From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 67DB73483 for ; Fri, 30 Jul 2021 02:39:25 +0000 (UTC) Received: by mail-pj1-f44.google.com with SMTP id nh14so1266392pjb.2 for ; Thu, 29 Jul 2021 19:39:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=NHuO3a4lOV1ak/eQfFp+AAaG2sMLeGDAKzyV4AOK0RE=; b=j8UqRed6HOKlyVkSoS05EJXewa+eUCRzTuOxtwGX5fDIEozj4tBUf/Pb6CHGAaLmaA 0lvkqjJ4PTgUwIVlwmbeuhhcBcZAYaZZ7EQBi+8oHJhkCGFeyBQklkhQLoPwf8W6+nzt YRqHGvdjQepkZ10ZG9+WbgEXKCY3JTIc9WoQ4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=NHuO3a4lOV1ak/eQfFp+AAaG2sMLeGDAKzyV4AOK0RE=; b=KyCV6jrS82nFlBuL35HAGVBRvBsi+WrKMt4hLrmpvcIu9D4mHQU2hEcGCo2Vd/LrHK enDkFc6sWpXFH9I+LZ+ZmPWyYQ66ARBqaq5VV9H17vAiPCBdi3vdTCNe2YlH3iP1ZFz2 fQeQCHrWzhfwudhzOFRm21fxzijp1jZMUTzE4J0mn6yjtaYvKTSO7Vy7hVQxBVA/H7Jz cGf5hcsV4RVrnAanWh6EU73KyF9kevlo8n+awvMmOoDuMKtVVeKTi71oYJ81vQjlChKt y81DP8ugDwYm+OKzHx0iTBHGSrkAdO58MEjlpPMQoJMUOq2n+BUT/NhZqMrLgpquRIEj /gYQ== X-Gm-Message-State: AOAM533SL5K2L6jop1i8TFrKum1Z2jq6Rlcdn9Xuiy50N78kN4pbCz0s SQf6rkZbiLvJeHpdWlZO1tUYcA== X-Google-Smtp-Source: ABdhPJzo5u8p9hbDXhUl8yhRH+ETwKt9UE7110pr1bIcu8dZOn97UljUZ8gMIyei6sG4Pc+UC9HyCw== X-Received: by 2002:a17:902:c409:b029:12c:8d18:a03 with SMTP id k9-20020a170902c409b029012c8d180a03mr518065plk.81.1627612764988; Thu, 29 Jul 2021 19:39:24 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id x7sm195258pfn.70.2021.07.29.19.39.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Jul 2021 19:39:24 -0700 (PDT) Date: Thu, 29 Jul 2021 19:39:23 -0700 From: Kees Cook To: Rasmus Villemoes Cc: linux-hardening@vger.kernel.org, "Gustavo A. R. Silva" , Keith Packard , Greg Kroah-Hartman , Andrew Morton , linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-staging@lists.linux.dev, linux-block@vger.kernel.org, linux-kbuild@vger.kernel.org, clang-built-linux@googlegroups.com Subject: Re: [PATCH 34/64] fortify: Detect struct member overflows in memcpy() at compile-time Message-ID: <202107291938.B26E4916@keescook> References: <20210727205855.411487-1-keescook@chromium.org> <20210727205855.411487-35-keescook@chromium.org> Precedence: bulk X-Mailing-List: linux-staging@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Wed, Jul 28, 2021 at 01:19:59PM +0200, Rasmus Villemoes wrote: > On 27/07/2021 22.58, Kees Cook wrote: > > > At its core, FORTIFY_SOURCE uses the compiler's __builtin_object_size() > > internal[0] to determine the available size at a target address based on > > the compile-time known structure layout details. It operates in two > > modes: outer bounds (0) and inner bounds (1). In mode 0, the size of the > > enclosing structure is used. In mode 1, the size of the specific field > > is used. For example: > > > > struct object { > > u16 scalar1; /* 2 bytes */ > > char array[6]; /* 6 bytes */ > > u64 scalar2; /* 8 bytes */ > > u32 scalar3; /* 4 bytes */ > > } instance; > > > > > > __builtin_object_size(instance.array, 0) == 18, since the remaining size > > of the enclosing structure starting from "array" is 18 bytes (6 + 8 + 4). > > I think the compiler would usually end up making that struct size 24, > with 4 bytes of trailing padding (at least when alignof(u64) is 8). In > that case, does __builtin_object_size(instance.array, 0) actually > evaluate to 18, or to 22? A quick test on x86-64 suggests the latter, so > the memcpy(, , 20) would not be a violation. > > Perhaps it's better to base the example on something which doesn't have > potential trailing padding - so either add another 4 byte member, or > also make scalar2 u32. Yup, totally right. Thanks! I've fixed the example now for v2. -- Kees Cook From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 36D4BC4320A for ; Fri, 30 Jul 2021 02:39:27 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id EF28060F4A for ; Fri, 30 Jul 2021 02:39:26 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org