rpms/kernel/F-12 linux-2.6.31-copy_from_user-bounds.patch,1.2,1.3
Dave Jones
davej at fedoraproject.org
Wed Sep 30 17:02:03 UTC 2009
Author: davej
Update of /cvs/pkgs/rpms/kernel/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2279
Modified Files:
linux-2.6.31-copy_from_user-bounds.patch
Log Message:
update to arjan's latest (still not applied, this is just for testing)
linux-2.6.31-copy_from_user-bounds.patch:
b/arch/x86/include/asm/uaccess_32.h | 12 ++++-
b/arch/x86/lib/usercopy_32.c | 6 ++
b/drivers/acpi/proc.c | 4 -
b/drivers/acpi/video.c | 20 ++++++---
b/drivers/char/nvram.c | 12 ++++-
b/fs/cifs/cifs_debug.c | 10 ++--
b/include/linux/compiler-gcc4.h | 3 +
b/include/linux/compiler.h | 9 +---
b/kernel/capability.c | 11 ++---
b/mm/migrate.c | 47 ++++++++++++++++++++--
b/net/socket.c | 9 ++--
b/net/wireless/wext.c | 11 ++---
linux-2.6.31.noarch/arch/x86/kernel/cpu/mtrr/if.c | 21 ++++++---
13 files changed, 127 insertions(+), 48 deletions(-)
Index: linux-2.6.31-copy_from_user-bounds.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-12/linux-2.6.31-copy_from_user-bounds.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- linux-2.6.31-copy_from_user-bounds.patch 29 Sep 2009 08:26:13 -0000 1.2
+++ linux-2.6.31-copy_from_user-bounds.patch 30 Sep 2009 17:02:01 -0000 1.3
@@ -1,5 +1,5 @@
-From davej Sat Sep 26 11:56:25 2009
-Return-Path: BATV+801d9f966e814c9eff35+2225+infradead.org+arjan at casper.srs.infradead.org
+From davej Wed Sep 30 12:03:40 2009
+Return-Path: linux-kernel-owner at vger.kernel.org
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
gelk.kernelslacker.org
X-Spam-Level:
@@ -7,230 +7,174 @@ X-Spam-Status: No, score=-6.1 required=5
RCVD_IN_DNSWL_MED,UNPARSEABLE_RELAY autolearn=ham version=3.2.5
Received: from mail.corp.redhat.com [10.5.5.52]
by gelk.kernelslacker.org with IMAP (fetchmail-6.3.9)
- for <davej at localhost> (single-drop); Sat, 26 Sep 2009 11:56:25 -0400 (EDT)
-Received: from zmta02.collab.prod.int.phx2.redhat.com (LHLO
- zmta02.collab.prod.int.phx2.redhat.com) (10.5.5.32) by
- mail04.corp.redhat.com with LMTP; Sat, 26 Sep 2009 08:33:07 -0400 (EDT)
+ for <davej at localhost> (single-drop); Wed, 30 Sep 2009 12:03:40 -0400 (EDT)
+Received: from zmta01.collab.prod.int.phx2.redhat.com (LHLO
+ zmta01.collab.prod.int.phx2.redhat.com) (10.5.5.31) by
+ mail04.corp.redhat.com with LMTP; Wed, 30 Sep 2009 07:05:24 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
- by zmta02.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id A7DF39E640
- for <davej at redhat.com>; Sat, 26 Sep 2009 08:33:07 -0400 (EDT)
-Received: from zmta02.collab.prod.int.phx2.redhat.com ([127.0.0.1])
- by localhost (zmta02.collab.prod.int.phx2.redhat.com [127.0.0.1]) (amavisd-new, port 10024)
- with ESMTP id hkbfP756iXek for <davej at redhat.com>;
- Sat, 26 Sep 2009 08:33:07 -0400 (EDT)
-Received: from int-mx08.intmail.prod.int.phx2.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.21])
- by zmta02.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 8FFA39E63B
- for <davej at mail.corp.redhat.com>; Sat, 26 Sep 2009 08:33:07 -0400 (EDT)
-Received: from mx1.redhat.com (ext-mx02.extmail.prod.ext.phx2.redhat.com [10.5.110.6])
- by int-mx08.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id n8QCX7cQ016845
- for <davej at redhat.com>; Sat, 26 Sep 2009 08:33:07 -0400
-Received: from casper.infradead.org (casper.infradead.org [85.118.1.10])
- by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id n8QCWsOO027686
- for <davej at redhat.com>; Sat, 26 Sep 2009 08:32:55 -0400
+ by zmta01.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id A83B191E74;
+ Wed, 30 Sep 2009 07:05:24 -0400 (EDT)
+Received: from zmta01.collab.prod.int.phx2.redhat.com ([127.0.0.1])
+ by localhost (zmta01.collab.prod.int.phx2.redhat.com [127.0.0.1]) (amavisd-new, port 10024)
+ with ESMTP id C2l5G8z2ZQxe; Wed, 30 Sep 2009 07:05:24 -0400 (EDT)
+Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])
+ by zmta01.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 6C40F91AFB;
+ Wed, 30 Sep 2009 07:05:24 -0400 (EDT)
+Received: from mx1.redhat.com (ext-mx05.extmail.prod.ext.phx2.redhat.com [10.5.110.9])
+ by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id n8UB5Hsn004857;
+ Wed, 30 Sep 2009 07:05:18 -0400
+Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
+ by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id n8UAvsRr008879;
+ Wed, 30 Sep 2009 07:05:06 -0400
+Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+ id S1754157AbZI3LE4 (ORCPT <rfc822;mrezanin at redhat.com> + 41 others);
+ Wed, 30 Sep 2009 07:04:56 -0400
+Received: (majordomo at vger.kernel.org) by vger.kernel.org id S1753441AbZI3LE4
+ (ORCPT <rfc822;linux-kernel-outgoing>);
+ Wed, 30 Sep 2009 07:04:56 -0400
+Received: from casper.infradead.org ([85.118.1.10]:46939 "EHLO
+ casper.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+ with ESMTP id S1752896AbZI3LEz convert rfc822-to-8bit (ORCPT
+ <rfc822;linux-kernel at vger.kernel.org>);
+ Wed, 30 Sep 2009 07:04:55 -0400
Received: from [83.119.188.87] (helo=localhost.localdomain)
by casper.infradead.org with esmtpsa (Exim 4.69 #1 (Red Hat Linux))
- id 1MrWS9-00025Y-Q2; Sat, 26 Sep 2009 12:32:42 +0000
-Date: Sat, 26 Sep 2009 14:33:01 +0200
+ id 1MswzQ-0005Tp-EG; Wed, 30 Sep 2009 11:04:56 +0000
+Date: Wed, 30 Sep 2009 13:05:23 +0200
From: Arjan van de Ven <arjan at infradead.org>
To: linux-kernel at vger.kernel.org
Cc: mingo at elte.hu, tglx at tglx.de, hpa at zytor.com
-Subject: [PATCH] x86: Use __builtin_object_size to validate the buffer size
- for copy_from_user
-Message-ID: <20090926143301.2c396b94 at infradead.org>
+Subject: [PATCH] x86: Turn the copy_from_user check into an (optional)
+ compile time warning
+Message-ID: <20090930130523.348ae6c4 at infradead.org>
Organization: Intel
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
-Content-Transfer-Encoding: quoted-printable
+Content-Transfer-Encoding: 8BIT
X-SRS-Rewrite: SMTP reverse-path rewritten from <arjan at infradead.org> by casper.infradead.org
See http://www.infradead.org/rpr.html
-X-RedHat-Spam-Score: -3.884 (AWL,RCVD_IN_DNSWL_MED)
-X-Scanned-By: MIMEDefang 2.67 on 10.5.11.21
-X-Scanned-By: MIMEDefang 2.67 on 10.5.110.6
+Sender: linux-kernel-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List: linux-kernel at vger.kernel.org
+X-RedHat-Spam-Score: -4 (RCVD_IN_DNSWL_MED)
+X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11
+X-Scanned-By: MIMEDefang 2.67 on 10.5.110.9
Status: RO
-Content-Length: 6453
-Lines: 191
+Content-Length: 3934
+Lines: 111
+
-=46rom 524a1da3c45683cec77480acc6cab1d33ae8d5cb Mon Sep 17 00:00:00 2001
+>From 350cf3cd513e6759ae6852946532a47249f25600 Mon Sep 17 00:00:00 2001
From: Arjan van de Ven <arjan at linux.intel.com>
-Date: Sat, 26 Sep 2009 12:36:21 +0200
-Subject: [PATCH] x86: Use __builtin_object_size to validate the buffer size for copy_from_user
+Date: Wed, 30 Sep 2009 12:57:46 +0200
+Subject: [PATCH] x86: Turn the copy_from_user check into an (optional) compile time warning
-gcc (4.x) supports the __builtin_object_size() builtin, which reports the
-size of an object that a pointer point to, when known at compile time.
-If the buffer size is not known at compile time, a constant -1 is returned.
-
-This patch uses this feature to add a sanity check to copy_from_user();
-if the target buffer is known to be smaller than the copy size, the copy
-is aborted and a WARNing is emitted in memory debug mode.
+A previous patch added the buffer size check to copy_from_user().
-These extra checks compile away when the object size is not known,
-or if both the buffer size and the copy length are constants.
+One of the things learned from analyzing the result of the previous patch
+is that in general, gcc is really good at proving that the code contains
+sufficient security checks to not need to do a runtime check. But that
+for those cases where gcc could not prove this, there was a relatively
+high percentage of real security issues.
+
+This patch turns the case of "gcc cannot prove" into a compile time
+warning, as long as a sufficiently new gcc is in use that supports this.
+The objective is that these warnings will trigger developers checking
+new cases out before a security hole enters a linux kernel release.
Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>
-Reviewed-by: Ingo Molnar <mingo at elte.hu>
---
- arch/x86/include/asm/uaccess_32.h | 19 ++++++++++++++++++-
- arch/x86/include/asm/uaccess_64.h | 19 ++++++++++++++++++-
- arch/x86/kernel/x8664_ksyms_64.c | 2 +-
- arch/x86/lib/copy_user_64.S | 4 ++--
- arch/x86/lib/usercopy_32.c | 4 ++--
- include/linux/compiler-gcc4.h | 2 ++
+ arch/x86/include/asm/uaccess_32.h | 12 +++++++++---
+ arch/x86/lib/usercopy_32.c | 6 ++++++
+ include/linux/compiler-gcc4.h | 3 +++
include/linux/compiler.h | 4 ++++
- 7 files changed, 47 insertions(+), 7 deletions(-)
+ 4 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h
-index 632fb44..582d6ae 100644
+index 582d6ae..7826639 100644
--- a/arch/x86/include/asm/uaccess_32.h
+++ b/arch/x86/include/asm/uaccess_32.h
-@@ -187,9 +187,26 @@ __copy_from_user_inatomic_nocache(void *to, const void __user *from,
-
- unsigned long __must_check copy_to_user(void __user *to,
- const void *from, unsigned long n);
--unsigned long __must_check copy_from_user(void *to,
-+unsigned long __must_check _copy_from_user(void *to,
+@@ -191,6 +191,13 @@ unsigned long __must_check _copy_from_user(void *to,
const void __user *from,
unsigned long n);
+
+
-+static inline unsigned long __must_check copy_from_user(void *to,
-+ const void __user *from,
-+ unsigned long n)
-+{
-+ int sz = __compiletime_object_size(to);
-+ int ret = -EFAULT;
-+
-+ if (likely(sz == -1 || sz >= n))
-+ ret = _copy_from_user(to, from, n);
-+#ifdef CONFIG_DEBUG_VM
-+ else
-+ WARN(1, "Buffer overflow detected!\n");
-+#endif
-+ return ret;
-+}
-+
- long __must_check strncpy_from_user(char *dst, const char __user *src,
- long count);
- long __must_check __strncpy_from_user(char *dst,
-diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
-index db24b21..ce6fec7 100644
---- a/arch/x86/include/asm/uaccess_64.h
-+++ b/arch/x86/include/asm/uaccess_64.h
-@@ -21,10 +21,27 @@ copy_user_generic(void *to, const void *from, unsigned len);
- __must_check unsigned long
- copy_to_user(void __user *to, const void *from, unsigned len);
- __must_check unsigned long
--copy_from_user(void *to, const void __user *from, unsigned len);
-+_copy_from_user(void *to, const void __user *from, unsigned len);
- __must_check unsigned long
- copy_in_user(void __user *to, const void __user *from, unsigned len);
-
-+static inline unsigned long __must_check copy_from_user(void *to,
-+ const void __user *from,
-+ unsigned long n)
-+{
-+ int sz = __compiletime_object_size(to);
-+ int ret = -EFAULT;
-+
-+ if (likely(sz == -1 || sz >= n))
-+ ret = _copy_from_user(to, from, n);
-+#ifdef CONFIG_DEBUG_VM
-+ else
-+ WARN(1, "Buffer overflow detected!\n");
++extern void copy_from_user_overflow(void)
++#ifdef CONFIG_DEBUG_STACKOVERFLOW
++ __compiletime_warning("copy_from_user buffer size is not provably correct")
+#endif
-+ return ret;
-+}
++;
+
+ static inline unsigned long __must_check copy_from_user(void *to,
+ const void __user *from,
+ unsigned long n)
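Review bot: In the `copy_from_user_overflow()` declaration, the `__compiletime_warning` attribute is gated on `CONFIG_DEBUG_STACKOVERFLOW`, an option whose name refers to stack overflow debugging rather than to this check, and the commit message does not say which option makes the warning "optional". A dedicated Kconfig symbol for the copy_from_user check, named in the commit message, would let it be enabled on its own and make the gate discoverable; failing that, a comment above the `#ifdef` should explain why this symbol was reused.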
+@@ -200,10 +207,9 @@ static inline unsigned long __must_check copy_from_user(void *to,
+
+ if (likely(sz == -1 || sz >= n))
+ ret = _copy_from_user(to, from, n);
+-#ifdef CONFIG_DEBUG_VM
+ else
+- WARN(1, "Buffer overflow detected!\n");
+-#endif
++ copy_from_user_overflow();
+
- static __always_inline __must_check
- int __copy_from_user(void *dst, const void __user *src, unsigned size)
- {
-diff --git a/arch/x86/kernel/x8664_ksyms_64.c b/arch/x86/kernel/x8664_ksyms_64.c
-index 3909e3b..a0cdd8c 100644
---- a/arch/x86/kernel/x8664_ksyms_64.c
-+++ b/arch/x86/kernel/x8664_ksyms_64.c
-@@ -30,7 +30,7 @@ EXPORT_SYMBOL(__put_user_8);
-
- EXPORT_SYMBOL(copy_user_generic);
- EXPORT_SYMBOL(__copy_user_nocache);
--EXPORT_SYMBOL(copy_from_user);
-+EXPORT_SYMBOL(_copy_from_user);
- EXPORT_SYMBOL(copy_to_user);
- EXPORT_SYMBOL(__copy_from_user_inatomic);
-
-diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
-index 6ba0f7b..4be3c41 100644
---- a/arch/x86/lib/copy_user_64.S
-+++ b/arch/x86/lib/copy_user_64.S
-@@ -78,7 +78,7 @@ ENTRY(copy_to_user)
- ENDPROC(copy_to_user)
-
- /* Standard copy_from_user with segment limit checking */
--ENTRY(copy_from_user)
-+ENTRY(_copy_from_user)
- CFI_STARTPROC
- GET_THREAD_INFO(%rax)
- movq %rsi,%rcx
-@@ -88,7 +88,7 @@ ENTRY(copy_from_user)
- jae bad_from_user
- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
- CFI_ENDPROC
--ENDPROC(copy_from_user)
-+ENDPROC(_copy_from_user)
+ return ret;
+ }
- ENTRY(copy_user_generic)
- CFI_STARTPROC
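Review bot: The switch from the `CONFIG_DEBUG_VM`-guarded `WARN` to an unconditional `copy_from_user_overflow()` call in the `else` branch is made only in uaccess_32.h, although the subject line says x86 and the previous revision (the removed lines above) put the same inline wrapper in uaccess_64.h. This revision's diffstat lists no 64-bit file and `copy_from_user_overflow()` is defined only in usercopy_32.c, so as far as this diff shows the 64-bit wrapper keeps the old runtime-only behaviour. Either apply the same change to uaccess_64.h with a matching definition and export, or state in the commit message that the compile-time warning is 32-bit only for now.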
diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
-index 1f118d4..8498684 100644
+index 8498684..e218d5d 100644
--- a/arch/x86/lib/usercopy_32.c
+++ b/arch/x86/lib/usercopy_32.c
-@@ -874,7 +874,7 @@ EXPORT_SYMBOL(copy_to_user);
- * data to the requested size using zero bytes.
- */
- unsigned long
--copy_from_user(void *to, const void __user *from, unsigned long n)
-+_copy_from_user(void *to, const void __user *from, unsigned long n)
- {
- if (access_ok(VERIFY_READ, from, n))
- n = __copy_from_user(to, from, n);
-@@ -882,4 +882,4 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
- memset(to, 0, n);
+@@ -883,3 +883,9 @@ _copy_from_user(void *to, const void __user *from, unsigned long n)
return n;
}
--EXPORT_SYMBOL(copy_from_user);
-+EXPORT_SYMBOL(_copy_from_user);
+ EXPORT_SYMBOL(_copy_from_user);
++
++void copy_from_user_overflow(void)
++{
++ WARN(1, "Buffer overflow detected!\n");
++}
++EXPORT_SYMBOL(copy_from_user_overflow);
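Review bot: `copy_from_user_overflow()` calls `WARN(1, ...)` and, with the `#ifdef CONFIG_DEBUG_VM` guard dropped in uaccess_32.h, that now runs on every rejected copy in every configuration, so a call site whose length comes from userspace can produce a backtrace per call. `WARN_ONCE` or a rate-limited message would keep the diagnostic without letting the log be flooded. The text could also say that the copy was refused, since "Buffer overflow detected!" reads as if the overflow had already happened, while the wrapper skips `_copy_from_user()` on this path.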
diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
-index 450fa59..a3aef5d 100644
+index a3aef5d..f1709c1 100644
--- a/include/linux/compiler-gcc4.h
+++ b/include/linux/compiler-gcc4.h
-@@ -37,3 +37,5 @@
- #define __cold __attribute__((__cold__))
-
+@@ -39,3 +39,6 @@
#endif
-+
-+#define __compiletime_object_size(obj) __builtin_object_size(obj, 0)
+
+ #define __compiletime_object_size(obj) __builtin_object_size(obj, 0)
++#if __GNUC_MINOR__ >= 4
++#define __compiletime_warning(message) __attribute__((warning(message)))
++#endif
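Review bot: The `#if __GNUC_MINOR__ >= 4` test in front of `__compiletime_warning` has no comment saying why minor version 4 is the cut-off, and the commit message only says "a sufficiently new gcc". A one-line comment giving the reason, and noting that older compilers fall back to the empty definition in compiler.h, would tell anyone building with an older gcc that they get the runtime check only.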
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
-index 9d4c4b0..9c42853 100644
+index 9c42853..241dfd8 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
-@@ -185,6 +185,10 @@ extern void __chk_io_ptr(const volatile void __iomem *);
- # define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
+@@ -189,6 +189,10 @@ extern void __chk_io_ptr(const volatile void __iomem *);
+ #ifndef __compiletime_object_size
+ # define __compiletime_object_size(obj) -1
#endif
-
-+/* Compile time object size, -1 for unknown */
-+#ifndef __compiletime_object_size
-+# define __compiletime_object_size(obj) -1
++#ifndef __compiletime_warning
++# define __compiletime_warning(message)
+#endif
++
/*
* Prevent the compiler from merging or refetching accesses. The compiler
* is also forbidden from reordering successive instances of ACCESS_ONCE(),
--
-1.6.0.6
-
+1.6.2.5
--
Arjan van de Ven Intel Open Source Technology Centre
For development, discussion and tips for power savings,
visit http://www.lesswatts.org
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at http://www.tux.org/lkml/
From davej Sat Sep 26 14:57:33 2009
Return-Path: linux-kernel-owner at vger.kernel.org