From: Arnd Bergmann <arnd@arndb.de>
To: Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Daniel Micay <danielmicay@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>,
Dan Williams <dan.j.williams@intel.com>,
David Howells <dhowells@redhat.com>,
linux-kernel@vger.kernel.org
Subject: [PATCH] string.h: work around __builtin_constant_p quirk
Date: Mon, 7 Aug 2017 13:15:03 +0200 [thread overview]
Message-ID: <20170807111615.4187078-1-arnd@arndb.de> (raw)
The compile-time check in the hardened memcpy() triggered a build
error in code that should not have:
In function 'memcpy',
inlined from '__adfs_dir_put' at fs/adfs/dir_f.c:318:2,
inlined from 'adfs_f_update' at fs/adfs/dir_f.c:403:2:
include/linux/string.h:305:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
__read_overflow2();
^~~~~~~~~~~~~~~~~~
My understanding is that in the __adfs_dir_put() function, the gcc
uses a specialization for the common 'thissize = 26', which due to
jump threading leads to a case where it has shown that 'thissize'
can be constant, but at the same time another case exists where
it may have a negative value (for sb->s_blocksize=0) that could lead
to overflowing the local 'adfs_direntry de' variable.
The bug was hidden before patch "fortify: use WARN instead of BUG
for now", which apparently dropped the compile-time checks due to
the following code being marked as '__unreachable'.
This reworks the hardened string functions to avoid some branches,
and introduces a macro for checking whether the argument is a
compile-time constant.
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=72785
Fixes: mmotm ("fortify: use WARN instead of BUG for now")
Fixes: 6974f0c4555e ("include/linux/string.h: add the option of fortified string.h functions")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
include/linux/string.h | 62 ++++++++++++++++++++++++++++++--------------------
1 file changed, 37 insertions(+), 25 deletions(-)
diff --git a/include/linux/string.h b/include/linux/string.h
index 25f47e07c4c6..3ba29007a942 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -203,10 +203,19 @@ void __read_overflow2(void) __compiletime_error("detected read beyond size of ob
void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
#if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
+
+/*
+ * a more reliable check for constant arguments, see
+ * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=72785
+ */
+#define __constant_argument(arg) \
+ __builtin_choose_expr(__builtin_constant_p(arg), (arg), 0)
+
__FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
{
size_t p_size = __builtin_object_size(p, 0);
- if (__builtin_constant_p(size) && p_size < size)
+ size_t constsize = __constant_argument(size);
+ if (p_size < constsize)
__write_overflow();
if (p_size < size)
fortify_overflow(__func__);
@@ -257,7 +266,8 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
ret = strlen(q);
if (size) {
size_t len = (ret >= size) ? size - 1 : ret;
- if (__builtin_constant_p(len) && len >= p_size)
+ size_t constlen = __constant_argument(len);
+ if (constlen >= p_size)
__write_overflow();
if (len >= p_size)
fortify_overflow(__func__);
@@ -287,7 +297,8 @@ __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
__FORTIFY_INLINE void *memset(void *p, int c, __kernel_size_t size)
{
size_t p_size = __builtin_object_size(p, 0);
- if (__builtin_constant_p(size) && p_size < size)
+ size_t constsize = __constant_argument(size);
+ if (p_size < constsize)
__write_overflow();
if (p_size < size)
fortify_overflow(__func__);
@@ -298,12 +309,11 @@ __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
{
size_t p_size = __builtin_object_size(p, 0);
size_t q_size = __builtin_object_size(q, 0);
- if (__builtin_constant_p(size)) {
- if (p_size < size)
- __write_overflow();
- if (q_size < size)
- __read_overflow2();
- }
+ size_t constsize = __constant_argument(size);
+ if (p_size < constsize)
+ __write_overflow();
+ if (q_size < constsize)
+ __read_overflow2();
if (p_size < size || q_size < size)
fortify_overflow(__func__);
return __builtin_memcpy(p, q, size);
@@ -313,12 +323,11 @@ __FORTIFY_INLINE void *memmove(void *p, const void *q, __kernel_size_t size)
{
size_t p_size = __builtin_object_size(p, 0);
size_t q_size = __builtin_object_size(q, 0);
- if (__builtin_constant_p(size)) {
- if (p_size < size)
- __write_overflow();
- if (q_size < size)
- __read_overflow2();
- }
+ size_t constsize = __constant_argument(size);
+ if (p_size < constsize)
+ __write_overflow();
+ if (q_size < constsize)
+ __read_overflow2();
if (p_size < size || q_size < size)
fortify_overflow(__func__);
return __builtin_memmove(p, q, size);
@@ -328,7 +337,8 @@ extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan);
__FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size)
{
size_t p_size = __builtin_object_size(p, 0);
- if (__builtin_constant_p(size) && p_size < size)
+ size_t constsize = __constant_argument(size);
+ if (p_size < constsize)
__read_overflow();
if (p_size < size)
fortify_overflow(__func__);
@@ -339,12 +349,11 @@ __FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size)
{
size_t p_size = __builtin_object_size(p, 0);
size_t q_size = __builtin_object_size(q, 0);
- if (__builtin_constant_p(size)) {
- if (p_size < size)
- __read_overflow();
- if (q_size < size)
- __read_overflow2();
- }
+ size_t constsize = __constant_argument(size);
+ if (p_size < constsize)
+ __read_overflow();
+ if (q_size < constsize)
+ __read_overflow2();
if (p_size < size || q_size < size)
fortify_overflow(__func__);
return __builtin_memcmp(p, q, size);
@@ -353,7 +362,8 @@ __FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size)
__FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size)
{
size_t p_size = __builtin_object_size(p, 0);
- if (__builtin_constant_p(size) && p_size < size)
+ size_t constsize = __constant_argument(size);
+ if (p_size < constsize)
__read_overflow();
if (p_size < size)
fortify_overflow(__func__);
@@ -364,7 +374,8 @@ void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv);
__FORTIFY_INLINE void *memchr_inv(const void *p, int c, size_t size)
{
size_t p_size = __builtin_object_size(p, 0);
- if (__builtin_constant_p(size) && p_size < size)
+ size_t constsize = __constant_argument(size);
+ if (p_size < constsize)
__read_overflow();
if (p_size < size)
fortify_overflow(__func__);
@@ -375,7 +386,8 @@ extern void *__real_kmemdup(const void *src, size_t len, gfp_t gfp) __RENAME(kme
__FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
{
size_t p_size = __builtin_object_size(p, 0);
- if (__builtin_constant_p(size) && p_size < size)
+ size_t constsize = __constant_argument(size);
+ if (p_size < constsize)
__read_overflow();
if (p_size < size)
fortify_overflow(__func__);
--
2.9.0
next reply other threads:[~2017-08-07 11:16 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-07 11:15 Arnd Bergmann [this message]
2017-08-07 22:29 ` [PATCH] string.h: work around __builtin_constant_p quirk Arnd Bergmann
2017-08-15 19:07 ` Kees Cook
2017-08-09 6:09 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170807111615.4187078-1-arnd@arndb.de \
--to=arnd@arndb.de \
--cc=akpm@linux-foundation.org \
--cc=dan.j.williams@intel.com \
--cc=danielmicay@gmail.com \
--cc=dhowells@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).