[60/64] fortify: Work around Clang inlining bugs

Message ID	20210727205855.411487-61-keescook@chromium.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-kbuild-owner@kernel.org> From: Kees Cook <keescook@chromium.org> To: linux-hardening@vger.kernel.org Cc: Kees Cook <keescook@chromium.org>, "Gustavo A. R. Silva" <gustavoars@kernel.org>, Keith Packard <keithpac@amazon.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Andrew Morton <akpm@linux-foundation.org>, linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-staging@lists.linux.dev, linux-block@vger.kernel.org, linux-kbuild@vger.kernel.org, clang-built-linux@googlegroups.com Subject: [PATCH 60/64] fortify: Work around Clang inlining bugs Date: Tue, 27 Jul 2021 13:58:51 -0700 Message-Id: <20210727205855.411487-61-keescook@chromium.org> In-Reply-To: <20210727205855.411487-1-keescook@chromium.org> References: <20210727205855.411487-1-keescook@chromium.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Introduce strict memcpy() bounds checking \| expand [00/64] Introduce strict memcpy() bounds checking [01/64] media: omap3isp: Extract struct group for memcpy() region [02/64] mac80211: Use flex-array for radiotap header bitmap [03/64] rpmsg: glink: Replace strncpy() with strscpy_pad() [04/64] stddef: Introduce struct_group() helper macro [05/64] skbuff: Switch structure bounds to struct_group() [06/64] bnxt_en: Use struct_group_attr() for memcpy() region [07/64] staging: rtl8192e: Use struct_group() for memcpy() region [08/64] staging: rtl8192u: Use struct_group() for memcpy() region [09/64] staging: rtl8723bs: Avoid field-overflowing memcpy() [10/64] lib80211: Use struct_group() for memcpy() region [11/64] net/mlx5e: Avoid field-overflowing memcpy() [12/64] mwl8k: Use struct_group() for memcpy() region [13/64] libertas: Use struct_group() for memcpy() region [14/64] libertas_tf: Use struct_group() for memcpy() region [15/64] ipw2x00: Use struct_group() for memcpy() region [16/64] thermal: intel: int340x_thermal: Use struct_group() for memcpy() region [17/64] iommu/amd: Use struct_group() for memcpy() region [18/64] cxgb3: Use struct_group() for memcpy() region [19/64] ip: Use struct_group() for memcpy() regions [20/64] intersil: Use struct_group() for memcpy() region [21/64] cxgb4: Use struct_group() for memcpy() region [22/64] bnx2x: Use struct_group() for memcpy() region [23/64] drm/amd/pm: Use struct_group() for memcpy() region [24/64] staging: wlan-ng: Use struct_group() for memcpy() region [25/64] drm/mga/mga_ioc32: Use struct_group() for memcpy() region [26/64] net/mlx5e: Use struct_group() for memcpy() region [27/64] HID: cp2112: Use struct_group() for memcpy() region [28/64] compiler_types.h: Remove __compiletime_object_size() [29/64] lib/string: Move helper functions out of string.c [30/64] fortify: Move remaining fortify helpers into fortify-string.h [31/64] fortify: Explicitly disable Clang support [32/64] fortify: Add compile-time FORTIFY_SOURCE tests [33/64] lib: Introduce CONFIG_TEST_MEMCPY [34/64] fortify: Detect struct member overflows in memcpy() at compile-time [35/64] fortify: Detect struct member overflows in memmove() at compile-time [36/64] scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp [37/64] string.h: Introduce memset_after() for wiping trailing members/padding [38/64] xfrm: Use memset_after() to clear padding [39/64] mac80211: Use memset_after() to clear tx status [40/64] net: 802: Use memset_after() to clear struct fields [41/64] net: dccp: Use memset_after() for TP zeroing [42/64] net: qede: Use memset_after() for counters [43/64] ath11k: Use memset_after() for clearing queue descriptors [44/64] iw_cxgb4: Use memset_after() for cpl_t5_pass_accept_rpl [45/64] intel_th: msu: Use memset_after() for clearing hw header [46/64] IB/mthca: Use memset_after() for clearing mpt_entry [47/64] btrfs: Use memset_after() to clear end of struct [48/64] drbd: Use struct_group() to zero algs [49/64] cm4000_cs: Use struct_group() to zero struct cm4000_dev region [50/64] KVM: x86: Use struct_group() to zero decode cache [51/64] tracing: Use struct_group() to zero struct trace_iterator [52/64] dm integrity: Use struct_group() to zero struct journal_sector [53/64] HID: roccat: Use struct_group() to zero kone_mouse_event [54/64] ipv6: Use struct_group() to zero rt6_info [55/64] RDMA/mlx5: Use struct_group() to zero struct mlx5_ib_mr [56/64] ethtool: stats: Use struct_group() to clear all stats at once [57/64] netfilter: conntrack: Use struct_group() to zero struct nf_conn [58/64] powerpc: Split memset() to avoid multi-field overflow [59/64] fortify: Detect struct member overflows in memset() at compile-time [60/64] fortify: Work around Clang inlining bugs [61/64] Makefile: Enable -Warray-bounds [62/64] netlink: Avoid false-positive memcpy() warning [63/64] iwlwifi: dbg_ini: Split memcpy() to avoid multi-field write [64/64] fortify: Add run-time WARN for cross-field memcpy()

Message ID

20210727205855.411487-61-keescook@chromium.org (mailing list archive)

State

New, archived

Headers

From: Kees Cook <keescook@chromium.org>
To: linux-hardening@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
        "Gustavo A. R. Silva" <gustavoars@kernel.org>,
        Keith Packard <keithpac@amazon.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org,
        netdev@vger.kernel.org, dri-devel@lists.freedesktop.org,
        linux-staging@lists.linux.dev, linux-block@vger.kernel.org,
        linux-kbuild@vger.kernel.org, clang-built-linux@googlegroups.com
Subject: [PATCH 60/64] fortify: Work around Clang inlining bugs
Date: Tue, 27 Jul 2021 13:58:51 -0700
Message-Id: <20210727205855.411487-61-keescook@chromium.org>
In-Reply-To: <20210727205855.411487-1-keescook@chromium.org>
References: <20210727205855.411487-1-keescook@chromium.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Introduce strict memcpy() bounds checking | expand

Commit Message

Kees Cook July 27, 2021, 8:58 p.m. UTC

To enable FORTIFY_SOURCE support for Clang, the kernel must work around
a pair of bugs, related to Clang's inlining.

