From 47f04616f2c9b2f4f0c9127e30ca515a078db591 Mon Sep 17 00:00:00 2001 From: Matthias Kaehlcke Date: Tue, 27 Jun 2023 20:28:01 +0000 Subject: [PATCH 1/3] dm: verity-loadpin: Add NULL pointer check for 'bdev' parameter Add a NULL check for the 'bdev' parameter of dm_verity_loadpin_is_bdev_trusted(). The function is called by loadpin_check(), which passes the block device that corresponds to the super block of the file system from which a file is being loaded. Generally a super_block structure has an associated block device, however that is not always the case (e.g. tmpfs). Cc: stable@vger.kernel.org # v6.0+ Fixes: b6c1c5745ccc ("dm: Add verity helpers for LoadPin") Signed-off-by: Matthias Kaehlcke Link: https://lore.kernel.org/r/20230627202800.1.Id63f7f59536d20f1ab83e1abdc1fda1471c7d031@changeid Signed-off-by: Kees Cook
---
 drivers/md/dm-verity-loadpin.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/drivers/md/dm-verity-loadpin.c b/drivers/md/dm-verity-loadpin.c
index 4f78cc55c251..0666699b6858 100644
--- a/drivers/md/dm-verity-loadpin.c
+++ b/drivers/md/dm-verity-loadpin.c
@@ -58,6 +58,9 @@ bool dm_verity_loadpin_is_bdev_trusted(struct block_device *bdev)
 int srcu_idx;
 bool trusted = false;
+ if (bdev == NULL)
+ return false;
+
 if (list_empty(&dm_verity_loadpin_trusted_root_digests))
 return false;
From 5e2956ee46244ffba1d345bae8115aa5dc199adc Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Mon, 3 Jul 2023 12:50:26 -0700 Subject: [PATCH 2/3] Revert "fortify: Allow KUnit test to build without FORTIFY" This reverts commit a9dc8d0442294b426b1ebd4ec6097c82ebe282e0. The standard for KUnit is to not build tests at all when required functionality is missing, rather than doing test "skip". Restore this for the fortify tests, so that architectures without CONFIG_ARCH_HAS_FORTIFY_SOURCE do not emit unsolvable warnings. Reported-by: Geert Uytterhoeven Closes: https://lore.kernel.org/all/CAMuHMdUrxOEroHVUt7-mAnKSBjY=a-D3jr+XiAifuwv06Ob9Pw@mail.gmail.com
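Review bot: The guard added at the top of dm_verity_loadpin_is_bdev_trusted() carries no comment, so a later reader cannot tell that a NULL bdev is an expected input (the commit message cites tmpfs) and that answering "not trusted" is the intended fail-closed result rather than an error path. I would put `/* No backing block device (e.g. tmpfs): nothing dm-verity could vouch for, so not trusted. */` directly above the check. As a style point, kernel code normally writes the test as `if (!bdev)`, which checkpatch in strict mode also prefers over the explicit `== NULL` comparison. The function body continues outside the hunk.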
Signed-off-by: Kees Cook
---
 lib/Kconfig.debug | 2 +-
 lib/fortify_kunit.c | 14 --------------
 2 files changed, 1 insertion(+), 15 deletions(-)
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index c2a7608ff585..6c6a7ee9f1f9 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -2645,7 +2645,7 @@ config STACKINIT_KUNIT_TEST
 config FORTIFY_KUNIT_TEST
 tristate "Test fortified str*() and mem*() function internals at runtime" if !KUNIT_ALL_TESTS
- depends on KUNIT
+ depends on KUNIT && FORTIFY_SOURCE
 default KUNIT_ALL_TESTS
 help
 Builds unit tests for checking internals of FORTIFY_SOURCE as used
diff --git a/lib/fortify_kunit.c b/lib/fortify_kunit.c
index 524132f33cf0..c8c33cbaae9e 100644
--- a/lib/fortify_kunit.c
+++ b/lib/fortify_kunit.c
@@ -25,11 +25,6 @@ static const char array_of_10[] = "this is 10";
 static const char *ptr_of_11 = "this is 11!";
 static char array_unknown[] = "compiler thinks I might change";
-/* Handle being built without CONFIG_FORTIFY_SOURCE */
-#ifndef __compiletime_strlen
-# define __compiletime_strlen __builtin_strlen
-#endif
-
 static void known_sizes_test(struct kunit *test)
 {
 KUNIT_EXPECT_EQ(test, __compiletime_strlen("88888888"), 8);
@@ -312,14 +307,6 @@ DEFINE_ALLOC_SIZE_TEST_PAIR(kvmalloc)
 } while (0)
 DEFINE_ALLOC_SIZE_TEST_PAIR(devm_kmalloc)
-static int fortify_test_init(struct kunit *test)
-{
- if (!IS_ENABLED(CONFIG_FORTIFY_SOURCE))
- kunit_skip(test, "Not built with CONFIG_FORTIFY_SOURCE=y");
-
- return 0;
-}
-
 static struct kunit_case fortify_test_cases[] = {
 KUNIT_CASE(known_sizes_test),
 KUNIT_CASE(control_flow_split_test),
@@ -336,7 +323,6 @@ static struct kunit_case fortify_test_cases[] = {
 static struct kunit_suite fortify_test_suite = {
 .name = "fortify",
- .init = fortify_test_init,
 .test_cases = fortify_test_cases,
 };
From 01f23c5f1526f5b6ff744887aa511b9e69d4401b Mon Sep 17 00:00:00 2001
From: Kees Cook Date: Thu, 29 Jun 2023 12:09:00 -0700 Subject: [PATCH 3/3] usb: ch9: Replace bmSublinkSpeedAttr 1-element array with flexible array Since commit 2d47c6956ab3 ("ubsan: Tighten UBSAN_BOUNDS on GCC"), UBSAN_BOUNDS no longer pretends 1-element arrays are unbounded. Walking bmSublinkSpeedAttr will trigger a warning, so make it a proper flexible array. Add a union to keep the struct size identical for userspace in case anything was depending on the old size. False positive warning was: UBSAN: array-index-out-of-bounds in drivers/usb/host/xhci-hub.c:231:31 index 1 is out of range for type '__le32 [1]' for this line of code: ssp_cap->bmSublinkSpeedAttr[offset++] = cpu_to_le32(attr); Reported-by: Borislav Petkov Closes: https://lore.kernel.org/lkml/2023062945-fencing-pebble-0411@gregkh/ Reported-by: Mirsad Todorovac Closes: https://lore.kernel.org/lkml/9a8e34ad-8a8b-3830-4878-3c2c82e69dd9@alu.unizg.hr/ Cc: Greg Kroah-Hartman Cc: "Gustavo A. R. Silva" Tested-by: "Borislav Petkov (AMD)" Tested-by: Mirsad Todorovac Reviewed-by: "Gustavo A. R. Silva" Link: https://lore.kernel.org/r/20230629190900.never.787-kees@kernel.org Signed-off-by: Kees Cook
---
 include/uapi/linux/usb/ch9.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/usb/ch9.h b/include/uapi/linux/usb/ch9.h
index b17e3a21b15f..3ff98c7ba7e3 100644
--- a/include/uapi/linux/usb/ch9.h
+++ b/include/uapi/linux/usb/ch9.h
@@ -981,7 +981,11 @@ struct usb_ssp_cap_descriptor {
 #define USB_SSP_MIN_RX_LANE_COUNT (0xf << 8)
 #define USB_SSP_MIN_TX_LANE_COUNT (0xf << 12)
 __le16 wReserved;
- __le32 bmSublinkSpeedAttr[1]; /* list of sublink speed attrib entries */
+ union {
+ __le32 legacy_padding;
+ /* list of sublink speed attrib entries */
+ __DECLARE_FLEX_ARRAY(__le32, bmSublinkSpeedAttr);
+ };
 #define USB_SSP_SUBLINK_SPEED_SSID (0xf) /* sublink speed ID */
 #define USB_SSP_SUBLINK_SPEED_LSE (0x3 << 4) /* Lanespeed exponent */
 #define USB_SSP_SUBLINK_SPEED_LSE_BPS 0
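Review bot: Once bmSublinkSpeedAttr is a flexible array the compiler attaches no bound to it at all, yet the comment kept above it still says only that it is a list and not where the entry count comes from. Descriptors of this kind are filled in from device-supplied data, so any code walking the array has to bound its index itself; I would extend the comment to something like `/* sublink speed attrib entries; count comes from the descriptor (presumably the SSAC field of bmAttributes) and must be checked against bLength before indexing */`. `legacy_padding` also deserves a short comment, e.g. `/* keeps sizeof() equal to the old one-entry layout for userspace */`, since the name alone does not say that it aliases entry 0 of the array. The struct begins and ends outside the hunk.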