Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp1870039ybn; Thu, 26 Sep 2019 03:30:38 -0700 (PDT) X-Google-Smtp-Source: APXvYqy3wdoC7KCeq3CFaixD6+kvrCkmOfWDc45but/6rLMix6E8Wa5lZZ0bzmKNiXZBIwtcBlxC X-Received: by 2002:a05:6402:13c9:: with SMTP id a9mr2663500edx.25.1569493838194; Thu, 26 Sep 2019 03:30:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569493838; cv=none; d=google.com; s=arc-20160816; b=Qth+JvaRVG+rH+ZWdF0TD/5o7UNQEXnmsK3MgGpImOUyJzrvoYBx5aKWqFjyxKYHna 3SE5qF1304xX54D30yY7Bq2jSb3UFJ1yzRo7Qxj4bY853pO6HIZ6ZqeDbtj1GMZuDUYJ oLm0eVhDaIqcfZ7lb5mKonpzUz3GpzprhHXkJsQyGsP3MOgO+3EXcP5v3+Fm1b9wiDWc i9mauu6LwIK24Pofrs2mXsGg5YB67mXQCLeCEYkAGyrPwq8pQf7QH5tXS4N6ofMwB3uq zBC/PY8oxcHbR0RfZYDjttAY2ec+IexK10fTPN+GD7mn+4OaeK8h1Ggom605OAejHbfZ xqKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=JxTQ4Xr3344cpWCG4BIW/1ZqVwik7sHCKiCTOE2X9m4=; b=BRwOryseJ2W+kBXaGFr3LB5d+KI4XfSPCUi1LZe63QCFc5AIv2Yp1WRZybtjFli2Sl AsNoMKJeN+zfLEtwfZG/I9hNgDdaMcefKffblO9E3FaO+nqTRb/9S7So+vSrVS5ollQX SvLmSgSzQMAGhNEtr4GlGhLycNtU3rr28zlE6xX2lPTzk3munAUwpiGbLY9tqXvoEATn 0XDziqDyluKaMg0z2feCoZRoT32lIjP+123feJF6zyU4SwevLux17Tw55WdwHiL6s824 54NS+7koJR3uhhmSmpUnLIqNgAesYlOwkDxF0Tas1bJLC7FIEOcx5Uj5A/WovzlXmm5x AA7g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@rasmusvillemoes.dk header.s=google header.b=d7KxK0sC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w11si1171721edi.442.2019.09.26.03.30.14; Thu, 26 Sep 2019 03:30:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@rasmusvillemoes.dk header.s=google header.b=d7KxK0sC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729931AbfIZIvQ (ORCPT + 99 others); Thu, 26 Sep 2019 04:51:16 -0400 Received: from mail-lj1-f193.google.com ([209.85.208.193]:36013 "EHLO mail-lj1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728138AbfIZIvP (ORCPT ); Thu, 26 Sep 2019 04:51:15 -0400 Received: by mail-lj1-f193.google.com with SMTP id v24so1310160ljj.3 for ; Thu, 26 Sep 2019 01:51:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rasmusvillemoes.dk; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=JxTQ4Xr3344cpWCG4BIW/1ZqVwik7sHCKiCTOE2X9m4=; b=d7KxK0sCAAvz6z6Y8/K09q831hikJED/i8jll4bvn33Ys1TzPK/1bPUSAbJeeZTEWU uVlRKsN5TIDvkYtTaSbySKPWBn2tBkB9jCWPz2EGcVuwRVsw3t3O/McRsLnocDiEewNh Fl1fBmxfKpOeIzHAZxfu7QTM+DZ2L1UikE3bw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=JxTQ4Xr3344cpWCG4BIW/1ZqVwik7sHCKiCTOE2X9m4=; b=GtqPcu1r/BPB1q+6AdphEjNhQatVa5g/DKGeJ/FuqIRz7EWlAnz8OyJItV3AYq1amE LDCEtCZZzRqNQQgoTc3qTXQpF7stxcjAQkmSO7HCvjf0uR82nJoiEG2Cqo6MEA3RkdT2 7hyVrCp+/x7VyQY7GzMEwBrMvPMZy+sDjLreV3MRQB8ThDybeNyyymYYBuoWC7Oe/yyb rgTK06e0lyqbcw3D27pXOGLPJzNfcwtIZtdV+zC69HRvnIoDKhXpSX/u+WFgQ/8SYlKn LCVpf/dxbv4H60r5SfLMfD5Wo88FuSF/49y9nBc0Qu9wqJSeGImTvLLs5chlLNnaL/VS sGRA== X-Gm-Message-State: APjAAAXmKO7PoNfHCSVxVlXfac+raiErHIxjStB6v//hdxbKPxsrgwN9 xvnUkVxSQ7H3+AWxeeJTQ/r6sw== X-Received: by 2002:a2e:808c:: with SMTP id i12mr1775624ljg.78.1569487871273; Thu, 26 Sep 2019 01:51:11 -0700 (PDT) Received: from [172.16.11.28] ([81.216.59.226]) by smtp.gmail.com with ESMTPSA id t27sm393173lfl.48.2019.09.26.01.51.10 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Sep 2019 01:51:10 -0700 (PDT) Subject: Re: [PATCH V2 1/2] string: Add stracpy and stracpy_pad mechanisms To: Stephen Kitt Cc: Andrew Morton , Joe Perches , Linus Torvalds , linux-kernel@vger.kernel.org, Jonathan Corbet , Kees Cook , Nitin Gote , jannh@google.com, kernel-hardening@lists.openwall.com, Takashi Iwai , Clemens Ladisch , alsa-devel@alsa-project.org References: <20190925145011.c80c89b56fcee3060cf87773@linux-foundation.org> <8039728c-b41d-123c-e1ed-b35daac68fd3@rasmusvillemoes.dk> <24bb53c57767c1c2a8f266c305a670f7@sk2.org> From: Rasmus Villemoes Message-ID: Date: Thu, 26 Sep 2019 10:51:09 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: <24bb53c57767c1c2a8f266c305a670f7@sk2.