group() to mark region of struct rt6_info that should be initialized to zero. Signed-off-by: Kees Cook --- include/net

[PATCH 53/64] HID: roccat: Use struct_group() to zero kone_mouse_event

2021-07-27 Thread Kees Cook
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Add struct_group() to mark region of struct kone_mouse_event that should be initialized to zero. Signed-off-by: Kees Cook

[PATCH 61/64] Makefile: Enable -Warray-bounds

2021-07-27 Thread Kees Cook
Signed-off-by: Kees Cook --- Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/Makefile b/Makefile index 6f781a199624..77d01ba3d4e1 100644 --- a/Makefile +++ b/Makefile @@ -1089,7 +1089,6 @@ KBUILD_CFLAGS += $(call cc-disable-warning, stringop-truncation) # We'll want to enable

[PATCH 56/64] ethtool: stats: Use struct_group() to clear all stats at once

2021-07-27 Thread Kees Cook
() call. Signed-off-by: Kees Cook --- net/ethtool/stats.c | 15 +++ 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/net/ethtool/stats.c b/net/ethtool/stats.c index ec07f5765e03..a20e0a24ff61 100644 --- a/net/ethtool/stats.c +++ b/net/ethtool/stats.c @@ -14,10 +14,12 @@ struct

[PATCH 50/64] KVM: x86: Use struct_group() to zero decode cache

2021-07-27 Thread Kees Cook
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Add struct_group() to mark region of struct x86_emulate_ctxt that should be initialized to zero. Signed-off-by: Kees Cook --- arch

[PATCH 37/64] string.h: Introduce memset_after() for wiping trailing members/padding

2021-07-27 Thread Kees Cook
takes the target struct instance, the byte to write, and the member name after which the zeroing should start. Signed-off-by: Kees Cook --- include/linux/string.h | 12 lib/test_memcpy.c | 12 2 files changed, 24 insertions(+) diff --git a/include/linux/string.h b

[PATCH 57/64] netfilter: conntrack: Use struct_group() to zero struct nf_conn

2021-07-27 Thread Kees Cook
zero, allowing memset() to correctly reason about the size of the write. Signed-off-by: Kees Cook --- include/net/netfilter/nf_conntrack.h | 20 ++-- net/netfilter/nf_conntrack_core.c| 4 +--- 2 files changed, 11 insertions(+), 13 deletions(-) diff --git a/include/net

[PATCH 21/64] cxgb4: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
mp -d" shows no object code changes. Signed-off-by: Kees Cook --- drivers/net/ethernet/chelsio/cxgb4/sge.c | 8 +--- drivers/net/ethernet/chelsio/cxgb4/t4fw_api.h | 10 ++ drivers/net/ethernet/chelsio/cxgb4vf/sge.c| 7 ++- 3 files changed, 13 insertions(+), 12 dele

[PATCH 60/64] fortify: Work around Clang inlining bugs

2021-07-27 Thread Kees Cook
GCC builds, but allows Clang to finally gain full FORTIFY coverage. However, because of a third bug which had no work-arounds, FORTIFY_SOURCE will only work with Clang version 13 and later. Update the Kconfig to reflect the new requirements. Signed-off-by: Kees Cook --- include/linux/fortif

[PATCH 36/64] scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp

2021-07-27 Thread Kees Cook
's what is being wiped. Signed-off-by: Kees Cook --- drivers/scsi/ibmvscsi/ibmvscsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c index e6a3eaaa57d9..7e8beb42d2d3 100644 --- a/drivers/scsi/ibmvscsi/ibmvs

[PATCH 62/64] netlink: Avoid false-positive memcpy() warning

2021-07-27 Thread Kees Cook
memcpy() warning: memcpy: detected field-spanning write (size 32) of single field (size 16) Signed-off-by: Kees Cook --- include/uapi/linux/netlink.h | 1 + net/netlink/af_netlink.c | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/netlink.h b

[PATCH 23/64] drm/amd/pm: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
first member. "pahole" shows no size nor member offset changes to any structs. "objdump -d" shows no object code changes. Signed-off-by: Kees Cook --- drivers/gpu/drm/amd/include/atomfirmware.h | 9 - .../gpu/drm/amd/pm/inc/smu11_driver_if_arcturus.h|

