lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220923235424.3303486-1-keescook@chromium.org> Date: Fri, 23 Sep 2022 16:54:24 -0700 From: Kees Cook <keescook@...omium.org> To: Miguel Ojeda <ojeda@...nel.org> Cc: Kees Cook <keescook@...omium.org>, Siddhesh Poyarekar <siddhesh@...plt.org>, Nick Desaulniers <ndesaulniers@...gle.com>, Nathan Chancellor <nathan@...nel.org>, Tom Rix <trix@...hat.com>, llvm@...ts.linux.dev, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: [PATCH] Compiler Attributes: Introduce __access_*() function attribute Added in GCC 10.1, the "access" function attribute to mark pointer arguments for how they are expected to be accessed in a given function. Both their access type (read/write, read-only, or write-only) and bounds are specified. While it is legal to provide only the pointer argument position and access type, design the kernel macros to require also the bounds (element count) argument position: if a function has no bounds argument, refactor the code to include one. These can be used multiple times. For example: __access_wo(2, 3) __access_ro(4, 5) int copy_something(struct context *ctx, u32 *dst, size_t dst_count, u8 *src, int src_len); (And if "dst" will also be read, it could use __access_rw(2, 3) instead.) These can inform the compile-time diagnostics of GCC including -Warray-bounds, -Wstringop-overflow, etc, and can affect __builtin_dynamic_object_size() results. Cc: Miguel Ojeda <ojeda@...nel.org> Cc: Siddhesh Poyarekar <siddhesh@...plt.org> Cc: Nick Desaulniers <ndesaulniers@...gle.com> Cc: Nathan Chancellor <nathan@...nel.org> Cc: Tom Rix <trix@...hat.com> Cc: llvm@...ts.linux.dev Signed-off-by: Kees Cook <keescook@...omium.org> --- include/linux/compiler_attributes.h | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h index 9a9907fad6fd..6f3d40f7ee5e 100644 --- a/include/linux/compiler_attributes.h +++ b/include/linux/compiler_attributes.h @@ -20,6 +20,22 @@ * Provide links to the documentation of each supported compiler, if it exists. */ +/* + * Optional: only supported since gcc >= 10 + * Optional: not supported by Clang + * + * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-access-function-attribute + */ +#if __has_attribute(__access__) +#define __access_rw(ptr, count) __attribute__((__access__(read_write, ptr, count))) +#define __access_ro(ptr, count) __attribute__((__access__(read_only, ptr, count))) +#define __access_wo(ptr, count) __attribute__((__access__(write_only, ptr, count))) +#else +#define __access_rw(ptr, count) +#define __access_ro(ptr, count) +#define __access_wo(ptr, count) +#endif + /* * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-alias-function-attribute */ -- 2.34.1
Powered by blists - more mailing lists