From patchwork Fri Aug 20 07:09:59 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 1518933 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=chromium.org header.i=@chromium.org header.a=rsa-sha256 header.s=google header.b=oChnJHWf; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4GrXpn1Q5Sz9sWw; Fri, 20 Aug 2021 17:10:41 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1mGyfm-00089l-01; Fri, 20 Aug 2021 07:10:38 +0000 Received: from mail-pj1-f47.google.com ([209.85.216.47]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1mGyfQ-000815-0z for kernel-team@lists.ubuntu.com; Fri, 20 Aug 2021 07:10:16 +0000 Received: by mail-pj1-f47.google.com with SMTP id 28-20020a17090a031cb0290178dcd8a4d1so8785200pje.0 for ; Fri, 20 Aug 2021 00:10:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=N8YijCd1N/fvze+XDKxYD01qQRrrT1Ntja3dyTOQXJs=; b=oChnJHWf/i1iDZpPuIphS5cz4/WPKuKmpvmBlVJ4gPA8b2GpVcbKtUzMAsCSQgzYSL bCMlyufi52Z2aTFOVSDNeNoU8uUD92PlQKaw1noZv9u4OZ74CG9EAHGRcAd+I+rzHsbX FcvnFKGzlhEOgidJUPhyLfZ4nwMmL8e4MIypg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=N8YijCd1N/fvze+XDKxYD01qQRrrT1Ntja3dyTOQXJs=; b=lhpiXgl4CcmFf0wE4zoWuaheKE7j5HEDy9sCODwNqQNAx/sMMEpTY8uZO0Vuk/KwCE 0n+yD80S48fK8X6X09qkFkMZ2P1J/eeOZdw+gIhW9QwjQD5spWvEEGs4HJmPPnUrIe+p 58daMghEVBTbItDqXmL+xCUxvmzt/bkpLjqMNU2mHCCtyX33VrJwPg0D4dAX6oGOQLTd vVp7dN7M4BVIX4HvM+r85s4AWSxzTy/jrJHIeuLTu4uR6ddkpBrZe67+UofosfpqcVvN LCrS97iFIRl5+zn3NqZiRCW0/febXTD6uHgxqxBH9rAM6eHHDroQ8iLkyn+Vm7RAjH0L 9t9Q== X-Gm-Message-State: AOAM533r0p/EFavXxZF0Y+16hwtBBJ/E/1h8sUsc0tMAFyuYshvi1oCs QYaLiNTLS0hQ1ddYypkrCiL5Tw== X-Google-Smtp-Source: ABdhPJxBBkwzFxVXaa9cT8vONkUiX26B7+2VhM70TiARcqJv9t7/Gcvh7s+/+91YuZXfy+tPW5PHcA== X-Received: by 2002:a17:90a:d590:: with SMTP id v16mr3109382pju.205.1629443414737; Fri, 20 Aug 2021 00:10:14 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id c7sm4004331pjc.31.2021.08.20.00.10.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Aug 2021 00:10:13 -0700 (PDT) From: Kees Cook To: kernel-team@lists.ubuntu.com Subject: [PATCH 1/4] UBUNTU: [Config] annotations: set CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT to y Date: Fri, 20 Aug 2021 00:09:59 -0700 Message-Id: <20210820071002.3560053-2-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210820071002.3560053-1-keescook@chromium.org> References: <20210820071002.3560053-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=1459; h=from:subject; bh=9difY8+zZrvjk1x0N1jXFGxHBgExL8VcGYQYCHw/2Ug=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBhH1VI1c0r4tL3hykn1bMiew3GHbv6zi+6uNQq61Sx g9Qs00yJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYR9VSAAKCRCJcvTf3G3AJk+bEA CevDa21PTxWZJ+FWBmaXQCKXsktNoV+CpDrGXNU4LcQi7JzKsy9k3Jxsd910prhVbz7u2I2uw/9i9I +VY9s8wbB54ohr2jRmCG/nB9eiKIalXuhKoCgjwS2MVPrNW2vFKqWj4Zw8NT1OyAWyghcdZcYcVFFN AuuodtUg1vMTJE1kJ337haD6Ak0bTDw5JK7sOqGy6dYOPGUcryjZ3kQz4uFyxgw4SxhfC7j4uWIeKt BYrYe8n2j8Qza6Eo2JUWmrRveV0nOOy8YP1Xl4RNJfruHYiYyR6GWBJcELqyOK5SUpM8I87VQL7MbL