Message-ID: <202410170847.F6C111256F@keescook>
Date: Thu, 17 Oct 2024 09:07:13 -0700
From: Kees Cook <kees@...nel.org>
To: Paul Moore <paul@...l-moore.com>
Cc: Yafang Shao <laoar.shao@...il.com>, linux-hardening@...r.kernel.org
Subject: Re: Fwd: [linux-next:master 4380/4439]
include/linux/fortify-string.h:293:17: error: call to '__write_overflow'
declared with attribute error: detected write beyond size of object (1st
parameter)
On Thu, Oct 17, 2024 at 10:48:04AM -0400, Paul Moore wrote:
> I'm not sure why the kernel test robot only sent this to me, but this
> looks to be a strscpy() issue rather than an audit specific issue.
>
> ---------- Forwarded message ---------
> From: kernel test robot <lkp@...el.com>
> Date: Thu, Oct 17, 2024 at 2:29 AM
> Subject: [linux-next:master 4380/4439]
> include/linux/fortify-string.h:293:17: error: call to
> '__write_overflow' declared with attribute error: detected write
> beyond size of object (1st parameter)
> To: Paul Moore <paul@...l-moore.com>
> Cc: <oe-kbuild-all@...ts.linux.dev>
>
>
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
> master
> head: 15e7d45e786a62a211dd0098fee7c57f84f8c681
> commit: dfdb07df2ab66ff4fd2f82039e871e7ab922dc81 [4380/4439] Merge
> branch 'next' of
> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
> config: x86_64-randconfig-005-20241017
> (https://download.01.org/0day-ci/archive/20241017/202410171420.1V00ICVG-lkp@intel.com/config)
> compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
> reproduce (this is a W=1 build):
> (https://download.01.org/0day-ci/archive/20241017/202410171420.1V00ICVG-lkp@intel.com/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@...el.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202410171420.1V00ICVG-lkp@intel.com/
>
> All errors (new ones prefixed by >>):
>
> In file included from include/linux/string.h:390,
> from include/linux/bitmap.h:13,
> from include/linux/cpumask.h:12,
> from include/linux/smp.h:13,
> from include/linux/lockdep.h:14,
> from include/linux/spinlock.h:63,
> from include/linux/wait.h:9,
> from include/linux/wait_bit.h:8,
> from include/linux/fs.h:6,
> from kernel/auditsc.c:37:
> In function 'sized_strscpy',
> inlined from '__audit_ptrace' at kernel/auditsc.c:2732:2:
> >> include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
> 293 | __write_overflow();
> | ^~~~~~~~~~~~~~~~~~

This is a compile-time bounds check. Let's take a look:

void __audit_ptrace(struct task_struct *t)
{
        struct audit_context *context = audit_context();
        ...
        strscpy(context->target_comm, t->comm);

struct audit_context {
        ...
        char target_comm[TASK_COMM_LEN];

struct task_struct {
        ...
        char comm[TASK_COMM_LEN];

So this should be impossible, since the strscpy() check is:

#define __member_size(p) __builtin_object_size(p, 1)
...
#define __compiletime_lessthan(bounds, length) ( \
        __builtin_constant_p((bounds) < (length)) && \
        (bounds) < (length) \
)
...
        const size_t p_size = __member_size(p);
        ...
        if (__compiletime_lessthan(p_size, size))
                __write_overflow();

This test should resolve to:

        if (TASK_COMM_LEN < TASK_COMM_LEN)
                __write_overflow();

I can reproduce this with the randconfig linked above, but not with
allmodconfig nor defconfig+CONFIG_FORTIFY_SOURCE.

Something in the .config is causing the error. (!?) I will start a
CONFIG bisect...

--
Kees Cook
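
A user-space model of the check quoted in the message above, added here as an illustration; it is not code from the kernel tree or from this thread. The struct names, the TASK_COMM_LEN value of 16, the verdict enum and the helper functions are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

#define TASK_COMM_LEN 16 /* assumed value for this model */

/* The two macros quoted in the message, renamed for user space. */
#define member_size(p) __builtin_object_size(p, 1)
#define compiletime_lessthan(bounds, length) \
	(__builtin_constant_p((bounds) < (length)) && (bounds) < (length))

/* Constructed stand-ins; the arrays are kept away from the struct tail. */
struct ctx_model { int pid; char target_comm[TASK_COMM_LEN]; char short_comm[8]; int id; };
struct task_model { int pid; char comm[TASK_COMM_LEN]; int flags; };

struct ctx_model ctx;
struct task_model task;

enum verdict { FITS, OVERFLOW_AT_BUILD, OVERFLOW_AT_RUN };

/*
 * Destination check as a macro, so the builtin sees the array expression
 * directly. OVERFLOW_AT_BUILD marks the branch where the kernel calls
 * __write_overflow() and the build stops; OVERFLOW_AT_RUN is this model's
 * fallback for a comparison the compiler did not fold to a constant.
 */
#define check_write(dst, size) \
	(compiletime_lessthan(member_size(dst), (size)) ? OVERFLOW_AT_BUILD : \
	 member_size(dst) < (size) ? OVERFLOW_AT_RUN : FITS)

size_t seen_size(void) { return member_size(ctx.target_comm); }

/* The case from the thread: both arrays are TASK_COMM_LEN bytes. */
int same_size_copy(void) { return check_write(ctx.target_comm, sizeof(task.comm)); }

/* One byte more than the destination member holds. */
int oversized_copy(void) { return check_write(ctx.target_comm, sizeof(task.comm) + 1); }

/* A destination member that really is smaller than the source. */
int small_dest_copy(void) { return check_write(ctx.short_comm, sizeof(task.comm)); }

int main(void)
{
	printf("member size seen by the compiler: %zu\n", seen_size());
	printf("same size: %d, +1 byte: %d, small dest: %d\n",
	       same_size_copy(), oversized_copy(), small_dest_copy());
	return 0;
}
```

Which of the two overflow verdicts is reported depends on whether the compiler folds the comparison to a constant at the chosen optimization level; the equal-size copy reports FITS either way.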