[28/95] string.h: add FORTIFY coverage for strscpy()

Message ID	20201216044350.TKAL6BULW%akpm@linux-foundation.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=WzRt=FU=kvack.org=owner-linux-mm@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org EB6602312D Date: Tue, 15 Dec 2020 20:43:50 -0800 From: Andrew Morton <akpm@linux-foundation.org> To: akpm@linux-foundation.org, danielmicay@gmail.com, dja@axtens.net, keescook@chromium.org, laniel_francis@privacyrequired.com, linux-mm@kvack.org, mm-commits@vger.kernel.org, torvalds@linux-foundation.org Subject: [patch 28/95] string.h: add FORTIFY coverage for strscpy() Message-ID: <20201216044350.TKAL6BULW%akpm@linux-foundation.org> In-Reply-To: <20201215204156.f05ec694b907845bcfab5c44@linux-foundation.org> User-Agent: s-nail v14.8.16 Sender: owner-linux-mm@kvack.org Precedence: bulk
Series	[01/95] mm: fix a race on nr_swap_pages \| expand [01/95] mm: fix a race on nr_swap_pages [02/95] mm/memory_hotplug: quieting offline operation [03/95] alpha: replace bogus in_interrupt() [04/95] procfs: delete duplicated words + other fixes [05/95] proc: provide details on indirect branch speculation [06/95] proc: fix lookup in /proc/net subdirectories after setns(2) [07/95] fs/proc: make pde_get() return nothing [08/95] asm-generic: force inlining of get_order() to work around gcc10 poor decision [09/95] kernel.h: split out mathematical helpers [10/95] kernel/acct.c: use #elif instead of #end and #elif [11/95] include/linux/bitmap.h: convert bitmap_empty() / bitmap_full() to return boolean [12/95] bitmap: remove unused function declaration [13/95] lib/test_free_pages.c: add basic progress indicators [14/95] lib/stackdepot.c: replace one-element array with flexible-array member [15/95] lib/stackdepot.c: use flex_array_size() helper in memcpy() [16/95] lib/stackdepot.c: use array_size() helper in jhash2() [17/95] lib/test_lockup.c: minimum fix to get it compiled on PREEMPT_RT [18/95] lib/list_kunit: follow new file name convention for KUnit tests [19/95] lib/linear_ranges_kunit: follow new file name convention for KUnit tests [20/95] lib/bits_kunit: follow new file name convention for KUnit tests [21/95] lib/cmdline: fix get_option() for strings starting with hyphen [22/95] lib/cmdline: allow NULL to be an output for get_option() [23/95] lib/cmdline_kunit: add a new test suite for cmdline API [24/95] ilog2: improve ilog2 for constant arguments [25/95] lib/string: remove unnecessary #undefs [26/95] lib: string.h: detect intra-object overflow in fortified string functions [27/95] lkdtm: tests for FORTIFY_SOURCE [28/95] string.h: add FORTIFY coverage for strscpy() [29/95] drivers/misc/lkdtm: add new file in LKDTM to test fortified strscpy [30/95] drivers/misc/lkdtm/lkdtm.h: correct wrong filenames in comment [31/95] lib: cleanup kstrto() usage [32/95] lib/lz4: explicitly support in-place decompression [33/95] bitops: introduce the for_each_set_clump macro [34/95] lib/test_bitmap.c: add for_each_set_clump test cases [35/95] gpio: thunderx: utilize for_each_set_clump macro [36/95] gpio: xilinx: utilize generic bitmap_get_value and _set_value [37/95] checkpatch: add new exception to repeated word check [38/95] checkpatch: fix false positives in REPEATED_WORD warning [39/95] checkpatch: ignore generated CamelCase defines and enum values [40/95] checkpatch: prefer static const declarations [41/95] checkpatch: allow --fix removal of unnecessary break statements [42/95] checkpatch: extend attributes check to handle more patterns [43/95] checkpatch: add a fixer for missing newline at eof [44/95] checkpatch: update __attribute__((section("name"))) quote removal [45/95] checkpatch: add fix option for GERRIT_CHANGE_ID [46/95] checkpatch: add __alias and __weak to suggested __attribute__ conversions [47/95] checkpatch: improve email parsing [48/95] checkpatch: fix spelling errors and remove repeated word [49/95] checkpatch: avoid COMMIT_LOG_LONG_LINE warning for signature tags [50/95] checkpatch: fix unescaped left brace [51/95] checkpatch: add fix option for ASSIGNMENT_CONTINUATIONS [52/95] checkpatch: add fix option for LOGICAL_CONTINUATIONS [53/95] checkpatch: add fix and improve warning msg for non-standard signature [54/95] checkpatch: add warning for unnecessary use of %h[xudi] and %hh[xudi] [55/95] checkpatch: add warning for lines starting with a '#' in commit log [56/95] checkpatch: fix TYPO_SPELLING check for words with apostrophe [57/95] checkpatch: add printk_once and printk_ratelimit to prefer pr_<level> warning [58/95] fs/nilfs2: remove some unused macros to tame gcc [59/95] kdump: append uts_namespace.name offset to VMCOREINFO [60/95] rapidio: remove unused rio_get_asm() and rio_get_device() [61/95] gcov: remove support for GCC < 4.9 [62/95] gcov: fix kernel-doc markup issue [63/95] bfs: don't use WARNING: string when it's just info. [64/95] relay: remove unused buf_mapped and buf_unmapped callbacks [65/95] relay: require non-NULL callbacks in relay_open() [66/95] relay: make create_buf_file and remove_buf_file callbacks mandatory [67/95] relay: allow the use of const callback structs [68/95] drm/i915: make relay callbacks const [69/95] ath10k: make relay callbacks const [70/95] ath11k: make relay callbacks const [71/95] ath9k: make relay callbacks const [72/95] blktrace: make relay callbacks const [73/95] kernel/resource.c: fix kernel-doc markups [74/95] ubsan: remove redundant -Wno-maybe-uninitialized [75/95] ubsan: move cc-option tests into Kconfig [76/95] ubsan: disable object-size sanitizer under GCC [77/95] ubsan: disable UBSAN_TRAP for allconfig [78/95] ubsan: enable for all*config builds [79/95] ubsan: remove UBSAN_MISC in favor of individual options [80/95] ubsan: expand tests and reporting [81/95] kcov: don't instrument with UBSAN [82/95] lib/ubsan.c: mark type_check_kinds with static keyword [83/95] reboot: refactor and comment the cpu selection code [84/95] reboot: allow to specify reboot mode via sysfs [85/95] reboot: remove cf9_safe from allowed types and rename cf9_force [86/95] reboot: allow to override reboot type if quirks are found [87/95] reboot: hide from sysfs not applicable settings [88/95] fault-injection: handle EI_ETYPE_TRUE [89/95] lib/lzo/lzo1x_compress.c: make lzogeneric1x_1_compress() static [90/95] apparmor: remove duplicate macro list_entry_is_head() [91/95] mm: unexport follow_pte_pmd [92/95] mm: simplify follow_pte{,pmd} [93/95] mm: fix some spelling mistakes in comments [94/95] mmap locking API: don't check locking if the mm isn't live yet [95/95] mm/gup: assert that the mmap lock is held in __get_user_pages()

