From 30aba6656f61ed44cba445a3c0d38b296fa9e8f5 Mon Sep 17 00:00:00 2001 From: Salvatore Mesoraca Date: Thu, 23 Aug 2018 17:00:35 -0700 Subject: namei: allow restricted O_CREAT of FIFOs and regular files Disallows open of FIFOs or regular files not owned by the user in world writable sticky directories, unless the owner is the same as that of the directory or the file is opened without the O_CREAT flag. The purpose is to make data spoofing attacks harder. This protection can be turned on and off separately for FIFOs and regular files via sysctl, just like the symlinks/hardlinks protection. This patch is based on Openwall's "HARDEN_FIFO" feature by Solar Designer. This is a brief list of old vulnerabilities that could have been prevented by this feature, some of them even allow for privilege escalation: CVE-2000-1134 CVE-2007-3852 CVE-2008-0525 CVE-2009-0416 CVE-2011-4834 CVE-2015-1838 CVE-2015-7442 CVE-2016-7489 This list is not meant to be complete. It's difficult to track down all vulnerabilities of this kind because they were often reported without any mention of this particular attack vector. In fact, before hardlinks/symlinks restrictions, fifos/regular files weren't the favorite vehicle to exploit them. [s.mesoraca16@gmail.com: fix bug reported by Dan Carpenter] Link: https://lkml.kernel.org/r/20180426081456.GA7060@mwanda Link: http://lkml.kernel.org/r/1524829819-11275-1-git-send-email-s.mesoraca16@gmail.com [keescook@chromium.org: drop pr_warn_ratelimited() in favor of audit changes in the future] [keescook@chromium.org: adjust commit subjet] Link: http://lkml.kernel.org/r/20180416175918.GA13494@beast Signed-off-by: Salvatore Mesoraca Signed-off-by: Kees Cook Suggested-by: Solar Designer Suggested-by: Kees Cook Cc: Al Viro Cc: Dan Carpenter Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- Documentation/sysctl/fs.txt | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) (limited to 'Documentation') diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt index 6c00c1e2743f..819caf8ca05f 100644 --- a/Documentation/sysctl/fs.txt +++ b/Documentation/sysctl/fs.txt @@ -34,7 +34,9 @@ Currently, these files are in /proc/sys/fs: - overflowgid - pipe-user-pages-hard - pipe-user-pages-soft +- protected_fifos - protected_hardlinks +- protected_regular - protected_symlinks - suid_dumpable - super-max @@ -182,6 +184,24 @@ applied. ============================================================== +protected_fifos: + +The intent of this protection is to avoid unintentional writes to +an attacker-controlled FIFO, where a program expected to create a regular +file. + +When set to "0", writing to FIFOs is unrestricted. + +When set to "1" don't allow O_CREAT open on FIFOs that we don't own +in world writable sticky directories, unless they are owned by the +owner of the directory. + +When set to "2" it also applies to group writable sticky directories. + +This protection is based on the restrictions in Openwall. + +============================================================== + protected_hardlinks: A long-standing class of security issues is the hardlink-based @@ -202,6 +222,22 @@ This protection is based on the restrictions in Openwall and grsecurity. ============================================================== +protected_regular: + +This protection is similar to protected_fifos, but it +avoids writes to an attacker-controlled regular file, where a program +expected to create one. + +When set to "0", writing to regular files is unrestricted. + +When set to "1" don't allow O_CREAT open on regular files that we +don't own in world writable sticky