Kees Cook
fed2ef7aba
reset: Annotate struct reset_control_array with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct reset_control_array.
Additionally, since the element count member must be set before accessing
the annotated flexible array member, move its initialization earlier.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Philipp Zabel <p.zabel@pengutronix.de>
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230922175229.work.838-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-24 14:10:04 -07:00
Kees Cook
15fcedd43a
kexec: Annotate struct crash_mem with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct crash_mem.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: kexec@lists.infradead.org
Acked-by: Baoquan He <bhe@redhat.com>
Link: https://lore.kernel.org/r/20230922175224.work.712-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-24 14:09:46 -07:00
Kees Cook
bf5abc17bc
virtio_console: Annotate struct port_buffer with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct port_buffer.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Amit Shah <amit@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: virtualization@lists.linux-foundation.org
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Amit Shah <amit@kernel.org>
Link: https://lore.kernel.org/r/20230922175115.work.059-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-24 14:09:20 -07:00
Gustavo A. R. Silva
68a8f64457
ima: Add __counted_by for struct modsig and use struct_size()
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time via CONFIG_UBSAN_BOUNDS (for
array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
Also, relocate `hdr->raw_pkcs7_len = sig_len;` so that the __counted_by
annotation has effect, and flex-array member `raw_pkcs7` can be properly
bounds-checked at run-time.
While there, use struct_size() helper, instead of the open-coded
version, to calculate the size for the allocation of the whole
flexible structure, including of course, the flexible-array member.
This code was found with the help of Coccinelle, and audited and
fixed manually.
Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/ZSRaDcJNARUUWUwS@work
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-20 10:52:41 -07:00
Kees Cook
8d7af82031
MAINTAINERS: Include stackleak paths in hardening entry
While most of the gcc-plugins are self-contained in the
scripts/gcc-plugins directory, stackleak actually has some additional
files. Add those so changes are directed to the hardening list.
Suggested-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20231019004616.work.960-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-20 10:40:28 -07:00
Kees Cook
0e108725f6
string: Adjust strtomem() logic to allow for smaller sources
Arnd noticed we have a case where a shorter source string is being copied
into a destination byte array, but this results in a strnlen() call that
exceeds the size of the source. This is seen with -Wstringop-overread:
In file included from ../include/linux/uuid.h:11,
from ../include/linux/mod_devicetable.h:14,
from ../include/linux/cpufeature.h:12,
from ../arch/x86/coco/tdx/tdx.c:7:
../arch/x86/coco/tdx/tdx.c: In function 'tdx_panic.constprop':
../include/linux/string.h:284:9: error: 'strnlen' specified bound 64 exceeds source size 60 [-Werror=stringop-overread]
284 | memcpy_and_pad(dest, _dest_len, src, strnlen(src, _dest_len), pad); \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../arch/x86/coco/tdx/tdx.c:124:9: note: in expansion of macro 'strtomem_pad'
124 | strtomem_pad(message.str, msg, '\0');
| ^~~~~~~~~~~~
Use the smaller of the two buffer sizes when calling strnlen(). When
src length is unknown (SIZE_MAX), it is adjusted to use dest length,
which is what the original code did.
Reported-by: Arnd Bergmann <arnd@arndb.de>
Fixes: dfbafa70bd ("string: Introduce strtomem() and strtomem_pad()")
Tested-by: Arnd Bergmann <arnd@arndb.de>
Cc: Andy Shevchenko <andy@kernel.org>
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-18 17:56:32 -07:00
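A simplified re-implementation of the fixed strtomem_pad() logic described in the commit above, added here as an example rather than the kernel's own macro: memcpy_and_pad(), struct message and the fill/selftest functions are stand-ins constructed for illustration, and the strnlen() bound is min(source size, destination size) exactly as the commit describes.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's memcpy_and_pad(): copy count bytes of src into
 * dest and fill whatever is left of dest with pad (simplified). */
static inline void memcpy_and_pad(void *dest, size_t dest_len,
				  const void *src, size_t count, int pad)
{
	if (count > dest_len)
		count = dest_len;
	memcpy(dest, src, count);
	memset((unsigned char *)dest + count, pad, dest_len - count);
}

/*
 * strtomem_pad(): copy a NUL-terminated string into a fixed-size byte array
 * that need not be NUL-terminated, padding the rest. dest must be an array
 * so sizeof() gives its size. The strnlen() bound is the smaller of the two
 * buffer sizes: when the compiler can see that src is shorter than dest,
 * strnlen() is never asked to read past src; when src's size is unknown,
 * __builtin_object_size() returns (size_t)-1 and the bound falls back to
 * dest's size, which is what the original code did.
 */
#define strtomem_pad(dest, src, pad) do {				\
	const size_t _dest_len = sizeof(dest);				\
	size_t _src_len = __builtin_object_size(src, 1);		\
									\
	if (_src_len > _dest_len)	/* unknown or larger than dest */ \
		_src_len = _dest_len;					\
	memcpy_and_pad(dest, _dest_len, src,				\
		       strnlen(src, _src_len), pad);			\
} while (0)

/* Constructed 64-byte, non-NUL-terminated field, like message.str in the
 * tdx_panic() warning above. */
struct message {
	unsigned char str[64];
};

/* The case from the warning: a 60-byte source array into the 64-byte field. */
static void fill_from_short_src(struct message *m, const char *text)
{
	char msg[60];
	size_t n = strnlen(text, sizeof(msg) - 1);

	memcpy(msg, text, n);
	msg[n] = '\0';
	strtomem_pad(m->str, msg, '\0');
}

/* Source of unknown size: only a pointer is visible, so dest's size bounds it. */
static void fill_from_pointer(struct message *m, const char *text)
{
	strtomem_pad(m->str, text, '\0');
}

/* Number of pad bytes at the tail of the field. */
static size_t trailing_pad(const struct message *m, int pad)
{
	size_t n = 0;

	for (size_t i = sizeof(m->str); i > 0 && m->str[i - 1] == (unsigned char)pad; i--)
		n++;
	return n;
}

/* Returns 1 when short, unknown-size and over-long sources all behave as described. */
static int strtomem_pad_selftest(void)
{
	struct message m;
	char big[80];

	fill_from_short_src(&m, "hello");
	if (memcmp(m.str, "hello", 5) != 0 || trailing_pad(&m, '\0') != 59)
		return 0;
	fill_from_pointer(&m, "tdx");
	if (memcmp(m.str, "tdx", 3) != 0 || trailing_pad(&m, '\0') != 61)
		return 0;
	memset(big, 'A', sizeof(big) - 1);	/* 79 bytes: dest's size caps the copy */
	big[sizeof(big) - 1] = '\0';
	fill_from_pointer(&m, big);
	if (m.str[63] != 'A' || trailing_pad(&m, '\0') != 0)
		return 0;
	return 1;
}

int main(void)
{
	printf("strtomem_pad selftest: %s\n", strtomem_pad_selftest() ? "ok" : "FAIL");
	return 0;
}
```

Compiled with -O2 and -Wall, GCC reports the -Wstringop-overread from the commit if the bound is changed back to _dest_len alone; with the min() bound it stays quiet.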
Lukas Bulwahn
faed498d0d
hardening: x86: drop reference to removed config AMD_IOMMU_V2
Commit 5a0b11a180 ("iommu/amd: Remove iommu_v2 module") removes the
config AMD_IOMMU_V2.
Remove the reference to this config in the x86 architecture-specific
hardening config fragment as well.
Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Link: https://lore.kernel.org/r/20231012045040.22088-1-lukas.bulwahn@gmail.com
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-12 09:08:57 -07:00
Kees Cook
381fdb73d1
randstruct: Fix gcc-plugin performance mode to stay in group
The performance mode of the gcc-plugin randstruct was shuffling struct
members outside of the cache-line groups. Limit the range to the
specified group indexes.
Cc: linux-hardening@vger.kernel.org
Cc: stable@vger.kernel.org
Reported-by: Lukas Loidolt <e1634039@student.tuwien.ac.at>
Closes: https://lore.kernel.org/all/f3ca77f0-e414-4065-83a5-ae4c4d25545d@student.tuwien.ac.at
Fixes: 313dd1b629 ("gcc-plugins: Add the randstruct plugin")
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-08 22:46:05 -07:00
Kees Cook
c5225cd073
mailbox: zynqmp: Annotate struct zynqmp_ipi_pdata with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct zynqmp_ipi_pdata.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Jassi Brar <jassisinghbrar@gmail.com>
Cc: Michal Simek <michal.simek@amd.com>
Cc: linux-arm-kernel@lists.infradead.org
Reviewed-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Acked-by: Michal Simek <michal.simek@amd.com>
Link: https://lore.kernel.org/r/20230922175351.work.018-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-08 22:46:05 -07:00
Kees Cook
86748637bf
drivers: thermal: tsens: Annotate struct tsens_priv with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct tsens_priv.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Andy Gross <agross@kernel.org>
Cc: Bjorn Andersson <andersson@kernel.org>
Cc: Konrad Dybcio <konrad.dybcio@linaro.org>
Cc: Amit Kucheria <amitk@kernel.org>
Cc: Thara Gopinath <thara.gopinath@gmail.com>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
Cc: Zhang Rui <rui.zhang@intel.com>
Cc: linux-arm-msm@vger.kernel.org
Cc: linux-pm@vger.kernel.org
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230922175341.work.919-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-08 22:46:05 -07:00
Kees Cook
0f76868245
irqchip/imx-intmux: Annotate struct intmux_data with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct intmux_data.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Shawn Guo <shawnguo@kernel.org>
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: NXP Linux Team <linux-imx@nxp.com>
Cc: linux-arm-kernel@lists.infradead.org
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230922175131.work.718-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-08 22:46:04 -07:00
Kees Cook
a48e1f656b
KVM: Annotate struct kvm_irq_routing_table with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct kvm_irq_routing_table.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230922175121.work.660-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-08 22:46:04 -07:00
Kees Cook
51a71ab21f
virt: acrn: Annotate struct vm_memory_region_batch with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct vm_memory_region_batch.
Additionally, since the element count member must be set before accessing
the annotated flexible array member, move its initialization earlier.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Fei Li <fei1.li@intel.com>
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230922175102.work.020-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-08 22:46:04 -07:00
Kees Cook
4a530cb932
hwmon: Annotate struct gsc_hwmon_platform_data with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct gsc_hwmon_platform_data.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230922175053.work.564-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-08 22:46:04 -07:00
Kees Cook
cfa36f889f
sparc: Annotate struct cpuinfo_tree with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct cpuinfo_tree.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: "David S. Miller" <davem@davemloft.net>
Cc: sparclinux@vger.kernel.org
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230922175159.work.357-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-06 13:25:17 -07:00
Justin Stitt
cba58fcbc4
isdn: kcapi: replace deprecated strncpy with strscpy_pad
`strncpy` is deprecated for use on NUL-terminated destination strings
[1] and as such we should prefer more robust and less ambiguous string
interfaces.
`buf` is used in this context as a data buffer with 64 bytes of memory
to be occupied by capi_manufakturer.
We see the caller capi20_get_manufacturer() passes data.manufacturer as
its `buf` argument which is then later passed over to user space. Due to
this, let's keep the NUL-padding that strncpy provided by using
strscpy_pad so as to not leak any stack data.
| cdev->errcode = capi20_get_manufacturer(data.contr, data.manufacturer);
| if (cdev->errcode)
| return -EIO;
|
| if (copy_to_user(argp, data.manufacturer,
| sizeof(data.manufacturer)))
| return -EFAULT;
Perhaps this would also be a good instance to use `strtomem_pad` for but
in my testing the compiler was not able to determine the size of `buf`
-- even with all the hints.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230922-strncpy-drivers-isdn-capi-kcapi-c-v1-1-55fcf8b075fb@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 11:07:02 -07:00
Justin Stitt
5c80c4fced
isdn: replace deprecated strncpy with strscpy
`strncpy` is deprecated for use on NUL-terminated destination strings
[1] and as such we should prefer more robust and less ambiguous string
interfaces.
We expect `iclock->name` to be NUL-terminated based on its use within
printk:
| printk(KERN_DEBUG "%s: %s %d\n", __func__, iclock->name,
| iclock->pri);
`iclock` is zero-initialized and as such is already NUL-padded which
means strncpy is doing extra work here by eagerly NUL-padding the
destination buffer.
Considering the above, a suitable replacement is `strscpy` [2] due to
the fact that it guarantees NUL-termination on the destination buffer
without unnecessarily NUL-padding.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230922-strncpy-drivers-isdn-misdn-clock-c-v1-1-3ba2a5ae627a@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 11:07:02 -07:00
Kees Cook
1c67401354
NFS/flexfiles: Annotate struct nfs4_ff_layout_segment with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct nfs4_ff_layout_segment.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: Anna Schumaker <anna@kernel.org>
Cc: linux-nfs@vger.kernel.org
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230915201434.never.346-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:53 -07:00
Kees Cook
c0c64aac49
nfs41: Annotate struct nfs4_file_layout_dsaddr with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct nfs4_file_layout_dsaddr.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: Anna Schumaker <anna@kernel.org>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: linux-nfs@vger.kernel.org
Link: https://lore.kernel.org/r/20230915201427.never.771-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:53 -07:00
Kees Cook
96d7c65939
dm: Annotate struct dm_bio_prison with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct dm_bio_prison.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Alasdair Kergon <agk@redhat.com>
Cc: Mike Snitzer <snitzer@kernel.org>
Cc: dm-devel@redhat.com
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230915200407.never.611-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:53 -07:00
Kees Cook
37d27cf1f5
dm: Annotate struct dm_stat with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct dm_stat.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Alasdair Kergon <agk@redhat.com>
Cc: Mike Snitzer <snitzer@kernel.org>
Cc: dm-devel@redhat.com
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230915200400.never.585-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:52 -07:00
Kees Cook
694b3b9d7a
dm: Annotate struct stripe_c with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct stripe_c.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Alasdair Kergon <agk@redhat.com>
Cc: Mike Snitzer <snitzer@kernel.org>
Cc: dm-devel@redhat.com
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230915200352.never.118-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:52 -07:00
Kees Cook
6521ba56ca
dm crypt: Annotate struct crypt_config with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct crypt_config.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Alasdair Kergon <agk@redhat.com>
Cc: Mike Snitzer <snitzer@kernel.org>
Cc: dm-devel@redhat.com
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230915200344.never.272-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:52 -07:00
Kees Cook
e3260d90c8
dm raid: Annotate struct raid_set with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct raid_set.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Alasdair Kergon <agk@redhat.com>
Cc: Mike Snitzer <snitzer@kernel.org>
Cc: dm-devel@redhat.com
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230915200335.never.098-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:52 -07:00
Kees Cook
150849c5e2
drbd: Annotate struct fifo_buffer with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct fifo_buffer.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Philipp Reisner <philipp.reisner@linbit.com>
Cc: Lars Ellenberg <lars.ellenberg@linbit.com>
Cc: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: drbd-dev@lists.linbit.com
Cc: linux-block@vger.kernel.org
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230915200316.never.707-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:52 -07:00
Kees Cook
182717026e
usb: gadget: f_midi: Annotate struct f_midi with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct f_midi.
Additionally, since the element count member must be set before accessing
the annotated flexible array member, move its initialization earlier.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: John Keeping <john@keeping.me.uk>
Cc: Peter Chen <peter.chen@nxp.com>
Cc: Hulk Robot <hulkci@huawei.com>
Cc: Allen Pais <allen.lkml@gmail.com>
Cc: Will McVicker <willmcvicker@google.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Zhang Qilong <zhangqilong3@huawei.com>
Cc: linux-usb@vger.kernel.org
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230915195938.never.611-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:52 -07:00
Kees Cook
c7c4ac7f47
usb: gadget: f_fs: Annotate struct ffs_buffer with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct ffs_buffer.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: John Keeping <john@keeping.me.uk>
Cc: Udipto Goswami <quic_ugoswami@quicinc.com>
Cc: Linyu Yuan <quic_linyyuan@quicinc.com>
Cc: linux-usb@vger.kernel.org
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230915195849.never.275-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:52 -07:00
Kees Cook
d5ae1c3b97
usb: Annotate struct urb_priv with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct urb_priv.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Mathias Nyman <mathias.nyman@intel.com>
Cc: linux-usb@vger.kernel.org
Link: https://lore.kernel.org/r/20230915195812.never.371-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:52 -07:00
Kees Cook
2d26302bdf
afs: Annotate struct afs_addr_list with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct afs_addr_list.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: David Howells <dhowells@redhat.com>
Cc: Marc Dionne <marc.dionne@auristor.com>
Cc: linux-afs@lists.infradead.org
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230915201449.never.649-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:52 -07:00
Kees Cook
aade15333c
afs: Annotate struct afs_permits with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct afs_permits.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: David Howells <dhowells@redhat.com>
Cc: Marc Dionne <marc.dionne@auristor.com>
Cc: linux-afs@lists.infradead.org
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20230915201456.never.529-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:52 -07:00
Kees Cook
5234193ee2
ceph: Annotate struct ceph_osd_request with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct ceph_osd_request.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Ilya Dryomov <idryomov@gmail.com>
Cc: Xiubo Li <xiubli@redhat.com>
Cc: Jeff Layton <jlayton@kernel.org>
Cc: ceph-devel@vger.kernel.org
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Link: https://lore.kernel.org/r/20230915201517.never.373-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:52 -07:00
Kees Cook
e91673b8dc
ocfs2: Annotate struct ocfs2_slot_info with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct ocfs2_slot_info.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: ocfs2-devel@lists.linux.dev
Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Link: https://lore.kernel.org/r/20230915201522.never.979-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:52 -07:00
Gustavo A. R. Silva
b7fa76e03b
usb: atm: Use size_add() in call to struct_size()
If, for any reason, the open-coded arithmetic causes a wraparound,
the protection that `struct_size()` adds against potential integer
overflows is defeated. Fix this by hardening call to `struct_size()`
with `size_add()`.
Fixes: b626871a7c ("usb: atm: Use struct_size() helper")
Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/ZQSuboEIhvATAdxN@work
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-10-02 09:48:51 -07:00
Gustavo A. R. Silva
8fddc4b660
drm/gud: Use size_add() in call to struct_size()
If, for any reason, the open-coded arithmetic causes a wraparound, the
protection that `struct_size()` adds against potential integer overflows
is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.
Fixes: 40e1a70b4a ("drm: Add GUD USB Display driver")
Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/ZQSlyHKPdw/zsy4c@work
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-29 14:48:32 -07:00
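The pattern shared by the __counted_by commits above (count member set before the flexible array is touched, allocation via struct_size()) and the size_add() hardening in the usb/atm and drm/gud commits, as one added example that is not kernel code: size_add(), size_mul() and struct_size() are simplified stand-ins for the kernel helpers, and struct sig_blob with its functions is constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* GCC 15+ and Clang 18+ understand counted_by; older compilers drop it. */
#ifdef __has_attribute
#if __has_attribute(counted_by)
#define __counted_by(member) __attribute__((counted_by(member)))
#endif
#endif
#ifndef __counted_by
#define __counted_by(member)
#endif

/* Saturating size arithmetic in the spirit of the kernel's size_add() and
 * size_mul(): on overflow the result pins to SIZE_MAX, which no allocator
 * will honour, so a wrapped size can never become an undersized buffer.
 * Simplified stand-ins for this example, not the kernel's code. */
static inline size_t size_add(size_t a, size_t b)
{
	size_t r;
	return __builtin_add_overflow(a, b, &r) ? SIZE_MAX : r;
}

static inline size_t size_mul(size_t a, size_t b)
{
	size_t r;
	return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* struct_size(): header plus count flexible-array elements, saturating. */
#define struct_size(p, member, count) \
	size_add(sizeof(*(p)), size_mul(sizeof((p)->member[0]), (count)))

/* Constructed struct in the shape the commits above annotate: a count member
 * followed by the flexible array it bounds (checked under UBSAN/FORTIFY). */
struct sig_blob {
	size_t raw_len;
	uint8_t raw[] __counted_by(raw_len);
};

/* Open-coded count arithmetic: a + b can wrap to a small value before
 * struct_size() sees it, defeating the saturation (the bug the size_add()
 * commits fix). The cast NULL pointer is only ever used inside sizeof(). */
static size_t sig_blob_size_open_coded(size_t a, size_t b)
{
	return struct_size((struct sig_blob *)NULL, raw, a + b);
}

/* Hardened form: size_add() saturates, so the wrap propagates to SIZE_MAX. */
static size_t sig_blob_size_hardened(size_t a, size_t b)
{
	return struct_size((struct sig_blob *)NULL, raw, size_add(a, b));
}

static struct sig_blob *sig_blob_create(const uint8_t *data, size_t len)
{
	struct sig_blob *hdr = NULL;
	size_t bytes = struct_size(hdr, raw, len);

	if (bytes == SIZE_MAX)		/* overflow: refuse, never under-allocate */
		return NULL;
	hdr = malloc(bytes);
	if (!hdr)
		return NULL;
	hdr->raw_len = len;		/* count first, as the commits reorder it, */
	memcpy(hdr->raw, data, len);	/* then touch the annotated array */
	return hdr;
}

/* Explicit bounded read: the check the sanitizer otherwise makes implicitly. */
static int sig_blob_byte(const struct sig_blob *hdr, size_t i, uint8_t *out)
{
	if (i >= hdr->raw_len)
		return -1;
	*out = hdr->raw[i];
	return 0;
}

/* Returns 1 when allocation, in-/out-of-bounds reads and an overflowing
 * length all behave as described. */
static int sig_blob_selftest(void)
{
	const uint8_t sample[] = { 0x30, 0x82, 0x01 };	/* constructed bytes */
	struct sig_blob *b = sig_blob_create(sample, sizeof(sample));
	uint8_t v = 0;
	int ok;

	if (!b)
		return 0;
	ok = b->raw_len == 3 && sig_blob_byte(b, 2, &v) == 0 && v == 0x01 &&
	     sig_blob_byte(b, 3, &v) == -1 &&
	     sig_blob_create(sample, SIZE_MAX) == NULL;
	free(b);
	return ok;
}
```

Built with a compiler that implements counted_by and -fsanitize=bounds, every raw[i] access is checked against raw_len at run time; on an older compiler the annotation expands to nothing and the code runs unchecked.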
Justin Stitt
6b343a4642
EDAC/mc_sysfs: Replace deprecated strncpy() with memcpy()
`strncpy` is deprecated for use on NUL-terminated destination strings [1].
We've already calculated bounds, possible truncation with '\0' or '\n'
and manually NUL-terminated. The situation is now just a literal byte
copy from one buffer to another, let's treat it as such and use a less
ambiguous interface in memcpy.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230918-strncpy-drivers-edac-edac_mc_sysfs-c-v4-1-38a23d2fcdd8@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-29 14:48:32 -07:00
Justin Stitt
8046da444d
hwmon: (asus_wmi_sensors) Replace deprecated strncpy() with strscpy()
...
`strncpy` is deprecated for use on NUL-terminated destination strings [1].
We should prefer more robust and less ambiguous string interfaces.
A suitable replacement is `strscpy` [2] due to the fact that it
guarantees NUL-termination on the destination buffer without
unnecessarily NUL-padding. If, for any reason, NUL-padding is needed,
let's opt for `strscpy_pad`.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230914-strncpy-drivers-hwmon-asus_wmi_sensors-c-v1-1-e1703cf91693@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-29 14:48:31 -07:00
Justin Stitt
66f8a4a0cc
hwmon: (ibmpowernv) Replace deprecated strncpy() with memcpy()
...
`strncpy` is deprecated for use on NUL-terminated destination strings [1].
A suitable replacement is `memcpy` as we've already precisely calculated
the number of bytes to copy while `buf` has been explicitly
zero-initialized:
| char buf[8] = { 0 };
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Justin Stitt <justinstitt@google.com>
Tested-by: Michael Ellerman <mpe@ellerman.id.au>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20230919-strncpy-drivers-hwmon-ibmpowernv-c-v2-1-37d3e64172bc@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-29 14:48:31 -07:00
Justin Stitt
abe6db6c43
HID: prodikeys: Replace deprecated strncpy() with strscpy()
...
`strncpy` is deprecated for use on NUL-terminated destination strings [1].
We should prefer more robust and less ambiguous string interfaces.
A suitable replacement is `strscpy` [2] due to the fact that it guarantees
NUL-termination on the destination buffer without unnecessarily NUL-padding.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230914-strncpy-drivers-hid-hid-prodikeys-c-v1-1-10c00550f2c2@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-29 14:48:31 -07:00
Justin Stitt
9b9056a313
firmware: tegra: bpmp: Replace deprecated strncpy() with strscpy_pad()
...
`strncpy` is deprecated for use on NUL-terminated destination strings [1].
We should prefer more robust and less ambiguous string interfaces.
It seems like the filename stored at `namevirt` is expected to be
NUL-terminated.
A suitable replacement is `strscpy_pad` due to the fact that it
guarantees NUL-termination on the destination buffer whilst maintaining
the NUL-padding behavior that strncpy provides.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230913-strncpy-drivers-firmware-tegra-bpmp-debugfs-c-v1-1-828b0a8914b5@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-29 14:48:31 -07:00
Justin Stitt
b545465e22
cpuidle: dt: Replace deprecated strncpy() with strscpy()
...
`strncpy` is deprecated for use on NUL-terminated destination strings [1].
We should prefer more robust and less ambiguous string interfaces.
A suitable replacement is `strscpy` [2] due to the fact that it guarantees
NUL-termination on the destination buffer. With this, we can also drop
the now unnecessary `CPUIDLE_(NAME|DESC)_LEN - 1` pieces.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230913-strncpy-drivers-cpuidle-dt_idle_states-c-v1-1-d16a0dbe5658@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-29 14:48:31 -07:00
Justin Stitt
0faf84caee
cpufreq: Replace deprecated strncpy() with strscpy()
...
`strncpy` is deprecated for use on NUL-terminated destination strings [1].
We should prefer more robust and less ambiguous string interfaces.
Both `policy->last_governor` and `default_governor` are expected to be
NUL-terminated, which is shown by their heavy usage with other string
APIs like `strcmp`.
A suitable replacement is `strscpy` [2] due to the fact that it guarantees
NUL-termination on the destination buffer.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Link: https://lore.kernel.org/r/20230913-strncpy-drivers-cpufreq-cpufreq-c-v1-1-f1608bfeff63@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-29 14:48:31 -07:00
Justin Stitt
de055e6116
bus: fsl-mc: Replace deprecated strncpy() with strscpy_pad()
...
`strncpy` is deprecated for use on NUL-terminated destination strings [1].
We need to prefer more robust and less ambiguous string interfaces.
`obj_desc->(type|label)` are expected to be NUL-terminated strings as
per "include/linux/fsl/mc.h +143"
| ...
| * struct fsl_mc_obj_desc - Object descriptor
| * @type: Type of object: NULL terminated string
| ...
It seems `cmd_params->obj_type` is also expected to be a NUL-terminated string.
A suitable replacement is `strscpy_pad` due to the fact that it
guarantees NUL-termination on the destination buffer whilst keeping the
NUL-padding behavior that `strncpy` provides.
Padding may not strictly be necessary but let's opt to keep it as this
ensures no functional change.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230912-strncpy-drivers-bus-fsl-mc-dprc-c-v1-1-cdb56aa3f4f4@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-29 14:48:31 -07:00
Justin Stitt
a952abcdaa
auxdisplay: panel: Replace deprecated strncpy() with strtomem_pad()
...
`strncpy` is deprecated and as such we should prefer more robust and
less ambiguous interfaces.
In this case, all of `press_str`, `repeat_str` and `release_str` are
explicitly marked as nonstring:
| struct { /* valid when type == INPUT_TYPE_KBD */
| char press_str[sizeof(void *) + sizeof(int)] __nonstring;
| char repeat_str[sizeof(void *) + sizeof(int)] __nonstring;
| char release_str[sizeof(void *) + sizeof(int)] __nonstring;
| } kbd;
... which makes `strtomem_pad` a suitable replacement as it is
functionally the same whilst being more obvious about its behavior.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230911-strncpy-drivers-auxdisplay-panel-c-v1-1-b60bd0ae8552@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-29 14:48:31 -07:00
Justin Stitt
e0bbf92682
um,ethertap: Replace deprecated strncpy() with strscpy()
...
`strncpy` is deprecated for use on NUL-terminated destination strings [1].
`gate_buf` should always be NUL-terminated and does not require
NUL-padding. It is used as a string arg inside an argv array given to
`run_helper()`. Due to this, let's use `strscpy` as it guarantees
NUL-termination on the destination buffer, preventing potential buffer
overreads [2].
This exact invocation was changed from `strcpy` to `strncpy` in commit
7879b1d94b ("um,ethertap: use strncpy") back in 2015. Let's continue
hardening our `str*cpy` APIs and use the newer and safer `strscpy`!
Link: www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230911-strncpy-arch-um-os-linux-drivers-ethertap_user-c-v1-1-d9e53f52ab32@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-29 11:37:50 -07:00
Elena Reshetova
d77008421a
groups: Convert group_info.usage to refcount_t
...
atomic_t variables are currently used to implement reference counters
with the following properties:
- counter is initialized to 1 using atomic_set()
- a resource is freed upon counter reaching zero
- once counter reaches zero, its further increments aren't allowed
- counter schema uses basic atomic operations (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows and
underflows. This is important since overflows and underflows can lead
to a use-after-free situation and be exploitable.
The variable group_info.usage is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
**Important note for maintainers:
Some functions from refcount_t API defined in refcount.h have different
memory ordering guarantees than their atomic counterparts. Please check
Documentation/core-api/refcount-vs-atomic.rst for more information.
Normally the differences should not matter since refcount_t provides
enough guarantees to satisfy the refcounting use cases, but in some
rare cases it might matter. Please double check that you don't have
some undocumented memory guarantees for this variable usage.
For the group_info.usage it might make a difference in the following places:
- put_group_info(): decrement in refcount_dec_and_test() only provides RELEASE ordering and ACQUIRE ordering on success vs. fully ordered atomic counterpart
Suggested-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Link: https://lore.kernel.org/r/20230818041456.gonna.009-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-29 11:28:39 -07:00
Gustavo A. R. Silva
4cb2e89fea
nouveau/svm: Split assignment from if conditional
...
Fix checkpatch.pl ERROR: do not use assignment in if condition.
Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/6b900e80b5587187c68efc788f5b042ca747d374.1692208802.git.gustavoars@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-29 11:19:43 -07:00
Gustavo A. R. Silva
6ad33b53c9
nouveau/svm: Replace one-element array with flexible-array member in struct nouveau_svm
...
One-element and zero-length arrays are deprecated. So, replace
one-element array in struct nouveau_svm with flexible-array member.
This results in no differences in binary output.
Link: https://github.com/KSPP/linux/issues/338
Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/087a1c335228bd245192bbb2fb347c9af1be5750.1692208802.git.gustavoars@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-29 11:19:43 -07:00
Kees Cook
4ae7f6320a
MAINTAINERS: hardening: Add Gustavo as Reviewer
...
It's an oversight to not have already listed Gustavo here. Add him as a
Reviewer.
Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-28 16:39:08 -07:00
Kees Cook
5e6a1c803f
accel/ivpu: Annotate struct ivpu_job with __counted_by
...
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
As found with Coccinelle[1], add __counted_by for struct ivpu_job.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
Cc: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
Cc: Oded Gabbay <ogabbay@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Tom Rix <trix@redhat.com>
Cc: dri-devel@lists.freedesktop.org
Cc: llvm@lists.linux.dev
Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
Link: https://lore.kernel.org/r/20230922175416.work.272-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-28 16:39:08 -07:00
Kees Cook
921f15fe8c
MAINTAINERS: hardening: Add __counted_by regex
...
Since __counted_by annotations may also require that code be changed to
get initialization ordering correct, let's get an extra group of eyes on
code that is working on these annotations.
Signed-off-by: Kees Cook <keescook@chromium.org>
2023-09-28 16:39:08 -07:00