Message ID

20201216044350.TKAL6BULW%akpm@linux-foundation.org (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org EB6602312D
Date: Tue, 15 Dec 2020 20:43:50 -0800
From: Andrew Morton <akpm@linux-foundation.org>
To: akpm@linux-foundation.org, danielmicay@gmail.com, dja@axtens.net,
 keescook@chromium.org, laniel_francis@privacyrequired.com,
 linux-mm@kvack.org, mm-commits@vger.kernel.org,
 torvalds@linux-foundation.org
Subject: [patch 28/95] string.h: add FORTIFY coverage for
 strscpy()
Message-ID: <20201216044350.TKAL6BULW%akpm@linux-foundation.org>
In-Reply-To: <20201215204156.f05ec694b907845bcfab5c44@linux-foundation.org>
User-Agent: s-nail v14.8.16
Sender: owner-linux-mm@kvack.org
Precedence: bulk

Series

[01/95] mm: fix a race on nr_swap_pages | expand

Commit Message

Andrew Morton Dec. 16, 2020, 4:43 a.m. UTC

From: Francis Laniel <laniel_francis@privacyrequired.com>
Subject: string.h: add FORTIFY coverage for strscpy()

The fortified version of strscpy ensures the following before vanilla strscpy
is called:

1. There is no read overflow because we either size is smaller than
   src length or we shrink size to src length by calling fortified
   strnlen.

