Commit b0a9ba13 authored by Linus Torvalds

Merge tag 'hardening-v6.10-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull hardening fixes from Kees Cook:

 - loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module
   decompression (Stephen Boyd)

 - ubsan: Restore dependency on ARCH_HAS_UBSAN

 - kunit/fortify: Fix memcmp() test to be amplitude agnostic

* tag 'hardening-v6.10-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  kunit/fortify: Fix memcmp() test to be amplitude agnostic
  ubsan: Restore dependency on ARCH_HAS_UBSAN
  loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module decompression
parents 0eb03c7e ae1a863b
+1 −0
@@ -4,6 +4,7 @@ config ARCH_HAS_UBSAN

menuconfig UBSAN
	bool "Undefined behaviour sanity checker"
	depends on ARCH_HAS_UBSAN
	help
	  This option enables the Undefined Behaviour sanity checker.
	  Compile-time instrumentation is used to detect various undefined
+1 −1
@@ -990,7 +990,7 @@ static void fortify_test_memcmp(struct kunit *test)
	KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len), 0);
	KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
	/* Still in bounds, but no longer matching. */
	KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len + 1), -32);
	KUNIT_ASSERT_LT(test, memcmp(one, two, one_len + 1), 0);
	KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);

	/* Catch too-large ranges. */
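Review bot: The `KUNIT_ASSERT_LT(test, memcmp(one, two, one_len + 1), 0)` check carries no comment saying why it tests only the sign, so a later edit could reintroduce an exact-value expectation like the `-32` comparison shown beside it. The C standard specifies only the sign of memcmp()'s result for a mismatch, and the magnitude differs between implementations. I would extend the existing comment to `/* Still in bounds, but no longer matching; memcmp() only guarantees the sign. */`. fortify_test_memcmp() starts and ends outside this hunk.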
+3 −0
@@ -14,6 +14,9 @@ config SECURITY_LOADPIN
config SECURITY_LOADPIN_ENFORCE
	bool "Enforce LoadPin at boot"
	depends on SECURITY_LOADPIN
	# Module compression breaks LoadPin unless modules are decompressed in
	# the kernel.
	depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)
	help
	  If selected, LoadPin will enforce pinning at boot. If not
	  selected, it can be enabled at boot with the kernel parameter
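Review bot: With the new `depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)` line, an existing config that had SECURITY_LOADPIN_ENFORCE=y together with compressed modules and no MODULE_DECOMPRESS will presumably lose the symbol on the next config update without any message, and the help text does not mention the restriction. I would add a sentence to the help text such as `This option is only available when modules are uncompressed or are decompressed in the kernel (MODULE_DECOMPRESS).` The comment above the dependency could also state the reason rather than just "breaks LoadPin"; as far as I can tell it is that modules decompressed in userspace reach the kernel as a memory buffer, not as a file LoadPin can pin. The help text continues outside this hunk.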