From: Kees Cook <keescook@chromium.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Anton Ivanov <anton.ivanov@cambridgegreys.com>,
Azeem Shaikh <azeemshaikh38@gmail.com>,
Christian Brauner <brauner@kernel.org>,
David Windsor <dwindsor@gmail.com>,
Elena Reshetova <elena.reshetova@intel.com>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
Hans Liljestrand <ishkamiel@gmail.com>,
Jann Horn <jannh@google.com>, Jarkko Sakkinen <jarkko@kernel.org>,
Juergen Gross <jgross@suse.com>,
Justin Stitt <justinstitt@google.com>,
Marco Elver <elver@google.com>,
Mark Rutland <mark.rutland@arm.com>,
Miguel Ojeda <ojeda@kernel.org>, Mimi Zohar <zohar@linux.ibm.com>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Song Liu <song@kernel.org>,
"Steven Rostedt (Google)" <rostedt@goodmis.org>,
Yonghong Song <yonghong.song@linux.dev>,
Zhen Lei <thunder.leizhen@huawei.com>,
linux-hardening@vger.kernel.org
Subject: [GIT PULL] hardening updates for v6.6-rc1
Date: Mon, 28 Aug 2023 11:42:58 -0700
Message-ID: <202308281138.5E9835A@keescook>

Hi Linus,

Please pull these hardening updates for v6.6-rc1. As has become normal,
changes are scattered around the tree (either explicitly maintainer
Acked or for trivial stuff that went ignored). Details in the log below,
and all have been in -next for a while.

Thanks!

-Kees

The following changes since commit fdf0eaf11452d72945af31804e2a1048ee1b574c:

  Linux 6.5-rc2 (2023-07-16 15:10:37 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.6-rc1

for you to fetch changes up to 5f536ac6a5a7b67351e4e5ae4f9e1e57d31268e6:

  LoadPin: Annotate struct dm_verity_loadpin_trusted_root_digest with __counted_by (2023-08-25 16:07:30 -0700)

----------------------------------------------------------------
hardening updates for v6.6-rc1

- Carve out the new CONFIG_LIST_HARDENED as a more focused subset of
  CONFIG_DEBUG_LIST (Marco Elver).

- Fix kallsyms lookup failure under Clang LTO (Yonghong Song).

- Clarify documentation for CONFIG_UBSAN_TRAP (Jann Horn).

- Flexible array member conversion not carried in other tree (Gustavo
  A. R. Silva).

- Various strlcpy() and strncpy() removals not carried in other trees
  (Azeem Shaikh, Justin Stitt).

- Convert nsproxy.count to refcount_t (Elena Reshetova).

- Add handful of __counted_by annotations not carried in other trees,
  as well as an LKDTM test.

- Fix build failure with gcc-plugins on GCC 14+.

- Fix selftests to respect SKIP for signal-delivery tests.

- Fix CFI warning for paravirt callback prototype.

- Clarify documentation for seq_show_option_n() usage.

----------------------------------------------------------------
Azeem Shaikh (4):
      soc: fsl: qe: Replace all non-returning strlcpy with strscpy
      um: Remove strlcpy declaration
      perf: Replace strlcpy with strscpy
      EISA: Replace all non-returning strlcpy with strscpy

Elena Reshetova (1):
      nsproxy: Convert nsproxy.count to refcount_t

Gustavo A. R. Silva (1):
      alpha: Replace one-element array with flexible-array member

Jann Horn (1):
      ubsan: Clarify Kconfig text for CONFIG_UBSAN_TRAP

Justin Stitt (2):
      um: vector: refactor deprecated strncpy
      um: refactor deprecated strncpy to memcpy

Kees Cook (8):
      seq_file: seq_show_option_n() is used for precise sizes
      x86/paravirt: Fix tlb_remove_table function callback prototype warning
      selftests/harness: Actually report SKIP for signal tests
      gcc-plugins: Rename last_stmt() for GCC 14+
      Compiler Attributes: counted_by: Adjust name and identifier expansion
      lkdtm: Add FAM_BOUNDS test for __counted_by
      integrity: Annotate struct ima_rule_opt_list with __counted_by
      LoadPin: Annotate struct dm_verity_loadpin_trusted_root_digest with __counted_by

Marco Elver (4):
      compiler_types: Introduce the Clang __preserve_most function attribute
      list_debug: Introduce inline wrappers for debug checks
      list: Introduce CONFIG_LIST_HARDENED
      hardening: Move BUG_ON_DATA_CORRUPTION to hardening options

Yonghong Song (2):
      kallsyms: Fix kallsyms_selftest failure
      kallsyms: Change func signature for cleanup_symbol_name()

arch/alpha/kernel/osf_sys.c | 2 +-
arch/arm64/kvm/hyp/nvhe/Makefile | 2 +-
arch/arm64/kvm/hyp/nvhe/list_debug.c | 8 ++-
arch/um/drivers/mconsole_kern.c | 4 +-
arch/um/drivers/vector_user.c | 4 +-
arch/um/include/shared/user.h | 1 -
arch/um/os-Linux/umid.c | 6 +-
arch/x86/kernel/paravirt.c | 8 ++-
drivers/eisa/eisa-bus.c | 2 +-
drivers/misc/lkdtm/bugs.c | 51 +++++++++++++++--
drivers/soc/fsl/qe/qe.c | 4 +-
include/linux/compiler_attributes.h | 26 ++++-----
include/linux/compiler_types.h | 28 +++++++++
include/linux/dm-verity-loadpin.h | 2 +-
include/linux/list.h | 89 +++++++++++++++++++++++++++--
include/linux/nsproxy.h | 7 +--
include/linux/seq_file.h | 7 ++-
include/uapi/linux/stddef.h | 4 ++
kernel/events/core.c | 6 +-
kernel/kallsyms.c | 27 ++++-----
kernel/kallsyms_selftest.c | 23 +-------
kernel/nsproxy.c | 4 +-
lib/Kconfig.debug | 21 +++----
lib/Kconfig.ubsan | 10 +++-
lib/Makefile | 2 +-
lib/list_debug.c | 16 +++---
scripts/gcc-plugins/gcc-common.h | 4 ++
security/Kconfig.hardening | 23 ++++++++
security/integrity/ima/ima_policy.c | 4 +-
security/loadpin/loadpin.c | 3 +-
tools/testing/selftests/kselftest_harness.h | 11 ++--
31 files changed, 286 insertions(+), 123 deletions(-)
--
Kees Cook