Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <642f4e62.170a0220.1f11f.36df@mx.google.com>
Date:   Thu, 6 Apr 2023 15:57:37 -0700
From:   Kees Cook <keescook@chromium.org>
To:     Andy Shevchenko <andy.shevchenko@gmail.com>
Cc:     linux-hardening@vger.kernel.org, Andy Shevchenko <andy@kernel.org>,
        Cezary Rojewski <cezary.rojewski@intel.com>,
        Puyou Lu <puyou.lu@gmail.com>, Mark Brown <broonie@kernel.org>,
        Josh Poimboeuf <jpoimboe@kernel.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Brendan Higgins <brendan.higgins@linux.dev>,
        David Gow <davidgow@google.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Nathan Chancellor <nathan@kernel.org>,
        Alexander Potapenko <glider@google.com>,
        Zhaoyang Huang <zhaoyang.huang@unisoc.com>,
        Randy Dunlap <rdunlap@infradead.org>,
        Geert Uytterhoeven <geert+renesas@glider.be>,
        Miguel Ojeda <ojeda@kernel.org>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Liam Howlett <liam.howlett@oracle.com>,
        Vlastimil Babka <vbabka@suse.cz>,
        Dan Williams <dan.j.williams@intel.com>,
        Rasmus Villemoes <linux@rasmusvillemoes.dk>,
        Yury Norov <yury.norov@gmail.com>,
        "Jason A. Donenfeld" <Jason@zx2c4.com>,
        Sander Vanheule <sander@svanheule.net>,
        Eric Biggers <ebiggers@google.com>,
        "Masami Hiramatsu (Google)" <mhiramat@kernel.org>,
        Andrey Konovalov <andreyknvl@gmail.com>,
        Linus Walleij <linus.walleij@linaro.org>,
        Daniel Latypov <dlatypov@google.com>,
        =?iso-8859-1?Q?Jos=E9_Exp=F3sito?= <jose.exposito89@gmail.com>,
        linux-kernel@vger.kernel.org, kunit-dev@googlegroups.com
Subject: Re: [PATCH 6/9] fortify: Split reporting and avoid passing string
 pointer
References: <20230405235832.never.487-kees@kernel.org>
 <20230406000212.3442647-6-keescook@chromium.org>
 <CAHp75Vf-nG865UwbVjwFjVTtXA7mAdi4FfKCpTHDx55eFnbvAA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAHp75Vf-nG865UwbVjwFjVTtXA7mAdi4FfKCpTHDx55eFnbvAA@mail.gmail.com>
Precedence: bulk

On Thu, Apr 06, 2023 at 01:20:52PM +0300, Andy Shevchenko wrote:
> On Thu, Apr 6, 2023 at 3:02 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > In preparation for KUnit testing and further improvements in fortify
> > failure reporting, split out the report and encode the function and
> > access failure (read or write overflow) into a single int argument. This
> > mainly ends up saving some space in the data segment. For a defconfig
> > with FORTIFY_SOURCE enabled:
> >
> > $ size gcc/vmlinux.before gcc/vmlinux.after
> >    text           data     bss     dec              hex filename
> > 26132309        9760658 2195460 38088427        2452eeb gcc/vmlinux.before
> > 26132386        9748382 2195460 38076228        244ff44 gcc/vmlinux.after
> 
> ...
> 
> > +       const char *name;
> > +       const bool write = !!(reason & 0x1);
> 
> Perhaps define that as
> 
> FORTIFY_READ_WRITE  BIT(0)
> FORTIFY_FUNC_SHIFT  1
> 
> const bool write = reason & FORTIFY_READ_WRITE; // and note no need for !! part

Yeah, that reads better. The FIELD_GET suggestion down-thread is
probably how I'll go.

> 
> switch (reason >> FORTIFY_FUNC_SHIFT) {
> 
> > +       switch (reason >> 1) {
> > +       case FORTIFY_FUNC_strncpy:
> > +               name = "strncpy";
> > +               break;
> > +       case FORTIFY_FUNC_strnlen:
> > +               name = "strnlen";
> > +               break;
> > +       case FORTIFY_FUNC_strlen:
> > +               name = "strlen";
> > +               break;
> > +       case FORTIFY_FUNC_strlcpy:
> > +               name = "strlcpy";
> > +               break;
> > +       case FORTIFY_FUNC_strscpy:
> > +               name = "strscpy";
> > +               break;
> > +       case FORTIFY_FUNC_strlcat:
> > +               name = "strlcat";
> > +               break;
> > +       case FORTIFY_FUNC_strcat:
> > +               name = "strcat";
> > +               break;
> > +       case FORTIFY_FUNC_strncat:
> > +               name = "strncat";
> > +               break;
> > +       case FORTIFY_FUNC_memset:
> > +               name = "memset";
> > +               break;
> > +       case FORTIFY_FUNC_memcpy:
> > +               name = "memcpy";
> > +               break;
> > +       case FORTIFY_FUNC_memmove:
> > +               name = "memmove";
> > +               break;
> > +       case FORTIFY_FUNC_memscan:
> > +               name = "memscan";
> > +               break;
> > +       case FORTIFY_FUNC_memcmp:
> > +               name = "memcmp";
> > +               break;
> > +       case FORTIFY_FUNC_memchr:
> > +               name = "memchr";
> > +               break;
> > +       case FORTIFY_FUNC_memchr_inv:
> > +               name = "memchr_inv";
> > +               break;
> > +       case FORTIFY_FUNC_kmemdup:
> > +               name = "kmemdup";
> > +               break;
> > +       case FORTIFY_FUNC_strcpy:
> > +               name = "strcpy";
> > +               break;
> > +       default:
> > +               name = "unknown";
> > +       }
> 
> ...
> 
> > +       WARN(1, "%s: detected buffer %s overflow\n", name, write ? "write" : "read");
> 
> Using str_read_write() ?
> 
> Dunno if it's already there or needs to be added. I have some patches
> to move those str_*() to string_choices.h. We can also prepend yours
> with those.

Oh! Hah. I totally forgot about str_read_write. :) I will use that.

-- 
Kees Cook