Re: [PATCH] fs/select: Annotate struct poll_list with __counted_by()

2024-08-09 Thread Christian Brauner
On Thu, 08 Aug 2024 17:00:24 +0200, Thorsten Blum wrote: > Add the __counted_by compiler attribute to the flexible array member > entries to improve access bounds-checking via CONFIG_UBSAN_BOUNDS and > CONFIG_FORTIFY_SOURCE. > > Applied to the vfs.misc branch of the vfs/vfs.git tree. Patches in

Re: [PATCH] aio: Annotate struct kioctx_table with __counted_by

2023-09-18 Thread Christian Brauner
On Fri, 15 Sep 2023 13:14:14 -0700, Kees Cook wrote: > Prepare for the coming implementation by GCC and Clang of the __counted_by > attribute. Flexible array members annotated with __counted_by can have > their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS > (for array indexi

Re: [PATCH] watch_queue: Annotate struct watch_filter with __counted_by

2023-09-24 Thread Christian Brauner
On Fri, 22 Sep 2023 10:54:08 -0700, Kees Cook wrote: > Prepare for the coming implementation by GCC and Clang of the __counted_by > attribute. Flexible array members annotated with __counted_by can have > their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS > (for array indexi

Re: [PATCH 03/19] fs: release anon dev_t in deactivate_locked_super

2023-10-10 Thread Christian Brauner
> list removal should happen after generic_shutdown_super(). Sure, you > want the superblock to serve as bdev holder, which leads to fun > with -EBUSY if mount comes while umount still hadn't closed the > device. I suspect that it would make a lot more sense to > introduce an intermediate state -

Re: [PATCH 3/5] fs: Add DEFINE_FREE for struct inode

2023-12-05 Thread Christian Brauner
On Sat, Dec 02, 2023 at 01:34:32PM -0800, Kees Cook wrote: > On Sat, Dec 02, 2023 at 09:28:46PM +, Al Viro wrote: > > On Sat, Dec 02, 2023 at 01:22:13PM -0800, Kees Cook wrote: > > > Allow __free(iput) markings for easier cleanup on inode allocations. > > > > NAK. That's a bloody awful idea f

Re: [PATCH 37/82] aio: Refactor intentional wrap-around test

2024-01-23 Thread Christian Brauner
://github.com/KSPP/linux/issues/344 [4] > Cc: Benjamin LaHaise > Cc: Alexander Viro > Cc: Christian Brauner > Cc: Jan Kara > Cc: linux-...@kvack.org > Cc: linux-fsde...@vger.kernel.org > Signed-off-by: Kees Cook > --- What's the plan? Merge the generic infrastructure and we can pick the individual patches?

Re: [PATCH] iov_iter: Avoid wrap-around instrumentation in copy_compat_iovec_from_user()

2024-01-30 Thread Christian Brauner
On Mon, 29 Jan 2024 10:37:29 -0800, Kees Cook wrote: > The loop counter "i" in copy_compat_iovec_from_user() is an int, but > because the nr_segs argument is unsigned long, the signed overflow > sanitizer got worried "i" could wrap around. Instead of making "i" an > unsigned long (which may enlarge

Re: [PATCH] select: Avoid wrap-around instrumentation in do_sys_poll()

2024-01-30 Thread Christian Brauner
On Mon, 29 Jan 2024 10:40:15 -0800, Kees Cook wrote: > The mix of int, unsigned int, and unsigned long used by struct > poll_list::len, todo, len, and j meant that the signed overflow > sanitizer got worried it needed to instrument several places where > arithmetic happens between these variables.

