From: Pavel Machek <pavel@denx.de>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Daniel Marth <daniel.marth@inso.tuwien.ac.at>,
Ard Biesheuvel <ardb@kernel.org>,
Kees Cook <keescook@chromium.org>,
Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 4.14 06/40] efi: libstub: Disable struct randomization
Date: Mon, 26 Sep 2022 13:08:26 +0200 [thread overview]
Message-ID: <20220926110826.GE8978@amd> (raw)
In-Reply-To: <20220926100738.463310701@linuxfoundation.org>
[-- Attachment #1: Type: text/plain, Size: 1510 bytes --]
Hi!
> These structs look like the ideal randomization candidates to the
> randstruct plugin (as they only carry function pointers), but of course,
> these protocols are contracts between the firmware that exposes them,
> and the EFI applications (including our stubbed kernel) that invoke
> them. This means that struct randomization for EFI protocols is not a
> great idea, and given that the stub shares very little data with the
> core kernel that is represented as a randomizable struct, we're better
> off just disabling it completely here.
> Cc: <stable@vger.kernel.org> # v4.14+
AFAICT RANDSTRUCT_CFLAGS is not available in v4.19, so we should not
take this patch.
Best regards,
Pavel
> +++ b/drivers/firmware/efi/libstub/Makefile
> @@ -23,6 +23,13 @@ KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \
> $(call cc-option,-ffreestanding) \
> $(call cc-option,-fno-stack-protector)
>
> +#
> +# struct randomization only makes sense for Linux internal types, which the EFI
> +# stub code never touches, so let's turn off struct randomization for the stub
> +# altogether
> +#
> +KBUILD_CFLAGS := $(filter-out $(RANDSTRUCT_CFLAGS), $(KBUILD_CFLAGS))
> +
> # remove SCS flags from all objects in this directory
> KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_SCS), $(KBUILD_CFLAGS))
>
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
next prev parent reply other threads:[~2022-09-26 13:37 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-26 10:11 [PATCH 4.14 00/40] 4.14.295-rc1 review Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 01/40] of: fdt: fix off-by-one error in unflatten_dt_nodes() Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 02/40] gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in mpc85xx Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 03/40] drm/meson: Correct OSD1 global alpha value Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 04/40] parisc: ccio-dma: Add missing iounmap in error path in ccio_probe() Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 05/40] efi/libstub: Disable Shadow Call Stack Greg Kroah-Hartman
2022-09-26 11:14 ` Pavel Machek
2022-09-26 15:56 ` Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 06/40] efi: libstub: Disable struct randomization Greg Kroah-Hartman
2022-09-26 11:08 ` Pavel Machek [this message]
2022-09-26 14:16 ` Ard Biesheuvel
2022-09-26 15:53 ` Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 07/40] cifs: dont send down the destination address to sendmsg for a SOCK_STREAM Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 08/40] ASoC: nau8824: Fix semaphore unbalance at error paths Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 09/40] regulator: pfuze100: Fix the global-out-of-bounds access in pfuze100_regulator_probe() Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 10/40] ALSA: hda/sigmatel: Keep power up while beep is enabled Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 11/40] net: usb: qmi_wwan: add Quectel RM520N Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 12/40] MIPS: OCTEON: irq: Fix octeon_irq_force_ciu_mapping() Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 13/40] mksysmap: Fix the mismatch of L0 symbols in System.map Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 14/40] video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 15/40] ALSA: hda/sigmatel: Fix unused variable warning for beep power change Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 16/40] wifi: mac80211: Fix UAF in ieee80211_scan_rx() Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 17/40] USB: core: Fix RST error in hub.c Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 18/40] USB: serial: option: add Quectel BG95 0x0203 composition Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 19/40] USB: serial: option: add Quectel RM520N Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 20/40] ALSA: hda/tegra: set depop delay for tegra Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 21/40] ALSA: hda: add Intel 5 Series / 3400 PCI DID Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 22/40] mm/slub: fix to return errno if kmalloc() fails Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 23/40] arm64: dts: rockchip: Remove enable-active-low from rk3399-puma Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 24/40] netfilter: nf_conntrack_sip: fix ct_sip_walk_headers Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 25/40] netfilter: nf_conntrack_irc: Tighten matching on DCC message Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 26/40] iavf: Fix cached head and tail value for iavf_get_tx_pending Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 27/40] ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 28/40] net: team: Unsync device addresses on ndo_stop Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 29/40] MIPS: lantiq: export clk_get_io() for lantiq_wdt.ko Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 30/40] of: mdio: Add of_node_put() when breaking out of for_each_xx Greg Kroah-Hartman
2022-09-26 10:11 ` [PATCH 4.14 31/40] netfilter: ebtables: fix memory leak when blob is malformed Greg Kroah-Hartman
2022-09-26 10:12 ` [PATCH 4.14 32/40] can: gs_usb: gs_can_open(): fix race dev->can.state condition Greg Kroah-Hartman
2022-09-26 10:12 ` [PATCH 4.14 33/40] perf kcore_copy: Do not check /proc/modules is unchanged Greg Kroah-Hartman
2022-09-26 10:12 ` [PATCH 4.14 34/40] net: sunhme: Fix packet reception for len < RX_COPY_THRESHOLD Greg Kroah-Hartman
2022-09-26 10:12 ` [PATCH 4.14 35/40] serial: Create uart_xmit_advance() Greg Kroah-Hartman
2022-09-26 10:12 ` [PATCH 4.14 36/40] serial: tegra: Use uart_xmit_advance(), fixes icount.tx accounting Greg Kroah-Hartman
2022-09-26 10:12 ` [PATCH 4.14 37/40] s390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup Greg Kroah-Hartman
2022-09-26 10:12 ` [PATCH 4.14 38/40] Drivers: hv: Never allocate anything besides framebuffer from framebuffer memory region Greg Kroah-Hartman
2022-09-26 10:12 ` [PATCH 4.14 39/40] ext4: make directory inode spreading reflect flexbg size Greg Kroah-Hartman
2022-09-26 10:12 ` [PATCH 4.14 40/40] media: em28xx: initialize refcount before kref_get Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220926110826.GE8978@amd \
--to=pavel@denx.de \
--cc=ardb@kernel.org \
--cc=daniel.marth@inso.tuwien.ac.at \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.