tFL/BUL9HNXvUGbXr8DEKQORxxv+5TtVOzsbIpn2HPEh/rsAuPNFFrtNbEnTKMehiRdAqbMtHx7FXn 7lnyvmWjCDY689wyfEnKV1aJ88UoGgV6KHadFS3nT9yAH86QOyHnEs2IvWnNBUpSIh9YwEVk65RD4K RjeKQArsMo9Kchkty4+nxanEkbyzTb0UNKbkU/F6Okfk5torYHeMQzK6LRBbl2jtyybANNyPqNhx+V LGFpOKVCPnaHse5Xnbo84lBGVRD3wt07kKdO/4ETfw5BXDxBk3olY9FBPQp683Ii3s/+MtDtjCYwdH b7duIzuaX769o0YkPJqVIV8DA8mfBM/wmPU6gdaS2b+r2F+f/AYxXyreFCUg== X-Developer-Key: i=kees@ubuntu.com; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: ubuntu-hardened@lists.ubuntu.com, Kees Cook Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Kees Cook While the config was updated, annotations weren't. Set this enabled for the architectures that support it. Fixes: 2ea2b647bcdd ("UBUNTU: [Config] Enable CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT") Signed-off-by: Kees Cook --- debian.master/config/annotations | 1 + 1 file changed, 1 insertion(+) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 445d8711606a..7599bf532a0b 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -10951,6 +10951,7 @@ CONFIG_ARCH_MMAP_RND_BITS policy<{'amd64': '28', 'arm64': CONFIG_ARCH_MMAP_RND_COMPAT_BITS policy<{'amd64': '8', 'arm64': '11', 'ppc64el': '8'}> CONFIG_COMPAT_32BIT_TIME policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_VMAP_STACK policy<{'amd64': 'y', 'arm64': 'y', 's390x': 'y'}> +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT policy<{'amd64': 'y', 'arm64': 'y', 's390x': 'y'}> CONFIG_STRICT_KERNEL_RWX policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_STRICT_MODULE_RWX policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 's390x': 'y'}> CONFIG_LOCK_EVENT_COUNTS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> From patchwork Fri Aug 20 07:10:00 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 1518930 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=chromium.org header.i=@chromium.org header.a=rsa-sha256 header.s=google header.b=kcUmvMzb; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4GrXpY1ZHzz9sWq; Fri, 20 Aug 2021 17:10:28 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1mGyfU-00082B-Sz; Fri, 20 Aug 2021 07:10:20 +0000 Received: from mail-pg1-f178.google.com ([209.85.215.178]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1mGyfP-000812-7o for kernel-team@lists.ubuntu.com; Fri, 20 Aug 2021 07:10:15 +0000 Received: by mail-pg1-f178.google.com with SMTP id t1so8262905pgv.3 for ; Fri, 20 Aug 2021 00:10:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=sBo5KafHTNJjD1C3aWv5jkV89exFi8LfUQOMiNiFit8=; b=kcUmvMzbxC8tIOfckP87imCoepuKnAmHKEbfJbRUWR78W7uVC2x5NbyPEto9NxpnNd L0fjlC65bcjCyOYmjeWAnIP0Pc5s/vKgzujL1OJOpkO2WTwPgQ3zt/Gt76xYg/c+dM5L DT26XIVfNl5/2Pzo4ZZlQYBoFjEe0hJI18+wo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=sBo5KafHTNJjD1C3aWv5jkV89exFi8LfUQOMiNiFit8=; b=hw19KR7LUlXDRY8NCzwn1iYn5M9CYw8xStP1n9oJHmPt/8a4kosr7CL20Y8LGVRz3g KP6Lt1ccgV4YRYvszPnndQk+70LRRZgBOfz9QBQ7cZg2i3f2ejOq8XCas8pbAubj7VhZ fdjzVSu6ciXBVhruc7NdhysSF+0adYDXmMrgg+t2uCPO2Eqc8VIHuIAen0dU3ag6rl6P