From patchwork Wed Feb  2 00:30:30 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 12732455
Return-Path: <linux-security-module-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6FD04C433FE
	for <linux-security-module@archiver.kernel.org>;
 Wed,  2 Feb 2022 00:30:37 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S243357AbiBBAag (ORCPT
        <rfc822;linux-security-module@archiver.kernel.org>);
        Tue, 1 Feb 2022 19:30:36 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51534 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S243340AbiBBAaf (ORCPT
        <rfc822;linux-security-module@vger.kernel.org>);
        Tue, 1 Feb 2022 19:30:35 -0500
Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com
 [IPv6:2607:f8b0:4864:20::102a])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B71B8C061714
        for <linux-security-module@vger.kernel.org>;
 Tue,  1 Feb 2022 16:30:35 -0800 (PST)
Received: by mail-pj1-x102a.google.com with SMTP id
 s61-20020a17090a69c300b001b4d0427ea2so5107012pjj.4
        for <linux-security-module@vger.kernel.org>;
 Tue, 01 Feb 2022 16:30:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=+fInRCxHTyu6etxtEUEoIMD7U9glEHrt4elCFOp/5mk=;
        b=KVIt5HZpEeVD5/Y6so7IW5ZdtbtEHOzFNbZCAJCM2/Gq4/FzExrFsOC7OjSSxN+/5I
         LW+7C3qaWu1N1mvQfeeQSiYOuc0sIQXPMM8rIwj5h2+f3aMI/MXonOQD/P191JV/CLhx
         c/92nhGCU4UVBnrUoAkc3RR1TKiHGyNzsshh4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=+fInRCxHTyu6etxtEUEoIMD7U9glEHrt4elCFOp/5mk=;
        b=fRG/zQh3jaWr1Rh4jkQrcOI5Y3CD7UMUSKmyFLECwrRCoduBP0XjnpREyVBkpEt48Y
         S4h2BHDAFHrYRzC0DhF42tMEZdB33rCDZUXRlpDS7RH6WTfU5gG4BhFL7UWtgGkCOv7T
         Bn4jsEPl6u6RF316zF3d4NTKBXRvzmuunha3hrpM1I6umo+ay/N7wn3gDH6f6gM6EqcF
         HHBEFnvbbxNn3N4tn1fELkdHLtT2xGlY4LQdi9QNszkU7NNReJ1Uv66kL5KIOmPAm8vR
         yJksHTZRHn2aqLdn8ymYVny2NEiakCXuTAIbdOJNnOXmDpFCxXq86y+0/tEBUy77ShGc
         AKJQ==
X-Gm-Message-State: AOAM530fy9vy0wyrQQUOJXfnsHFrgII75jIfxaXYrnlwkRYZZabHDvC8
        g8bQ+NI4buZPjkux44xbIpPQQA==
X-Google-Smtp-Source: 
 ABdhPJz2sZEZicmGiuJ5cu7scof9QLNxu+YdEKntlFyEcaL7mkXaZfTlZDlxvVfnu/3FH9oPbCtoTQ==
X-Received: by 2002:a17:902:d4ca:: with SMTP id
 o10mr28009120plg.29.1643761835231;
        Tue, 01 Feb 2022 16:30:35 -0800 (PST)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id
 h5sm23550577pfi.111.2022.02.01.16.30.34
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 01 Feb 2022 16:30:34 -0800 (PST)
From: Kees Cook <keescook@chromium.org>
To: Kees Cook <keescook@chromium.org>
Cc: Miguel Ojeda <ojeda@kernel.org>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Nathan Chancellor <nathan@kernel.org>, llvm@lists.linux.dev,
        George Burgess IV <gbiv@google.com>,
        linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
        linux-security-module@vger.kernel.org
Subject: [PATCH 1/4] Compiler Attributes: Add Clang's __pass_object_size
Date: Tue,  1 Feb 2022 16:30:30 -0800
Message-Id: <20220202003033.704951-2-keescook@chromium.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20220202003033.704951-1-keescook@chromium.org>
References: <20220202003033.704951-1-keescook@chromium.org>
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=1822; h=from:subject;
 bh=19F95PyhJpZJNu+jRloPaxSM8AkVKKPr2V5iA4Cbh2I=;
 b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBh+dCodDJMeW62Db8IsOYk7kn1DY5ku66emtLiRLb7
 iklN8EKJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYfnQqAAKCRCJcvTf3G3AJiK/D/
 9hn4aKhWIVO239nGcT383ZMMwc72d5AIKe4PEY+RtwiM78keImZbgPc7yBMNWOEzt7H9FMMvj+wM1N
 zMA/31pZxCYrn1Y0rPtIfEDY3tgTq0LB18HvPS55EQACK42W1PJAHyAn/uccfnnBMP5y9QpCwGCWIE
 sjD6hm8bJHCzNXaG8lnmhGmKyAPH8HESaBVWryT2UNp17v2NwIhJJBvEMwexw0F3BQcAKJ+1OK6P2o
 CWaHd+7yRezSD+6uy5ha8uoeQk16uuAZa5h7NUhX8mXaHFdwylAIbBo8ofs3KmsfqyEMtbvt2wFBYb
 gbIUMad0eNBGP8+2KQLRa+jNsCFwZ9tHXaMWO5POYyKEBH1AEFMR7qipCv4z7QoRRMerySMKRa+RuL
 /rxxqMx9GUZPG14qbAX+9sTpbP/0roTer9c5ajMzcFCP9QJHBSIena8p93oQNBaRL3Di/+40oH7Xap
 no+KQiZyy6VNUdc782ntdzPr2abM0jAmvUnwrgBwhGnBhbokfeZIIqilUVW70bar4Rhk7xx84AjcrD
 laa29AMbyXoPrGUrucjqsZpvFN91ixc+lmMG5aez9mxUee0y6bRy/PUrmc2vudcSdv66VAPE/qQ3sE
 iBKBHg7arRR2eiw+8Y2vYIdRzwgiAKbBIoL6e/tzwNNidPyYiO+ZHtbqbcyA==
X-Developer-Key: i=keescook@chromium.org; a=openpgp;
 fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>