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 26/09/2019 10.25, Stephen Kitt wrote: > Le 26/09/2019 09:29, Rasmus Villemoes a écrit : >> On 26/09/2019 02.01, Stephen Kitt wrote: >>> Le 25/09/2019 23:50, Andrew Morton a écrit : >>>> On Tue, 23 Jul 2019 06:51:36 -0700 Joe Perches wrote: >>>> >> >> Please don't. At least not for the cases where the source is a string >> literal - that just gives worse code generation (because gcc doesn't >> know anything about strscpy or strlcpy), and while a run-time (silent) >> truncation is better than a run-time buffer overflow, wouldn't it be >> even better with a build time error? > > Yes, that was the plan once Joe's patch gets merged (if it does), and my > patch was only an example of using stracpy, as a step on the road. I was > intending to follow up with a patch converting stracpy to something like > https://www.openwall.com/lists/kernel-hardening/2019/07/06/14 > > __FORTIFY_INLINE ssize_t strscpy(char *dest, const char *src, size_t count) > { >     size_t dest_size = __builtin_object_size(dest, 0); >     size_t src_size = __builtin_object_size(src, 0); >     if (__builtin_constant_p(count) && >         __builtin_constant_p(src_size) && >         __builtin_constant_p(dest_size) && Eh? Isn't the output of __builtin_object_size() by definition a compile-time constant - whatever the compiler happens to know about the object size (or a sentinel 0 or -1 depending on the type argument)? > > #define stracpy(dest, src)                        \ > ({                                    \ >     size_t count = ARRAY_SIZE(dest);                \ >     size_t dest_size = __builtin_object_size(dest, 0);        \ >     size_t src_size = __builtin_object_size(src, 0);        \ >     BUILD_BUG_ON(!(__same_type(dest, char[]) ||            \ >                __same_type(dest, unsigned char[]) ||        \ >                __same_type(dest, signed char[])));        \ >                                     \ >     (__builtin_constant_p(count) &&                    \ >      __builtin_constant_p(src_size) &&                \ >      __builtin_constant_p(dest_size) &&                \ >      src_size <= count &&                        \ >      src_size <= dest_size &&                    \ >      src[src_size - 1] == '\0') ?                    \ >         (((size_t) strcpy(dest, src)) & 0) + src_size - 1    \ >     :                                \ >         strscpy(dest, src, count);                \ > }) > > and both of these get optimised to movs when copying a constant string > which fits in the target. But does it catch the case of overflowing a char[] member in a struct passed by reference at build time? I'm surprised that __builtin_object_size(dest, 0) seems to be (size_t)-1, when dest is s->name (with struct s { char name[4]; };). So I'm not very confident that any of the fancy fortify logic actually works here - we _really_ should have some Kbuild infrastructure for saying "this .c file should not compile" so we can test that the fortifications actually work in the simple and common cases. > I was going at this from the angle of improving the existing APIs and > their resulting code. I'm not against stracpy() as a wrapper for strscpy(), but we should make sure that whenever we can fail at build time (i.e., both source and dst lengths known), we do - and in that case also let the compiler optimize the copy (not only to do the immediate movs, but that also gives it wider opportunity to remove it completely as dead stores if the surrounding code ends up dead - with a call to some strscpy(), gcc cannot eliminate that). If stracpy() can be made sufficiently magic that it fails at build time for the string literal cases, fine, let's not add yet another API. Otherwise, I think the static_strcpy() is a much more readable and reliable API for those cases. If I'm reading your stracpy() macro correctly, you're explicitly requesting a run-time truncation (the src_size <= dest_size check causing as to fall back to strscpy) rather than failing at build time. Rasmus