NJgqCW3DNtBf/C0JqgPajYwIJWOjW2BNsntDZoBbf9F9+UGzyWhH/LTCwXsUs7uRBTz2 jF/QtDxX2rV7HHWE1ikYL+J8pZKuAH42RSSSTXpa/YkHfhiVn0Y9wMxgls6vGT7dCF8d vw+g== X-Gm-Message-State: AOAM531B/j3PgoVOaXnTU3+eOrAO5EarfznxqHkWQ+jtEwoFQ5oKwyvc DQy2RZQmUme2WkKEHH7jXcqFnA== X-Google-Smtp-Source: ABdhPJw7q4Gr8Mqm+pk4e4CqTNzkGZzQITL3hsDyV6FBPj0+Q4iTFOh+UGRl1J1O6fVD6tZ0FPIdXQ== X-Received: by 2002:a65:6205:: with SMTP id d5mr17548717pgv.326.1629443413822; Fri, 20 Aug 2021 00:10:13 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id ep21sm5283973pjb.18.2021.08.20.00.10.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Aug 2021 00:10:13 -0700 (PDT) From: Kees Cook To: kernel-team@lists.ubuntu.com Subject: [PATCH 2/4] UBUNTU: [Config] Disable CONFIG_MANDATORY_FILE_LOCKING Date: Fri, 20 Aug 2021 00:10:00 -0700 Message-Id: <20210820071002.3560053-3-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210820071002.3560053-1-keescook@chromium.org> References: <20210820071002.3560053-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2329; h=from:subject; bh=BLMX0iuALIHME8qxVragd19dQt8PkIP9b4eVGvVTjq0=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBhH1VJfpcVF0cZ9cpSMs00nq95EZDH0RlfWYGTXTi4 UIfXbFGJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYR9VSQAKCRCJcvTf3G3AJkQaD/ 9gaBo45g5POuxHt8VkAdRnI+FgKW8WqpcQt6RZrJi6gpbpTU8ki5opvwHlL+VDmfW6rXPHkBMfpoH2 sCfYj3Za1HlEQFTKD1oIaOcJo0j6jJw02DV9Cn01nBnrr05QGmKf98wD54MIECVc1Qvy670XFGv3kn 2VO3fm5EMSOO5swnMsToLuMbY2BHeuCF/I7IQF8yxUd6jVZbjYd4e++80hzZ8JQCxjF8E5c9O3R5Th oNigQ0NdEvm/ziGMixc1sT0heGCZOO3UAsKmHl5Hilx8tBZw75UqB9WiWNWTSi9Qoao9+MqF+pfj0Y Chsr917geXLZHQDIbLQrEpXkmoljXOtZFyjA4Y7Spvgrf2vpqDxQohV9op3MeufRdDGuX8N5fx3FPP PRm7+wbCwqPErjO1hYG4ZN7b4p0y0fTAFmy//eAx0uzQhvQUfT5AoccRrAi2PDVeWgFEULBh9fDYps QDUF+QwDR3N9n2KjhcIgwzO9aY/6C4166S36tDZIsPkV1cj52GrEaaxB6ffDx2ymijCcb7cozCGvLs yblj81NNhj8r7eQWNrI1db8jrU9Roy1oEsTNYXMchJKRVOjprRROS2Wj2LN3iMEdtg3wJCLT16tRTL E5QQPY4a9kYOrbSuUgws4cOB7/5VgdcfFg3J1R+NdpLq/t206sjE9DpVt0nA== X-Developer-Key: i=kees@ubuntu.com; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: ubuntu-hardened@lists.ubuntu.com, Kees Cook Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Kees Cook Upstream is trying to remove this feature. It appears to be unused and causes maintenance burdens. Disable in common config and enforce in policy. BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1940392 Signed-off-by: Kees Cook --- debian.master/config/annotations | 2 +- debian.master/config/config.common.ubuntu | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 7599bf532a0b..0092f241d013 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -10445,7 +10445,7 @@ CONFIG_ZONEFS_FS policy<{'amd64': 'm', 'arm64': ' CONFIG_FS_DAX policy<{'amd64': 'y', 'arm64': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_EXPORTFS_BLOCK_OPS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_FILE_LOCKING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> -CONFIG_MANDATORY_FILE_LOCKING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> +CONFIG_MANDATORY_FILE_LOCKING policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_FS_ENCRYPTION policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_FS_ENCRYPTION_INLINE_CRYPT policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_FS_VERITY policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 8f140f6fb4db..5af18fe4b2d5 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -5783,7 +5783,7 @@ CONFIG_MAGIC_SYSRQ_SERIAL=y CONFIG_MAGIC_SYSRQ_SERIAL_SEQUENCE="" CONFIG_MAILBOX_TEST=m CONFIG_MANAGER_SBS=m -CONFIG_MANDATORY_FILE_LOCKING=y +# CONFIG_MANDATORY_FILE_LOCKING is not set CONFIG_MANTIS_CORE=m CONFIG_MAPPING_DIRTY_HELPERS=y # CONFIG_MARCH_Z10 is not set From patchwork Fri Aug 20 07:10:01 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 1518934 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=chromium.org header.i=@chromium.org header.a=rsa-sha256 header.s=google header.b=jqtorr2n; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4GrXpv0dCzz9sW5; Fri, 20 Aug 2021 17:10:47 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1mGyfq-0008De-L0; Fri, 20 Aug 2021 07:10:42 +0000 Received: from mail-pj1-f51.google.com ([209.85.216.51]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1mGyfQ-000816-46 for kernel-team@lists.ubuntu.com; Fri, 20 Aug 2021 07:10:16 +0000 Received: by mail-pj1-f51.google.com with SMTP id m24-20020a17090a7f98b0290178b1a81700so6619763pjl.4 for ; Fri, 20 Aug 2021 00:10:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=hYOqZE8WPeol1DUBGCodr1R+k7r9YzUR0yCqkPTZtqU=; b=jqtorr2nXImbtzj90yKpoY/eG716ny4pE6S06IHxiTxhq6JHU8gtq1DUx45mhHukNS zXIR+sxiUNM2+cayYtQA5eKT8gXkFrDtTadWvQYwF+WQ3do/ZL+eXBo2JryZbAtLtYda xMyybiXldy5EPJ42cxxC7oDjYlNd+/Au2o+CQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=hYOqZE8WPeol1DUBGCodr1R+k7r9YzUR0yCqkPTZtqU=; b=BiB+tr7VHBlZgUXurofAFTeMoxbJP7ubH3X43Wm/uXA1ixWVBLv0Okc+5NuqTr46s2 eWbki4mnvMCIZK5ph6PllCKWV3cLUxbFq2zxKf40QV4JJEmS3qtcLa0FAW5LVf7GcUTU hPYjnM4Rj41/vXVk3cyWXz8v+XFndBOMelnUetLPi6JSjSVEaMa2IdHPkOBIcv6+d4Df gogFu0aXyKm0XQVGW6LMGsKQO0rMZUj40/HN494BYpKl+aY8b0MPov28FV1BuJiQX2Jg 9KNFYfl8bqPVaBqbRjthuSxQV/zqvaOHOXz5q71EmLXbu5TlIw9Y+OXkTFleMOTox2W/ MNWQ== X-Gm-Message-State: AOAM533qZOOWw1YGIGSel7jZ+CxVIYIOaAKIb9qqDyatUFtPbeJdQ8ep UUSu2crpSmVFBi25QDldSKJ3+w== X-Google-Smtp-Source: ABdhPJwdE6mIMcG3Q1rJNAvnVXt3o8XbXHZRwL8h6m1/oUIHRajA6wrILR4Hceby0DSmzvG/+ONW0g== X-Received: by 2002:a17:90a:4b07:: with SMTP id g7mr3190221pjh.48.1629443414097; Fri, 20 Aug 2021 00:10:14 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id 141sm5754337pfv.15.2021.08.20.00.10.