-exploit/
tree/master/exploit-remaining-spectre-gadget/
Signed-off-by: Jinbum Park
---
kernel/events/core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index f6ea33a..3313552 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -50,6
LL by default
because no one could point to real-world performance impacts with
REFCOUNT_FULL vs unprotected atomic_t infrastructure.
This is the reason arm64 ended up enabling REFCOUNT_FULL.
(4adcec1164de ("arm64: Always use REFCOUNT_FULL"))
As with the decision of arm64,
arm can set REF
To enable UBSAN on arm, ARCH_HAS_UBSAN_SANITIZE_ALL needs to be selected.
Basic test has passed on Raspberry Pi2, Raspbian jessie lite with
CONFIG_UBSAN_SANITIZE_ALL, CONFIG_UBSAN_NULL.
Signed-off-by: Jinbum Park
---
arch/arm/Kconfig | 1 +
arch/arm/boot/compressed/Makefile
t has security-risk.
Signed-off-by: Jinbum Park
---
arch/arm/mm/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
index 7f14acf..40e5fe5 100644
--- a/arch/arm/mm/Kconfig
+++ b/arch/arm/mm/Kconfig
@@ -840,7 +840,7 @@ config NEED_KUSER_HE
them.
Signed-off-by: Jinbum Park
---
lib/Kconfig.ubsan | 7 +++
lib/Makefile | 2 +
lib/test_ubsan.c | 144 ++
3 files changed, 153 insertions(+)
create mode 100644 lib/test_ubsan.c
diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
est-5/arm-linux-gnueabi/
[3] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78678
Cc: Arnd Bergmann
Signed-off-by: Jinbum Park
Signed-off-by: Seung-Woo Kim
---
v2: Add sign of Seung-Woo Kim.
Add commit message about history, build environment.
---
arch/arm/Kconfig | 1 +
M can be built and run with CONFIG_FORTIFY_SOURCE.
Additionally, modify vdso.c to remove the compile error that happens
when the arm kernel is built with CONFIG_FORTIFY_SOURCE.
Jinbum Park (2):
arm: mm: Define vdso_start, vdso_end as array
arm: Kconfig: Add ARCH_HAS_FORTIFY_SOURCE
arch/arm/Kc
happens at this code.
- if (memcmp(&vdso_start, "\177ELF", 4))
The size of "&vdso_start" is recognized as 1 byte, but n is 4,
so that a compile-time error is reported.
Signed-off-by: Jinbum Park
---
arch/arm/include/asm/vdso.h | 2 --
arch/arm/kernel/vdso.c | 12 +
that flag like other architectures,
select ARCH_HAS_FORTIFY_SOURCE as default.
Signed-off-by: Jinbum Park
---
arch/arm/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 7e3d535..3765336 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -7,6
Just fix a typo in the code comment.
Signed-off-by: Jinbum Park
---
arch/arm/probes/kprobes/opt-arm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/probes/kprobes/opt-arm.c
b/arch/arm/probes/kprobes/opt-arm.c
index bcdecc2..073c0ba 100644
--- a/arch/arm/probes
/boot/compressed/* can't find that function.
Jinbum Park (2):
arm: mm: Define vdso_start, vdso_end as array
arm: Kconfig: Add ARCH_HAS_FORTIFY_SOURCE
arch/arm/Kconfig| 1 +
arch/arm/include/asm/vdso.h | 2 --
arch/arm/kernel/vdso.c | 12 +++-
3 files changed, 8
that flag like other architectures,
select ARCH_HAS_FORTIFY_SOURCE as default.
Acked-by: Kees Cook
Signed-off-by: Jinbum Park
---
v2: Add fortify_panic() in arch/arm/boot/compressed/misc.c,
because there will be a build error without that function.
---
arch/arm/Kconfig
happens at this code.
- if (memcmp(&vdso_start, "\177ELF", 4))
The size of "&vdso_start" is recognized as 1 byte, but n is 4,
so that a compile-time error is reported.
Acked-by: Kees Cook
Signed-off-by: Jinbum Park
---
v2: No changes
---
arch/arm/include/asm/vdso.h |
This patch adds testcases for the CONFIG_DEBUG_RODATA option.
It's similar to x86's testcases.
It tests read-only mapped data and page-size aligned rodata section.
Signed-off-by: Jinbum Park
---
arch/arm/Kconfig.debug| 5 +++
arch/arm/include/asm/cacheflush.h | 10 +
change the state of CONFIG_DEBUG_RODATA_TEST,
It causes overhead of kernel build.
To solve the above issue,
write arch-independent testcases and move them to a shared location. (main.c)
Signed-off-by: Jinbum Park
---
arch/x86/Kconfig.debug| 8 -
arch/x86/include/asm/cacheflush.h | 10
change the state of CONFIG_DEBUG_RODATA_TEST,
It causes overhead of kernel build.
To solve the above issue,
write arch-independent testcases and move them to a shared location. (main.c)
Signed-off-by: Jinbum Park
---
v2: Restore original credit of mm/rodata_test.c
arch/x86/Kconfig.debug| 8
change the state of CONFIG_DEBUG_RODATA_TEST,
It causes overhead of kernel build.
To solve the above issue,
move x86's testcases to a shared location where other archs can call them,
and move the declaration of rodata_test_data to a separate header file.
Signed-off-by: Jinbum Park
---
v3
change the state of CONFIG_DEBUG_RODATA_TEST,
It causes overhead of kernel build.
To solve the above issue,
write arch-independent testcases and move them to a shared location.
Signed-off-by: Jinbum Park
---
v4: Move the rodata_test() call out into mark_readonly()
v3: Use probe_kernel_write() instead of
change the state of CONFIG_DEBUG_RODATA_TEST,
It causes overhead of kernel build.
To solve the above issue,
write arch-independent testcases and move them to a shared location.
Signed-off-by: Jinbum Park
---
(Sorry, the previous patch-v4 doesn't have any changes. My mistake. Please see this
patch)
change the state of CONFIG_DEBUG_RODATA_TEST,
It causes overhead of kernel build.
To solve the above issue,
write arch-independent testcases and move them to a shared location.
Signed-off-by: Jinbum Park
---
v4: Move the rodata_test() call out into mark_readonly()
Delete some comment
v3: Use
Just fix a typo in the code comment.
Signed-off-by: Jinbum Park
---
arch/arm/probes/kprobes/opt-arm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/probes/kprobes/opt-arm.c
b/arch/arm/probes/kprobes/opt-arm.c
index bcdecc2..073c0ba 100644
--- a/arch/arm/probes
Since DEBUG_RODATA has been renamed to STRICT_KERNEL_RWX,
fix the config dependency.
Reported-by: Valentin Rothberg
Signed-off-by: Jinbum Park
---
mm/Kconfig.debug | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
index 3e5eada..3c88b7e 100644
patch adds these common typos.
Signed-off-by: Jinbum Park
---
scripts/spelling.txt | 3 +++
1 file changed, 3 insertions(+)
diff --git a/scripts/spelling.txt b/scripts/spelling.txt
index 417ede8..201d0ed 100644
--- a/scripts/spelling.txt
+++ b/scripts/spelling.txt
@@ -74,6 +74,7 @@ algoritms
Move the AES inverse S-box to the .rodata section
where it is safe from abuse by speculation.
Signed-off-by: Jinbum Park
---
arch/arm/crypto/aes-cipher-core.S | 19 ++-
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/arch/arm/crypto/aes-cipher-core.S
b/arch/arm
rf stat -B -- echo REFCOUNT_TIMING \
>/sys/kernel/debug/provoke-crash/DIRECT
208.006062212 seconds time elapsed
- Case with CONFIG_REFCOUNT_FULL,
perf stat -B -- echo REFCOUNT_TIMING \
>/sys/kernel/debug/provoke-crash/DIRECT
369.256523453 seconds time elapsed
Si
2017-12-06 8:51 GMT+09:00 Laura Abbott :
> On 12/04/2017 06:27 AM, Jinbum Park wrote:
>>
>> Page mappings with full RWX permissions are a security risk.
>> x86 and arm64 have an option to walk the page tables
>> and dump any bad pages.
>>
>> (1404d6f13e47
>
register() already returns what you think.
>> +int ptdump_debugfs_register(struct ptdump_info *info, const char *name)
>> +{
>> + struct dentry *pe;
>> +
>> + pe = debugfs_create_file(name, 0400, NULL, info, &ptdump_fops);
>> + return pe ? 0 : -ENOMEM;
>> +
>> +}
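Review bot: the stray blank line after the return statement, just before the closing brace of ptdump_debugfs_register(), should be dropped. The function also reports every NULL result from debugfs_create_file() as -ENOMEM, so a short comment saying that the error code does not reflect the actual cause would help callers that propagate it.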
So "return ptdump_debugfs_register(~~)" is fine.
Thanks.
Jinbum Park.
there was a mistake.
(from "jinb.park" to Jinbum Park)
Contents of the patch set are exactly the same.
v3 :
Take advantage of the existing pg_level and bits arrays
to check ro, nx prot.
v4 :
Add boolean for ro_bit, nx_bit into prot_bits
to point ro_bit, nx_bit in pg_level.
This change is sug
separate option"))
Signed-off-by: Jinbum Park
---
v4: No changes
---
arch/arm/Kconfig.debug| 6 +++-
arch/arm/include/asm/ptdump.h | 48
arch/arm/mm/Makefile | 3 +-
arch/arm/mm/dump.c| 65 +++-
This patch makes the page table dumping seq_file optional.
It makes the page table dumping code usable for other cases.
This patch refers to the below commit of arm64.
(ae5d1cf358a5
("arm64: dump: Make the page table dumping seq_file optional"))
Acked-by: Kees Cook
Signed-off-by: Jinbum Pa
Page mappings with full RWX permissions are a security risk.
x86 and arm64 have an option to walk the page tables
and dump any bad pages.
(1404d6f13e47
("arm64: dump: Add checking for writable and exectuable pages"))
Add a similar implementation for arm.
Signed-off-by: Jinbum Park
-
pgd_cache is set up once during the init stage and never changed after
that, so it is a good candidate for __ro_after_init
Signed-off-by: Jinbum Park
---
arch/arm64/mm/pgd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/mm/pgd.c b/arch/arm64/mm/pgd.c
index 371c5f0
> (add Dave)
>
> On 21 December 2017 at 09:18, Ard Biesheuvel
> wrote:
>> On 21 December 2017 at 07:50, Jinbum Park wrote:
>>> This adds support to arm for fast refcount checking.
>>> It's heavily based on x86, arm64 implementation.
>>> (7a46ec0e2
arm prefers to use REFCOUNT_FULL by default.
This enables it for arm.
Signed-off-by: Jinbum Park
---
arch/arm/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 3d349b4..ec80270 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -100,6
there was a mistake.
(from "jinb.park" to Jinbum Park)
Contents of the patch set are exactly the same.
Jinbum Park (3):
arm: mm: dump: make page table dumping reusable
arm: mm: dump: make the page table dumping seq_file optional
arm: mm: dump: add checking for writable and executable p
separate option"))
Signed-off-by: Jinbum Park
---
arch/arm/Kconfig.debug| 6 +++-
arch/arm/include/asm/ptdump.h | 48
arch/arm/mm/Makefile | 3 +-
arch/arm/mm/dump.c| 65 +++
arch/arm/mm/pt
This patch makes the page table dumping seq_file optional.
It makes the page table dumping code usable for other cases.
This patch refers to the below commit of arm64.
(ae5d1cf358a5
("arm64: dump: Make the page table dumping seq_file optional"))
Signed-off-by: Jinbum Park
---
arch/arm/mm/d
Page mappings with full RWX permissions are a security risk.
x86 and arm64 have an option to walk the page tables
and dump any bad pages.
(1404d6f13e47
("arm64: dump: Add checking for writable and exectuable pages"))
Add a similar implementation for arm.
Signed-off-by: Jinbum Park
---
there was a mistake.
(from "jinb.park" to Jinbum Park)
Contents of the patch set are exactly the same.
v3 :
Take advantage of the existing pg_level and bits arrays
to check ro, nx prot.
jinb.park (3):
arm: mm: dump: make page table dumping reusable
arm: mm: dump: make the page table d
separate option"))
Signed-off-by: Jinbum Park
---
v3: No changes
arch/arm/Kconfig.debug| 6 +++-
arch/arm/include/asm/ptdump.h | 48
arch/arm/mm/Makefile | 3 +-
arch/arm/mm/dump.c| 65 +++-
This patch makes the page table dumping seq_file optional.
It makes the page table dumping code usable for other cases.
This patch refers to the below commit of arm64.
(ae5d1cf358a5
("arm64: dump: Make the page table dumping seq_file optional"))
Signed-off-by: Jinbum Park
---
v3: No changes
Page mappings with full RWX permissions are a security risk.
x86 and arm64 have an option to walk the page tables
and dump any bad pages.
(1404d6f13e47
("arm64: dump: Add checking for writable and exectuable pages"))
Add a similar implementation for arm.
Signed-off-by: Jinbum Park
---
there was a mistake.
(from "jinb.park" to Jinbum Park)
Contents of the patch set are exactly the same.
v3 :
Take advantage of the existing pg_level and bits arrays
to check ro, nx prot.
v4 :
Add boolean for ro_bit, nx_bit into prot_bits
to point ro_bit, nx_bit in pg_level.
This change is sug
separate option"))
Tested-by: Laura Abbott
Reviewed-by: Laura Abbott
Signed-off-by: Jinbum Park
---
v5: No changes
(Just add Tested-by, Reviewed-by from Laura Abbott)
---
arch/arm/Kconfig.debug| 6 +++-
arch/arm/include/asm/ptdump.h | 48
ott
Acked-by: Kees Cook
Signed-off-by: Jinbum Park
---
v5: No changes
(Just add Tested-by, Reviewed-by from Laura Abbott)
---
arch/arm/mm/dump.c | 28 +---
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/arch/arm/mm/dump.c b/arch/arm/mm/dump.c
ind
-by: Laura Abbott
Signed-off-by: Jinbum Park
---
v5: No changes
(Just add Tested-by, Reviewed-by from Laura Abbott)
---
arch/arm/Kconfig.debug| 27
arch/arm/include/asm/ptdump.h | 8 ++
arch/arm/mm/dump.c| 58 +++
there was a mistake.
(from "jinb.park" to Jinbum Park)
Contents of the patch set are exactly the same.
v3 :
Take advantage of the existing pg_level and bits arrays
to check ro, nx prot.
v4 :
Add boolean for ro_bit, nx_bit into prot_bits
to point ro_bit, nx_bit in pg_level.
This change is sug
separate option"))
Reviewed-by: Kees Cook
Tested-by: Laura Abbott
Reviewed-by: Laura Abbott
Signed-off-by: Jinbum Park
---
v6: Use SPDX ids in ptdump.h
Add Reviewed-by from Kees Cook
---
arch/arm/Kconfig.debug| 6 +++-
arch/arm/include/asm/ptdump.h | 35 +++
Reviewed-by: Laura Abbott
Acked-by: Kees Cook
Signed-off-by: Jinbum Park
---
v6: No changes
(Just add Reviewed-by from Kees Cook)
---
arch/arm/mm/dump.c | 28 +---
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/arch/arm/mm/dump.c b/arch/arm/mm/du
-by: Laura Abbott
Reviewed-by: Laura Abbott
Signed-off-by: Jinbum Park
---
v6: No changes
(Just add Reviewed-by from Kees Cook)
---
arch/arm/Kconfig.debug| 27
arch/arm/include/asm/ptdump.h | 8 ++
arch/arm/mm/dump.c
idmap_pgd, arch_phys_to_idmap_offset are set up once
during the init stage, and never changed after that,
so they are good candidates for __ro_after_init.
Signed-off-by: Jinbum Park
---
arch/arm/mm/idmap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm/mm/idmap.c b/arch
core_num_brps, core_num_wrps, debug_arch, has_ossr,
max_watchpoint_len are set up once during the init stage,
and never changed after that,
so they are good candidates for __ro_after_init.
Signed-off-by: Jinbum Park
---
arch/arm/kernel/hw_breakpoint.c | 10 +-
1 file changed, 5 insertions(+), 5