lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 23 Sep 2022 16:54:24 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Miguel Ojeda <ojeda@...nel.org>
Cc:     Kees Cook <keescook@...omium.org>,
        Siddhesh Poyarekar <siddhesh@...plt.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Nathan Chancellor <nathan@...nel.org>,
        Tom Rix <trix@...hat.com>, llvm@...ts.linux.dev,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: [PATCH] Compiler Attributes: Introduce __access_*() function attribute

Added in GCC 10.1, the "access" function attribute to mark pointer
arguments for how they are expected to be accessed in a given function.
Both their access type (read/write, read-only, or write-only) and bounds
are specified. While it is legal to provide only the pointer argument
position and access type, design the kernel macros to require also the
bounds (element count) argument position: if a function has no bounds
argument, refactor the code to include one.

These can be used multiple times. For example:

__access_wo(2, 3) __access_ro(4, 5)
int copy_something(struct context *ctx, u32 *dst, size_t dst_count,
		   u8 *src, int src_len);

(And if "dst" will also be read, it could use __access_rw(2, 3) instead.)

These can inform the compile-time diagnostics of GCC including
-Warray-bounds, -Wstringop-overflow, etc, and can affect
__builtin_dynamic_object_size() results.

Cc: Miguel Ojeda <ojeda@...nel.org>
Cc: Siddhesh Poyarekar <siddhesh@...plt.org>
Cc: Nick Desaulniers <ndesaulniers@...gle.com>
Cc: Nathan Chancellor <nathan@...nel.org>
Cc: Tom Rix <trix@...hat.com>
Cc: llvm@...ts.linux.dev
Signed-off-by: Kees Cook <keescook@...omium.org>
---
 include/linux/compiler_attributes.h | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h
index 9a9907fad6fd..6f3d40f7ee5e 100644
--- a/include/linux/compiler_attributes.h
+++ b/include/linux/compiler_attributes.h
@@ -20,6 +20,22 @@
  * Provide links to the documentation of each supported compiler, if it exists.
  */
 
+/*
+ * Optional: only supported since gcc >= 10
+ * Optional: not supported by Clang
+ *
+ *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-access-function-attribute
+ */
+#if __has_attribute(__access__)
+#define __access_rw(ptr, count)	__attribute__((__access__(read_write, ptr, count)))
+#define __access_ro(ptr, count)	__attribute__((__access__(read_only,  ptr, count)))
+#define __access_wo(ptr, count)	__attribute__((__access__(write_only, ptr, count)))
+#else
+#define __access_rw(ptr, count)
+#define __access_ro(ptr, count)
+#define __access_wo(ptr, count)
+#endif
+
 /*
  *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-alias-function-attribute
  */
-- 
2.34.1

Powered by blists - more mailing lists