directories, unless they are +owned by the owner of the directory. + +When set to "2" it also applies to group writable sticky directories. + +============================================================== + protected_symlinks: A long-standing class of security issues is the symlink-based -- cgit v1.2.3 From 3cc97bea600372885923a1c270d82523411a4c70 Mon Sep 17 00:00:00 2001 From: Finn Thain Date: Thu, 23 Aug 2018 17:00:52 -0700 Subject: treewide: correct "differenciate" and "instanciate" typos Also add these typos to spelling.txt so checkpatch.pl will look for them. Link: http://lkml.kernel.org/r/88af06b9de34d870cb0afc46cfd24e0458be2575.1529471371.git.fthain@telegraphics.com.au Signed-off-by: Finn Thain Cc: Masahiro Yamada Cc: Joe Perches Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Documentation') diff --git a/Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt b/Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt index 16291f2a4688..bac4afa3b197 100644 --- a/Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt +++ b/Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt @@ -49,7 +49,7 @@ compatible (optional) - standard definition - may contain the following strings: - shared-dma-pool: This indicates a region of memory meant to be used as a shared pool of DMA buffers for a set of devices. It can - be used by an operating system to instanciate the necessary pool + be used by an operating system to instantiate the necessary pool management subsystem if necessary. - vendor specific string in the form ,[-] no-map (optional) - empty property -- cgit v1.2.3 From 7463f650be27887ede138b9c02dd1dcdf86f07d1 Mon Sep 17 00:00:00 2001 From: Mike Rapoport Date: Thu, 23 Aug 2018 17:01:05 -0700 Subject: docs/core-api: kill trailing whitespace in kernel-api.rst Link: http://lkml.kernel.org/r/1532626360-16650-4-git-send-email-rppt@linux.vnet.ibm.com Signed-off-by: Mike Rapoport Reviewed-by: Andrew Morton Cc: Jonathan Corbet Cc: Matthew Wilcox Cc: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- Documentation/core-api/kernel-api.rst | 1 - 1 file changed, 1 deletion(-) (limited to 'Documentation') diff --git a/Documentation/core-api/kernel-api.rst b/Documentation/core-api/kernel-api.rst index 76fe2d0f5e7d..25e94964065f 100644 --- a/Documentation/core-api/kernel-api.rst +++ b/Documentation/core-api/kernel-api.rst @@ -437,4 +437,3 @@ Read-Copy Update (RCU) .. kernel-doc:: include/linux/rcu_sync.h .. kernel-doc:: kernel/rcu/sync.c - -- cgit v1.2.3 From 1595617655f376a3dfa9d5e13ed953effe3476cb Mon Sep 17 00:00:00 2001 From: Mike Rapoport Date: Thu, 23 Aug 2018 17:01:09 -0700 Subject: docs/core-api: move *{str,mem}dup* to "String Manipulation" The string and memory duplication routines fit better to the "String Manipulation" section than to "The SLAB Cache". Link: http://lkml.kernel.org/r/1532626360-16650-5-git-send-email-rppt@linux.vnet.ibm.com Signed-off-by: Mike Rapoport Reviewed-by: Andrew Morton Cc: Jonathan Corbet Cc: Matthew Wilcox Cc: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- Documentation/core-api/kernel-api.