[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhQasYp3dkv5Mx4uEy7ZmtYWywU2wJrto_xvUAjgScXL5w@mail.gmail.com>
Date: Thu, 17 Oct 2024 10:48:04 -0400
From: Paul Moore <paul@...l-moore.com>
To: Yafang Shao <laoar.shao@...il.com>, linux-hardening@...r.kernel.org
Cc: Kees Cook <kees@...nel.org>
Subject: Fwd: [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17:
error: call to '__write_overflow' declared with attribute error: detected
write beyond size of object (1st parameter)
I'm not sure why the kernel test robot only sent this to me, but this
looks to be a strscpy() issue rather than an audit specific issue.
---------- Forwarded message ---------
From: kernel test robot <lkp@...el.com>
Date: Thu, Oct 17, 2024 at 2:29 AM
Subject: [linux-next:master 4380/4439]
include/linux/fortify-string.h:293:17: error: call to
'__write_overflow' declared with attribute error: detected write
beyond size of object (1st parameter)
To: Paul Moore <paul@...l-moore.com>
Cc: <oe-kbuild-all@...ts.linux.dev>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
master
head: 15e7d45e786a62a211dd0098fee7c57f84f8c681
commit: dfdb07df2ab66ff4fd2f82039e871e7ab922dc81 [4380/4439] Merge
branch 'next' of
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
config: x86_64-randconfig-005-20241017
(https://download.01.org/0day-ci/archive/20241017/202410171420.1V00ICVG-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build):
(https://download.01.org/0day-ci/archive/20241017/202410171420.1V00ICVG-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410171420.1V00ICVG-lkp@intel.com/
All errors (new ones prefixed by >>):
In file included from include/linux/string.h:390,
from include/linux/bitmap.h:13,
from include/linux/cpumask.h:12,
from include/linux/smp.h:13,
from include/linux/lockdep.h:14,
from include/linux/spinlock.h:63,
from include/linux/wait.h:9,
from include/linux/wait_bit.h:8,
from include/linux/fs.h:6,
from kernel/auditsc.c:37:
In function 'sized_strscpy',
inlined from '__audit_ptrace' at kernel/auditsc.c:2732:2:
>> include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
293 | __write_overflow();
| ^~~~~~~~~~~~~~~~~~
In function 'sized_strscpy',
inlined from 'audit_signal_info_syscall' at kernel/auditsc.c:2759:3:
>> include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
293 | __write_overflow();
| ^~~~~~~~~~~~~~~~~~
vim +/__write_overflow +293 include/linux/fortify-string.h
a28a6e860c6cf2 Francis Laniel 2021-02-25 274
03699f271de1f4 Kees Cook 2022-09-02 275 /* Defined after
fortified strnlen() to reuse it. */
e6584c3964f2ff Kees Cook 2023-09-20 276 extern ssize_t
__real_strscpy(char *, const char *, size_t) __RENAME(sized_strscpy);
e6584c3964f2ff Kees Cook 2023-09-20 277 __FORTIFY_INLINE
ssize_t sized_strscpy(char * const POS p, const char * const POS q,
size_t size)
a28a6e860c6cf2 Francis Laniel 2021-02-25 278 {
a28a6e860c6cf2 Francis Laniel 2021-02-25 279 /* Use string size
rather than possible enclosing struct size. */
21a2c74b0a2a78 Kees Cook 2023-04-07 280 const size_t p_size =
__member_size(p);
21a2c74b0a2a78 Kees Cook 2023-04-07 281 const size_t q_size =
__member_size(q);
21a2c74b0a2a78 Kees Cook 2023-04-07 282 size_t len;
a28a6e860c6cf2 Francis Laniel 2021-02-25 283
a28a6e860c6cf2 Francis Laniel 2021-02-25 284 /* If we cannot get
size of p and q default to call strscpy. */
311fb40aa0569a Kees Cook 2022-09-02 285 if (p_size == SIZE_MAX
&& q_size == SIZE_MAX)
a28a6e860c6cf2 Francis Laniel 2021-02-25 286 return
__real_strscpy(p, q, size);
a28a6e860c6cf2 Francis Laniel 2021-02-25 287
a28a6e860c6cf2 Francis Laniel 2021-02-25 288 /*
a28a6e860c6cf2 Francis Laniel 2021-02-25 289 * If size can be
known at compile time and is greater than
a28a6e860c6cf2 Francis Laniel 2021-02-25 290 * p_size, generate a
compile time write overflow error.