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Aug 2021 00:10:13 -0700 (PDT) From: Kees Cook To: kernel-team@lists.ubuntu.com Subject: [PATCH 3/4] UBUNTU: [Config] Disable CONFIG_HARDENED_USERCOPY_FALLBACK Date: Fri, 20 Aug 2021 00:10:01 -0700 Message-Id: <20210820071002.3560053-4-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210820071002.3560053-1-keescook@chromium.org> References: <20210820071002.3560053-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2316; h=from:subject; bh=nGEHATtEinOmCtDPMDC7w48Ii4ahfPFsIFuoRfbngy0=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBhH1VJ8G/oAmOWpMFg/cmJoEB1GZmZWAip/QWfxjxf QXwG3SCJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYR9VSQAKCRCJcvTf3G3AJj+jD/ 9+aH/C6JPJAEXZ5yDYSedoxAMM+T9ZJoGXN9PIFPjiBdGrWGKGu23S70fgcoErQDr2cjCWNxBtJeOK EgCWybMVrlyRo8G/3MpdV4AFgux66NktEky8Ltw05WWeb3ZJYKasvgF1IGKh7Jvjbdu+6XrqvnVvf4 eIUFX9L8hgjm9N7QrIW++8iIhGFd+67H5cQezTCV7PgQjbLbhVQcqSwob/MXAsEHHWr9cE+FGexyNK 9/39NGLB1HsjYO6Rj9Hyj7ZcL4LlCk3NlAVgB4+64AL4UXfwzWDvanYIbQ/nC1RPRxHPWk61ZRew2l cmZRMVQDD/U5cPuRWdKnLyNEjbPBncvmjHyoqVKyTxK4S0prHsHSlf/LBfYtmx9MxkSSTQl54gHbBZ 1IRtpj78LATqVQFDfBUM1GoaQPNbPYFXF28q9rNSQ4IHuqOHW7Bavb04B3azIKON7Eagu2jhA6foMr ovoGux4HY8QLYtL6fX5SwBTtnxvWRS3pa5tBZ03reIKT2DNyVmKFI2EYsSkbMy4r2yd5i7pY6jkMdo 4HJlAZbIPIclFw56ShIfCYhMI8hESrZF3faCdlLdN5sZc4wD8Rtds00sxXeWoesVlcaS+P08hApG5X 0XPB7zS0R1tAnwofKyWT4rt/qXmq4Awn49T1Zq84wp72jZ66aXfsNLetAxog== X-Developer-Key: i=kees@ubuntu.com; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: ubuntu-hardened@lists.ubuntu.com, Kees Cook Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Kees Cook CONFIG_HARDENED_USERCOPY_FALLBACK was designed to catch old out of tree drivers doing bad things with CONFIG_HARDENED_USERCOPY, and weakens the protection. It's been several years now; it's time to turn this off. BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855340 Signed-off-by: Kees Cook --- debian.master/config/annotations | 2 +- debian.master/config/config.common.ubuntu | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 0092f241d013..0c2d17076442 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -13578,7 +13578,7 @@ CONFIG_SECURITYFS policy<{'amd64': 'y', 'arm64': ' CONFIG_PAGE_TABLE_ISOLATION policy<{'amd64': 'y'}> CONFIG_INTEL_TXT policy<{'amd64': 'y'}> CONFIG_HARDENED_USERCOPY policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> -CONFIG_HARDENED_USERCOPY_FALLBACK policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> +CONFIG_HARDENED_USERCOPY_FALLBACK policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_HARDENED_USERCOPY_PAGESPAN policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_FORTIFY_SOURCE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_STATIC_USERMODEHELPER policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 5af18fe4b2d5..8bbd7d7a8d1d 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -4019,7 +4019,7 @@ CONFIG_HANDLE_DOMAIN_IRQ=y CONFIG_HANGCHECK_TIMER=m CONFIG_HAPPYMEAL=m CONFIG_HARDENED_USERCOPY=y -CONFIG_HARDENED_USERCOPY_FALLBACK=y +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set CONFIG_HARDEN_BRANCH_PREDICTOR=y CONFIG_HARDIRQS_SW_RESEND=y From patchwork Fri Aug 20 07:10:02 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 1518931 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=chromium.org header.i=@chromium.org header.a=rsa-sha256 header.s=google