Re: Coverity: __do_sys_pidfd_send_signal(): UNINIT

2024-02-16 Thread Christian Brauner
On Wed, Feb 14, 2024 at 08:18:01PM +0100, Oleg Nesterov wrote: > On 02/14, Tycho Andersen wrote: > > > > On Wed, Feb 14, 2024 at 06:55:55PM +0100, Oleg Nesterov wrote: > > > > > > We want to check the "flags" argument at the start, we do not want to > > > delay the "case 0:" check until we have f.f

Re: [PATCH][next] fs: Annotate struct file_handle with __counted_by() and use struct_size()

2024-03-26 Thread Christian Brauner
On Mon, 25 Mar 2024 19:34:01 -0600, Gustavo A. R. Silva wrote: > Prepare for the coming implementation by GCC and Clang of the __counted_by > attribute. Flexible array members annotated with __counted_by can have > their accesses bounds-checked at run-time via CONFIG_UBSAN_BOUNDS (for > array index

Re: [PATCH] orangefs: cleanup uses of strncpy

2024-04-01 Thread Christian Brauner
On Fri, 22 Mar 2024 21:41:18 +, Justin Stitt wrote: > strncpy() is deprecated for use on NUL-terminated destination strings > [1] and as such we should prefer more robust and less ambiguous string > interfaces. > > There is some care taken to ensure these destination buffers are > NUL-terminat

Re: [PATCH] fs: Set file_handle::handle_bytes before referencing file_handle::f_handle

2024-04-05 Thread Christian Brauner
On Thu, Apr 04, 2024 at 11:19:00AM +0200, Jan Kara wrote: > On Wed 03-04-24 14:54:03, Kees Cook wrote: > > With adding __counted_by(handle_bytes) to struct file_handle, we need > > to explicitly set it in the one place it wasn't yet happening prior to > > accessing the flex array "f_handle". > > >

Re: [PATCH] fs: WARN when f_count resurrection is attempted

2024-05-04 Thread Christian Brauner
On Fri, 03 May 2024 13:16:25 -0700, Kees Cook wrote: > It should never happen that get_file() is called on a file with > f_count equal to zero. If this happens, a use-after-free condition > has happened[1], and we need to attempt a best-effort reporting of > the situation to help find the root caus

Re: [PATCH v2] fs: remove accidental overflow during wraparound check

2024-05-15 Thread Christian Brauner
On Mon, 13 May 2024 17:50:30 +, Justin Stitt wrote: > Running syzkaller with the newly enabled signed integer overflow > sanitizer produces this report: > > [ 195.401651] [ cut here ] > [ 195.404808] UBSAN: signed-integer-overflow in ../fs/open.c:321:15 > [ 195.40873

Re: [PATCH v2] execve: Move KUnit tests to tests/ subdirectory

2024-07-22 Thread Christian Brauner
iewed-by: SeongJae Park > Signed-off-by: Kees Cook > --- > v1: https://lore.kernel.org/lkml/20240717212230.work.346-k...@kernel.org/ > v2: file suffix changed to _kunit instead of _test > I'll toss this into -next and send it to Linus before -rc1 closes. Acked-by: Christian Brauner

Re: [PATCH v4] proc: add config & param to block forcing mem writes

2024-07-31 Thread Christian Brauner
On Wed, Jul 31, 2024 at 02:15:54PM GMT, Adrian Ratiu wrote: > On Wednesday, July 31, 2024 02:18 EEST, Linus Torvalds > wrote: > > > On Tue, 30 Jul 2024 at 16:09, Jeff Xu wrote: > > > > > > > + task = get_proc_task(file_inode(file)); > > > > + if (task) { > > > > +

Re: [PATCH v5] proc: add config & param to block forcing mem writes

2024-08-02 Thread Christian Brauner
On Fri, 02 Aug 2024 11:02:25 +0300, Adrian Ratiu wrote: > This adds a Kconfig option and boot param to allow removing > the FOLL_FORCE flag from /proc/pid/mem write calls because > it can be abused. > > The traditional forcing behavior is kept as default because > it can break GDB and some other u

Re: [PATCH v2] acl: Annotate struct posix_acl with __counted_by()

2024-10-21 Thread Christian Brauner
On Fri, 18 Oct 2024 14:14:21 +0200, Thorsten Blum wrote: > Add the __counted_by compiler attribute to the flexible array member > a_entries to improve access bounds-checking via CONFIG_UBSAN_BOUNDS and > CONFIG_FORTIFY_SOURCE. > > Use struct_size() to calculate the number of bytes to allocate for

