| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250520163320.work.924-kees@kernel.org>
Date: Tue, 20 May 2025 09:33:21 -0700
From: Kees Cook <kees@...nel.org>
To: Mickaël Salaün <mic@...ikod.net>
Cc: Kees Cook <kees@...nel.org>,
kernel test robot <lkp@...el.com>,
Randy Dunlap <rdunlap@...radead.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
x86@...nel.org,
"H. Peter Anvin" <hpa@...or.com>,
Andy Shevchenko <andy@...nel.org>,
Uros Bizjak <ubizjak@...il.com>,
linux-hardening@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] string.h: Provide basic sanity checks for fallback memcpy()
Instead of defining memcpy() in terms of __builtin_memcpy() deep
in arch/x86/include/asm/string_32.h, notice that it is needed up in
the general string.h, as done with other common C String APIs. This
allows us to add basic sanity checking for pathological "size"
arguments to memcpy(). Besides the run-time checking benefit, this
avoids GCC trying to be very smart about value range tracking[1] when
CONFIG_PROFILE_ALL_BRANCHES=y but FORTIFY_SOURCE=n.
Link: https://lore.kernel.org/all/202505191117.C094A90F88@keescook/ [1]
Reported-by: kernel test robot <lkp@...el.com>
Closes: https://lore.kernel.org/all/202501040747.S3LYfvYq-lkp@intel.com/
Reported-by: Randy Dunlap <rdunlap@...radead.org>
Closes: https://lore.kernel.org/all/e3754f69-1dea-4542-8de0-a567a14fb95b@infradead.org/
Signed-off-by: Kees Cook <kees@...nel.org>
---
Cc: "Mickaël Salaün" <mic@...ikod.net>
Cc: Thomas Gleixner <tglx@...utronix.de>
Cc: Ingo Molnar <mingo@...hat.com>
Cc: Borislav Petkov <bp@...en8.de>
Cc: Dave Hansen <dave.hansen@...ux.intel.com>
Cc: <x86@...nel.org>
Cc: "H. Peter Anvin" <hpa@...or.com>
Cc: Andy Shevchenko <andy@...nel.org>
Cc: Uros Bizjak <ubizjak@...il.com>
Cc: <linux-hardening@...r.kernel.org>
---
arch/x86/include/asm/string_32.h | 6 ------
include/linux/string.h | 13 +++++++++++++
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/arch/x86/include/asm/string_32.h b/arch/x86/include/asm/string_32.h
index 32c0d981a82a..fad9566f43a6 100644
--- a/arch/x86/include/asm/string_32.h
+++ b/arch/x86/include/asm/string_32.h
@@ -145,12 +145,6 @@ static __always_inline void *__constant_memcpy(void *to, const void *from,
#define __HAVE_ARCH_MEMCPY
extern void *memcpy(void *, const void *, size_t);
-#ifndef CONFIG_FORTIFY_SOURCE
-
-#define memcpy(t, f, n) __builtin_memcpy(t, f, n)
-
-#endif /* !CONFIG_FORTIFY_SOURCE */
-
#define __HAVE_ARCH_MEMMOVE
void *memmove(void *dest, const void *src, size_t n);
diff --git a/include/linux/string.h b/include/linux/string.h
index 01621ad0f598..a1f8fdcf8482 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -4,6 +4,7 @@
#include <linux/args.h>
#include <linux/array_size.h>
+#include <linux/bug.h>
#include <linux/cleanup.h> /* for DEFINE_FREE() */
#include <linux/compiler.h> /* for inline */
#include <linux/types.h> /* for size_t */
@@ -390,7 +391,19 @@ static inline const char *kbasename(const char *path)
#if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
#include <linux/fortify-string.h>
+#else
+/* Basic sanity checking even without FORTIFY_SOURCE */
+# ifndef __HAVE_ARCH_MEMCPY
+# define memcpy(t, f, n) \
+ do { \
+ typeof(n) __n = (n); \
+ /* Skip impossible sizes. */ \
+ if (!WARN_ON(__n < 0 || __n == SIZE_MAX)) \
+ __builtin_memcpy(t, f, __n); \
+ } while (0)
+# endif
#endif
+
#ifndef unsafe_memcpy
#define unsafe_memcpy(dst, src, bytes, justification) \
memcpy(dst, src, bytes)
--
2.34.1
Powered by blists - more mailing lists