[GIT PULL] kernel hardening updates for v5.19-rc1

From: Kees Cook
Date: Mon May 23 2022 - 15:29:56 EST


Hi Linus,

Please pull these kernel hardening updates for v5.19-rc1. As hardening
features are now supported by various combinations of native GCC,
native Clang, and GCC plugins, the dependencies don't allow for a clean
separation between a "gcc plugins" tree and a "clang features" tree, and
similarly, the tweaks for the "small" LSMs (e.g. LoadPin) don't really
make sense to carry separately either. So, here is the combined tree,
which I was already heading toward during the last merge window.

Please note there are 2 easy conflicts to deal with, but I wanted to
make sure they were clear and to give some context for why they happened:

1) drivers/misc/lkdtm/stackleak.c
    char-misc
        73f62e60d80c ("lkdtm: Move crashtype definitions into each category")
    hardening:
        f03a50938dec ("lkdtm/stackleak: prevent unexpected stack usage")

73f62e60d80c is a larger refactoring of how all the LKDTM tests are
registered with the LKDTM core, but the stackleak test updates depend on
the arm64 changes, so these came via separate trees. The resolution is
easy; the linux-next notes are here:
https://lore.kernel.org/linux-next/202205091610.4375DD0A@keescook/

2) include/linux/netfs.h
    fscache
        713423282ae1 ("netfs: Fix gcc-12 warning by embedding vfs inode in netfs_i_context")
    hardening
        3b5eed3c71a2 ("netfs: Eliminate Clang randstruct warning")

3b5eed3c71a2 can be entirely dropped in favor of 713423282ae1, which
is the more complete solution, keeping both Clang and GCC happy.
3b5eed3c71a2 was committed before GCC 12 was released and 713423282ae1
was being worked on right up until yesterday, so to keep the commit history
intact and avoid Clang-specific allmodconfig warnings appearing, I kept it
in the hardening tree rather than doing a revert just to avoid the conflict.
The linux-next notes are here:
https://lore.kernel.org/linux-next/20220523205716.4a641c41@xxxxxxxxxxxxxxxx/

Thanks!

-Kees

The following changes since commit a19944809fe9942e6a96292490717904d0690c21:

  Merge tag 'hardening-v5.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux (2022-04-12 14:29:40 -1000)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/kernel-hardening-v5.19-rc1

for you to fetch changes up to ed5edd5a70b9525085403f193786395179ea303d:

  loadpin: stop using bdevname (2022-05-16 16:02:21 -0700)

----------------------------------------------------------------
kernel-hardening updates for v5.19-rc1

- usercopy hardening expanded to check other allocation types
  (Matthew Wilcox, Yuanzheng Song)

- arm64 stackleak behavioral improvements (Mark Rutland)

- arm64 CFI code gen improvement (Sami Tolvanen)

- LoadPin LSM block dev API adjustment (Christoph Hellwig)

- Clang randstruct support (Bill Wendling, Kees Cook)

----------------------------------------------------------------
Bill Wendling (1):
      security: don't treat structure as an array of struct hlist_head

Christoph Hellwig (1):
      loadpin: stop using bdevname

Kees Cook (12):
      netfs: Eliminate Clang randstruct warning
      sancov: Split plugin build from plugin CFLAGS
      randstruct: Reorganize Kconfigs and attribute macros
      randstruct: Split randstruct Makefile and CFLAGS
      randstruct: Move seed generation into scripts/basic/
      randstruct: Enable Clang support
      randomize_kstack: Improve docs on requirements/rationale
      gcc-plugins: Change all version strings match kernel
      big_keys: Use struct for internal payload
      niu: Silence randstruct warnings
      af_unix: Silence randstruct GCC plugin warning
      gcc-plugins: randstruct: Remove cast exception handling

