https://git.kernel.org/kees/c/cce436aafc2a
[2/2] selftests/seccomp: Add a test for the WAIT_KILLABLE_RECV fast reply race
https://git.kernel.org/kees/c/b0c9bfbab925
Take care,
--
Kees Cook
e
#include
#include
+#include
#include
#include
#include
But, with that, yes, I can confirm the race and the fix. Thank you!
I can fix that up locally.
-Kees
--
Kees Cook
TH_LOG("Child: Failed to send FD");
> + close(unprivileged_tty_fd);
> + _exit(1);
> + }
> +
> + close(unprivileged_tty_fd);
> + close(sockpair[1]);
> + _exit(0); /* Child success */
> +
> + } else {
This doesn't need an else nor indenting: it is the parent no matter what
due to the _exit above.
> + /* Parent process - keep CAP_SYS_ADMIN, receive FD, test
> TIOCSTI */
> + close(sockpair[1]);
> +
> + TH_LOG("Parent: Waiting for TTY FD from unprivileged child...");
> +
> + /* Verify we still have CAP_SYS_ADMIN */
> + ASSERT_TRUE(has_cap_sys_admin());
> +
> + /* Receive the TTY FD from unprivileged child */
> + int received_fd = recv_fd_via_socket(sockpair[0]);
> +
> + ASSERT_GE(received_fd, 0)
> + TH_LOG("Parent: Received FD %d (opened by unprivileged
> process)",
> +received_fd);
> +
> + /*
> + * VULNERABILITY TEST: Try TIOCSTI with FD opened by
> unprivileged process
> + * This should FAIL even though parent has CAP_SYS_ADMIN
> + * because the FD was opened by unprivileged process
> + */
> + char attack_char = 'V'; /* V for Vulnerability */
> + int ret = ioctl(received_fd, TIOCSTI, &attack_char);
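Review bot: `ASSERT_GE(received_fd, 0)` has no terminating semicolon, so the TH_LOG() on the following lines is parsed as the assertion's optional failure handler. As written, "Parent: Received FD %d" is logged only when receiving the FD failed. Terminate the assertion with `;` so the log runs on the success path, or turn the handler into a failure message.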
Doesn't the child need to stay alive long enough to receive the
character? i.e. is it a problem that the child immediately exits 0 after
sending the fd to the parent?
> +
> + TH_LOG("Parent: Testing TIOCSTI on FD from unprivileged
> process...");
> + if (ret == 0) {
> + TH_LOG("*** VULNERABILITY DETECTED ***");
> + TH_LOG("Privileged process can use TIOCSTI on
> unprivileged FD");
> + } else {
> + TH_LOG("TIOCSTI failed on unprivileged FD: %s",
> +strerror(errno));
> + EXPECT_EQ(errno, EPERM);
> + }
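Review bot: `EXPECT_EQ(errno, EPERM)` reads errno after two TH_LOG() calls have run since the ioctl(), and TH_LOG() writes to a stream, which may change errno. Save errno into a local immediately after the ioctl() call and use that local in both the strerror() log and the EXPECT_EQ().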
Shouldn't this be arranged with an expect on ret == 0 ?
> + close(received_fd);
> + close(sockpair[0]);
> +
> + /* Wait for child */
> + int status;
> +
> + ASSERT_EQ(waitpid(child_pid, &status, 0), child_pid);
> + EXPECT_EQ(WEXITSTATUS(status), 0);
> + ASSERT_NE(ret, 0);
> + }
> +}
> +
> +TEST_HARNESS_MAIN
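Review bot: `EXPECT_EQ(WEXITSTATUS(status), 0)` is evaluated without first checking `WIFEXITED(status)`, so a child that was killed by a signal can still read as exit status 0. Add `ASSERT_TRUE(WIFEXITED(status));` between the waitpid() assertion and the exit-status check.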
Looks like you're on the right track!
-Kees
--
Kees Cook
>source base with this temporary keyword; instead define "auto" as a
>macro unless the compiler is running in C23+ mode.
Yeah, this is good. We have typeof() used extensively in macros all over. I'll
try this for fortify macros and see if we see any binary output changes...
--
Kees Cook
On Wed, Jul 16, 2025 at 11:32:10PM -0700, Kees Cook wrote:
> This really screams for a struct-based way to in-place declare a
> seq_buf. The current macro only works on the stack. I think this
> will work; I'll send a patch once I get it tested:
>
> #define DECLAR
blocking or otherwise interfering with other processes in binder.
>
> This test is refactored into more meaningful cases in the subsequent
> patch.
>
> Acked-by: Carlos Llamas
> Signed-off-by: Tiffany Yang
Reviewed-by: Kees Cook
--
Kees Cook
ray would have 750,000 entries.
> This change structures the recursive calls into meaningful test cases so
> that failures are easier to interpret.
>
> Cc: Kees Cook
> Acked-by: Carlos Llamas
> Signed-off-by: Tiffany Yang
> [...]
> +struct binder_alloc_test_case_info {
o kunit in a subsequent patch in this series.
>
> Acked-by: Carlos Llamas
> Signed-off-by: Tiffany Yang
Reviewed-by: Kees Cook
--
Kees Cook
> Signed-off-by: Tiffany Yang
Reviewed-by: Kees Cook
--
Kees Cook
On Wed, Jul 16, 2025 at 10:42:58PM +, Carlos Llamas wrote:
> On Wed, Jul 16, 2025 at 03:28:49PM -0700, Tiffany Yang wrote:
> > Kees Cook writes:
> >
> > > > ...
> >
> > > I'm used to the "#ifdef CONFIG_..." idiom, but looking at
int index)
> {
> size_t end, prev;
> int align;
>
> if (index == BUFFER_NUM) {
> - gen_buf_sizes(test, alloc, end_offset);
> + struct binder_alloc_test_case_info tc = {0};
> +
> + stringify_alignments(test, alignments, tc.alignments,
> + ALIGNMENTS_BUFLEN);
> +
> + gen_buf_sizes(test, alloc, &tc, end_offset, runs, failures);
> return;
> }
> prev = index == 0 ? 0 : end_offset[index - 1];
> @@ -276,7 +397,9 @@ static void gen_buf_offsets(struct kunit *test, struct
> binder_alloc *alloc,
> else
> end += BUFFER_MIN_SIZE;
> end_offset[index] = end;
> - gen_buf_offsets(test, alloc, end_offset, index + 1);
> + alignments[index] = align;
> + gen_buf_offsets(test, alloc, end_offset, alignments, runs,
> + failures, index + 1);
> }
> }
>
> @@ -328,10 +451,15 @@ static void binder_alloc_exhaustive_test(struct kunit
> *test)
> {
> struct binder_alloc_test *priv = test->priv;
> size_t end_offset[BUFFER_NUM];
> + int alignments[BUFFER_NUM];
> + unsigned long failures = 0;
> + unsigned long runs = 0;
>
> - gen_buf_offsets(test, &priv->alloc, end_offset, 0);
> + gen_buf_offsets(test, &priv->alloc, end_offset, alignments, &runs,
> + &failures, 0);
>
> - KUNIT_EXPECT_EQ(test, binder_alloc_test_failures, 0);
> + KUNIT_EXPECT_EQ(test, runs, TOTAL_EXHAUSTIVE_CASES);
> + KUNIT_EXPECT_EQ(test, failures, 0);
> }
>
> /* = End test cases = */
> --
> 2.50.0.727.gbf7dc18ff4-goog
>
Otherwise looks good to me.
--
Kees Cook
R(priv->filp) : -ENOMEM;
> + }
> +
> + priv->mmap_uaddr = kunit_vm_mmap(test, priv->filp, 0, BINDER_MMAP_SIZE,
> + PROT_READ, MAP_PRIVATE | MAP_NORESERVE,
> + 0);
> + if (!priv->mmap_uaddr) {
> + kunit_err(test, "Could not map the test's transaction
> memory\n");
> + return -ENOMEM;
> + }
> +
> + return 0;
> +}
> +
> +static void binder_alloc_test_exit(struct kunit *test)
> +{
> + struct binder_alloc_test *priv = test->priv;
> +
> + /* Close the backing file to make sure binder_alloc_vma_close runs */
> + if (!IS_ERR_OR_NULL(priv->filp))
> + fput(priv->filp);
> +
> + if (priv->alloc.mm)
> + binder_alloc_deferred_release(&priv->alloc);
> +
> + /* Make sure freelist is empty */
> + KUNIT_EXPECT_EQ(test, list_lru_count(&priv->binder_test_freelist), 0);
> + list_lru_destroy(&priv->binder_test_freelist);
> +}
> +
> +static struct kunit_case binder_alloc_test_cases[] = {
> + KUNIT_CASE(binder_alloc_test_init_freelist),
> + KUNIT_CASE(binder_alloc_test_mmap),
> + {}
> +};
> +
> +static struct kunit_suite binder_alloc_test_suite = {
> + .name = "binder_alloc",
> + .test_cases = binder_alloc_test_cases,
> + .init = binder_alloc_test_init,
> + .exit = binder_alloc_test_exit,
> +};
> +
> +kunit_test_suite(binder_alloc_test_suite);
> +
> +MODULE_AUTHOR("Tiffany Yang ");
> +MODULE_DESCRIPTION("Binder Alloc KUnit tests");
> +MODULE_LICENSE("GPL");
Reviewed-by: Kees Cook
--
Kees Cook
d attach a new mm if it doesn't already exist. */
> -static int kunit_attach_mm(void)
> +int kunit_attach_mm(void)
> {
> struct mm_struct *mm;
>
> @@ -49,6 +48,7 @@ static int kunit_attach_mm(void)
>
> return 0;
> }
> +EXPORT_SYMBOL_GPL(kunit_attach_mm);
>
> static int kunit_vm_mmap_init(struct kunit_resource *res, void *context)
> {
> --
> 2.50.0.727.gbf7dc18ff4-goog
Reviewed-by: Kees Cook
--
Kees Cook
+ goto cleanup;
> + }
> +
> + if (list_lru_init(&binder_selftest_freelist)) {
> + pr_err("failed to init test freelist\n");
> + goto cleanup;
> + }
> +
> + alloc->freelist = &binder_selftest_freelist;
> +
> pr_info("STARTED\n");
> binder_selftest_alloc_offset(alloc, end_offset, 0);
> - binder_selftest_run = false;
> if (binder_selftest_failures > 0)
> pr_info("%d tests FAILED\n", binder_selftest_failures);
> else
> pr_info("PASSED\n");
>
> + if (list_lru_count(&binder_selftest_freelist))
> + pr_err("expect test freelist to be empty\n");
> +
> +cleanup:
> + /* Even if we didn't run the test, it's no longer thread-safe. */
> + binder_selftest_run = false;
> + alloc->freelist = prev_freelist;
> + list_lru_destroy(&binder_selftest_freelist);
> done:
> mutex_unlock(&binder_selftest_lock);
> }
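Review bot: the `goto cleanup` taken when `list_lru_init(&binder_selftest_freelist)` fails still falls into `list_lru_destroy(&binder_selftest_freelist)` under the `cleanup:` label. Confirm that destroying a list_lru whose init failed is safe here, or give the init-failure path its own label that skips the destroy and only resets `binder_selftest_run` and `alloc->freelist`.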
> --
> 2.50.0.727.gbf7dc18ff4-goog
Otherwise looks good.
--
Kees Cook
; pr_err("expect lru but is %s at page index %d\n",
> --
> 2.50.0.727.gbf7dc18ff4-goog
>
--
Kees Cook
d_type(type) (((typeof(type))(-1)) < (__force typeof(type))1)
#define is_unsigned_type(type) (!is_signed_type(type))
/*
--
Kees Cook
o update when changes happen. (Well, 3, since
kern-doc already needs updating too.)
Can't we collect error codes programmatically through control flow
analysis? Argument mapping is already present in the SYSCALL macros,
etc. Let's not repeat this info.
-Kees
--
Kees Cook
at was in your v1. :)
>
> Suggested-by: Kees Cook
>
No blank line here -- other tags should all be together with the S-o-b
line.
> Signed-off-by: Sameeksha Sankpal
> ---
> v1 -> v2:
> - Used TH_LOG instead of printf for error logging
> - Moved variable declaration t
On Fri, 16 May 2025 18:17:22 -0700, Sumanth Gavini wrote:
> Fix misspelling reported by codespell
>
>
Applied to for-next/seccomp, thanks!
[1/1] selftests: seccomp: Fix "performace" to "performance"
https://git.kernel.org/kees/c/a9b33aae79ce
Take care,
--
Kees Cook
to use is TH_LOG,
probably like this:
rc = get_nth(_metadata, proc_path, 3, &line);
ASSERT_EQ(rc, 1) {
TH_LOG("user_notification_fifo: failed to read stat for PID %d
(rc=%d)", pid, rc);
}
And please don't introduce new variables in the middle -- they need to
be declared at the top of the function.
-Kees
--
Kees Cook
a greater effort to move ctl tables into their
> respective subsystems which will reduce the merge conflicts in
> kernel/sysctl.c.
>
> Signed-off-by: Joel Granados
Reviewed-by: Kees Cook
--
Kees Cook
fix negative_ENOSYS tracer tests on arm32
https://git.kernel.org/kees/c/73989c998814
Take care,
--
Kees Cook
o
need to track level any more.
If you want to be able to explicitly suppress KTAP output, that's
probably a new thing to be added. But normally it's not needed -- things
should be fairly readable even with KTAP output.
--
Kees Cook
> one file.
>
> This is part of a greater effort to move ctl tables into their
> respective subsystems which will reduce the merge conflicts in
> kernel/sysctl.c.
>
> Signed-off-by: Joel Granados
Reviewed-by: Kees Cook
--
Kees Cook
educe the merge conflicts in
> kernel/sysctl.c.
>
> Signed-off-by: Joel Granados
Reviewed-by: Kees Cook
--
Kees Cook
cts in
> kernel/sysctl.c.
>
> Signed-off-by: Joel Granados
Reviewed-by: Kees Cook
--
Kees Cook
f CONFIG_PROC_SYSCTL
> + {
> + .procname = "cad_pid",
> + .data = NULL,
nit: this is redundant, any unspecified member will be zero-initialized.
Regardless:
Reviewed-by: Kees Cook
> + .maxlen = sizeof(int),
> +
ems which will reduce the merge conflicts in
> kernel/sysctl.c.
>
> Signed-off-by: Joel Granados
Reviewed-by: Kees Cook
--
Kees Cook
ilter.h
> linux/binfmts.h
>
> Signed-off-by: Joel Granados
This is very nice! :)
Reviewed-by: Kees Cook
--
Kees Cook
On Fri, May 09, 2025 at 02:54:15PM +0200, Joel Granados wrote:
> These comments are older than 2003 and therefore do not bear any
> relevance on the current state of the sysctl.c file. Remove them as they
> confuse more than clarify.
>
> Signed-off-by: Joel Granados
Reviewe
effort to move ctl tables into their
> respective subsystems which will reduce the merge conflicts in
> kernel/sysctl.c.
>
> Signed-off-by: Joel Granados
Yup, all looks good, including the variable relocation.
Reviewed-by: Kees Cook
> ---
> include/linux/rtmutex.h |
sctl.c.
nit: do_proc_dointvec_minmax
>
> This is part of a greater effort to move ctl tables into their
> respective subsystems which will reduce the merge conflicts in
> kernel/sysctl.c.
>
> Signed-off-by: Joel Granados
But yes, this looks correct.
Reviewed-by: Kees Cook
s one should be called
"panic_on_stack_exhaustion", but so be it. :)
Reviewed-by: Kees Cook
> ---
> kernel/panic.c | 10 ++
> kernel/sysctl.c | 10 --
> 2 files changed, 10 insertions(+), 10 deletions(-)
>
> diff --gi
_restart test for arm compat
https://git.kernel.org/kees/c/797002deed03
Take care,
--
Kees Cook
> > > base
> > > further patches on. For that I'd like to pick up all the nolibc patches
> > > from
> > > this series through the nolibc tree. They got Acks from Willy.
> > >
> > > Any objections?
> >
> > No objection on my side!
> >
>
> Thanks.
>
> Kees, do you have any comments on this series? If you are okay
> with it, I would like to apply this for next.
Fine by me! :)
--
Kees Cook
l_tests.config so they are enabled when the KUnit
> runner builds the kernel.
>
>
> [...]
Applied to for-linus/hardening, thanks!
[1/1] lib: Ensure prime numbers tests are included in KUnit test runs
https://git.kernel.org/kees/c/4ea404fdbc39
Take care,
--
Kees Cook
f --git a/tools/testing/kunit/configs/all_tests.config
b/tools/testing/kunit/configs/all_tests.config
index cdd9782f9646..554da9df02f2 100644
--- a/tools/testing/kunit/configs/all_tests.config
+++ b/tools/testing/kunit/configs/all_tests.config
@@ -51,3 +51,5 @@ CONFIG_SOUND=y
CONFIG_SND=y
CONFIG_SND_SOC=y
CONFIG_SND_SOC_TOPOLOGY_BUILD=y
+
+CONFIG_PRIME_NUMBERS=y
--
Kees Cook
https://git.kernel.org/kees/c/3f2925174f8b
Take care,
--
Kees Cook
:)
Reviewed-by: Kees Cook
--
Kees Cook
viewed-by: Kees Cook
--
Kees Cook
to lib/test_sysctl.c where the registration reference is
> handled on module exit
>
> 'Fixes: b5ffbd139688 ("sysctl: move the extra1/2 boundary check of u8 to
Typo: drop leading '
> sysctl_check_table_array")'
And avoid wrapping this line for the field.
>
out of range.
>
> Signed-off-by: Joel Granados
Reviewed-by: Kees Cook
--
Kees Cook
.org/kees/c/5866730da723
[2/6] scanf: remove redundant debug logs
https://git.kernel.org/kees/c/6340d61b9005
[3/6] scanf: convert self-test to KUnit
https://git.kernel.org/kees/c/97c1f302f2bc
[4/6] scanf: break kunit into test cases
https://git.kernel.org/kees/c/d62f8c95470c
Take care,
--
Kees Cook
next and the next merge window.
>
> > scanf: tidy header `#include`s
>
> This one is a bit controversial and might be added later.
>
> > scanf: further break kunit into test cases
>
> This one was just an attempt. But I personally think that
> it is not worth it.
>
> Best Regards,
> Petr
--
Kees Cook
On Fri, Mar 14, 2025 at 05:48:00PM +0100, Christophe Leroy wrote:
>
>
> Le 12/03/2025 à 17:30, Kees Cook a écrit :
> > On Wed, Mar 12, 2025 at 04:45:24PM +0100, Vlastimil Babka wrote:
> > > On 3/6/25 17:57, Luis Chamberlain wrote:
> > > > + linux-
the file. Additionally, merge the
> >> message on a single line because checkpatch.pl recommends that for the
> >> ability to grep for the string.
> >>
> >> Suggested-by: Kees Cook
> >> Signed-off-by: Petr Pavlu
> >> ---
> >> I opted to
can carry this in
the "lib/ kunit tests move to lib/tests/" tree.
-Kees
--
Kees Cook
On Fri, Feb 21, 2025 at 08:04:05PM -0500, Tamir Duberstein wrote:
> On Fri, Feb 21, 2025 at 7:57 PM Kees Cook wrote:
> >
> > On Mon, 17 Feb 2025 08:30:44 -0500, Tamir Duberstein wrote:
> > > Remove a leftover shell script reference from commit 313b38a6ecb4
> > >
selftets: lib: remove reference to prime_numbers
https://git.kernel.org/kees/c/03d0e920d775
Take care,
--
Kees Cook
uot;
> echo "make sure the test passes a series of tests."
> echo
> - echo Example uses:
> + echo Example usage:
> echo
> echo "$TEST_NAME.sh-- executes all tests"
> echo "$TEST_NAME.sh -t 0002-- Executes test ID 0002 number of times
> is recomended"
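Review bot: the unchanged context line directly below the edited `echo Example usage:` still prints the misspelling "recomended" in the `-t 0002` usage text. Since this hunk already touches the usage output, correct it to "recommended" in the same change.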
> --
> 2.34.1
>
--
Kees Cook
t right now.
> >
> > Log:
> > https://download.copr.fedorainfracloud.org/results/@kernel-vanilla/next/fedora-rawhide-x86_64/08642966-next-next-all/builder-live.log.gz
> >
> > Ciao, Thorsten
> >
>
> Hmm... this definitely seems like a problem, but I haven't been able
> to reproduce it here (either under x86_64 or UML, both as a module and
> built-in). The suggested fix of changing the path to "../utf8n.h"
> doesn't seem to have broken it, though.
Thanks for the reports! I've squashed this path correction into my tree
and it should be fixed in the next -next. :)
-Kees
--
Kees Cook
ut instead
of in the same work tree. :(
--
Kees Cook
rtions(+), 77 deletions(-)
Thanks! I've applied this and rebased it onto:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=for-next/move-kunit-tests
--
Kees Cook
.com/
> > [2]
> > ---
> >
> > Bruno Sobreira França (1):
> >lib/math: Add int_log test suite
> >
> > Diego Vieira (1):
> >lib/tests/kfifo_kunit.c: add tests for the kfifo structure
> >
> > Gabriela Bittencourt (2):
> >
> Link: https://refspecs.linuxfoundation.org/elf/gabi4+/ch4.symtab.html
> Signed-off-by: Thomas Weißschuh
Reviewed-by: Kees Cook
--
Kees Cook
docs.oracle.com/cd/E19683-01/816-1386/chapter6-80869/index.html
> Signed-off-by: Thomas Weißschuh
Reviewed-by: Kees Cook
--
Kees Cook
Link:
> https://refspecs.linuxfoundation.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/symversion.html#VERDEFEXTS
> Signed-off-by: Thomas Weißschuh
Reviewed-by: Kees Cook
--
Kees Cook
> Signed-off-by: Thomas Weißschuh
Reviewed-by: Kees Cook
--
Kees Cook
Link:
> https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/libc-ddefs.html
> Signed-off-by: Thomas Weißschuh
Reviewed-by: Kees Cook
--
Kees Cook
On Tue, Feb 04, 2025 at 04:17:03PM +0100, Thomas Weißschuh wrote:
> On Tue, Feb 04, 2025 at 07:10:00AM -0800, Kees Cook wrote:
> > On Mon, Feb 03, 2025 at 10:05:05AM +0100, Thomas Weißschuh wrote:
> > > The definitions are used by tools/testing/selftests/vDSO/parse_vdso.c.
ed libc header somewhere?
-Kees
--
Kees Cook
ritten function pointer, not that they already have arbitrary
execution control. (i.e. taking a "jump anywhere" primitive and
upgrading it to "execute anything".) Is the expectation that existing
ROP/JOP techniques make protecting memfd irrelevant?
--
Kees Cook
main declaration with argc/argv present. But it's mostly
aesthetic.
And if you think use of kselftest.h isn't universal, then perhaps we can
avoid the macro, but it does seem nicer and more "normal" feeling for
the rest of kernel development.
-Kees
--
Kees Cook
-git a/tools/testing/selftests/mm/hugetlb-madvise.c
> b/tools/testing/selftests/mm/hugetlb-madvise.c
> index e74107185324f..43f16c12c8e9a 100644
> --- a/tools/testing/selftests/mm/hugetlb-madvise.c
> +++ b/tools/testing/selftests/mm/hugetlb-madvise.c
> @@ -58,7 +58,7 @@ void read_fault_pages(void *addr, unsigned long nr_pages)
> }
> }
>
> -int main(int argc, char **argv)
> +int main(int __attribute__((unused)) argc, char **argv)
Can we add a macro in kselftest.h for "__unused" like the kernel already
does? Then instead of removing args, we can just mark them, like you're
doing here.
--
Kees Cook
On Wed, Jan 08, 2025 at 07:06:13PM +, Lorenzo Stoakes wrote:
> On Mon, Jan 06, 2025 at 04:44:33PM -0800, Kees Cook wrote:
> > On Mon, Jan 06, 2025 at 10:26:27AM -0800, Jeff Xu wrote:
> > > + Kees because this is related to W^X memfd and security.
> > >
> > >
:Expected exp_args[2] (3134324433)
> == info.entry.args[1] (18446744072548908753)
>
> Fixes: b5bb6d3068ea ("selftests/seccomp: fix 32-bit build warnings")
> Signed-off-by: Dmitry V. Levin
Ah nice, thanks!
Reviewed-by: Kees Cook
--
Kees Cook
e cover
> > letter, it wouldn't matter that much to an attacker whether the
> > mapping is shared or private (as long as the VMA contents haven't been
> > CoWed already).
> +1 on this.
> The concept of blocking this for only shared mapping is questionable.
Right -- why does sharedness matter? It seems more robust to me to not
create a corner case but rather apply the flag/behavior universally?
--
Kees Cook
mode for that?)
Also, why is it too late to cancel? Can we set the module to the
"Unloading" state to stop any dependent modules from loading on top of
it, and then request it unload?
--
Kees Cook
it doesn't hurt to keep.
>
> Fixes: 92307383082d ("coredump: Don't perform any cleanups before dumping
> core")
> Cc: sta...@vger.kernel.org
> Cc: Eric W. Biederman
> Acked-by: Oleg Nesterov
> Signed-off-by: Nam Cao
Thanks for fixing this!
Acked-by: Kees Cook
--
Kees Cook
mes appearing in /tmp for selftests.
-Kees
--
Kees Cook
rt of
> the subsystem name. So for example, instead of "(supporter:SUBSYSTEM)"
> report "(maintainer:SUBSYSTEM [supported])".
>
> [1]
> https://lore.kernel.org/all/20221006162413.858527-1-bryan.odonog...@linaro.org/
>
> Cc: "Theodore Ts'o"
On Sat, Nov 02, 2024 at 11:29:55AM +, Zbigniew Jędrzejewski-Szmek wrote:
> On Thu, Oct 31, 2024 at 03:10:37PM -0700, Kees Cook wrote:
> > On Wed, 30 Oct 2024 14:37:31 -0600, Tycho Andersen wrote:
> > > Zbigniew mentioned at Linux Plumber's that systemd is intereste
at(AT_EMPTY_PATH) case
https://git.kernel.org/kees/c/7bdc6fc85c9a
[2/2] selftests/exec: add a test for execveat()'s comm
https://git.kernel.org/kees/c/bd104872311a
Take care,
--
Kees Cook
s regardless of bprm->fdpath.
>
> It will be a change of behavior on when executing symlinks and possibly
> mount points but I don't think we care. If we do then we can add make
> it conditional with "if (bprm->fdpath)"
>
> At the very least using the above version unconditionally ought to flush
> out any bugs.
I'm not super comfortable doing this regardless of bprm->fdpath; that
seems like too many cases getting changed. Can we just leave it as
depending on bprm->fdpath?
Also, is d_name.name always going to be set? e.g. what about memfd, etc?
--
Kees Cook
not described in 'kunit_kfree_const'
>
> Reported-by: Stephen Rothwell
> Closes: https://lore.kernel.org/lkml/20240827160631.67e12...@canb.auug.org.au/
> Fixes: f2c6dbd22017 ("kunit: Device wrappers should also manage driver name")
> Signed-off-by: David Gow
Reviewed-by: Kees Cook
--
Kees Cook
suffix before sorting symbols
https://git.kernel.org/kees/c/020925ce9299
[2/2] kallsyms: Match symbols exactly with CONFIG_LTO_CLANG
https://git.kernel.org/kees/c/fb6a421fb615
Take care,
--
Kees Cook
ching is probably not used by a lot of users, so I guess we
> are OK without Fixes tags? I personally don't have a strong preference
> either way.
>
> It is not necessary to invert the order of the two patches. Only applying
> one of the two patches won't cause more issues than what we have today.
Which tree should carry this series?
--
Kees Cook
On Fri, Jul 05, 2024 at 09:10:36AM +0200, Peter Zijlstra wrote:
> On Wed, Jul 03, 2024 at 01:36:19PM -0700, Kees Cook wrote:
>
> > Yes, please use struct_size_t(). This is exactly what it was designed for.
>
> Kees, please, just let up, not going to happen. I'm getting re
nce with __counted_by:
+ int sessions_cnt;
+ struct session_consumer sessions[] __counted_by(sessions_cnt);
--
Kees Cook
odpost: missing MODULE_DESCRIPTION() in lib/test_bits.o
>
> Add the missing invocations of the MODULE_DESCRIPTION() macro.
>
> Signed-off-by: Jeff Johnson
Thanks for chasing these down!
Reviewed-by: Kees Cook
--
Kees Cook
thanks!
[1/1] tracing: Add sched_prepare_exec tracepoint
https://git.kernel.org/kees/c/5c5fad46e48c
Take care,
--
Kees Cook
rp=/usr/bin/dmesg filename=/usr/bin/dmesg pid=389 comm=bash
>
> Signed-off-by: Marco Elver
This looks good to me. If tracing wants to take it:
Acked-by: Kees Cook
If not, I can take it in my tree if I get a tracing Ack. :)
-Kees
--
Kees Cook
On Tue, Apr 09, 2024 at 08:25:45PM +0200, Marco Elver wrote:
> On Tue, Apr 09, 2024 at 08:46AM -0700, Kees Cook wrote:
> [...]
> > > + trace_new_exec(current, bprm);
> > > +
> >
> > All other steps in this function have explicit comments about
> > wha
gt; + __string( comm, task->comm )
> + ),
> +
> + TP_fast_assign(
> + __assign_str(filename, bprm->filename);
What about binfmt_misc, and binfmt_script? You may want bprm->interp
too?
-Kees
> + __entry->pid = task->pid;
> + __assign_str(comm, task->comm);
> + ),
> +
> + TP_printk("filename=%s pid=%d comm=%s",
> + __get_str(filename), __entry->pid, __get_str(comm))
> +);
> +
> #endif
>
> /* This part must be outside protection */
> --
> 2.44.0.478.gd926399ef9-goog
>
--
Kees Cook
On Sat, Mar 09, 2024 at 01:51:16PM -0500, Steven Rostedt wrote:
> On Sat, 9 Mar 2024 10:27:47 -0800
> Kees Cook wrote:
>
> > On Tue, Mar 05, 2024 at 08:59:10PM -0500, Steven Rostedt wrote:
> > > This is a way to map a ring buffer instance across reboots.
> >
/
https://docs.kernel.org/admin-guide/ramoops.html
[2]
https://www.freedesktop.org/software/systemd/man/latest/systemd-pstore.service.html
--
Kees Cook
.db90a6d5-oliver.s...@intel.com
>
>
> [ 42.894536][T1] [ cut here ]
> [ 42.895474][T1] UBSAN: signed-integer-overflow in
> lib/test_memcat_p.c:47:10
> [ 42.897128][T1] 6570 * 725861 cannot be represented in type 'int'
I'm surprised to see the sanitizer catching anything here since the
kernel is built with -fno-strict-overflow, but regardless, I'll send a
patch...
-Kees
--
Kees Cook
es
> all be the same")
> Signed-off-by: Steven Rostedt (Google)
Since I reviewed the earlier patch, I will repeat here for the formal
one too. :) Thanks for avoiding the hashing!
Reviewed-by: Kees Cook
--
Kees Cook
on.\n");
>> +}
>> }
>> -#elif defined(CONFIG_ARCH_HAS_STRICT_KERNEL_RWX)
>> -static inline void mark_readonly(void)
>> -{
>> -pr_warn("Kernel memory protection not selected by kernel config.\n");
>> -}
>> -#else
>> -static inline void mark_readonly(void)
>> -{
>> -pr_warn("This architecture does not have kernel memory protection.\n");
>> -}
>> -#endif
>>
>> void __weak free_initmem(void)
>> {
>> --
>> 2.41.0
--
Kees Cook
yle
https://git.kernel.org/kees/c/c62c9771b7d6
Take care,
--
Kees Cook
exact situation (casting an error pointer to another type).
>
> Closes: https://github.com/ClangBuiltLinux/linux/issues/1947
> Fixes: 5790b1fb3d67 ("eventfs: Remove eventfs_file and just use
> eventfs_inode")
> Signed-off-by: Nathan Chancellor
Yes, please. That's the correct method to do such casts. Thanks!
Reviewed-by: Kees Cook
--
Kees Cook
option.
Reviewed-by: Kees Cook
--
Kees Cook
e comment style
Seems like a nice bit of clean-up.
Reviewed-by: Kees Cook
--
Kees Cook
st struct
> kernel_param *kp)
> {
> const struct kparam_string *kps = kp->str;
>
> - if (strlen(val)+1 > kps->maxlen) {
> + if (strnlen(val, kps->maxlen) == kps->maxlen) {
> pr_err("%s: string doesn't fit in %u chars.\n",
> kp->name, kps->maxlen-1);
> return -ENOSPC;
> --
> 2.40.0.1.gaa8946217a0b
>
--
Kees Cook
@@ -19302,8 +19302,8 @@ F: include/uapi/linux/seccomp.h
F: kernel/seccomp.c
F: tools/testing/selftests/kselftest_harness.h
F: tools/testing/selftests/seccomp/*
-K: \bsecure_computing
-K: \bTIF_SECCOMP\b
+D: \bsecure_computing
+D: \bTIF_SECCOMP\b
SECURE DIGITAL HOST CONTROLLER INTERFACE (SDHCI) Broadcom BRCMSTB DRIVER
M: Kamal Dasu
--
Kees Cook
re are used when rendering:
https://docs.kernel.org/process/maintainers.html
In this case, I assume "D" is inspired by "Diff", so perhaps reword this
to get a proper emphasis hint, and add additional context:
D: *Diff content regex* (perl extended) pattern match that applies
only to patches and not entire files (e.g. when using the
get_maintainers.pl script).
--
Kees Cook
hanged in a patch, but we're not
maintainers of the files they appear in.
> > Justin Stitt (3):
> > MAINTAINERS: add documentation for D:
> > get_maintainer: add patch-only pattern matching type
Can we squash these two changes together, and then likely add some
patches for moving things out of K: ?
--
Kees Cook
On Wed, Sep 20, 2023 at 02:10:09PM -0700, Luis Chamberlain wrote:
> Use glob include/linux/module*.h to capture all module changes.
>
> Suggested-by: Kees Cook
> Signed-off-by: Luis Chamberlain
Thanks!
Reviewed-by: Kees Cook
--
Kees Cook
Add the markings for the SLAB_VIRTUAL area.
Cc: Matteo Rizzo
Cc: Jann Horn
Cc: Dave Hansen
Cc: Andy Lutomirski
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: x...@kernel.org
Cc: "H. Peter Anvin"
Signed-off-by: Kees Cook
---
This is on
On Fri, Sep 15, 2023 at 09:36:23AM +0200, David Rheinsberg wrote:
> Hi
>
> On Fri, Sep 15, 2023, at 7:13 AM, Kees Cook wrote:
> >> - /* @hid is zero-initialized, strncpy() is correct, strlcpy() not */
> >> - len = min(sizeof(hid->name), sizeof(ev->u.create2.name