[GIT PULL] kernel hardening updates for v6.1-rc1

From: Kees Cook
Date: Sat Oct 01 2022 - 13:46:59 EST

Hi Linus,

Please pull these kernel hardening updates for v6.1-rc1. Most of
the collected changes here are fixes across the tree for various
hardening features (noted in the tag commit log below).

The most notable new feature here is the addition of the memcpy()
overflow warning (under CONFIG_FORTIFY_SOURCE), which is the next step
on the path to killing the common class of "trivially detectable" buffer
overflow conditions (i.e. on arrays with sizes known at compile time)
that have resulted in many exploitable vulnerabilities over the years
(e.g. BleedingTooth).

This feature is expected to still have some undiscovered false
positives. It's been in -next for a full development cycle and all
the reported false positives have been fixed in their respective trees.
All the known-bad code patterns we could find with Coccinelle are
also either fixed in their respective trees or in flight.

The commit log[1] for the feature has extensive details, but I'll repeat
here that this is a warning _only_, and is not intended to actually block
overflows (yet). The many patches fixing array sizes and struct members
have been landing for several years now, and we're finally able to turn
this on to find any remaining stragglers.

1 expected conflict is minimal:
- https://lore.kernel.org/linux-next/20220906174946.61819060@xxxxxxxxxxxxxxxx/



[1] https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id=54d9469bc515dc5fcbc20eecbe19cea868b70d68

The following changes since commit 1c23f9e627a7b412978b4e852793c5e3c3efc555:

Linux 6.0-rc2 (2022-08-21 17:32:54 -0700)

are available in the Git repository at:

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.1-rc1

for you to fetch changes up to 2120635108b35ecad9c59c8b44f6cbdf4f98214e:

Makefile.extrawarn: Move -Wcast-function-type-strict to W=1 (2022-10-01 07:46:05 -0700)

hardening updates for v6.1-rc1

Various fixes across several hardening areas:

- loadpin: Fix verity target enforcement (Matthias Kaehlcke).

- zero-call-used-regs: Add missing clobbers in paravirt (Bill Wendling).

- CFI: clean up sparc function pointer type mismatches (Bart Van Assche).

- Clang: Adjust compiler flag detection for various Clang changes (Sami
Tolvanen, Kees Cook).

- fortify: Fix warnings in arch-specific code in sh, ARM, and xen.

Improvements to existing features:

- testing: improve overflow KUnit test, introduce fortify KUnit test,
add more coverage to LKDTM tests (Bart Van Assche, Kees Cook).

- overflow: Relax overflow type checking for wider utility.

New features:

- string: Introduce strtomem() and strtomem_pad() to fill a gap in
strncpy() replacement needs.

- um: Enable FORTIFY_SOURCE support.

- fortify: Enable run-time struct member memcpy() overflow warning.

Bart Van Assche (4):
testing/selftests: Add tests for the is_signed_type() macro
overflow, tracing: Define the is_signed_type() macro once
lib: Improve the is_signed_type() kunit test
sparc: Unbreak the build

Bill Wendling (2):
x86/paravirt: clean up typos and grammaros
x86/paravirt: add extra clobbers with ZERO_CALL_USED_REGS enabled

Kees Cook (17):
overflow: Allow mixed type arguments
overflow: Split up kunit tests for smaller stack frames
string: Introduce strtomem() and strtomem_pad()
fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL
fortify: Add KUnit test for FORTIFY_SOURCE internals
fortify: Use SIZE_MAX instead of (size_t)-1
fortify: Add run-time WARN for cross-field memcpy()
lkdtm: Update tests for memcpy() run-time warnings
kunit/memcpy: Avoid pathological compile-time string size
sh: machvec: Use char[] for section boundaries
fortify: Adjust KUnit test for modular build
ARM: decompressor: Include .data.rel.ro.local
x86/entry: Work around Clang __bdos() bug
fortify: Explicitly check bounds are compile-time constants
fortify: Convert to struct vs member helpers
hardening: Remove Clang's enable flag for -ftrivial-auto-var-init=zero

Matthias Kaehlcke (3):
LoadPin: Fix Kconfig doc about format of file with verity digests
dm: verity-loadpin: Only trust verity targets with enforcement
LoadPin: Require file with verity root digests to have a header

Sami Tolvanen (1):
Makefile.extrawarn: Move -Wcast-function-type-strict to W=1

Documentation/process/deprecated.rst | 11 +-
Makefile | 4 +-
arch/arm/boot/compressed/vmlinux.lds.S | 2 +
arch/sh/include/asm/sections.h | 2 +-
arch/sh/kernel/machvec.c | 10 +-
arch/sparc/include/asm/smp_32.h | 15 +-
arch/sparc/kernel/leon_smp.c | 12 +-
arch/sparc/kernel/sun4d_smp.c | 12 +-
arch/sparc/kernel/sun4m_smp.c | 10 +-
arch/sparc/mm/srmmu.c | 29 ++--
arch/um/Kconfig | 1 +
arch/um/os-Linux/user_syms.c | 1 +
arch/x86/include/asm/paravirt_types.h | 27 ++--
arch/x86/xen/enlighten_pv.c | 3 +-
drivers/md/dm-verity-loadpin.c | 8 ++
drivers/md/dm-verity-target.c | 16 +++
drivers/md/dm-verity.h | 1 +
drivers/misc/lkdtm/fortify.c | 96 +++++++++++--
include/linux/compiler.h | 6 +
include/linux/fortify-string.h | 245 +++++++++++++++++++++++---------
include/linux/overflow.h | 73 +++++-----
include/linux/string.h | 43 ++++++
include/linux/trace_events.h | 2 -
lib/Kconfig.debug | 21 +++
lib/Makefile | 2 +
lib/fortify_kunit.c | 76 ++++++++++
lib/is_signed_type_kunit.c | 53 +++++++
lib/memcpy_kunit.c | 59 +++++++-
lib/overflow_kunit.c | 177 ++++++++++++++++-------
scripts/Makefile.extrawarn | 1 +
security/Kconfig.hardening | 14 +-
security/loadpin/Kconfig | 7 +-
security/loadpin/loadpin.c | 16 ++-
tools/testing/selftests/lkdtm/tests.txt | 8 +-
35 files changed, 821 insertions(+), 243 deletions(-)
create mode 100644 lib/fortify_kunit.c
create mode 100644 lib/is_signed_type_kunit.c

Kees Cook