From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-23.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 33FB8C43214 for ; Wed, 25 Aug 2021 22:06:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1995360EE9 for ; Wed, 25 Aug 2021 22:06:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234992AbhHYWG6 (ORCPT ); Wed, 25 Aug 2021 18:06:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33638 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233792AbhHYWG5 (ORCPT ); Wed, 25 Aug 2021 18:06:57 -0400 Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AC020C061757 for ; Wed, 25 Aug 2021 15:06:10 -0700 (PDT) Received: by mail-lf1-x132.google.com with SMTP id z2so2095543lft.1 for ; Wed, 25 Aug 2021 15:06:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ccea3fIlNm7FUfA3rNUTcHdFf0+pm8m4+EKLNy1tSUI=; b=IQRg/zOds6VyPkEBcga03F5+uCR+u/q1eds5g9OOk7xrmPPRTj/nk8nBlNOPovSOYJ 78dlAEVUMZHrJH/YR2nA8JdVlQqM89g3x84xqwiLkVMlOhXiq2T3OtDSmjZnPLE8Px9J /U6LE9Gxxx7cHPu9E6pMtQSTIOJCYkbGdo3Bt/9pTa43tuqsYlxsuNqENZGwzOWSQiKQ RPXdJxCSPlVzpYSd+JZTY7M6j/jQpRK+wCjWIeOYe63oU1etO5HaOCK8gFlOxksWON60 XgPqtpjKSNhIYfebI/YWC3IXitSFJgJNsQfTs3IyE4MijGY9ualMROmfZ5EWGz9Fq7kV EAkA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ccea3fIlNm7FUfA3rNUTcHdFf0+pm8m4+EKLNy1tSUI=; b=rwmUARpMvpV+FhFVGgm6PBKQ7mYgTlsIdU4JJnt5/cUoxD9FdMhGo8zjZ4B6mLxw0y iEAH1njCE1chHP1AzNALfpusUTFK/0WvXdnJKKTkCHq16qhWvyTf9zWQfn+63E1RdfO3 lSZ6YVZbgGW+KKpZez2sfybGGnuEJa3qXE3z5lV4znlWCQw6bF5ddbxCIcuBiuV6i1xB AOxiFO01WdgEz1KmBOzCXimL/qgjYr95R++7oFjc46RO71laLRgk1zBmCw4hsfocsbTr XHNBXOtoS7uuRc02MdL8kU/dM4vL5iN9/u44wcWBWHootQ5qDXEfJYbMihzk5bI9t+qZ NyxA== X-Gm-Message-State: AOAM533ftSnuHQjUP3HQwyaoqhRKPXMXArvzq9pi6ITrRB8fZ/YdVLq7 U83amts6W1C3lGpD5VSF6JL769x4nhCPApkxdxtFmQ== X-Google-Smtp-Source: ABdhPJyNQ/WwmaoSwrjefYfWyWAsZKiS9gMfjES83laYfRbmcqiJjJ7AJQDbwjC7dkR4EaWwzmJgZToBkxruPl/Kvt4= X-Received: by 2002:a05:6512:3991:: with SMTP id j17mr229922lfu.374.1629929168689; Wed, 25 Aug 2021 15:06:08 -0700 (PDT) MIME-Version: 1.0 References: <20210822075122.864511-1-keescook@chromium.org> <20210822075122.864511-20-keescook@chromium.org> In-Reply-To: <20210822075122.864511-20-keescook@chromium.org> From: Nick Desaulniers Date: Wed, 25 Aug 2021 15:05:56 -0700 Message-ID: Subject: Re: [PATCH for-next 19/25] fortify: Allow strlen() and strnlen() to pass compile-time known lengths To: Kees Cook Cc: linux-kernel@vger.kernel.org, Rasmus Villemoes , Daniel Micay , Francis Laniel , Bart Van Assche , David Gow , linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Aug 22, 2021 at 12:57 AM Kees Cook wrote: > > Under CONFIG_FORTIFY_SOURCE, it is possible for the compiler to perform > strlen() and strnlen() at compile-time when the string size is known. > This is required to support compile-time overflow checking in strlcpy(). > > Signed-off-by: Kees Cook > --- > include/linux/fortify-string.h | 47 ++++++++++++++++++++++++++-------- > 1 file changed, 36 insertions(+), 11 deletions(-) > > diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h > index a3cb1d9aacce..e232a63fd826 100644 > --- a/include/linux/fortify-string.h > +++ b/include/linux/fortify-string.h > @@ -10,6 +10,18 @@ void __read_overflow(void) __compiletime_error("detected read beyond size of obj > void __read_overflow2(void) __compiletime_error("detected read beyond size of object (2nd parameter)"); > void __write_overflow(void) __compiletime_error("detected write beyond size of object (1st parameter)"); > > +#define __compiletime_strlen(p) ({ \ > + size_t ret = (size_t)-1; \ > + size_t p_size = __builtin_object_size(p, 1); \ > + if (p_size != (size_t)-1) { \ > + size_t p_len = p_size - 1; \ > + if (__builtin_constant_p(p[p_len]) && \ > + p[p_len] == '\0') \ > + ret = __builtin_strlen(p); \ > + } \ > + ret; \ > +}) Can this be a `static inline` function that accepts a `const char *` and returns a `size_t` rather than a statement expression? > + > #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) > extern void *__underlying_memchr(const void *p, int c, __kernel_size_t size) __RENAME(memchr); > extern int __underlying_memcmp(const void *p, const void *q, __kernel_size_t size) __RENAME(memcmp); > @@ -60,21 +72,31 @@ extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(st > __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen) > { > size_t p_size = __builtin_object_size(p, 1); > - __kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); > + size_t p_len = __compiletime_strlen(p); > + size_t ret; > + > + /* We can take compile-time actions when maxlen is const. */ > + if (__builtin_constant_p(maxlen) && p_len != (size_t)-1) { > + /* If p is const, we can use its compile-time-known len. */ > + if (maxlen >= p_size) > + return p_len; > + } > > + /* Do no check characters beyond the end of p. */ s/no/not/ > + ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); > if (p_size <= ret && maxlen != ret) > fortify_panic(__func__); > return ret; > } > > +/* defined after fortified strnlen to reuse it. */ > __FORTIFY_INLINE __kernel_size_t strlen(const char *p) > { > __kernel_size_t ret; > size_t p_size = __builtin_object_size(p, 1); > > - /* Work around gcc excess stack consumption issue */ > - if (p_size == (size_t)-1 || > - (__builtin_constant_p(p[p_size - 1]) && p[p_size - 1] == '\0')) > + /* Give up if we don't know how large p is. */ > + if (p_size == (size_t)-1) > return __underlying_strlen(p); > ret = strnlen(p, p_size); > if (p_size <= ret) > @@ -86,24 +108,27 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p) > extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy); > __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) > { > - size_t ret; > size_t p_size = __builtin_object_size(p, 1); > size_t q_size = __builtin_object_size(q, 1); > + size_t q_len; /* Full count of source string length. */ > + size_t len; /* Count of characters going into destination. */ > > if (p_size == (size_t)-1 && q_size == (size_t)-1) > return __real_strlcpy(p, q, size); > - ret = strlen(q); > - if (size) { > - size_t len = (ret >= size) ? size - 1 : ret; > - > - if (__builtin_constant_p(len) && len >= p_size) > + q_len = strlen(q); > + len = (q_len >= size) ? size - 1 : q_len; > + if (__builtin_constant_p(size) && __builtin_constant_p(q_len) && size) { > + /* Write size is always larger than destintation. */ s/destintation/destination/ > + if (len >= p_size) > __write_overflow(); > + } > + if (size) { > if (len >= p_size) > fortify_panic(__func__); > __underlying_memcpy(p, q, len); > p[len] = '\0'; > } > - return ret; > + return q_len; > } > > /* defined after fortified strnlen to reuse it */ > -- > 2.30.2 > > -- > You received this message because you are subscribed to the Google Groups "Clang Built Linux" group. > To unsubscribe from this group and stop receiving emails from it, send an email to clang-built-linux+unsubscribe@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/clang-built-linux/20210822075122.864511-20-keescook%40chromium.org. -- Thanks, ~Nick Desaulniers From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-23.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5077CC4320E for ; Wed, 25 Aug 2021 22:06:12 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id D753F60F45 for ; Wed, 25 Aug 2021 22:06:11 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org D753F60F45 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id 72F886B006C; Wed, 25 Aug 2021 18:06:11 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 6DF636B0072; Wed, 25 Aug 2021 18:06:11 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 5A7256B0073; Wed, 25 Aug 2021 18:06:11 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0047.hostedemail.com [216.40.44.47]) by kanga.kvack.org (Postfix) with ESMTP id 3CD706B006C for ; Wed, 25 Aug 2021 18:06:11 -0400 (EDT) Received: from smtpin20.