Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp3342954pxb;
        Mon, 18 Oct 2021 13:12:13 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwuefXTwpyJTHhsp4Qc++pL69FNOlyvbsshGTL7ABG2azQz2gnkJxa7UQW3zvQX6HKhRR/q
X-Received: by 2002:a17:90a:8b89:: with SMTP id z9mr1195441pjn.89.1634587932869;
        Mon, 18 Oct 2021 13:12:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1634587932; cv=none;
        d=google.com; s=arc-20160816;
        b=KH18XvhO+GFkiAAi1+aQwc2hF6vzOZRtSKFYcrgej7iIVcQP37r8csx7KxBxls3M2d
         8PJPuQPWs4WEGsJVKzFLH0jHUgmjcsJfeR689dx6P3/K0QE6pfGnuqMWGp5B17k+Jjhs
         lbt6U2XtcJPsMRXSDYK3qtcJU+cuhTMbfdfApvtbKjPEiZIgu+ZiI+qCL2EN67YtWjs9
         KDExdDldSCz+LOrq77z35bgS30iwZxPWzRuzF+mjOTLZFKJMLW/osBm6W4uDxOZF+tQA
         Otstji4VmrtG6tMvGdlk5l0X/w+ZxezlroKR5sGoeXdQf88Z/4/ZBueNge4Kp/0twqZB
         RktQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=pd8u+ZDzk8BlGfUixSzB7lCbznQ9iL75zxyd6Vop+Bg=;
        b=X2szhfzM9C4/hx6eP0ab2nS3MXCYxyednEe7G6QT1ar3C0Z6ahBFgTozB36ywxBhwc
         dNkYo3GUmwJjoNTsf/U7WjKRuKLerhzRxTGG+di4xw6UcWtbr1/52SZzhyc3thXiiatn
         CiruonYaG2RjzHxx5eahYVkCcj5XdqCy64DGRY5lIlT/WEWV4iYMQP6eh+HBhGflzyxI
         7XE2FarRW9SawBwm5YByaybhGF1NlUCCei3vwx5c5/lt/F9mi4wlMZE41PrC+WQU1RrY
         R3YFXvAJt7feqaIiZzl5Guy0TtdgugINHEU7hqpBVd0ZZ5Uixk6sHOai1i6QUL1xdokD
         /XKg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=dz7ITajD;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id s15si29974445plg.442.2021.10.18.13.11.59;
        Mon, 18 Oct 2021 13:12:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=dz7ITajD;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233709AbhJRULi (ORCPT <rfc822;luizmacielfranco@gmail.com>
        + 99 others); Mon, 18 Oct 2021 16:11:38 -0400
Received: from mail.kernel.org ([198.145.29.99]:44720 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S233688AbhJRULi (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 18 Oct 2021 16:11:38 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 8ED2161206;
        Mon, 18 Oct 2021 20:09:26 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1634587766;
        bh=vP/q8RAdwKPOaVadQ+zBGMSPKsA6SzxEBfr5WcIOjGU=;
        h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
        b=dz7ITajDyNGZb0OpVqVG3EXS45e16zdG+PDOFEDg+Fi2zxEWN01Ts/+YoKs6BV6bP
         0ybkaW9sVT7heZEOmjM2qs8iDYXFlHdGS+wpKB1eJzn96xQFDpvW70G+5qPSMwZC/W
         aluxIzGeYuhD30bfaX+fYAWwd0yjlc9JLN7z7nKxReMxdCLpXn9HIbMavdGjJSq+Ah
         LS+ZuKw+HON06LSQtn9/o6z9zOWcKsu0daoAF+3H4U+i4vym8K20CNknY1Tvg4uN6d
         EnAcam42k+VeQllPnAycyjZQgDVzZ+GWUtjmwQzKGohwnWXnFT9BliSOaiTTqZhfWY
         KG1n2ynkUjr/g==
Received: by mail-wm1-f54.google.com with SMTP id n40-20020a05600c3ba800b0030da2439b21so368250wms.0;
        Mon, 18 Oct 2021 13:09:26 -0700 (PDT)
X-Gm-Message-State: AOAM533Yfp21BXZ/STsKMmk+ub0pREdLVGHYccxRckDIwt+94eaS+Y8Q
        B9cwoejsBVfsYEmMpCtteIJbRx8rp2v3Oq0J4x4=
X-Received: by 2002:a05:600c:1548:: with SMTP id f8mr1129122wmg.35.1634587765086;
 Mon, 18 Oct 2021 13:09:25 -0700 (PDT)
MIME-Version: 1.0
References: <20211013150025.2875883-1-arnd@kernel.org> <20211013150025.2875883-2-arnd@kernel.org>
 <202110181247.8F53380@keescook>
In-Reply-To: <202110181247.8F53380@keescook>
From:   Arnd Bergmann <arnd@kernel.org>
Date:   Mon, 18 Oct 2021 22:09:09 +0200
X-Gmail-Original-Message-ID: <CAK8P3a2wO+diAvRXtZKq+z84sfson6GhxgL9gpBG_BP4h5bSQA@mail.gmail.com>
Message-ID: <CAK8P3a2wO+diAvRXtZKq+z84sfson6GhxgL9gpBG_BP4h5bSQA@mail.gmail.com>
Subject: Re: [PATCH 2/2] kasan: use fortified strings for hwaddress sanitizer
To:     Kees Cook <keescook@chromium.org>
Cc:     linux-hardening@vger.kernel.org,
        Andrey Ryabinin <ryabinin.a.a@gmail.com>,
        Alexander Potapenko <glider@google.com>,
        Andrey Konovalov <andreyknvl@gmail.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        kasan-dev <kasan-dev@googlegroups.com>,
        Arnd Bergmann <arnd@arndb.de>,
        Nathan Chancellor <nathan@kernel.org>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Miguel Ojeda <ojeda@kernel.org>,
        Sami Tolvanen <samitolvanen@google.com>,
        Marco Elver <elver@google.com>,
        Masahiro Yamada <masahiroy@kernel.org>,
        Ard Biesheuvel <ardb@kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        llvm@lists.linux.dev
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Oct 18, 2021 at 9:57 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Wed, Oct 13, 2021 at 05:00:06PM +0200, Arnd Bergmann wrote:
> > From: Arnd Bergmann <arnd@arndb.de>
> >
> > GCC has separate macros for -fsanitize=kernel-address and
> > -fsanitize=kernel-hwaddress, and the check in the arm64 string.h
> > gets this wrong, which leads to string functions not getting
> > fortified with gcc. The newly added tests find this:
> >
> > warning: unsafe memchr() usage lacked '__read_overflow' warning in /git/arm-soc/lib/test_fortify/read_overflow-memchr.c
> > warning: unsafe memchr_inv() usage lacked '__read_overflow' symbol in /git/arm-soc/lib/test_fortify/read_overflow-memchr_inv.c
> > warning: unsafe memcmp() usage lacked '__read_overflow' warning in /git/arm-soc/lib/test_fortify/read_overflow-memcmp.c
> > warning: unsafe memscan() usage lacked '__read_overflow' symbol in /git/arm-soc/lib/test_fortify/read_overflow-memscan.c
> > warning: unsafe memcmp() usage lacked '__read_overflow2' warning in /git/arm-soc/lib/test_fortify/read_overflow2-memcmp.c
> > warning: unsafe memcpy() usage lacked '__read_overflow2' symbol in /git/arm-soc/lib/test_fortify/read_overflow2-memcpy.c
> > warning: unsafe memmove() usage lacked '__read_overflow2' symbol in /git/arm-soc/lib/test_fortify/read_overflow2-memmove.c
> > warning: unsafe memcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memcpy.c
> > warning: unsafe memmove() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memmove.c
> > warning: unsafe memset() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memset.c
> > warning: unsafe strcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strcpy-lit.c
> > warning: unsafe strcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strcpy.c
> > warning: unsafe strlcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strlcpy-src.c
> > warning: unsafe strlcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strlcpy.c
> > warning: unsafe strncpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strncpy-src.c
> > warning: unsafe strncpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strncpy.c
> > warning: unsafe strscpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strscpy.c
> >
>
> What is the build config that trips these warnings?

