[PATCH v4] fortify: Work around Clang inlining bugs

[PATCH v4] fortify: Work around Clang inlining bugs

[Kees Cook]

To enable FORTIFY_SOURCE support for Clang, the kernel must work around
a pair of bugs, related to Clang's inlining:

1) Change all the fortified string APIs into macros with different
inline names to bypass Clang's broken inline-of-a-builtin detection:
https://bugs.llvm.org/show_bug.cgi?id=50322

2) Lift all misbehaving __builtin_object_size() calls into the macros
to bypass Clang's broken __builtin_object_size() arguments-of-an-inline
visibility:
https://github.com/ClangBuiltLinux/linux/issues/1401

One behavioral difference needed to be handled due to 1): the real
strlen() function can be a constant expression (for use with static
initializers), and that compiler magic needed to be reproduced in
the macro.

The workaround in 2) means Clang only gains single-level visibility
for the FORTIFY protection: any additional layers of inlining will
obscure the detection. This limitation will go away once the Clang
bug is fixed.

And finally, working around these bugs exposed a third bug which had
no identifiable workaround: globally defined variables did not work
with __builtin_constant_p():
https://bugs.llvm.org/show_bug.cgi?id=41459
See commit a52f8a59aef4 ("fortify: Explicitly disable Clang support").
This was fixed in Clang 13, so only Clang 13 and later gain FORTIFY
coverage.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
v1: https://lore.kernel.org/linux-hardening/20210727205855.411487-61-keescook@chromium.org/
v2: https://lore.kernel.org/linux-hardening/20210818060533.3569517-64-keescook@chromium.org/
v3: https://lore.kernel.org/linux-hardening/20211213223331.135412-18-keescook@chromium.org/
v4:
 - make sure strlen() can still be used as a constant expression
 - improve commit message with more details
---
 include/linux/fortify-string.h | 97 +++++++++++++++++++++-------------
 security/Kconfig               |  2 +-
 2 files changed, 61 insertions(+), 38 deletions(-)

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index c45159dbdaa1..d5184e4e3244 100644
--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
@@ -2,6 +2,8 @@
 #ifndef _LINUX_FORTIFY_STRING_H_
 #define _LINUX_FORTIFY_STRING_H_
 
+#include <linux/const.h>
+
 #define __FORTIFY_INLINE extern __always_inline __attribute__((gnu_inline))
 #define __RENAME(x) __asm__(#x)
 
@@ -50,10 +52,10 @@ extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size)
 #define __underlying_strncpy	__builtin_strncpy
 #endif
 
-__FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+#define strncpy(p, q, s) __fortify_strncpy(p, q, s, __builtin_object_size(p, 1))
+__FORTIFY_INLINE char *__fortify_strncpy(char *p, const char *q,
+					 __kernel_size_t size, const size_t p_size)
 {
-	size_t p_size = __builtin_object_size(p, 1);
-
 	if (__builtin_constant_p(size) && p_size < size)
 		__write_overflow();
 	if (p_size < size)
@@ -61,10 +63,9 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
 	return __underlying_strncpy(p, q, size);
 }
 
-__FORTIFY_INLINE char *strcat(char *p, const char *q)
+#define strcat(p, q) __fortify_strcat(p, q, __builtin_object_size(p, 1))
+__FORTIFY_INLINE char *__fortify_strcat(char *p, const char *q, const size_t p_size)
 {
-	size_t p_size = __builtin_object_size(p, 1);
-
 	if (p_size == (size_t)-1)
 		return __underlying_strcat(p, q);
 	if (strlcat(p, q, p_size) >= p_size)
@@ -73,9 +74,10 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q)
 }
 
 extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen);
-__FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen)
+#define strnlen(p, s) __fortify_strnlen(p, s, __builtin_object_size(p, 1))
+__FORTIFY_INLINE __kernel_size_t __fortify_strnlen(const char *p, size_t maxlen,
+						   const size_t p_size)
 {
-	size_t p_size = __builtin_object_size(p, 1);
 	size_t p_len = __compiletime_strlen(p);
 	size_t ret;
 
@@ -93,11 +95,18 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen)
 	return ret;
 }
 
-/* defined after fortified strnlen to reuse it. */
-__FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+/*
+ * Defined after fortified strnlen to reuse it. However, it must still be
+ * possible for strlen() to be used on compile-time strings for use in
+ * static initializers (i.e. as a constant expression).
+ */
+#define strlen(p)						   \
+	__builtin_choose_expr(__is_constexpr(__builtin_strlen(p)), \
+		__builtin_strlen(p),				   \
+		__fortify_strlen(p, __builtin_object_size(p, 1)))
+__FORTIFY_INLINE __kernel_size_t __fortify_strlen(const char *p, const size_t p_size)
 {
 	__kernel_size_t ret;
-	size_t p_size = __builtin_object_size(p, 1);
 
 	/* Give up if we don't know how large p is. */
 	if (p_size == (size_t)-1)
@@ -110,10 +119,14 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
 
