lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Tue, 8 Feb 2022 15:58:26 -0800
From:   Kees Cook <keescook@...omium.org>
To:     Nick Desaulniers <ndesaulniers@...gle.com>
Cc:     Miguel Ojeda <ojeda@...nel.org>,
        Nathan Chancellor <nathan@...nel.org>,
        George Burgess IV <gbiv@...gle.com>,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org,
        llvm@...ts.linux.dev
Subject: Re: [PATCH v7 7/8] fortify: Make sure strlen() may still be used as
 a constant expression

On Tue, Feb 08, 2022 at 03:17:13PM -0800, Nick Desaulniers wrote:
> On Tue, Feb 8, 2022 at 2:53 PM Kees Cook <keescook@...omium.org> wrote:
> >
> > In preparation for enabling Clang FORTIFY_SOURCE support, redefine
> > strlen() as a macro that tests for being a constant expression
> > so that strlen() can still be used in static initializers, which is
> > lost when adding __pass_object_size and __overloadable.
> >
> > An example of this usage can be seen here:
> >         https://lore.kernel.org/all/202201252321.dRmWZ8wW-lkp@intel.com/
> >
> > Notably, this constant expression feature of strlen() is not available
> > for architectures that build with -ffreestanding. This means the kernel
> > currently does not universally expect strlen() to be used this way, but
> > since there _are_ some build configurations that depend on it, retain
> > the characteristic for Clang FORTIFY_SOURCE builds too.
> >
> > Signed-off-by: Kees Cook <keescook@...omium.org>
> > ---
> >  include/linux/fortify-string.h | 13 +++++++++++--
> >  1 file changed, 11 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
> > index db1ad1c1c79a..f77cf22e2d60 100644
> > --- a/include/linux/fortify-string.h
> > +++ b/include/linux/fortify-string.h
> > @@ -2,6 +2,8 @@
> >  #ifndef _LINUX_FORTIFY_STRING_H_
> >  #define _LINUX_FORTIFY_STRING_H_
> >
> > +#include <linux/const.h>
> > +
> >  #define __FORTIFY_INLINE extern __always_inline __gnu_inline
> >  #define __RENAME(x) __asm__(#x)
> >
> > @@ -95,9 +97,16 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char * const p, __kernel_size_t m
> >         return ret;
> >  }
> >
> > -/* defined after fortified strnlen to reuse it. */
> > +/*
> > + * Defined after fortified strnlen to reuse it. However, it must still be
> > + * possible for strlen() to be used on compile-time strings for use in
> > + * static initializers (i.e. as a constant expression).
> > + */
> > +#define strlen(p)                                                      \
> > +       __builtin_choose_expr(__is_constexpr(__builtin_strlen(p)),      \
> 
> Is `__is_constexpr(p) == __is_constexpr(__builtin_strlen(p))`? i.e.
> can we drop the first `__builtin_strlen`? It seems redundant.
> 
> So instead, we'd have:
> 
> #define strlen(p) __builtin_choose_expr(__is_constexpr(p),
> __builtin_strlen(p), __fortify_strlen(p))
> 
> Or is there some funny business where p isn't constexpr but strlen(p)
> somehow is? I doubt that.  (Or is it that p is constexpr, but
> strlen(p) is not?)
> 
> (Guess I'm wrong: https://godbolt.org/z/19ffz7vjx)

Yeah, as you've discovered ... funny business. :P

> Ok then.
> Reviewed-by: Nick Desaulniers <ndesaulniers@...gle.com>

Thanks!

-- 
Kees Cook

Powered by blists - more mailing lists