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'Documentation') diff --git a/Documentation/core-api/kernel-api.rst b/Documentation/core-api/kernel-api.rst index 25e94964065f..39f1460d2842 100644 --- a/Documentation/core-api/kernel-api.rst +++ b/Documentation/core-api/kernel-api.rst @@ -39,6 +39,10 @@ String Manipulation .. kernel-doc:: lib/string.c :export: +.. kernel-doc:: mm/util.c + :functions: kstrdup kstrdup_const kstrndup kmemdup kmemdup_nul memdup_user + vmemdup_user strndup_user memdup_user_nul + Basic Kernel Library Functions ============================== @@ -168,7 +172,7 @@ The Slab Cache :export: .. kernel-doc:: mm/util.c - :export: + :functions: kfree_const kvmalloc_node kvfree get_user_pages_fast User Space Memory Access ------------------------ -- cgit v1.2.3 From 41f35b395c52c938363d41ff8db6527ff1bd7759 Mon Sep 17 00:00:00 2001 From: Mike Rapoport Date: Thu, 23 Aug 2018 17:01:12 -0700 Subject: docs/core-api: split memory management API to a separate file This is basically copy-paste of the memory management section from kernel-api.rst with some minor adjustments: * The "User Space Memory Access" is moved to the beginning * The get_user_pages_fast reference is now a part of "User Space Memory Access" * And, of course, headings are adjusted with section being promoted to chapters Link: http://lkml.kernel.org/r/1532626360-16650-6-git-send-email-rppt@linux.vnet.ibm.com Signed-off-by: Mike Rapoport Reviewed-by: Andrew Morton Cc: Jonathan Corbet Cc: Matthew Wilcox Cc: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- Documentation/core-api/index.rst | 1 + Documentation/core-api/kernel-api.rst | 54 --------------------------------- Documentation/core-api/mm-api.rst | 57 +++++++++++++++++++++++++++++++++++ 3 files changed, 58 insertions(+), 54 deletions(-) create mode 100644 Documentation/core-api/mm-api.rst (limited to 'Documentation') diff --git a/Documentation/core-api/index.rst b/Documentation/core-api/index.rst index b5379fb740a5..26b735cefb93 100644 --- a/Documentation/core-api/index.rst +++ b/Documentation/core-api/index.rst @@ -27,6 +27,7 @@ Core utilities errseq printk-formats circular-buffers + mm-api gfp_mask-from-fs-io timekeeping boot-time-mm diff --git a/Documentation/core-api/kernel-api.rst b/Documentation/core-api/kernel-api.rst index 39f1460d2842..3431337ee4e6 100644 --- a/Documentation/core-api/kernel-api.rst +++ b/Documentation/core-api/kernel-api.rst @@ -159,60 +159,6 @@ UUID/GUID .. kernel-doc:: lib/uuid.c :export: -Memory Management in Linux -========================== - -The Slab Cache --------------- - -.. kernel-doc:: include/linux/slab.h - :internal: - -.. kernel-doc:: mm/slab.c - :export: - -.. kernel-doc:: mm/util.c - :functions: kfree_const kvmalloc_node kvfree get_user_pages_fast - -User Space Memory Access ------------------------- - -.. kernel-doc:: arch/x86/include/asm/uaccess.h - :internal: - -.. kernel-doc:: arch/x86/lib/usercopy_32.c - :export: - -More Memory Management Functions --------------------------------- - -.. kernel-doc:: mm/readahead.c - :export: - -.. kernel-doc:: mm/filemap.c - :export: - -.. kernel-doc:: mm/memory.c - :export: - -.. kernel-doc:: mm/vmalloc.c - :export: - -.. kernel-doc:: mm/page_alloc.c - :internal: - -.. kernel-doc:: mm/mempool.c - :export: - -.. kernel-doc:: mm/dmapool.c - :export: - -.. kernel-doc:: mm/page-writeback.c - :export: - -.. kernel-doc:: mm/truncate.c - :export: - Kernel IPC facilities ===================== diff --git a/Documentation/core-api/mm-api.rst b/Documentation/core-api/mm-api.rst new file mode 100644 index 000000000000..b5913aad3ae6 --- /dev/null +++ b/Documentation/core-api/mm-api.rst @@ -0,0 +1,57 @@ +====================== +Memory Management APIs +====================== + +User Space Memory Access +======================== + +.. kernel-doc:: arch/x86/include/asm/uaccess.h + :internal: + +.. kernel-doc:: arch/x86/lib/usercopy_32.c + :export: + +.. kernel-doc:: mm/util.c + :functions: get_user_pages_fast + +The Slab Cache +============== + +.. kernel-doc:: include/linux/slab.h + :internal: + +.. kernel-doc:: mm/slab.c + :export: + +.. kernel-doc:: mm/util.c + :functions: kfree_const kvmalloc_node kvfree + +More Memory Management Functions +================================ + +.. kernel-doc:: mm/readahead.c + :export: + +.. kernel-doc:: mm/filemap.c + :export: + +.. kernel-doc:: mm/memory.c + :export: + +.. kernel-doc:: mm/vmalloc.c + :export: + +.. kernel-doc:: mm/page_alloc.c + :internal: + +.. kernel-doc:: mm/mempool.c + :export: + +.. kernel-doc:: mm/dmapool.c + :export: + +.. kernel-doc:: mm/page-writeback.c + :export: + +.. kernel-doc:: mm/truncate.c + :export: -- cgit v1.2.3 From 038a07a5420a59f1291dcf2a506f66335ec1cf9c Mon Sep 17 00:00:00 2001 From: Mike Rapoport Date: Thu, 23 Aug 2018 17:01:19 -0700 Subject: docs/core-api: mm-api: add section about GFP flags Link: http://lkml.kernel.org/r/1532626360-16650-8-git-send-email-rppt@linux.vnet.ibm.com Signed-off-by: Mike Rapoport Reviewed-by: Andrew Morton Cc: Jonathan Corbet Cc: Matthew Wilcox Cc: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- Documentation/core-api/mm-api.rst | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'Documentation') diff --git a/Documentation/core-api/mm-api.rst b/Documentation/core-api/mm-api.rst index b5913aad3ae6..46ae3537fb12 100644 --- a/Documentation/core-api/mm-api.rst +++ b/Documentation/core-api/mm-api.rst @@ -14,6 +14,27 @@ User Space Memory Access .. kernel-doc:: mm/util.c :functions: get_user_pages_fast +Memory Allocation Controls +========================== + +Functions which need to allocate memory often use GFP flags to express +how that memory should be allocated. The GFP acronym stands for "get +free pages", the underlying memory allocation function. Not every GFP +flag is allowed to every function which may allocate memory. Most +users will want to use a plain ``GFP_KERNEL``. + +.. kernel-doc:: include/linux/gfp.h + :doc: Page mobility and placement hints + +.. kernel-doc:: include/linux/gfp.h + :doc: Watermark modifiers + +.. kernel-doc:: include/linux/gfp.h + :doc: Reclaim modifiers + +.. kernel-doc:: include/linux/gfp.h + :doc: Common combinations + The Slab Cache ============== -- cgit v1.2.3 From 3723c63247854c97fe044c12a40e29043e9bbc1b Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Thu, 23 Aug 2018 17:01:26 -0700 Subject: treewide: convert ISO_8859-1 text comments to utf-8 Almost all files in the kernel are either plain text or UTF-8 encoded. A couple however are ISO_8859-1, usually just a few characters in a C comments, for historic reasons. This converts them all to UTF-8 for consistency. Link: http://lkml.kernel.org/r/20180724111600.4158975-1-arnd@arndb.de Signed-off-by: Arnd Bergmann Acked-by: Simon Horman [IPVS portion] Acked-by: Jonathan Cameron [IIO] Acked-by: Michael Ellerman [powerpc] Acked-by: Rob Herring Cc: Joe Perches Cc: Arnd Bergmann Cc: Samuel Ortiz Cc: "David S. Miller" Cc: Rob Herring Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- Documentation/devicetree/bindings/net/nfc/pn544.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Documentation') diff --git a/Documentation/devicetree/bindings/net/nfc/pn544.txt b/Documentation/devicetree/bindings/net/nfc/pn544.txt index 5b937403fed6..92f399ec22b8 100644 --- a/Documentation/devicetree/bindings/net/nfc/pn544.txt +++ b/Documentation/devicetree/bindings/net/nfc/pn544.txt @@ -2,7 +2,7 @@ Required properties: - compatible: Should be "nxp,pn544-i2c". -- clock-frequency: I²C work frequency. +- clock-frequency: I²C work frequency. - reg: address on the bus - interrupts: GPIO interrupt to which the chip is connected - enable-gpios: Output GPIO pin used for enabling/disabling the PN544 -- cgit v1.2.3