Re: [PATCH] acl: Annotate struct posix_acl with __counted_by()

2024-09-25 Thread Christian Brauner
On Mon, 23 Sep 2024 23:38:05 +0200, Thorsten Blum wrote: > Add the __counted_by compiler attribute to the flexible array member > a_entries to improve access bounds-checking via CONFIG_UBSAN_BOUNDS and > CONFIG_FORTIFY_SOURCE. > > Use struct_size() to calculate the number of bytes to allocate for

Re: [PATCH] acl: Annotate struct posix_acl with __counted_by()

2024-10-01 Thread Christian Brauner
On Tue, Oct 01, 2024 at 08:42:52PM GMT, Nathan Chancellor wrote: > On Thu, Sep 26, 2024 at 02:21:42PM +0200, Thorsten Blum wrote: > > On 26. Sep 2024, at 03:46, kernel test robot wrote: > > > > > > Hello, > > > > > > kernel test robot noticed > > > "WARNING:at_lib/string_helpers.c:#__fortify_re

Re: [PATCH] freevxfs: Replace one-element array with flexible array member

2024-11-06 Thread Christian Brauner
On Sun, 03 Nov 2024 13:17:09 +0100, Thorsten Blum wrote: > Replace the deprecated one-element array with a modern flexible array > member in the struct vxfs_dirblk. > > Applied to the vfs.misc branch of the vfs/vfs.git tree. Patches in the vfs.misc branch should appear in linux-next soon. Pleas

Re: [PATCH] exec: NULL out bprm->argv0 when it is an ERR_PTR

2024-11-06 Thread Christian Brauner
..@google.com > Fixes: 7bdc6fc85c9a ("exec: fix up /proc/pid/comm in the > execveat(AT_EMPTY_PATH) case") > Signed-off-by: Kees Cook > --- Reviewed-by: Christian Brauner

Re: [PATCH] exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case

2024-11-30 Thread Christian Brauner
thub.com/uapi-group/kernel-features#set-comm-field-before-exec > Signed-off-by: Kees Cook > --- > Cc: Al Viro > Cc: Linus Torvalds > Cc: Eric Biederman > Cc: Alexander Viro > Cc: Christian Brauner > Cc: Jan Kara > Cc: linux...@kvack.org > Cc: linux-fsde...@vger.k

Re: [PATCH] exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case

2024-12-01 Thread Christian Brauner
On Sat, Nov 30, 2024 at 10:02:38AM -0800, Linus Torvalds wrote: > On Sat, 30 Nov 2024 at 04:30, Christian Brauner wrote: > > > > What does the smp_load_acquire() pair with? > > I'm not sure we have them everywhere, but at least this one at dentry >

Re: [PATCH] exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case

2024-12-01 Thread Christian Brauner
On Sun, Dec 01, 2024 at 08:54:41AM -0800, Linus Torvalds wrote: > On Sun, 1 Dec 2024 at 06:17, Christian Brauner wrote: > > > > /* > > * Hold rcu lock to keep the name from being freed behind our back. > > * Use acquire semantics to make sure the terminating NUL from

Re: [PATCH] qnx4: fix to avoid panic due to buffer overflow

2025-02-24 Thread Christian Brauner
On Sat, Feb 22, 2025 at 05:36:11PM +0100, Mateusz Guzik wrote: > On Sat, Feb 22, 2025 at 4:17 PM Kees Cook wrote: > > > > On Sat, Feb 22, 2025 at 01:12:47PM +0100, Mateusz Guzik wrote: > > > If it was not for the aforementioned bugfix, I would be sending a > > > removal instead. > > > > Less code

Re: [PATCH] vboxsf: Add __nonstring annotations for unterminated strings

2025-03-11 Thread Christian Brauner
On Mon, 10 Mar 2025 15:25:31 -0700, Kees Cook wrote: > When a character array without a terminating NUL character has a static > initializer, GCC 15's -Wunterminated-string-initialization will only > warn if the array lacks the "nonstring" attribute[1]. Mark the arrays > with __nonstring to and cor