| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202208311138.2CA3E54B0D@keescook>
Date: Wed, 31 Aug 2022 12:06:26 -0700
From: Kees Cook <keescook@...omium.org>
To: Nick Desaulniers <ndesaulniers@...gle.com>
Cc: Nathan Chancellor <nathan@...nel.org>, Tom Rix <trix@...hat.com>,
linux-hardening@...r.kernel.org, linux-kernel@...r.kernel.org,
llvm@...ts.linux.dev, Jiri Kosina <jikos@...nel.org>,
Benjamin Tissoires <benjamin.tissoires@...hat.com>,
linux-input@...r.kernel.org, Masahiro Yamada <masahiroy@...nel.org>
Subject: Re: [PATCH 2/3] fortify: cosmetic cleanups to __compiletime_strlen
On Tue, Aug 30, 2022 at 01:53:08PM -0700, Nick Desaulniers wrote:
> Two things I noticed in __compiletime_strlen:
Four? :)
> 1. A temporary, __p, is created+used to avoid repeated side effects from
> multiple evaluation of the macro parameter, but the macro parameter
> was being used accidentally in __builtin_object_size.
__builtin_object_size(), like sizeof() but unlike __builtin_strlen(),
will not evaluate side-effects: https://godbolt.org/z/Yaa1z7YvK
And using bos on __p will sometimes mask the actual object, so p needs to
stay the argument.
> 2. The temporary has a curious signedness and const-less qualification.
> Just use __auto_type.
__auto_type is pretty rare in the kernel, but does provide the removal
of "const". Even though the kernel builds with -Wno-pointer-sign, the
explicit case does fix a potential warnings about signedness differences,
not just const differences, for __builtin_strlen() which requires "const
char *", but many arguments are "unsigned char *", "u8 *", etc.
Is __auto_type more readable than the explicit cast? It does seem to
work fine.
> 3. (size_t)-1 is perhaps more readable as -1UL.
That's true, though I kind of prefer (size_t)-1, though yes, it appears
to be the extreme minority in the kernel.
> 4. __p_size == -1UL when __builtin_object_size can't evaluate the
> object size at compile time. We could just reuse __ret and use one
> less variable here.
This seems to get entire optimized away by the compiler? I think it's
more readable to keep the explicit variable.
-Kees
>
> Signed-off-by: Nick Desaulniers <ndesaulniers@...gle.com>
> ---
> include/linux/fortify-string.h | 9 ++++-----
> 1 file changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
> index c5adad596a3f..aaf73575050f 100644
> --- a/include/linux/fortify-string.h
> +++ b/include/linux/fortify-string.h
> @@ -22,11 +22,10 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
>
> #define __compiletime_strlen(p) \
> ({ \
> - unsigned char *__p = (unsigned char *)(p); \
> - size_t __ret = (size_t)-1; \
> - size_t __p_size = __object_size(p, 1); \
> - if (__p_size != (size_t)-1) { \
> - size_t __p_len = __p_size - 1; \
> + __auto_type __p = (p); \
> + size_t __ret = __object_size(__p, 1); \
> + if (__ret != -1UL) { \
> + size_t __p_len = __ret - 1; \
> if (__builtin_constant_p(__p[__p_len]) && \
> __p[__p_len] == '\0') \
> __ret = __builtin_strlen(__p); \
> --
> 2.37.2.672.g94769d06f0-goog
>
--
Kees Cook
Powered by blists - more mailing lists