Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-4.16.y 2018-02-04T00:25:42Z 2018-02-04T00:25:42Z Linus Torvalds torvalds@linux-foundation.org 2018-02-04T00:25:42Z urn:sha1:617aebe6a97efa539cc4b8a52adccd89596e6be0 Pull hardened usercopy whitelisting from Kees Cook: "Currently, hardened usercopy performs dynamic bounds checking on slab cache objects. This is good, but still leaves a lot of kernel memory available to be copied to/from userspace in the face of bugs. To further restrict what memory is available for copying, this creates a way to whitelist specific areas of a given slab cache object for copying to/from userspace, allowing much finer granularity of access control. Slab caches that are never exposed to userspace can declare no whitelist for their objects, thereby keeping them unavailable to userspace via dynamic copy operations. (Note, an implicit form of whitelisting is the use of constant sizes in usercopy operations and get_user()/put_user(); these bypass all hardened usercopy checks since these sizes cannot change at runtime.) This new check is WARN-by-default, so any mistakes can be found over the next several releases without breaking anyone's system. The series has roughly the following sections: - remove %p and improve reporting with offset - prepare infrastructure and whitelist kmalloc - update VFS subsystem with whitelists - update SCSI subsystem with whitelists - update network subsystem with whitelists - update process memory with whitelists - update per-architecture thread_struct with whitelists - update KVM with whitelists and fix ioctl bug - mark all other allocations as not whitelisted - update lkdtm for more sensible test overage" * tag 'usercopy-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: (38 commits) lkdtm: Update usercopy tests for whitelisting usercopy: Restrict non-usercopy caches to size 0 kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl kvm: whitelist struct kvm_vcpu_arch arm: Implement thread_struct whitelist for hardened usercopy arm64: Implement thread_struct whitelist for hardened usercopy x86: Implement thread_struct whitelist for hardened usercopy fork: Provide usercopy whitelisting for task_struct fork: Define usercopy region in thread_stack slab caches fork: Define usercopy region in mm_struct slab caches net: Restrict unwhitelisted proto caches to size 0 sctp: Copy struct sctp_sock.autoclose to userspace using put_user() sctp: Define usercopy region in SCTP proto slab cache caif: Define usercopy region in caif proto slab cache ip: Define usercopy region in IP proto slab cache net: Define usercopy region in struct proto slab cache scsi: Define usercopy region in scsi_sense_cache slab cache cifs: Define usercopy region in cifs_request slab cache vxfs: Define usercopy region in vxfs_inode slab cache ufs: Define usercopy region in ufs_inode_cache slab cache ... 2018-01-25T09:41:05Z Ivan Delalande colona@arista.com 2018-01-25T01:16:22Z urn:sha1:5be2a5011c039506e2862650c928acfb2e3d7b9c Function handle_IRQ_event was retired in v2.6.39 and replaced with handle_irq_event but nobody changed it in lkdtm so INT_HW_IRQ_EN has been broken for a while. Fixes: 33b054b867b8 ("genirq: Remove handle_IRQ_event") Signed-off-by: Travis Brown <travisb@arista.com> Signed-off-by: Ivan Delalande <colona@arista.com> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-01-15T20:08:09Z Kees Cook keescook@chromium.org 2017-06-15T01:56:55Z urn:sha1:e47e311843dece8073146f3606871280ee9beb87 This updates the USERCOPY_HEAP_FLAG_* tests to USERCOPY_HEAP_WHITELIST_*, since the final form of usercopy whitelisting ended up using an offset/size window instead of the earlier proposed allocation flags. Signed-off-by: Kees Cook <keescook@chromium.org> 2017-10-20T13:51:39Z Kees Cook keescook@chromium.org 2017-10-20T13:31:49Z urn:sha1:75f98b7ab748a6f604d667d84ec46acc452fdfc1 Since nothing in the crashtypes table ever changes, mark it const. Adds some missing "static" markings as well. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-10-20T13:50:55Z Kees Cook keescook@chromium.org 2017-10-20T13:31:27Z urn:sha1:31c5c870a1120960ec4157e6a5ea34686c77f6b8 The jprobe subsystem is being removed, so convert to using kprobe instead. Cc: Masami Hiramatsu <mhiramat@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-08-15T19:27:35Z Kees Cook keescook@chromium.org 2017-08-04T21:34:40Z urn:sha1:93e78c6b14c42abe4018c815aeea2aa491522fae There wasn't an LKDTM test to distinguish between -fstack-protector and -fstack-protector-strong in use. This adds CORRUPT_STACK_STRONG to see the difference. Also adjusts the stack-clobber value to 0xff so execution won't potentially jump into userspace when the stack protector is missing. Signed-off-by: Kees Cook <keescook@chromium.org> 2017-08-04T20:04:21Z Kees Cook keescook@chromium.org 2017-08-04T20:04:21Z urn:sha1:7b25a85c9d9f796c5be7ad3fb8b9553d3e2ed958 Two new tests STACK_GUARD_PAGE_LEADING and STACK_GUARD_PAGE_TRAILING attempt to read the byte before and after, respectively, of the current stack frame, which should fault. Signed-off-by: Kees Cook <keescook@chromium.org> 2017-07-26T21:38:04Z Kees Cook keescook@chromium.org 2017-07-21T13:19:14Z urn:sha1:c7fea48876773603721f545f8c1a2f894291ef85 While not a crash test, this does provide two tight atomic_t and refcount_t loops for performance comparisons: cd /sys/kernel/debug/provoke-crash perf stat -B -- cat <(echo ATOMIC_TIMING) > DIRECT perf stat -B -- cat <(echo REFCOUNT_TIMING) > DIRECT Looking a CPU cycles is the best way to example the fast-path (rather than instruction counts, since conditional jumps will be executed but will be negligible due to branch-prediction). Signed-off-by: Kees Cook <keescook@chromium.org> 2017-07-26T21:38:03Z Kees Cook keescook@chromium.org 2017-04-24T20:23:21Z urn:sha1:95925c99b9043d52db626645e6ef5ee5f62c97e4 The existing REFCOUNT_* LKDTM tests were designed only for testing a narrow portion of CONFIG_REFCOUNT_FULL. This moves the tests to their own file and expands their testing to poke each boundary condition. Since the protections (CONFIG_REFCOUNT_FULL and x86-fast) use different saturation values and reach-zero behavior, those have to be build-time set so the tests can actually validate things are happening at the right places. Notably, the x86-fast protection will fail REFCOUNT_INC_ZERO and REFCOUNT_ADD_ZERO since those conditions are not checked (only overflow is critical to protecting refcount_t). CONFIG_REFCOUNT_FULL will warn for each REFCOUNT_*_NEGATIVE test since it provides zero-pinning behaviors (which allows it to pass REFCOUNT_INC_ZERO and REFCOUNT_ADD_ZERO). Signed-off-by: Kees Cook <keescook@chromium.org> 2017-04-08T15:56:02Z Kees Cook keescook@chromium.org 2017-03-24T17:51:25Z urn:sha1:e22aa9d781a27a961581c57442911309fb86a48e This adds CORRUPT_USER_DS to check that the get_fs() test on syscall return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since trying to deal with values other than USER_DS and KERNEL_DS across all architectures in a safe way is not sensible, this sets KERNEL_DS, but since that could be extremely dangerous if the protection is not present, it also raises SIGKILL for current, so that no matter what, the process will die. A successful test will be visible with a BUG(), like all the other LKDTM tests. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>