forked from Minki/linux
d0989d01c6
Various fixes across several hardening areas:
- loadpin: Fix verity target enforcement (Matthias Kaehlcke).
- zero-call-used-regs: Add missing clobbers in paravirt (Bill Wendling).
- CFI: clean up sparc function pointer type mismatches (Bart Van Assche).
- Clang: Adjust compiler flag detection for various Clang changes (Sami
Tolvanen, Kees Cook).
- fortify: Fix warnings in arch-specific code in sh, ARM, and xen.
Improvements to existing features:
- testing: improve overflow KUnit test, introduce fortify KUnit test,
add more coverage to LKDTM tests (Bart Van Assche, Kees Cook).
- overflow: Relax overflow type checking for wider utility.
New features:
- string: Introduce strtomem() and strtomem_pad() to fill a gap in
strncpy() replacement needs.
- um: Enable FORTIFY_SOURCE support.
- fortify: Enable run-time struct member memcpy() overflow warning.
-----BEGIN PGP SIGNATURE-----
iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAmM4chcWHGtlZXNjb29r
QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJvq1D/9uKU03RozAOnzhi4gcgRnHZSAK
oOQOkPwnkUgFU0yOnMkNYOZ7njLnM+CjCN3RJ9SSpD2lrQ23PwLeThAuOzy0brPO
0iAksIztSF3e5tAyFjtFkjswrY8MSv/TkF0WttTOSOj3lCUcwatF0FBkclCOXtwu
ILXfG7K8E17r/wsUejN+oMAI42ih/YeVQAZpKRymEEJsK+Lly7OT4uu3fdFWVb1P
M77eRLI2Vg1eSgMVwv6XdwGakpUdwsboK7do0GGX+JOrhayJoCfY2IpwyPz9ciel
jsp9OQs8NrlPJMa2sQ7LDl+b5EQl/MtggX3JlQEbLs2LV7gDtYgAWNo6vxCT5Lvd
zB7TZqIR3lrVjbtw4FAKQ+41bS4VOajk2NB3Mkiy5AfivB+6zKF+P56a+xSoNhOl
iktpjCEP7bp4oxmTMXpOfmywjh/ZsyoMhQ2ABP7S+JZ5rHUndpPAjjuBetIcHxX2
28Wlr4aFIF9ff9caasg4sMYXcQMGnuLUlUKngceUbd1umZZRNZ1gaIxYpm9poefm
qd/lvTIvzn9V8IB8wHVmvafbvDbV88A+2bKJdSUDA352Dt9PvqT7yI0dmbMNliGL
os+iLPW6Y6x38BxhXax0HR9FEhO3Eq7kLdNdc4J29NvISg8HHaifwNrG41lNwaWL
cuc6IAjLxiRk3NsUpg==
=HZ6+
-----END PGP SIGNATURE-----
Merge tag 'hardening-v6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull kernel hardening updates from Kees Cook:
"Most of the collected changes here are fixes across the tree for
various hardening features (details noted below).
The most notable new feature here is the addition of the memcpy()
overflow warning (under CONFIG_FORTIFY_SOURCE), which is the next step
on the path to killing the common class of "trivially detectable"
buffer overflow conditions (i.e. on arrays with sizes known at compile
time) that have resulted in many exploitable vulnerabilities over the
years (e.g. BleedingTooth).
This feature is expected to still have some undiscovered false
positives. It's been in -next for a full development cycle and all the
reported false positives have been fixed in their respective trees.
All the known-bad code patterns we could find with Coccinelle are also
either fixed in their respective trees or in flight.
The commit message in commit 54d9469bc5 ("fortify: Add run-time WARN
for cross-field memcpy()") for the feature has extensive details, but
I'll repeat here that this is a warning _only_, and is not intended to
actually block overflows (yet). The many patches fixing array sizes
and struct members have been landing for several years now, and we're
finally able to turn this on to find any remaining stragglers.
Summary:
Various fixes across several hardening areas:
- loadpin: Fix verity target enforcement (Matthias Kaehlcke).
- zero-call-used-regs: Add missing clobbers in paravirt (Bill
Wendling).
