[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAKwvOdmzdQ+X2BsUbuVBWzFtaE2Vst4=ihNNR=LmOdozqQ5Ukg@mail.gmail.com>
Date: Thu, 3 Feb 2022 12:18:24 -0800
From: Nick Desaulniers <ndesaulniers@...gle.com>
To: Kees Cook <keescook@...omium.org>,
George Burgess IV <gbiv@...gle.com>
Cc: Miguel Ojeda <ojeda@...nel.org>,
Nathan Chancellor <nathan@...nel.org>, llvm@...ts.linux.dev,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH v6 1/4] Compiler Attributes: Add __pass_object_size for Clang
On Thu, Feb 3, 2022 at 9:33 AM Kees Cook <keescook@...omium.org> wrote:
>
> In order to gain greater visibility to type information when using
> __builtin_object_size(), Clang has a function attribute "pass_object_size"
> that will make size information available for marked arguments in
> a function by way of implicit additional function arguments that are
> then wired up the __builtin_object_size().
>
> This is needed to implement FORTIFY_SOURCE in Clang, as a workaround
> to Clang's __builtin_object_size() having limited visibility[1] into types
> across function calls (even inlines).
>
> Since any usage must also be const, include it in the macro.
I really don't like hiding the qualifier in the argument-attribute
macro like that. I'd rather we be more explicit about changing the
function interfaces in include/linux/fortify-string.h.
For instance, in patch 4/4, let's take a look at this hunk:
-__FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
...
+__FORTIFY_INLINE __diagnose_as(__builtin_strncpy, 1, 2, 3)
+char *strncpy(char * POS p, const char *q, __kernel_size_t size)
manually expanded, this has changed the qualifiers on the type of the
first parameter from `char *` to `char * const`.
I think it might be helpful to quote the docs
(https://clang.llvm.org/docs/AttributeReference.html#pass-object-size-pass-dynamic-object-size)
>> Additionally, any parameter that pass_object_size is applied to must be marked const at its function’s definition.
One thing that's concerning to me is though:
>> It is an error to take the address of a function with pass_object_size on any of its parameters.
Surely the kernel has indirect calls to some of these functions
somewhere? Is that just an issue for C++ name-mangling perhaps?
>
> This attribute has an additional benefit that it can be used even on
> non-inline functions to gain argument size information.
>
> [1] https://github.com/llvm/llvm-project/issues/53516
>
> Cc: Miguel Ojeda <ojeda@...nel.org>
> Cc: Nick Desaulniers <ndesaulniers@...gle.com>
> Cc: Nathan Chancellor <nathan@...nel.org>
> Cc: llvm@...ts.linux.dev
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> include/linux/compiler_attributes.h | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h
> index 37e260020221..4ce370094e3a 100644
> --- a/include/linux/compiler_attributes.h
> +++ b/include/linux/compiler_attributes.h
> @@ -263,6 +263,20 @@
> */
> #define __packed __attribute__((__packed__))
>
> +/*
> + * Note: the "type" argument should match any __builtin_object_size(p, type) usage.
> + *
> + * Optional: not supported by gcc.
> + * Optional: not supported by icc.
> + *
> + * clang: https://clang.llvm.org/docs/AttributeReference.html#pass-object-size-pass-dynamic-object-size
> + */
> +#if __has_attribute(__pass_object_size__)
> +# define __pass_object_size(type) const __attribute__((__pass_object_size__(type)))
> +#else
> +# define __pass_object_size(type)
> +#endif
> +
> /*
> * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-pure-function-attribute
> */
> --
> 2.30.2
>
--
Thanks,
~Nick Desaulniers
Powered by blists - more mailing lists