Message ID | 20230531003404.never.167-kees@kernel.org (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | riscv/purgatory: Do not use fortified string functions | expand |
Hey Kees, On Tue, May 30, 2023 at 05:34:04PM -0700, Kees Cook wrote: > With the addition of -fstrict-flex-arrays=3, struct sha256_state's > trailing array is no longer ignored by CONFIG_FORTIFY_SOURCE: > > struct sha256_state { > u32 state[SHA256_DIGEST_SIZE / 4]; > u64 count; > u8 buf[SHA256_BLOCK_SIZE]; > }; > > This means that the memcpy() calls with "buf" as a destination in > sha256.c's code will attempt to perform run-time bounds checking, which > could lead to calling missing functions, specifically a potential > WARN_ONCE, which isn't callable from purgatory. > > Reported-by: Thorsten Leemhuis <linux@leemhuis.info> > Closes: https://lore.kernel.org/lkml/175578ec-9dec-7a9c-8d3a-43f24ff86b92@leemhuis.info/ > Bisected-by: "Joan Bruguera Micó" <joanbrugueram@gmail.com> > Fixes: df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") > Cc: Paul Walmsley <paul.walmsley@sifive.com> > Cc: Palmer Dabbelt <palmer@dabbelt.com> > Cc: Albert Ou <aou@eecs.berkeley.edu> > Cc: Masahiro Yamada <masahiroy@kernel.org> > Cc: Conor Dooley <conor.dooley@microchip.com> > Cc: Nick Desaulniers <ndesaulniers@google.com> > Cc: Alyssa Ross <hi@alyssa.is> > Cc: Heiko Stuebner <heiko.stuebner@vrull.eu> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> > Cc: linux-riscv@lists.infradead.org > Signed-off-by: Kees Cook <keescook@chromium.org> Perhaps this is indicative of other issues in RISC-V land, but allmodconfig complains about this patch: ../lib/string.c:17: warning: "__NO_FORTIFY" redefined ../lib/string.c:17:9: warning: preprocessor token __NO_FORTIFY redefined > --- > arch/riscv/purgatory/Makefile | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/arch/riscv/purgatory/Makefile b/arch/riscv/purgatory/Makefile > index 5730797a6b40..11f4c275f141 100644 > --- a/arch/riscv/purgatory/Makefile > +++ b/arch/riscv/purgatory/Makefile > @@ -31,9 +31,9 @@ $(obj)/strncmp.o: $(srctree)/arch/riscv/lib/strncmp.S FORCE > $(obj)/sha256.o: $(srctree)/lib/crypto/sha256.c FORCE > $(call if_changed_rule,cc_o_c) > > -CFLAGS_sha256.o := -D__DISABLE_EXPORTS > -CFLAGS_string.o := -D__DISABLE_EXPORTS > -CFLAGS_ctype.o := -D__DISABLE_EXPORTS > +CFLAGS_sha256.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY > +CFLAGS_string.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY > +CFLAGS_ctype.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY > > # When linking purgatory.ro with -r unresolved symbols are not checked, > # also link a purgatory.chk binary without -r to check for unresolved symbols. > -- > 2.34.1 > > > _______________________________________________ > linux-riscv mailing list > linux-riscv@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-riscv
On Wed, May 31, 2023 at 11:37:20PM +0100, Conor Dooley wrote: > Hey Kees, > > On Tue, May 30, 2023 at 05:34:04PM -0700, Kees Cook wrote: > > With the addition of -fstrict-flex-arrays=3, struct sha256_state's > > trailing array is no longer ignored by CONFIG_FORTIFY_SOURCE: > > > > struct sha256_state { > > u32 state[SHA256_DIGEST_SIZE / 4]; > > u64 count; > > u8 buf[SHA256_BLOCK_SIZE]; > > }; > > > > This means that the memcpy() calls with "buf" as a destination in > > sha256.c's code will attempt to perform run-time bounds checking, which > > could lead to calling missing functions, specifically a potential > > WARN_ONCE, which isn't callable from purgatory. > > > > Reported-by: Thorsten Leemhuis <linux@leemhuis.info> > > Closes: https://lore.kernel.org/lkml/175578ec-9dec-7a9c-8d3a-43f24ff86b92@leemhuis.info/ > > Bisected-by: "Joan Bruguera Micó" <joanbrugueram@gmail.com> > > Fixes: df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") > > Cc: Paul Walmsley <paul.walmsley@sifive.com> > > Cc: Palmer Dabbelt <palmer@dabbelt.com> > > Cc: Albert Ou <aou@eecs.berkeley.edu> > > Cc: Masahiro Yamada <masahiroy@kernel.org> > > Cc: Conor Dooley <conor.dooley@microchip.com> > > Cc: Nick Desaulniers <ndesaulniers@google.com> > > Cc: Alyssa Ross <hi@alyssa.is> > > Cc: Heiko Stuebner <heiko.stuebner@vrull.eu> > > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> > > Cc: linux-riscv@lists.infradead.org > > Signed-off-by: Kees Cook <keescook@chromium.org> > > Perhaps this is indicative of other issues in RISC-V land, but > allmodconfig complains about this patch: > > ../lib/string.c:17: warning: "__NO_FORTIFY" redefined > ../lib/string.c:17:9: warning: preprocessor token __NO_FORTIFY redefined Argh, thanks. My compile test clearly failed. I'll fix this up. -Kees > > > --- > > arch/riscv/purgatory/Makefile | 6 +++--- > > 1 file changed, 3 insertions(+), 3 deletions(-) > > > > diff --git a/arch/riscv/purgatory/Makefile b/arch/riscv/purgatory/Makefile > > index 5730797a6b40..11f4c275f141 100644 > > --- a/arch/riscv/purgatory/Makefile > > +++ b/arch/riscv/purgatory/Makefile > > @@ -31,9 +31,9 @@ $(obj)/strncmp.o: $(srctree)/arch/riscv/lib/strncmp.S FORCE > > $(obj)/sha256.o: $(srctree)/lib/crypto/sha256.c FORCE > > $(call if_changed_rule,cc_o_c) > > > > -CFLAGS_sha256.o := -D__DISABLE_EXPORTS > > -CFLAGS_string.o := -D__DISABLE_EXPORTS > > -CFLAGS_ctype.o := -D__DISABLE_EXPORTS > > +CFLAGS_sha256.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY > > +CFLAGS_string.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY > > +CFLAGS_ctype.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY > > > > # When linking purgatory.ro with -r unresolved symbols are not checked, > > # also link a purgatory.chk binary without -r to check for unresolved symbols. > > -- > > 2.34.1 > > > > > > _______________________________________________ > > linux-riscv mailing list > > linux-riscv@lists.infradead.org > > http://lists.infradead.org/mailman/listinfo/linux-riscv
diff --git a/arch/riscv/purgatory/Makefile b/arch/riscv/purgatory/Makefile index 5730797a6b40..11f4c275f141 100644 --- a/arch/riscv/purgatory/Makefile +++ b/arch/riscv/purgatory/Makefile @@ -31,9 +31,9 @@ $(obj)/strncmp.o: $(srctree)/arch/riscv/lib/strncmp.S FORCE $(obj)/sha256.o: $(srctree)/lib/crypto/sha256.c FORCE $(call if_changed_rule,cc_o_c) -CFLAGS_sha256.o := -D__DISABLE_EXPORTS -CFLAGS_string.o := -D__DISABLE_EXPORTS -CFLAGS_ctype.o := -D__DISABLE_EXPORTS +CFLAGS_sha256.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY +CFLAGS_string.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY +CFLAGS_ctype.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY # When linking purgatory.ro with -r unresolved symbols are not checked, # also link a purgatory.chk binary without -r to check for unresolved symbols.
With the addition of -fstrict-flex-arrays=3, struct sha256_state's trailing array is no longer ignored by CONFIG_FORTIFY_SOURCE: struct sha256_state { u32 state[SHA256_DIGEST_SIZE / 4]; u64 count; u8 buf[SHA256_BLOCK_SIZE]; }; This means that the memcpy() calls with "buf" as a destination in sha256.c's code will attempt to perform run-time bounds checking, which could lead to calling missing functions, specifically a potential WARN_ONCE, which isn't callable from purgatory. Reported-by: Thorsten Leemhuis <linux@leemhuis.info> Closes: https://lore.kernel.org/lkml/175578ec-9dec-7a9c-8d3a-43f24ff86b92@leemhuis.info/ Bisected-by: "Joan Bruguera Micó" <joanbrugueram@gmail.com> Fixes: df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") Cc: Paul Walmsley <paul.walmsley@sifive.com> Cc: Palmer Dabbelt <palmer@dabbelt.com> Cc: Albert Ou <aou@eecs.berkeley.edu> Cc: Masahiro Yamada <masahiroy@kernel.org> Cc: Conor Dooley <conor.dooley@microchip.com> Cc: Nick Desaulniers <ndesaulniers@google.com> Cc: Alyssa Ross <hi@alyssa.is> Cc: Heiko Stuebner <heiko.stuebner@vrull.eu> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> Cc: linux-riscv@lists.infradead.org Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/riscv/purgatory/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)