[PATCH 20/64] intersil: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
x_tx_frame. "objdump -d" shows no object code changes. Signed-off-by: Kees Cook --- drivers/net/wireless/intersil/hostap/hostap_hw.c | 5 +++-- drivers/net/wireless/intersil/hostap/hostap_wlan.h | 14 -- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/drivers/n

[PATCH 45/64] intel_th: msu: Use memset_after() for clearing hw header

2021-07-27 Thread Kees Cook
rting point of zeroing through the end of the struct. Signed-off-by: Kees Cook --- drivers/hwtracing/intel_th/msu.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/hwtracing/intel_th/msu.c b/drivers/hwtracing/intel_th/msu.c index 432ade0842f6..f3e266b0756c 100644

[PATCH 24/64] staging: wlan-ng: Use struct_group() for memcpy() region

2021-07-27 Thread Kees Cook
x_tx_frame. "objdump -d" shows no meaningful object code changes (i.e. only source line number induced differences.) Signed-off-by: Kees Cook --- drivers/staging/wlan-ng/hfa384x.h | 16 +--- drivers/staging/wlan-ng/hfa384x_usb.c | 4 +++- 2 files changed, 12 insertions(+),

[PATCH 35/64] fortify: Detect struct member overflows in memmove() at compile-time

2021-07-27 Thread Kees Cook
As done for memcpy(), also update memmove() to use the same tightened compile-time checks under CONFIG_FORTIFY_SOURCE. Signed-off-by: Kees Cook --- arch/x86/boot/compressed/misc.c | 3 ++- arch/x86/lib/memcpy_32.c | 1 + include/linux/fortify-string.h

[PATCH 52/64] dm integrity: Use struct_group() to zero struct journal_sector

2021-07-27 Thread Kees Cook
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Add struct_group() to mark region of struct journal_sector that should be initialized to zero. Signed-off-by: Kees Cook --- drivers

[PATCH 33/64] lib: Introduce CONFIG_TEST_MEMCPY

2021-07-27 Thread Kees Cook
Before changing anything about memcpy(), memmove(), and memset(), add run-time tests to check basic behaviors for any regressions. Signed-off-by: Kees Cook --- lib/Kconfig.debug | 3 + lib/Makefile | 1 + lib/test_memcpy.c | 285 ++ 3 files

[PATCH 34/64] fortify: Detect struct member overflows in memcpy() at compile-time

2021-07-27 Thread Kees Cook
all where the compiler cannot see the true type. In theory, greater static analysis could catch these. [0] https://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html [1] https://git.kernel.org/linus/6a39e62abbafd1d58d1722f40c7d26ef379c6a2f Signed-off-by: Kees Cook --- include/linux/fortify-string.h

[PATCH 58/64] powerpc: Split memset() to avoid multi-field overflow

2021-07-27 Thread Kees Cook
. Signed-off-by: Kees Cook --- drivers/macintosh/smu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/macintosh/smu.c b/drivers/macintosh/smu.c index 94fb63a7b357..59ce431da7ef 100644 --- a/drivers/macintosh/smu.c +++ b/drivers/macintosh/smu.c @@ -848,7 +848,8 @@ int

[PATCH 49/64] cm4000_cs: Use struct_group() to zero struct cm4000_dev region

2021-07-27 Thread Kees Cook
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Add struct_group() to mark region of struct cm4000_dev that should be initialized to zero. Signed-off-by: Kees Cook --- drivers/char

[PATCH 51/64] tracing: Use struct_group() to zero struct trace_iterator

2021-07-27 Thread Kees Cook
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Add struct_group() to mark region of struct trace_iterator that should be initialized to zero. Signed-off-by: Kees Cook --- include

[PATCH 46/64] IB/mthca: Use memset_after() for clearing mpt_entry

2021-07-27 Thread Kees Cook
rting point of zeroing through the end of the struct. Signed-off-by: Kees Cook --- drivers/infiniband/hw/mthca/mthca_mr.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/infiniband/hw/mthca/mthca_mr.c b/drivers/infiniband/hw/mthca/mthca_mr.c index ce0e0867e488..64adba5

