Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp780508pxb; Wed, 25 Aug 2021 15:11:37 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzxHrWFEpjUh5WthdhVzZ1m4K5u9JBmD2Qx8NseGpsN3Hlnn0rFzxZdxzMC473Ja/nohVqC X-Received: by 2002:a17:906:38c8:: with SMTP id r8mr887168ejd.172.1629929497682; Wed, 25 Aug 2021 15:11:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629929497; cv=none; d=google.com; s=arc-20160816; b=hMSkJhGO4IgFb1nJMuE9jwDZVI7+okD8ct6UNBO8B9iYsGOXTFNglLkocKTQbhjUi+ uiSwJxEMr6T6lgvepHFHWOaskDoR4VI0Hi1ZZirxosycG6K3/zhuR8dEatSFVPh+FqFm LAeiuZ2/+Q1Gew25Klp9B1SLHrwwpK55Qjy9YNYP+92PpxVDxZe3W90KRh6JYQZinW/0 XdMTcO0jGG5fAiBrzI1ZBJvkIORpjxlbriQjokf97YuQ7+CvAP3fzhE5Cw6YaDLiT3We Bwan7k5NixcyYS0dor6m/Ek24J5o5BGgrq6sKc9CbFRwklcFKtj2U6WeajyJlwmEubCw TEHQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=ccea3fIlNm7FUfA3rNUTcHdFf0+pm8m4+EKLNy1tSUI=; b=rgkB4JNCFNe22fgiA0rJU5THIGPO4fMNzb1kFZe+ynV19i0C55t+/49XrJPPWmnobM TNFDObqyZxGvOfcQEpv+WwhnLnL6mTF6Uq7U9t9RnGUn0b57i5ibOqihefaWOwGULrlL 45FL4NMkJ9Lbft4w1CoVk1DIDu6+CGDRRocmc7icHZBrbWwVnA8i0n/CBxyR7YmTqTpE EL2IrmBH5dynJjgo3ywnAPMls4Lv2wNnAvMM9cHh4sdAyWv7yf6zT8b9xPyG5/WdDepj Tso1kHgSXXXqercWkXH/foK/IDKe+zTxXLa3uXK8tu7MJPzIAGK5JvA35AdeN9OIKy1j DJTg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="IQRg/zOd"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 24si1458406edv.346.2021.08.25.15.11.04; Wed, 25 Aug 2021 15:11:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="IQRg/zOd"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234599AbhHYWG5 (ORCPT + 99 others); Wed, 25 Aug 2021 18:06:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33638 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233792AbhHYWG5 (ORCPT ); Wed, 25 Aug 2021 18:06:57 -0400 Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AC020C061757 for ; Wed, 25 Aug 2021 15:06:10 -0700 (PDT) Received: by mail-lf1-x132.google.com with SMTP id z2so2095543lft.1 for ; Wed, 25 Aug 2021 15:06:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ccea3fIlNm7FUfA3rNUTcHdFf0+pm8m4+EKLNy1tSUI=; b=IQRg/zOds6VyPkEBcga03F5+uCR+u/q1eds5g9OOk7xrmPPRTj/nk8nBlNOPovSOYJ 78dlAEVUMZHrJH/YR2nA8JdVlQqM89g3x84xqwiLkVMlOhXiq2T3OtDSmjZnPLE8Px9J /U6LE9Gxxx7cHPu9E6pMtQSTIOJCYkbGdo3Bt/9pTa43tuqsYlxsuNqENZGwzOWSQiKQ RPXdJxCSPlVzpYSd+JZTY7M6j/jQpRK+wCjWIeOYe63oU1etO5HaOCK8gFlOxksWON60 XgPqtpjKSNhIYfebI/YWC3IXitSFJgJNsQfTs3IyE4MijGY9ualMROmfZ5EWGz9Fq7kV EAkA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ccea3fIlNm7FUfA3rNUTcHdFf0+pm8m4+EKLNy1tSUI=; b=rwmUARpMvpV+FhFVGgm6PBKQ7mYgTlsIdU4JJnt5/cUoxD9FdMhGo8zjZ4B6mLxw0y iEAH1njCE1chHP1AzNALfpusUTFK/0WvXdnJKKTkCHq16qhWvyTf9zWQfn+63E1RdfO3 lSZ6YVZbgGW+KKpZez2sfybGGnuEJa3qXE3z5lV4znlWCQw6bF5ddbxCIcuBiuV6i1xB AOxiFO01WdgEz1KmBOzCXimL/qgjYr95R++7oFjc46RO71laLRgk1zBmCw4hsfocsbTr XHNBXOtoS7uuRc02MdL8kU/dM4vL5iN9/u44wcWBWHootQ5qDXEfJYbMihzk5bI9t+qZ NyxA== X-Gm-Message-State: AOAM533ftSnuHQjUP3HQwyaoqhRKPXMXArvzq9pi6ITrRB8fZ/YdVLq7 U83amts6W1C3lGpD5VSF6JL769x4nhCPApkxdxtFmQ== X-Received: by 2002:a05:6512:3991:: with SMTP id j17mr229922lfu.374.1629929168689; Wed, 25 Aug 2021 15:06:08 -0700 (PDT) MIME-Version: 1.0 References: <20210822075122.864511-1-keescook@chromium.org> <20210822075122.864511-20-keescook@chromium.org> In-Reply-To: <20210822075122.864511-20-keescook@chromium.org> From: Nick Desaulniers Date: Wed, 25 Aug 2021 15:05:56 -0700 Message-ID: Subject: Re: [PATCH for-next 19/25] fortify: Allow strlen() and strnlen() to pass compile-time known lengths To: Kees Cook Cc: linux-kernel@vger.kernel.org, Rasmus Villemoes , Daniel Micay , Francis Laniel , Bart Van Assche , David Gow , linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Aug 22, 2021 at 12:57 AM Kees Cook wrote: > > Under CONFIG_FORTIFY_SOURCE, it is possible for the compiler to perform > strlen() and strnlen() at compile-time when the string size is known. > This is required to support compile-time overflow checking in strlcpy(). > > Signed-off-by: Kees Cook > --- > include/linux/fortify-string.h | 47 ++++++++++++++++++++++++++-------- > 1 file changed, 36 insertions(+), 