diff mbox series

fortify: Provide a memcpy trap door for sharp corners

Message ID 20220511025301.3636666-1-keescook@chromium.org (mailing list archive)
State Accepted
Commit 43213daed6d6cb60e8cf69058a6db8648a556d9d
Delegated to: Netdev Maintainers
Headers show
Series fortify: Provide a memcpy trap door for sharp corners | expand

Checks

Context Check Description
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 18090 this patch: 18090
netdev/cc_maintainers warning 2 maintainers not CCed: andriy.shevchenko@linux.intel.com linux@roeck-us.net
netdev/build_clang success Errors and warnings before: 3311 this patch: 3311
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 17324 this patch: 17324
netdev/checkpatch warning CHECK: Alignment should match open parenthesis WARNING: line length of 83 exceeds 80 columns
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/tree_selection success Guessing tree name failed - patch did not apply

Commit Message

Kees Cook May 11, 2022, 2:53 a.m. UTC
As we continue to narrow the scope of what the FORTIFY memcpy() will
accept and build alternative APIs that give the compiler appropriate
visibility into more complex memcpy scenarios, there is a need for
"unfortified" memcpy use in rare cases where combinations of compiler
behaviors, source code layout, etc, result in cases where the stricter
memcpy checks need to be bypassed until appropriate solutions can be
developed (i.e. fix compiler bugs, code refactoring, new API, etc). The
intention is for this to be used only if there's no other reasonable
solution, for its use to include a justification that can be used
to assess future solutions, and for it to be temporary.

Example usage included, based on analysis and discussion from:
https://lore.kernel.org/netdev/CANn89iLS_2cshtuXPyNUGDPaic=sJiYfvTb_wNLgWrZRyBxZ_g@mail.gmail.com

Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Coco Li <lixiaoyan@google.com>
Cc: Tariq Toukan <tariqt@nvidia.com>
Cc: Saeed Mahameed <saeedm@nvidia.com>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: netdev@vger.kernel.org
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_tx.c |  8 +++++++-
 include/linux/fortify-string.h                  | 16 ++++++++++++++++
 include/linux/string.h                          |  4 ++++
 3 files changed, 27 insertions(+), 1 deletion(-)

Comments

Jakub Kicinski May 11, 2022, 4:24 p.m. UTC | #1
On Tue, 10 May 2022 19:53:01 -0700 Kees Cook wrote:
> As we continue to narrow the scope of what the FORTIFY memcpy() will
> accept and build alternative APIs that give the compiler appropriate
> visibility into more complex memcpy scenarios, there is a need for
> "unfortified" memcpy use in rare cases where combinations of compiler
> behaviors, source code layout, etc, result in cases where the stricter
> memcpy checks need to be bypassed until appropriate solutions can be
> developed (i.e. fix compiler bugs, code refactoring, new API, etc). The
> intention is for this to be used only if there's no other reasonable
> solution, for its use to include a justification that can be used
> to assess future solutions, and for it to be temporary.
> 
> Example usage included, based on analysis and discussion from:
> https://lore.kernel.org/netdev/CANn89iLS_2cshtuXPyNUGDPaic=sJiYfvTb_wNLgWrZRyBxZ_g@mail.gmail.com

Saeed, ack for taking this in directly? Or do you prefer to take this
plus Eric's last BIG TCP patch via your tree?
Saeed Mahameed May 12, 2022, 8:42 a.m. UTC | #2
On 11 May 09:24, Jakub Kicinski wrote:
>On Tue, 10 May 2022 19:53:01 -0700 Kees Cook wrote:
>> As we continue to narrow the scope of what the FORTIFY memcpy() will
>> accept and build alternative APIs that give the compiler appropriate
>> visibility into more complex memcpy scenarios, there is a need for
>> "unfortified" memcpy use in rare cases where combinations of compiler
>> behaviors, source code layout, etc, result in cases where the stricter
>> memcpy checks need to be bypassed until appropriate solutions can be
>> developed (i.e. fix compiler bugs, code refactoring, new API, etc). The
>> intention is for this to be used only if there's no other reasonable
>> solution, for its use to include a justification that can be used
>> to assess future solutions, and for it to be temporary.
>>
>> Example usage included, based on analysis and discussion from:
>> https://lore.kernel.org/netdev/CANn89iLS_2cshtuXPyNUGDPaic=sJiYfvTb_wNLgWrZRyBxZ_g@mail.gmail.com
>
>Saeed, ack for taking this in directly? Or do you prefer to take this
>plus Eric's last BIG TCP patch via your tree?