header.b=YZS2xE7l; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4GrXpZ0F6hz9sX3; Fri, 20 Aug 2021 17:10:30 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1mGyfa-00082y-9Y; Fri, 20 Aug 2021 07:10:26 +0000 Received: from mail-pf1-f182.google.com ([209.85.210.182]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1mGyfQ-00081I-Aq for kernel-team@lists.ubuntu.com; Fri, 20 Aug 2021 07:10:16 +0000 Received: by mail-pf1-f182.google.com with SMTP id y11so7818229pfl.13 for ; Fri, 20 Aug 2021 00:10:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=rqNAXILbq5SdqDSaGHVaFk0PGwdgENXUDvC9Ys09jck=; b=YZS2xE7lxbPdifr5Xy8CNBxmYmSzFTHwDgJfGBEE/yMDBanBQo59x6UzqYhqZEyvj8 FPWY95/C01rnmlNFxLPf9CdddqYUhUHbsiMlY8hMKojwxiBEg/yzLunDQzuNeFy63z4D lEKE3WMAYwdWUgWjWzduIkGmqk8YoGo/xfaG8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=rqNAXILbq5SdqDSaGHVaFk0PGwdgENXUDvC9Ys09jck=; b=j5ZQ3hiAQ0eOEnvi5CeW5qQ5PBy416CCObLONiGXyo8HVboPXdMPqIAHsubCF57MKS SaU22+6WpB56yknH2CSD3Ml2AHRJVTPVtlcRUVK/1u8wZynO4Zpdm4ewsNwXKhTKFm3P PC4B9qYyZNqN1Q2VxVfF7cPleBhqDjOWbL1FoM5fFRwtlCP42+Pcm04J2eUnzPYNl9h6 2VPy9FT20WL3m5xnZu658aZGE4n66eHPjurhoJqg1eKM2UFF1WZihYWTHJtyCpIqns8Y CIL9DIXIDhEqeeNFU+ezuEujQQTSuGrhIwpClU3wBBReH7YvGmcdg6BzP2KvDfpm5XsQ Teqw== X-Gm-Message-State: AOAM530W4NNkwZAbb+GEiZFQTt4m+KtlJ/mT25fuJJ6zXsdnFthAPY7j 7keiL+N/XCiOtu9zU2jJK6nMnw== X-Google-Smtp-Source: ABdhPJwPgMT5sUA/OqOY1dqHeF0OOxifMXzdlo82hzod49OOEDyL+6lBaAOwhtOZbXHYExr/Lh2DKQ== X-Received: by 2002:a65:494e:: with SMTP id q14mr17362592pgs.314.1629443415061; Fri, 20 Aug 2021 00:10:15 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id y5sm6452135pgs.27.2021.08.20.00.10.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Aug 2021 00:10:13 -0700 (PDT) From: Kees Cook To: kernel-team@lists.ubuntu.com Subject: [PATCH 4/4] UBUNTU: [Config] Enable CONFIG_UBSAN_BOUNDS Date: Fri, 20 Aug 2021 00:10:02 -0700 Message-Id: <20210820071002.3560053-5-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210820071002.3560053-1-keescook@chromium.org> References: <20210820071002.3560053-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3750; h=from:subject; bh=8wQ8Gkq50B+G4pcYJKNidftgxmZ6HcD5fXgEzxXV8is=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBhH1VJ71oBvEKoob8jg/1cUcsrR1r4EX9FXL1KTYQW +E5dMMKJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYR9VSQAKCRCJcvTf3G3AJqiZD/ 9rlkdq8mQuSipT0ACN+U7OVDnCgtWDF1i+1fNKwWEkO/6E4O09Orsabc2EPxQ6RqS4Ii//yvFSLwqd 6+QqYR6CzjFPRMkbUnCaG/H7XJ5Cmbto8LRz/h2zLbLTbUrp2kKX+RfjvnmWTYYtUDSZapr+1XOpR8 bjo4yzde00Sq8dl5lgBKY0XoBetZdnXIIa5I8yb4ZgUOhqqaE+9aiaMH/3L1mEfimrNDeJWVO8Rt5o VnEsBWLZFjaLa5F5MSfMaQzgIqRyYPrFo7IeSr+gjvk6Fkb+SULrtIHFf0YaJ2sYPFNWLxDnpYhc7V pRynCaCdve5vrpVRGAskStbYv4Gf/NEQsnsdSZBHwNQ1zBmoZAB5uNCpSrRZJEy1ayQ3gEV6QM4HGy MUfdi8ghubM7ghUIFZyP3deiYW5GSE5VesmUTkVGrwKgRrJCIm2o4EhNBXrgumkc5T6r21f16nimig 3LO7axGFZnVI6/rmK6xu2mPDhnKun/0xPilTtVJWit3MYds0FkhTSW/14lsxDN42kzpN9gm6B7B25s ku27lxEIFy3EchY+tebTiMpJzjU9CvNH8FMu0jyVq7MNr11syzri8o+bSRtS9Ni3WNmCu/5fWpVjEy