[PATCH 59/64] fortify: Detect struct member overflows in memset() at compile-time

2021-07-27 Thread Kees Cook
As done for memcpy(), also update memset() to use the same tightened compile-time bounds checking under CONFIG_FORTIFY_SOURCE. Signed-off-by: Kees Cook --- include/linux/fortify-string.h| 54 --- .../write_overflow_field-memset.c | 5 ++ 2 files

[PATCH 48/64] drbd: Use struct_group() to zero algs

2021-07-27 Thread Kees Cook
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Add a struct_group() for the algs so that memset() can correctly reason about the size. Signed-off-by: Kees Cook --- drivers/block

Re: [PATCH 31/64] fortify: Explicitly disable Clang support

2021-07-27 Thread Kees Cook
On Tue, Jul 27, 2021 at 02:18:58PM -0700, Nathan Chancellor wrote: > On 7/27/2021 1:58 PM, Kees Cook wrote: > > Clang has never correctly compiled the FORTIFY_SOURCE defenses due to > > a couple bugs: > > > > Eliding inlines with matching __builtin_* names >

Re: [PATCH 33/64] lib: Introduce CONFIG_TEST_MEMCPY

2021-07-27 Thread Kees Cook
On Tue, Jul 27, 2021 at 04:31:03PM -0700, Bart Van Assche wrote: > On 7/27/21 1:58 PM, Kees Cook wrote: > > +static int __init test_memcpy_init(void) > > +{ > > + int err = 0; > > + > > + err |= test_memcpy(); > > + err |= test_memmove(); > > +

Re: [PATCH 34/64] fortify: Detect struct member overflows in memcpy() at compile-time

2021-07-27 Thread Kees Cook
On Tue, Jul 27, 2021 at 03:43:27PM -0700, Nick Desaulniers wrote: > On Tue, Jul 27, 2021 at 2:17 PM Kees Cook wrote: > > > > To accelerate the review of potential run-time false positives, it's > > also worth noting that it is possible to partially automate checki

Re: [PATCH 01/64] media: omap3isp: Extract struct group for memcpy() region

2021-07-27 Thread Kees Cook
On Tue, Jul 27, 2021 at 07:55:46PM -0500, Gustavo A. R. Silva wrote: > On Tue, Jul 27, 2021 at 01:57:52PM -0700, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memcpy(), memmove(), and memset(), avoid >

Re: [PATCH 36/64] scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp

2021-07-28 Thread Kees Cook
> Instead of writing beyond the end of evt_struct->iu.srp.cmd, target the > > upper union (evt_struct->iu.srp) instead, as that's what is being wiped. > > > > Signed-off-by: Kees Cook > > Orthogonal to your change, it wasn't immediately obvious to me

Re: [PATCH 19/64] ip: Use struct_group() for memcpy() regions

2021-07-28 Thread Kees Cook
because struct_group() can not be used here? Still feels odd to see > in a userspace-visible header. Yeah, there is some inconsistency here. I will clean this up for v2. Is there a place we can put kernel-specific macros for use in UAPI headers? (I need to figure out where things like __kernel_size_t get defined...) -- Kees Cook

Re: [PATCH 02/64] mac80211: Use flex-array for radiotap header bitmap

2021-07-28 Thread Kees Cook
On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote: > On Tue, Jul 27, 2021 at 01:57:53PM -0700, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memcpy(), memmove(), and memset(), avoid > >

Re: [PATCH 02/64] mac80211: Use flex-array for radiotap header bitmap

2021-07-28 Thread Kees Cook
> > The recommended practice is to always use unsigned types for shifts, so > "1U << ..." at least. Ah, good catch! I think just using BIT() is the right replacement here, yes? I suppose that should be a separate patch. -- Kees Cook

Re: [PATCH 47/64] btrfs: Use memset_after() to clear end of struct

2021-07-28 Thread Kees Cook
On Wed, Jul 28, 2021 at 11:42:15AM +0200, David Sterba wrote: > On Tue, Jul 27, 2021 at 01:58:38PM -0700, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memset(), avoid intentionally writing across > >

