Hi,
This adjusts CONFIG_FORTIFY_SOURCE's coverage to include greater runtime
size checking from GCC and Clang's __builtin_dynamic_object_size(), which
the compilers can track either via code flow or from __alloc_size() hints.
Thanks,
-Kees
Kees Cook (4):
x86/entry: Work around Clang __bdos() bug
fortify: Explicitly check bounds are compile-time constants
fortify: Convert to struct vs member helpers
fortify: Use __builtin_dynamic_object_size() when available
arch/x86/xen/enlighten_pv.c | 3 +-
drivers/misc/lkdtm/heap.c | 1 +
include/linux/compiler_attributes.h | 5 ++
include/linux/fortify-string.h | 125 ++++++++++++++++------------
4 files changed, 81 insertions(+), 53 deletions(-)
--
2.34.1
On 2022-09-20 15:21, Kees Cook wrote:
> Hi,
>
> This adjusts CONFIG_FORTIFY_SOURCE's coverage to include greater runtime
> size checking from GCC and Clang's __builtin_dynamic_object_size(), which
> the compilers can track either via code flow or from __alloc_size() hints.
>
FTR, I ran a linux build using gcc with allyesconfig and
fortify-metrics[1] to get a sense of how much object size coverage would
improve with __builtin_dynamic_object_size. With a total of 3,877
__builtin_object_size calls, about 11.37% succeed in getting a result
that is not (size_t)-1. If they were replaced by
__builtin_dynamic_object_size as this patch proposes, the success rate
improves to 16.25%, which is a ~1.4x improvement.
This is a decent improvement by itself but it can be amplified further
by adding __attribute__((access (...)))[2] to function prototypes and
definitions, especially for functions that take in buffers and their
sizes as arguments since __builtin_dynamic_object_size in gcc is capable
of recognizing that and using it for object size determination (and
hence to fortify calls) within those functions.
Thanks,
Sid
[1] https://github.com/siddhesh/fortify-metrics
[2] https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html
On 2022-09-22 20:20, Kees Cook wrote:
> Yeah, this could be another interest set of additions. It seems like it
> might be more "coder friendly" if, in the future that has the
> __element_count__ attribute, it could be used in function parameters
> too, like:
>
> If we had:
>
> int do_something(struct context *ctx, u32 *data, int count)
>
> this seems less easy to read to me:
>
> int __access(read_write, 2, 3) do_something(struct context *ctx, u32 *data, int count)
>
> as this seems more readable to me, though I guess the access-mode
> information is lost:
>
> int do_something(struct context *ctx, u32 * __element_count(count) data, int count)
It doesn't *have* to lose access mode info:
int do_something(struct context *ctx,
u32 * __element_count(count, __read_only__) data,
int count)
{
...
}
where omitting the access mode could imply __read_write__.
Thanks,
Sid
On Thu, Sep 22, 2022 at 04:26:54PM -0400, Siddhesh Poyarekar wrote:
> On 2022-09-20 15:21, Kees Cook wrote:
> > Hi,
> >
> > This adjusts CONFIG_FORTIFY_SOURCE's coverage to include greater runtime
> > size checking from GCC and Clang's __builtin_dynamic_object_size(), which
> > the compilers can track either via code flow or from __alloc_size() hints.
> >
>
> FTR, I ran a linux build using gcc with allyesconfig and fortify-metrics[1]
> to get a sense of how much object size coverage would improve with
> __builtin_dynamic_object_size. With a total of 3,877 __builtin_object_size
> calls, about 11.37% succeed in getting a result that is not (size_t)-1. If
> they were replaced by __builtin_dynamic_object_size as this patch proposes,
> the success rate improves to 16.25%, which is a ~1.4x improvement.
Thanks for check that! Yeah, a 40% increase in coverage is nice. :0
> This is a decent improvement by itself but it can be amplified further by
> adding __attribute__((access (...)))[2] to function prototypes and
> definitions, especially for functions that take in buffers and their sizes
> as arguments since __builtin_dynamic_object_size in gcc is capable of
> recognizing that and using it for object size determination (and hence to
> fortify calls) within those functions.
Yeah, this could be another interest set of additions. It seems like it
might be more "coder friendly" if, in the future that has the
__element_count__ attribute, it could be used in function parameters
too, like:
If we had:
int do_something(struct context *ctx, u32 *data, int count)
this seems less easy to read to me:
int __access(read_write, 2, 3) do_something(struct context *ctx, u32 *data, int count)
as this seems more readable to me, though I guess the access-mode
information is lost:
int do_something(struct context *ctx, u32 * __element_count(count) data, int count)
But yes, this would be excellent to start adding!
-Kees
--
Kees Cook