Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp3330897pxa; Tue, 18 Aug 2020 12:23:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzX80BN/JLVjR1qAjussjcOEAr0u0dhywBqVd75z7THDBIiavhbR7NVdksUrg65yvhUg3iN X-Received: by 2002:a17:906:6558:: with SMTP id u24mr762248ejn.364.1597778585195; Tue, 18 Aug 2020 12:23:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597778585; cv=none; d=google.com; s=arc-20160816; b=xiceqxT+Vso36DXVMFkbsChzuJSiMmE70gvbTmtrnZfNJCc7qKXQ4Mqx7+6XbPSYow fzLzY450U8ro6BAZmUNdeuFf0Y9Pj4GSflUdDzwJmYXkkMzSlrqJn1mZfW5ZD6lLb2MF O3jEPF3UiDC0wJ+NXWnGm61UVq2eNhHpgDWHlAvuKJKCWpyyWfi+oVwtaPmAagv5izDB oWEqpGiH0CSTJ4NlQtxx/RYU1CX95wDO9s2VZhSShWu931X0XpI876NVQdF5VarPMEPU H50FOYR+5C5ngMWZxr4Tza7EAeMq62vygkHY6PwUnzmQZy5bpDWuvCHCo8t1GP2SshqS iG9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=zqSUjfhetXa5IuRw9JeF+TW2/+QsT5+pQU8GGaPMx7M=; b=l6q+hOGLpwpnaACJlb7/HdZq7kYLYeCqmQziXi6RIpAUt9GtHiEByuNPmzySZQeOh+ sKEWlwFvnEOtGZhvvhX/W9gwWYsQ58T+olrdWu9Wj3FiuUd7/l3QSvJ3q9QhAeRhK8N6 Nh8bpF1hl3Tz+y+i5cLUz3Crb960BapHolThCkB8Qpl2uZyWmAzciG5oPzmcnaTNDCIc cn4rmx9ISRQR78V9lEogv3zTb0Cd/s35hrQoWO7PGUqNkqKQRS+opp3Up8eosWWYRW16 kWCgWsXd1UjPnAW2YSFonNX/UtyjSVEZ/wlh2A+uxoQgR2/22bYk2mSMB3AcZSYoHxAa HTuw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=fdirQtS3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v9si13905013ejg.518.2020.08.18.12.22.41; Tue, 18 Aug 2020 12:23:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=fdirQtS3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726685AbgHRTV7 (ORCPT + 99 others); Tue, 18 Aug 2020 15:21:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41782 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726633AbgHRTVz (ORCPT ); Tue, 18 Aug 2020 15:21:55 -0400 Received: from mail-pg1-x543.google.com (mail-pg1-x543.google.com [IPv6:2607:f8b0:4864:20::543]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B8182C061343 for ; Tue, 18 Aug 2020 12:21:54 -0700 (PDT) Received: by mail-pg1-x543.google.com with SMTP id i10so4664376pgk.1 for ; Tue, 18 Aug 2020 12:21:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=zqSUjfhetXa5IuRw9JeF+TW2/+QsT5+pQU8GGaPMx7M=; b=fdirQtS35bnk6l7y3oW8Lw0Cg/XmLySVy6zO41Bo0Jky1Yq7FjctMNf30HUh477Q0+ k6bc/NwkvecrpTp319yOav2wSqUK7Y/7nyq8iWZrm1pDxIhDit1RZAWjuv/9EcNrcDYK Z8IwnKbdRyVfphkNX5Weqbt3bjg5GNhOj2mdI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=zqSUjfhetXa5IuRw9JeF+TW2/+QsT5+pQU8GGaPMx7M=; b=B7Q7l9zi/SjyZmaVCidZ9bwNJm/nVxA4M4zwqbXc04WEzTplNDPouqWc4JG6vygPg8 KULqt9J+zdEO2JuKmsWyikcpaAr1GT9cl8K/Rk3aHtgTe2ehrv4yqVJQkzNfUtK0eEa6 QlckPe0IuTcyKOUCkLLkV/lAyfqyoAxOZci4rGbs0UM/cXcre1/WvfObE3xvmU/VBIq/ NrNJOOq/8OVj1C9ABQkZTTCYc4jTJYBo7dIsKpcul0PTP6eEZqiR/CwlezW+d6mdVO38 fu31v/IU/WPymW9md1THbgO3a7FMumAAJV5l5cYsUxXftsj5bhN5bA2Dayf0VTcXv4Ug uW3g== X-Gm-Message-State: AOAM533XJOB6abIYqSllLl3bBETPi1kw2PWdkz+eXOEIIStxgbZC3yFd EzGqqQg2FLIHISRh2yR+grHegA== X-Received: by 2002:aa7:984e:: with SMTP id n14mr16437303pfq.272.1597778514020; Tue, 18 Aug 2020 12:21:54 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id n26sm24981410pff.30.2020.08.18.12.21.