a28a6e860c6cf2 Francis Laniel 2021-02-25 291 */
fa35198f39571b Kees Cook 2022-09-19 292 if
(__compiletime_lessthan(p_size, size))
a28a6e860c6cf2 Francis Laniel 2021-02-25 @293 __write_overflow();
a28a6e860c6cf2 Francis Laniel 2021-02-25 294
62e1cbfc5d7953 Kees Cook 2022-10-02 295 /* Short-circuit for
compile-time known-safe lengths. */
62e1cbfc5d7953 Kees Cook 2022-10-02 296 if
(__compiletime_lessthan(p_size, SIZE_MAX)) {
62e1cbfc5d7953 Kees Cook 2022-10-02 297 len =
__compiletime_strlen(q);
62e1cbfc5d7953 Kees Cook 2022-10-02 298
62e1cbfc5d7953 Kees Cook 2022-10-02 299 if (len <
SIZE_MAX && __compiletime_lessthan(len, size)) {
62e1cbfc5d7953 Kees Cook 2022-10-02 300
__underlying_memcpy(p, q, len + 1);
62e1cbfc5d7953 Kees Cook 2022-10-02 301 return len;
62e1cbfc5d7953 Kees Cook 2022-10-02 302 }
62e1cbfc5d7953 Kees Cook 2022-10-02 303 }
62e1cbfc5d7953 Kees Cook 2022-10-02 304
a28a6e860c6cf2 Francis Laniel 2021-02-25 305 /*
a28a6e860c6cf2 Francis Laniel 2021-02-25 306 * This call protects
from read overflow, because len will default to q
a28a6e860c6cf2 Francis Laniel 2021-02-25 307 * length if it
smaller than size.
a28a6e860c6cf2 Francis Laniel 2021-02-25 308 */
a28a6e860c6cf2 Francis Laniel 2021-02-25 309 len = strnlen(q, size);
a28a6e860c6cf2 Francis Laniel 2021-02-25 310 /*
a28a6e860c6cf2 Francis Laniel 2021-02-25 311 * If len equals size,
we will copy only size bytes which leads to
a28a6e860c6cf2 Francis Laniel 2021-02-25 312 * -E2BIG being returned.
a28a6e860c6cf2 Francis Laniel 2021-02-25 313 * Otherwise we will
copy len + 1 because of the final '\O'.
a28a6e860c6cf2 Francis Laniel 2021-02-25 314 */
a28a6e860c6cf2 Francis Laniel 2021-02-25 315 len = len == size ?
size : len + 1;
a28a6e860c6cf2 Francis Laniel 2021-02-25 316
a28a6e860c6cf2 Francis Laniel 2021-02-25 317 /*
a28a6e860c6cf2 Francis Laniel 2021-02-25 318 * Generate a runtime
write overflow error if len is greater than
a28a6e860c6cf2 Francis Laniel 2021-02-25 319 * p_size.
a28a6e860c6cf2 Francis Laniel 2021-02-25 320 */
3d965b33e40d97 Kees Cook 2023-04-07 321 if (p_size < len)
3d965b33e40d97 Kees Cook 2023-04-07 322
fortify_panic(FORTIFY_FUNC_strscpy, FORTIFY_WRITE, p_size, len,
-E2BIG);
a28a6e860c6cf2 Francis Laniel 2021-02-25 323
a28a6e860c6cf2 Francis Laniel 2021-02-25 324 /*
a28a6e860c6cf2 Francis Laniel 2021-02-25 325 * We can now safely
call vanilla strscpy because we are protected from:
a28a6e860c6cf2 Francis Laniel 2021-02-25 326 * 1. Read overflow
thanks to call to strnlen().
a28a6e860c6cf2 Francis Laniel 2021-02-25 327 * 2. Write overflow
thanks to above ifs.
a28a6e860c6cf2 Francis Laniel 2021-02-25 328 */
a28a6e860c6cf2 Francis Laniel 2021-02-25 329 return
__real_strscpy(p, q, len);
a28a6e860c6cf2 Francis Laniel 2021-02-25 330 }
a28a6e860c6cf2 Francis Laniel 2021-02-25 331
:::::: The code at line 293 was first introduced by commit
:::::: a28a6e860c6cf231cf3c5171c75c342adcd00406 string.h: move
fortified functions definitions in a dedicated header.
:::::: TO: Francis Laniel <laniel_francis@...vacyrequired.com>
:::::: CC: Linus Torvalds <torvalds@...ux-foundation.org>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
--
paul-moore.com
Powered by blists - more mailing lists