| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250112-strlen_use_builtin_constant_p-v2-1-2c85b928c9f4@wanadoo.fr>
Date: Sun, 12 Jan 2025 00:03:05 +0900
From: Vincent Mailhol <mailhol.vincent@...adoo.fr>
To: Kees Cook <kees@...nel.org>, Nathan Chancellor <nathan@...nel.org>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Bill Wendling <morbo@...gle.com>, Justin Stitt <justinstitt@...gle.com>
Cc: David Laight <david.laight@...lab.com>, linux-hardening@...r.kernel.org,
linux-kernel@...r.kernel.org, llvm@...ts.linux.dev,
Vincent Mailhol <mailhol.vincent@...adoo.fr>
Subject: [PATCH v2] fortify: use __builtin_constant_p() in strlen()
The strlen(p) function-like macro uses:
__is_constexpr(__builtin_strlen(p))
in which GCC would only yield true if the argument p is a string
literal. Otherwise, GCC would return false even if p is a const
string.
In contrary, by using:
__builtin_constant_p(__builtin_strlen(p))
then GCC can also recognizes when p is a compile time constant string.
The above is illustrated in [1].
N.B.: clang is not impacted by any of this and gives the same results
with either __is_constexpr() and __builting_constant_p().
Use __builtin_constant_p() instead of __is_constexpr() so that GCC can
do the folding on compile time constant strings.
Replace the __builtin_choose_expr() by a ternary expression because it
is sufficient and it is the pattern advertised in GCC documentation
for initializers for static data [2].
Finally, __is_constexpr() was historically defined in linux/const.h.
Meanwhile is has been moved to compiler.h. Regardless, the
linux/const.h include directive is not needed any more so remove it.
[1] https://godbolt.org/z/rqr3YvoP4
[2] https://gcc.gnu.org/onlinedocs/gcc/Other-Builtins.html#index-_005f_005fbuiltin_005fconstant_005fp
Signed-off-by: Vincent Mailhol <mailhol.vincent@...adoo.fr>
---
This patch is the successor of patch [1] which was part of a longer
series [2]. Meanwhile, I decided to split it, so I am sending this again,
but as a stand-alone patch.
Changes in v2:
- only keep the s/__is_constexpr/__builtin_constant_p/g, do not
change strlen() into an inline function anymore
- Link to v1: https://lore.kernel.org/r/20250108-strlen_use_builtin_constant_p-v1-1-611b52e80a9f@wanadoo.fr
Changes since [1]:
- use __builtin_constant_p() instead and turn strlen() into an
inline function
[1] https://lore.kernel.org/all/20241203-is_constexpr-refactor-v1-6-4e4cbaecc216@wanadoo.fr/
[2] https://lore.kernel.org/all/20241203-is_constexpr-refactor-v1-0-4e4cbaecc216@wanadoo.fr/
---
include/linux/fortify-string.h | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index e4ce1cae03bf770047ce8a7c032b183683388cd5..ae56a52bf0c5c5d34c4f7029c821ac6ea9f52c3b 100644
--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
@@ -4,7 +4,6 @@
#include <linux/bitfield.h>
#include <linux/bug.h>
-#include <linux/const.h>
#include <linux/limits.h>
#define __FORTIFY_INLINE extern __always_inline __gnu_inline __overloadable
@@ -255,8 +254,8 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char * const POS p, __kernel_size
*
*/
#define strlen(p) \
- __builtin_choose_expr(__is_constexpr(__builtin_strlen(p)), \
- __builtin_strlen(p), __fortify_strlen(p))
+ (__builtin_constant_p(__builtin_strlen(p)) ? \
+ __builtin_strlen(p) : __fortify_strlen(p))
__FORTIFY_INLINE __diagnose_as(__builtin_strlen, 1)
__kernel_size_t __fortify_strlen(const char * const POS p)
{
---
base-commit: 9d89551994a430b50c4fffcb1e617a057fa76e20
change-id: 20250105-strlen_use_builtin_constant_p-515aca505ca4
Best regards,
--
Vincent Mailhol <mailhol.vincent@...adoo.fr>
Powered by blists - more mailing lists