lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250108-strlen_use_builtin_constant_p-v1-1-611b52e80a9f@wanadoo.fr>
Date: Wed, 08 Jan 2025 23:27:51 +0900
From: Vincent Mailhol <mailhol.vincent@...adoo.fr>
To: Kees Cook <kees@...nel.org>, Nathan Chancellor <nathan@...nel.org>, 
 Nick Desaulniers <ndesaulniers@...gle.com>, 
 Bill Wendling <morbo@...gle.com>, Justin Stitt <justinstitt@...gle.com>
Cc: David Laight <david.laight@...lab.com>, linux-hardening@...r.kernel.org, 
 linux-kernel@...r.kernel.org, llvm@...ts.linux.dev, 
 Vincent Mailhol <mailhol.vincent@...adoo.fr>
Subject: [PATCH] fortify: turn strlen() into an inline function using
 __builtin_constant_p()

The strlen(p) function-like macro uses:

  __is_constexpr(__builtin_strlen(p))

in which GCC would only yield true if the argument p is a string
literal. Otherwise, GCC would return false even if p is a const
string.

In contrary, by using:

  __builtin_constant_p(__builtin_strlen(p))

then GCC can also recognizes when p is a compile time constant string.

The above is illustrated in [1].

N.B.: clang is not impacted by any of this and gives the same results
with either __is_constexpr() and __builting_constant_p().

Use __builtin_constant_p() instead of __is_constexpr() so that GCC can
do the folding on constant strings. This done, strlen() does not
require any more to be a function-like macro, so turn it into a static
inline function. In the process, __fortify_strlen() had to be moved
above strlen() so that it became visible to strlen().

On a side note, strlen() did a double expansion of its argument p.
Turning it into an inline function also resolved this side issue.

[1] https://godbolt.org/z/rqr3YvoP4

Signed-off-by: Vincent Mailhol <mailhol.vincent@...adoo.fr>
---
This patch is the successor of patch [1] which was part of a longer
series [2]. Meanwhile, I decided to split it, so I am sending this again,
but as a stand-alone patch.

Changelog since [1]: use __builtin_constant_p() instead and turn
strlen() into an inline function

[1] https://lore.kernel.org/all/20241203-is_constexpr-refactor-v1-6-4e4cbaecc216@wanadoo.fr/
[2] https://lore.kernel.org/all/20241203-is_constexpr-refactor-v1-0-4e4cbaecc216@wanadoo.fr/
---
 include/linux/fortify-string.h | 34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index e4ce1cae03bf770047ce8a7c032b183683388cd5..bd22dd66e5f5b66ad839df42247e6436e0afd053 100644
--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
@@ -4,7 +4,6 @@
 
 #include <linux/bitfield.h>
 #include <linux/bug.h>
-#include <linux/const.h>
 #include <linux/limits.h>
 
 #define __FORTIFY_INLINE extern __always_inline __gnu_inline __overloadable
@@ -241,6 +240,21 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char * const POS p, __kernel_size
  * possible for strlen() to be used on compile-time strings for use in
  * static initializers (i.e. as a constant expression).
  */
+__FORTIFY_INLINE __diagnose_as(__builtin_strlen, 1)
+__kernel_size_t __fortify_strlen(const char * const POS p)
+{
+	const size_t p_size = __member_size(p);
+	__kernel_size_t ret;
+
+	/* Give up if we don't know how large p is. */
+	if (p_size == SIZE_MAX)
+		return __underlying_strlen(p);
+	ret = strnlen(p, p_size);
+	if (p_size <= ret)
+		fortify_panic(FORTIFY_FUNC_strlen, FORTIFY_READ, p_size, ret + 1, ret);
+	return ret;
+}
+
 /**
  * strlen - Return count of characters in a NUL-terminated string
  *
@@ -254,22 +268,12 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char * const POS p, __kernel_size
  * Returns number of characters in @p (NOT including the final NUL).
  *
  */
-#define strlen(p)							\
-	__builtin_choose_expr(__is_constexpr(__builtin_strlen(p)),	\
-		__builtin_strlen(p), __fortify_strlen(p))
 __FORTIFY_INLINE __diagnose_as(__builtin_strlen, 1)
-__kernel_size_t __fortify_strlen(const char * const POS p)
+__kernel_size_t strlen(const char *p)
 {
-	const size_t p_size = __member_size(p);
-	__kernel_size_t ret;
-
-	/* Give up if we don't know how large p is. */
-	if (p_size == SIZE_MAX)
-		return __underlying_strlen(p);
-	ret = strnlen(p, p_size);
-	if (p_size <= ret)
-		fortify_panic(FORTIFY_FUNC_strlen, FORTIFY_READ, p_size, ret + 1, ret);
-	return ret;
+	if (__builtin_constant_p(__builtin_strlen(p)))
+		return __builtin_strlen(p);
+	return __fortify_strlen(p);
 }
 
 /* Defined after fortified strnlen() to reuse it. */

---
base-commit: 9d89551994a430b50c4fffcb1e617a057fa76e20
change-id: 20250105-strlen_use_builtin_constant_p-515aca505ca4

Best regards,
-- 
Vincent Mailhol <mailhol.vincent@...adoo.fr>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