* Re: [PATCH 05/64] skbuff: Switch structure bounds to struct_group()
@ 2021-07-27 23:06 kernel test robot
0 siblings, 0 replies; 5+ messages in thread
From: kernel test robot @ 2021-07-27 23:06 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 10123 bytes --]
CC: kbuild-all(a)lists.01.org
In-Reply-To: <20210727205855.411487-6-keescook@chromium.org>
References: <20210727205855.411487-6-keescook@chromium.org>
TO: Kees Cook <keescook@chromium.org>
Hi Kees,
I love your patch! Perhaps something to improve:
[auto build test WARNING on staging/staging-testing]
[also build test WARNING on linus/master v5.14-rc3 next-20210727]
[cannot apply to wireless-drivers-next/master wireless-drivers/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Kees-Cook/Introduce-strict-memcpy-bounds-checking/20210728-053749
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git 39f9137268ee3df0047706df4e9b7357a40ffc98
:::::: branch date: 86 minutes ago
:::::: commit date: 86 minutes ago
config: csky-randconfig-s032-20210727 (attached as .config)
compiler: csky-linux-gcc (GCC) 10.3.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# apt-get install sparse
# sparse version: v0.6.3-341-g8af24329-dirty
# https://github.com/0day-ci/linux/commit/80b83332473f65b5a87310a3c8d61d32f0f1d288
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Kees-Cook/Introduce-strict-memcpy-bounds-checking/20210728-053749
git checkout 80b83332473f65b5a87310a3c8d61d32f0f1d288
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-10.3.0 make.cross C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=csky SHELL=/bin/bash drivers/iio/accel/
If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
sparse warnings: (new ones prefixed by >>)
drivers/iio/accel/mma7455_spi.c: note: in included file (through include/linux/ptp_clock_kernel.h, include/linux/spi/spi.h):
>> include/linux/skbuff.h:813:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:815:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:839:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:841:1: sparse: sparse: directive in macro's argument list
--
drivers/iio/accel/adxl372_spi.c: note: in included file (through include/linux/ptp_clock_kernel.h, include/linux/spi/spi.h):
>> include/linux/skbuff.h:813:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:815:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:839:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:841:1: sparse: sparse: directive in macro's argument list
--
drivers/iio/accel/bmi088-accel-spi.c: note: in included file (through include/linux/ptp_clock_kernel.h, include/linux/spi/spi.h):
>> include/linux/skbuff.h:813:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:815:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:839:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:841:1: sparse: sparse: directive in macro's argument list
--
drivers/iio/accel/adis16201.c: note: in included file (through include/linux/ptp_clock_kernel.h, include/linux/spi/spi.h):
>> include/linux/skbuff.h:813:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:815:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:839:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:841:1: sparse: sparse: directive in macro's argument list
--
drivers/iio/accel/bmc150-accel-spi.c: note: in included file (through include/linux/ptp_clock_kernel.h, include/linux/spi/spi.h):
>> include/linux/skbuff.h:813:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:815:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:839:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:841:1: sparse: sparse: directive in macro's argument list
--
drivers/iio/accel/sca3300.c: note: in included file (through include/linux/ptp_clock_kernel.h, include/linux/spi/spi.h):
>> include/linux/skbuff.h:813:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:815:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:839:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:841:1: sparse: sparse: directive in macro's argument list
--
drivers/iio/accel/st_accel_i2c.c: note: in included file (through include/linux/ptp_clock_kernel.h, include/linux/spi/spi.h, include/linux/iio/common/st_sensors.h, ...):
>> include/linux/skbuff.h:813:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:815:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:839:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:841:1: sparse: sparse: directive in macro's argument list
--
drivers/iio/accel/adxl372.c: note: in included file (through include/linux/ptp_clock_kernel.h, include/linux/spi/spi.h):
>> include/linux/skbuff.h:813:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:815:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:839:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:841:1: sparse: sparse: directive in macro's argument list
--
drivers/iio/accel/st_accel_buffer.c: note: in included file (through include/linux/ptp_clock_kernel.h, include/linux/spi/spi.h, include/linux/iio/common/st_sensors.h):
>> include/linux/skbuff.h:813:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:815:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:839:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:841:1: sparse: sparse: directive in macro's argument list
--
drivers/iio/accel/st_accel_spi.c: note: in included file (through include/linux/ptp_clock_kernel.h, include/linux/spi/spi.h):
>> include/linux/skbuff.h:813:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:815:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:839:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:841:1: sparse: sparse: directive in macro's argument list
--
drivers/iio/accel/st_accel_core.c: note: in included file (through include/linux/ptp_clock_kernel.h, include/linux/spi/spi.h, include/linux/iio/common/st_sensors.h):
>> include/linux/skbuff.h:813:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:815:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:839:1: sparse: sparse: directive in macro's argument list
include/linux/skbuff.h:841:1: sparse: sparse: directive in macro's argument list
vim +813 include/linux/skbuff.h
6a5bcd84e886a9 Ilias Apalodimas 2021-06-07 802
80b83332473f65 Kees Cook 2021-07-27 803 /* Fields enclosed in headers group are copied
b1937227316417 Eric Dumazet 2014-09-28 804 * using a single memcpy() in __copy_skb_header()
b1937227316417 Eric Dumazet 2014-09-28 805 */
80b83332473f65 Kees Cook 2021-07-27 806 struct_group(headers,
ebcf34f3d4be11 Randy Dunlap 2014-10-26 807 /* public: */
4031ae6edb92f7 Alexander Duyck 2012-01-27 808
233577a22089fa Hannes Frederic Sowa 2014-09-12 809 /* if you move pkt_type around you also must adapt those constants */
233577a22089fa Hannes Frederic Sowa 2014-09-12 810 #ifdef __BIG_ENDIAN_BITFIELD
233577a22089fa Hannes Frederic Sowa 2014-09-12 811 #define PKT_TYPE_MAX (7 << 5)
233577a22089fa Hannes Frederic Sowa 2014-09-12 812 #else
233577a22089fa Hannes Frederic Sowa 2014-09-12 @813 #define PKT_TYPE_MAX 7
^1da177e4c3f41 Linus Torvalds 2005-04-16 814 #endif
233577a22089fa Hannes Frederic Sowa 2014-09-12 815 #define PKT_TYPE_OFFSET() offsetof(struct sk_buff, __pkt_type_offset)
fe55f6d5c0cfec Vegard Nossum 2008-08-30 816
d2f273f0a92052 Randy Dunlap 2020-02-15 817 /* private: */
233577a22089fa Hannes Frederic Sowa 2014-09-12 818 __u8 __pkt_type_offset[0];
d2f273f0a92052 Randy Dunlap 2020-02-15 819 /* public: */
b1937227316417 Eric Dumazet 2014-09-28 820 __u8 pkt_type:3;
b1937227316417 Eric Dumazet 2014-09-28 821 __u8 ignore_df:1;
b1937227316417 Eric Dumazet 2014-09-28 822 __u8 nf_trace:1;
b1937227316417 Eric Dumazet 2014-09-28 823 __u8 ip_summed:2;
3853b5841c01a3 Tom Herbert 2010-11-21 824 __u8 ooo_okay:1;
8b7008620b8452 Stefano Brivio 2018-07-11 825
61b905da33ae25 Tom Herbert 2014-03-24 826 __u8 l4_hash:1;
a3b18ddb9cc105 Tom Herbert 2014-07-01 827 __u8 sw_hash:1;
6e3e939f3b1bf8 Johannes Berg 2011-11-09 828 __u8 wifi_acked_valid:1;
6e3e939f3b1bf8 Johannes Berg 2011-11-09 829 __u8 wifi_acked:1;
3bdc0eba0b8b47 Ben Greear 2012-02-11 830 __u8 no_fcs:1;
77cffe23c1f888 Tom Herbert 2014-08-27 831 /* Indicates the inner headers are valid in the skbuff. */
6a674e9c75b17e Joseph Gasparakis 2012-12-07 832 __u8 encapsulation:1;
7e2b10c1e52ca3 Tom Herbert 2014-06-04 833 __u8 encap_hdr_csum:1;
5d0c2b95bc57cf Tom Herbert 2014-06-10 834 __u8 csum_valid:1;
8b7008620b8452 Stefano Brivio 2018-07-11 835
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 34007 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 00/64] Introduce strict memcpy() bounds checking
@ 2021-07-27 20:57 Kees Cook
2021-07-27 20:57 ` Kees Cook
0 siblings, 1 reply; 5+ messages in thread
From: Kees Cook @ 2021-07-27 20:57 UTC (permalink / raw)
To: linux-hardening
Cc: Kees Cook, Gustavo A. R. Silva, Keith Packard,
Greg Kroah-Hartman, Andrew Morton, linux-kernel, linux-wireless,
netdev, dri-devel, linux-staging, linux-block, linux-kbuild,
clang-built-linux
Hi,
This patch series (based on next-20210726) implements stricter (no struct
member overflows) bounds checking for memcpy(), memmove(), and memset()
under CONFIG_FORTIFY_SOURCE. To quote a later patch in the series:
tl;dr: In order to eliminate a large class of common buffer overflow
flaws that continue to persist in the kernel, have memcpy() (under
CONFIG_FORTIFY_SOURCE) perform bounds checking of the destination struct
member when they have a known size. This would have caught all of the
memcpy()-related buffer write overflow flaws identified in at least the
last three years.
As this series introduces various helpers and performs several phases of
treewide cleanups, I'm expecting to carry this series in my tree, so I'd
love to get some Reviews and Acks. Given the size, I've mostly aimed this
series at various mailing lists, otherwise the CC size got really big. :)
Specifically, this series is logically split into several steps:
Clean up remaining simple compile-time memcpy() warnings:
media: omap3isp: Extract struct group for memcpy() region
mac80211: Use flex-array for radiotap header bitmap
rpmsg: glink: Replace strncpy() with strscpy_pad()
Introduce struct_group() and apply it treewide to avoid compile-time
memcpy() warnings:
stddef: Introduce struct_group() helper macro
skbuff: Switch structure bounds to struct_group()
bnxt_en: Use struct_group_attr() for memcpy() region
staging: rtl8192e: Use struct_group() for memcpy() region
staging: rtl8192u: Use struct_group() for memcpy() region
staging: rtl8723bs: Avoid field-overflowing memcpy()
lib80211: Use struct_group() for memcpy() region
net/mlx5e: Avoid field-overflowing memcpy()
mwl8k: Use struct_group() for memcpy() region
libertas: Use struct_group() for memcpy() region
libertas_tf: Use struct_group() for memcpy() region
ipw2x00: Use struct_group() for memcpy() region
thermal: intel: int340x_thermal: Use struct_group() for memcpy() region
iommu/amd: Use struct_group() for memcpy() region
cxgb3: Use struct_group() for memcpy() region
ip: Use struct_group() for memcpy() regions
intersil: Use struct_group() for memcpy() region
cxgb4: Use struct_group() for memcpy() region
bnx2x: Use struct_group() for memcpy() region
drm/amd/pm: Use struct_group() for memcpy() region
staging: wlan-ng: Use struct_group() for memcpy() region
drm/mga/mga_ioc32: Use struct_group() for memcpy() region
net/mlx5e: Use struct_group() for memcpy() region
HID: cp2112: Use struct_group() for memcpy() region
Prepare fortify for additional hardening:
compiler_types.h: Remove __compiletime_object_size()
lib/string: Move helper functions out of string.c
fortify: Move remaining fortify helpers into fortify-string.h
fortify: Explicitly disable Clang support
Add compile-time and run-time tests:
fortify: Add compile-time FORTIFY_SOURCE tests
lib: Introduce CONFIG_TEST_MEMCPY
Enable new compile-time memcpy() and memmove() bounds checking:
fortify: Detect struct member overflows in memcpy() at compile-time
fortify: Detect struct member overflows in memmove() at compile-time
Clean up remaining simple compile-time memset() warnings:
scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp
Introduce memset_after() helper and apply it (and struct_group())
treewide to avoid compile-time memset() warnings:
string.h: Introduce memset_after() for wiping trailing members/padding
xfrm: Use memset_after() to clear padding
mac80211: Use memset_after() to clear tx status
net: 802: Use memset_after() to clear struct fields
net: dccp: Use memset_after() for TP zeroing
net: qede: Use memset_after() for counters
ath11k: Use memset_after() for clearing queue descriptors
iw_cxgb4: Use memset_after() for cpl_t5_pass_accept_rpl
intel_th: msu: Use memset_after() for clearing hw header
IB/mthca: Use memset_after() for clearing mpt_entry
btrfs: Use memset_after() to clear end of struct
drbd: Use struct_group() to zero algs
cm4000_cs: Use struct_group() to zero struct cm4000_dev region
KVM: x86: Use struct_group() to zero decode cache
tracing: Use struct_group() to zero struct trace_iterator
dm integrity: Use struct_group() to zero struct journal_sector
HID: roccat: Use struct_group() to zero kone_mouse_event
ipv6: Use struct_group() to zero rt6_info
RDMA/mlx5: Use struct_group() to zero struct mlx5_ib_mr
ethtool: stats: Use struct_group() to clear all stats at once
netfilter: conntrack: Use struct_group() to zero struct nf_conn
powerpc: Split memset() to avoid multi-field overflow
Enable new compile-time memset() bounds checking:
fortify: Detect struct member overflows in memset() at compile-time
Enable Clang support and global array-bounds checking:
fortify: Work around Clang inlining bugs
Makefile: Enable -Warray-bounds
Avoid run-time memcpy() bounds check warnings:
netlink: Avoid false-positive memcpy() warning
iwlwifi: dbg_ini: Split memcpy() to avoid multi-field write
Enable run-time memcpy() bounds checking:
fortify: Add run-time WARN for cross-field memcpy()
A future series will clean up for and add run-time memset() bounds
checking.
Thanks!
-Kees
Makefile | 1 -
arch/s390/lib/string.c | 3 +
arch/x86/boot/compressed/misc.c | 3 +-
arch/x86/kvm/emulate.c | 3 +-
arch/x86/kvm/kvm_emulate.h | 19 +-
arch/x86/lib/memcpy_32.c | 1 +
arch/x86/lib/string_32.c | 1 +
drivers/block/drbd/drbd_main.c | 3 +-
drivers/block/drbd/drbd_protocol.h | 6 +-
drivers/block/drbd/drbd_receiver.c | 3 +-
drivers/char/pcmcia/cm4000_cs.c | 9 +-
drivers/gpu/drm/amd/include/atomfirmware.h | 9 +-
.../drm/amd/pm/inc/smu11_driver_if_arcturus.h | 3 +-
.../drm/amd/pm/inc/smu11_driver_if_navi10.h | 3 +-
.../amd/pm/inc/smu13_driver_if_aldebaran.h | 3 +-
.../gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 6 +-
.../gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 12 +-
.../drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 6 +-
drivers/gpu/drm/mga/mga_ioc32.c | 30 +-
drivers/hid/hid-cp2112.c | 14 +-
drivers/hid/hid-roccat-kone.c | 2 +-
drivers/hid/hid-roccat-kone.h | 12 +-
drivers/hwtracing/intel_th/msu.c | 4 +-
drivers/infiniband/hw/cxgb4/cm.c | 5 +-
drivers/infiniband/hw/mlx5/mlx5_ib.h | 4 +-
drivers/infiniband/hw/mthca/mthca_mr.c | 3 +-
drivers/iommu/amd/init.c | 9 +-
drivers/macintosh/smu.c | 3 +-
drivers/md/dm-integrity.c | 9 +-
drivers/media/platform/omap3isp/ispstat.c | 5 +-
.../net/ethernet/broadcom/bnx2x/bnx2x_stats.c | 7 +-
.../net/ethernet/broadcom/bnx2x/bnx2x_stats.h | 14 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 4 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.h | 14 +-
drivers/net/ethernet/chelsio/cxgb3/sge.c | 9 +-
drivers/net/ethernet/chelsio/cxgb4/sge.c | 8 +-
drivers/net/ethernet/chelsio/cxgb4/t4_msg.h | 2 +-
drivers/net/ethernet/chelsio/cxgb4/t4fw_api.h | 10 +-
drivers/net/ethernet/chelsio/cxgb4vf/sge.c | 7 +-
drivers/net/ethernet/mellanox/mlx5/core/en.h | 4 +-
.../net/ethernet/mellanox/mlx5/core/en/xdp.c | 4 +-
.../net/ethernet/mellanox/mlx5/core/en_tx.c | 2 +-
drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +-
drivers/net/wireguard/queueing.h | 4 +-
drivers/net/wireless/ath/ath11k/hal_rx.c | 13 +-
drivers/net/wireless/ath/carl9170/tx.c | 4 +-
drivers/net/wireless/intel/ipw2x00/libipw.h | 12 +-
.../net/wireless/intel/ipw2x00/libipw_rx.c | 8 +-
drivers/net/wireless/intel/iwlwifi/fw/file.h | 2 +-
.../net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 3 +-
.../net/wireless/intersil/hostap/hostap_hw.c | 5 +-
.../wireless/intersil/hostap/hostap_wlan.h | 14 +-
drivers/net/wireless/intersil/p54/txrx.c | 4 +-
drivers/net/wireless/marvell/libertas/host.h | 10 +-
drivers/net/wireless/marvell/libertas/tx.c | 5 +-
.../marvell/libertas_tf/libertas_tf.h | 10 +-
.../net/wireless/marvell/libertas_tf/main.c | 3 +-
drivers/net/wireless/marvell/mwl8k.c | 10 +-
drivers/rpmsg/qcom_glink_native.c | 2 +-
drivers/scsi/ibmvscsi/ibmvscsi.c | 2 +-
drivers/staging/rtl8192e/rtllib.h | 20 +-
drivers/staging/rtl8192e/rtllib_crypt_ccmp.c | 3 +-
drivers/staging/rtl8192e/rtllib_rx.c | 8 +-
.../staging/rtl8192u/ieee80211/ieee80211.h | 24 +-
.../rtl8192u/ieee80211/ieee80211_crypt_ccmp.c | 3 +-
.../staging/rtl8192u/ieee80211/ieee80211_rx.c | 8 +-
drivers/staging/rtl8723bs/core/rtw_mlme.c | 2 +-
drivers/staging/rtl8723bs/core/rtw_security.c | 5 +-
drivers/staging/rtl8723bs/core/rtw_xmit.c | 5 +-
drivers/staging/wlan-ng/hfa384x.h | 16 +-
drivers/staging/wlan-ng/hfa384x_usb.c | 4 +-
.../intel/int340x_thermal/acpi_thermal_rel.c | 5 +-
.../intel/int340x_thermal/acpi_thermal_rel.h | 48 +--
fs/btrfs/root-tree.c | 5 +-
include/linux/compiler-gcc.h | 2 -
include/linux/compiler_types.h | 4 -
include/linux/fortify-string.h | 234 +++++++++++---
include/linux/ieee80211.h | 8 +-
include/linux/if_vlan.h | 6 +-
include/linux/skbuff.h | 9 +-
include/linux/stddef.h | 34 ++
include/linux/string.h | 26 +-
include/linux/thread_info.h | 2 +-
include/linux/trace_events.h | 26 +-
include/net/flow.h | 6 +-
include/net/ieee80211_radiotap.h | 24 +-
include/net/ip6_fib.h | 30 +-
include/net/mac80211.h | 4 +-
include/net/netfilter/nf_conntrack.h | 20 +-
include/uapi/drm/mga_drm.h | 37 ++-
include/uapi/linux/if_ether.h | 12 +-
include/uapi/linux/ip.h | 12 +-
include/uapi/linux/ipv6.h | 12 +-
include/uapi/linux/netlink.h | 1 +
include/uapi/linux/omap3isp.h | 44 ++-
kernel/trace/trace.c | 4 +-
lib/.gitignore | 2 +
lib/Kconfig.debug | 3 +
lib/Makefile | 32 ++
lib/string.c | 210 +------------
lib/string_helpers.c | 201 ++++++++++++
lib/test_fortify/read_overflow-memchr.c | 5 +
lib/test_fortify/read_overflow-memchr_inv.c | 5 +
lib/test_fortify/read_overflow-memcmp.c | 5 +
lib/test_fortify/read_overflow-memscan.c | 5 +
lib/test_fortify/read_overflow2-memcmp.c | 5 +
lib/test_fortify/read_overflow2-memcpy.c | 5 +
lib/test_fortify/read_overflow2-memmove.c | 5 +
.../read_overflow2_field-memcpy.c | 5 +
.../read_overflow2_field-memmove.c | 5 +
lib/test_fortify/test_fortify.h | 31 ++
lib/test_fortify/write_overflow-memcpy.c | 5 +
lib/test_fortify/write_overflow-memmove.c | 5 +
lib/test_fortify/write_overflow-memset.c | 5 +
lib/test_fortify/write_overflow-strlcpy.c | 5 +
lib/test_fortify/write_overflow-strncpy.c | 5 +
lib/test_fortify/write_overflow-strscpy.c | 5 +
.../write_overflow_field-memcpy.c | 5 +
.../write_overflow_field-memmove.c | 5 +
.../write_overflow_field-memset.c | 5 +
lib/test_memcpy.c | 297 ++++++++++++++++++
net/802/hippi.c | 2 +-
net/core/flow_dissector.c | 10 +-
net/core/skbuff.c | 14 +-
net/dccp/trace.h | 4 +-
net/ethtool/stats.c | 15 +-
net/ipv4/ip_output.c | 6 +-
net/ipv6/route.c | 4 +-
net/mac80211/rx.c | 2 +-
net/netfilter/nf_conntrack_core.c | 4 +-
net/netlink/af_netlink.c | 4 +-
net/wireless/lib80211_crypt_ccmp.c | 3 +-
net/wireless/radiotap.c | 5 +-
net/xfrm/xfrm_policy.c | 4 +-
net/xfrm/xfrm_user.c | 2 +-
scripts/test_fortify.sh | 64 ++++
security/Kconfig | 3 +
137 files changed, 1484 insertions(+), 633 deletions(-)
create mode 100644 lib/test_fortify/read_overflow-memchr.c
create mode 100644 lib/test_fortify/read_overflow-memchr_inv.c
create mode 100644 lib/test_fortify/read_overflow-memcmp.c
create mode 100644 lib/test_fortify/read_overflow-memscan.c
create mode 100644 lib/test_fortify/read_overflow2-memcmp.c
create mode 100644 lib/test_fortify/read_overflow2-memcpy.c
create mode 100644 lib/test_fortify/read_overflow2-memmove.c
create mode 100644 lib/test_fortify/read_overflow2_field-memcpy.c
create mode 100644 lib/test_fortify/read_overflow2_field-memmove.c
create mode 100644 lib/test_fortify/test_fortify.h
create mode 100644 lib/test_fortify/write_overflow-memcpy.c
create mode 100644 lib/test_fortify/write_overflow-memmove.c
create mode 100644 lib/test_fortify/write_overflow-memset.c
create mode 100644 lib/test_fortify/write_overflow-strlcpy.c
create mode 100644 lib/test_fortify/write_overflow-strncpy.c
create mode 100644 lib/test_fortify/write_overflow-strscpy.c
create mode 100644 lib/test_fortify/write_overflow_field-memcpy.c
create mode 100644 lib/test_fortify/write_overflow_field-memmove.c
create mode 100644 lib/test_fortify/write_overflow_field-memset.c
create mode 100644 lib/test_memcpy.c
create mode 100644 scripts/test_fortify.sh
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
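The field-bounds idea from the cover letter, as an added example that is not code from this series: the struct_group() macro below is a simplified stand-in (assumed shape: the members declared twice in a union, once anonymously and once under a name), and struct pkt_markers, struct pkt_group, bounded_copy() and field_memcpy() are hypothetical names made up for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for struct_group() (assumption, not the kernel macro):
 * the anonymous copy keeps p->hash working, the named copy gives the region
 * a real type so sizeof(p->headers) is its exact size. */
#define struct_group(NAME, ...) \
	union { \
		struct { __VA_ARGS__ }; \
		struct { __VA_ARGS__ } NAME; \
	}

/* Old style: zero-length marker members delimit the region (GNU C). */
struct pkt_markers {
	int id;
	unsigned int headers_start[0];
	unsigned char proto;
	unsigned short csum;
	unsigned int hash;
	unsigned int headers_end[0];
	unsigned char tail[8];
};

/* New style: the same members wrapped in a named group. */
struct pkt_group {
	int id;
	struct_group(headers,
		unsigned char proto;
		unsigned short csum;
		unsigned int hash;
	);
	unsigned char tail[8];
};

/* A grouped field must sit at the same offset under both spellings. */
_Static_assert(offsetof(struct pkt_group, hash) ==
	       offsetof(struct pkt_group, headers.hash), "hash not in group");

/* Size of the region computed the old way, from the two markers. */
size_t marker_span(void)
{
	return offsetof(struct pkt_markers, headers_end) -
	       offsetof(struct pkt_markers, headers_start);
}

/* Size of the region computed the new way, from the group's type. */
size_t group_size(void)
{
	return sizeof(((struct pkt_group *)0)->headers);
}

/* Refuse any copy larger than the destination member itself. */
int bounded_copy(void *dst, size_t dst_size, const void *src, size_t n)
{
	if (n > dst_size)
		return -1;
	memcpy(dst, src, n);
	return 0;
}

/* The destination size comes from the member's type, not from the caller. */
#define field_memcpy(p, member, src, n) \
	bounded_copy(&(p)->member, sizeof((p)->member), (src), (n))

/* Writing the whole region through its first member spans fields: rejected. */
int cross_field_copy_rejected(void)
{
	struct pkt_group dst, src;

	memset(&dst, 0, sizeof(dst));
	memset(&src, 0, sizeof(src));
	return field_memcpy(&dst, proto, &src.proto, sizeof(src.headers)) == -1;
}

/* Writing the region through the group copies it and leaves neighbours alone. */
int group_copy_ok(void)
{
	struct pkt_group dst, src;

	memset(&dst, 0, sizeof(dst));
	memset(&src, 0, sizeof(src));
	dst.id = 7;
	memset(dst.tail, 0xAA, sizeof(dst.tail));
	src.proto = 6;
	src.csum = 0xbeef;
	src.hash = 0x1234;
	if (field_memcpy(&dst, headers, &src.headers, sizeof(src.headers)) != 0)
		return 0;
	return dst.proto == 6 && dst.csum == 0xbeef && dst.hash == 0x1234 &&
	       dst.id == 7 && dst.tail[0] == 0xAA;
}

/* One byte past the group would land in tail[]: rejected. */
int oversize_group_copy_rejected(void)
{
	struct pkt_group dst, src;

	memset(&dst, 0, sizeof(dst));
	memset(&src, 0, sizeof(src));
	return field_memcpy(&dst, headers, &src.headers,
			    sizeof(src.headers) + 1) == -1;
}

int main(void)
{
	printf("marker span=%zu group size=%zu\n", marker_span(), group_size());
	printf("cross-field rejected=%d group copy ok=%d oversize rejected=%d\n",
	       cross_field_copy_rejected(), group_copy_ok(),
	       oversize_group_copy_rejected());
	return 0;
}
```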
* [PATCH 05/64] skbuff: Switch structure bounds to struct_group()
2021-07-27 20:57 [PATCH 00/64] Introduce strict memcpy() bounds checking Kees Cook
@ 2021-07-27 20:57 ` Kees Cook
0 siblings, 0 replies; 5+ messages in thread
From: Kees Cook @ 2021-07-27 20:57 UTC (permalink / raw)
To: linux-hardening
Cc: Kees Cook, Gustavo A. R. Silva, Keith Packard,
Greg Kroah-Hartman, Andrew Morton, linux-kernel, linux-wireless,
netdev, dri-devel, linux-staging, linux-block, linux-kbuild,
clang-built-linux
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring fields.
Replace the existing empty member position markers "headers_start" and
"headers_end" with a struct_group(). This will allow memcpy() and sizeof()
to more easily reason about sizes, and improve readability.
"pahole" shows no size nor member offset changes to struct sk_buff.
"objdump -d" shows no meaningful object code changes (i.e. only source
line number induced differences and optimizations.)
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/net/wireguard/queueing.h | 4 +---
include/linux/skbuff.h | 9 ++++-----
net/core/skbuff.c | 14 +++++---------
3 files changed, 10 insertions(+), 17 deletions(-)
diff --git a/drivers/net/wireguard/queueing.h b/drivers/net/wireguard/queueing.h
index 4ef2944a68bc..52da5e963003 100644
--- a/drivers/net/wireguard/queueing.h
+++ b/drivers/net/wireguard/queueing.h
@@ -79,9 +79,7 @@ static inline void wg_reset_packet(struct sk_buff *skb, bool encapsulating)
u8 sw_hash = skb->sw_hash;
u32 hash = skb->hash;
skb_scrub_packet(skb, true);
- memset(&skb->headers_start, 0,
- offsetof(struct sk_buff, headers_end) -
- offsetof(struct sk_buff, headers_start));
+ memset(&skb->headers, 0, sizeof(skb->headers));
if (encapsulating) {
skb->l4_hash = l4_hash;
skb->sw_hash = sw_hash;
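Review bot: in wg_reset_packet(), saving l4_hash, sw_hash and hash into locals and writing them back after the memset() only makes sense if those fields sit inside the headers group, and nothing at the call site says so. A one-line comment above memset(&skb->headers, 0, sizeof(skb->headers)) naming the fields that are deliberately preserved would keep a later layout change (a field moved out of the group) from quietly turning the restore into dead code.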
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index f19190820e63..b4032e9b130e 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -800,11 +800,10 @@ struct sk_buff {
__u8 active_extensions;
#endif
- /* fields enclosed in headers_start/headers_end are copied
+ /* Fields enclosed in headers group are copied
* using a single memcpy() in __copy_skb_header()
*/
- /* private: */
- __u32 headers_start[0];
+ struct_group(headers,
/* public: */
/* if you move pkt_type around you also must adapt those constants */
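Review bot: opening struct_group(headers, at this point puts the preprocessor directives that follow inside a macro's argument list, which is what the kernel test robot's sparse run in this thread reports ("directive in macro's argument list" at skbuff.h lines 813, 815, 839 and 841, beginning with the #ifdef __BIG_ENDIAN_BITFIELD / #define PKT_TYPE_MAX block under the "if you move pkt_type around" comment). C leaves directives inside macro arguments undefined, so a compiler accepting it today is not a guarantee. Suggest hoisting the PKT_TYPE_MAX and PKT_TYPE_OFFSET() definitions above the struct_group( line, and deciding explicitly how the remaining #ifdef blocks inside the group are to be handled.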
@@ -920,8 +919,8 @@ struct sk_buff {
u64 kcov_handle;
#endif
- /* private: */
- __u32 headers_end[0];
+ ); /* end headers group */
+
/* public: */
/* These elements must be at the end, see alloc_skb() for details. */
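Review bot: the /* public: */ marker kept after ); /* end headers group */ no longer closes anything, because this hunk removes the /* private: */ line together with headers_end[0]. Drop the now-unpaired marker here (and the matching one right after struct_group(headers, in the previous hunk), or keep the private/public pairs balanced so the documentation markers still mean something.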
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index fc7942c0dddc..5f29c65507e0 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -987,12 +987,10 @@ void napi_consume_skb(struct sk_buff *skb, int budget)
}
EXPORT_SYMBOL(napi_consume_skb);
-/* Make sure a field is enclosed inside headers_start/headers_end section */
+/* Make sure a field is contained by headers group */
#define CHECK_SKB_FIELD(field) \
- BUILD_BUG_ON(offsetof(struct sk_buff, field) < \
- offsetof(struct sk_buff, headers_start)); \
- BUILD_BUG_ON(offsetof(struct sk_buff, field) > \
- offsetof(struct sk_buff, headers_end)); \
+ BUILD_BUG_ON(offsetof(struct sk_buff, field) != \
+ offsetof(struct sk_buff, headers.field)); \
static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
{
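Review bot: in the new CHECK_SKB_FIELD(), a field that is not a member of the group already fails to compile at offsetof(struct sk_buff, headers.field), so the enforcement comes from that expression being valid rather than from the != comparison. The comment "Make sure a field is contained by headers group" should say so, otherwise a reader will look for a layout in which the BUILD_BUG_ON() condition itself fires. The macro body also still ends in a trailing backslash after the last statement; since the line is being rewritten anyway, drop the continuation and the trailing semicolon so the macro does not depend on the blank line that follows it.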
@@ -1004,14 +1002,12 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
__skb_ext_copy(new, old);
__nf_copy(new, old, false);
- /* Note : this field could be in headers_start/headers_end section
+ /* Note : this field could be in the headers group.
* It is not yet because we do not want to have a 16 bit hole
*/
new->queue_mapping = old->queue_mapping;
- memcpy(&new->headers_start, &old->headers_start,
- offsetof(struct sk_buff, headers_end) -
- offsetof(struct sk_buff, headers_start));
+ memcpy(&new->headers, &old->headers, sizeof(new->headers));
CHECK_SKB_FIELD(protocol);
CHECK_SKB_FIELD(csum);
CHECK_SKB_FIELD(hash);
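Review bot: now that headers is a real member with a type, memcpy(&new->headers, &old->headers, sizeof(new->headers)) in __copy_skb_header() could be the plain assignment new->headers = old->headers, which lets the compiler type-check both sides and removes the size argument entirely. If memcpy() is kept on purpose, for example to back the "no meaningful object code changes" statement in the commit message, please say that in the comment above the copy.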
--
2.30.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 05/64] skbuff: Switch structure bounds to struct_group()
2021-07-27 20:57 ` Kees Cook
@ 2021-07-28 3:50 ` Gustavo A. R. Silva
-1 siblings, 0 replies; 5+ messages in thread
From: Gustavo A. R. Silva @ 2021-07-28 3:50 UTC (permalink / raw)
To: Kees Cook
Cc: linux-hardening, Keith Packard, Greg Kroah-Hartman,
Andrew Morton, linux-kernel, linux-wireless, netdev, dri-devel,
linux-staging, linux-block, linux-kbuild, clang-built-linux
On Tue, Jul 27, 2021 at 01:57:56PM -0700, Kees Cook wrote:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field bounds checking for memcpy(), memmove(), and memset(), avoid
> intentionally writing across neighboring fields.
>
> Replace the existing empty member position markers "headers_start" and
> "headers_end" with a struct_group(). This will allow memcpy() and sizeof()
> to more easily reason about sizes, and improve readability.
>
> "pahole" shows no size nor member offset changes to struct sk_buff.
> "objdump -d" shows no meaningful object code changes (i.e. only source
> line number induced differences and optimizations.)
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Thanks
--
Gustavo
> ---
> drivers/net/wireguard/queueing.h | 4 +---
> include/linux/skbuff.h | 9 ++++-----
> net/core/skbuff.c | 14 +++++---------
> 3 files changed, 10 insertions(+), 17 deletions(-)
>
> diff --git a/drivers/net/wireguard/queueing.h b/drivers/net/wireguard/queueing.h
> index 4ef2944a68bc..52da5e963003 100644
> --- a/drivers/net/wireguard/queueing.h
> +++ b/drivers/net/wireguard/queueing.h
> @@ -79,9 +79,7 @@ static inline void wg_reset_packet(struct sk_buff *skb, bool encapsulating)
> u8 sw_hash = skb->sw_hash;
> u32 hash = skb->hash;
> skb_scrub_packet(skb, true);
> - memset(&skb->headers_start, 0,
> - offsetof(struct sk_buff, headers_end) -
> - offsetof(struct sk_buff, headers_start));
> + memset(&skb->headers, 0, sizeof(skb->headers));
> if (encapsulating) {
> skb->l4_hash = l4_hash;
> skb->sw_hash = sw_hash;
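Review bot: in wg_reset_packet() the driver now names the group directly (memset(&skb->headers, 0, sizeof(skb->headers));), so a driver outside net/core depends on the layout name chosen in skbuff.h. A small inline helper in include/linux/skbuff.h that clears the group would keep that name in one place. The hunk also relies on l4_hash, sw_hash and hash being inside the group (they are saved before the memset and restored after it) without saying so; a one-line comment above the memset would make that dependency visible.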
> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> index f19190820e63..b4032e9b130e 100644
> --- a/include/linux/skbuff.h
> +++ b/include/linux/skbuff.h
> @@ -800,11 +800,10 @@ struct sk_buff {
> __u8 active_extensions;
> #endif
>
> - /* fields enclosed in headers_start/headers_end are copied
> + /* Fields enclosed in headers group are copied
> * using a single memcpy() in __copy_skb_header()
> */
> - /* private: */
> - __u32 headers_start[0];
> + struct_group(headers,
> /* public: */
>
> /* if you move pkt_type around you also must adapt those constants */
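Review bot: the "/* public: */" marker left directly after "struct_group(headers," no longer has a matching "/* private: */", because that line was removed together with headers_start. Drop the leftover marker, and confirm that the kernel-doc output for struct sk_buff still lists the grouped members now that they sit inside a macro argument.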
> @@ -920,8 +919,8 @@ struct sk_buff {
> u64 kcov_handle;
> #endif
>
> - /* private: */
> - __u32 headers_end[0];
> + ); /* end headers group */
> +
> /* public: */
>
> /* These elements must be at the end, see alloc_skb() for details. */
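Review bot: the "#endif" immediately before "); /* end headers group */" means the struct_group() argument contains preprocessor directives, which ISO C leaves undefined (C11 6.10.3p11). GCC and Clang accept it, but other tools that parse this header may warn, so the commit message should state which compilers and checkers the series was built with. The second "/* public: */" after the closing line is also unpaired now and can go.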
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index fc7942c0dddc..5f29c65507e0 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -987,12 +987,10 @@ void napi_consume_skb(struct sk_buff *skb, int budget)
> }
> EXPORT_SYMBOL(napi_consume_skb);
>
> -/* Make sure a field is enclosed inside headers_start/headers_end section */
> +/* Make sure a field is contained by headers group */
> #define CHECK_SKB_FIELD(field) \
> - BUILD_BUG_ON(offsetof(struct sk_buff, field) < \
> - offsetof(struct sk_buff, headers_start)); \
> - BUILD_BUG_ON(offsetof(struct sk_buff, field) > \
> - offsetof(struct sk_buff, headers_end)); \
> + BUILD_BUG_ON(offsetof(struct sk_buff, field) != \
> + offsetof(struct sk_buff, headers.field)); \
>
> static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
> {
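Review bot: the rewritten CHECK_SKB_FIELD() comparison cannot evaluate to true in BUILD_BUG_ON(): assuming struct_group() exposes the same members under both names, offsetof(struct sk_buff, field) and offsetof(struct sk_buff, headers.field) are equal whenever headers.field exists, and a field outside the group fails earlier with a missing-member compile error. That is still a useful guard, but the comment should say the check works by member lookup so nobody expects the BUILD_BUG_ON() message. The last line of the macro also keeps a trailing backslash in front of an empty line, which can be dropped.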
> @@ -1004,14 +1002,12 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
> __skb_ext_copy(new, old);
> __nf_copy(new, old, false);
>
> - /* Note : this field could be in headers_start/headers_end section
> + /* Note : this field could be in the headers group.
> * It is not yet because we do not want to have a 16 bit hole
> */
> new->queue_mapping = old->queue_mapping;
>
> - memcpy(&new->headers_start, &old->headers_start,
> - offsetof(struct sk_buff, headers_end) -
> - offsetof(struct sk_buff, headers_start));
> + memcpy(&new->headers, &old->headers, sizeof(new->headers));
> CHECK_SKB_FIELD(protocol);
> CHECK_SKB_FIELD(csum);
> CHECK_SKB_FIELD(hash);
> --
> 2.30.2
>
^ permalink raw reply [flat|nested] 5+ messages in thread
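The marker-to-group conversion discussed in this thread, as an added userspace example (not code from the patch or the kernel tree). `struct pkt`, `CHECK_PKT_FIELD()` and the two helpers are hypothetical, and the `struct_group()` macro here is a simplified stand-in, since the kernel's definition is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in (assumption): declare the same members twice inside an
 * anonymous union, once anonymously so p->proto keeps working, and once as a
 * named struct so p->headers is a real object with its own sizeof(). */
#define struct_group(NAME, ...) \
	union { \
		struct { __VA_ARGS__ }; \
		struct { __VA_ARGS__ } NAME; \
	}

/* Hypothetical packet descriptor, not struct sk_buff. */
struct pkt {
	void *owner;            /* must survive a header reset */
	struct_group(headers,
		uint16_t proto;
		uint32_t csum;
		uint32_t hash;
	);
	uint16_t queue_mapping; /* deliberately outside the group */
};

/* Same shape as the patch's CHECK_SKB_FIELD(): naming a field that is not in
 * the group fails to compile because headers.<field> does not exist. */
#define CHECK_PKT_FIELD(field) \
	_Static_assert(offsetof(struct pkt, field) == \
		       offsetof(struct pkt, headers.field), #field " not in group")

CHECK_PKT_FIELD(proto);
CHECK_PKT_FIELD(csum);
CHECK_PKT_FIELD(hash);

/* Destination and length both name one object, so a field-aware bounds check
 * on memcpy() has a single member to measure instead of a marker-to-marker span. */
void pkt_copy_headers(struct pkt *dst, const struct pkt *src)
{
	memcpy(&dst->headers, &src->headers, sizeof(dst->headers));
}

/* Clear only the grouped fields, the pattern wg_reset_packet() uses in the patch. */
void pkt_reset_headers(struct pkt *p)
{
	memset(&p->headers, 0, sizeof(p->headers));
}
```

Adding `CHECK_PKT_FIELD(queue_mapping);` makes the build fail, which is the compile-time behaviour the new `CHECK_SKB_FIELD()` depends on.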
end of thread, other threads:[~2021-07-28 3:47 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-27 23:06 [PATCH 05/64] skbuff: Switch structure bounds to struct_group() kernel test robot
-- strict thread matches above, loose matches on Subject: below --
2021-07-27 20:57 [PATCH 00/64] Introduce strict memcpy() bounds checking Kees Cook
2021-07-27 20:57 ` [PATCH 05/64] skbuff: Switch structure bounds to struct_group() Kees Cook
2021-07-27 20:57 ` Kees Cook
2021-07-28 3:50 ` Gustavo A. R. Silva
2021-07-28 3:50 ` Gustavo A. R. Silva