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay02.hostedemail.com (Postfix) with ESMTP id DA8EE14D21 for ; Wed, 25 Aug 2021 22:06:10 +0000 (UTC) X-FDA: 78514986900.20.DCFBABA Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42]) by imf07.hostedemail.com (Postfix) with ESMTP id 950D810000BA for ; Wed, 25 Aug 2021 22:06:10 +0000 (UTC) Received: by mail-lf1-f42.google.com with SMTP id i9so1983863lfg.10 for ; Wed, 25 Aug 2021 15:06:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ccea3fIlNm7FUfA3rNUTcHdFf0+pm8m4+EKLNy1tSUI=; b=IQRg/zOds6VyPkEBcga03F5+uCR+u/q1eds5g9OOk7xrmPPRTj/nk8nBlNOPovSOYJ 78dlAEVUMZHrJH/YR2nA8JdVlQqM89g3x84xqwiLkVMlOhXiq2T3OtDSmjZnPLE8Px9J /U6LE9Gxxx7cHPu9E6pMtQSTIOJCYkbGdo3Bt/9pTa43tuqsYlxsuNqENZGwzOWSQiKQ RPXdJxCSPlVzpYSd+JZTY7M6j/jQpRK+wCjWIeOYe63oU1etO5HaOCK8gFlOxksWON60 XgPqtpjKSNhIYfebI/YWC3IXitSFJgJNsQfTs3IyE4MijGY9ualMROmfZ5EWGz9Fq7kV EAkA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ccea3fIlNm7FUfA3rNUTcHdFf0+pm8m4+EKLNy1tSUI=; b=jvbPBimQy/DFKrzu4oylg6wpW2jbxoDLwq6/izOpcsw6pzCt4FYM9IEV4teWcKO86/ tXwGYH4C1Z7w/rq92/7Z3vSs+5U1mxYay1a2+gSDV+b3NOWTZ2noSPZVCLCJopFjmTgU YSWpFzf8im1/Fpi4RzGfcwuB4ZSkTftd+8btLHSW3lIm+UnN00OYjoWEkyVfjXCibPDS bzg2CtP4abs7sf/d8JcafWd3dVUi1yucCIqANFsYHXwUdF95f4BpsJwmLCwW8xIW4/8b kG+vkyCaX/sacD9dSBSzcUIPOTp8MFNqHS22z5a4BS2ZW8PwxIAafEk0BWX5TvSwZ3mv tV7A== X-Gm-Message-State: AOAM532HtAUVViBQYEUnfk2pU8pEomwJ3WpfGvbqnwjNGf5Bn8kPwWPI 1hBeVPr3aSnXOfxt4u6Ky1XSSeLVToadYxCR59MxqQ== X-Google-Smtp-Source: ABdhPJyNQ/WwmaoSwrjefYfWyWAsZKiS9gMfjES83laYfRbmcqiJjJ7AJQDbwjC7dkR4EaWwzmJgZToBkxruPl/Kvt4= X-Received: by 2002:a05:6512:3991:: with SMTP id j17mr229922lfu.374.1629929168689; Wed, 25 Aug 2021 15:06:08 -0700 (PDT) MIME-Version: 1.0 References: <20210822075122.864511-1-keescook@chromium.org> <20210822075122.864511-20-keescook@chromium.org> In-Reply-To: <20210822075122.864511-20-keescook@chromium.org> From: Nick Desaulniers Date: Wed, 25 Aug 2021 15:05:56 -0700 Message-ID: Subject: Re: [PATCH for-next 19/25] fortify: Allow strlen() and strnlen() to pass compile-time known lengths To: Kees Cook Cc: linux-kernel@vger.kernel.org, Rasmus Villemoes , Daniel Micay , Francis Laniel , Bart Van Assche , David Gow , linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 950D810000BA Authentication-Results: imf07.hostedemail.com; dkim=pass header.d=google.com header.s=20161025 header.b="IQRg/zOd"; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf07.hostedemail.com: domain of ndesaulniers@google.com designates 209.85.167.42 as permitted sender) smtp.mailfrom=ndesaulniers@google.com X-Rspamd-Server: rspam01 X-Stat-Signature: wuo8p4pmmi74piu56tswhabbfdh5a9bo X-HE-Tag: 1629929170-423656 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Sun, Aug 22, 2021 at 12:57 AM Kees Cook wrote: > > Under CONFIG_FORTIFY_SOURCE, it is possible for the compiler to perform > strlen() and strnlen() at compile-time when the string size is known. > This is required to support compile-time overflow checking in strlcpy(). > > Signed-off-by: Kees Cook > --- > include/linux/fortify-string.h | 47 ++++++++++++++++++++++++++-------- > 1 file changed, 36 insertions(+), 11 deletions(-) > > diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h > index a3cb1d9aacce..e232a63fd826 100644 > --- a/include/linux/fortify-string.h > +++ b/include/linux/fortify-string.h > @@ -10,6 +10,18 @@ void __read_overflow(void) __compiletime_error("detected read beyond size of