From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Tyrel Datwyler, Michael Ellerman, Benjamin Herrenschmidt, Paul Mackerras, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 01/25] scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp
Date: Sun, 22 Aug 2021 00:50:58 -0700
Message-Id: <20210822075122.864511-2-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields.

Instead of writing beyond the end of evt_struct->iu.srp.cmd, target the upper union (evt_struct->iu.srp) instead, as that's what is being wiped.

Cc: Tyrel Datwyler
Cc: Michael Ellerman
Cc: Benjamin Herrenschmidt
Cc: Paul Mackerras
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-scsi@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook
Acked-by: Martin K. Petersen
Link: https://lore.kernel.org/lkml/yq135rzp79c.fsf@ca-mkp.ca.oracle.com
Acked-by: Tyrel Datwyler
Link: https://lore.kernel.org/lkml/6eae8434-e9a7-aa74-628b-b515b3695359@linux.ibm.com
--- drivers/scsi/ibmvscsi/ibmvscsi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c index e6a3eaaa57d9..3bd3a0124123 100644 --- a/drivers/scsi/ibmvscsi/ibmvscsi.c +++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
@@ -1055,8 +1055,9 @@ static int ibmvscsi_queuecommand_lck(struct scsi_cmnd *cmnd, return SCSI_MLQUEUE_HOST_BUSY; /* Set up the actual SRP IU */ + BUILD_BUG_ON(sizeof(evt_struct->iu.srp) != SRP_MAX_IU_LEN); + memset(&evt_struct->iu.srp, 0x00, sizeof(evt_struct->iu.srp)); srp_cmd = &evt_struct->iu.srp.cmd; - memset(srp_cmd, 0x00, SRP_MAX_IU_LEN); srp_cmd->opcode = SRP_CMD; memcpy(srp_cmd->cdb, cmnd->cmnd, sizeof(srp_cmd->cdb)); int_to_scsilun(lun, &srp_cmd->lun);
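Review bot: the added BUILD_BUG_ON(sizeof(evt_struct->iu.srp) != SRP_MAX_IU_LEN) has no comment saying why the union size must equal SRP_MAX_IU_LEN. A one-line comment above it, noting that the whole srp union is wiped and that the removed memset(srp_cmd, 0x00, SRP_MAX_IU_LEN) relied on the same size, would keep the invariant obvious to whoever next adds a member to the union. Taking both the destination and the length from evt_struct->iu.srp, as the new memset() does, is the right shape and should stay.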

From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Benjamin Herrenschmidt, Qinglang Miao, "Gustavo A. R. Silva", Hulk Robot, Wang Wensheng, linuxppc-dev@lists.ozlabs.org, Michael Ellerman, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 02/25] powerpc: Split memset() to avoid multi-field overflow
Date: Sun, 22 Aug 2021 00:50:59 -0700
Message-Id: <20210822075122.864511-3-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields.

Instead of writing across a field boundary with memset(), move the call to just the array, and an explicit zeroing of the prior field.

Cc: Benjamin Herrenschmidt
Cc: Qinglang Miao
Cc: "Gustavo A. R. Silva"
Cc: Hulk Robot
Cc: Wang Wensheng
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Kees Cook
Reviewed-by: Michael Ellerman
Link: https://lore.kernel.org/lkml/87czqsnmw9.fsf@mpe.ellerman.id.au
--- drivers/macintosh/smu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/macintosh/smu.c b/drivers/macintosh/smu.c index 94fb63a7b357..3e2b25ea58a3 100644 --- a/drivers/macintosh/smu.c +++ b/drivers/macintosh/smu.c
@@ -848,7 +848,8 @@ int smu_queue_i2c(struct smu_i2c_cmd *cmd) cmd->read = cmd->info.devaddr & 0x01; switch(cmd->info.type) { case SMU_I2C_TRANSFER_SIMPLE: - memset(&cmd->info.sublen, 0, 4); + cmd->info.sublen = 0; + memset(cmd->info.subaddr, 0, sizeof(cmd->info.subaddr)); break; case SMU_I2C_TRANSFER_COMBINED: cmd->info.devaddr &= 0xfe;
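Review bot: in the SMU_I2C_TRANSFER_SIMPLE case, the two new statements clear the same bytes as the removed memset(&cmd->info.sublen, 0, 4) only if sublen and subaddr together span exactly 4 bytes, and nothing in the hunk shows or asserts that. State the field sizes in the commit message, or add a BUILD_BUG_ON on sizeof(cmd->info.sublen) + sizeof(cmd->info.subaddr), so a reader can confirm that no byte that used to be cleared is now left untouched.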
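The field-bounds idea behind patches 01/25 and 02/25 above, as an added userspace example that is not part of the patch series and not the kernel's FORTIFY_SOURCE implementation. `struct i2c_info` is a constructed stand-in that borrows only the field names from the smu.c hunk, and `checked_memset()` / `FIELD_MEMSET()` are hypothetical helpers that bound each write by the size of the destination field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: only the field names come from the smu.c hunk. */
struct i2c_info {
	uint8_t devaddr;
	uint8_t sublen;
	uint8_t subaddr[3];
	uint8_t datalen;
};

/* The legacy 4-byte wipe equals the per-field wipe only if these hold. */
_Static_assert(offsetof(struct i2c_info, subaddr) ==
	       offsetof(struct i2c_info, sublen) + sizeof(uint8_t),
	       "sublen and subaddr must be adjacent");
_Static_assert(sizeof(uint8_t) + sizeof(((struct i2c_info *)0)->subaddr) == 4,
	       "sublen + subaddr must span 4 bytes");

/* Hypothetical helper: refuse any write longer than the destination field. */
static int checked_memset(void *dst, int c, size_t len, size_t field_size)
{
	if (len > field_size)
		return -1;	/* would spill into the neighbouring field */
	memset(dst, c, len);
	return 0;
}

/* Bound the write by the size of the field that is named as destination. */
#define FIELD_MEMSET(field, c, len) \
	checked_memset(&(field), (c), (len), sizeof(field))

/* "Before" shape: 4 bytes aimed at the 1-byte sublen field. Rejected. */
int wipe_across_fields(struct i2c_info *info)
{
	return FIELD_MEMSET(info->sublen, 0, 4);
}

/* "After" shape: assign the scalar, memset only the array. Accepted. */
int wipe_per_field(struct i2c_info *info)
{
	info->sublen = 0;
	return FIELD_MEMSET(info->subaddr, 0, sizeof(info->subaddr));
}

/* Returns 1 when the per-field wipe leaves the same bytes behind as an
 * unchecked 4-byte wipe starting at sublen. */
int per_field_matches_legacy(void)
{
	struct i2c_info legacy, split;

	memset(&legacy, 0xAA, sizeof(legacy));
	memset(&split, 0xAA, sizeof(split));

	/* Unchecked legacy behaviour, addressed through the whole object. */
	memset((unsigned char *)&legacy + offsetof(struct i2c_info, sublen), 0, 4);

	if (wipe_per_field(&split) != 0)
		return 0;
	return memcmp(&legacy, &split, sizeof(legacy)) == 0;
}

int main(void)
{
	struct i2c_info info;

	memset(&info, 0xAA, sizeof(info));
	printf("cross-field wipe: %d\n", wipe_across_fields(&info));
	printf("per-field wipe:   %d\n", wipe_per_field(&info));
	printf("same bytes as legacy wipe: %d\n", per_field_matches_legacy());
	return 0;
}
```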

From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 03/25] stddef: Fix kerndoc for sizeof_field() and offsetofend()
Date: Sun, 22 Aug 2021 00:51:00 -0700
Message-Id: <20210822075122.864511-4-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

Adjust the comment styles so these are correctly identified as valid kern-doc.

Signed-off-by: Kees Cook
--- include/linux/stddef.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/stddef.h b/include/linux/stddef.h index 998a4ba28eba..8553b33143d1 100644 --- a/include/linux/stddef.h +++ b/include/linux/stddef.h @@ -20,7 +20,7 @@ enum { #endif /** - * sizeof_field(TYPE, MEMBER) + * sizeof_field() - Report the size of a struct field in bytes * * @TYPE: The structure containing the field of interest * @MEMBER: The field to return the size of
@@ -28,7 +28,7 @@ enum { #define sizeof_field(TYPE, MEMBER) sizeof((((TYPE *)0)->MEMBER)) /** - * offsetofend(TYPE, MEMBER) + * offsetofend() - Report the offset of a struct field within the struct * * @TYPE: The type of the structure * @MEMBER: The member within the structure to get the end offset of
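Review bot: the new summary line "offsetofend() - Report the offset of a struct field within the struct" describes a start offset, while the @MEMBER line two lines below it says "to get the end offset of". Reword the summary to something like "Report the offset of the end of a struct field within the struct" so the kerndoc does not read as a synonym for offsetof().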

From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Keith Packard, "Gustavo A . R . Silva", Rasmus Villemoes, Dan Williams, Daniel Vetter, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 04/25] stddef: Introduce struct_group() helper macro
Date: Sun, 22 Aug 2021 00:51:01 -0700
Message-Id: <20210822075122.864511-5-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

Kernel code has a regular need to describe groups of members within a structure usually when they need to be copied or initialized separately from the rest of the surrounding structure. The generally accepted design pattern in C is to use a named sub-struct:

	struct foo {
		int one;
		struct {
			int two;
			int three, four;
		} thing;
		int five;
	};

This would allow for traditional references and sizing:

	memcpy(&dst.thing, &src.thing, sizeof(dst.thing));

However, doing this would mean that referencing struct members enclosed by such named structs would always require including the sub-struct name in identifiers:

	do_something(dst.thing.three);

This has tended to be quite inflexible, especially when such groupings need to be added to established code which causes huge naming churn. Three workarounds exist in the kernel for this problem, and each has other negative properties.

To avoid the naming churn, there is a design pattern of adding macro aliases for the named struct:

	#define f_three thing.three

This ends up polluting the global namespace, and makes it difficult to search for identifiers.

Another common work-around in kernel code avoids the pollution by avoiding the named struct entirely, instead identifying the group's boundaries using either a pair of empty anonymous structs or a pair of zero-element arrays:

	struct foo {
		int one;
		struct { } start;
		int two;
		int three, four;
		struct { } finish;
		int five;
	};

	struct foo {
		int one;
		int start[0];
		int two;
		int three, four;
		int finish[0];
		int five;
	};

This allows code to avoid needing to use a sub-struct named for member references within the surrounding structure, but loses the benefits of being able to actually use such a struct, making it rather fragile. Using these requires open-coded calculation of sizes and offsets. The efforts made to avoid common mistakes include lots of comments, or adding various BUILD_BUG_ON()s. Such code is left with no way for the compiler to reason about the boundaries (e.g. the "start" object looks like it's 0 bytes in length), making bounds checking depend on open-coded calculations:

	if (length > offsetof(struct foo, finish) -
		     offsetof(struct foo, start))
		return -EINVAL;
	memcpy(&dst.start, &src.start, offsetof(struct foo, finish) -
				       offsetof(struct foo, start));

However, the vast majority of places in the kernel that operate on groups of members do so without any identification of the grouping, relying either on comments or implicit knowledge of the struct contents, which is even harder for the compiler to reason about, and results in even more fragile manual sizing, usually depending on member locations outside of the region (e.g. to copy "two" and "three", use the start of "four" to find the size):

	BUILD_BUG_ON((offsetof(struct foo, four) <
		      offsetof(struct foo, two)) ||
		     (offsetof(struct foo, four) <
		      offsetof(struct foo, three)));
	if (length > offsetof(struct foo, four) -
		     offsetof(struct foo, two))
		return -EINVAL;
	memcpy(&dst.two, &src.two, length);

In order to have a regular programmatic way to describe a struct region that can be used for references and sizing, can be examined for bounds checking, avoids forcing the use of intermediate identifiers, and avoids polluting the global namespace, introduce the struct_group() macro. This macro wraps the member declarations to create an anonymous union of an anonymous struct (no intermediate name) and a named struct (for references and sizing):

	struct foo {
		int one;
		struct_group(thing,
			int two;
			int three, four;
		);
		int five;
	};

	if (length > sizeof(src.thing))
		return -EINVAL;
	memcpy(&dst.thing, &src.thing, length);
	do_something(dst.three);

There are some rare cases where the resulting struct_group() needs attributes added, so struct_group_attr() is also introduced to allow for specifying struct attributes (e.g. __align(x) or __packed). Additionally, there are places where such declarations would like to have the struct be tagged, so struct_group_tagged() is added.

Given there is a need for a handful of UAPI uses too, the underlying __struct_group() macro has been defined in UAPI so it can be used there too.

To avoid confusing scripts/kernel-doc, hide the macro from its struct parsing.

Co-developed-by: Keith Packard
Signed-off-by: Keith Packard Acked-by: Gustavo A. R. Silva Link: https://lore.kernel.org/lkml/20210728023217.GC35706@embeddedor Enhanced-by: Rasmus Villemoes Link: https://lore.kernel.org/lkml/41183a98-bdb9-4ad6-7eab-5a7292a6df84@rasmusvillemoes.dk Enhanced-by: Dan Williams Link: https://lore.kernel.org/lkml/1d9a2e6df2a9a35b2cdd50a9a68cac5991e7e5f0.camel@intel.com Enhanced-by: Daniel Vetter Link: https://lore.kernel.org/lkml/YQKa76A6XuFqgM03@phenom.ffwll.local Acked-by: Dan Williams Signed-off-by: Kees Cook --- include/linux/stddef.h | 48 +++++++++++++++++++++++++++++++++++++ include/uapi/linux/stddef.h | 21 ++++++++++++++++ scripts/kernel-doc | 7 ++++++ 3 files changed, 76 insertions(+) diff --git a/include/linux/stddef.h b/include/linux/stddef.h index 8553b33143d1..8b103a53b000 100644 --- a/include/linux/stddef.h +++ b/include/linux/stddef.h 
@@ -36,4 +36,52 @@ enum { #define offsetofend(TYPE, MEMBER) \ (offsetof(TYPE, MEMBER) + sizeof_field(TYPE, MEMBER)) +/** + * struct_group() - Wrap a set of declarations in a mirrored struct + * + * @NAME: The identifier name of the mirrored sub-struct + * @MEMBERS: The member declarations for the mirrored structs + * + * Used to create an anonymous union of two structs with identical + * layout and size: one anonymous and one named. The former can be + * used normally without sub-struct naming, and the latter can be + * used to reason about the start, end, and size of the group of + * struct members. + */ +#define struct_group(NAME, MEMBERS...) \ + __struct_group(/* no tag */, NAME, /* no attrs */, MEMBERS) + +/** + * struct_group_attr() - Create a struct_group() with trailing attributes + * + * @NAME: The identifier name of the mirrored sub-struct + * @ATTRS: Any struct attributes to apply + * @MEMBERS: The member declarations for the mirrored structs + * + * Used to create an anonymous union of two structs with identical + * layout and size: one anonymous and one named. The former can be + * used normally without sub-struct naming, and the latter can be + * used to reason about the start, end, and size of the group of + * struct members. Includes structure attributes argument. + */ +#define struct_group_attr(NAME, ATTRS, MEMBERS...) \ + __struct_group(/* no tag */, NAME, ATTRS, MEMBERS) + +/** + * struct_group_tagged() - Create a struct_group with a reusable tag + * + * @TAG: The tag name for the named sub-struct + * @NAME: The identifier name of the mirrored sub-struct + * @MEMBERS: The member declarations for the mirrored structs + * + * Used to create an anonymous union of two structs with identical + * layout and size: one anonymous and one named. The former can be + * used normally without sub-struct naming, and the latter can be + * used to reason about the start, end, and size of the group of + * struct members. 
Includes struct tag argument for the named copy, + * so the specified layout can be reused later. + */ +#define struct_group_tagged(TAG, NAME, MEMBERS...) \ + __struct_group(TAG, NAME, /* no attrs */, MEMBERS) + #endif diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h index ee8220f8dcf5..610204f7c275 100644 --- a/include/uapi/linux/stddef.h +++ b/include/uapi/linux/stddef.h @@ -4,3 +4,24 @@ #ifndef __always_inline #define __always_inline inline #endif + +/** + * __struct_group() - Create a mirrored named and anonyomous struct + * + * @TAG: The tag name for the named sub-struct (usually empty) + * @NAME: The identifier name of the mirrored sub-struct + * @ATTRS: Any struct attributes (usually empty) + * @MEMBERS: The member declarations for the mirrored structs + * + * Used to create an anonymous union of two structs with identical layout + * and size: one anonymous and one named. The former's members can be used + * normally without sub-struct naming, and the latter can be used to + * reason about the start, end, and size of the group of struct members. + * The named struct can also be explicitly tagged for layer reuse, as well + * as both having struct attributes appended. + */ +#define __struct_group(TAG, NAME, ATTRS, MEMBERS...) \ + union { \ + struct { MEMBERS } ATTRS; \ + struct TAG { MEMBERS } ATTRS NAME; \ + } diff --git a/scripts/kernel-doc b/scripts/kernel-doc index 7c4a6a507ac4..d9715efbe0b7 100755 --- a/scripts/kernel-doc +++ b/scripts/kernel-doc 
@@ -1245,6 +1245,13 @@ sub dump_struct($$) { $members =~ s/\s*CRYPTO_MINALIGN_ATTR/ /gos; $members =~ s/\s*____cacheline_aligned_in_smp/ /gos; $members =~ s/\s*____cacheline_aligned/ /gos; + # unwrap struct_group(): + # - first eat non-declaration parameters and rewrite for final match + # - then remove macro, outer parens, and trailing semicolon + $members =~ s/\bstruct_group\s*\(([^,]*,)/STRUCT_GROUP(/gos; + $members =~ s/\bstruct_group_(attr|tagged)\s*\(([^,]*,){2}/STRUCT_GROUP(/gos; + $members =~ s/\b__struct_group\s*\(([^,]*,){3}/STRUCT_GROUP(/gos; + $members =~ s/\bSTRUCT_GROUP(\(((?:(?>[^)(]+)|(?1))*)\))[^;]*;/$2/gos; my $args = qr{([^,)]+)}; # replace DECLARE_BITMAP
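Review bot: In the include/uapi/linux/stddef.h hunk, __struct_group() expands MEMBERS twice, once in the anonymous struct and once in `struct TAG { MEMBERS } ATTRS NAME;`, and the kernel-doc does not say what that rules out. A MEMBERS list that itself defines a tagged type, for example a nested `struct bar { ... } b;`, would define that tag twice within the same union and fail to compile, so the comment should state that MEMBERS may contain only plain member declarations. Two wording nits in the same comment: "anonyomous" should read "anonymous", and "tagged for layer reuse" presumably means "later reuse", which is the wording struct_group_tagged() uses.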
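Review bot: The scripts/kernel-doc hunk skips the leading non-declaration parameters with `([^,]*,)`, which assumes none of them contains a comma. An ATTRS argument such as `__attribute__((aligned(4), packed))` would end the skip at its inner comma and leave the rest of the attribute at the front of the member list that kernel-doc goes on to parse. Either say in the new comment that TAG, NAME and ATTRS must be comma-free, or skip a balanced parenthesised group the way the final STRUCT_GROUP substitution already does for the member list.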
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Alison Schofield, Vishal Verma, Ira Weiny, Ben Widawsky, linux-cxl@vger.kernel.org, Dan Williams, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 05/25] cxl/core: Replace unions with struct_group()
Date: Sun, 22 Aug 2021 00:51:02 -0700
Message-Id: <20210822075122.864511-6-keescook@chromium.org>

Use the newly introduced struct_group_typed() macro to clean up the declaration of struct cxl_regs.

Cc: Alison Schofield
Cc: Vishal Verma
Cc: Ira Weiny
Cc: Ben Widawsky
Cc: linux-cxl@vger.kernel.org
Suggested-by: Dan Williams
Link: https://lore.kernel.org/lkml/1d9a2e6df2a9a35b2cdd50a9a68cac5991e7e5f0.camel@intel.com
Reviewed-by: Dan Williams
Signed-off-by: Kees Cook
--- drivers/cxl/cxl.h | 61 ++++++++++++++--------------------------------- 1 file changed, 18 insertions(+), 43 deletions(-) diff --git a/drivers/cxl/cxl.h b/drivers/cxl/cxl.h index b6bda39a59e3..97a83ba4e783 100644 --- a/drivers/cxl/cxl.h +++ b/drivers/cxl/cxl.h
@@ -75,52 +75,27 @@ static inline int cxl_hdm_decoder_count(u32 cap_hdr) #define CXLDEV_MBOX_BG_CMD_STATUS_OFFSET 0x18 #define CXLDEV_MBOX_PAYLOAD_OFFSET 0x20 -#define CXL_COMPONENT_REGS() \ - void __iomem *hdm_decoder - -#define CXL_DEVICE_REGS() \ - void __iomem *status; \ - void __iomem *mbox; \ - void __iomem *memdev - -/* See note for 'struct cxl_regs' for the rationale of this organization */ -/* - * CXL_COMPONENT_REGS - Common set of CXL Component register block base pointers - * @hdm_decoder: CXL 2.0 8.2.5.12 CXL HDM Decoder Capability Structure - */ -struct cxl_component_regs { - CXL_COMPONENT_REGS(); -}; - -/* See note for 'struct cxl_regs' for the rationale of this organization */ -/* - * CXL_DEVICE_REGS - Common set of CXL Device register block base pointers - * @status: CXL 2.0 8.2.8.3 Device Status Registers - * @mbox: CXL 2.0 8.2.8.4 Mailbox Registers - * @memdev: CXL 2.0 8.2.8.5 Memory Device Registers - */ -struct cxl_device_regs { - CXL_DEVICE_REGS(); -}; - /* - * Note, the anonymous union organization allows for per - * register-block-type helper routines, without requiring block-type - * agnostic code to include the prefix. + * Using struct_group() allows for per register-block-type helper routines, + * without requiring block-type agnostic code to include the prefix. 
*/ struct cxl_regs { - union { - struct { - CXL_COMPONENT_REGS(); - }; - struct cxl_component_regs component; - }; - union { - struct { - CXL_DEVICE_REGS(); - }; - struct cxl_device_regs device_regs; - }; + /* + * Common set of CXL Component register block base pointers + * @hdm_decoder: CXL 2.0 8.2.5.12 CXL HDM Decoder Capability Structure + */ + struct_group_tagged(cxl_component_regs, component, + void __iomem *hdm_decoder; + ); + /* + * Common set of CXL Device register block base pointers + * @status: CXL 2.0 8.2.8.3 Device Status Registers + * @mbox: CXL 2.0 8.2.8.4 Mailbox Registers + * @memdev: CXL 2.0 8.2.8.5 Memory Device Registers + */ + struct_group_tagged(cxl_device_regs, device_regs, + void __iomem *status, *mbox, *memdev; + ); }; struct cxl_reg_map {
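Review bot: In the drivers/cxl/cxl.h hunk, struct cxl_component_regs and struct cxl_device_regs now exist only as the TAG argument of struct_group_tagged() inside struct cxl_regs, so a search for `struct cxl_device_regs {` no longer finds a definition. The two replacement comments keep the `@hdm_decoder:`, `@status:`, `@mbox:` and `@memdev:` lines but no longer name the struct they describe; adding that name to each comment would keep the types discoverable. Collapsing the device pointers into `void __iomem *status, *mbox, *memdev;` also drops the one-declaration-per-line form the removed CXL_DEVICE_REGS() macro used. Separately, the commit message says struct_group_typed() while the hunk uses struct_group_tagged(); the two should agree.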
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Michael Chan, "Gustavo A . R . Silva", Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 06/25] bnxt_en: Use struct_group_attr() for memcpy() region
Date: Sun, 22 Aug 2021 00:51:03 -0700
Message-Id: <20210822075122.864511-7-keescook@chromium.org>

In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields.

Use struct_group() around members queue_id, min_bw, max_bw, tsa, pri_lvl, and bw_weight so they can be referenced together. This will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of queue_id.

"pahole" shows no size nor member offset changes to struct bnxt_cos2bw_cfg. "objdump -d" shows no meaningful object code changes (i.e. only source line number induced differences and optimizations).

Signed-off-by: Kees Cook
Reviewed-by: Michael Chan
Link: https://lore.kernel.org/lkml/CACKFLinDc6Y+P8eZ=450yA1nMC7swTURLtcdyiNR=9J6dfFyBg@mail.gmail.com
Reviewed-by: Gustavo A. R. Silva
Link: https://lore.kernel.org/lkml/20210728044517.GE35706@embeddedor
--- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 4 ++-- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.h | 14 ++++++++------ 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c index 8e90224c43a2..2ddebbfc9cc9 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c
@@ -148,10 +148,10 @@ static int bnxt_hwrm_queue_cos2bw_qcfg(struct bnxt *bp, struct ieee_ets *ets) } data = &resp->queue_id0 + offsetof(struct bnxt_cos2bw_cfg, queue_id); - for (i = 0; i < bp->max_tc; i++, data += sizeof(cos2bw) - 4) { + for (i = 0; i < bp->max_tc; i++, data += sizeof(cos2bw.cfg)) { int tc; - memcpy(&cos2bw.queue_id, data, sizeof(cos2bw) - 4); + memcpy(&cos2bw.cfg, data, sizeof(cos2bw.cfg)); if (i == 0) cos2bw.queue_id = resp->queue_id0; diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.h index 6eed231de565..716742522161 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.h +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.h 
@@ -23,13 +23,15 @@ struct bnxt_dcb { struct bnxt_cos2bw_cfg { u8 pad[3]; - u8 queue_id; - __le32 min_bw; - __le32 max_bw; + struct_group_attr(cfg, __packed, + u8 queue_id; + __le32 min_bw; + __le32 max_bw; #define BW_VALUE_UNIT_PERCENT1_100 (0x1UL << 29) - u8 tsa; - u8 pri_lvl; - u8 bw_weight; + u8 tsa; + u8 pri_lvl; + u8 bw_weight; + ); u8 unused; };
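Review bot: In the bnxt_dcb.h hunk the unchanged `#define BW_VALUE_UNIT_PERCENT1_100 (0x1UL << 29)` line now sits inside the argument list of struct_group_attr(), and a preprocessing directive inside a macro invocation's arguments is undefined behaviour in C. Move the #define below the closing `);` or above the struct, so that the member list passed to the macro contains only declarations. A short comment on why __packed is needed would also help: the group starts directly after `u8 pad[3]`, so the grouped copy must not be realigned for its __le32 members.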
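The struct_group() commit message and the bnxt_en conversion both depend on the group keeping the size and offsets of the members it wraps; the following userspace program is an added example, not code from this series, that checks both. Its macros restate the patch's __struct_group() with standard __VA_ARGS__, and demo_packed, copy_thing(), copy_sample(), the cos2bw_* structs and the layout helpers are names assumed for this example; it expects GCC or Clang.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Userspace restatement of the patch's __struct_group(): an anonymous union
 * of an anonymous struct and a named struct with identical members. It uses
 * standard __VA_ARGS__ rather than the kernel's named variadic parameter.
 */
#define struct_group_attr(NAME, ATTRS, ...) \
	union { \
		struct { __VA_ARGS__ } ATTRS; \
		struct { __VA_ARGS__ } ATTRS NAME; \
	}
#define struct_group(NAME, ...) \
	struct_group_attr(NAME, /* no attrs */, __VA_ARGS__)
#define demo_packed __attribute__((__packed__)) /* stand-in for __packed */

/* struct foo as declared in the commit message. */
struct foo {
	int one;
	struct_group(thing,
		int two;
		int three, four;
	);
	int five;
};

/* Open-coded bound: needs "five", a member outside the region being sized. */
size_t thing_size_open_coded(void)
{
	return offsetof(struct foo, five) - offsetof(struct foo, two);
}

/* struct_group() bound: the region is an object, so sizeof() describes it. */
size_t thing_size(void) { return sizeof(((struct foo *)0)->thing); }

/* The bounded copy from the commit message, wrapped in a function. */
int copy_thing(struct foo *dst, const struct foo *src, size_t length)
{
	if (length > sizeof(src->thing))
		return -EINVAL;
	memcpy(&dst->thing, &src->thing, length);
	return 0;
}

struct copy_result { int err; struct foo dst; };

/* Constructed sample: copy into a dst whose int members all start as -1. */
struct copy_result copy_sample(size_t length)
{
	struct foo src;
	struct copy_result r;

	src.one = 1; src.two = 2; src.three = 3; src.four = 4; src.five = 5;
	memset(&r.dst, 0xff, sizeof(r.dst));
	r.err = copy_thing(&r.dst, &src, length);
	return r;
}

/* Grouped members of struct bnxt_cos2bw_cfg, from the bnxt_en hunk. */
#define COS2BW_MEMBERS \
	uint8_t queue_id; uint32_t min_bw; uint32_t max_bw; \
	uint8_t tsa; uint8_t pri_lvl; uint8_t bw_weight;

struct cos2bw_plain { uint8_t pad[3]; COS2BW_MEMBERS uint8_t unused; };
struct cos2bw_packed {		/* struct_group_attr(cfg, __packed, ...) */
	uint8_t pad[3];
	struct_group_attr(cfg, demo_packed, COS2BW_MEMBERS);
	uint8_t unused;
};
struct cos2bw_unpacked {	/* the same group without the attribute */
	uint8_t pad[3];
	struct_group(cfg, COS2BW_MEMBERS);
	uint8_t unused;
};

struct layout { size_t queue_id_off, min_bw_off, group_size, total; };
#define LAYOUT_OF(T) ((struct layout){ offsetof(T, queue_id), \
	offsetof(T, min_bw), sizeof(((T *)0)->cfg), sizeof(T) })

/* The "sizeof(cos2bw) - 4" that the hunk replaces with sizeof(cos2bw.cfg). */
size_t plain_group_size(void) { return sizeof(struct cos2bw_plain) - 4; }
struct layout layout_packed(void) { return LAYOUT_OF(struct cos2bw_packed); }
struct layout layout_unpacked(void) { return LAYOUT_OF(struct cos2bw_unpacked); }

int main(void)
{
	struct layout p = layout_packed(), u = layout_unpacked();

	printf("foo.thing is %zu bytes\n", thing_size());
	printf("oversized copy returns %d\n", copy_sample(thing_size() + 1).err);
	printf("packed:   queue_id@%zu min_bw@%zu cfg=%zu total=%zu\n",
	       p.queue_id_off, p.min_bw_off, p.group_size, p.total);
	printf("unpacked: queue_id@%zu min_bw@%zu cfg=%zu total=%zu\n",
	       u.queue_id_off, u.min_bw_off, u.group_size, u.total);
	return 0;
}
```

Without the packed attribute the group is realigned for its 32-bit members, which moves queue_id and grows the struct; with it, the grouped layout matches the plain declaration.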
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Joerg Roedel, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 07/25] iommu/amd: Use struct_group() for memcpy() region
Date: Sun, 22 Aug 2021 00:51:04 -0700
Message-Id: <20210822075122.864511-8-keescook@chromium.org>

In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields.

Use struct_group() in struct ivhd_entry around members ext and hidh, so they can be referenced together. This will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of ext.

"pahole" shows no size nor member offset changes to struct ivhd_entry. "objdump -d" shows no object code changes.

Acked-by: Joerg Roedel
Signed-off-by: Kees Cook
--- drivers/iommu/amd/init.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c index 46280e6e1535..2df84737417b 100644 --- a/drivers/iommu/amd/init.c +++ b/drivers/iommu/amd/init.c @@ -121,8 +121,10 @@ struct ivhd_entry { u8 type; u16 devid; u8 flags; - u32 ext; - u32 hidh; + struct_group(ext_hid, + u32 ext; + u32 hidh; + ); u64 cid; u8 uidf; u8 uidl;
@@ -1378,7 +1380,8 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu, break; } - memcpy(hid, (u8 *)(&e->ext), ACPIHID_HID_LEN - 1); + BUILD_BUG_ON(sizeof(e->ext_hid) != ACPIHID_HID_LEN - 1); + memcpy(hid, &e->ext_hid, ACPIHID_HID_LEN - 1); hid[ACPIHID_HID_LEN - 1] = '\0'; if (!(*hid)) {
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Daniel Vetter, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 08/25] drm/mga/mga_ioc32: Use struct_group() for memcpy() region
Date: Sun, 22 Aug 2021 00:51:05 -0700
Message-Id: <20210822075122.864511-9-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields.

Use struct_group() in struct drm32_mga_init around members chipset, sgram, maccess, fb_cpp, front_offset, front_pitch, back_offset, back_pitch, depth_cpp, depth_offset, depth_pitch, texture_offset, and texture_size, so they can be referenced together. This will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of chipset.

"pahole" shows no size nor member offset changes to struct drm32_mga_init. "objdump -d" shows no meaningful object code changes (i.e. only source line number induced differences and optimizations).

Note that since this is a UAPI header, __struct_group() is used directly.

Signed-off-by: Kees Cook
Acked-by: Daniel Vetter
Link: https://lore.kernel.org/lkml/YQKa76A6XuFqgM03@phenom.ffwll.local
---
 drivers/gpu/drm/mga/mga_ioc32.c | 27 ++++++++++++++-------------
 include/uapi/drm/mga_drm.h | 22 ++++++++++++----------
 2 files changed, 26 insertions(+), 23 deletions(-)
diff --git a/drivers/gpu/drm/mga/mga_ioc32.c b/drivers/gpu/drm/mga/mga_ioc32.c index 4fd4de16cd32..894472921c30 100644 --- a/drivers/gpu/drm/mga/mga_ioc32.c +++ b/drivers/gpu/drm/mga/mga_ioc32.c
@@ -38,16 +38,18 @@ typedef struct drm32_mga_init { int func; u32 sarea_priv_offset; - int chipset; - int sgram; - unsigned int maccess; - unsigned int fb_cpp; - unsigned int front_offset, front_pitch; - unsigned int back_offset, back_pitch; - unsigned int depth_cpp; - unsigned int depth_offset, depth_pitch; - unsigned int texture_offset[MGA_NR_TEX_HEAPS]; - unsigned int texture_size[MGA_NR_TEX_HEAPS]; + struct_group(always32bit, + int chipset; + int sgram; + unsigned int maccess; + unsigned int fb_cpp; + unsigned int front_offset, front_pitch; + unsigned int back_offset, back_pitch; + unsigned int depth_cpp; + unsigned int depth_offset, depth_pitch; + unsigned int texture_offset[MGA_NR_TEX_HEAPS]; + unsigned int texture_size[MGA_NR_TEX_HEAPS]; + ); u32 fb_offset; u32 mmio_offset; u32 status_offset; @@ -67,9 +69,8 @@ static int compat_mga_init(struct file *file, unsigned int cmd, init.func = init32.func; init.sarea_priv_offset = init32.sarea_priv_offset; - memcpy(&init.chipset, &init32.chipset, - offsetof(drm_mga_init_t, fb_offset) - - offsetof(drm_mga_init_t, chipset)); + memcpy(&init.always32bit, &init32.always32bit, + sizeof(init32.always32bit)); init.fb_offset = init32.fb_offset; init.mmio_offset = init32.mmio_offset; init.status_offset = init32.status_offset; diff --git a/include/uapi/drm/mga_drm.h b/include/uapi/drm/mga_drm.h index 8c4337548ab5..bb31567e66c0 100644 --- a/include/uapi/drm/mga_drm.h +++ b/include/uapi/drm/mga_drm.h 
@@ -279,20 +279,22 @@ typedef struct drm_mga_init { unsigned long sarea_priv_offset; - int chipset; - int sgram; + __struct_group(/* no tag */, always32bit, /* no attrs */, + int chipset; + int sgram; - unsigned int maccess; + unsigned int maccess; - unsigned int fb_cpp; - unsigned int front_offset, front_pitch; - unsigned int back_offset, back_pitch; + unsigned int fb_cpp; + unsigned int front_offset, front_pitch; + unsigned int back_offset, back_pitch; - unsigned int depth_cpp; - unsigned int depth_offset, depth_pitch; + unsigned int depth_cpp; + unsigned int depth_offset, depth_pitch; - unsigned int texture_offset[MGA_NR_TEX_HEAPS]; - unsigned int texture_size[MGA_NR_TEX_HEAPS]; + unsigned int texture_offset[MGA_NR_TEX_HEAPS]; + unsigned int texture_size[MGA_NR_TEX_HEAPS]; + ); unsigned long fb_offset; unsigned long mmio_offset;
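Review bot: in compat_mga_init() the copy length changes from offsetof(drm_mga_init_t, fb_offset) - offsetof(drm_mga_init_t, chipset) to sizeof(init32.always32bit), and these are not obviously the same number. The group holds 11 + 2 * MGA_NR_TEX_HEAPS four-byte members and, in drm_mga_init_t, sits between two unsigned long fields, so where unsigned long is 8 bytes the old span would also have covered 4 bytes of padding before fb_offset. The shorter copy looks harmless, but the commit message describes the object code as unchanged apart from line numbers and optimizations, so please state explicitly that the length shrinks. Since the two always32bit groups are declared separately in mga_ioc32.c and mga_drm.h, a BUILD_BUG_ON(sizeof(init.always32bit) != sizeof(init32.always32bit)) next to the memcpy() would stop them drifting apart.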
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Jiri Kosina, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 09/25] HID: cp2112: Use struct_group() for memcpy() region
Date: Sun, 22 Aug 2021 00:51:06 -0700
Message-Id: <20210822075122.864511-10-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields.

Use struct_group() in struct cp2112_string_report around members report, length, type, and string, so they can be referenced together. This will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of report.

"pahole" shows no size nor member offset changes to struct cp2112_string_report. "objdump -d" shows no meaningful object code changes (i.e. only source line number induced differences.)

Acked-by: Jiri Kosina
Link: https://lore.kernel.org/lkml/nycvar.YFH.7.76.2108201810560.15313@cbobk.fhfr.pm
Signed-off-by: Kees Cook
---
 drivers/hid/hid-cp2112.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c index 477baa30889c..ece147d1a278 100644 --- a/drivers/hid/hid-cp2112.c +++ b/drivers/hid/hid-cp2112.c @@ -129,10 +129,12 @@ struct cp2112_xfer_status_report { struct cp2112_string_report { u8 dummy; /* force .string to be aligned */ - u8 report; /* CP2112_*_STRING */ - u8 length; /* length in bytes of everyting after .report */ - u8 type; /* USB_DT_STRING */ - wchar_t string[30]; /* UTF16_LITTLE_ENDIAN string */ + struct_group_attr(contents, __packed, + u8 report; /* CP2112_*_STRING */ + u8 length; /* length in bytes of everything after .report */ + u8 type; /* USB_DT_STRING */ + wchar_t string[30]; /* UTF16_LITTLE_ENDIAN string */ + ); } __packed; /* Number of times to request transfer status before giving up waiting for a
@@ -986,8 +988,8 @@ static ssize_t pstr_show(struct device *kdev, u8 length; int ret; - ret = cp2112_hid_get(hdev, attr->report, &report.report, - sizeof(report) - 1, HID_FEATURE_REPORT); + ret = cp2112_hid_get(hdev, attr->report, (u8 *)&report.contents, + sizeof(report.contents), HID_FEATURE_REPORT); if (ret < 3) { hid_err(hdev, "error reading %s string: %d\n", kattr->attr.name, ret);
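Review bot: the __packed passed to struct_group_attr() in struct cp2112_string_report repeats the attribute already on the outer struct, and nothing in the hunk says why both are needed. A short comment that the group's inner struct does not inherit packing from the enclosing one, so that without it string would be re-aligned inside the group and sizeof(report.contents) would stop matching the old sizeof(report) - 1, would keep a later cleanup from dropping it. A BUILD_BUG_ON(sizeof(report.contents) != sizeof(report) - 1) in pstr_show() would enforce what the commit message currently rests on pahole for.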
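The layout effects that the 08/25 and 09/25 commit messages rely on, as an added userspace example (not kernel code and not part of the series). The two macros are a stand-in assumed to mirror the shape of __struct_group(), and the structs init32, init_native, report_plain and report_packed are constructed, cut-down versions of the ones in the patches; it shows that sizeof() on a group excludes padding that offsetof() arithmetic counts, and that a group inside a packed struct needs its own packed attribute.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel grouping macros (assumed shape: that of
 * __struct_group(), minus the tag). Members are declared twice in an anonymous
 * union: anonymously, so s.chipset still works, and as a named struct, so
 * s.NAME is one object with its own address and sizeof. */
#define struct_group_attr(NAME, ATTRS, ...) \
	union { \
		struct { __VA_ARGS__ } ATTRS; \
		struct { __VA_ARGS__ } ATTRS NAME; \
	}
#define struct_group(NAME, ...) struct_group_attr(NAME, /* no attrs */, __VA_ARGS__)

/* Constructed pair shaped like drm32_mga_init / drm_mga_init (fewer members). */
struct init32 {
	int func;
	uint32_t sarea_priv_offset;
	struct_group(always32bit,
		int chipset;
		int sgram;
		unsigned int maccess;
		unsigned int texture_offset[2];
	);
	uint32_t fb_offset;
};

struct init_native {
	int func;
	unsigned long sarea_priv_offset;
	struct_group(always32bit,
		int chipset;
		int sgram;
		unsigned int maccess;
		unsigned int texture_offset[2];
	);
	unsigned long fb_offset;
};

/* Pre-patch style length: offset arithmetic, which also counts padding. */
size_t span_by_offsetof(void)
{
	return offsetof(struct init_native, fb_offset) -
	       offsetof(struct init_native, chipset);
}

/* Post-patch style length: exactly the bytes of the grouped members. */
size_t span_by_group(void)
{
	return sizeof(((struct init32 *)0)->always32bit);
}

/* Compat conversion: the shared run is copied as one bounded object. */
void compat_copy(struct init_native *dst, const struct init32 *src)
{
	_Static_assert(sizeof(dst->always32bit) == sizeof(src->always32bit),
		       "the two groups must stay the same size");
	dst->func = src->func;
	dst->sarea_priv_offset = src->sarea_priv_offset;
	memcpy(&dst->always32bit, &src->always32bit, sizeof(src->always32bit));
	dst->fb_offset = src->fb_offset;
}

/* Constructed report shaped like cp2112_string_report (uint16_t for wchar_t).
 * Outer packed does not repack the group's inner structs; compare the sizes. */
struct report_plain {
	uint8_t dummy;
	struct_group(contents,
		uint8_t report;
		uint8_t length;
		uint8_t type;
		uint16_t string[30];
	);
} __attribute__((packed));

struct report_packed {
	uint8_t dummy;
	struct_group_attr(contents, __attribute__((packed)),
		uint8_t report;
		uint8_t length;
		uint8_t type;
		uint16_t string[30];
	);
} __attribute__((packed));

size_t plain_total(void)  { return sizeof(struct report_plain); }
size_t plain_group(void)  { return sizeof(((struct report_plain *)0)->contents); }
size_t packed_total(void) { return sizeof(struct report_packed); }
size_t packed_group(void) { return sizeof(((struct report_packed *)0)->contents); }

int main(void)
{
	printf("offsetof span %zu, group %zu\n", span_by_offsetof(), span_by_group());
	printf("plain %zu/%zu, packed %zu/%zu\n", plain_total(), plain_group(),
	       packed_total(), packed_group());
	return 0;
}
```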
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Jiri Kosina, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 10/25] HID: roccat: Use struct_group() to zero kone_mouse_event
Date: Sun, 22 Aug 2021 00:51:07 -0700
Message-Id: <20210822075122.864511-11-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields.

Add struct_group() to mark region of struct kone_mouse_event that should be initialized to zero.

Acked-by: Jiri Kosina
Link: https://lore.kernel.org/lkml/nycvar.YFH.7.76.2108201810560.15313@cbobk.fhfr.pm
Signed-off-by: Kees Cook
---
 drivers/hid/hid-roccat-kone.c | 2 +-
 drivers/hid/hid-roccat-kone.h | 12 +++++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/drivers/hid/hid-roccat-kone.c b/drivers/hid/hid-roccat-kone.c index 1ca64481145e..ea17abc7ad52 100644 --- a/drivers/hid/hid-roccat-kone.c +++ b/drivers/hid/hid-roccat-kone.c @@ -857,7 +857,7 @@ static int kone_raw_event(struct hid_device *hdev, struct hid_report *report, memcpy(&kone->last_mouse_event, event, sizeof(struct kone_mouse_event)); else - memset(&event->tilt, 0, 5); + memset(&event->wipe, 0, sizeof(event->wipe)); kone_keep_values_up_to_date(kone, event); diff --git a/drivers/hid/hid-roccat-kone.h b/drivers/hid/hid-roccat-kone.h index 4a1a9cb76b08..65c800e3addc 100644 --- a/drivers/hid/hid-roccat-kone.h +++ b/drivers/hid/hid-roccat-kone.h
@@ -152,11 +152,13 @@ struct kone_mouse_event { uint16_t x; uint16_t y; uint8_t wheel; /* up = 1, down = -1 */ - uint8_t tilt; /* right = 1, left = -1 */ - uint8_t unknown; - uint8_t event; - uint8_t value; /* press = 0, release = 1 */ - uint8_t macro_key; /* 0 to 8 */ + struct_group(wipe, + uint8_t tilt; /* right = 1, left = -1 */ + uint8_t unknown; + uint8_t event; + uint8_t value; /* press = 0, release = 1 */ + uint8_t macro_key; /* 0 to 8 */ + ); } __attribute__ ((__packed__)); enum kone_mouse_events {
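Review bot: struct kone_mouse_event is declared __attribute__ ((__packed__)), but the new group in it uses plain struct_group(), so the group's inner struct is not packed. All five members are uint8_t, so sizeof(event->wipe) is still the 5 that the old memset() hard-coded, but a wider member added to the group later would be padded inside it and change the layout of a packed wire structure. Using struct_group_attr(wipe, __packed, ...), as the cp2112 patch in this series does, would keep the group tied to the outer struct's packing. The commit message would also benefit from the pahole and objdump statement that patches 08 and 09 carry.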
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Marc Kleine-Budde, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 11/25] can: flexcan: Use struct_group() to zero struct flexcan_regs regions
Date: Sun, 22 Aug 2021 00:51:08 -0700
Message-Id: <20210822075122.864511-12-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields.

Add struct_group() to mark both regions of struct flexcan_regs that get initialized to zero. Avoid the future warnings:

In function 'fortify_memset_chk',
    inlined from 'memset_io' at ./include/asm-generic/io.h:1169:2,
    inlined from 'flexcan_ram_init' at drivers/net/can/flexcan.c:1403:2:
./include/linux/fortify-string.h:199:4: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning]
  199 | __write_overflow_field(p_size_field, size);
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'fortify_memset_chk',
    inlined from 'memset_io' at ./include/asm-generic/io.h:1169:2,
    inlined from 'flexcan_ram_init' at drivers/net/can/flexcan.c:1408:3:
./include/linux/fortify-string.h:199:4: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning]
  199 | __write_overflow_field(p_size_field, size);
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Acked-by: Marc Kleine-Budde
Signed-off-by: Kees Cook
---
 drivers/net/can/flexcan.c | 68 +++++++++++++++++++--------------------
 1 file changed, 34 insertions(+), 34 deletions(-)
diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c index 57f3635ad8d7..b1a261622b76 100644 --- a/drivers/net/can/flexcan.c +++ b/drivers/net/can/flexcan.c
@@ -284,31 +284,33 @@ struct flexcan_regs { u32 dbg1; /* 0x58 */ u32 dbg2; /* 0x5c */ u32 _reserved3[8]; /* 0x60 */ - u8 mb[2][512]; /* 0x80 - Not affected by Soft Reset */ - /* FIFO-mode: - * MB - * 0x080...0x08f 0 RX message buffer - * 0x090...0x0df 1-5 reserved - * 0x0e0...0x0ff 6-7 8 entry ID table - * (mx25, mx28, mx35, mx53) - * 0x0e0...0x2df 6-7..37 8..128 entry ID table - * size conf'ed via ctrl2::RFFN - * (mx6, vf610) - */ - u32 _reserved4[256]; /* 0x480 */ - u32 rximr[64]; /* 0x880 - Not affected by Soft Reset */ - u32 _reserved5[24]; /* 0x980 */ - u32 gfwr_mx6; /* 0x9e0 - MX6 */ - u32 _reserved6[39]; /* 0x9e4 */ - u32 _rxfir[6]; /* 0xa80 */ - u32 _reserved8[2]; /* 0xa98 */ - u32 _rxmgmask; /* 0xaa0 */ - u32 _rxfgmask; /* 0xaa4 */ - u32 _rx14mask; /* 0xaa8 */ - u32 _rx15mask; /* 0xaac */ - u32 tx_smb[4]; /* 0xab0 */ - u32 rx_smb0[4]; /* 0xac0 */ - u32 rx_smb1[4]; /* 0xad0 */ + struct_group(init, + u8 mb[2][512]; /* 0x80 - Not affected by Soft Reset */ + /* FIFO-mode: + * MB + * 0x080...0x08f 0 RX message buffer + * 0x090...0x0df 1-5 reserved + * 0x0e0...0x0ff 6-7 8 entry ID table + * (mx25, mx28, mx35, mx53) + * 0x0e0...0x2df 6-7..37 8..128 entry ID table + * size conf'ed via ctrl2::RFFN + * (mx6, vf610) + */ + u32 _reserved4[256]; /* 0x480 */ + u32 rximr[64]; /* 0x880 - Not affected by Soft Reset */ + u32 _reserved5[24]; /* 0x980 */ + u32 gfwr_mx6; /* 0x9e0 - MX6 */ + u32 _reserved6[39]; /* 0x9e4 */ + u32 _rxfir[6]; /* 0xa80 */ + u32 _reserved8[2]; /* 0xa98 */ + u32 _rxmgmask; /* 0xaa0 */ + u32 _rxfgmask; /* 0xaa4 */ + u32 _rx14mask; /* 0xaa8 */ + u32 _rx15mask; /* 0xaac */ + u32 tx_smb[4]; /* 0xab0 */ + u32 rx_smb0[4]; /* 0xac0 */ + u32 rx_smb1[4]; /* 0xad0 */ + ); u32 mecr; /* 0xae0 */ u32 erriar; /* 0xae4 */ u32 erridpr; /* 0xae8 */ 
@@ -322,9 +324,11 @@ struct flexcan_regs { u32 fdcbt; /* 0xc04 - Not affected by Soft Reset */ u32 fdcrc; /* 0xc08 */ u32 _reserved9[199]; /* 0xc0c */ - u32 tx_smb_fd[18]; /* 0xf28 */ - u32 rx_smb0_fd[18]; /* 0xf70 */ - u32 rx_smb1_fd[18]; /* 0xfb8 */ + struct_group(init_fd, + u32 tx_smb_fd[18]; /* 0xf28 */ + u32 rx_smb0_fd[18]; /* 0xf70 */ + u32 rx_smb1_fd[18]; /* 0xfb8 */ + ); }; static_assert(sizeof(struct flexcan_regs) == 0x4 * 18 + 0xfb8); 
@@ -1379,14 +1383,10 @@ static void flexcan_ram_init(struct net_device *dev) reg_ctrl2 |= FLEXCAN_CTRL2_WRMFRZ; priv->write(reg_ctrl2, ®s->ctrl2); - memset_io(®s->mb[0][0], 0, - offsetof(struct flexcan_regs, rx_smb1[3]) - - offsetof(struct flexcan_regs, mb[0][0]) + 0x4); + memset_io(®s->init, 0, sizeof(regs->init)); if (priv->can.ctrlmode & CAN_CTRLMODE_FD) - memset_io(®s->tx_smb_fd[0], 0, - offsetof(struct flexcan_regs, rx_smb1_fd[17]) - - offsetof(struct flexcan_regs, tx_smb_fd[0]) + 0x4); + memset_io(®s->init_fd, 0, sizeof(regs->init_fd)); reg_ctrl2 &= ~FLEXCAN_CTRL2_WRMFRZ; priv->write(reg_ctrl2, ®s->ctrl2);
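Review bot: In the two struct flexcan_regs hunks, the new groups are named init and init_fd with no comment saying what they are for, so a reader of the register map has to find flexcan_ram_init() to learn that these are the regions it clears. Suggest a one-line comment above each struct_group() tying the group to flexcan_ram_init(), or a more specific group name.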
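Review bot: In the flexcan_ram_init() hunk, both memset_io() lengths now come from sizeof(regs->init) and sizeof(regs->init_fd), but nothing pins the groups to the ranges the old offsetof() arithmetic covered; the existing static_assert only checks the total size of struct flexcan_regs. Suggest adding asserts beside it on the offset and size of each group, using the offsets already given in the member comments (0x80 for init with mecr at 0xae0 directly after it, 0xf28 for init_fd), so that a later edit moving a member across a group boundary fails the build instead of silently changing which registers are zeroed.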
From patchwork Sun Aug 22 07:51:09 2021
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12451267
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Greg Kroah-Hartman, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 12/25] cm4000_cs: Use struct_group() to zero struct cm4000_dev region
Date: Sun, 22 Aug 2021 00:51:09 -0700
Message-Id: <20210822075122.864511-13-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields.

Add struct_group() to mark region of struct cm4000_dev that should be initialized to zero.

Signed-off-by: Kees Cook
Acked-by: Greg Kroah-Hartman
Link: https://lore.kernel.org/lkml/YQDvxAofJlI1JoGZ@kroah.com
--- drivers/char/pcmcia/cm4000_cs.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c index 8f1bce0b4fe5..adaec8fd4b16 100644 --- a/drivers/char/pcmcia/cm4000_cs.c +++ b/drivers/char/pcmcia/cm4000_cs.c @@ -116,8 +116,9 @@ struct cm4000_dev { wait_queue_head_t atrq; /* wait for ATR valid */ wait_queue_head_t readq; /* used by write to wake blk.read */ - /* warning: do not move this fields. + /* warning: do not move this struct group. * initialising to zero depends on it - see ZERO_DEV below. */ + struct_group(init, unsigned char atr_csum; unsigned char atr_len_retry; unsigned short atr_len;
@@ -140,12 +141,10 @@ struct cm4000_dev { struct timer_list timer; /* used to keep monitor running */ int monitor_running; + ); }; -#define ZERO_DEV(dev) \ - memset(&dev->atr_csum,0, \ - sizeof(struct cm4000_dev) - \ - offsetof(struct cm4000_dev, atr_csum)) +#define ZERO_DEV(dev) memset(&((dev)->init), 0, sizeof((dev)->init)) static struct pcmcia_device *dev_table[CM4000_MAX_DEV]; static struct class *cmm_class;
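Review bot: In the first struct cm4000_dev hunk, the reworded comment still warns "do not move this struct group" and says zeroing depends on its position, yet the new ZERO_DEV() addresses the region by name through (dev)->init, so position no longer matters. Suggest replacing the warning with a plain statement that the members inside struct_group(init, ...) are the ones ZERO_DEV() clears.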
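Review bot: In the ZERO_DEV() hunk, the old macro cleared from atr_csum to the end of struct cm4000_dev while the new one stops at the end of init, so a member later added after the closing ); will no longer be zeroed. That looks intended, but a short comment at the ); or above ZERO_DEV() would make future additions a deliberate choice.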
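The struct_group() pattern used by the flexcan and cm4000_cs patches above, as an added userspace example that is not code from the series. The struct_group() macro here is a simplified stand-in for the kernel one, struct demo_dev, checked_zero() and the zero_dev_*() helpers are hypothetical names, and checked_zero() only models a field-bounded memset() by refusing writes longer than the destination field.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified stand-in for the kernel's struct_group() (assumption: the real
 * macro also handles tags and attributes). The members are declared twice in
 * an anonymous union: once anonymously, so dev->atr_len keeps working, and
 * once under NAME, so the whole region has one address and one sizeof.
 */
#define struct_group(NAME, ...)              \
	union {                              \
		struct { __VA_ARGS__ };      \
		struct { __VA_ARGS__ } NAME; \
	}

/* Hypothetical device state, loosely shaped like the cm4000_dev case. */
struct demo_dev {
	int open_count;     /* must survive a reset */
	char node_name[8];  /* must survive a reset */
	struct_group(init,
		unsigned char atr_csum;
		unsigned short atr_len;
		unsigned char atr[33];
		int monitor_running;
	);
};

/*
 * Model of a field-bounded memset(): the caller passes the size of the
 * destination field, and a longer write is refused instead of spilling into
 * the neighbouring fields. Returns 0 on success, -1 on refusal.
 */
static int checked_zero(void *dst, size_t dst_field_size, size_t len)
{
	if (len > dst_field_size)
		return -1;
	memset(dst, 0, len);
	return 0;
}

/* Old style: destination is the first field, length runs to the struct end. */
static int zero_dev_old(struct demo_dev *dev)
{
	return checked_zero(&dev->atr_csum, sizeof(dev->atr_csum),
			    sizeof(*dev) - offsetof(struct demo_dev, atr_csum));
}

/* New style: destination is the named group, length is the group's size. */
static int zero_dev_new(struct demo_dev *dev)
{
	return checked_zero(&dev->init, sizeof(dev->init), sizeof(dev->init));
}

int main(void)
{
	struct demo_dev dev;

	memset(&dev, 0xAA, sizeof(dev));
	dev.open_count = 3;

	printf("old style: %s\n", zero_dev_old(&dev) ? "refused" : "allowed");
	printf("new style: %s\n", zero_dev_new(&dev) ? "refused" : "allowed");
	printf("open_count=%d atr_len=%u\n", dev.open_count,
	       (unsigned int)dev.atr_len);
	return 0;
}
```
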
From patchwork Sun Aug 22 07:51:10 2021
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12451265
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Nick Desaulniers, Miguel Ojeda, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 13/25] compiler_types.h: Remove __compiletime_object_size()
Date: Sun, 22 Aug 2021 00:51:10 -0700
Message-Id: <20210822075122.864511-14-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

Since all compilers support __builtin_object_size(), and there is only one user of __compiletime_object_size, remove it to avoid the needless indirection. This lets Clang reason about check_copy_size() correctly.

Link: https://github.com/ClangBuiltLinux/linux/issues/1179
Suggested-by: Nick Desaulniers
Reviewed-by: Miguel Ojeda
Signed-off-by: Kees Cook
--- include/linux/compiler-gcc.h | 2 -- include/linux/compiler_types.h | 4 ---- include/linux/thread_info.h | 2 +- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h index cb9217fc60af..01985821944b 100644 --- a/include/linux/compiler-gcc.h +++ b/include/linux/compiler-gcc.h @@ -41,8 +41,6 @@ #define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) -#define __compiletime_object_size(obj) __builtin_object_size(obj, 0) - #define __compiletime_warning(message) __attribute__((__warning__(message))) #define __compiletime_error(message) __attribute__((__error__(message))) diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index e4ea86fc584d..c43308b0a9a9 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h @@ -290,10 +290,6 @@ struct ftrace_likely_data { (sizeof(t) == sizeof(char) || sizeof(t) == sizeof(short) || \ sizeof(t) == sizeof(int) || sizeof(t) == sizeof(long)) -/* Compile time object size, -1 for unknown */ -#ifndef __compiletime_object_size -# define __compiletime_object_size(obj) -1 -#endif #ifndef __compiletime_warning # define __compiletime_warning(message) #endif
diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h index 0999f6317978..ad0c4e041030 100644 --- a/include/linux/thread_info.h +++ b/include/linux/thread_info.h 
@@ -203,7 +203,7 @@ static inline void copy_overflow(int size, unsigned long count) static __always_inline __must_check bool check_copy_size(const void *addr, size_t bytes, bool is_source) { - int sz = __compiletime_object_size(addr); + int sz = __builtin_object_size(addr, 0); if (unlikely(sz >= 0 && sz < bytes)) { if (!__builtin_constant_p(bytes)) copy_overflow(sz, bytes);
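Review bot: In check_copy_size(), sz stays an int while __builtin_object_size() returns size_t, so the sz >= 0 test only works because the unknown-size result (size_t)-1 narrows to -1, and the comment removed from compiler_types.h ("-1 for unknown") was the only place that convention was written down. Suggest a comment on the sz declaration, or making sz a size_t and testing against (size_t)-1 explicitly.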
From patchwork Sun Aug 22 07:51:11 2021
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12451269
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Andy Shevchenko, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 14/25] lib/string: Move helper functions out of string.c
Date: Sun, 22 Aug 2021 00:51:11 -0700
Message-Id: <20210822075122.864511-15-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

The core functions of string.c are those that may be implemented by per-architecture functions, or overloaded by FORTIFY_SOURCE. As a result, it needs to be built with __NO_FORTIFY. Without this, macros will collide with function declarations. This was accidentally working due to -ffreestanding (on some architectures). Make this deterministic by explicitly setting __NO_FORTIFY and move all the helper functions into string_helpers.c so that they gain the fortification coverage they had been missing.

Acked-by: Andy Shevchenko
Signed-off-by: Kees Cook
--- arch/arm/boot/compressed/string.c | 1 + arch/s390/lib/string.c | 3 + arch/x86/boot/compressed/misc.h | 2 + arch/x86/boot/compressed/pgtable_64.c | 2 + arch/x86/lib/string_32.c | 1 + lib/string.c | 210 +------------------------- lib/string_helpers.c | 193 +++++++++++++++++++++++ 7 files changed, 208 insertions(+), 204 deletions(-) diff --git a/arch/arm/boot/compressed/string.c b/arch/arm/boot/compressed/string.c index 8c0fa276d994..fcc678fce045 100644 --- a/arch/arm/boot/compressed/string.c +++ b/arch/arm/boot/compressed/string.c @@ -5,6 +5,7 @@ * Small subset of simple string routines */ +#define __NO_FORTIFY #include /* diff --git a/arch/s390/lib/string.c b/arch/s390/lib/string.c index cfcdf76d6a95..392fb9f4f4db 100644 --- a/arch/s390/lib/string.c +++ b/arch/s390/lib/string.c @@ -8,6 +8,9 @@ */ #define IN_ARCH_STRING_C 1 +#ifndef __NO_FORTIFY +# define __NO_FORTIFY +#endif #include #include diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h index 31139256859f..49bde196da9b 100644 --- a/arch/x86/boot/compressed/misc.h +++ b/arch/x86/boot/compressed/misc.h
@@ -14,6 +14,8 @@ #undef CONFIG_KASAN #undef CONFIG_KASAN_GENERIC +#define __NO_FORTIFY + /* cpu_feature_enabled() cannot be used this early */ #define USE_EARLY_PGTABLE_L5 diff --git a/arch/x86/boot/compressed/pgtable_64.c b/arch/x86/boot/compressed/pgtable_64.c index 2a78746f5a4c..a1733319a22a 100644 --- a/arch/x86/boot/compressed/pgtable_64.c +++ b/arch/x86/boot/compressed/pgtable_64.c @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0 +#include "misc.h" #include #include #include diff --git a/arch/x86/lib/string_32.c b/arch/x86/lib/string_32.c index d15fdae9656e..53b3f202267c 100644 --- a/arch/x86/lib/string_32.c +++ b/arch/x86/lib/string_32.c @@ -11,6 +11,7 @@ * strings. */ +#define __NO_FORTIFY #include #include diff --git a/lib/string.c b/lib/string.c index 77bd0b1d3296..1e6259f263b8 100644 --- a/lib/string.c +++ b/lib/string.c @@ -6,20 +6,15 @@ */ /* - * stupid library routines.. The optimized versions should generally be found - * as inline code in + * This file should be used only for "library" routines that may have + * alternative implementations on specific architectures (generally + * found in ), or get overloaded by FORTIFY_SOURCE. + * (Specifically, this file is built with __NO_FORTIFY.) * - * These are buggy as well.. - * - * * Fri Jun 25 1999, Ingo Oeser - * - Added strsep() which will replace strtok() soon (because strsep() is - * reentrant and should be faster). Use only strsep() in new code, please. - * - * * Sat Feb 09 2002, Jason Thomas , - * Matthew Hawkins - * - Kissed strtok() goodbye + * Other helper functions should live in string_helpers.c. */ +#define __NO_FORTIFY #include #include #include 
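Review bot: The arch/s390/lib/string.c hunk wraps the define in #ifndef __NO_FORTIFY, while the arm string.c, x86 misc.h, x86 string_32.c and lib/string.c hunks define it unconditionally. Suggest using one form everywhere, or saying in the commit message why s390 needs the guard.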
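Review bot: The pgtable_64.c hunk adds an SPDX-License-Identifier line together with #include "misc.h", and the commit message mentions neither. Suggest moving the SPDX line to its own patch and adding a sentence that misc.h is included first so that its new __NO_FORTIFY define is in effect before the other headers are pulled in, if that is the reason.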
@@ -237,40 +232,6 @@ ssize_t strscpy(char *dest, const char *src, size_t count) EXPORT_SYMBOL(strscpy); #endif -/** - * strscpy_pad() - Copy a C-string into a sized buffer - * @dest: Where to copy the string to - * @src: Where to copy the string from - * @count: Size of destination buffer - * - * Copy the string, or as much of it as fits, into the dest buffer. The - * behavior is undefined if the string buffers overlap. The destination - * buffer is always %NUL terminated, unless it's zero-sized. - * - * If the source string is shorter than the destination buffer, zeros - * the tail of the destination buffer. - * - * For full explanation of why you may want to consider using the - * 'strscpy' functions please see the function docstring for strscpy(). - * - * Returns: - * * The number of characters copied (not including the trailing %NUL) - * * -E2BIG if count is 0 or @src was truncated. - */ -ssize_t strscpy_pad(char *dest, const char *src, size_t count) -{ - ssize_t written; - - written = strscpy(dest, src, count); - if (written < 0 || written == count - 1) - return written; - - memset(dest + written + 1, 0, count - written - 1); - - return written; -} -EXPORT_SYMBOL(strscpy_pad); - /** * stpcpy - copy a string from src to dest returning a pointer to the new end * of dest, including src's %NUL-terminator. May overrun dest. 
@@ -513,46 +474,6 @@ char *strnchr(const char *s, size_t count, int c) EXPORT_SYMBOL(strnchr); #endif -/** - * skip_spaces - Removes leading whitespace from @str. - * @str: The string to be stripped. - * - * Returns a pointer to the first non-whitespace character in @str. - */ -char *skip_spaces(const char *str) -{ - while (isspace(*str)) - ++str; - return (char *)str; -} -EXPORT_SYMBOL(skip_spaces); - -/** - * strim - Removes leading and trailing whitespace from @s. - * @s: The string to be stripped. - * - * Note that the first trailing whitespace is replaced with a %NUL-terminator - * in the given string @s. Returns a pointer to the first non-whitespace - * character in @s. - */ -char *strim(char *s) -{ - size_t size; - char *end; - - size = strlen(s); - if (!size) - return s; - - end = s + size - 1; - while (end >= s && isspace(*end)) - end--; - *(end + 1) = '\0'; - - return skip_spaces(s); -} -EXPORT_SYMBOL(strim); - #ifndef __HAVE_ARCH_STRLEN /** * strlen - Find the length of a string 
@@ -687,101 +608,6 @@ char *strsep(char **s, const char *ct) EXPORT_SYMBOL(strsep); #endif -/** - * sysfs_streq - return true if strings are equal, modulo trailing newline - * @s1: one string - * @s2: another string - * - * This routine returns true iff two strings are equal, treating both - * NUL and newline-then-NUL as equivalent string terminations. It's - * geared for use with sysfs input strings, which generally terminate - * with newlines but are compared against values without newlines. - */ -bool sysfs_streq(const char *s1, const char *s2) -{ - while (*s1 && *s1 == *s2) { - s1++; - s2++; - } - - if (*s1 == *s2) - return true; - if (!*s1 && *s2 == '\n' && !s2[1]) - return true; - if (*s1 == '\n' && !s1[1] && !*s2) - return true; - return false; -} -EXPORT_SYMBOL(sysfs_streq); - -/** - * match_string - matches given string in an array - * @array: array of strings - * @n: number of strings in the array or -1 for NULL terminated arrays - * @string: string to match with - * - * This routine will look for a string in an array of strings up to the - * n-th element in the array or until the first NULL element. - * - * Historically the value of -1 for @n, was used to search in arrays that - * are NULL terminated. However, the function does not make a distinction - * when finishing the search: either @n elements have been compared OR - * the first NULL element was found. - * - * Return: - * index of a @string in the @array if matches, or %-EINVAL otherwise. 
- */ -int match_string(const char * const *array, size_t n, const char *string) -{ - int index; - const char *item; - - for (index = 0; index < n; index++) { - item = array[index]; - if (!item) - break; - if (!strcmp(item, string)) - return index; - } - - return -EINVAL; -} -EXPORT_SYMBOL(match_string); - -/** - * __sysfs_match_string - matches given string in an array - * @array: array of strings - * @n: number of strings in the array or -1 for NULL terminated arrays - * @str: string to match with - * - * Returns index of @str in the @array or -EINVAL, just like match_string(). - * Uses sysfs_streq instead of strcmp for matching. - * - * This routine will look for a string in an array of strings up to the - * n-th element in the array or until the first NULL element. - * - * Historically the value of -1 for @n, was used to search in arrays that - * are NULL terminated. However, the function does not make a distinction - * when finishing the search: either @n elements have been compared OR - * the first NULL element was found. - */ -int __sysfs_match_string(const char * const *array, size_t n, const char *str) -{ - const char *item; - int index; - - for (index = 0; index < n; index++) { - item = array[index]; - if (!item) - break; - if (sysfs_streq(item, str)) - return index; - } - - return -EINVAL; -} -EXPORT_SYMBOL(__sysfs_match_string); - #ifndef __HAVE_ARCH_MEMSET /** * memset - Fill a region of memory with the given value 
@@ -1125,27 +951,3 @@ void *memchr_inv(const void *start, int c, size_t bytes) return check_bytes8(start, value, bytes % 8); } EXPORT_SYMBOL(memchr_inv); - -/** - * strreplace - Replace all occurrences of character in string. - * @s: The string to operate on. - * @old: The character being replaced. - * @new: The character @old is replaced with. - * - * Returns pointer to the nul byte at the end of @s. - */ -char *strreplace(char *s, char old, char new) -{ - for (; *s; ++s) - if (*s == old) - *s = new; - return s; -} -EXPORT_SYMBOL(strreplace); - -void fortify_panic(const char *name) -{ - pr_emerg("detected buffer overflow in %s\n", name); - BUG(); -} -EXPORT_SYMBOL(fortify_panic); diff --git a/lib/string_helpers.c b/lib/string_helpers.c index 5a35c7e16e96..e9433caab217 100644 --- a/lib/string_helpers.c +++ b/lib/string_helpers.c 
@@ -692,3 +692,196 @@ void kfree_strarray(char **array, size_t n) kfree(array); } EXPORT_SYMBOL_GPL(kfree_strarray); + +/** + * strscpy_pad() - Copy a C-string into a sized buffer + * @dest: Where to copy the string to + * @src: Where to copy the string from + * @count: Size of destination buffer + * + * Copy the string, or as much of it as fits, into the dest buffer. The + * behavior is undefined if the string buffers overlap. The destination + * buffer is always %NUL terminated, unless it's zero-sized. + * + * If the source string is shorter than the destination buffer, zeros + * the tail of the destination buffer. + * + * For full explanation of why you may want to consider using the + * 'strscpy' functions please see the function docstring for strscpy(). + * + * Returns: + * * The number of characters copied (not including the trailing %NUL) + * * -E2BIG if count is 0 or @src was truncated. + */ +ssize_t strscpy_pad(char *dest, const char *src, size_t count) +{ + ssize_t written; + + written = strscpy(dest, src, count); + if (written < 0 || written == count - 1) + return written; + + memset(dest + written + 1, 0, count - written - 1); + + return written; +} +EXPORT_SYMBOL(strscpy_pad); + +/** + * skip_spaces - Removes leading whitespace from @str. + * @str: The string to be stripped. + * + * Returns a pointer to the first non-whitespace character in @str. + */ +char *skip_spaces(const char *str) +{ + while (isspace(*str)) + ++str; + return (char *)str; +} +EXPORT_SYMBOL(skip_spaces); + +/** + * strim - Removes leading and trailing whitespace from @s. + * @s: The string to be stripped. + * + * Note that the first trailing whitespace is replaced with a %NUL-terminator + * in the given string @s. Returns a pointer to the first non-whitespace + * character in @s. 
+ */ +char *strim(char *s) +{ + size_t size; + char *end; + + size = strlen(s); + if (!size) + return s; + + end = s + size - 1; + while (end >= s && isspace(*end)) + end--; + *(end + 1) = '\0'; + + return skip_spaces(s); +} +EXPORT_SYMBOL(strim); + +/** + * sysfs_streq - return true if strings are equal, modulo trailing newline + * @s1: one string + * @s2: another string + * + * This routine returns true iff two strings are equal, treating both + * NUL and newline-then-NUL as equivalent string terminations. It's + * geared for use with sysfs input strings, which generally terminate + * with newlines but are compared against values without newlines. + */ +bool sysfs_streq(const char *s1, const char *s2) +{ + while (*s1 && *s1 == *s2) { + s1++; + s2++; + } + + if (*s1 == *s2) + return true; + if (!*s1 && *s2 == '\n' && !s2[1]) + return true; + if (*s1 == '\n' && !s1[1] && !*s2) + return true; + return false; +} +EXPORT_SYMBOL(sysfs_streq); + +/** + * match_string - matches given string in an array + * @array: array of strings + * @n: number of strings in the array or -1 for NULL terminated arrays + * @string: string to match with + * + * This routine will look for a string in an array of strings up to the + * n-th element in the array or until the first NULL element. + * + * Historically the value of -1 for @n, was used to search in arrays that + * are NULL terminated. However, the function does not make a distinction + * when finishing the search: either @n elements have been compared OR + * the first NULL element was found. + * + * Return: + * index of a @string in the @array if matches, or %-EINVAL otherwise. 
+ */ +int match_string(const char * const *array, size_t n, const char *string) +{ + int index; + const char *item; + + for (index = 0; index < n; index++) { + item = array[index]; + if (!item) + break; + if (!strcmp(item, string)) + return index; + } + + return -EINVAL; +} +EXPORT_SYMBOL(match_string); + +/** + * __sysfs_match_string - matches given string in an array + * @array: array of strings + * @n: number of strings in the array or -1 for NULL terminated arrays + * @str: string to match with + * + * Returns index of @str in the @array or -EINVAL, just like match_string(). + * Uses sysfs_streq instead of strcmp for matching. + * + * This routine will look for a string in an array of strings up to the + * n-th element in the array or until the first NULL element. + * + * Historically the value of -1 for @n, was used to search in arrays that + * are NULL terminated. However, the function does not make a distinction + * when finishing the search: either @n elements have been compared OR + * the first NULL element was found. + */ +int __sysfs_match_string(const char * const *array, size_t n, const char *str) +{ + const char *item; + int index; + + for (index = 0; index < n; index++) { + item = array[index]; + if (!item) + break; + if (sysfs_streq(item, str)) + return index; + } + + return -EINVAL; +} +EXPORT_SYMBOL(__sysfs_match_string); + +/** + * strreplace - Replace all occurrences of character in string. + * @s: The string to operate on. + * @old: The character being replaced. + * @new: The character @old is replaced with. + * + * Returns pointer to the nul byte at the end of @s. 
+ */ +char *strreplace(char *s, char old, char new) +{ + for (; *s; ++s) + if (*s == old) + *s = new; + return s; +} +EXPORT_SYMBOL(strreplace); + +void fortify_panic(const char *name) +{ + pr_emerg("detected buffer overflow in %s\n", name); + BUG(); +} +EXPORT_SYMBOL(fortify_panic);
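Review bot: in the match_string() and __sysfs_match_string() bodies added to lib/string_helpers.c, index is an int but is compared against a size_t n in "for (index = 0; index < n; index++)", and the kernel-doc still tells callers to pass -1 for NULL-terminated arrays. With n == -1 the bound is SIZE_MAX, so the "if (!item) break;" test is the only thing that ends the loop, and index can pass INT_MAX before the bound is reached. Keeping this patch a pure move is reasonable, but a follow-up that makes index a size_t (or states in the kernel-doc that the array must be NULL-terminated when n is -1) would be worth queuing while this code is being touched.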
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Francis Laniel, Rasmus Villemoes, Daniel Micay, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 15/25] fortify: Move remaining fortify helpers into fortify-string.h
Date: Sun, 22 Aug 2021 00:51:12 -0700
Message-Id: <20210822075122.864511-16-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

When commit a28a6e860c6c ("string.h: move fortified functions definitions in a dedicated header.") moved the fortify-specific code, some helpers were left behind. Move the remaining fortify-specific helpers into fortify-string.h so they're together where they're used. This requires that any FORTIFY helper function prototypes be conditionally built to avoid "no prototype" warnings. Additionally removes unused helpers.

Acked-by: Francis Laniel
Signed-off-by: Kees Cook
Reviewed-by: Nick Desaulniers
---
 include/linux/fortify-string.h | 7 +++++++
 include/linux/string.h | 9 ---------
 lib/string_helpers.c | 2 ++
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index c1be37437e77..7e67d02764db 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -2,6 +2,13 @@ #ifndef _LINUX_FORTIFY_STRING_H_ #define _LINUX_FORTIFY_STRING_H_ +#define __FORTIFY_INLINE extern __always_inline __attribute__((gnu_inline)) +#define __RENAME(x) __asm__(#x) + +void fortify_panic(const char *name) __noreturn __cold; +void __read_overflow(void) __compiletime_error("detected read beyond size of object (1st parameter)"); +void __read_overflow2(void) __compiletime_error("detected read beyond size of object (2nd parameter)"); +void __write_overflow(void) __compiletime_error("detected write beyond size of object (1st parameter)"); #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) extern void *__underlying_memchr(const void *p, int c, __kernel_size_t size) __RENAME(memchr); diff --git a/include/linux/string.h b/include/linux/string.h index b48d2d28e0b1..9473f81b9db2 100644
--- a/include/linux/string.h +++ b/include/linux/string.h @@ -249,15 +249,6 @@ static inline const char *kbasename(const char *path) return tail ? tail + 1 : path; } -#define __FORTIFY_INLINE extern __always_inline __attribute__((gnu_inline)) -#define __RENAME(x) __asm__(#x) - -void fortify_panic(const char *name) __noreturn __cold; -void __read_overflow(void) __compiletime_error("detected read beyond size of object passed as 1st parameter"); -void __read_overflow2(void) __compiletime_error("detected read beyond size of object passed as 2nd parameter"); -void __read_overflow3(void) __compiletime_error("detected read beyond size of object passed as 3rd parameter"); -void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter"); - #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE) #include #endif diff --git a/lib/string_helpers.c b/lib/string_helpers.c index e9433caab217..1274f45ffaf4 100644 --- a/lib/string_helpers.c +++ b/lib/string_helpers.c 
@@ -879,9 +879,11 @@ char *strreplace(char *s, char old, char new) } EXPORT_SYMBOL(strreplace); +#ifdef CONFIG_FORTIFY_SOURCE void fortify_panic(const char *name) { pr_emerg("detected buffer overflow in %s\n", name); BUG(); } EXPORT_SYMBOL(fortify_panic); +#endif /* CONFIG_FORTIFY_SOURCE */
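Review bot: the __compiletime_error() strings in the include/linux/fortify-string.h hunk are not moved verbatim. string.h had "detected read beyond size of object passed as 1st parameter" and the added prototypes say "detected read beyond size of object (1st parameter)", a rewording the commit message does not mention. Either keep the original text so the move stays mechanical, or note the new wording in the commit message so anyone matching build logs on the old strings knows to update.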
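Review bot: the guard added around fortify_panic() in the lib/string_helpers.c hunk is "#ifdef CONFIG_FORTIFY_SOURCE", while the string.h context shows fortify-string.h, where the prototype now lives, being included only under "#if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)". If this file is ever built with __NO_FORTIFY defined or without __OPTIMIZE__, the definition is compiled with no prototype in scope, which is the warning the commit message sets out to avoid. Consider using the same three-part condition here, or add a comment saying why CONFIG_FORTIFY_SOURCE alone is sufficient for this translation unit.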
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 16/25] fortify: Explicitly disable Clang support
Date: Sun, 22 Aug 2021 00:51:13 -0700
Message-Id: <20210822075122.864511-17-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

Clang has never correctly compiled the FORTIFY_SOURCE defenses due to a couple bugs:

    Eliding inlines with matching __builtin_* names
    https://bugs.llvm.org/show_bug.cgi?id=50322

    Incorrect __builtin_constant_p() of some globals
    https://bugs.llvm.org/show_bug.cgi?id=41459

In the process of making improvements to the FORTIFY_SOURCE defenses, the first (silent) bug (coincidentally) becomes worked around, but exposes the latter which breaks the build. As such, Clang must not be used with CONFIG_FORTIFY_SOURCE until at least latter bug is fixed (in Clang 13), and the fortify routines have been rearranged. Update the Kconfig to reflect the reality of the current situation.

Signed-off-by: Kees Cook
Acked-by: Nick Desaulniers
---
 security/Kconfig | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/Kconfig b/security/Kconfig index 0ced7fd33e4d..fe6c0395fa02 100644 --- a/security/Kconfig +++ b/security/Kconfig
@@ -191,6 +191,9 @@ config HARDENED_USERCOPY_PAGESPAN config FORTIFY_SOURCE bool "Harden common str/mem functions against buffer overflows" depends on ARCH_HAS_FORTIFY_SOURCE + # https://bugs.llvm.org/show_bug.cgi?id=50322 + # https://bugs.llvm.org/show_bug.cgi?id=41459 + depends on !CC_IS_CLANG help Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes.
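Review bot: the two URL comments above "depends on !CC_IS_CLANG" record why Clang is excluded but not when the exclusion can be lifted. The commit message names two conditions (the latter bug being fixed in Clang 13, and the fortify routines being rearranged) and neither is written down in the Kconfig. Add a one-line comment stating them so the dependency is not left in place indefinitely, and consider a sentence in the help text as well, since a Clang configuration that previously had FORTIFY_SOURCE=y will lose the option without any message.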
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Daniel Axtens, Francis Laniel, Rasmus Villemoes, Daniel Micay, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 17/25] fortify: Fix dropped strcpy() compile-time write overflow check
Date: Sun, 22 Aug 2021 00:51:14 -0700
Message-Id: <20210822075122.864511-18-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

The implementation for intra-object overflow in str*-family functions accidentally dropped compile-time write overflow checking in strcpy(), leaving it entirely to run-time. Add back the intended check.

Fixes: 6a39e62abbaf ("lib: string.h: detect intra-object overflow in fortified string functions")
Cc: Daniel Axtens
Cc: Francis Laniel
Signed-off-by: Kees Cook
Reviewed-by: Nick Desaulniers
---
 include/linux/fortify-string.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index 7e67d02764db..68bc5978d916 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h
@@ -287,7 +287,10 @@ __FORTIFY_INLINE char *strcpy(char *p, const char *q) if (p_size == (size_t)-1 && q_size == (size_t)-1) return __underlying_strcpy(p, q); size = strlen(q) + 1; - /* test here to use the more stringent object size */ + /* Compile-time check for const size overflow. */ + if (__builtin_constant_p(size) && p_size < size) + __write_overflow(); + /* Run-time check for dynamic size overflow. */ if (p_size < size) fortify_panic(__func__); memcpy(p, q, size);
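Review bot: the restored compile-time branch in strcpy(), "if (__builtin_constant_p(size) && p_size < size) __write_overflow();", comes with no test, and the commit message says this same check was already dropped by accident once. A build-time test that expects a strcpy() of an over-long constant string into a fixed-size buffer to fail compilation would keep it from regressing silently again. Separately, the removed comment "test here to use the more stringent object size" explained why the size check is done in this wrapper ahead of the memcpy(); the two replacement comments lose that rationale, so consider keeping it alongside them.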
X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0240.hostedemail.com [216.40.44.240]) by kanga.kvack.org (Postfix) with ESMTP id 5CD6F8D000B for ; Sun, 22 Aug 2021 03:57:01 -0400 (EDT) Received: from smtpin06.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id 10B8B181CC1BC for ; Sun, 22 Aug 2021 07:57:01 +0000 (UTC) X-FDA: 78501960642.06.1610775 Received: from mail-pg1-f177.google.com (mail-pg1-f177.google.com [209.85.215.177]) by imf10.hostedemail.com (Postfix) with ESMTP id C7D13600198A for ; Sun, 22 Aug 2021 07:57:00 +0000 (UTC) Received: by mail-pg1-f177.google.com with SMTP id c17so13653246pgc.0 for ; Sun, 22 Aug 2021 00:57:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=hSMMgZw7/2olmGwk+x9hLUDcbTdJzqluz+oi39a5oaM=; b=IBY/Ab1jTqOxNATsWUpsmSxONXTQq2Ys6gb1+Vyxa8Lpbog138B9bqIQgjgqYQbCAy Au0vGoYwvkwjmd/JfcVLueZEasVH4PU5lYaXM7S83ecygMUinu7K8Zq1MrpNBh3GCN+p l3bxNibyZlNWMuffpyWPrCb1ABH1473Nbupzo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=hSMMgZw7/2olmGwk+x9hLUDcbTdJzqluz+oi39a5oaM=; b=mZDsnVfRhNpU3E28990orJKrbHScQQ0+kKvlwRvVqaYu4TQfCHu18n9Qmw2jAepzFH si9GKUJ3Pdhv6OhsA+O7xGZAXXnf2pEQ1sbmjzE2iIZaoAS6YrJBF1QF44jTOPL6Gq8J Ax9k+k9s9COd5atkjnhj561I0fRDSzChp20DVlh6mrEa96hA6lhAFN2ZpyzPO37HsUI8 w3I5HI1dzZYDxwjdxvNI28KMl2Zre0Qr86RdYlhydzem6B7DiKjRNumZ/8gWpvNHGmgx aAgzXHbhSSc7yzcMFXtb2h7omQULmsT3qJyRY6rJvF95RDdNj3IOz9PS/qK6h8xG8LOP znDw== X-Gm-Message-State: AOAM531yiebVgd73g8Of9vks1D5gPlHEXUcs/Gs0MzBzzT/N80cYQaz6 zsgm7mUnYL4X8DZ2WzETkgqkEA== X-Google-Smtp-Source: ABdhPJyXbJowrE/7sid2FKC9cN6WVRYZytt653/I23EunqSwlP9yMw5BQyJG2TAm9RFSJrZx51VZrw== X-Received: by 
2002:a05:6a00:213c:b0:3e1:c3af:134 with SMTP id n28-20020a056a00213c00b003e1c3af0134mr28070949pfj.5.1629619020040; Sun, 22 Aug 2021 00:57:00 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id s2sm12005635pfw.193.2021.08.22.00.56.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 22 Aug 2021 00:56:57 -0700 (PDT) 
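Review bot: in the strcpy() hunk that closes the preceding patch, the new compile-time test keys on __builtin_constant_p(size), but size is assigned from strlen(q) + 1 just above, so __write_overflow() can only trigger when the compiler folds strlen(q) to a constant. The new comment ("Compile-time check for const size overflow.") does not say that, and the deleted comment ("test here to use the more stringent object size") was the only explanation of why the checks sit after the p_size/q_size early return. Suggest having the comment state that the check depends on a constant-folded strlen(q), and keeping one line on the placement.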
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Francis Laniel, Rasmus Villemoes, Daniel Micay, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 18/25] fortify: Prepare to improve strnlen() and strlen() warnings
Date: Sun, 22 Aug 2021 00:51:15 -0700
Message-Id: <20210822075122.864511-19-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

In order to have strlen() use fortified strnlen() internally, swap their positions in the source. Doing this as part of later changes makes review difficult, so reorder it here; no code changes.

Cc: Francis Laniel
Signed-off-by: Kees Cook
Reviewed-by: Nick Desaulniers
--- include/linux/fortify-string.h | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index 68bc5978d916..a3cb1d9aacce 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -56,6 +56,17 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q) return p; } +extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen); +__FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen) +{ + size_t p_size = __builtin_object_size(p, 1); + __kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); + + if (p_size <= ret && maxlen != ret) + fortify_panic(__func__); + return ret; +} + __FORTIFY_INLINE __kernel_size_t strlen(const char *p) { __kernel_size_t ret;
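Review bot: the strnlen() block added above strlen() in this hunk has no comment recording the ordering dependency, although the file marks such dependencies elsewhere (the strlcpy() context in the next hunk reads "defined after fortified strlen to reuse it"). The commit message gives that dependency as the only reason for the move, so suggest adding the matching comment on strlen() here so the reorder explains itself in the source; in this series it only arrives with 19/25.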
@@ -71,17 +82,6 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p) return ret; } -extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen); -__FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen) -{ - size_t p_size = __builtin_object_size(p, 1); - __kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); - - if (p_size <= ret && maxlen != ret) - fortify_panic(__func__); - return ret; -} - /* defined after fortified strlen to reuse it */ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy); __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
From patchwork Sun Aug 22 07:51:16 2021 X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12451287
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 19/25] fortify: Allow strlen() and strnlen() to pass compile-time known lengths
Date: Sun, 22 Aug 2021 00:51:16 -0700
Message-Id: <20210822075122.864511-20-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

Under CONFIG_FORTIFY_SOURCE, it is possible for the compiler to perform strlen() and strnlen() at compile-time when the string size is known. This is required to support compile-time overflow checking in strlcpy().

Signed-off-by: Kees Cook
--- include/linux/fortify-string.h | 47 ++++++++++++++++++++++++++-------- 1 file changed, 36 insertions(+), 11 deletions(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index a3cb1d9aacce..e232a63fd826 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -10,6 +10,18 @@ void __read_overflow(void) __compiletime_error("detected read beyond size of obj void __read_overflow2(void) __compiletime_error("detected read beyond size of object (2nd parameter)"); void __write_overflow(void) __compiletime_error("detected write beyond size of object (1st parameter)"); +#define __compiletime_strlen(p) ({ \ + size_t ret = (size_t)-1; \ + size_t p_size = __builtin_object_size(p, 1); \ + if (p_size != (size_t)-1) { \ + size_t p_len = p_size - 1; \ + if (__builtin_constant_p(p[p_len]) && \ + p[p_len] == '\0') \ + ret = __builtin_strlen(p); \ + } \ + ret; \ +}) + #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) extern void *__underlying_memchr(const void *p, int c, __kernel_size_t size) __RENAME(memchr); extern int __underlying_memcmp(const void *p, const void *q, __kernel_size_t size) __RENAME(memcmp);
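Review bot: __compiletime_strlen() uses its argument unparenthesized and more than once (p[p_len], __builtin_strlen(p)), and its statement-expression locals are named ret, p_size and p_len, the same names strnlen() declares around the call in the next hunk. An argument expression that mentions one of those names would silently bind to the macro's local instead of the caller's, and p[p_len] misparses for an argument such as buf + 1. Suggest copying the argument into a prefixed local first (for example const char *__p = (p);) and prefixing the other locals. Also, p_size - 1 wraps when __builtin_object_size() returns 0, so a p_size != 0 guard next to the (size_t)-1 test would be safer.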
@@ -60,21 +72,31 @@ extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(st __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen) { size_t p_size = __builtin_object_size(p, 1); - __kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); + size_t p_len = __compiletime_strlen(p); + size_t ret; + + /* We can take compile-time actions when maxlen is const. */ + if (__builtin_constant_p(maxlen) && p_len != (size_t)-1) { + /* If p is const, we can use its compile-time-known len. */ + if (maxlen >= p_size) + return p_len; + } + /* Do no check characters beyond the end of p. */ + ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); if (p_size <= ret && maxlen != ret) fortify_panic(__func__); return ret; } +/* defined after fortified strnlen to reuse it. */ __FORTIFY_INLINE __kernel_size_t strlen(const char *p) { __kernel_size_t ret; size_t p_size = __builtin_object_size(p, 1); - /* Work around gcc excess stack consumption issue */ - if (p_size == (size_t)-1 || - (__builtin_constant_p(p[p_size - 1]) && p[p_size - 1] == '\0')) + /* Give up if we don't know how large p is. */ + if (p_size == (size_t)-1) return __underlying_strlen(p); ret = strnlen(p, p_size); if (p_size <= ret) 
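Review bot: the strlen() part of this hunk deletes the branch commented "Work around gcc excess stack consumption issue", and the commit message does not say why that workaround is no longer needed or how the new path avoids the problem. Constant strings now reach strnlen(p, p_size) and rely on the new early return there, so suggest a sentence in the commit message (or a comment) covering the gcc case. Two smaller points in strnlen(): the inner test is maxlen >= p_size, so a constant maxlen that is below p_size but above p_len still takes the run-time path, and the new comment "Do no check characters beyond the end of p." should read "Do not".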
@@ -86,24 +108,27 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p) extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy); __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) { - size_t ret; size_t p_size = __builtin_object_size(p, 1); size_t q_size = __builtin_object_size(q, 1); + size_t q_len; /* Full count of source string length. */ + size_t len; /* Count of characters going into destination. */ if (p_size == (size_t)-1 && q_size == (size_t)-1) return __real_strlcpy(p, q, size); - ret = strlen(q); - if (size) { - size_t len = (ret >= size) ? size - 1 : ret; - - if (__builtin_constant_p(len) && len >= p_size) + q_len = strlen(q); + len = (q_len >= size) ? size - 1 : q_len; + if (__builtin_constant_p(size) && __builtin_constant_p(q_len) && size) { + /* Write size is always larger than destintation. */ + if (len >= p_size) __write_overflow(); + } + if (size) { if (len >= p_size) fortify_panic(__func__); __underlying_memcpy(p, q, len); p[len] = '\0'; } - return ret; + return q_len; } /* defined after fortified strnlen to reuse it */
From patchwork Sun Aug 22 07:51:17 2021 X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12451285
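Review bot: in the strlcpy() hunk, len = (q_len >= size) ? size - 1 : q_len; is now evaluated before any test of size, so with size == 0 it wraps to the maximum size_t value. The result is unused in that case only because both following blocks also test size (the compile-time one as the last operand of its && chain). Suggest keeping the assignment inside the if (size) block or commenting the invariant, so that a later edit dropping one of the guards does not turn the wrapped len into a false __write_overflow() or a fortify_panic(). The added comment also has a typo: "destintation".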
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 20/25] fortify: Add compile-time FORTIFY_SOURCE tests
Date: Sun, 22 Aug 2021 00:51:17 -0700
Message-Id: <20210822075122.864511-21-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

While the run-time testing of FORTIFY_SOURCE is already present in LKDTM, there is no testing of the expected compile-time detections. In preparation for correctly supporting FORTIFY_SOURCE under Clang, adding additional FORTIFY_SOURCE defenses, and making sure FORTIFY_SOURCE doesn't silently regress with GCC, introduce a build-time test suite that checks each expected compile-time failure condition.

As this is relatively backwards from standard build rules in the sense that a successful test is actually a compile _failure_, create a wrapper script to check for the correct errors, and wire it up as a dummy dependency to lib/string.o, collecting the results into a log file artifact.

Signed-off-by: Kees Cook --- lib/.gitignore | 2 + lib/Makefile | 33 +++++++++++ lib/test_fortify/read_overflow-memchr.c | 5 ++ lib/test_fortify/read_overflow-memchr_inv.c | 5 ++ lib/test_fortify/read_overflow-memcmp.c | 5 ++ lib/test_fortify/read_overflow-memscan.c | 5 ++ lib/test_fortify/read_overflow2-memcmp.c | 5 ++ lib/test_fortify/read_overflow2-memcpy.c | 5 ++ lib/test_fortify/read_overflow2-memmove.c | 5 ++ lib/test_fortify/test_fortify.h | 35 +++++++++++ lib/test_fortify/write_overflow-memcpy.c | 5 ++ lib/test_fortify/write_overflow-memmove.c | 5 ++ lib/test_fortify/write_overflow-memset.c | 5 ++ lib/test_fortify/write_overflow-strcpy-lit.c | 5 ++ lib/test_fortify/write_overflow-strcpy.c | 5 ++ lib/test_fortify/write_overflow-strlcpy-src.c | 5 ++ lib/test_fortify/write_overflow-strlcpy.c | 5 ++ lib/test_fortify/write_overflow-strncpy-src.c | 5 ++ lib/test_fortify/write_overflow-strncpy.c | 5 ++ lib/test_fortify/write_overflow-strscpy.c | 5 ++ scripts/test_fortify.sh | 59 +++++++++++++++++++ 21 files changed, 214 insertions(+) create mode 100644 lib/test_fortify/read_overflow-memchr.c create mode 100644 lib/test_fortify/read_overflow-memchr_inv.c create mode 100644 lib/test_fortify/read_overflow-memcmp.c create mode 100644 lib/test_fortify/read_overflow-memscan.c create mode 100644 lib/test_fortify/read_overflow2-memcmp.c create mode 100644 lib/test_fortify/read_overflow2-memcpy.c create mode 100644 lib/test_fortify/read_overflow2-memmove.c create mode 100644 lib/test_fortify/test_fortify.h create mode 100644 lib/test_fortify/write_overflow-memcpy.c create mode 100644 lib/test_fortify/write_overflow-memmove.c create mode 100644 lib/test_fortify/write_overflow-memset.c create mode 100644 lib/test_fortify/write_overflow-strcpy-lit.c create mode 100644 lib/test_fortify/write_overflow-strcpy.c create mode 100644 lib/test_fortify/write_overflow-strlcpy-src.c create mode 100644 lib/test_fortify/write_overflow-strlcpy.c create mode 100644 
lib/test_fortify/write_overflow-strncpy-src.c create mode 100644 lib/test_fortify/write_overflow-strncpy.c create mode 100644 lib/test_fortify/write_overflow-strscpy.c create mode 100644 scripts/test_fortify.sh diff --git a/lib/.gitignore b/lib/.gitignore index 5e7fa54c4536..e5e217b8307b 100644 --- a/lib/.gitignore +++ b/lib/.gitignore @@ -4,3 +4,5 @@ /gen_crc32table /gen_crc64table /oid_registry_data.c +/test_fortify.log +/test_fortify/*.log diff --git a/lib/Makefile b/lib/Makefile index 5efd1b435a37..bd17c2bf43e1 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -360,3 +360,36 @@ obj-$(CONFIG_CMDLINE_KUNIT_TEST) += cmdline_kunit.o obj-$(CONFIG_SLUB_KUNIT_TEST) += slub_kunit.o obj-$(CONFIG_GENERIC_LIB_DEVMEM_IS_ALLOWED) += devmem_is_allowed.o + +# FORTIFY_SOURCE compile-time behavior tests +TEST_FORTIFY_SRCS = $(wildcard $(srctree)/$(src)/test_fortify/*-*.c) +TEST_FORTIFY_LOGS = $(patsubst $(srctree)/$(src)/%.c, %.log, $(TEST_FORTIFY_SRCS)) +TEST_FORTIFY_LOG = test_fortify.log + +quiet_cmd_test_fortify = TEST $@ + cmd_test_fortify = $(CONFIG_SHELL) $(srctree)/scripts/test_fortify.sh \ + $< $@ "$(NM)" $(CC) $(c_flags) \ + $(call cc-disable-warning,fortify-source) + +targets += $(TEST_FORTIFY_LOGS) +clean-files += $(TEST_FORTIFY_LOGS) +clean-files += $(addsuffix .o, $(TEST_FORTIFY_LOGS)) +$(obj)/test_fortify/%.log: $(src)/test_fortify/%.c \ + $(src)/test_fortify/test_fortify.h \ + $(srctree)/include/linux/fortify-string.h \ + $(srctree)/scripts/test_fortify.sh \ + FORCE + $(call if_changed,test_fortify) + +quiet_cmd_gen_fortify_log = GEN $@ + cmd_gen_fortify_log = cat /dev/null > $@ || true + +targets += $(TEST_FORTIFY_LOG) +clean-files += $(TEST_FORTIFY_LOG) +$(obj)/$(TEST_FORTIFY_LOG): $(addprefix $(obj)/, $(TEST_FORTIFY_LOGS)) FORCE + $(call if_changed,gen_fortify_log) + +# Fake dependency to trigger the fortify tests. +ifeq ($(CONFIG_FORTIFY_SOURCE),y) +$(obj)/string.o: $(obj)/$(TEST_FORTIFY_LOG) +endif 
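Review bot: in the lib/Makefile hunk, cmd_gen_fortify_log is cat /dev/null > $@ || true, so test_fortify.log is always written empty and the per-test logs in TEST_FORTIFY_LOGS serve only as prerequisites, never copied in. The commit message describes "collecting the results into a log file artifact"; suggest concatenating the prerequisite logs into $@, or rewording the commit message if an empty stamp file is what is intended.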
diff --git a/lib/test_fortify/read_overflow-memchr.c b/lib/test_fortify/read_overflow-memchr.c new file mode 100644 index 000000000000..2743084b32af --- /dev/null +++ b/lib/test_fortify/read_overflow-memchr.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + memchr(small, 0x7A, sizeof(small) + 1) + +#include "test_fortify.h" diff --git a/lib/test_fortify/read_overflow-memchr_inv.c b/lib/test_fortify/read_overflow-memchr_inv.c new file mode 100644 index 000000000000..b26e1f1bc217 --- /dev/null +++ b/lib/test_fortify/read_overflow-memchr_inv.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + memchr_inv(small, 0x7A, sizeof(small) + 1) + +#include "test_fortify.h" diff --git a/lib/test_fortify/read_overflow-memcmp.c b/lib/test_fortify/read_overflow-memcmp.c new file mode 100644 index 000000000000..d5d301ff64ef --- /dev/null +++ b/lib/test_fortify/read_overflow-memcmp.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + memcmp(small, large, sizeof(small) + 1) + +#include "test_fortify.h" diff --git a/lib/test_fortify/read_overflow-memscan.c b/lib/test_fortify/read_overflow-memscan.c new file mode 100644 index 000000000000..c1a97f2df0f0 --- /dev/null +++ b/lib/test_fortify/read_overflow-memscan.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + memscan(small, 0x7A, sizeof(small) + 1) + +#include "test_fortify.h" diff --git a/lib/test_fortify/read_overflow2-memcmp.c b/lib/test_fortify/read_overflow2-memcmp.c new file mode 100644 index 000000000000..c6091e640f76 --- /dev/null +++ b/lib/test_fortify/read_overflow2-memcmp.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + memcmp(large, small, sizeof(small) + 1) + +#include "test_fortify.h" diff --git a/lib/test_fortify/read_overflow2-memcpy.c b/lib/test_fortify/read_overflow2-memcpy.c new file mode 100644 index 000000000000..07b62e56cf16 --- /dev/null 
+++ b/lib/test_fortify/read_overflow2-memcpy.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + memcpy(large, instance.buf, sizeof(large)) + +#include "test_fortify.h" diff --git a/lib/test_fortify/read_overflow2-memmove.c b/lib/test_fortify/read_overflow2-memmove.c new file mode 100644 index 000000000000..34edfab040a3 --- /dev/null +++ b/lib/test_fortify/read_overflow2-memmove.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + memmove(large, instance.buf, sizeof(large)) + +#include "test_fortify.h" diff --git a/lib/test_fortify/test_fortify.h b/lib/test_fortify/test_fortify.h new file mode 100644 index 000000000000..d22664fff197 --- /dev/null +++ b/lib/test_fortify/test_fortify.h @@ -0,0 +1,35 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#include +#include +#include +#include + +void do_fortify_tests(void); + +#define __BUF_SMALL 16 +#define __BUF_LARGE 32 +struct fortify_object { + int a; + char buf[__BUF_SMALL]; + int c; +}; + +#define LITERAL_SMALL "AAAAAAAAAAAAAAA" +#define LITERAL_LARGE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +const char small_src[__BUF_SMALL] = LITERAL_SMALL; +const char large_src[__BUF_LARGE] = LITERAL_LARGE; + +char small[__BUF_SMALL]; +char large[__BUF_LARGE]; +struct fortify_object instance; +size_t size; + +void do_fortify_tests(void) +{ + /* Normal initializations. */ + memset(&instance, 0x32, sizeof(instance)); + memset(small, 0xA5, sizeof(small)); + memset(large, 0x5A, sizeof(large)); + + TEST; +} diff --git a/lib/test_fortify/write_overflow-memcpy.c b/lib/test_fortify/write_overflow-memcpy.c new file mode 100644 index 000000000000..3b3984e428fb --- /dev/null +++ b/lib/test_fortify/write_overflow-memcpy.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + memcpy(instance.buf, large_src, sizeof(large_src)) + +#include "test_fortify.h" 
diff --git a/lib/test_fortify/write_overflow-memmove.c b/lib/test_fortify/write_overflow-memmove.c new file mode 100644 index 000000000000..640437c3b3e0 --- /dev/null +++ b/lib/test_fortify/write_overflow-memmove.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + memmove(instance.buf, large_src, sizeof(large_src)) + +#include "test_fortify.h" diff --git a/lib/test_fortify/write_overflow-memset.c b/lib/test_fortify/write_overflow-memset.c new file mode 100644 index 000000000000..36e34908cfb3 --- /dev/null +++ b/lib/test_fortify/write_overflow-memset.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + memset(instance.buf, 0x5A, sizeof(large_src)) + +#include "test_fortify.h" diff --git a/lib/test_fortify/write_overflow-strcpy-lit.c b/lib/test_fortify/write_overflow-strcpy-lit.c new file mode 100644 index 000000000000..51effb3e50f9 --- /dev/null +++ b/lib/test_fortify/write_overflow-strcpy-lit.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + strcpy(small, LITERAL_LARGE) + +#include "test_fortify.h" diff --git a/lib/test_fortify/write_overflow-strcpy.c b/lib/test_fortify/write_overflow-strcpy.c new file mode 100644 index 000000000000..84f1c56a64c8 --- /dev/null +++ b/lib/test_fortify/write_overflow-strcpy.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + strcpy(small, large_src) + +#include "test_fortify.h" diff --git a/lib/test_fortify/write_overflow-strlcpy-src.c b/lib/test_fortify/write_overflow-strlcpy-src.c new file mode 100644 index 000000000000..91bf83ebd34a --- /dev/null +++ b/lib/test_fortify/write_overflow-strlcpy-src.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + strlcpy(small, large_src, sizeof(small) + 1) + +#include "test_fortify.h" diff --git a/lib/test_fortify/write_overflow-strlcpy.c b/lib/test_fortify/write_overflow-strlcpy.c new file mode 100644 index 000000000000..1883db7c0cd6 --- /dev/null 
+++ b/lib/test_fortify/write_overflow-strlcpy.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + strlcpy(instance.buf, large_src, sizeof(instance.buf) + 1) + +#include "test_fortify.h" diff --git a/lib/test_fortify/write_overflow-strncpy-src.c b/lib/test_fortify/write_overflow-strncpy-src.c new file mode 100644 index 000000000000..8dcfb8c788dd --- /dev/null +++ b/lib/test_fortify/write_overflow-strncpy-src.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + strncpy(small, large_src, sizeof(small) + 1) + +#include "test_fortify.h" diff --git a/lib/test_fortify/write_overflow-strncpy.c b/lib/test_fortify/write_overflow-strncpy.c new file mode 100644 index 000000000000..b85f079c815d --- /dev/null +++ b/lib/test_fortify/write_overflow-strncpy.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + strncpy(instance.buf, large_src, sizeof(instance.buf) + 1) + +#include "test_fortify.h" diff --git a/lib/test_fortify/write_overflow-strscpy.c b/lib/test_fortify/write_overflow-strscpy.c new file mode 100644 index 000000000000..38feddf377dc --- /dev/null +++ b/lib/test_fortify/write_overflow-strscpy.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0-only +#define TEST \ + strscpy(instance.buf, large_src, sizeof(instance.buf) + 1) + +#include "test_fortify.h" diff --git a/scripts/test_fortify.sh b/scripts/test_fortify.sh new file mode 100644 index 000000000000..622c7a0b15e5 --- /dev/null +++ b/scripts/test_fortify.sh 
@@ -0,0 +1,59 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-only +set -e + +# Argument 1: Source file to build. +IN="$1" +shift +# Extract just the filename for error messages below. +FILE="${IN##*/}" +# Extract the function name for error messages below. +FUNC="${FILE#*-}" +FUNC="${FUNC%%-*}" +FUNC="${FUNC%%.*}" +# Extract the symbol to test for in build/symbol test below. +WANT="__${FILE%%-*}" + +# Argument 2: Where to write the build log. +OUT="$1" +shift +TMP="${OUT}.tmp" + +# Argument 3: Path to "nm" tool. +NM="$1" +shift + +# Remaining arguments are: $(CC) $(c_flags) + +# Clean up temporary file at exit. +__cleanup() { + rm -f "$TMP" +} +trap __cleanup EXIT + +status= +# Attempt to build a source that is expected to fail with a specific warning. +if "$@" -Werror -c "$IN" -o "$OUT".o 2> "$TMP" ; then + # If the build succeeds, either the test has failed or the + # warning may only happen at link time (Clang). In that case, + # make sure the expected symbol is unresolved in the symbol list. + # If so, FORTIFY is working for this case. + if ! $NM -A "$OUT".o | grep -m1 "\bU ${WANT}$" >>"$TMP" ; then + status="warning: unsafe ${FUNC}() usage lacked '$WANT' symbol in $IN" + fi +else + # If the build failed, check for the warning in the stderr (gcc). + if ! grep -q -m1 "error:.*\b${WANT}'" "$TMP" ; then + status="warning: unsafe ${FUNC}() usage lacked '$WANT' warning in $IN" + fi +fi + +if [ -n "$status" ]; then + # Report on failure results, including compilation warnings. + echo "$status" | tee "$OUT" >&2 + cat "$TMP" | tee -a "$OUT" >&2 +else + # Report on good results, and save any compilation output to log. 
+ echo "ok: unsafe ${FUNC}() usage correctly detected with '$WANT' in $IN" >"$OUT" + cat "$TMP" >>"$OUT" +fi
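Review bot: in scripts/test_fortify.sh, the gcc branch's check grep -q -m1 "error:.*\b${WANT}'" "$TMP" depends on the compiler closing the symbol name with an ASCII apostrophe. GCC takes its quote characters from the locale, so under a UTF-8 locale the diagnostic can carry typographic quotes and this branch would report "lacked ... warning" for a test that actually fired. Run the compiler with LC_ALL=C or match the quote character with "." instead. Smaller points in the same hunk: $NM is the only unquoted expansion in the script, and "$OUT".o is written on every successful compile but __cleanup only removes "$TMP".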
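Review bot: write_overflow-strlcpy-src.c and write_overflow-strncpy-src.c differ from their non -src siblings only in writing to small instead of instance.buf, and nothing in these five-line files says what the -src suffix is meant to distinguish. Both variants pass sizeof(destination) + 1, so as written they read as two destination-overflow tests. A one-line comment above each TEST stating the intended case would make a later failure much easier to interpret.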
From patchwork Sun Aug 22 07:51:18 2021
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12451279
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 21/25] lib: Introduce CONFIG_TEST_MEMCPY
Date: Sun, 22 Aug 2021 00:51:18 -0700
Message-Id: <20210822075122.864511-22-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

Before changing anything about memcpy(), memmove(), and memset(), add run-time tests to check basic behaviors for any regressions.

Signed-off-by: Kees Cook
--- MAINTAINERS | 9 ++ lib/Kconfig.debug | 11 ++ lib/Makefile | 1 + lib/test_memcpy.c | 265 ++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 286 insertions(+) create mode 100644 lib/test_memcpy.c diff --git a/MAINTAINERS b/MAINTAINERS index 6c8be735cc91..e3ffd4bdc24f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -7248,6 +7248,15 @@ L: netdev@vger.kernel.org S: Maintained F: drivers/net/ethernet/nvidia/* +FORTIFY_SOURCE +M: Kees Cook +L: linux-hardening@vger.kernel.org +S: Supported +F: include/linux/fortify-string.h +F: lib/test_fortify/* +F: scripts/test_fortify.sh +K: \b__NO_FORTIFY\b + FPGA DFL DRIVERS M: Wu Hao R: Tom Rix diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index 831212722924..9199be57ba2a 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -2467,6 +2467,17 @@ config RATIONAL_KUNIT_TEST If unsure, say N. +config MEMCPY_KUNIT_TEST + tristate "Test memcpy(), memmove(), and memset() functions at runtime" if !KUNIT_ALL_TESTS + depends on KUNIT + default KUNIT_ALL_TESTS + help + Builds unit tests for memcpy(), memmove(), and memset() functions. + For more information on KUnit and unit tests in general please refer + to the KUnit documentation in Documentation/dev-tools/kunit/. + + If unsure, say N. + config TEST_UDELAY tristate "udelay test driver" help diff --git a/lib/Makefile b/lib/Makefile index bd17c2bf43e1..8a4c8bdb38a2 100644 --- a/lib/Makefile +++ b/lib/Makefile 
@@ -77,6 +77,7 @@ obj-$(CONFIG_TEST_MIN_HEAP) += test_min_heap.o obj-$(CONFIG_TEST_LKM) += test_module.o obj-$(CONFIG_TEST_VMALLOC) += test_vmalloc.o obj-$(CONFIG_TEST_OVERFLOW) += test_overflow.o +obj-$(CONFIG_TEST_MEMCPY) += test_memcpy.o obj-$(CONFIG_TEST_RHASHTABLE) += test_rhashtable.o obj-$(CONFIG_TEST_SORT) += test_sort.o obj-$(CONFIG_TEST_USER_COPY) += test_user_copy.o diff --git a/lib/test_memcpy.c b/lib/test_memcpy.c new file mode 100644 index 000000000000..ec546cec883e --- /dev/null +++ b/lib/test_memcpy.c 
@@ -0,0 +1,265 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Test cases for memcpy(), memmove(), and memset(). + */ +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +struct some_bytes { + union { + u8 data[32]; + struct { + u32 one; + u16 two; + u8 three; + /* 1 byte hole */ + u32 four[4]; + }; + }; +}; + +#define check(instance, v) do { \ + int i; \ + BUILD_BUG_ON(sizeof(instance.data) != 32); \ + for (i = 0; i < sizeof(instance.data); i++) { \ + KUNIT_ASSERT_EQ_MSG(test, instance.data[i], v, \ + "line %d: '%s' not initialized to 0x%02x @ %d (saw 0x%02x)\n", \ + __LINE__, #instance, v, i, instance.data[i]); \ + } \ +} while (0) + +#define compare(name, one, two) do { \ + int i; \ + BUILD_BUG_ON(sizeof(one) != sizeof(two)); \ + for (i = 0; i < sizeof(one); i++) { \ + KUNIT_EXPECT_EQ_MSG(test, one.data[i], two.data[i], \ + "line %d: %s.data[%d] (0x%02x) != %s.data[%d] (0x%02x)\n", \ + __LINE__, #one, i, one.data[i], #two, i, two.data[i]); \ + } \ + kunit_info(test, "ok: " TEST_OP "() " name "\n"); \ +} while (0) + +static void memcpy_test(struct kunit *test) +{ +#define TEST_OP "memcpy" + struct some_bytes control = { + .data = { 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + }, + }; + struct some_bytes zero = { }; + struct some_bytes middle = { + .data = { 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + }, + }; + struct some_bytes three = { + .data = { 0x00, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x00, 0x00, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + }, + }; + struct 
some_bytes dest = { }; + int count; + u8 *ptr; + + /* Verify static initializers. */ + check(control, 0x20); + check(zero, 0); + compare("static initializers", dest, zero); + + /* Verify assignment. */ + dest = control; + compare("direct assignment", dest, control); + + /* Verify complete overwrite. */ + memcpy(dest.data, zero.data, sizeof(dest.data)); + compare("complete overwrite", dest, zero); + + /* Verify middle overwrite. */ + dest = control; + memcpy(dest.data + 12, zero.data, 7); + compare("middle overwrite", dest, middle); + + /* Verify argument side-effects aren't repeated. */ + dest = control; + ptr = dest.data; + count = 1; + memcpy(ptr++, zero.data, count++); + ptr += 8; + memcpy(ptr++, zero.data, count++); + compare("argument side-effects", dest, three); +#undef TEST_OP +} + +static void memmove_test(struct kunit *test) +{ +#define TEST_OP "memmove" + struct some_bytes control = { + .data = { 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, + 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, + 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, + 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, + }, + }; + struct some_bytes zero = { }; + struct some_bytes middle = { + .data = { 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, + 0x99, 0x99, 0x99, 0x99, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x99, 0x99, 0x99, 0x99, 0x99, + 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, + }, + }; + struct some_bytes five = { + .data = { 0x00, 0x00, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, + 0x99, 0x99, 0x00, 0x00, 0x00, 0x99, 0x99, 0x99, + 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, + 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, + }, + }; + struct some_bytes overlap = { + .data = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, + 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, + 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, + }, + }; + struct some_bytes overlap_expected = { + .data = { 0x00, 0x01, 0x00, 0x01, 0x02, 
0x03, 0x04, 0x07, + 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, + 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, + 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, + }, + }; + struct some_bytes dest = { }; + int count; + u8 *ptr; + + /* Verify static initializers. */ + check(control, 0x99); + check(zero, 0); + compare("static initializers", zero, dest); + + /* Verify assignment. */ + dest = control; + compare("direct assignment", dest, control); + + /* Verify complete overwrite. */ + memmove(dest.data, zero.data, sizeof(dest.data)); + compare("complete overwrite", dest, zero); + + /* Verify middle overwrite. */ + dest = control; + memmove(dest.data + 12, zero.data, 7); + compare("middle overwrite", dest, middle); + + /* Verify argument side-effects aren't repeated. */ + dest = control; + ptr = dest.data; + count = 2; + memmove(ptr++, zero.data, count++); + ptr += 9; + memmove(ptr++, zero.data, count++); + compare("argument side-effects", dest, five); + + /* Verify overlapping overwrite is correct. 
*/ + ptr = &overlap.data[2]; + memmove(ptr, overlap.data, 5); + compare("overlapping write", overlap, overlap_expected); +#undef TEST_OP +} + +static void memset_test(struct kunit *test) +{ +#define TEST_OP "memset" + struct some_bytes control = { + .data = { 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, + }, + }; + struct some_bytes complete = { + .data = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + }, + }; + struct some_bytes middle = { + .data = { 0x30, 0x30, 0x30, 0x30, 0x31, 0x31, 0x31, 0x31, + 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, + 0x31, 0x31, 0x31, 0x31, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, + }, + }; + struct some_bytes three = { + .data = { 0x60, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x61, 0x61, 0x30, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, + }, + }; + struct some_bytes dest = { }; + int count, value; + u8 *ptr; + + /* Verify static initializers. */ + check(control, 0x30); + check(dest, 0); + + /* Verify assignment. */ + dest = control; + compare("direct assignment", dest, control); + + /* Verify complete overwrite. */ + memset(dest.data, 0xff, sizeof(dest.data)); + compare("complete overwrite", dest, complete); + + /* Verify middle overwrite. */ + dest = control; + memset(dest.data + 4, 0x31, 16); + compare("middle overwrite", dest, middle); + + /* Verify argument side-effects aren't repeated. 
*/ + dest = control; + ptr = dest.data; + value = 0x60; + count = 1; + memset(ptr++, value++, count++); + ptr += 8; + memset(ptr++, value++, count++); + compare("argument side-effects", dest, three); +#undef TEST_OP +} + +static struct kunit_case memcpy_test_cases[] = { + KUNIT_CASE(memset_test), + KUNIT_CASE(memcpy_test), + KUNIT_CASE(memmove_test), + {} +}; + +static struct kunit_suite memcpy_test_suite = { + .name = "memcpy-test", + .test_cases = memcpy_test_cases, +}; + +kunit_test_suite(memcpy_test_suite); + +MODULE_LICENSE("GPL");
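Review bot: the MAINTAINERS hunk of patch 21/25 adds a FORTIFY_SOURCE entry whose F: lines cover include/linux/fortify-string.h, lib/test_fortify/* and scripts/test_fortify.sh, none of which this commit touches, while the new lib/test_memcpy.c gets no entry at all. The commit message only talks about run-time tests for memcpy(), memmove() and memset(), so either move the entry to the patch that adds the fortify tests or add an F: line for lib/test_memcpy.c and mention the MAINTAINERS change in the log.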
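Review bot: the lib/Makefile hunk of patch 21/25 builds test_memcpy.o under obj-$(CONFIG_TEST_MEMCPY), but the lib/Kconfig.debug hunk in the same patch defines "config MEMCPY_KUNIT_TEST", so nothing here ever sets CONFIG_TEST_MEMCPY and the new test is never compiled. Use obj-$(CONFIG_MEMCPY_KUNIT_TEST) += test_memcpy.o, and bring the subject line in step with the symbol, since it still says CONFIG_TEST_MEMCPY.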
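Review bot: in lib/test_memcpy.c the compare() macro ends with an unconditional kunit_info(test, "ok: " TEST_OP "() " name "\n"), while the byte checks above it use KUNIT_EXPECT_EQ_MSG, which records a failure and keeps going, so the log prints "ok" for a comparison that has just failed. Keep a local mismatch flag inside the loop and emit the ok line only when it stays clear. In both check() and compare(), "int i" is compared against a sizeof() value; size_t avoids the signed/unsigned comparison.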
From patchwork Sun Aug 22 07:51:19 2021
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12451277
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 22/25] string.h: Introduce memset_after() for wiping trailing members/padding
Date: Sun, 22 Aug 2021 00:51:19 -0700
Message-Id: <20210822075122.864511-23-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

A common idiom in kernel code is to wipe the contents of a structure after a given member. This is especially useful in places where there is trailing padding. These open-coded cases are usually difficult to read and very sensitive to struct layout changes. Introduce a new helper, memset_after() that takes the target struct instance, the byte to write, and the member name after which the zeroing should start. Additionally adds memset_startat() for wiping trailing members _starting_ at a specific member instead of after a member, which is more readable in certain circumstances, but doesn't include any preceding padding.

Signed-off-by: Kees Cook
--- include/linux/string.h | 17 +++++++++++++++++ lib/test_memcpy.c | 13 +++++++++++++ 2 files changed, 30 insertions(+) diff --git a/include/linux/string.h b/include/linux/string.h index 9473f81b9db2..d593de2635ba 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -271,6 +271,23 @@ static inline void memcpy_and_pad(void *dest, size_t dest_len, memcpy(dest, src, dest_len); } +/** + * memset_after - Set a value after a struct member to the end of a struct + * + * @obj: Address of target struct instance + * @v: Byte value to repeatedly write + * @member: after which struct member to start writing bytes + * + * This is good for clearing padding following the given member. + */ +#define memset_after(obj, v, member) \ +({ \ + u8 *__ptr = (u8 *)(obj); \ + typeof(v) __val = (v); \ + memset(__ptr + offsetofend(typeof(*(obj)), member), __val, \ + sizeof(*(obj)) - offsetofend(typeof(*(obj)), member)); \ +}) + /** * str_has_prefix - Test if a string has a given prefix * @str: The string to test 
diff --git a/lib/test_memcpy.c b/lib/test_memcpy.c index ec546cec883e..3b485de8c885 100644 --- a/lib/test_memcpy.c +++ b/lib/test_memcpy.c @@ -215,6 +215,13 @@ static void memset_test(struct kunit *test) 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, }, }; + struct some_bytes after = { + .data = { 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x72, + 0x72, 0x72, 0x72, 0x72, 0x72, 0x72, 0x72, 0x72, + 0x72, 0x72, 0x72, 0x72, 0x72, 0x72, 0x72, 0x72, + 0x72, 0x72, 0x72, 0x72, 0x72, 0x72, 0x72, 0x72, + }, + }; struct some_bytes dest = { }; int count, value; u8 *ptr; 
@@ -245,6 +252,12 @@ static void memset_test(struct kunit *test) ptr += 8; memset(ptr++, value++, count++); compare("argument side-effects", dest, three); + + /* Verify memset_after() */ + dest = control; + memset_after(&dest, 0x72, three); + compare("memset_after()", dest, after); + #undef TEST_OP }
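Review bot: the include/linux/string.h hunk of patch 22/25 defines only memset_after(), yet the commit message says the change also adds memset_startat(); the 17 added lines in the diffstat are fully accounted for by the one macro and its kernel-doc. Either add memset_startat() here with its own kernel-doc and a test case, or drop that sentence from the log so the history does not point at a helper this commit never introduced.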
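Review bot: the memset_after() case added to memset_test() in patch 22/25 only exercises "three", the member followed by the 1 byte hole, so an error in the length computation at the far end of the object would go unnoticed. A second case on the last named member, four, with its expected bytes spelled out the same way as "after", would cover the boundary where only the tail of the 32-byte union is written.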
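The distinction the 22/25 commit message draws between memset_after() and memset_startat(), as an added userspace example that is not part of the patch. memset_after() follows the string.h hunk with unsigned char in place of u8; the memset_startat() body, struct record (the named members of the test's struct some_bytes) and the FILL/WIPE bytes are assumptions, since the page does not show memset_startat()'s definition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel's offsetofend(): first byte past MEMBER. */
#define offsetofend(TYPE, MEMBER) \
	(offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

/* Follows the macro in the string.h hunk, with unsigned char in place of u8. */
#define memset_after(obj, v, member) \
	memset((unsigned char *)(obj) + offsetofend(__typeof__(*(obj)), member), (v), \
	       sizeof(*(obj)) - offsetofend(__typeof__(*(obj)), member))

/*
 * ASSUMED body: the commit message describes memset_startat() but the page
 * never shows it. This version starts at the member itself, so padding in
 * front of that member is left untouched, as the message says.
 */
#define memset_startat(obj, v, member) \
	memset((unsigned char *)(obj) + offsetof(__typeof__(*(obj)), member), (v), \
	       sizeof(*(obj)) - offsetof(__typeof__(*(obj)), member))

/* Constructed layout: the named members of struct some_bytes from the test. */
struct record {
	uint32_t one;      /* offset 0 */
	uint16_t two;      /* offset 4 */
	uint8_t  three;    /* offset 6 */
	/* 1 byte hole at offset 7 */
	uint32_t four[4];  /* offsets 8..23 */
};

_Static_assert(offsetof(struct record, four) == 8, "expected a hole at offset 7");
_Static_assert(sizeof(struct record) == 24, "unexpected struct size");

#define FILL 0x30  /* stands in for stale data already in the object */
#define WIPE 0x72  /* byte written by the helpers */

struct wipe_result {
	int first;  /* offset of the first wiped byte, -1 if none */
	int count;  /* number of wiped bytes */
};

/* Inspect the raw object representation, padding included. */
static struct wipe_result scan(const struct record *r)
{
	const unsigned char *p = (const unsigned char *)r;
	struct wipe_result res = { -1, 0 };

	for (size_t i = 0; i < sizeof(*r); i++) {
		if (p[i] != WIPE)
			continue;
		if (res.first < 0)
			res.first = (int)i;
		res.count++;
	}
	return res;
}

/* Wipe everything after 'three': the hole at offset 7 is covered. */
struct wipe_result wipe_after_three(void)
{
	struct record r;

	memset(&r, FILL, sizeof(r));
	memset_after(&r, WIPE, three);
	return scan(&r);
}

/* Wipe starting at 'four': the hole at offset 7 keeps its stale byte. */
struct wipe_result wipe_startat_four(void)
{
	struct record r;

	memset(&r, FILL, sizeof(r));
	memset_startat(&r, WIPE, four);
	return scan(&r);
}

int main(void)
{
	struct wipe_result a = wipe_after_three();
	struct wipe_result s = wipe_startat_four();

	printf("memset_after(three):  first=%d count=%d\n", a.first, a.count);
	printf("memset_startat(four): first=%d count=%d\n", s.first, s.count);
	return 0;
}
```

When the struct is later copied out whole, the one-byte difference between the two results is the padding byte that only memset_after() clears.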
From patchwork Sun Aug 22 07:51:20 2021
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12451281
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 23/25] xfrm: Use memset_after() to clear padding
Date: Sun, 22 Aug 2021 00:51:20 -0700
Message-Id: <20210822075122.864511-24-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>
References: <20210822075122.864511-1-keescook@chromium.org>

In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Clear trailing padding bytes using the new helper so that memset() doesn't get confused about writing "past the end" of the last struct member. There is no change to the resulting machine code.

Signed-off-by: Kees Cook
--- net/xfrm/xfrm_policy.c | 4 +--- net/xfrm/xfrm_user.c | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 827d84255021..a21af241a2bb 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -2494,9 +2494,7 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family) xdst = dst_alloc(dst_ops, NULL, 1, DST_OBSOLETE_NONE, 0); if (likely(xdst)) { - struct dst_entry *dst = &xdst->u.dst; - - memset(dst + 1, 0, sizeof(*xdst) - sizeof(*dst)); + memset_after(xdst, 0, u.dst); } else xdst = ERR_PTR(-ENOBUFS); diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index b47d613409b7..880d260541c9 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c 
@@ -2845,7 +2845,7 @@ static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct copy_to_user_state(x, &ue->state); ue->hard = (c->data.hard != 0) ? 1 : 0; /* clear the padding bytes */ - memset(&ue->hard + 1, 0, sizeof(*ue) - offsetofend(typeof(*ue), hard)); + memset_after(ue, 0, hard); err = xfrm_mark_put(skb, &x->mark); if (err)
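
Review bot: In xfrm_alloc_dst() (net/xfrm/xfrm_policy.c) the removed memset() cleared sizeof(*xdst) - sizeof(*dst) bytes starting at dst + 1, which is everything in *xdst behind u.dst, while the subject and commit message speak only of clearing padding. If that range holds real members, the message should say this hunk zeroes the trailing members of the struct, not just padding. The old length also equals the new one only when u.dst sits at offset 0, and a one-line mention of that would back the "no change to the resulting machine code" statement. With the body reduced to a single statement, the braces on the if branch no longer match the unbraced else.
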
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 24/25] string.h: Introduce memset_startat() for wiping trailing members and padding
Date: Sun, 22 Aug 2021 00:51:21 -0700
Message-Id: <20210822075122.864511-25-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>

A common idiom in kernel code is to wipe the contents of a structure starting from a given member. These open-coded cases are usually difficult to read and very sensitive to struct layout changes. Like memset_after(), introduce a new helper, memset_startat() that takes the target struct instance, the byte to write, and the member name where zeroing should start. Note that this doesn't zero padding preceding the target member. For those cases, memset_after() should be used on the preceding member.

Signed-off-by: Kees Cook

--- include/linux/string.h | 18 ++++++++++++++++++ lib/test_memcpy.c | 11 +++++++++++ 2 files changed, 29 insertions(+) diff --git a/include/linux/string.h b/include/linux/string.h index d593de2635ba..38acc436dba2 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -288,6 +288,24 @@ static inline void memcpy_and_pad(void *dest, size_t dest_len, sizeof(*(obj)) - offsetofend(typeof(*(obj)), member)); \ }) +/** + * memset_startat - Set a value starting at a member to the end of a struct + * + * @obj: Address of target struct instance + * @v: Byte value to repeatedly write + * @member: struct member to start writing at + * + * Note that if there is padding between the prior member and the target + * member, memset_after() should be used to clear the prior padding. + */ +#define memset_startat(obj, v, member) \ +({ \ + u8 *__ptr = (u8 *)(obj); \ + typeof(v) __val = (v); \ + memset(__ptr + offsetof(typeof(*(obj)), member), __val, \ + sizeof(*(obj)) - offsetof(typeof(*(obj)), member)); \ +}) + /** * str_has_prefix - Test if a string has a given prefix * @str: The string to test 
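
Review bot: The kernel-doc for memset_startat() in include/linux/string.h does not say why the destination is built as __ptr + offsetof(...) from a u8 cast of obj rather than from &(obj)->member. Going by the FORTIFY_SOURCE motivation given in the other commit messages of this series, addressing from the struct base is the reason the helper exists, so one sentence in the comment would keep someone from later simplifying it back to the member address. The comment could also state that trailing padding after the last member is included, since the length runs to sizeof(*(obj)).
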
diff --git a/lib/test_memcpy.c b/lib/test_memcpy.c index 3b485de8c885..fb5deaf04418 100644 --- a/lib/test_memcpy.c +++ b/lib/test_memcpy.c @@ -222,6 +222,13 @@ static void memset_test(struct kunit *test) 0x72, 0x72, 0x72, 0x72, 0x72, 0x72, 0x72, 0x72, }, }; + struct some_bytes startat = { + .data = { 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, + 0x79, 0x79, 0x79, 0x79, 0x79, 0x79, 0x79, 0x79, + 0x79, 0x79, 0x79, 0x79, 0x79, 0x79, 0x79, 0x79, + 0x79, 0x79, 0x79, 0x79, 0x79, 0x79, 0x79, 0x79, + }, + }; struct some_bytes dest = { }; int count, value; u8 *ptr; 
@@ -258,6 +265,10 @@ static void memset_test(struct kunit *test) memset_after(&dest, 0x72, three); compare("memset_after()", dest, after); + /* Verify memset_startat() */ + dest = control; + memset_startat(&dest, 0x79, four); + compare("memset_startat()", dest, startat); #undef TEST_OP }
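
Review bot: The new case in memset_test() (lib/test_memcpy.c) covers a single start offset: the expected startat pattern flips from 0x30 to 0x79 at byte 8 and runs to the end of data. The kernel-doc added in this patch singles out padding in front of the target member as the part memset_startat() leaves untouched, so a second case on a struct that has such padding, checking that those bytes keep the control value, would pin the documented behaviour down.
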
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Nikolay Borisov, David Sterba, Rasmus Villemoes, Daniel Micay, Francis Laniel, Bart Van Assche, David Gow, linux-mm@kvack.org, clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Subject: [PATCH for-next 25/25] btrfs: Use memset_startat() to clear end of struct
Date: Sun, 22 Aug 2021 00:51:22 -0700
Message-Id: <20210822075122.864511-26-keescook@chromium.org>
In-Reply-To: <20210822075122.864511-1-keescook@chromium.org>

In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Use memset_startat() so memset() doesn't get confused about writing beyond the destination member that is intended to be the starting point of zeroing through the end of the struct.

Reviewed-by: Nikolay Borisov
Acked-by: David Sterba
Signed-off-by: Kees Cook

--- fs/btrfs/root-tree.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/fs/btrfs/root-tree.c b/fs/btrfs/root-tree.c index 702dc5441f03..12ceb14a1141 100644 --- a/fs/btrfs/root-tree.c +++ b/fs/btrfs/root-tree.c @@ -39,10 +39,8 @@ static void btrfs_read_root_item(struct extent_buffer *eb, int slot, need_reset = 1; } if (need_reset) { - memset(&item->generation_v2, 0, - sizeof(*item) - offsetof(struct btrfs_root_item, - generation_v2)); - + /* Clear all members from generation_v2 onwards. */ + memset_startat(item, 0, generation_v2); generate_random_guid(item->uuid); } }
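
Review bot: In btrfs_read_root_item() the replacement call covers the same range as the removed memset() (from offsetof generation_v2 to sizeof(*item)), but unlike 23/25 the commit message does not say the resulting object code was compared. If it was, add that statement here too. The new comment restates what the helper name already says, and a note on why the members from generation_v2 onwards have to be reset would be more useful to the next reader.
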
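
The padding caveat from the 24/25 commit message, shown as an added userspace example that is not code from the series. The two macros are re-created with standard offsetof() and __typeof__ (GCC or Clang assumed), and struct rec, STALE and the stale_with_* functions are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-ins for the kernel helpers; not the kernel's definitions. */
#define offsetofend(T, m) (offsetof(T, m) + sizeof(((T *)0)->m))
#define memset_after(obj, v, m) \
	memset((uint8_t *)(obj) + offsetofend(__typeof__(*(obj)), m), (v), \
	       sizeof(*(obj)) - offsetofend(__typeof__(*(obj)), m))
#define memset_startat(obj, v, m) \
	memset((uint8_t *)(obj) + offsetof(__typeof__(*(obj)), m), (v), \
	       sizeof(*(obj)) - offsetof(__typeof__(*(obj)), m))

/* Hypothetical record: the compiler inserts padding between tag and len,
 * and again after flag. */
struct rec {
	uint8_t  tag;
	uint32_t len;
	uint8_t  flag;
};

#define STALE 0xAA	/* constructed marker standing in for old memory contents */

/* Count bytes behind 'tag' that still hold the stale marker. */
static size_t stale_after_tag(const struct rec *r)
{
	const uint8_t *p = (const uint8_t *)r;
	size_t i, n = 0;

	for (i = offsetofend(struct rec, tag); i < sizeof(*r); i++)
		n += (p[i] == STALE);
	return n;
}

/* Wipe from 'len' onwards: the padding in front of 'len' is not touched. */
size_t stale_with_startat(void)
{
	struct rec r;
	memset(&r, STALE, sizeof(r));
	memset_startat(&r, 0, len);
	return stale_after_tag(&r);
}

/* Wipe everything behind 'tag': the padding is covered as well. */
size_t stale_with_after(void)
{
	struct rec r;
	memset(&r, STALE, sizeof(r));
	memset_after(&r, 0, tag);
	return stale_after_tag(&r);
}

int main(void)
{
	printf("stale bytes, memset_startat(len): %zu\n", stale_with_startat());
	printf("stale bytes, memset_after(tag):   %zu\n", stale_with_after());
	return 0;
}
```

On ABIs where uint32_t is 4-byte aligned, the first call reports 3 stale bytes (the hole between tag and len) and the second reports 0.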