Re: [PATCH 04/64] stddef: Introduce struct_group() helper macro

2021-07-28 Thread Kees Cook
On Wed, Jul 28, 2021 at 12:54:18PM +0200, Rasmus Villemoes wrote: > On 27/07/2021 22.57, Kees Cook wrote: > > > In order to have a regular programmatic way to describe a struct > > region that can be used for references and sizing, can be examined for > > bounds checking

Re: [PATCH 02/64] mac80211: Use flex-array for radiotap header bitmap

2021-07-28 Thread Kees Cook
On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote: > On Tue, Jul 27, 2021 at 01:57:53PM -0700, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memcpy(), memmove(), and memset(), avoid > >

Re: [PATCH 02/64] mac80211: Use flex-array for radiotap header bitmap

2021-07-28 Thread Kees Cook
On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote: > On Tue, Jul 27, 2021 at 01:57:53PM -0700, Kees Cook wrote: > > [...] > > - /** > > -* @it_present: (first) present word > > -*/ > > - __le32 it_present; > > + union { > > +

Re: [PATCH 62/64] netlink: Avoid false-positive memcpy() warning

2021-07-29 Thread Kees Cook
On Wed, Jul 28, 2021 at 01:24:01PM +0200, Rasmus Villemoes wrote: > On 28/07/2021 07.49, Greg Kroah-Hartman wrote: > > On Tue, Jul 27, 2021 at 01:58:53PM -0700, Kees Cook wrote: > >> In preparation for FORTIFY_SOURCE performing compile-time and run-time > >> field

Re: [PATCH 62/64] netlink: Avoid false-positive memcpy() warning

2021-07-29 Thread Kees Cook
On Wed, Jul 28, 2021 at 07:49:46AM +0200, Greg Kroah-Hartman wrote: > On Tue, Jul 27, 2021 at 01:58:53PM -0700, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memcpy(), memmove(), and memset(), avoid >

Re: [PATCH 48/64] drbd: Use struct_group() to zero algs

2021-07-29 Thread Kees Cook
On Wed, Jul 28, 2021 at 02:45:55PM -0700, Bart Van Assche wrote: > On 7/27/21 1:58 PM, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memset(), avoid intentionally writing across > > neighboring f

Re: [PATCH 34/64] fortify: Detect struct member overflows in memcpy() at compile-time

2021-07-29 Thread Kees Cook
On Wed, Jul 28, 2021 at 01:19:59PM +0200, Rasmus Villemoes wrote: > On 27/07/2021 22.58, Kees Cook wrote: > > > At its core, FORTIFY_SOURCE uses the compiler's __builtin_object_size() > > internal[0] to determine the available size at a target address based on > > the

Re: [PATCH 01/64] media: omap3isp: Extract struct group for memcpy() region

2021-07-29 Thread Kees Cook
the pattern of basic initializers, which makes sense given the behavior of initializers and direct assignment tests above. e.g.: obj = (type){ .member = ... }; stackinit: small_hole_assigned_static_partial ok stackinit: small_hole_assigned_dynamic_partial ok stackinit: big_hole_assigned_dynamic_partial ok stackinit: big_hole_assigned_static_partial ok stackinit: trailing_hole_assigned_dynamic_partial ok stackinit: trailing_hole_assigned_static_partial ok stackinit: small_hole_assigned_static_all FAIL (uninit bytes: 3) stackinit: small_hole_assigned_dynamic_all FAIL (uninit bytes: 3) stackinit: big_hole_assigned_static_all FAIL (uninit bytes: 124) stackinit: big_hole_assigned_dynamic_all FAIL (uninit bytes: 124) stackinit: trailing_hole_assigned_dynamic_all FAIL (uninit bytes: 7) stackinit: trailing_hole_assigned_static_all FAIL (uninit bytes: 7) So, yeah, it's not very stable. -Kees [1] https://gcc.gnu.org/pipermail/gcc-patches/2021-July/576341.html -- Kees Cook