2. There is no write overflow because we either failed during
   compilation or at runtime by checking that size is smaller than dest
   size.

Link: https://lkml.kernel.org/r/20201122162451.27551-4-laniel_francis@privacyrequired.com
Signed-off-by: Francis Laniel <laniel_francis@privacyrequired.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Daniel Axtens <dja@axtens.net>
Cc: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 include/linux/string.h |   48 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

Comments

Linus Torvalds Dec. 16, 2020, 7:26 a.m. UTC | #1

On Tue, Dec 15, 2020 at 8:43 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> From: Francis Laniel <laniel_francis@privacyrequired.com>
> Subject: string.h: add FORTIFY coverage for strscpy()
>
> The fortified version of strscpy ensures the following [..]

So I've taken this, because it follows the pattern of what we already
have, but I have to say that the "fortify" stuff is now about half of
string.h.

I think it should probably be split out into its own header file, and
then string.h could just do

  #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) &&
defined(CONFIG_FORTIFY_SOURCE)
     #include <linux/fortify-string.h>
  #endif

or similar.

That won't help my merge window build times (I build with
allmodconfig, so I'll have CONFIG_FORTIFY_SOURCE=y and so my poor
compiler will end up always going off and seeing all that every time
somebody glances at string.h), but I think it would be a cleanup
regardless.

And people who _don't_ build with FORTIFY_SOURCE wouldn't have to read
and parse that big chunk every time <linux/string.h> gets included.

(And yes, just reading the source file and tokenizing it - even if
it's all inside an #ifdef that turns off all the other phases - is
actually quite noticeable overhead in a C compiler. Surprisingly so)

           Linus

--- a/include/linux/string.h~stringh-add-fortify-coverage-for-strscpy
+++ a/include/linux/string.h
@@ -6,6 +6,7 @@ 
 #include <linux/compiler.h>	/* for inline */
 #include <linux/types.h>	/* for size_t */
 #include <linux/stddef.h>	/* for NULL */
+#include <linux/errno.h>	/* for E2BIG */
 #include <stdarg.h>
 #include <uapi/linux/string.h>
 
@@ -357,6 +358,53 @@  __FORTIFY_INLINE size_t strlcpy(char *p,
 	return ret;
 }
 
+/* defined after fortified strnlen to reuse it */
+extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(strscpy);
+__FORTIFY_INLINE ssize_t strscpy(char *p, const char *q, size_t size)
+{
+	size_t len;
+	/* Use string size rather than possible enclosing struct size. */
+	size_t p_size = __builtin_object_size(p, 1);
+	size_t q_size = __builtin_object_size(q, 1);
+
+	/* If we cannot get size of p and q default to call strscpy. */
+	if (p_size == (size_t) -1 && q_size == (size_t) -1)
+		return __real_strscpy(p, q, size);
+
+	/*
+	 * If size can be known at compile time and is greater than
+	 * p_size, generate a compile time write overflow error.
+	 */
+	if (__builtin_constant_p(size) && size > p_size)
+		__write_overflow();
+
+	/*
+	 * This call protects from read overflow, because len will default to q
+	 * length if it smaller than size.
+	 */
+	len = strnlen(q, size);
+	/*
+	 * If len equals size, we will copy only size bytes which leads to
+	 * -E2BIG being returned.
+	 * Otherwise we will copy len + 1 because of the final '\O'.
+	 */
+	len = len == size ? size : len + 1;
+
+	/*
+	 * Generate a runtime write overflow error if len is greater than
+	 * p_size.
+	 */
+	if (len > p_size)
+		fortify_panic(__func__);
+
+	/*
+	 * We can now safely call vanilla strscpy because we are protected from:
+	 * 1. Read overflow thanks to call to strnlen().
+	 * 2. Write overflow thanks to above ifs.
+	 */
+	return __real_strscpy(p, q, len);
+}
+
 /* defined after fortified strlen and strnlen to reuse them */
 __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
 {

[28/95] string.h: add FORTIFY coverage for strscpy()

Commit Message

Comments

Patch