| Message ID | 20211013150025.2875883-2-arnd@kernel.org (mailing list archive) |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | [1/2] kasan: test: use underlying string helpers | expand |
On Wed, Oct 13, 2021 at 05:00:06PM +0200, Arnd Bergmann wrote: > From: Arnd Bergmann <arnd@arndb.de> > > GCC has separate macros for -fsanitize=kernel-address and > -fsanitize=kernel-hwaddress, and the check in the arm64 string.h > gets this wrong, which leads to string functions not getting > fortified with gcc. The newly added tests find this: > > warning: unsafe memchr() usage lacked '__read_overflow' warning in /git/arm-soc/lib/test_fortify/read_overflow-memchr.c > warning: unsafe memchr_inv() usage lacked '__read_overflow' symbol in /git/arm-soc/lib/test_fortify/read_overflow-memchr_inv.c > warning: unsafe memcmp() usage lacked '__read_overflow' warning in /git/arm-soc/lib/test_fortify/read_overflow-memcmp.c > warning: unsafe memscan() usage lacked '__read_overflow' symbol in /git/arm-soc/lib/test_fortify/read_overflow-memscan.c > warning: unsafe memcmp() usage lacked '__read_overflow2' warning in /git/arm-soc/lib/test_fortify/read_overflow2-memcmp.c > warning: unsafe memcpy() usage lacked '__read_overflow2' symbol in /git/arm-soc/lib/test_fortify/read_overflow2-memcpy.c > warning: unsafe memmove() usage lacked '__read_overflow2' symbol in /git/arm-soc/lib/test_fortify/read_overflow2-memmove.c > warning: unsafe memcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memcpy.c > warning: unsafe memmove() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memmove.c > warning: unsafe memset() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memset.c > warning: unsafe strcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strcpy-lit.c > warning: unsafe strcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strcpy.c > warning: unsafe strlcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strlcpy-src.c > warning: unsafe strlcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strlcpy.c > warning: unsafe strncpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strncpy-src.c > warning: unsafe strncpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strncpy.c > warning: unsafe strscpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strscpy.c > What is the build config that trips these warnings? In trying to understand this, I see in arch/arm64/include/asm/string.h: #if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \ !defined(__SANITIZE_ADDRESS__) other architectures (like arm32) do: #if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__) so it's okay because it's not getting touched by the hwaddress sanitizer? e.g. I see: config CC_HAS_KASAN_GENERIC def_bool $(cc-option, -fsanitize=kernel-address) config CC_HAS_KASAN_SW_TAGS def_bool $(cc-option, -fsanitize=kernel-hwaddress) > Add a workaround to include/linux/compiler_types.h so we always > define __SANITIZE_ADDRESS__ for either mode, as we already do > for clang. Where is the clang work-around? (Or is this a statement that clang, under -fsanitize=kernel-hwaddress, already sets __SANITIZE_ADDRESS__ by default? > > Signed-off-by: Arnd Bergmann <arnd@arndb.de> > --- > include/linux/compiler_types.h | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h > index aad6f6408bfa..2f2776fffefe 100644 > --- a/include/linux/compiler_types.h > +++ b/include/linux/compiler_types.h > @@ -178,6 +178,13 @@ struct ftrace_likely_data { > */ > #define noinline_for_stack noinline > > +/* > + * Treat __SANITIZE_HWADDRESS__ the same as __SANITIZE_ADDRESS__ in the kernel > + */ > +#ifdef __SANITIZE_HWADDRESS__ > +#define __SANITIZE_ADDRESS__ > +#endif Should this go into compiler-gcc.h instead? > + > /* > * Sanitizer helper attributes: Because using __always_inline and > * __no_sanitize_* conflict, provide helper attributes that will either expand > -- > 2.29.2 >
