Message-ID: <CAKwvOd=T5ownFTe5+M23ZLSPM876_7WAx23GzNeGxkqwGTHERQ@mail.gmail.com>
Date:   Tue, 18 Apr 2023 11:27:10 -0700
From:   Nick Desaulniers <ndesaulniers@...gle.com>
To:     kernel test robot <lkp@...el.com>
Cc:     Kees Cook <keescook@...omium.org>, linux-hardening@...r.kernel.org,
        oe-kbuild-all@...ts.linux.dev, Andy Shevchenko <andy@...nel.org>,
        Cezary Rojewski <cezary.rojewski@...el.com>,
        Puyou Lu <puyou.lu@...il.com>, Mark Brown <broonie@...nel.org>,
        Josh Poimboeuf <jpoimboe@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Brendan Higgins <brendan.higgins@...ux.dev>,
        David Gow <davidgow@...gle.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Linux Memory Management List <linux-mm@...ck.org>,
        Nathan Chancellor <nathan@...nel.org>,
        Alexander Potapenko <glider@...gle.com>,
        Zhaoyang Huang <zhaoyang.huang@...soc.com>,
        Randy Dunlap <rdunlap@...radead.org>,
        Geert Uytterhoeven <geert+renesas@...der.be>,
        Miguel Ojeda <ojeda@...nel.org>,
        Alexander Lobakin <aleksander.lobakin@...el.com>,
        Liam Howlett <liam.howlett@...cle.com>,
        Vlastimil Babka <vbabka@...e.cz>,
        Dan Williams <dan.j.williams@...el.com>,
        Rasmus Villemoes <linux@...musvillemoes.dk>,
        Yury Norov <yury.norov@...il.com>,
        "Jason A. Donenfeld" <Jason@...c4.com>,
        Sander Vanheule <sander@...nheule.net>,
        Eric Biggers <ebiggers@...gle.com>,
        "Masami Hiramatsu (Google)" <mhiramat@...nel.org>,
        Andrey Konovalov <andreyknvl@...il.com>
Subject: Re: [PATCH v2 09/10] fortify: Add KUnit tests for runtime overflows

On Fri, Apr 7, 2023 at 5:33 PM kernel test robot <lkp@...el.com> wrote:
>
> Hi Kees,
>
> kernel test robot noticed the following build warnings:
>
> [auto build test WARNING on kees/for-next/hardening]
> [also build test WARNING on kees/for-next/pstore kees/for-next/kspp linus/master tip/x86/core v6.3-rc5 next-20230406]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url:    https://github.com/intel-lab-lkp/linux/commits/Kees-Cook/kunit-tool-Enable-CONFIG_FORTIFY_SOURCE-under-UML/20230408-032959
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/hardening
> patch link:    https://lore.kernel.org/r/20230407192717.636137-9-keescook%40chromium.org
> patch subject: [PATCH v2 09/10] fortify: Add KUnit tests for runtime overflows
> config: openrisc-randconfig-r034-20230405 (https://download.01.org/0day-ci/archive/20230408/202304080811.nYP4KpPZ-lkp@intel.com/config)
> compiler: or1k-linux-gcc (GCC) 12.1.0
> reproduce (this is a W=1 build):
>         wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
>         chmod +x ~/bin/make.cross
>         # https://github.com/intel-lab-lkp/linux/commit/d212962ef7682ee160bf38fa455475558f031759
>         git remote add linux-review https://github.com/intel-lab-lkp/linux
>         git fetch --no-tags linux-review Kees-Cook/kunit-tool-Enable-CONFIG_FORTIFY_SOURCE-under-UML/20230408-032959
>         git checkout d212962ef7682ee160bf38fa455475558f031759
>         # save the config file
>         mkdir build_dir && cp config build_dir/.config
>         COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=openrisc olddefconfig
>         COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=openrisc SHELL=/bin/bash lib/
>
> If you fix the issue, kindly add following tag where applicable
> | Reported-by: kernel test robot <lkp@...el.com>
> | Link: https://lore.kernel.org/oe-kbuild-all/202304080811.nYP4KpPZ-lkp@intel.com/
>
> All warnings (new ones prefixed by >>):
>
>    In file included from lib/fortify_kunit.c:28:
>    lib/fortify_kunit.c: In function 'strnlen_test':
> >> lib/fortify_kunit.c:412:31: warning: 'strnlen' specified bound 33 exceeds source size 32 [-Wstringop-overread]

If we expect to validate the runtime behavior of fortify, but are using
constants that the compiler can check for readability in this test,
then we might need to use the _Pragma/__diag infrastructure from
include/linux/compiler_types.h to disable -Wstringop-overread, or
disable it at the Makefile level.

>      412 |         KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 1), end);
>    include/kunit/test.h:584:38: note: in definition of macro 'KUNIT_BASE_BINARY_ASSERTION'
>      584 |         const typeof(left) __left = (left);                                    \
>          |                                      ^~~~
>    include/kunit/test.h:776:9: note: in expansion of macro 'KUNIT_BINARY_INT_ASSERTION'
>      776 |         KUNIT_BINARY_INT_ASSERTION(test,                                       \
>          |         ^~~~~~~~~~~~~~~~~~~~~~~~~~
>    include/kunit/test.h:773:9: note: in expansion of macro 'KUNIT_EXPECT_EQ_MSG'
>      773 |         KUNIT_EXPECT_EQ_MSG(test, left, right, NULL)
>          |         ^~~~~~~~~~~~~~~~~~~
>    lib/fortify_kunit.c:412:9: note: in expansion of macro 'KUNIT_EXPECT_EQ'
>      412 |         KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 1), end);
>          |         ^~~~~~~~~~~~~~~
>    lib/fortify_kunit.c:359:14: note: source object allocated here
>      359 |         char buf[32];
>          |              ^~~
>    lib/fortify_kunit.c:414:31: warning: 'strnlen' specified bound 34 exceeds source size 32 [-Wstringop-overread]
>      414 |         KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 2), end);
>    include/kunit/test.h:584:38: note: in definition of macro 'KUNIT_BASE_BINARY_ASSERTION'
>      584 |         const typeof(left) __left = (left);                                    \
>          |                                      ^~~~
>    include/kunit/test.h:776:9: note: in expansion of macro 'KUNIT_BINARY_INT_ASSERTION'
>      776 |         KUNIT_BINARY_INT_ASSERTION(test,                                       \
>          |         ^~~~~~~~~~~~~~~~~~~~~~~~~~
>    include/kunit/test.h:773:9: note: in expansion of macro 'KUNIT_EXPECT_EQ_MSG'
>      773 |         KUNIT_EXPECT_EQ_MSG(test, left, right, NULL)
>          |         ^~~~~~~~~~~~~~~~~~~
>    lib/fortify_kunit.c:414:9: note: in expansion of macro 'KUNIT_EXPECT_EQ'
>      414 |         KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 2), end);
>          |         ^~~~~~~~~~~~~~~
>    lib/fortify_kunit.c:359:14: note: source object allocated here
>      359 |         char buf[32];
>          |              ^~~
>
>
> vim +/strnlen +412 lib/fortify_kunit.c
>
>    387
>    388  static void strnlen_test(struct kunit *test)
>    389  {
>    390          struct fortify_padding pad = { };
>    391          int i, end = sizeof(pad.buf) - 1;
>    392
>    393          /* Fill 31 bytes with valid characters. */
>    394          for (i = 0; i < sizeof(pad.buf) - 1; i++)
>    395                  pad.buf[i] = i + '0';
>    396          /* Trailing bytes are still %NUL. */
>    397          KUNIT_EXPECT_EQ(test, pad.buf[end], '\0');
>    398          KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
>    399
>    400          /* String is terminated, so strnlen() is valid. */
>    401          KUNIT_EXPECT_EQ(test, strnlen(pad.buf, sizeof(pad.buf)), end);
>    402          KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
>    403          /* A truncated strnlen() will be safe, too. */
>    404          KUNIT_EXPECT_EQ(test, strnlen(pad.buf, sizeof(pad.buf) / 2),
>    405                                          sizeof(pad.buf) / 2);
>    406          KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
>    407
>    408          /* Make string unterminated, and recount. */
>    409          pad.buf[end] = 'A';
>    410          end = sizeof(pad.buf);
>    411          /* Reading beyond with strncpy() will fail. */
>  > 412          KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 1), end);
>    413          KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
>    414          KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 2), end);
>    415          KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
>    416
>    417          /* Early-truncated is safe still, though. */
>    418          KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end), end);
>    419          KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
>    420
>    421          end = sizeof(pad.buf) / 2;
>    422          KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end), end);
>    423          KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
>    424  }
>    425
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests



-- 
Thanks,
~Nick Desaulniers
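
The suppression discussed in the reply above, as an added userspace example (not code from this thread or from the kernel tree): a deliberate over-bound strnlen() on a 32-byte member, with -Wstringop-overread disabled only around that one call. The EX_DIAG_* macros are local stand-ins modelled on the kernel's __diag_push()/__diag_ignore()/__diag_pop(), and struct ex_padding is a constructed analogue of the test's padded buffer.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>

/* Local stand-ins for the kernel's __diag helpers (names are hypothetical). */
#define EX_DIAG_STR(s)	#s
#define EX_DIAG(s)	_Pragma(EX_DIAG_STR(GCC diagnostic s))
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 11
/* -Wstringop-overread exists from GCC 11 on; older compilers get no-ops. */
#define EX_DIAG_PUSH()		EX_DIAG(push)
#define EX_DIAG_IGNORE(opt)	EX_DIAG(ignored opt)
#define EX_DIAG_POP()		EX_DIAG(pop)
#else
#define EX_DIAG_PUSH()
#define EX_DIAG_IGNORE(opt)
#define EX_DIAG_POP()
#endif

/* Constructed layout: a zeroed member directly after buf stops the scan. */
struct ex_padding {
	char buf[32];
	unsigned long bytes_after;
};

/* Bound stays inside buf: no diagnostic, no suppression needed. */
size_t ex_len_in_bounds(void)
{
	struct ex_padding pad = { 0 };

	memset(pad.buf, 'A', sizeof(pad.buf));	/* unterminated on purpose */
	return strnlen(pad.buf, sizeof(pad.buf));
}

/* Constant bound of 33 on a 32-byte source: the case the robot flagged. */
size_t ex_len_past_end(void)
{
	struct ex_padding pad = { 0 };
	size_t len;

	memset(pad.buf, 'A', sizeof(pad.buf));	/* unterminated on purpose */
	EX_DIAG_PUSH();
	EX_DIAG_IGNORE("-Wstringop-overread");
	/* Scan runs one byte into bytes_after, which is zero. */
	len = strnlen(pad.buf, sizeof(pad.buf) + 1);
	EX_DIAG_POP();
	return len;
}
```

Keeping the push/pop pair tight around the single call leaves the warning active for the rest of the file, which a per-file compiler flag would not.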