Change all the fortified APIs into macros with different inline names to
bypass Clang's broken inline-of-a-builtin detection:
https://bugs.llvm.org/show_bug.cgi?id=50322

Lift all misbehaving __builtin_object_size() calls into the macros to
bypass Clang's broken __builtin_object_size() arguments-of-an-inline
visibility:
https://github.com/ClangBuiltLinux/linux/issues/1401

Thankfully, due to how the inlining already behaves in GCC, this change
has no effect on GCC builds, but allows Clang to finally gain full
FORTIFY coverage.

However, because of a third bug which had no work-arounds, FORTIFY_SOURCE
will only work with Clang version 13 and later. Update the Kconfig to
reflect the new requirements.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 include/linux/fortify-string.h | 33 +++++++++++++++++++++------------
 security/Kconfig               |  2 +-
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index 718325331021..4afd42079d3b 100644
--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
@@ -38,10 +38,11 @@  extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size)
 #define __underlying_strncpy	__builtin_strncpy
 #endif
 
-__FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+#define strncpy(p, q, s) __fortify_strncpy(p, q, s, __builtin_object_size(p, 1))
+__FORTIFY_INLINE char *__fortify_strncpy(char *p, const char *q,
+					 __kernel_size_t size,
+					 const size_t p_size)
 {
-	size_t p_size = __builtin_object_size(p, 1);
-
 	if (__builtin_constant_p(size) && p_size < size)
 		__write_overflow();
 	if (p_size < size)
@@ -112,12 +113,15 @@  __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
 
 /* defined after fortified strnlen to reuse it */
 extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(strscpy);
-__FORTIFY_INLINE ssize_t strscpy(char *p, const char *q, size_t size)
+#define strscpy(p, q, s) __fortify_strscpy(p, q, s,			\
+					   __builtin_object_size(p, 1),	\
+					   __builtin_object_size(q, 1))
+__FORTIFY_INLINE ssize_t __fortify_strscpy(char *p, const char *q,
+					   size_t size,
+					   const size_t p_size,
+					   const size_t q_size)
 {
 	size_t len;
-	/* Use string size rather than possible enclosing struct size. */
-	size_t p_size = __builtin_object_size(p, 1);
-	size_t q_size = __builtin_object_size(q, 1);
 
 	/* If we cannot get size of p and q default to call strscpy. */
 	if (p_size == (size_t) -1 && q_size == (size_t) -1)
@@ -329,7 +333,8 @@  __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size,
 		memmove)
 
 extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan);
-__FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size)
+#define memscan(p, c, s) __fortify_memscan(p, c, s)
+__FORTIFY_INLINE void *__fortify_memscan(void *p, int c, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
 
@@ -340,7 +345,8 @@  __FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size)
 	return __real_memscan(p, c, size);
 }
 
-__FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size)
+#define memcmp(p, q, s) __fortify_memcmp(p, q, s)
+__FORTIFY_INLINE int __fortify_memcmp(const void *p, const void *q, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
 	size_t q_size = __builtin_object_size(q, 0);
@@ -356,7 +362,8 @@  __FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size)
 	return __underlying_memcmp(p, q, size);
 }
 
-__FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size)
+#define memchr(p, c, s) __fortify_memchr(p, c, s)
+__FORTIFY_INLINE void *__fortify_memchr(const void *p, int c, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
 
@@ -368,7 +375,8 @@  __FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size)
 }
 
 void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv);
-__FORTIFY_INLINE void *memchr_inv(const void *p, int c, size_t size)
+#define memchr_inv(p, c, s) __fortify_memchr_inv(p, c, s)
+__FORTIFY_INLINE void *__fortify_memchr_inv(const void *p, int c, size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
 
@@ -392,7 +400,8 @@  __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
 }
 
 /* Defined after fortified strlen to reuse it. */
-__FORTIFY_INLINE char *strcpy(char *p, const char *q)
+#define strcpy(p, q) __fortify_strcpy(p, q)
+__FORTIFY_INLINE char *__fortify_strcpy(char *p, const char *q)
 {
 	size_t p_size = __builtin_object_size(p, 1);
 	size_t q_size = __builtin_object_size(q, 1);
diff --git a/security/Kconfig b/security/Kconfig
index 8f0e675e70a4..509ec61bc54b 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -193,7 +193,7 @@  config FORTIFY_SOURCE
 	depends on ARCH_HAS_FORTIFY_SOURCE
 	# https://bugs.llvm.org/show_bug.cgi?id=50322
 	# https://bugs.llvm.org/show_bug.cgi?id=41459
-	depends on !CONFIG_CC_IS_CLANG
+	depends on !CONFIG_CC_IS_CLANG || CLANG_VERSION >= 130000
 	help
 	  Detect overflows of buffers in common string and memory functions
 	  where the compiler can determine and validate the buffer sizes.

[60/64] fortify: Work around Clang inlining bugs

Commit Message

Patch