Date: Sun, 30 Jan 2022 10:22:04 -0800 From: Kees Cook <keescook@...omium.org> To: Kees Cook <keescook@...omium.org> Cc: Nathan Chancellor <nathan@...nel.org>, Nick Desaulniers <ndesaulniers@...gle.com>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org, llvm@...ts.linux.dev Subject: [PATCH v4] fortify: Work around Clang inlining bugs To enable FORTIFY_SOURCE support for Clang, the kernel must work around a pair of bugs, related to Clang's inlining: 1) Change all the fortified string APIs into macros with different inline names to bypass Clang's broken inline-of-a-builtin detection: https://bugs.llvm.org/show_bug.cgi?id=50322 2) Lift all misbehaving __builtin_object_size() calls into the macros to bypass Clang's broken __builtin_object_size() arguments-of-an-inline visibility: https://github.com/ClangBuiltLinux/linux/issues/1401 One behavioral difference needed to be handled due to 1): the real strlen() function can be a constant expression (for use with static initializers), and that compiler magic needed to be reproduced in the macro. The workaround in 2) means Clang only gains single-level visibility for the FORTIFY protection: any additional layers of inlining will obscure the detection. This limitation will go away once the Clang bug is fixed. And finally, working around these bugs exposed a third bug which had no identifiable workaround: globally defined variables did not work with __builtin_constant_p(): https://bugs.llvm.org/show_bug.cgi?id=41459 See commit a52f8a59aef4 ("fortify: Explicitly disable Clang support"). This was fixed in Clang 13, so only Clang 13 and later gain FORTIFY coverage. 
Signed-off-by: Kees Cook <keescook@...omium.org> --- v1: https://lore.kernel.org/linux-hardening/20210727205855.411487-61-keescook@chromium.org/ v2: https://lore.kernel.org/linux-hardening/20210818060533.3569517-64-keescook@chromium.org/ v3: https://lore.kernel.org/linux-hardening/20211213223331.135412-18-keescook@chromium.org/ v4: - make sure strlen() can still be used as a constant expression - improve commit message with more details --- include/linux/fortify-string.h | 97 +++++++++++++++++++++------------- security/Kconfig | 2 +- 2 files changed, 61 insertions(+), 38 deletions(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index c45159dbdaa1..d5184e4e3244 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -2,6 +2,8 @@ #ifndef _LINUX_FORTIFY_STRING_H_ #define _LINUX_FORTIFY_STRING_H_ +#include <linux/const.h> + #define __FORTIFY_INLINE extern __always_inline __attribute__((gnu_inline)) #define __RENAME(x) __asm__(#x) @@ -50,10 +52,10 @@ extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) #define __underlying_strncpy __builtin_strncpy #endif -__FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size) +#define strncpy(p, q, s) __fortify_strncpy(p, q, s, __builtin_object_size(p, 1)) +__FORTIFY_INLINE char *__fortify_strncpy(char *p, const char *q, + __kernel_size_t size, const size_t p_size) { - size_t p_size = __builtin_object_size(p, 1); - if (__builtin_constant_p(size) && p_size < size) __write_overflow(); if (p_size < size) 
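Review bot: The header now splits every fortified API into a caller-side macro plus a `__fortify_*` inline, but nothing in the file says why; the rationale lives only in the commit message, and the next maintainer who "simplifies" a macro back into a function will silently lose Clang coverage. I would add a block comment after `#define __RENAME(x) __asm__(#x)` stating that the public names are macros so that `__builtin_object_size()` is evaluated at the call site (Clang cannot see an inline's arguments, ClangBuiltLinux issue 1401) and so the inlines are not mis-detected as inlined builtins (LLVM bug 50322), and that as a consequence Clang only checks one level of inlining, so callers reached through a further wrapper are not covered. A trailing comment on the new include, `#include <linux/const.h> /* __is_constexpr() for strlen() */`, would also save the reader a search, since its only user is the `strlen()` macro later in the patch.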
@@ -61,10 +63,9 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size) return __underlying_strncpy(p, q, size); } -__FORTIFY_INLINE char *strcat(char *p, const char *q) +#define strcat(p, q) __fortify_strcat(p, q, __builtin_object_size(p, 1)) +__FORTIFY_INLINE char *__fortify_strcat(char *p, const char *q, const size_t p_size) { - size_t p_size = __builtin_object_size(p, 1); - if (p_size == (size_t)-1) return __underlying_strcat(p, q); if (strlcat(p, q, p_size) >= p_size) @@ -73,9 +74,10 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q) } extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen); -__FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen) +#define strnlen(p, s) __fortify_strnlen(p, s, __builtin_object_size(p, 1)) +__FORTIFY_INLINE __kernel_size_t __fortify_strnlen(const char *p, size_t maxlen, + const size_t p_size) { - size_t p_size = __builtin_object_size(p, 1); size_t p_len = __compiletime_strlen(p); size_t ret; @@ -93,11 +95,18 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen) return ret; } -/* defined after fortified strnlen to reuse it. */ -__FORTIFY_INLINE __kernel_size_t strlen(const char *p) +/* + * Defined after fortified strnlen to reuse it. However, it must still be + * possible for strlen() to be used on compile-time strings for use in + * static initializers (i.e. as a constant expression). + */ +#define strlen(p) \ + __builtin_choose_expr(__is_constexpr(__builtin_strlen(p)), \ + __builtin_strlen(p), \ + __fortify_strlen(p, __builtin_object_size(p, 1))) +__FORTIFY_INLINE __kernel_size_t __fortify_strlen(const char *p, const size_t p_size) { __kernel_size_t ret; - size_t p_size = __builtin_object_size(p, 1); /* Give up if we don't know how large p is. */ if (p_size == (size_t)-1) 
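Review bot: The `strncpy(p, q, s)` macro mentions `p` twice, once as the destination and once inside `__builtin_object_size(p, 1)`; as I read the GCC documentation, `__builtin_object_size()` never evaluates its operand and returns `(size_t)-1` when the operand has side effects, so a call such as `strncpy(dst[i++], src, n)` is not double-evaluated but silently loses the bounds check: with `p_size == -1` neither the `__write_overflow()` nor the `fortify_panic()` branch can fire and the call falls through to `__underlying_strncpy()`. The inline-function form did not have that gap, because the size query ran on the already-evaluated parameter. I would document the new contract on the macro, `/* p must be side-effect free: __builtin_object_size() yields -1 (no check) otherwise */`, and the same caveat applies to every `__fortify_*` macro introduced by this patch. The body of `__fortify_strncpy()` continues past the end of the hunk.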
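Review bot: `__fortify_strnlen()` changes the type of `maxlen` from `__kernel_size_t` (the removed `strnlen()` prototype) to `size_t`, while the `memscan`, `memchr` and `memcmp` wrappers in the same patch keep `__kernel_size_t size`. In the kernel `size_t` is, I believe, just a typedef of `__kernel_size_t`, so this is style only, but a mechanical macro-plus-inline rename is much easier to audit when the parameter lists are copied unchanged; I would keep `__kernel_size_t maxlen` here, and likewise `__kernel_size_t count` in `__fortify_strncat()`. The function body runs past the hunk.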
@@ -110,10 +119,14 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p) /* defined after fortified strlen to reuse it */ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy); -__FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) +#define strlcpy(p, q, s) __fortify_strlcpy(p, q, s, \ + __builtin_object_size(p, 1), \ + __builtin_object_size(q, 1)) +__FORTIFY_INLINE size_t __fortify_strlcpy(char *p, const char *q, + size_t size, + const size_t p_size, + const size_t q_size) { - size_t p_size = __builtin_object_size(p, 1); - size_t q_size = __builtin_object_size(q, 1); size_t q_len; /* Full count of source string length. */ size_t len; /* Count of characters going into destination. */ @@ -137,12 +150,15 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) /* defined after fortified strnlen to reuse it */ extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(strscpy); -__FORTIFY_INLINE ssize_t strscpy(char *p, const char *q, size_t size) +#define strscpy(p, q, s) __fortify_strscpy(p, q, s, \ + __builtin_object_size(p, 1), \ + __builtin_object_size(q, 1)) +__FORTIFY_INLINE ssize_t __fortify_strscpy(char *p, const char *q, + size_t size, + const size_t p_size, + const size_t q_size) { size_t len; - /* Use string size rather than possible enclosing struct size. */ - size_t p_size = __builtin_object_size(p, 1); - size_t q_size = __builtin_object_size(q, 1); /* If we cannot get size of p and q default to call strscpy. */ if (p_size == (size_t) -1 && q_size == (size_t) -1) 
@@ -183,11 +199,14 @@ __FORTIFY_INLINE ssize_t strscpy(char *p, const char *q, size_t size) } /* defined after fortified strlen and strnlen to reuse them */ -__FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count) +#define strncat(p, q, count) __fortify_strncat(p, q, count, \ + __builtin_object_size(p, 1), \ + __builtin_object_size(q, 1)) +__FORTIFY_INLINE char *__fortify_strncat(char *p, const char *q, size_t count, + const size_t p_size, + const size_t q_size) { size_t p_len, copy_len; - size_t p_size = __builtin_object_size(p, 1); - size_t q_size = __builtin_object_size(q, 1); if (p_size == (size_t)-1 && q_size == (size_t)-1) return __underlying_strncat(p, q, count); @@ -354,10 +373,10 @@ __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size, memmove) extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan); -__FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size) +#define memscan(p, c, s) __fortify_memscan(p, c, s, __builtin_object_size(p, 0)) +__FORTIFY_INLINE void *__fortify_memscan(void *p, int c, __kernel_size_t size, + const size_t p_size) { - size_t p_size = __builtin_object_size(p, 0); - if (__builtin_constant_p(size) && p_size < size) __read_overflow(); if (p_size < size) @@ -365,11 +384,12 @@ __FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size) return __real_memscan(p, c, size); } -__FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size) +#define memcmp(p, q, s) __fortify_memcmp(p, q, s, \ + __builtin_object_size(p, 0), \ + __builtin_object_size(q, 0)) +__FORTIFY_INLINE int __fortify_memcmp(const void *p, const void *q, __kernel_size_t size, + const size_t p_size, const size_t q_size) { - size_t p_size = __builtin_object_size(p, 0); - size_t q_size = __builtin_object_size(q, 0); - if (__builtin_constant_p(size)) { if (p_size < size) __read_overflow(); 
@@ -381,10 +401,10 @@ __FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size) return __underlying_memcmp(p, q, size); } -__FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size) +#define memchr(p, c, s) __fortify_memchr(p, c, s, __builtin_object_size(p, 0)) +__FORTIFY_INLINE void *__fortify_memchr(const void *p, int c, __kernel_size_t size, + const size_t p_size) { - size_t p_size = __builtin_object_size(p, 0); - if (__builtin_constant_p(size) && p_size < size) __read_overflow(); if (p_size < size) @@ -393,10 +413,10 @@ __FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size) } void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv); -__FORTIFY_INLINE void *memchr_inv(const void *p, int c, size_t size) +#define memchr_inv(p, c, s) __fortify_memchr_inv(p, c, s, __builtin_object_size(p, 0)) +__FORTIFY_INLINE void *__fortify_memchr_inv(const void *p, int c, size_t size, + const size_t p_size) { - size_t p_size = __builtin_object_size(p, 0); - if (__builtin_constant_p(size) && p_size < size) __read_overflow(); if (p_size < size) @@ -417,10 +437,13 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp) } /* Defined after fortified strlen to reuse it. */ -__FORTIFY_INLINE char *strcpy(char *p, const char *q) +#define strcpy(p, q) __fortify_strcpy(p, q, \ + __builtin_object_size(p, 1), \ + __builtin_object_size(q, 1)) +__FORTIFY_INLINE char *__fortify_strcpy(char *p, const char *q, + const size_t p_size, + const size_t q_size) { - size_t p_size = __builtin_object_size(p, 1); - size_t q_size = __builtin_object_size(q, 1); size_t size; /* If neither buffer size is known, immediately give up. */ diff --git a/security/Kconfig b/security/Kconfig index 0b847f435beb..1a25a567965f 100644 --- a/security/Kconfig +++ b/security/Kconfig 
@@ -179,7 +179,7 @@ config FORTIFY_SOURCE depends on ARCH_HAS_FORTIFY_SOURCE # https://bugs.llvm.org/show_bug.cgi?id=50322 # https://bugs.llvm.org/show_bug.cgi?id=41459 - depends on !CC_IS_CLANG + depends on !CC_IS_CLANG || CLANG_VERSION >= 130000 help Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes. -- 2.30.2
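Review bot: The comment `# https://bugs.llvm.org/show_bug.cgi?id=50322` that still sits above the new `depends on !CC_IS_CLANG || CLANG_VERSION >= 130000` line is now misleading: per the commit message that bug is worked around by the macro split in fortify-string.h, and the version gate exists only for the `__builtin_constant_p()` bug (41459) that is fixed in Clang 13. I would drop the 50322 link here, or replace it with `# 50322 and ClangBuiltLinux #1401 are worked around in include/linux/fortify-string.h`, so whoever next tunes the threshold knows which bug still matters. Whether 13.0.0 is the earliest release carrying the 41459 fix is not something the patch shows; if it was backported to a 12.x point release the threshold could be loosened, but that needs checking against the LLVM history rather than assuming.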