Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp3928950rwi; Sat, 22 Oct 2022 02:23:14 -0700 (PDT) X-Google-Smtp-Source: AMsMyM70w7/JmGnj9KXiP9k4Z568y3V+CMOIVRKYIhi4SRs8A4vpE7GdEoV0Lb7hdRvFAIn9U0m7 X-Received: by 2002:a17:906:1b49:b0:78d:b7b5:71cc with SMTP id p9-20020a1709061b4900b0078db7b571ccmr18944153ejg.536.1666430593910; Sat, 22 Oct 2022 02:23:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666430593; cv=none; d=google.com; s=arc-20160816; b=xGgb7hIas+39CJiTIuxEbKms3zbgY38M6ExiA/1X66evszblwyhSnufhSancFiueKe EFmLfynY4yPYH2ddA6yyJtr3aJN9Vikkx4WugM43TfBbud3DW/2Cw2gbCUf4RKsOF2Ds tS9gXZPcY4VEQmfGGhgRpXJIHL6Y+Qo6d1FS5/xvf4dVKkr4Ahgp4/4ZFfv8+9PmMQ8/ iCtZlcYxfkY9SJ7JkLGczngQzkJW9lOVlJOWS18DfuXVmrqJ5eQBx3DWcdQUVln/gP0+ ZzEMcqAXwIHtW7nQeLZ+vvL/KGFrwa7u6MSuYeXF0BgHjTrXfFRIcg6Dfq5cOdAgkx/s 1MxA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=LG7kQDXSgEdPfkLBqJx8Jeea0WzstOnh63KhBlYLm9Q=; b=OprzKH6Fe5+oWQIZdATd5aNjL1oreqUE7D1Sso8JvPfNQETzzQkVsOfJQtxr91+GZS da1dicwLw3sQU2WceNb/66ehuetaZeGzrwI7fhXLW9r3FFWhTWBfItfXQYqSVH1Ilq9i q0DCrawNBboFrgrqg69BHibI4BvX9HP/X0Y1uGYNLDEOhUqzx/Q9un/qDoGl09Ho8qZW yGgKR8dPcQ0j0K6cJQNNJk9Y8pw9IDK1IyyrJyYa6pX5h0kY9B0YQF51Decytf/Bov8h iFqGcPjYFATn/N7Nvq4PKnyKjY3FRLS1PTwCXJ5uDJ9pbE4dC5bKo0LEPMCz1G7alIZV /B0w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=mDrZeKLD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s11-20020a056402014b00b0045ca331c2ebsi19175595edu.232.2022.10.22.02.22.49; Sat, 22 Oct 2022 02:23:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=mDrZeKLD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234554AbiJVIra (ORCPT + 99 others); Sat, 22 Oct 2022 04:47:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40816 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235174AbiJVIot (ORCPT ); Sat, 22 Oct 2022 04:44:49 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A8D492CB8C5; Sat, 22 Oct 2022 01:08:42 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 50A7460B1B; Sat, 22 Oct 2022 07:59:34 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 25724C433C1; Sat, 22 Oct 2022 07:59:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1666425573; bh=hzbiDCjgP4PWpxtEpRK2mCWbxYUpFdc6paCISbBKNxg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mDrZeKLDuXuU9SGEfDqfISMNuvMjWQ5T2r+ThsxvajZw67xFR2nI+jpYlHd7xSaEJ 0soQ2Eu4YGWUg75v0nF594EGklSJc9hMimMofwyRhVIRgie5cab2IGjlHyjZPRozqi aSbdX1B4YJMfnlX1DX5DTMqNe+Hcoyl3XwoAb484= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nathan Chancellor , Tom Rix , Andrew Morton , Vlastimil Babka , "Steven Rostedt (Google)" , David Gow , Yury Norov , Masami Hiramatsu , Sander Vanheule , linux-hardening@vger.kernel.org, llvm@lists.linux.dev, Nick Desaulniers , Kees Cook , Sasha Levin Subject: [PATCH 5.19 545/717] fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL Date: Sat, 22 Oct 2022 09:27:04 +0200 Message-Id: <20221022072522.458343012@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221022072415.034382448@linuxfoundation.org> References: <20221022072415.034382448@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Kees Cook [ Upstream commit d07c0acb4f41cc42a0d97530946965b3e4fa68c1 ] With CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe a runtime panic while running Android's Compatibility Test Suite's (CTS) android.hardware.input.cts.tests. This is stemming from a strlen() call in hidinput_allocate(). __compiletime_strlen() is implemented in terms of __builtin_object_size(), then does an array access to check for NUL-termination. A quirk of __builtin_object_size() is that for strings whose values are runtime dependent, __builtin_object_size(str, 1 or 0) returns the maximum size of possible values when those sizes are determinable at compile time. Example: static const char *v = "FOO BAR"; static const char *y = "FOO BA"; unsigned long x (int z) { // Returns 8, which is: // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1)) return __builtin_object_size(z ? v : y, 1); } So when FORTIFY_SOURCE is enabled, the current implementation of __compiletime_strlen() will try to access beyond the end of y at runtime using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault. hidinput_allocate() has a local C string whose value is control flow dependent on a switch statement, so __builtin_object_size(str, 1) evaluates to the maximum string length, making all other cases fault on the last character check. hidinput_allocate() could be cleaned up to avoid runtime calls to strlen() since the local variable can only have literal values, so there's no benefit to trying to fortify the strlen call site there. Perform a __builtin_constant_p() check against index 0 earlier in the macro to filter out the control-flow-dependant case. Add a KUnit test for checking the expected behavioral characteristics of FORTIFY_SOURCE internals. Cc: Nathan Chancellor Cc: Tom Rix Cc: Andrew Morton Cc: Vlastimil Babka Cc: "Steven Rostedt (Google)" Cc: David Gow Cc: Yury Norov Cc: Masami Hiramatsu Cc: Sander Vanheule Cc: linux-hardening@vger.kernel.org Cc: llvm@lists.linux.dev Reviewed-by: Nick Desaulniers Tested-by: Android Treehugger Robot Link: https://android-review.googlesource.com/c/kernel/common/+/2206839 Co-developed-by: Nick Desaulniers Signed-off-by: Nick Desaulniers Signed-off-by: Kees Cook Signed-off-by: Sasha Levin --- include/linux/fortify-string.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index 3b401fa0f374..fce2fb2fc962 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -19,7 +19,8 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning(" unsigned char *__p = (unsigned char *)(p); \ size_t __ret = (size_t)-1; \ size_t __p_size = __builtin_object_size(p, 1); \ - if (__p_size != (size_t)-1) { \ + if (__p_size != (size_t)-1 && \ + __builtin_constant_p(*__p)) { \ size_t __p_len = __p_size - 1; \ if (__builtin_constant_p(__p[__p_len]) && \ __p[__p_len] == '\0') \ -- 2.35.1