obj > void __read_overflow2(void) __compiletime_error("detected read beyond size of object (2nd parameter)"); > void __write_overflow(void) __compiletime_error("detected write beyond size of object (1st parameter)"); > > +#define __compiletime_strlen(p) ({ \ > + size_t ret = (size_t)-1; \ > + size_t p_size = __builtin_object_size(p, 1); \ > + if (p_size != (size_t)-1) { \ > + size_t p_len = p_size - 1; \ > + if (__builtin_constant_p(p[p_len]) && \ > + p[p_len] == '\0') \ > + ret = __builtin_strlen(p); \ > + } \ > + ret; \ > +}) Can this be a `static inline` function that accepts a `const char *` and returns a `size_t` rather than a statement expression? > + > #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) > extern void *__underlying_memchr(const void *p, int c, __kernel_size_t size) __RENAME(memchr); > extern int __underlying_memcmp(const void *p, const void *q, __kernel_size_t size) __RENAME(memcmp); > @@ -60,21 +72,31 @@ extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(st > __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen) > { > size_t p_size = __builtin_object_size(p, 1); > - __kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); > + size_t p_len = __compiletime_strlen(p); > + size_t ret; > + > + /* We can take compile-time actions when maxlen is const. */ > + if (__builtin_constant_p(maxlen) && p_len != (size_t)-1) { > + /* If p is const, we can use its compile-time-known len. */ > + if (maxlen >= p_size) > + return p_len; > + } > > + /* Do no check characters beyond the end of p. */ s/no/not/ > + ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); > if (p_size <= ret && maxlen != ret) > fortify_panic(__func__); > return ret; > } > > +/* defined after fortified strnlen to reuse it. */ > __FORTIFY_INLINE __kernel_size_t strlen(const char *p) > { > __kernel_size_t ret; > size_t p_size = __builtin_object_size(p, 1); > > - /* Work around gcc excess stack consumption issue */ > - if (p_size == (size_t)-1 || > - (__builtin_constant_p(p[p_size - 1]) && p[p_size - 1] == '\0')) > + /* Give up if we don't know how large p is. */ > + if (p_size == (size_t)-1) > return __underlying_strlen(p); > ret = strnlen(p, p_size); > if (p_size <= ret) > @@ -86,24 +108,27 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p) > extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy); > __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) > { > - size_t ret; > size_t p_size = __builtin_object_size(p, 1); > size_t q_size = __builtin_object_size(q, 1); > + size_t q_len; /* Full count of source string length. */ > + size_t len; /* Count of characters going into destination. */ > > if (p_size == (size_t)-1 && q_size == (size_t)-1) > return __real_strlcpy(p, q, size); > - ret = strlen(q); > - if (size) { > - size_t len = (ret >= size) ? size - 1 : ret; > - > - if (__builtin_constant_p(len) && len >= p_size) > + q_len = strlen(q); > + len = (q_len >= size) ? size - 1 : q_len; > + if (__builtin_constant_p(size) && __builtin_constant_p(q_len) && size) { > + /* Write size is always larger than destintation. */ s/destintation/destination/ > + if (len >= p_size) > __write_overflow(); > + } > + if (size) { > if (len >= p_size) > fortify_panic(__func__); > __underlying_memcpy(p, q, len); > p[len] = '\0'; > } > - return ret; > + return q_len; > } > > /* defined after fortified strnlen to reuse it */ > -- > 2.30.2 > > -- > You received this message because you are subscribed to the Google Groups "Clang Built Linux" group. > To unsubscribe from this group and stop receiving emails from it, send an email to clang-built-linux+unsubscribe@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/clang-built-linux/20210822075122.864511-20-keescook%40chromium.org. -- Thanks, ~Nick Desaulniers