From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-lf1-f47.google.com (mail-lf1-f47.google.com [209.85.167.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E0F0170 for ; Wed, 28 Jul 2021 11:20:02 +0000 (UTC) Received: by mail-lf1-f47.google.com with SMTP id f18so3198515lfu.10 for ; Wed, 28 Jul 2021 04:20:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rasmusvillemoes.dk; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=WRpAt4Qf30VQcI04z59j1Xhna4kVm3ZAFQjWCiFVzII=; b=ZITf0JJkY6siA6zuTWx/S+3I3pJ92j2lsEWHCAUrQgybgq2nu7vMyrV5yFzPnr0ASF zQnwOwgLaX1f2Ag8AdE3Zoi+yryD69qxehZj3Axp0G1SI8NHWpwdtRD/AWfB8hXTTU+w 7JIntZBgXB7V3Bx+KAGMmd0eo1ehu7YXfBEGo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=WRpAt4Qf30VQcI04z59j1Xhna4kVm3ZAFQjWCiFVzII=; b=ltKT1lZpzy/pzPQpXF0k7xR7H33avvAG8QDp9lCejJSFjNV0vOM25Xh36UriWbfn/d i6VSLrDt3BC0K3f9tOTnR8NoZS+Xyv/0TGDX01Ck5UkGSwWtoozOgUu9lYXP1HKGxeDY j06VxG/qPYm+kKHQKDfEqBOxt9qSSY9gmPU/UBZkLZ+x/aqFO7vqd2jPJHV4fohIQDKG sBECZ3CJZ4lRIARXV9BLBl/SG6nNu2GoHUpNBV57BS2VJ3+YDhw8vF5SM3e7ybCZ2/Rv lyG+evEaRfEU1Rc4fr/uMDNz/XPuXY+c942BzJdlpnylXI80QclLJRky9MIOOQvQAq/8 9Sxg== X-Gm-Message-State: AOAM531WWZW/l/Fkvn4lLibSdsfOvv8qzUWumzsJEoVxKyfheLvbMKtW ce2Jvi3VdQN+86z3fmrkcidSsQ== X-Google-Smtp-Source: ABdhPJwtX9cWcqS+T2RXR4asd80U6YfWCrWHQPG0xseFJRRyUcQAZvx3wnyU+2xS6u5f7adx+ZAvkA== X-Received: by 2002:a19:dc5e:: with SMTP id f30mr20474709lfj.318.1627471200888; Wed, 28 Jul 2021 04:20:00 -0700 (PDT) Received: from [172.16.11.1] ([81.216.59.226]) by smtp.gmail.com with ESMTPSA id z4sm564853lfe.274.2021.07.28.04.19.59 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 28 Jul 2021 04:20:00 -0700 (PDT) Subject: Re: [PATCH 34/64] fortify: Detect struct member overflows in memcpy() at compile-time To: Kees Cook , linux-hardening@vger.kernel.org Cc: "Gustavo A. R. Silva" , Keith Packard , Greg Kroah-Hartman , Andrew Morton , linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-staging@lists.linux.dev, linux-block@vger.kernel.org, linux-kbuild@vger.kernel.org, clang-built-linux@googlegroups.com References: <20210727205855.411487-1-keescook@chromium.org> <20210727205855.411487-35-keescook@chromium.org> From: Rasmus Villemoes Message-ID: Date: Wed, 28 Jul 2021 13:19:59 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 Precedence: bulk X-Mailing-List: linux-staging@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 In-Reply-To: <20210727205855.411487-35-keescook@chromium.org> Content-Type: text/plain; charset=windows-1252 Content-Language: en-US Content-Transfer-Encoding: 7bit On 27/07/2021 22.58, Kees Cook wrote: > At its core, FORTIFY_SOURCE uses the compiler's __builtin_object_size() > internal[0] to determine the available size at a target address based on > the compile-time known structure layout details. It operates in two > modes: outer bounds (0) and inner bounds (1). In mode 0, the size of the > enclosing structure is used. In mode 1, the size of the specific field > is used. For example: > > struct object { > u16 scalar1; /* 2 bytes */ > char array[6]; /* 6 bytes */ > u64 scalar2; /* 8 bytes */ > u32 scalar3; /* 4 bytes */ > } instance; > > > __builtin_object_size(instance.array, 0) == 18, since the remaining size > of the enclosing structure starting from "array" is 18 bytes (6 + 8 + 4). I think the compiler would usually end up making that struct size 24, with 4 bytes of trailing padding (at least when alignof(u64) is 8). In that case, does __builtin_object_size(instance.array, 0) actually evaluate to 18, or to 22? A quick test on x86-64 suggests the latter, so the memcpy(, , 20) would not be a violation. Perhaps it's better to base the example on something which doesn't have potential trailing padding - so either add another 4 byte member, or also make scalar2 u32. Rasmus From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A, SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D6606C432BE for ; Wed, 28 Jul 2021 11:20:05 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 3905660FC4 for ; Wed, 28 Jul 2021 