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Aug 2020 12:21:52 -0700 (PDT) Date: Tue, 18 Aug 2020 12:21:51 -0700 From: Kees Cook To: "H. Peter Anvin" Cc: Nick Desaulniers , Masahiro Yamada , Andrew Morton , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Michal Marek , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, Tony Luck , Dmitry Vyukov , Michael Ellerman , Joe Perches , Joel Fernandes , Daniel Axtens , Arvind Sankar , Andy Shevchenko , Alexandru Ardelean , Yury Norov , x86@kernel.org, Ard Biesheuvel , "Paul E . McKenney" , Daniel Kiper , Bruce Ashfield , Marco Elver , Vamshi K Sthambamkadi , Andi Kleen , Linus Torvalds , =?iso-8859-1?Q?D=E1vid_Bolvansk=FD?= , Eli Friedman , stable@vger.kernel.org, Sami Tolvanen Subject: Re: [PATCH 1/4] Makefile: add -fno-builtin-stpcpy Message-ID: <202008181214.5C736E7@keescook> References: <20200817220212.338670-1-ndesaulniers@google.com> <20200817220212.338670-2-ndesaulniers@google.com> <82bbeff7-acc3-410c-9bca-3644b141dc1a@zytor.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <82bbeff7-acc3-410c-9bca-3644b141dc1a@zytor.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Aug 17, 2020 at 03:31:26PM -0700, H. Peter Anvin wrote: > On 2020-08-17 15:02, Nick Desaulniers wrote: > > LLVM implemented a recent "libcall optimization" that lowers calls to > > `sprintf(dest, "%s", str)` where the return value is used to > > `stpcpy(dest, str) - dest`. This generally avoids the machinery involved > > in parsing format strings. This optimization was introduced into > > clang-12. Because the kernel does not provide an implementation of > > stpcpy, we observe linkage failures for almost all targets when building > > with ToT clang. > > > > The interface is unsafe as it does not perform any bounds checking. > > Disable this "libcall optimization" via `-fno-builtin-stpcpy`. > > > > Unlike > > commit 5f074f3e192f ("lib/string.c: implement a basic bcmp") > > which cited failures with `-fno-builtin-*` flags being retained in LLVM > > LTO, that bug seems to have been fixed by > > https://reviews.llvm.org/D71193, so the above sha can now be reverted in > > favor of `-fno-builtin-bcmp`. > > > > stpcpy() and (to a lesser degree) mempcpy() are fairly useful routines > in general. Perhaps we *should* provide them? As Nick mentioned, I really don't want to expand the already bad interfaces from libc. We have enough messes to clean up already, and I don't want to add more. The kernel already uses a subset of C, we have (several) separate non-libc memory allocators, we're using strscpy() and scnprintf() widely in favor of their buggy libc counterparts, etc. We don't need to match the libc string interfaces especially when they're arguably bug-prone foot-guns. :) -- Kees Cook