 /* defined after fortified strlen to reuse it */
 extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy);
-__FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+#define strlcpy(p, q, s) __fortify_strlcpy(p, q, s,			\
+					   __builtin_object_size(p, 1),	\
+					   __builtin_object_size(q, 1))
+__FORTIFY_INLINE size_t __fortify_strlcpy(char *p, const char *q,
+					  size_t size,
+					  const size_t p_size,
+					  const size_t q_size)
 {
-	size_t p_size = __builtin_object_size(p, 1);
-	size_t q_size = __builtin_object_size(q, 1);
 	size_t q_len;	/* Full count of source string length. */
 	size_t len;	/* Count of characters going into destination. */
 
@@ -137,12 +150,15 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
 
 /* defined after fortified strnlen to reuse it */
 extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(strscpy);
-__FORTIFY_INLINE ssize_t strscpy(char *p, const char *q, size_t size)
+#define strscpy(p, q, s) __fortify_strscpy(p, q, s,			\
+					   __builtin_object_size(p, 1),	\
+					   __builtin_object_size(q, 1))
+__FORTIFY_INLINE ssize_t __fortify_strscpy(char *p, const char *q,
+					   size_t size,
+					   const size_t p_size,
+					   const size_t q_size)
 {
 	size_t len;
-	/* Use string size rather than possible enclosing struct size. */
-	size_t p_size = __builtin_object_size(p, 1);
-	size_t q_size = __builtin_object_size(q, 1);
 
 	/* If we cannot get size of p and q default to call strscpy. */
 	if (p_size == (size_t) -1 && q_size == (size_t) -1)
@@ -183,11 +199,14 @@ __FORTIFY_INLINE ssize_t strscpy(char *p, const char *q, size_t size)
 }
 
 /* defined after fortified strlen and strnlen to reuse them */
-__FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
+#define strncat(p, q, count)	__fortify_strncat(p, q, count, \
+						  __builtin_object_size(p, 1), \
+						  __builtin_object_size(q, 1))
+__FORTIFY_INLINE char *__fortify_strncat(char *p, const char *q, size_t count,
+					 const size_t p_size,
+					 const size_t q_size)
 {
 	size_t p_len, copy_len;
-	size_t p_size = __builtin_object_size(p, 1);
-	size_t q_size = __builtin_object_size(q, 1);
 
 	if (p_size == (size_t)-1 && q_size == (size_t)-1)
 		return __underlying_strncat(p, q, count);
@@ -354,10 +373,10 @@ __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size,
 		memmove)
 
 extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan);
-__FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size)
+#define memscan(p, c, s) __fortify_memscan(p, c, s, __builtin_object_size(p, 0))
+__FORTIFY_INLINE void *__fortify_memscan(void *p, int c, __kernel_size_t size,
+					 const size_t p_size)
 {
-	size_t p_size = __builtin_object_size(p, 0);
-
 	if (__builtin_constant_p(size) && p_size < size)
 		__read_overflow();
 	if (p_size < size)
@@ -365,11 +384,12 @@ __FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size)
 	return __real_memscan(p, c, size);
 }
 
-__FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size)
+#define memcmp(p, q, s) __fortify_memcmp(p, q, s,			\
+					 __builtin_object_size(p, 0),	\
+					 __builtin_object_size(q, 0))
+__FORTIFY_INLINE int __fortify_memcmp(const void *p, const void *q, __kernel_size_t size,
+				      const size_t p_size, const size_t q_size)
 {
-	size_t p_size = __builtin_object_size(p, 0);
-	size_t q_size = __builtin_object_size(q, 0);
-
 	if (__builtin_constant_p(size)) {
 		if (p_size < size)
 			__read_overflow();
@@ -381,10 +401,10 @@ __FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size)
 	return __underlying_memcmp(p, q, size);
 }
 
-__FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size)
+#define memchr(p, c, s) __fortify_memchr(p, c, s, __builtin_object_size(p, 0))
+__FORTIFY_INLINE void *__fortify_memchr(const void *p, int c, __kernel_size_t size,
+					const size_t p_size)
 {
-	size_t p_size = __builtin_object_size(p, 0);
-
 	if (__builtin_constant_p(size) && p_size < size)
 		__read_overflow();
 	if (p_size < size)
@@ -393,10 +413,10 @@ __FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size)
 }
 
 void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv);
-__FORTIFY_INLINE void *memchr_inv(const void *p, int c, size_t size)
+#define memchr_inv(p, c, s) __fortify_memchr_inv(p, c, s, __builtin_object_size(p, 0))
+__FORTIFY_INLINE void *__fortify_memchr_inv(const void *p, int c, size_t size,
+					    const size_t p_size)
 {
-	size_t p_size = __builtin_object_size(p, 0);
-
 	if (__builtin_constant_p(size) && p_size < size)
 		__read_overflow();
 	if (p_size < size)
@@ -417,10 +437,13 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
 }
 
