Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge tag 'hardening-v6.2-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull kernel hardening fixes from Kees Cook:

- Fix CFI failure with KASAN (Sami Tolvanen)

- Fix LKDTM + CFI under GCC 7 and 8 (Kristina Martsenko)

- Limit CONFIG_ZERO_CALL_USED_REGS to Clang > 15.0.6 (Nathan
Chancellor)

- Ignore "contents" argument in LoadPin's LSM hook handling

- Fix paste-o in /sys/kernel/warn_count API docs

- Use READ_ONCE() consistently for oops/warn limit reading

* tag 'hardening-v6.2-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
cfi: Fix CFI failure with KASAN
exit: Use READ_ONCE() for all oops/warn limit reads
security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6
lkdtm: cfi: Make PAC test work with GCC 7 and 8
docs: Fix path paste-o for /sys/kernel/warn_count
LoadPin: Ignore the "contents" argument of the LSM hooks

+36 -21
+1 -1
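--- a/Documentation/ABI/testing/sysfs-kernel-warn_count
+++ b/Documentation/ABI/testing/sysfs-kernel-warn_count
@@ -1,4 +1,4 @@
-What: /sys/kernel/oops_count
+What: /sys/kernel/warn_count
 Date: November 2022
 KernelVersion: 6.2.0
 Contact: Linux Kernel Hardening List <linux-hardening@vger.kernel.org>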
+5 -1
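--- a/drivers/misc/lkdtm/cfi.c
+++ b/drivers/misc/lkdtm/cfi.c
@@ -54,7 +54,11 @@
 # ifdef CONFIG_ARM64_BTI_KERNEL
 # define __no_pac "branch-protection=bti"
 # else
-# define __no_pac "branch-protection=none"
+# ifdef CONFIG_CC_HAS_BRANCH_PROT_PAC_RET
+# define __no_pac "branch-protection=none"
+# else
+# define __no_pac "sign-return-address=none"
+# endif
 # endif
 # define __no_ret_protection __noscs __attribute__((__target__(__no_pac)))
 #else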
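Review bot: The new inner `#else` branch has no comment saying why two spellings of the same target option exist, so a reader has to find the commit title to learn that the fallback is for GCC 7 and 8. A line above the inner `#ifdef`, such as `/* Compilers without branch-protection support (e.g. GCC 7/8) only accept the older sign-return-address spelling. */`, would keep that reason with the code. The surrounding `#if` block starts and ends outside the hunk, so the conditions that lead here are not visible.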
-3
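--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -41,9 +41,6 @@
 KMSAN_SANITIZE_kcov.o := n
 CFLAGS_kcov.o := $(call cc-option, -fno-conserve-stack) -fno-stack-protector
 
-# Don't instrument error handlers
-CFLAGS_REMOVE_cfi.o := $(CC_FLAGS_CFI)
-
 obj-y += sched/
 obj-y += locking/
 obj-y += power/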
+4 -2
kernel/exit.c
··· 931 931 * Then do everything else. 932 932 */ 933 933 struct task_struct *tsk = current; 934 + unsigned int limit; 934 935 935 936 if (unlikely(in_interrupt())) 936 937 panic("Aiee, killing interrupt handler!"); ··· 955 954 * To make sure this can't happen, place an upper bound on how often the 956 955 * kernel may oops without panic(). 957 956 */ 958 - if (atomic_inc_return(&oops_count) >= READ_ONCE(oops_limit) && oops_limit) 959 - panic("Oopsed too often (kernel.oops_limit is %d)", oops_limit); 957 + limit = READ_ONCE(oops_limit); 958 + if (atomic_inc_return(&oops_count) >= limit && limit) 959 + panic("Oopsed too often (kernel.oops_limit is %d)", limit); 960 960 961 961 /* 962 962 * We're taking recursive faults here in make_task_dead. Safest is to just
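Review bot: The new local `limit` is declared `unsigned int` but the panic() message in the second hunk still formats it with `%d`, so a limit above INT_MAX would print as a negative number. `%u` matches the declared type: `panic("Oopsed too often (kernel.oops_limit is %u)", limit);`. The same mismatch is in the `kernel.warn_limit` message of check_panic_on_warn() in kernel/panic.c, which also prints its new `unsigned int limit` with `%d`. The enclosing function here begins and ends outside the hunks shown.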
+5 -2
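--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -232,12 +232,15 @@
 
 void check_panic_on_warn(const char *origin)
 {
+unsigned int limit;
+
 if (panic_on_warn)
 panic("%s: panic_on_warn set ...\n", origin);
 
-if (atomic_inc_return(&warn_count) >= READ_ONCE(warn_limit) && warn_limit)
+limit = READ_ONCE(warn_limit);
+if (atomic_inc_return(&warn_count) >= limit && limit)
 panic("%s: system warned too often (kernel.warn_limit is %d)",
-origin, warn_limit);
+origin, limit);
 }
 
 /**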
+3
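--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -257,6 +257,9 @@
 
 config CC_HAS_ZERO_CALL_USED_REGS
 def_bool $(cc-option,-fzero-call-used-regs=used-gpr)
+# https://github.com/ClangBuiltLinux/linux/issues/1766
+# https://github.com/llvm/llvm-project/issues/59242
+depends on !CC_IS_CLANG || CLANG_VERSION > 150006
 
 config ZERO_CALL_USED_REGS
 bool "Enable register zeroing on function exit"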
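Review bot: The new `depends on` line is justified only by two bare issue URLs, so the reason for the 15.0.6 cut-off cannot be read from the file itself. A one-line summary above the links, for example `# Clang up to 15.0.6 is excluded because of the compiler issue tracked here:`, would survive link rot. This symbol presumably gates ZERO_CALL_USED_REGS, whose definition continues outside the hunk. If so, builds with an affected Clang drop the register-zeroing hardening without any message, and anyone relying on it should check the generated .config.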
+18 -12
security/loadpin/loadpin.c
··· 122 122 } 123 123 } 124 124 125 - static int loadpin_read_file(struct file *file, enum kernel_read_file_id id, 126 - bool contents) 125 + static int loadpin_check(struct file *file, enum kernel_read_file_id id) 127 126 { 128 127 struct super_block *load_root; 129 128 const char *origin = kernel_read_file_id_str(id); 130 - 131 - /* 132 - * If we will not know that we'll be seeing the full contents 133 - * then we cannot trust a load will be complete and unchanged 134 - * off disk. Treat all contents=false hooks as if there were 135 - * no associated file struct. 136 - */ 137 - if (!contents) 138 - file = NULL; 139 129 140 130 /* If the file id is excluded, ignore the pinning. */ 141 131 if ((unsigned int)id < ARRAY_SIZE(ignore_read_file_id) && ··· 182 192 return 0; 183 193 } 184 194 195 + static int loadpin_read_file(struct file *file, enum kernel_read_file_id id, 196 + bool contents) 197 + { 198 + /* 199 + * LoadPin only cares about the _origin_ of a file, not its 200 + * contents, so we can ignore the "are full contents available" 201 + * argument here. 202 + */ 203 + return loadpin_check(file, id); 204 + } 205 + 185 206 static int loadpin_load_data(enum kernel_load_data_id id, bool contents) 186 207 { 187 - return loadpin_read_file(NULL, (enum kernel_read_file_id) id, contents); 208 + /* 209 + * LoadPin only cares about the _origin_ of a file, not its 210 + * contents, so a NULL file is passed, and we can ignore the 211 + * state of "contents". 212 + */ 213 + return loadpin_check(NULL, (enum kernel_read_file_id) id); 188 214 } 189 215 190 216 static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
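Review bot: Both hooks still take `contents` but never read it, and the added comments do not state the behaviour change. A read with `contents == false` used to be treated as having no file; it is now judged by the file's origin like any other read. The comment in loadpin_read_file() could say so directly, e.g. `/* Partial reads are checked like full reads: trust comes from where the file lives, not from seeing all of it. */`. That reasoning presumably holds only while the pinned filesystem cannot be modified underneath the kernel. This is decided in the part of loadpin_check() that lies outside these hunks, so it is worth confirming there.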