EF28060F4A Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=lists.freedesktop.org Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 738BE6F39E; Fri, 30 Jul 2021 02:39:26 +0000 (UTC) Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) by gabe.freedesktop.org (Postfix) with ESMTPS id 5719A6F39E for ; Fri, 30 Jul 2021 02:39:25 +0000 (UTC) Received: by mail-pj1-x1029.google.com with SMTP id j1so13001021pjv.3 for ; Thu, 29 Jul 2021 19:39:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=NHuO3a4lOV1ak/eQfFp+AAaG2sMLeGDAKzyV4AOK0RE=; b=j8UqRed6HOKlyVkSoS05EJXewa+eUCRzTuOxtwGX5fDIEozj4tBUf/Pb6CHGAaLmaA 0lvkqjJ4PTgUwIVlwmbeuhhcBcZAYaZZ7EQBi+8oHJhkCGFeyBQklkhQLoPwf8W6+nzt YRqHGvdjQepkZ10ZG9+WbgEXKCY3JTIc9WoQ4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=NHuO3a4lOV1ak/eQfFp+AAaG2sMLeGDAKzyV4AOK0RE=; b=NNWvNaYar01O6v30Av/CBxr2IK9lkr29V/tsDCSSOm8p4DTK6c8rbkhrzHFMSbPEU4 gWBRCx5sqYLkWwmX/R0gQjaxFhuObRmm1xu/beWz6HIUovSFUfU8E7Oaxb+VMwsXutPn 1G7yVEnmMdH83AFEFy5EcQDX+HoW5n+jHfsxjRno1okGRMBaVkJEY64sk59NFGoh7x0Z yb+VwPjBd4v7BbP+ILFX+Ul0oLmi5kQrZ37jS738w3p5y2kRUliSNWmmei1qwc/ufiha NpkEhOx5msRmvqXTSY4DjP2Xsn0MOrYhYY2T0qlebUwVAVyHt12rVUSlDoRH6MCdZw01 MN4w== X-Gm-Message-State: AOAM530o1mFwuUYjqFSTOCa8lOVZlH8/kOesS3RcihBMaeY7bcq4cu/H lSKIuvC72zJ3Ian02olCb7/4uA== X-Google-Smtp-Source: ABdhPJzo5u8p9hbDXhUl8yhRH+ETwKt9UE7110pr1bIcu8dZOn97UljUZ8gMIyei6sG4Pc+UC9HyCw== X-Received: by 2002:a17:902:c409:b029:12c:8d18:a03 with SMTP id k9-20020a170902c409b029012c8d180a03mr518065plk.81.1627612764988; Thu, 29 Jul 2021 19:39:24 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id x7sm195258pfn.70.2021.07.29.19.39.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Jul 2021 19:39:24 -0700 (PDT) Date: Thu, 29 Jul 2021 19:39:23 -0700 From: Kees Cook To: Rasmus Villemoes Subject: Re: [PATCH 34/64] fortify: Detect struct member overflows in memcpy() at compile-time Message-ID: <202107291938.B26E4916@keescook> References: <20210727205855.411487-1-keescook@chromium.org> <20210727205855.411487-35-keescook@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-kbuild@vger.kernel.org, Greg Kroah-Hartman , linux-staging@lists.linux.dev, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, "Gustavo A. R. Silva" , linux-block@vger.kernel.org, clang-built-linux@googlegroups.com, Keith Packard , linux-hardening@vger.kernel.org, netdev@vger.kernel.org, Andrew Morton Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" On Wed, Jul 28, 2021 at 01:19:59PM +0200, Rasmus Villemoes wrote: > On 27/07/2021 22.58, Kees Cook wrote: > > > At its core, FORTIFY_SOURCE uses the compiler's __builtin_object_size() > > internal[0] to determine the available size at a target address based on > > the compile-time known structure layout details. It operates in two > > modes: outer bounds (0) and inner bounds (1). In mode 0, the size of the > > enclosing structure is used. In mode 1, the size of the specific field > > is used. For example: > > > > struct object { > > u16 scalar1; /* 2 bytes */ > > char array[6]; /* 6 bytes */ > > u64 scalar2; /* 8 bytes */ > > u32 scalar3; /* 4 bytes */ > > } instance; > > > > > > __builtin_object_size(instance.array, 0) == 18, since the remaining size > > of the enclosing structure starting from "array" is 18 bytes (6 + 8 + 4). > > I think the compiler would usually end up making that struct size 24, > with 4 bytes of trailing padding (at least when alignof(u64) is 8). In > that case, does __builtin_object_size(instance.array, 0) actually > evaluate to 18, or to 22? A quick test on x86-64 suggests the latter, so > the memcpy(, , 20) would not be a violation. > > Perhaps it's better to base the example on something which doesn't have > potential trailing padding - so either add another 4 byte member, or > also make scalar2 u32. Yup, totally right. Thanks! I've fixed the example now for v2. -- Kees Cook