11 deletions(-) > > diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h > index a3cb1d9aacce..e232a63fd826 100644 > --- a/include/linux/fortify-string.h > +++ b/include/linux/fortify-string.h > @@ -10,6 +10,18 @@ void __read_overflow(void) __compiletime_error("detected read beyond size of obj > void __read_overflow2(void) __compiletime_error("detected read beyond size of object (2nd parameter)"); > void __write_overflow(void) __compiletime_error("detected write beyond size of object (1st parameter)"); > > +#define __compiletime_strlen(p) ({ \ > + size_t ret = (size_t)-1; \ > + size_t p_size = __builtin_object_size(p, 1); \ > + if (p_size != (size_t)-1) { \ > + size_t p_len = p_size - 1; \ > + if (__builtin_constant_p(p[p_len]) && \ > + p[p_len] == '\0') \ > + ret = __builtin_strlen(p); \ > + } \ > + ret; \ > +}) Can this be a `static inline` function that accepts a `const char *` and returns a `size_t` rather than a statement expression? > + > #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) > extern void *__underlying_memchr(const void *p, int c, __kernel_size_t size) __RENAME(memchr); > extern int __underlying_memcmp(const void *p, const void *q, __kernel_size_t size) __RENAME(memcmp); > @@ -60,21 +72,31 @@ extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(st > __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen) > { > size_t p_size = __builtin_object_size(p, 1); > - __kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); > + size_t p_len = __compiletime_strlen(p); > + size_t ret; > + > + /* We can take compile-time actions when maxlen is const. */ > + if (__builtin_constant_p(maxlen) && p_len != (size_t)-1) { > + /* If p is const, we can use its compile-time-known len. */ > + if (maxlen >= p_size) > + return p_len; > + } > > + /* Do no check characters beyond the end of p. */ s/no/not/ > + ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); > if (p_size <= ret && maxlen != ret) > fortify_panic(__func__); > return ret; > } > > +/* defined after fortified strnlen to reuse it. */ > __FORTIFY_INLINE __kernel_size_t strlen(const char *p) > { > __kernel_size_t ret; > size_t p_size = __builtin_object_size(p, 1); > > - /* Work around gcc excess stack consumption issue */ > - if (p_size == (size_t)-1 || > - (__builtin_constant_p(p[p_size - 1]) && p[p_size - 1] == '\0')) > + /* Give up if we don't know how large p is. */ > + if (p_size == (size_t)-1) > return __underlying_strlen(p); > ret = strnlen(p, p_size); > if (p_size <= ret) > @@ -86,24 +108,27 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p) > extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy); > __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) > { > - size_t ret; > size_t p_size = __builtin_object_size(p, 1); > size_t q_size = __builtin_object_size(q, 1); > + size_t q_len; /* Full count of source string length. */ > + size_t len; /* Count of characters going into destination. */ > > if (p_size == (size_t)-1 && q_size == (size_t)-1) > return __real_strlcpy(p, q, size); > - ret = strlen(q); > - if (size) { > - size_t len = (ret >= size) ? size - 1 : ret; > - > - if (__builtin_constant_p(len) && len >= p_size) > + q_len = strlen(q); > + len = (q_len >= size) ? size - 1 : q_len; > + if (__builtin_constant_p(size) && __builtin_constant_p(q_len) && size) { > + /* Write size is always larger than destintation. */ s/destintation/destination/ > + if (len >= p_size) > __write_overflow(); > + } > + if (size) { > if (len >= p_size) > fortify_panic(__func__); > __underlying_memcpy(p, q, len); > p[len] = '\0'; > } > - return ret; > + return q_len; > } > > /* defined after fortified strnlen to reuse it */ > -- > 2.30.2 > > -- > You received this message because you are subscribed to the Google Groups "Clang Built Linux" group. > To unsubscribe from this group and stop receiving emails from it, send an email to clang-built-linux+unsubscribe@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/clang-built-linux/20210822075122.864511-20-keescook%40chromium.org. -- Thanks, ~Nick Desaulniers