11:20:05 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 3905660FC4 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=rasmusvillemoes.dk Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=lists.freedesktop.org Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 752276E971; Wed, 28 Jul 2021 11:20:04 +0000 (UTC) Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) by gabe.freedesktop.org (Postfix) with ESMTPS id 652D56E971 for ; Wed, 28 Jul 2021 11:20:02 +0000 (UTC) Received: by mail-lf1-x135.google.com with SMTP id bp1so3273500lfb.3 for ; Wed, 28 Jul 2021 04:20:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rasmusvillemoes.dk; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=WRpAt4Qf30VQcI04z59j1Xhna4kVm3ZAFQjWCiFVzII=; b=ZITf0JJkY6siA6zuTWx/S+3I3pJ92j2lsEWHCAUrQgybgq2nu7vMyrV5yFzPnr0ASF zQnwOwgLaX1f2Ag8AdE3Zoi+yryD69qxehZj3Axp0G1SI8NHWpwdtRD/AWfB8hXTTU+w 7JIntZBgXB7V3Bx+KAGMmd0eo1ehu7YXfBEGo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=WRpAt4Qf30VQcI04z59j1Xhna4kVm3ZAFQjWCiFVzII=; b=AjmENztpBfphl5P3V//4H1Cfa5se/bFpAu7kibgTP4khelyaDf32G0SiK+0mpiTWid XlvsAyEssJnHp077zhA/OUQHxVhKbmh+1I2yu9LWpkMBslIJxbui3BPkjrPLJNirWrrM 4dfi0Ed9k6N5mWJ0xoCBwFCxDjIbHdKeovaAjp7bsO0TTlkln3KddTxmfAkOudDjU+bM pOBgy+sgM1ZG4qXk3KeCe8Rz6f7pn0HOQhR6iWwOcxO1wKAzI+o9jqo9k4hvB4PgAVv7 qDHL9wvrwtbfNA3h5IER5Yp7tDrId2tl0jKrk3BnyEK/AsYlmA/9IOypTBnbWOi3VYah LtgA== X-Gm-Message-State: AOAM532454pCNyxfhcOuK5asPhmTudSsYHEuzO85CegTAnLUMAB68rKg vKxrUzM6x/U4ORHvosaJa0jW/g== X-Google-Smtp-Source: ABdhPJwtX9cWcqS+T2RXR4asd80U6YfWCrWHQPG0xseFJRRyUcQAZvx3wnyU+2xS6u5f7adx+ZAvkA== X-Received: by 2002:a19:dc5e:: with SMTP id f30mr20474709lfj.318.1627471200888; Wed, 28 Jul 2021 04:20:00 -0700 (PDT) Received: from [172.16.11.1] ([81.216.59.226]) by smtp.gmail.com with ESMTPSA id z4sm564853lfe.274.2021.07.28.04.19.59 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 28 Jul 2021 04:20:00 -0700 (PDT) Subject: Re: [PATCH 34/64] fortify: Detect struct member overflows in memcpy() at compile-time To: Kees Cook , linux-hardening@vger.kernel.org References: <20210727205855.411487-1-keescook@chromium.org> <20210727205855.411487-35-keescook@chromium.org> From: Rasmus Villemoes Message-ID: Date: Wed, 28 Jul 2021 13:19:59 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: <20210727205855.411487-35-keescook@chromium.org> Content-Type: text/plain; charset=windows-1252 Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-kbuild@vger.kernel.org, Greg Kroah-Hartman , linux-staging@lists.linux.dev, linux-wireless@vger.kernel.org, "Gustavo A. R. Silva" , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, linux-block@vger.kernel.org, clang-built-linux@googlegroups.com, Keith Packard , netdev@vger.kernel.org, Andrew Morton Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" On 27/07/2021 22.58, Kees Cook wrote: > At its core, FORTIFY_SOURCE uses the compiler's __builtin_object_size() > internal[0] to determine the available size at a target address based on > the compile-time known structure layout details. It operates in two > modes: outer bounds (0) and inner bounds (1). In mode 0, the size of the > enclosing structure is used. In mode 1, the size of the specific field > is used. For example: > > struct object { > u16 scalar1; /* 2 bytes */ > char array[6]; /* 6 bytes */ > u64 scalar2; /* 8 bytes */ > u32 scalar3; /* 4 bytes */ > } instance; > > > __builtin_object_size(instance.array, 0) == 18, since the remaining size > of the enclosing structure starting from "array" is 18 bytes (6 + 8 + 4). I think the compiler would usually end up making that struct size 24, with 4 bytes of trailing padding (at least when alignof(u64) is 8). In that case, does __builtin_object_size(instance.array, 0) actually evaluate to 18, or to 22? A quick test on x86-64 suggests the latter, so the memcpy(, , 20) would not be a violation. Perhaps it's better to base the example on something which doesn't have potential trailing padding - so either add another 4 byte member, or also make scalar2 u32. Rasmus