- CFI: clean up sparc function pointer type mismatches (Bart Van
Assche).
- Clang: Adjust compiler flag detection for various Clang changes
(Sami Tolvanen, Kees Cook).
- fortify: Fix warnings in arch-specific code in sh, ARM, and xen.
Improvements to existing features:
- testing: improve overflow KUnit test, introduce fortify KUnit test,
add more coverage to LKDTM tests (Bart Van Assche, Kees Cook).
- overflow: Relax overflow type checking for wider utility.
New features:
- string: Introduce strtomem() and strtomem_pad() to fill a gap in
strncpy() replacement needs.
- um: Enable FORTIFY_SOURCE support.
- fortify: Enable run-time struct member memcpy() overflow warning"
* tag 'hardening-v6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: (27 commits)
Makefile.extrawarn: Move -Wcast-function-type-strict to W=1
hardening: Remove Clang's enable flag for -ftrivial-auto-var-init=zero
sparc: Unbreak the build
x86/paravirt: add extra clobbers with ZERO_CALL_USED_REGS enabled
x86/paravirt: clean up typos and grammaros
fortify: Convert to struct vs member helpers
fortify: Explicitly check bounds are compile-time constants
x86/entry: Work around Clang __bdos() bug
ARM: decompressor: Include .data.rel.ro.local
fortify: Adjust KUnit test for modular build
sh: machvec: Use char[] for section boundaries
kunit/memcpy: Avoid pathological compile-time string size
lib: Improve the is_signed_type() kunit test
LoadPin: Require file with verity root digests to have a header
dm: verity-loadpin: Only trust verity targets with enforcement
LoadPin: Fix Kconfig doc about format of file with verity digests
um: Enable FORTIFY_SOURCE
lkdtm: Update tests for memcpy() run-time warnings
fortify: Add run-time WARN for cross-field memcpy()
fortify: Use SIZE_MAX instead of (size_t)-1
...
118 lines
3.5 KiB
Makefile
118 lines
3.5 KiB
Makefile
# SPDX-License-Identifier: GPL-2.0
|
|
# ==========================================================================
|
|
# make W=... settings
|
|
#
|
|
# There are four warning groups enabled by W=1, W=2, W=3, and W=e
|
|
# They are independent, and can be combined like W=12 or W=123e.
|
|
# ==========================================================================
|
|
|
|
KBUILD_CFLAGS += $(call cc-disable-warning, packed-not-aligned)
|
|
|
|
# backward compatibility
|
|
KBUILD_EXTRA_WARN ?= $(KBUILD_ENABLE_EXTRA_GCC_CHECKS)
|
|
|
|
ifeq ("$(origin W)", "command line")
|
|
KBUILD_EXTRA_WARN := $(W)
|
|
endif
|
|
|
|
export KBUILD_EXTRA_WARN
|
|
|
|
#
|
|
# W=1 - warnings which may be relevant and do not occur too often
|
|
#
|
|
ifneq ($(findstring 1, $(KBUILD_EXTRA_WARN)),)
|
|
|
|
KBUILD_CFLAGS += -Wextra -Wunused -Wno-unused-parameter
|
|
KBUILD_CFLAGS += -Wmissing-declarations
|
|
KBUILD_CFLAGS += -Wmissing-format-attribute
|
|
KBUILD_CFLAGS += -Wmissing-prototypes
|
|
KBUILD_CFLAGS += -Wold-style-definition
|
|
KBUILD_CFLAGS += -Wmissing-include-dirs
|
|
KBUILD_CFLAGS += $(call cc-option, -Wunused-but-set-variable)
|
|
KBUILD_CFLAGS += $(call cc-option, -Wunused-const-variable)
|
|
KBUILD_CFLAGS += $(call cc-option, -Wpacked-not-aligned)
|
|
KBUILD_CFLAGS += $(call cc-option, -Wstringop-truncation)
