Commits · 78a91671d5e78c3f5d4a9501089bda0475cf9e64 · fact-depend / kernel-hardening-checker

23 Sep, 2021 1 commit
- Update the README · 78a91671
```
Ready for the release 0.5.14.
```
  Alexander Popov authored Sep 23, 2021
  78a91671 Browse Files
22 Sep, 2021 1 commit
- Move 'self_protection' & 'maintainer' higher · 98476021
  Alexander Popov authored Sep 22, 2021
  
  98476021 Browse Files
21 Sep, 2021 4 commits
- Add HARDENED_USERCOPY_PAGESPAN check from KSPP · 3da1225a
  Alexander Popov authored Sep 21, 2021
  
  3da1225a Browse Files
- Add comments about the maintainer recommendations · 5a149f0d
```
Refers to #53
```
  Alexander Popov authored Sep 21, 2021
  5a149f0d Browse Files
- Fix UBSAN_BOUNDS recommendations · 173e65ef
```
Thanks to @kees and @equaeghe

Refers to #53
```
  Alexander Popov authored Sep 21, 2021
  173e65ef Browse Files
- RANDOMIZE_KSTACK_OFFSET_DEFAULT is recommended by KSPP · aa44db62
```
Thanks to @anthraxx
```
  Alexander Popov authored Sep 21, 2021
  aa44db62 Browse Files
16 Sep, 2021 2 commits
- Update the KSPP recommendations · 6d0bc7d9
  Alexander Popov authored Sep 16, 2021
  
  6d0bc7d9 Browse Files
- Add defconfigs for Linux v5.14 · 4852f766
  Alexander Popov authored Sep 16, 2021
  
  4852f766 Browse Files
10 Sep, 2021 3 commits

Merge pull request #54 from evdenis/master · af01432f
```
Recommend disabling CONFIG_BLK_DEV_FD ( thanks to @evdenis )
```
Alexander Popov authored Sep 11, 2021
af01432f Browse Files

Floppy driver was written many years ago. It was designed to
work in a single-threaded environment (many global variables)
and to work on real hardware which has significant delays
(floppy drives are slow). Nowadays, when we use virtual
devices (which are fast) and multi-core cpus, floppy driver
shows its problems including deadlocking/livelocking and
other security-related issues. However, we can't just
rewrite it because lack of real hardware and compatibility
with existing userspace tools, many of which rely on
undocumented driver behavior.

Here are some CVEs related to floppy driver:
 - CVE-2014-1737 privileges escalation in FDRAWCMD ioctl
 - CVE-2014-1738 info leak from kernel heap in FDRAWCMD ioctl
 - CVE-2018-7755 kernel pointer lead in FDGETPRM ioctl
 - CVE-2019-14283 integer overflow and out-of-bounds read in set_geometry
 - CVE-2019-14284 denial of service in setup_format_params
 - CVE-2020-9383 out-of-bounds read in set_fdc
 - CVE-2021-20261 race condition in floppy_revalidate,
   floppy_check_events

As pointed by Linus [1]:
> The only users are virtualization, and even they are going away
> because floppies are so small, and other things have become more
> standard anyway (ie USB disk) or easier to emulate (NVMe or whatever).
> So I suspect the only reason floppy is used even in that area is just
> legacy "we haven't bothered updating to anything better and we have
> old scripts and images that work".

CONFIG_BLK_DEV_FD is not enabled in defconfig on x86_64.
Many distros already require root access for /dev/fd0.
However, qemu (5.2.0) still enables floppy device by default.

[1] https://lore.kernel.org/all/CAHk-=whFAAV_TOLFNnj=wu4mD2L9OvgB6n2sKDdmd8buMKFv8A@mail.gmail.com/

authored Sep 10, 2021

17d70c52 Browse Files

Add RANDOMIZE_KSTACK_OFFSET_DEFAULT · b54dca6a
```
This refers to the pull request #52.

Thanks to Levente Polyak aka @anthraxx.
```
Alexander Popov authored Aug 20, 2021
b54dca6a Browse Files

29 Aug, 2021 2 commits
- Add CFI_CLANG · 4dc94be8
  Alexander Popov authored Aug 30, 2021
  
  4dc94be8 Browse Files
- Add ARM64_EPAN · 264b0f6d
  Alexander Popov authored Aug 20, 2021
  