Re: [PATCH 02/64] mac80211: Use flex-array for radiotap header bitmap

2021-07-29 Thread Kees Cook
On Thu, Jul 29, 2021 at 12:45:47PM +0200, David Sterba wrote: > On Wed, Jul 28, 2021 at 02:54:52PM -0700, Kees Cook wrote: > > On Wed, Jul 28, 2021 at 11:23:23AM +0200, David Sterba wrote: > > > On Wed, Jul 28, 2021 at 10:35:56AM +0300, Dan Carpenter wrote: > &

Re: [PATCH 01/64] media: omap3isp: Extract struct group for memcpy() region

2021-07-30 Thread Kees Cook
void *ptr; }; These are fine: struct foo ok1 = { }; struct foo ok2 = { .flag = 7 }; struct foo ok3 = { .ptr = NULL }; This is not: struct foo bad = { .flag = 7, .ptr = NULL }; (But, of course, it depends on padding size, compiler version, and architecture. i.e. things remain unreliable.) -- Kees Cook

Re: [PATCH 01/64] media: omap3isp: Extract struct group for memcpy() region

2021-07-30 Thread Kees Cook
On Fri, Jul 30, 2021 at 10:08:03AM -0700, Nick Desaulniers wrote: > On Fri, Jul 30, 2021 at 9:44 AM Kees Cook wrote: > > > > On Fri, Jul 30, 2021 at 12:00:54PM +0300, Dan Carpenter wrote: > > > On Fri, Jul 30, 2021 at 10:38:45AM +0200, David Sterba wrote: > > > &

Re: [PATCH 04/64] stddef: Introduce struct_group() helper macro

2021-07-30 Thread Kees Cook
On Fri, Jul 30, 2021 at 10:19:20PM +, Williams, Dan J wrote: > On Wed, 2021-07-28 at 14:59 -0700, Kees Cook wrote: > > On Wed, Jul 28, 2021 at 12:54:18PM +0200, Rasmus Villemoes wrote: > > > On 27/07/2021 22.57, Kees Cook wrote: > > > > > > > In orde

Re: [PATCH 25/64] drm/mga/mga_ioc32: Use struct_group() for memcpy() region

2021-07-30 Thread Kees Cook
On Thu, Jul 29, 2021 at 02:11:27PM +0200, Daniel Vetter wrote: > On Wed, Jul 28, 2021 at 07:56:40AM +0200, Greg Kroah-Hartman wrote: > > On Tue, Jul 27, 2021 at 01:58:16PM -0700, Kees Cook wrote: > > > In preparation for FORTIFY_SOURCE performing compile-time and run-time

Re: [PATCH 54/64] ipv6: Use struct_group() to zero rt6_info

2021-07-31 Thread Kees Cook
On Thu, Jul 29, 2021 at 11:58:50AM -0700, Jakub Kicinski wrote: > On Tue, 27 Jul 2021 13:58:45 -0700 Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memset(), avoid intentionally writing across > &g

Re: [PATCH 04/64] stddef: Introduce struct_group() helper macro

2021-07-31 Thread Kees Cook
On Sat, Jul 31, 2021 at 07:24:44AM +0200, Rasmus Villemoes wrote: > On Sat, Jul 31, 2021, 04:59 Kees Cook wrote: > > > On Fri, Jul 30, 2021 at 10:19:20PM +, Williams, Dan J wrote: > > > On Wed, 2021-07-28 at 14:59 -0700, Kees Cook wrote: > > > > > /**

Re: [PATCH 47/64] btrfs: Use memset_after() to clear end of struct

2021-07-31 Thread Kees Cook
On Thu, Jul 29, 2021 at 12:33:37PM +0200, David Sterba wrote: > On Wed, Jul 28, 2021 at 02:56:31PM -0700, Kees Cook wrote: > > On Wed, Jul 28, 2021 at 11:42:15AM +0200, David Sterba wrote: > > > On Tue, Jul 27, 2021 at 01:58:38PM -0700, Kees Cook wrote: > > > > In

