diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2024-05-24 08:33:44 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2024-05-24 08:33:44 -0700 |
| commit | b0a9ba13ffdb9591d468d84f26ec2cefdd7625b4 (patch) | |
| tree | 1d07c5f00a65ffdc626079a5dcca9c031cfd8527 | |
| parent | 0eb03c7e8e2a4cc3653eb5eeb2d2001182071215 (diff) | |
| parent | ae1a863bcdbd6ea2abc93519a82ab5d715d5dcbc (diff) | |
Merge tag 'hardening-v6.10-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull hardening fixes from Kees Cook:
- loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module
decompression (Stephen Boyd)
- ubsan: Restore dependency on ARCH_HAS_UBSAN
- kunit/fortify: Fix memcmp() test to be amplitude agnostic
* tag 'hardening-v6.10-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
kunit/fortify: Fix memcmp() test to be amplitude agnostic
ubsan: Restore dependency on ARCH_HAS_UBSAN
loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module decompression
| -rw-r--r-- | lib/Kconfig.ubsan | 1 | ||||
| -rw-r--r-- | lib/fortify_kunit.c | 2 | ||||
| -rw-r--r-- | security/loadpin/Kconfig | 3 |
3 files changed, 5 insertions, 1 deletions
diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index e81e1ac4a919..bdda600f8dfb 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -4,6 +4,7 @@ config ARCH_HAS_UBSAN menuconfig UBSAN bool "Undefined behaviour sanity checker" + depends on ARCH_HAS_UBSAN help This option enables the Undefined Behaviour sanity checker. Compile-time instrumentation is used to detect various undefined diff --git a/lib/fortify_kunit.c b/lib/fortify_kunit.c index d2377e00caab..39da5b3bc649 100644 --- a/lib/fortify_kunit.c +++ b/lib/fortify_kunit.c @@ -990,7 +990,7 @@ static void fortify_test_memcmp(struct kunit *test) KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len), 0); KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); /* Still in bounds, but no longer matching. */ - KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len + 1), -32); + KUNIT_ASSERT_LT(test, memcmp(one, two, one_len + 1), 0); KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); /* Catch too-large ranges. */ diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig index 6724eaba3d36..848f8b4a6019 100644 --- a/security/loadpin/Kconfig +++ b/security/loadpin/Kconfig @@ -14,6 +14,9 @@ config SECURITY_LOADPIN config SECURITY_LOADPIN_ENFORCE bool "Enforce LoadPin at boot" depends on SECURITY_LOADPIN + # Module compression breaks LoadPin unless modules are decompressed in + # the kernel. + depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS) help If selected, LoadPin will enforce pinning at boot. If not selected, it can be enabled at boot with the kernel parameter |