It's a randconfig build, I've uploaded one .config to
https://pastebin.com/raw/4TKB9mhs,
but I have other ones if you can't reproduce with that one.

> In trying to understand this, I see in arch/arm64/include/asm/string.h:
>
> #if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \
>         !defined(__SANITIZE_ADDRESS__)
>
> other architectures (like arm32) do:
>
> #if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)

Yes, that is exactly the thing that goes wrong. With clang, __SANITIZE_ADDRESS__
gets set here, but gcc sets __SANITIZE_HWADDRESS__ instead
for CONFIG_KASAN_SW_TAGS, so the condition is always true.

> > Add a workaround to include/linux/compiler_types.h so we always
> > define __SANITIZE_ADDRESS__ for either mode, as we already do
> > for clang.
>
> Where is the clang work-around? (Or is this a statement that clang,
> under -fsanitize=kernel-hwaddress, already sets __SANITIZE_ADDRESS__ by
> default?

I mean this snippet:

#if __has_feature(address_sanitizer) || __has_feature(hwaddress_sanitizer)
/* Emulate GCC's __SANITIZE_ADDRESS__ flag */
#define __SANITIZE_ADDRESS__
#endif

Without that, clang sets neither __SANITIZE_ADDRESS__ nor
__SANITIZE_HWADDRESS__

> > diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
> > index aad6f6408bfa..2f2776fffefe 100644
> > --- a/include/linux/compiler_types.h
> > +++ b/include/linux/compiler_types.h
> > @@ -178,6 +178,13 @@ struct ftrace_likely_data {
> >   */
> >  #define noinline_for_stack noinline
> >
> > +/*
> > + * Treat __SANITIZE_HWADDRESS__ the same as __SANITIZE_ADDRESS__ in the kernel
> > + */
> > +#ifdef __SANITIZE_HWADDRESS__
> > +#define __SANITIZE_ADDRESS__
> > +#endif
>
> Should this go into compiler-gcc.h instead?

Yes, that might be clearer, but the effect is the same, as no other
compiler defines
those macros.

       Arnd