Re: [PATCH 39/64] mac80211: Use memset_after() to clear tx status

2021-07-31 Thread Kees Cook
On Tue, Jul 27, 2021 at 01:58:30PM -0700, Kees Cook wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memset(), avoid intentionally writing across > neighboring fields. > > Use memset_after() so memset() doesn't get co

Re: [PATCH 42/64] net: qede: Use memset_after() for counters

2021-07-31 Thread Kees Cook
On Tue, Jul 27, 2021 at 01:58:33PM -0700, Kees Cook wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memset(), avoid intentionally writing across > neighboring fields. > > Use memset_after() so memset() doesn't get co

Re: [PATCH 42/64] net: qede: Use memset_after() for counters

2021-08-02 Thread Kees Cook
On Mon, Aug 02, 2021 at 02:29:28PM +, Shai Malin wrote: > > On Tue, Jul 31, 2021 at 07:07:00PM -0300, Kees Cook wrote: > > On Tue, Jul 27, 2021 at 01:58:33PM -0700, Kees Cook wrote: > > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > >

[PATCH 2/2] drm/radeon: Avoid power table parsing memory leaks

2021-05-02 Thread Kees Cook
Avoid leaving a hanging pre-allocated clock_info if last mode is invalid, and avoid heap corruption if no valid modes are found. Fixes: 6991b8f2a319 ("drm/radeon/kms: fix segfault in pm rework") Signed-off-by: Kees Cook --- drivers/gpu/drm/radeon/radeon_atombios.c | 20 +

[PATCH 1/2] drm/radeon: Fix off-by-one power_state index heap overwrite

2021-05-02 Thread Kees Cook
ng power state (v2)") Fixes: 79daedc94281 ("drm/radeon/kms: minor pm cleanups") Signed-off-by: Kees Cook --- drivers/gpu/drm/radeon/radeon_atombios.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/dri

[PATCH 0/2] drm/radeon: Fix off-by-one power_state index heap overwrite

2021-05-02 Thread Kees Cook
Hi, This is an attempt at fixing a bug[1] uncovered by the relocation of the slab freelist pointer offset, as well as some related clean-ups. I don't have hardware to do runtime testing, but it builds. ;) -Kees [1] https://bugzilla.kernel.org/show_bug.cgi?id=211537 Kees Cook (2): drm/r

Re: [PATCH 10/64] lib80211: Use struct_group() for memcpy() region

2021-08-13 Thread Kees Cook
On Fri, Aug 13, 2021 at 10:04:09AM +0200, Johannes Berg wrote: > On Tue, 2021-07-27 at 13:58 -0700, Kees Cook wrote: > > > > +++ b/include/linux/ieee80211.h > > @@ -297,9 +297,11 @@ static inline u16 ieee80211_sn_sub(u16 sn1, u16 sn2) > >  struct ieee80211_hdr { &

Re: [PATCH 39/64] mac80211: Use memset_after() to clear tx status

2021-08-13 Thread Kees Cook
On Fri, Aug 13, 2021 at 09:40:07AM +0200, Johannes Berg wrote: > On Sat, 2021-07-31 at 08:55 -0700, Kees Cook wrote: > > On Tue, Jul 27, 2021 at 01:58:30PM -0700, Kees Cook wrote: > > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > > field

[PATCH] drm/i915: Use designated initializers for init/exit table

2021-08-17 Thread Kees Cook
uot;drm/i915: Use a table for i915_init/exit (v2)") Signed-off-by: Kees Cook --- drivers/gpu/drm/i915/i915_module.c | 37 +++--- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_module.c b/drivers/gpu/drm/i915/i915_module.c in

[PATCH v2 06/63] cxl/core: Replace unions with struct_group()

2021-08-17 Thread Kees Cook
/1d9a2e6df2a9a35b2cdd50a9a68cac5991e7e5f0.ca...@intel.com Signed-off-by: Kees Cook --- drivers/cxl/cxl.h | 61 ++- 1 file changed, 18 insertions(+), 43 deletions(-) diff --git a/drivers/cxl/cxl.h b/drivers/cxl/cxl.h index 53927f9fa77e..9db0c402c9ce 100644 --- a/drivers/cxl/cxl.h