  264b0f6d Browse Files
20 Aug, 2021 2 commits
- Merge pull request #51 from Hacks4Snacks/master · 57379d8c
```
Added the CBL-Mariner kernel configuration file.
```
  Alexander Popov authored Aug 20, 2021
  57379d8c Browse Files
- Added Linux/x86_64 kernel config link for CBL-Mariner · a5686b11
  Mark D. Gray authored Aug 20, 2021
  
  a5686b11 Browse Files
19 Aug, 2021 1 commit
- Added cbl-mariner kernel configuration file. · fb55e4c8
  Mark D. Gray authored Aug 19, 2021
  
  fb55e4c8 Browse Files
14 Aug, 2021 2 commits
- Add hardware tag-based KASAN with arm64 Memory Tagging Extension · 38bde65d
  Alexander Popov authored Aug 14, 2021
  
  38bde65d Browse Files
- Add the command line parameters that should NOT be set · 2b5bf354
  Alexander Popov authored Aug 14, 2021
  
  2b5bf354 Browse Files
08 Aug, 2021 2 commits

Document the changes of vm.unprivileged_userfaultfd in v5.11 · b7d33ca9

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=37cd0575b8510159992d279c530c05f872990b02
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d0d4730ac2e404a5b0da9a87ef38c73e51cb1664

authored Aug 09, 2021

b7d33ca9 Browse Files

Add the news about PAGE_POISONING · 4f2124b5

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f289041ed4cf9a3f6e8a32068fef9ffb2acc5662
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f424750baaafcef229791882e879da01c9473b5

authored Aug 08, 2021

4f2124b5 Browse Files

02 Jul, 2021 1 commit
- Improve wording · 5e4fba66
  Alexander Popov authored Jul 02, 2021
  
  5e4fba66 Browse Files
19 Jun, 2021 14 commits
- Update the README. · f5277e58
```
Ready for the release 0.5.10.
```
  Alexander Popov authored Jun 19, 2021
  f5277e58 Browse Files
- Fix pylint warning · 68622ad2
  Alexander Popov authored Jun 19, 2021
  
  68622ad2 Browse Files
- Remember that SHADOW_CALL_STACK depends on clang · 25cb2389
  Alexander Popov authored Jun 19, 2021
  
  25cb2389 Browse Files
- STACKPROTECTOR_PER_TASK is also available for ARM64 · 31767839
  Alexander Popov authored Jun 19, 2021
  
  31767839 Browse Files
- INTEL_IOMMU_SVM is available only for X86_64 · f8b12633
  Alexander Popov authored Jun 19, 2021
  
  f8b12633 Browse Files
- Reorder arch checks · 3b2a9440
  Alexander Popov authored Jun 19, 2021
  
  3b2a9440 Browse Files
- SECURITY_DMESG_RESTRICT is recommended by KSPP now · d1a8bb6a
  Alexander Popov authored Jun 19, 2021
  
  d1a8bb6a Browse Files
- Think about kptr_restrict later (KSPP recommends to set it to 1) · a486a640
  Alexander Popov authored Jun 19, 2021
  
  a486a640 Browse Files
- Mention that nosmt is slow · 361e571e
  Alexander Popov authored Jun 19, 2021
  
  361e571e Browse Files
- More info on init_on_free and init_on_alloc · 495d4374
  Alexander Popov authored Jun 19, 2021
  
  495d4374 Browse Files
- SLUB_DEBUG_ON is very slow, leave it for the kernel command line · 4c4f2527
  Alexander Popov authored Jun 19, 2021
  
  4c4f2527 Browse Files
- Update KSPP recommendations · 29de5cc2
  Alexander Popov authored Jun 19, 2021
  
  29de5cc2 Browse Files
- Add defconfigs for v5.10 · fb4d95bd
```
Made with updated https://github.com/a13xp0p0v/kernel-build-containers

Excellent!
```
  Alexander Popov authored Jun 19, 2021
  fb4d95bd Browse Files
- HARDEN_BRANCH_PREDICTOR for ARM64 is enabled by default since v5.10 · 12d6535d
  Alexander Popov authored Jun 19, 2021
  
  12d6535d Browse Files
18 Jun, 2021 3 commits
- Add ARM64_MTE for userspace · 2bc87b84
  Alexander Popov authored Jun 19, 2021
  
  2bc87b84 Browse Files
- Maybe SHADOW_CALL_STACK should be alternative to STACKPROTECTOR_STRONG · 029bd7f4
  Alexander Popov authored Jun 19, 2021
  
  029bd7f4 Browse Files
- Save 'debugfs=no-mount' for future · ff5a84ba
  Alexander Popov authored Jun 18, 2021
  
  ff5a84ba Browse Files
30 Oct, 2020 2 commits
- Update the README. · 2f8e7a4d
```
Ready for the release 0.5.9.
```
  Alexander Popov authored Oct 30, 2020
  2f8e7a4d Browse Files
- Fix indentation (thanks to pylint) · fbaf5df4
  Alexander Popov authored Oct 30, 2020
  
  fbaf5df4 Browse Files