Mark Rutland (14):
      arm64: stackleak: fix current_top_of_stack()
      stackleak: move skip_erasing() check earlier
      stackleak: remove redundant check
      stackleak: rework stack low bound handling
      stackleak: clarify variable names
      stackleak: rework stack high bound handling
      stackleak: rework poison scanning
      lkdtm/stackleak: avoid spurious failure
      lkdtm/stackleak: rework boundary management
      lkdtm/stackleak: prevent unexpected stack usage
      lkdtm/stackleak: check stack boundaries
      stackleak: add on/off stack variants
      arm64: entry: use stackleak_erase_on_task_stack()
      lkdtm/stackleak: fix CONFIG_GCC_PLUGIN_STACKLEAK=n

Matthew Wilcox (Oracle) (4):
      mm/usercopy: Check kmap addresses properly
      mm/usercopy: Detect vmalloc overruns
      mm/usercopy: Detect large folio overruns
      usercopy: Remove HARDENED_USERCOPY_PAGESPAN

Sami Tolvanen (1):
      cfi: Use __builtin_function_start

Yuanzheng Song (1):
      mm: usercopy: move the virt_addr_valid() below the is_vmalloc_addr()

Documentation/dontdiff | 1 +
Documentation/kbuild/reproducible-builds.rst | 8 +-
Makefile | 1 +
arch/Kconfig | 5 +-
arch/arm/vdso/Makefile | 2 +-
arch/arm64/include/asm/compiler.h | 16 ---
arch/arm64/include/asm/processor.h | 10 +-
arch/arm64/kernel/entry.S | 2 +-
arch/arm64/kernel/vdso/Makefile | 3 +-
arch/riscv/Kconfig | 2 +-
arch/sparc/vdso/Makefile | 3 +-
arch/x86/entry/vdso/Makefile | 3 +-
arch/x86/include/asm/highmem.h | 1 +
arch/x86/mm/pti.c | 2 +-
drivers/misc/lkdtm/stackleak.c | 145 ++++++++++++++++++--------
drivers/net/ethernet/sun/niu.c | 41 ++++++--
include/linux/compiler-clang.h | 10 ++
include/linux/compiler-gcc.h | 8 --
include/linux/compiler_types.h | 14 +--
include/linux/highmem-internal.h | 10 ++
include/linux/netfs.h | 4 +-
include/linux/randomize_kstack.h | 27 ++++-
include/linux/stackleak.h | 55 +++++++++-
include/linux/vermagic.h | 10 +-
kernel/panic.c | 2 +-
kernel/stackleak.c | 105 +++++++++++--------
mm/usercopy.c | 91 +++++-----------
net/unix/af_unix.c | 8 +-
scripts/Makefile.gcc-plugins | 22 ++--
scripts/Makefile.randstruct | 17 +++
scripts/basic/.gitignore | 1 +
scripts/basic/Makefile | 11 ++
scripts/gcc-plugins/Kconfig | 38 -------
scripts/gcc-plugins/Makefile | 24 +++--
scripts/gcc-plugins/gen-random-seed.sh | 9 --
scripts/gcc-plugins/latent_entropy_plugin.c | 2 +-
scripts/gcc-plugins/randomize_layout_plugin.c | 89 +---------------
scripts/gcc-plugins/sancov_plugin.c | 2 +-
scripts/gcc-plugins/stackleak_plugin.c | 2 +-
scripts/gcc-plugins/structleak_plugin.c | 2 +-
scripts/gen-randstruct-seed.sh | 7 ++
security/Kconfig | 13 +--
security/Kconfig.hardening | 73 +++++++++++++
security/keys/big_key.c | 73 +++++++------
security/loadpin/loadpin.c | 5 +-
security/security.c | 9 +-
46 files changed, 539 insertions(+), 449 deletions(-)
create mode 100644 scripts/Makefile.randstruct
delete mode 100755 scripts/gcc-plugins/gen-random-seed.sh
create mode 100755 scripts/gen-randstruct-seed.sh

--
Kees Cook