Please take both, I asked Eric a question on the BIG TCP patch, but I
won't block the series.

Thanks!
patchwork-bot+netdevbpf@kernel.org May 12, 2022, 9:10 a.m. UTC | #3
Hello:

This patch was applied to netdev/net-next.git (master)
by Paolo Abeni <pabeni@redhat.com>:

On Tue, 10 May 2022 19:53:01 -0700 you wrote:
> As we continue to narrow the scope of what the FORTIFY memcpy() will
> accept and build alternative APIs that give the compiler appropriate
> visibility into more complex memcpy scenarios, there is a need for
> "unfortified" memcpy use in rare cases where combinations of compiler
> behaviors, source code layout, etc, result in cases where the stricter
> memcpy checks need to be bypassed until appropriate solutions can be
> developed (i.e. fix compiler bugs, code refactoring, new API, etc). The
> intention is for this to be used only if there's no other reasonable
> solution, for its use to include a justification that can be used
> to assess future solutions, and for it to be temporary.
> 
> [...]

Here is the summary with links:
  - fortify: Provide a memcpy trap door for sharp corners
    https://git.kernel.org/netdev/net-next/c/43213daed6d6

You are awesome, thank you!
diff mbox series

Patch

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
index 2dc48406cd08..5855d8f9c509 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
@@ -386,7 +386,13 @@  mlx5e_sq_xmit_wqe(struct mlx5e_txqsq *sq, struct sk_buff *skb,
 			stats->added_vlan_packets++;
 		} else {
 			eseg->inline_hdr.sz |= cpu_to_be16(attr->ihs);
-			memcpy(eseg->inline_hdr.start, skb->data, attr->ihs);
+			unsafe_memcpy(eseg->inline_hdr.start, skb->data, attr->ihs,
+				/* This copy has been bounds-checked earlier in
+				 * mlx5i_sq_calc_wqe_attr() and intentionally
+				 * crosses a flex array boundary. Since it is
+				 * performance sensitive, splitting the copy is
+				 * undesirable.
+				 */);
 		}
 		dseg += wqe_attr->ds_cnt_inl;
 	} else if (skb_vlan_tag_present(skb)) {
diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index 295637a66c46..3b401fa0f374 100644
--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
@@ -52,6 +52,22 @@  extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size)
 #define __underlying_strncpy	__builtin_strncpy
 #endif
 
+/**
+ * unsafe_memcpy - memcpy implementation with no FORTIFY bounds checking
+ *
+ * @dst: Destination memory address to write to
+ * @src: Source memory address to read from
+ * @bytes: How many bytes to write to @dst from @src
+ * @justification: Free-form text or comment describing why the use is needed
+ *
+ * This should be used for corner cases where the compiler cannot do the
+ * right thing, or during transitions between APIs, etc. It should be used
+ * very rarely, and includes a place for justification detailing where bounds
+ * checking has happened, and why existing solutions cannot be employed.
+ */
+#define unsafe_memcpy(dst, src, bytes, justification)		\
+	__underlying_memcpy(dst, src, bytes)
+
 /*
  * Clang's use of __builtin_object_size() within inlines needs hinting via
  * __pass_object_size(). The preference is to only ever use type 1 (member
diff --git a/include/linux/string.h b/include/linux/string.h
index b6572aeca2f5..61ec7e4f6311 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -252,6 +252,10 @@  static inline const char *kbasename(const char *path)
 #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
 #include <linux/fortify-string.h>
 #endif
+#ifndef unsafe_memcpy
+#define unsafe_memcpy(dst, src, bytes, justification)		\
+	memcpy(dst, src, bytes)
+#endif
 
 void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count,
 		    int pad);