Message-ID: <202410170847.F6C111256F@keescook>
Date: Thu, 17 Oct 2024 09:07:13 -0700
From: Kees Cook <kees@...nel.org>
To: Paul Moore <paul@...l-moore.com>
Cc: Yafang Shao <laoar.shao@...il.com>, linux-hardening@...r.kernel.org
Subject: Re: Fwd: [linux-next:master 4380/4439]
 include/linux/fortify-string.h:293:17: error: call to '__write_overflow'
 declared with attribute error: detected write beyond size of object (1st
 parameter)

On Thu, Oct 17, 2024 at 10:48:04AM -0400, Paul Moore wrote:
> I'm not sure why the kernel test robot only sent this to me, but this
> looks to be a strscpy() issue rather than an audit specific issue.
> 
> ---------- Forwarded message ---------
> From: kernel test robot <lkp@...el.com>
> Date: Thu, Oct 17, 2024 at 2:29 AM
> Subject: [linux-next:master 4380/4439]
> include/linux/fortify-string.h:293:17: error: call to
> '__write_overflow' declared with attribute error: detected write
> beyond size of object (1st parameter)
> To: Paul Moore <paul@...l-moore.com>
> Cc: <oe-kbuild-all@...ts.linux.dev>
> 
> 
> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
> master
> head:   15e7d45e786a62a211dd0098fee7c57f84f8c681
> commit: dfdb07df2ab66ff4fd2f82039e871e7ab922dc81 [4380/4439] Merge
> branch 'next' of
> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
> config: x86_64-randconfig-005-20241017
> (https://download.01.org/0day-ci/archive/20241017/202410171420.1V00ICVG-lkp@intel.com/config)
> compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
> reproduce (this is a W=1 build):
> (https://download.01.org/0day-ci/archive/20241017/202410171420.1V00ICVG-lkp@intel.com/reproduce)
> 
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@...el.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202410171420.1V00ICVG-lkp@intel.com/
> 
> All errors (new ones prefixed by >>):
> 
>    In file included from include/linux/string.h:390,
>                     from include/linux/bitmap.h:13,
>                     from include/linux/cpumask.h:12,
>                     from include/linux/smp.h:13,
>                     from include/linux/lockdep.h:14,
>                     from include/linux/spinlock.h:63,
>                     from include/linux/wait.h:9,
>                     from include/linux/wait_bit.h:8,
>                     from include/linux/fs.h:6,
>                     from kernel/auditsc.c:37:
>    In function 'sized_strscpy',
>        inlined from '__audit_ptrace' at kernel/auditsc.c:2732:2:
> >> include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
>      293 |                 __write_overflow();
>          |                 ^~~~~~~~~~~~~~~~~~

This is a compile-time bounds check. Let's take a look:

void __audit_ptrace(struct task_struct *t)
{
        struct audit_context *context = audit_context();
        ...
        strscpy(context->target_comm, t->comm);

struct audit_context {
        ...
        char                target_comm[TASK_COMM_LEN];

struct task_struct {
        ...
        char                            comm[TASK_COMM_LEN];

So this should be impossible, since the strscpy() check is:

#define __member_size(p)        __builtin_object_size(p, 1)
...
#define __compiletime_lessthan(bounds, length)  (       \
        __builtin_constant_p((bounds) < (length)) &&    \
        (bounds) < (length)                             \
)
...
        const size_t p_size = __member_size(p);
        ...
        if (__compiletime_lessthan(p_size, size))
                __write_overflow();

This test should resolve to:

        if (TASK_COMM_LEN < TASK_COMM_LEN)
                __write_overflow();

I can reproduce this with the randconfig linked above, but not with
allmodconfig nor defconfig+CONFIG_FORTIFY_SOURCE.

Something in the .config is causing the error. (!?) I will start a
CONFIG bisect...

-- 
Kees Cook
