From: Nick Desaulniers <ndesaulniers@google.com>
To: Kees Cook <keescook@chromium.org>
Cc: Miguel Ojeda <ojeda@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
George Burgess IV <gbiv@google.com>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
llvm@lists.linux.dev
Subject: Re: [PATCH v7 7/8] fortify: Make sure strlen() may still be used as a constant expression
Date: Tue, 8 Feb 2022 15:17:13 -0800 [thread overview]
Message-ID: <CAKwvOd=wre3uzFVBFaOs4Oud+SobxiW_BwKXMsa5p0tEy6BsiA@mail.gmail.com> (raw)
In-Reply-To: <20220208225350.1331628-8-keescook@chromium.org>
On Tue, Feb 8, 2022 at 2:53 PM Kees Cook <keescook@chromium.org> wrote:
>
> In preparation for enabling Clang FORTIFY_SOURCE support, redefine
> strlen() as a macro that tests for being a constant expression
> so that strlen() can still be used in static initializers, which is
> lost when adding __pass_object_size and __overloadable.
>
> An example of this usage can be seen here:
> https://lore.kernel.org/all/202201252321.dRmWZ8wW-lkp@intel.com/
>
> Notably, this constant expression feature of strlen() is not available
> for architectures that build with -ffreestanding. This means the kernel
> currently does not universally expect strlen() to be used this way, but
> since there _are_ some build configurations that depend on it, retain
> the characteristic for Clang FORTIFY_SOURCE builds too.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> include/linux/fortify-string.h | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
> index db1ad1c1c79a..f77cf22e2d60 100644
> --- a/include/linux/fortify-string.h
> +++ b/include/linux/fortify-string.h
> @@ -2,6 +2,8 @@
> #ifndef _LINUX_FORTIFY_STRING_H_
> #define _LINUX_FORTIFY_STRING_H_
>
> +#include <linux/const.h>
> +
> #define __FORTIFY_INLINE extern __always_inline __gnu_inline
> #define __RENAME(x) __asm__(#x)
>
> @@ -95,9 +97,16 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char * const p, __kernel_size_t m
> return ret;
> }
>
> -/* defined after fortified strnlen to reuse it. */
> +/*
> + * Defined after fortified strnlen to reuse it. However, it must still be
> + * possible for strlen() to be used on compile-time strings for use in
> + * static initializers (i.e. as a constant expression).
> + */
> +#define strlen(p) \
> + __builtin_choose_expr(__is_constexpr(__builtin_strlen(p)), \
Is `__is_constexpr(p) == __is_constexpr(__builtin_strlen(p))`? i.e.
can we drop the first `__builtin_strlen`? It seems redundant.
So instead, we'd have:
#define strlen(p) __builtin_choose_expr(__is_constexpr(p),
__builtin_strlen(p), __fortify_strlen(p))
Or is there some funny business where p isn't constexpr but strlen(p)
somehow is? I doubt that. (Or is it that p is constexpr, but
strlen(p) is not?)
(Guess I'm wrong: https://godbolt.org/z/19ffz7vjx)
Ok then.
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
> + __builtin_strlen(p), __fortify_strlen(p))
> __FORTIFY_INLINE __diagnose_as(__builtin_strlen, 1)
> -__kernel_size_t strlen(const char * const p)
> +__kernel_size_t __fortify_strlen(const char * const p)
> {
> __kernel_size_t ret;
> size_t p_size = __builtin_object_size(p, 1);
> --
> 2.30.2
>
--
Thanks,
~Nick Desaulniers
next prev parent reply other threads:[~2022-02-08 23:17 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-08 22:53 [PATCH v7 0/8] fortify: Add Clang support Kees Cook
2022-02-08 22:53 ` [PATCH v7 1/8] fortify: Replace open-coded __gnu_inline attribute Kees Cook
2022-02-08 22:59 ` Nick Desaulniers
2022-02-08 22:53 ` [PATCH v7 2/8] Compiler Attributes: Add __pass_object_size for Clang Kees Cook
2022-02-08 23:00 ` Nick Desaulniers
2022-02-08 22:53 ` [PATCH v7 3/8] Compiler Attributes: Add __overloadable " Kees Cook
2022-02-08 22:53 ` [PATCH v7 4/8] Compiler Attributes: Add __diagnose_as " Kees Cook
2022-02-08 22:53 ` [PATCH v7 5/8] fortify: Make pointer arguments const Kees Cook
2022-02-08 23:02 ` Nick Desaulniers
2022-02-08 22:53 ` [PATCH v7 6/8] fortify: Use __diagnose_as() for better diagnostic coverage Kees Cook
2022-02-08 23:04 ` Nick Desaulniers
2022-02-08 22:53 ` [PATCH v7 7/8] fortify: Make sure strlen() may still be used as a constant expression Kees Cook
2022-02-08 23:17 ` Nick Desaulniers [this message]
2022-02-08 23:58 ` Kees Cook
2022-02-08 22:53 ` [PATCH v7 8/8] fortify: Add Clang support Kees Cook
2022-02-08 23:25 ` Nick Desaulniers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAKwvOd=wre3uzFVBFaOs4Oud+SobxiW_BwKXMsa5p0tEy6BsiA@mail.gmail.com' \
--to=ndesaulniers@google.com \
--cc=gbiv@google.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=nathan@kernel.org \
--cc=ojeda@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).