hardening fixes for v6.10-rc1
- loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module decompression (Stephen Boyd) - ubsan: Restore dependency on ARCH_HAS_UBSAN - kunit/fortify: Fix memcmp() test to be amplitude agnostic -----BEGIN PGP SIGNATURE----- iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAmZP0w0WHGtlZXNjb29r QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJqYDEACWaY0Xjig6Izo+B+85IozTLf2R Wv3zlOjUhjbRn7enzhVBRRfU216nl/wp8s7pKhNYCEZ7gJ+04hYtZoLY6YV7jtZ0 RAvpwc1dmUm7RZIBxjnzqiNTdttNBniPDE47goV0Yi9JVSDFY1Y/P5GwiAr0PO6W kt1+WBr2zADNpTZziH8MZou7jfK+y1bOZw8rUUFMODrMc0buuLGO2h+lZqASJXNs 5NHPUOoJsZHvQxN/YSyE555VycpoyWiwMvA1XOz1NVKdr1eFP1heu88AnIRKOD7o cMz6W/yUZ+4dYr2yydDGNX+QvFmZuvPz0oXAlI7BAblpT0UU7xv0jaioAhIam87U WxVQSOgkLQBw6Ym79W66HplizCVfEl9aUAYDSK5UJlwdpNE/j16XLYDLKxDi0wUZ pjUy5CF0X7FFNyY7Kp5flqzKrQG31vfqZf/yWhtWu258x604LR6CTkO06IJDINx0 UUrbehie3bGnbu5FS0oVKGH37Mq0aRn4Xk2aUZaFf1Vz/YtU4Wo3FbtyOyFZsdpl aCNyYzmNmfVijDQlLshy6HBACeLPV2DjIJ8pcC74abUV1FX6VOvIDsTy4ELkm9BF WZ8LNryo79lFsFMThhwfCDHubhXoaLjkl4rpOB5x+Ld0q+GgfIb5jMfF507YxrRj 3KxJJKXzUKNf+JFnjg== =VTTF -----END PGP SIGNATURE----- Merge tag 'hardening-v6.10-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull hardening fixes from Kees Cook: - loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module decompression (Stephen Boyd) - ubsan: Restore dependency on ARCH_HAS_UBSAN - kunit/fortify: Fix memcmp() test to be amplitude agnostic * tag 'hardening-v6.10-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: kunit/fortify: Fix memcmp() test to be amplitude agnostic ubsan: Restore dependency on ARCH_HAS_UBSAN loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module decompression
This commit is contained in:
commit
b0a9ba13ff
|
@ -4,6 +4,7 @@ config ARCH_HAS_UBSAN
|
|||
|
||||
menuconfig UBSAN
|
||||
bool "Undefined behaviour sanity checker"
|
||||
depends on ARCH_HAS_UBSAN
|
||||
help
|
||||
This option enables the Undefined Behaviour sanity checker.
|
||||
Compile-time instrumentation is used to detect various undefined
|
||||
|
|
|
@ -990,7 +990,7 @@ static void fortify_test_memcmp(struct kunit *test)
|
|||
KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len), 0);
|
||||
KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
|
||||
/* Still in bounds, but no longer matching. */
|
||||
KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len + 1), -32);
|
||||
KUNIT_ASSERT_LT(test, memcmp(one, two, one_len + 1), 0);
|
||||
KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
|
||||
|
||||
/* Catch too-large ranges. */
|
||||
|
|
|
@ -14,6 +14,9 @@ config SECURITY_LOADPIN
|
|||
config SECURITY_LOADPIN_ENFORCE
|
||||
bool "Enforce LoadPin at boot"
|
||||
depends on SECURITY_LOADPIN
|
||||
# Module compression breaks LoadPin unless modules are decompressed in
|
||||
# the kernel.
|
||||
depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)
|
||||
help
|
||||
If selected, LoadPin will enforce pinning at boot. If not
|
||||
selected, it can be enabled at boot with the kernel parameter
|
||||
|
|
Loading…
Reference in New Issue