 /* Defined after fortified strlen to reuse it. */
-__FORTIFY_INLINE char *strcpy(char *p, const char *q)
+#define strcpy(p, q) __fortify_strcpy(p, q,				\
+				      __builtin_object_size(p, 1),	\
+				      __builtin_object_size(q, 1))
+__FORTIFY_INLINE char *__fortify_strcpy(char *p, const char *q,
+					const size_t p_size,
+					const size_t q_size)
 {
-	size_t p_size = __builtin_object_size(p, 1);
-	size_t q_size = __builtin_object_size(q, 1);
 	size_t size;
 
 	/* If neither buffer size is known, immediately give up. */
diff --git a/security/Kconfig b/security/Kconfig
index 0b847f435beb..1a25a567965f 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -179,7 +179,7 @@ config FORTIFY_SOURCE
 	depends on ARCH_HAS_FORTIFY_SOURCE
 	# https://bugs.llvm.org/show_bug.cgi?id=50322
 	# https://bugs.llvm.org/show_bug.cgi?id=41459
-	depends on !CC_IS_CLANG
+	depends on !CC_IS_CLANG || CLANG_VERSION >= 130000
 	help
 	  Detect overflows of buffers in common string and memory functions
 	  where the compiler can determine and validate the buffer sizes.
-- 
2.30.2

Re: [PATCH v4] fortify: Work around Clang inlining bugs

[Nick Desaulniers]

On Sun, Jan 30, 2022 at 10:22 AM Kees Cook <keescook@chromium.org> wrote:
>
> To enable FORTIFY_SOURCE support for Clang, the kernel must work around
> a pair of bugs, related to Clang's inlining:
>
> 1) Change all the fortified string APIs into macros with different
> inline names to bypass Clang's broken inline-of-a-builtin detection:
> https://bugs.llvm.org/show_bug.cgi?id=50322
>
> 2) Lift all misbehaving __builtin_object_size() calls into the macros
> to bypass Clang's broken __builtin_object_size() arguments-of-an-inline
> visibility:
> https://github.com/ClangBuiltLinux/linux/issues/1401

^ mentions a difference in compilers for mode 1. I wonder if this
patch could "hoist" the BOS calls into the macro ONLY for mode 1 and
not mode 0 usage? i.e. the str* functions, not the mem* functions.

It's too late to fix these in clang-13.  If we get a fix in clang-14
or later, what does that look like for this header?  Is there a way we
can provide a different header than include/linux/fortify-string.h
just for clang-13 (or whatever versions until the above are fixed)?

I don't see this series getting backported to stable, where older
versions of clang may still be in use.

I'm tempted to say "let's get get these 2 fixed in clang-14" but we'll
probably have to trade something off the existing TODO list.
-- 
Thanks,
~Nick Desaulniers

Re: [PATCH v4] fortify: Work around Clang inlining bugs

[Kees Cook]

On Mon, Jan 31, 2022 at 11:04:36AM -0800, Nick Desaulniers wrote:
> On Sun, Jan 30, 2022 at 10:22 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > To enable FORTIFY_SOURCE support for Clang, the kernel must work around
> > a pair of bugs, related to Clang's inlining:
> >
> > 1) Change all the fortified string APIs into macros with different
> > inline names to bypass Clang's broken inline-of-a-builtin detection:
> > https://bugs.llvm.org/show_bug.cgi?id=50322
> >
> > 2) Lift all misbehaving __builtin_object_size() calls into the macros
> > to bypass Clang's broken __builtin_object_size() arguments-of-an-inline
> > visibility:
> > https://github.com/ClangBuiltLinux/linux/issues/1401
> 
> ^ mentions a difference in compilers for mode 1. I wonder if this
> patch could "hoist" the BOS calls into the macro ONLY for mode 1 and
> not mode 0 usage? i.e. the str* functions, not the mem* functions.

Everything (with a couple exceptions) is using mode 1 after the earlier
patches in the series. e.g.:

+#define memcpy(p, q, s)  __fortify_memcpy_chk(p, q, s, \
+		__builtin_object_size(p, 0), __builtin_object_size(q, 0), \
+		__builtin_object_size(p, 1), __builtin_object_size(q, 1), \
+		memcpy)

> It's too late to fix these in clang-13.  If we get a fix in clang-14
> or later, what does that look like for this header?  Is there a way we

If the bos mode 1 got fixed for Clang 14, this patch would likely be
dropped and the Clang + FORTIFY version check would be moved to Clang
14.

> can provide a different header than include/linux/fortify-string.h
> just for clang-13 (or whatever versions until the above are fixed)?

So much of it would be identical. This macro-ification is least
invasive, and it's pretty invasive.

> I don't see this series getting backported to stable, where older
> versions of clang may still be in use.

Right.

> I'm tempted to say "let's get get these 2 fixed in clang-14" but we'll
> probably have to trade something off the existing TODO list.

Agreed.

-- 
Kees Cook