Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp300247pxu;
        Sun, 22 Nov 2020 08:30:00 -0800 (PST)
X-Google-Smtp-Source: ABdhPJy8JVqBzaofGqU5DOTHrzQVqKEeyt1xBkdq1Kawy3MTEdLTFOnv9hUliJOKYrbcI1RwBwOU
X-Received: by 2002:a17:906:1c87:: with SMTP id g7mr35931523ejh.37.1606062600557;
        Sun, 22 Nov 2020 08:30:00 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1606062600; cv=none;
        d=google.com; s=arc-20160816;
        b=cQHPee3qaiAcCe1btKd86i/5Y/jTf3jdMFMmJp/59NP8Ic78yYCBAPkZ++LXfyPcz5
         z8RvUozuJ2ZPsAeJKWithu4PHDryqODAEKVUA7ogc+IBdc3abEjeiPQAEQjxpb2zLSC7
         q2A9s+Fl3vqBpOMF1+yKG+jKkBf3ZUPRl5osBrJlKS1lMMMk9a8QrnrO7euXdal6je4q
         l2ADk/vfQ8a2CU0fH7xqNfXHquQE055UPXqU8QvObC6iGEr7AVMtpeQGAz3L38iPfy1n
         0cNkfSneinrL7OeOMknEGlFot0hHZkFAte8HYQwPQDc+X0AcOB+2qJq0lZ/NSE0UNTz/
         z3Iw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=BG/CzrTa3WYFEisGoWy0mQxFOL8iDAXXCTQMFZDgvGA=;
        b=IBJqmQtBVJ+4TMfWfvCLkORu6CRbLvrrI+K9PalWbBlEUVKvs43SKZGw5PBp+6covu
         C8gn9oeiI+9TwSgN/MrUE6NidnNlUeMqMDDSiDqMPKd3nkd7we3qMs63N9p5AZXxTfYt
         iDQsm/RdTe2vH+gzXJx5m84j0tG+dE5d6ifY79dzJam9Ix9EB3eHwDAGtl3NQEYscz3u
         5OXKe8SKLHvRZFDu5wv2UjOboi/2qzwij4RStgMr3KcgZ9McYxjb8//jwzBUS/0gJzCu
         tE+cwheD23dxEEHKUWS5wXX5OlvWwFfPgOfyWKDMAQ6AAYaXG1d0g/N3UEBrrI21TmCz
         GIIg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@privacyrequired.com header.s=stigmate header.b=Jjlu3Ihe;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id c7si5150772ejp.437.2020.11.22.08.29.37;
        Sun, 22 Nov 2020 08:30:00 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@privacyrequired.com header.s=stigmate header.b=Jjlu3Ihe;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728175AbgKVQZM (ORCPT <rfc822;thunderbird.krnldev@gmail.com>
        + 99 others); Sun, 22 Nov 2020 11:25:12 -0500
Received: from devianza.investici.org ([198.167.222.108]:62683 "EHLO
        devianza.investici.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728001AbgKVQZK (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 22 Nov 2020 11:25:10 -0500
Received: from mx2.investici.org (unknown [127.0.0.1])
        by devianza.investici.org (Postfix) with ESMTP id 4CfFxb2nJHz6vNF;
        Sun, 22 Nov 2020 16:25:07 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=privacyrequired.com;
        s=stigmate; t=1606062307;
        bh=BG/CzrTa3WYFEisGoWy0mQxFOL8iDAXXCTQMFZDgvGA=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=Jjlu3Ihec7VLdbPdic8429pyUW/7ja17hN4/xq8IIix8hshUdjDhDAYU3UsKzAHbC
         /u4+m5otR0oPefxnfIdsP1Yh2VIuN0TOaopaAbagWWRstl42xqMocn7J0GDZH5M/Ar
         Q+Vthet+Z6JSCTCFW3wNttZXaeOQOjYubUagzUkw=
Received: from [198.167.222.108] (mx2.investici.org [198.167.222.108]) (Authenticated sender: laniel_francis@privacyrequired.com) by localhost (Postfix) with ESMTPSA id 4CfFxZ6jQGz6vMg;
        Sun, 22 Nov 2020 16:25:06 +0000 (UTC)
From:   laniel_francis@privacyrequired.com
To:     akpm@linux-foundation.org
Cc:     linux-hardening@vger.kernel.org, linux-mm@kvack.org,
        linux-kernel@vger.kernel.org, dja@axtens.net,
        keescook@chromium.org,
        Francis Laniel <laniel_francis@privacyrequired.com>
Subject: [PATCH v7 3/5] string.h: Add FORTIFY coverage for strscpy()
Date:   Sun, 22 Nov 2020 17:24:49 +0100
Message-Id: <20201122162451.27551-4-laniel_francis@privacyrequired.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20201122162451.27551-1-laniel_francis@privacyrequired.com>
References: <20201122162451.27551-1-laniel_francis@privacyrequired.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Francis Laniel <laniel_francis@privacyrequired.com>

The fortified version of strscpy ensures the following before vanilla strscpy
is called:
1. There is no read overflow because we either size is smaller than src length
or we shrink size to src length by calling fortified strnlen.
2. There is no write overflow because we either failed during compilation or at
runtime by checking that size is smaller than dest size.

Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Francis Laniel <laniel_francis@privacyrequired.com>
---
 include/linux/string.h | 48 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/include/linux/string.h b/include/linux/string.h
index 46e91d684c47..1cd63a8a23ab 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -6,6 +6,7 @@
 #include <linux/compiler.h>	/* for inline */
 #include <linux/types.h>	/* for size_t */
 #include <linux/stddef.h>	/* for NULL */
+#include <linux/errno.h>	/* for E2BIG */
 #include <stdarg.h>
 #include <uapi/linux/string.h>
 
@@ -357,6 +358,53 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
 	return ret;
 }
 
+/* defined after fortified strnlen to reuse it */
+extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(strscpy);
+__FORTIFY_INLINE ssize_t strscpy(char *p, const char *q, size_t size)
+{
+	size_t len;
+	/* Use string size rather than possible enclosing struct size. */
+	size_t p_size = __builtin_object_size(p, 1);
+	size_t q_size = __builtin_object_size(q, 1);
+
+	/* If we cannot get size of p and q default to call strscpy. */
+	if (p_size == (size_t) -1 && q_size == (size_t) -1)
+		return __real_strscpy(p, q, size);
+
+	/*
+	 * If size can be known at compile time and is greater than
+	 * p_size, generate a compile time write overflow error.
+	 */
+	if (__builtin_constant_p(size) && size > p_size)
+		__write_overflow();
+
+	/*
+	 * This call protects from read overflow, because len will default to q
+	 * length if it smaller than size.
+	 */
+	len = strnlen(q, size);
+	/*
+	 * If len equals size, we will copy only size bytes which leads to
+	 * -E2BIG being returned.
+	 * Otherwise we will copy len + 1 because of the final '\O'.
+	 */
+	len = len == size ? size : len + 1;
+
+	/*
+	 * Generate a runtime write overflow error if len is greater than
+	 * p_size.
+	 */
+	if (len > p_size)
+		fortify_panic(__func__);
+
+	/*
+	 * We can now safely call vanilla strscpy because we are protected from:
+	 * 1. Read overflow thanks to call to strnlen().
+	 * 2. Write overflow thanks to above ifs.
+	 */
+	return __real_strscpy(p, q, len);
+}
+
 /* defined after fortified strlen and strnlen to reuse them */
 __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
 {
-- 
2.20.1