[v2,0/2] FORTIFY_SOURCE: detect intra-object overflow in string functions

Message

Daniel Axtens Jan. 20, 2020, 4:54 a.m. UTC

When the fortify feature was first introduced in commit 6974f0c4555e
("include/linux/string.h: add the option of fortified string.h functions"),
Daniel Micay observed:

  * It should be possible to optionally use __builtin_object_size(x, 1) for
    some functions (C strings) to detect intra-object overflows (like
    glibc's _FORTIFY_SOURCE=2), but for now this takes the conservative
    approach to avoid likely compatibility issues.

This patch set:

 - converts a number of string functions to use __builtin_object_size(x, 1)

 - adds LKDTM tests for both types of fortified function.

This change passes an allyesconfig on powerpc and x86, and an x86 kernel
built with it survives running with syz-stress from syzkaller, so it seems
safe so far.

Daniel Axtens (2):
  string.h: detect intra-object overflow in fortified string functions
  lkdtm: tests for FORTIFY_SOURCE

 drivers/misc/lkdtm/bugs.c  | 51 ++++++++++++++++++++++++++++++++++++++
 drivers/misc/lkdtm/core.c  |  2 ++
 drivers/misc/lkdtm/lkdtm.h |  2 ++
 include/linux/string.h     | 27 ++++++++++++--------
 4 files changed, 71 insertions(+), 11 deletions(-)