hdOIlnGXd0MUI3R+sgNQf/DgR+R2he5S4ycJYrnXXOloaP37hd15ZNt7NAWQ== X-Developer-Key: i=kees@ubuntu.com; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: ubuntu-hardened@lists.ubuntu.com, Kees Cook Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Kees Cook This enables run-time array index bounds checking for arrays with compile-time known sizes. This catches some potentially serious issues at run-time with nearly zero performance impact. Syzkaller is still catching bugs with this. (See "array-index-out-of-bounds" reports at https://syzkaller.appspot.com/upstream) Using UBSAN_TRAP=y has nearly no impact on image size, though it makes caught conditions much less verbose. BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1914685 Signed-off-by: Kees Cook --- debian.master/config/annotations | 12 +++++++++++- debian.master/config/config.common.ubuntu | 12 +++++++++++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 0c2d17076442..40f7743daf91 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -11409,7 +11409,17 @@ CONFIG_KDB_KEYBOARD policy<{'amd64': 'y', 'arm64': ' CONFIG_KDB_CONTINUE_CATASTROPHIC policy<{'amd64': '0', 'arm64': '0', 'armhf': '0', 'ppc64el': '0'}> # Menu: Kernel hacking >> Generic Kernel Debugging Instruments >> Undefined behaviour sanity checker -CONFIG_UBSAN policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> +CONFIG_UBSAN policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> +CONFIG_UBSAN_TRAP policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> +CONFIG_UBSAN_BOUNDS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> +CONFIG_UBSAN_SHIFT policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}> +CONFIG_UBSAN_DIV_ZERO policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}> +CONFIG_UBSAN_UNREACHABLE policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}> +CONFIG_UBSAN_OBJECT_SIZE policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}> +CONFIG_UBSAN_BOOL policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}> +CONFIG_UBSAN_ENUM policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}> +CONFIG_UBSAN_ALIGNMENT policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}> +CONFIG_UBSAN_SANITIZE_ALL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> # Menu: Kernel hacking >> Kernel Testing and Coverage CONFIG_MEMTEST policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 8bbd7d7a8d1d..e9396bd41b81 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -11219,7 +11219,17 @@ CONFIG_UBIFS_FS_SECURITY=y CONFIG_UBIFS_FS_XATTR=y CONFIG_UBIFS_FS_ZLIB=y CONFIG_UBIFS_FS_ZSTD=y -# CONFIG_UBSAN is not set +CONFIG_UBSAN=y +CONFIG_UBSAN_TRAP=y +CONFIG_UBSAN_BOUNDS=y +# CONFIG_UBSAN_SHIFT is not set +# CONFIG_UBSAN_DIV_ZERO is not set +# CONFIG_UBSAN_UNREACHABLE is not set +# CONFIG_UBSAN_OBJECT_SIZE is not set +# CONFIG_UBSAN_BOOL is not set +# CONFIG_UBSAN_ENUM is not set +# CONFIG_UBSAN_ALIGNMENT is not set +CONFIG_UBSAN_SANITIZE_ALL=y CONFIG_UBUNTU_HOST=m CONFIG_UBUNTU_ODM_DRIVERS=y CONFIG_UCB1400_CORE=m