On Mon, Oct 18, 2021 at 9:57 PM Kees Cook <keescook@chromium.org> wrote: > > On Wed, Oct 13, 2021 at 05:00:06PM +0200, Arnd Bergmann wrote: > > From: Arnd Bergmann <arnd@arndb.de> > > > > GCC has separate macros for -fsanitize=kernel-address and > > -fsanitize=kernel-hwaddress, and the check in the arm64 string.h > > gets this wrong, which leads to string functions not getting > > fortified with gcc. The newly added tests find this: > > > > warning: unsafe memchr() usage lacked '__read_overflow' warning in /git/arm-soc/lib/test_fortify/read_overflow-memchr.c > > warning: unsafe memchr_inv() usage lacked '__read_overflow' symbol in /git/arm-soc/lib/test_fortify/read_overflow-memchr_inv.c > > warning: unsafe memcmp() usage lacked '__read_overflow' warning in /git/arm-soc/lib/test_fortify/read_overflow-memcmp.c > > warning: unsafe memscan() usage lacked '__read_overflow' symbol in /git/arm-soc/lib/test_fortify/read_overflow-memscan.c > > warning: unsafe memcmp() usage lacked '__read_overflow2' warning in /git/arm-soc/lib/test_fortify/read_overflow2-memcmp.c > > warning: unsafe memcpy() usage lacked '__read_overflow2' symbol in /git/arm-soc/lib/test_fortify/read_overflow2-memcpy.c > > warning: unsafe memmove() usage lacked '__read_overflow2' symbol in /git/arm-soc/lib/test_fortify/read_overflow2-memmove.c > > warning: unsafe memcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memcpy.c > > warning: unsafe memmove() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memmove.c > > warning: unsafe memset() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memset.c > > warning: unsafe strcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strcpy-lit.c > > warning: unsafe strcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strcpy.c > > warning: unsafe strlcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strlcpy-src.c > > warning: unsafe strlcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strlcpy.c > > warning: unsafe strncpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strncpy-src.c > > warning: unsafe strncpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strncpy.c > > warning: unsafe strscpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strscpy.c > > > > What is the build config that trips these warnings? It's a randconfig build, I've uploaded one .config to https://pastebin.com/raw/4TKB9mhs, but I have other ones if you can't reproduce with that one. > In trying to understand this, I see in arch/arm64/include/asm/string.h: > > #if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \ > !defined(__SANITIZE_ADDRESS__) > > other architectures (like arm32) do: > > #if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__) Yes, that is exactly the thing that goes wrong. With clang, __SANITIZE_ADDRESS__ gets set here, but gcc sets __SANITIZE_HWADDRESS__ instead for CONFIG_KASAN_SW_TAGS, so the condition is always true. > > Add a workaround to include/linux/compiler_types.h so we always > > define __SANITIZE_ADDRESS__ for either mode, as we already do > > for clang. > > Where is the clang work-around? (Or is this a statement that clang, > under -fsanitize=kernel-hwaddress, already sets __SANITIZE_ADDRESS__ by > default? I mean this snippet: #if __has_feature(address_sanitizer) || __has_feature(hwaddress_sanitizer) /* Emulate GCC's __SANITIZE_ADDRESS__ flag */ #define __SANITIZE_ADDRESS__ #endif Without that, clang sets neither __SANITIZE_ADDRESS__ nor __SANITIZE_HWADDRESS__ > > diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h > > index aad6f6408bfa..2f2776fffefe 100644 > > --- a/include/linux/compiler_types.h > > +++ b/include/linux/compiler_types.h > > @@ -178,6 +178,13 @@ struct ftrace_likely_data { > > */ > > #define noinline_for_stack noinline > > > > +/* > > + * Treat __SANITIZE_HWADDRESS__ the same as __SANITIZE_ADDRESS__ in the kernel > > + */ > > +#ifdef __SANITIZE_HWADDRESS__ > > +#define __SANITIZE_ADDRESS__ > > +#endif > > Should this go into compiler-gcc.h instead? Yes, that might be clearer, but the effect is the same, as no other compiler defines those macros. Arnd
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index aad6f6408bfa..2f2776fffefe 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h @@ -178,6 +178,13 @@ struct ftrace_likely_data { */ #define noinline_for_stack noinline +/* + * Treat __SANITIZE_HWADDRESS__ the same as __SANITIZE_ADDRESS__ in the kernel + */ +#ifdef __SANITIZE_HWADDRESS__ +#define __SANITIZE_ADDRESS__ +#endif + /* * Sanitizer helper attributes: Because using __always_inline and * __no_sanitize_* conflict, provide helper attributes that will either expand