Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp6644883iob; Wed, 11 May 2022 02:07:19 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxE3PX/tb6fYQhVjT6pHF8uevR1iaIdmUxAabnotJP5klr8UZLBf8m20YesFotiVDzNVIp6 X-Received: by 2002:a17:90a:4897:b0:1c7:5fce:cbcd with SMTP id b23-20020a17090a489700b001c75fcecbcdmr4267748pjh.45.1652260039248; Wed, 11 May 2022 02:07:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652260039; cv=none; d=google.com; s=arc-20160816; b=V21enSOG55YS/607RcDZHCBgrIVHGa8k6Qafz/8lPGktpNbFAcXUP5xcAI96ddMCZR C3nUp40DEEy2PDwFMe9l8DMisJ5pkHkTKVIv7tfq78qRk7TMioK1uutg7NEmnVA8cjND rFENmSJURXtoKFGyXlmSXfYILk7uKxF0naMoz4MKW+9k4tXcVfeOO9I6GX/tDUa3m6UX OpMALr/vTtIEaCtd8fiZy+f9e4XpRPCmaQYm0vrN3l0Fdr/HhFTmFltNGlrEistfJH3p 53mrVZlRWuC0miubScGz31Hhcfb8dMu2t8RvQUafHiiByNDFNAksk5yqLKBDsXfuNy/U WwiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=Sa6iliEUhHDKiJ4d5VKYWANmjzvcVks6FAQCBioSqwo=; b=f7qW5G32z8FejbM/t7xTaTmqBPHfZ5wnQ+eTfYTYsQ3AOJAbcc1SkfBGbdB8cfGQwG GbdNoF4rpPLYhnThalNhA+alHshcv/3CEskUayiMdB3rY86XQ+XRHJ62octRWALAH/Dm 8Qqf17ZlIm24ygEP1U7cTDgLooO4BJ36LNE/SO55Gj7aH5bQ2ODDL1E9k2JaRNw4om/i 4DnRzip3ZMG+KQSjqW9qKrl+nfp043cT1eH1LSKJc9vLC6u7aZwD9GRSkO/3zCClUCNH Xcy3llWCjj6lZb9Bc/2TpdrvlQ1jtbTDe4iliV592SsKHnxyETYs8xE/4/Siwo2wZSVi A+PA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=iLg1sZkL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d6-20020a170902cec600b0015eaa354289si2103846plg.193.2022.05.11.02.07.07; Wed, 11 May 2022 02:07:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=iLg1sZkL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241581AbiEKCxs (ORCPT + 99 others); Tue, 10 May 2022 22:53:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33604 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241829AbiEKCxU (ORCPT ); Tue, 10 May 2022 22:53:20 -0400 Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EAC3824959 for ; Tue, 10 May 2022 19:53:05 -0700 (PDT) Received: by mail-pl1-x632.google.com with SMTP id i17so549049pla.10 for ; Tue, 10 May 2022 19:53:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Sa6iliEUhHDKiJ4d5VKYWANmjzvcVks6FAQCBioSqwo=; b=iLg1sZkLeKPM2kWZK1dOBgkVtvIv9fskmkv+uRa3VrGM/iSiUFxz9myhwDCq/lYtMQ uqYJxL/zrLKanqkbFe33nehGm6l5DZ8mvHCYyk8RO7ro9VrUdoxqMHW1qj/9L4C/sZR+ 79n1lE2VsyCc+x3k5bTSQqe4BWZOIwuScBssM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Sa6iliEUhHDKiJ4d5VKYWANmjzvcVks6FAQCBioSqwo=; b=q1BTtqcZ0uTZlsPsyRBy+6pUIY2waZi95lnL2iKOio0vzJ4rAbS8gSlI4mwauMf490 +yCVyLbAMlCEekEsiwo5aqqkhBA5gwvaqEAaDTyDuCVR8zAxzazl/kCCPdVtLCRaP/nT dCh1eFI1gIziu/P0LpZnTaclrQbFgi35ICcQHOumVZMRJ74hdmv0RSSR2PKJ1GwjM6T5 81d4efz3q+PbPitYXnhqGlCTecI2ouP6O7MiBRaaDpAfa6ZuGzD1B/G+/WtfNXhUXXaR Ga8Hb6H3I7kgYhW/GYwKqBVf2ezR1rtyYTLFLC1x1bAHHNrG3Cx+28c3h3UdCkQ6xnHY 5i8Q== X-Gm-Message-State: AOAM533nWXH4g0eGC5hJ0JxsU8qeZIBTiEgMPIWDrLsgeRCZiRu44n8e d+IkXxLnGdy2+4xvbw6+b5A5cA== X-Received: by 2002:a17:902:d4c2:b0:15e:abd0:926f with SMTP id o2-20020a170902d4c200b0015eabd0926fmr23646480plg.129.1652237585369; Tue, 10 May 2022 19:53:05 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id n9-20020a170902968900b0015e8d4eb1d7sm363503plp.33.2022.05.10.19.53.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 May 2022 19:53:05 -0700 (PDT) From: Kees Cook To: Jakub Kicinski Cc: Kees Cook , Eric Dumazet , "David S. Miller" , Paolo Abeni , Coco Li , Tariq Toukan , Saeed Mahameed , Leon Romanovsky , netdev@vger.kernel.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org Subject: [PATCH] fortify: Provide a memcpy trap door for sharp corners Date: Tue, 10 May 2022 19:53:01 -0700 Message-Id: <20220511025301.3636666-1-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4296; h=from:subject; bh=zskFoaXURO/IVylo7b2S5LXUxKy16zZKQmnvSBayKxA=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBieyUMQ7ji1ylNdh9eL1qcvtxDkFAlxq4iz5ETfoxb d7pbo8iJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYnslDAAKCRCJcvTf3G3AJnjwD/ 4vfLAWnR6lv2s6quyKFRlqqPX6DLgsFQO/0o6PWTm5WPdSp+jXJqvlubxLwxyUfRZUbAjVMOhXxrZz KnVhdajFWHnLc9B7YN9txp8Hh+eKcnC/OHn7yNU8hpZKQniQmkPh4D9/b1vwGodxeF6+u63TcnX8Z+ zZKjmoKETwoY1YykOIEE1Xqg8ox/oT52kP9u1N092vsWV6YXGrtSUQzsEqal/HToEvS6eW+ZUTi8i3 EyzzxjYtTSltgVY3Et9AqCO9Uo+0Ik7Go0rzqSNgnp0GS8xpKOFXb2g124++75uNB7utcfKmGn5yfR Wb4rd1+trzcYq7kxQp1xPZHqXXLV9UzeTqzToIVwDOwsWyKRmNdmsX9hDkiNiCn+7N9X+l9/gIbMm2 +RjZ/MRfPPTNuGmpliyix25Smdz53NXN1FrhronUFYEKnf1WpUEwTEvF4O42vsCTekwqIrgGXCLurf S/7d3fS4v4Bg8cA+5Qh+Uk0+ZqrTXgUP6OaDMkTICNXHTUGS80cHN7CrFE6q1UO+tsNQ/Fsge8taJS gm+Kiyli7VLSzYhXC0sKHxbB0JH0xP5894RSoW/K/PoLq+kRq7B1YseAHyV0Qfk5+iriQajxk+fnBQ egtZMtFQH8mxnRG8Q/Oo/X9lppUulkGrhJw92Vl2hjcQ77wy6/uvc14JCVXA== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org As we continue to narrow the scope of what the FORTIFY memcpy() will accept and build alternative APIs that give the compiler appropriate visibility into more complex memcpy scenarios, there is a need for "unfortified" memcpy use in rare cases where combinations of compiler behaviors, source code layout, etc, result in cases where the stricter memcpy checks need to be bypassed until appropriate solutions can be developed (i.e. fix compiler bugs, code refactoring, new API, etc). The intention is for this to be used only if there's no other reasonable solution, for its use to include a justification that can be used to assess future solutions, and for it to be temporary. Example usage included, based on analysis and discussion from: https://lore.kernel.org/netdev/CANn89iLS_2cshtuXPyNUGDPaic=sJiYfvTb_wNLgWrZRyBxZ_g@mail.gmail.com Cc: Jakub Kicinski Cc: Eric Dumazet Cc: "David S. Miller" Cc: Paolo Abeni Cc: Coco Li Cc: Tariq Toukan Cc: Saeed Mahameed Cc: Leon Romanovsky Cc: netdev@vger.kernel.org Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 8 +++++++- include/linux/fortify-string.h | 16 ++++++++++++++++ include/linux/string.h | 4 ++++ 3 files changed, 27 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c index 2dc48406cd08..5855d8f9c509 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c @@ -386,7 +386,13 @@ mlx5e_sq_xmit_wqe(struct mlx5e_txqsq *sq, struct sk_buff *skb, stats->added_vlan_packets++; } else { eseg->inline_hdr.sz |= cpu_to_be16(attr->ihs); - memcpy(eseg->inline_hdr.start, skb->data, attr->ihs); + unsafe_memcpy(eseg->inline_hdr.start, skb->data, attr->ihs, + /* This copy has been bounds-checked earlier in + * mlx5i_sq_calc_wqe_attr() and intentionally + * crosses a flex array boundary. Since it is + * performance sensitive, splitting the copy is + * undesirable. + */); } dseg += wqe_attr->ds_cnt_inl; } else if (skb_vlan_tag_present(skb)) { diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index 295637a66c46..3b401fa0f374 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -52,6 +52,22 @@ extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) #define __underlying_strncpy __builtin_strncpy #endif +/** + * unsafe_memcpy - memcpy implementation with no FORTIFY bounds checking + * + * @dst: Destination memory address to write to + * @src: Source memory address to read from + * @bytes: How many bytes to write to @dst from @src + * @justification: Free-form text or comment describing why the use is needed + * + * This should be used for corner cases where the compiler cannot do the + * right thing, or during transitions between APIs, etc. It should be used + * very rarely, and includes a place for justification detailing where bounds + * checking has happened, and why existing solutions cannot be employed. + */ +#define unsafe_memcpy(dst, src, bytes, justification) \ + __underlying_memcpy(dst, src, bytes) + /* * Clang's use of __builtin_object_size() within inlines needs hinting via * __pass_object_size(). The preference is to only ever use type 1 (member diff --git a/include/linux/string.h b/include/linux/string.h index b6572aeca2f5..61ec7e4f6311 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -252,6 +252,10 @@ static inline const char *kbasename(const char *path) #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE) #include #endif +#ifndef unsafe_memcpy +#define unsafe_memcpy(dst, src, bytes, justification) \ + memcpy(dst, src, bytes) +#endif void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count, int pad); -- 2.32.0