|
|
# The following turn off the warnings enabled by -Wextra
|
|
KBUILD_CFLAGS += -Wno-missing-field-initializers
|
|
KBUILD_CFLAGS += -Wno-sign-compare
|
|
KBUILD_CFLAGS += -Wno-type-limits
|
|
KBUILD_CFLAGS += -Wno-shift-negative-value
|
|
|
|
KBUILD_CPPFLAGS += -DKBUILD_EXTRA_WARN1
|
|
|
|
else
|
|
|
|
# Some diagnostics enabled by default are noisy.
|
|
# Suppress them by using -Wno... except for W=1.
|
|
|
|
ifdef CONFIG_CC_IS_CLANG
|
|
KBUILD_CFLAGS += -Wno-initializer-overrides
|
|
# Clang before clang-16 would warn on default argument promotions.
|
|
ifeq ($(shell [ $(CONFIG_CLANG_VERSION) -lt 160000 ] && echo y),y)
|
|
# Disable -Wformat
|
|
KBUILD_CFLAGS += -Wno-format
|
|
# Then re-enable flags that were part of the -Wformat group that aren't
|
|
# problematic.
|
|
KBUILD_CFLAGS += -Wformat-extra-args -Wformat-invalid-specifier
|
|
KBUILD_CFLAGS += -Wformat-zero-length -Wnonnull
|
|
# Requires clang-12+.
|
|
ifeq ($(shell [ $(CONFIG_CLANG_VERSION) -ge 120000 ] && echo y),y)
|
|
KBUILD_CFLAGS += -Wformat-insufficient-args
|
|
endif
|
|
endif
|
|
KBUILD_CFLAGS += -Wno-sign-compare
|
|
KBUILD_CFLAGS += $(call cc-disable-warning, pointer-to-enum-cast)
|
|
KBUILD_CFLAGS += -Wno-tautological-constant-out-of-range-compare
|
|
KBUILD_CFLAGS += $(call cc-disable-warning, unaligned-access)
|
|
KBUILD_CFLAGS += $(call cc-disable-warning, cast-function-type-strict)
|
|
endif
|
|
|
|
endif
|
|
|
|
#
|
|
# W=2 - warnings which occur quite often but may still be relevant
|
|
#
|
|
ifneq ($(findstring 2, $(KBUILD_EXTRA_WARN)),)
|
|
|
|
KBUILD_CFLAGS += -Wdisabled-optimization
|
|
KBUILD_CFLAGS += -Wshadow
|
|
KBUILD_CFLAGS += $(call cc-option, -Wlogical-op)
|
|
KBUILD_CFLAGS += -Wmissing-field-initializers
|
|
KBUILD_CFLAGS += -Wtype-limits
|
|
KBUILD_CFLAGS += $(call cc-option, -Wmaybe-uninitialized)
|
|
KBUILD_CFLAGS += $(call cc-option, -Wunused-macros)
|
|
|
|
KBUILD_CPPFLAGS += -DKBUILD_EXTRA_WARN2
|
|
|
|
endif
|
|
|
|
#
|
|
# W=3 - more obscure warnings, can most likely be ignored
|
|
#
|
|
ifneq ($(findstring 3, $(KBUILD_EXTRA_WARN)),)
|
|
|
|
KBUILD_CFLAGS += -Wbad-function-cast
|
|
KBUILD_CFLAGS += -Wcast-align
|
|
KBUILD_CFLAGS += -Wcast-qual
|
|
KBUILD_CFLAGS += -Wconversion
|
|
KBUILD_CFLAGS += -Wpacked
|
|
KBUILD_CFLAGS += -Wpadded
|
|
KBUILD_CFLAGS += -Wpointer-arith
|
|
KBUILD_CFLAGS += -Wredundant-decls
|
|
KBUILD_CFLAGS += -Wsign-compare
|
|
KBUILD_CFLAGS += -Wswitch-default
|
|
KBUILD_CFLAGS += $(call cc-option, -Wpacked-bitfield-compat)
|
|
|
|
KBUILD_CPPFLAGS += -DKBUILD_EXTRA_WARN3
|
|
|
|
endif
|
|
|
|
#
|
|
# W=e - error out on warnings
|
|
#
|
|
ifneq ($(findstring e, $(KBUILD_EXTRA_WARN)),)
|
|
|
|
KBUILD_CFLAGS += -Werror
|
|
|
|
endif
|