Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'hardening-v6.10-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull hardening fixes from Kees Cook:

- loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module
decompression (Stephen Boyd)

- ubsan: Restore dependency on ARCH_HAS_UBSAN

- kunit/fortify: Fix memcmp() test to be amplitude agnostic

* tag 'hardening-v6.10-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
kunit/fortify: Fix memcmp() test to be amplitude agnostic
ubsan: Restore dependency on ARCH_HAS_UBSAN
loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module decompression

+5 -1
+1
lib/Kconfig.ubsan
··· 4 4 5 5 menuconfig UBSAN 6 6 bool "Undefined behaviour sanity checker" 7 + depends on ARCH_HAS_UBSAN 7 8 help 8 9 This option enables the Undefined Behaviour sanity checker. 9 10 Compile-time instrumentation is used to detect various undefined
+1 -1
lib/fortify_kunit.c
··· 990 990 KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len), 0); 991 991 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 992 992 /* Still in bounds, but no longer matching. */ 993 - KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len + 1), -32); 993 + KUNIT_ASSERT_LT(test, memcmp(one, two, one_len + 1), 0); 994 994 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 995 995 996 996 /* Catch too-large ranges. */
+3
security/loadpin/Kconfig
··· 14 14 config SECURITY_LOADPIN_ENFORCE 15 15 bool "Enforce LoadPin at boot" 16 16 depends on SECURITY_LOADPIN 17 + # Module compression breaks LoadPin unless modules are decompressed in 18 + # the kernel. 19 + depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS) 17 20 help 18 21 If selected, LoadPin will enforce pinning at boot. If not 19 22 selected, it can be enabled at boot with the kernel parameter
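Review bot: in lib/Kconfig.ubsan, the new `depends on ARCH_HAS_UBSAN` under `menuconfig UBSAN` is summarized as restoring a dependency, but nothing visible on this page says which change dropped it or which architectures were affected. A Fixes: reference in the commit, or a one-line Kconfig comment above the `depends on`, would let a later reader see why the gate exists and make it less likely to be dropped again.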
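Review bot: in lib/fortify_kunit.c at line 993, `KUNIT_ASSERT_LT(test, memcmp(one, two, one_len + 1), 0)` now depends only on the sign of the result, yet the comment above it still says just "Still in bounds, but no longer matching." and the buffer contents that make `one` compare lower than `two` are outside the hunk. Extending that comment to say that memcmp() guarantees only the sign of a mismatch, and which byte differs, would document why the literal -32 was removed and protect the direction of the comparison against a later edit to the test data.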
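Review bot: in security/loadpin/Kconfig, the new `depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)` makes SECURITY_LOADPIN_ENFORCE unavailable for configs that compress modules without in-kernel decompression, but the help text shown does not mention the requirement, so an existing config can lose boot-time enforcement with no visible explanation. Suggest stating the requirement in the help text and expanding the comment to say how compression breaks LoadPin; the inner parentheses are also redundant, since the expression is a plain chain of `||`.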