In order to gain greater visibility to type information when using
__builtin_object_size(), Clang has a function attribute "pass_object_size"
that will make size information available for marked arguments in
a function by way of implicit additional function arguments that are
then wired up the __builtin_object_size().

This is needed to implement FORTIFY_SOURCE in Clang, as a workaround
to Clang's __builtin_object_size() having limited visibility[1] into types
across function calls (even inlines).

This has an additional benefit that it can be used even on non-inline
functions to gain argument size information.

[1] https://github.com/llvm/llvm-project/issues/53516

Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: llvm@lists.linux.dev
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 include/linux/compiler_attributes.h | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h
index 37e260020221..cc751e0770f5 100644
--- a/include/linux/compiler_attributes.h
+++ b/include/linux/compiler_attributes.h
@@ -263,6 +263,17 @@
  */
 #define __packed                        __attribute__((__packed__))
 
+/*
+ * clang: https://clang.llvm.org/docs/AttributeReference.html#pass-object-size-pass-dynamic-object-size
+ *
+ * The "type" argument should match the __builtin_object_size(p, type) usage.
+ */
+#if __has_attribute(__pass_object_size__)
+# define __pass_object_size(type)	__attribute__((__pass_object_size__(type)))
+#else
+# define __pass_object_size(type)
+#endif
+
 /*
  *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-pure-function-attribute
  */

From patchwork Wed Feb  2 00:30:31 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 12732457
Return-Path: <linux-security-module-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 1C8E1C4167B
	for <linux-security-module@archiver.kernel.org>;
 Wed,  2 Feb 2022 00:30:39 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S243375AbiBBAah (ORCPT
        <rfc822;linux-security-module@archiver.kernel.org>);
        Tue, 1 Feb 2022 19:30:37 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51552 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S243351AbiBBAag (ORCPT
        <rfc822;linux-security-module@vger.kernel.org>);
        Tue, 1 Feb 2022 19:30:36 -0500
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com
 [IPv6:2607:f8b0:4864:20::632])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0DB9EC061748
        for <linux-security-module@vger.kernel.org>;
 Tue,  1 Feb 2022 16:30:36 -0800 (PST)
Received: by mail-pl1-x632.google.com with SMTP id z5so16771058plg.8
        for <linux-security-module@vger.kernel.org>;
 Tue, 01 Feb 2022 16:30:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=bebo5VtQ+fBGReGGI7tcyPsOFW4PGB+odxeVjPqXpcE=;
        b=TyrTR/b+cZDYjKhYpjOptxXGYc5aM6WnQWw5RNUNO6D0RLZ/BxLdeCuea7PAr02Lsm
         rE9WBgDtTo4EEQfHKZqWpbfruZW4RKTYGA4vl+gwLcTwm7RfM1uLJXfq1C3tM/xOCic2
         gOnc5ugpiu1aSgNY0nZV0dRDWXGjEzZZbnn3g=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=bebo5VtQ+fBGReGGI7tcyPsOFW4PGB+odxeVjPqXpcE=;
        b=youCqB+gHsM59YyYh/WPv7hXq1h9ZKzVLPx55aXLdRKLzBP/RP1yMWJ6KCu3PHJpBm
         R3dMOrmolEtICELSnYRUI72y6qJGqR4f2D2+zbCaDRuecyj8G24ugNRQ20uDFfGpO8hY
         SI0+3syIeXjprXWdPRNOS//CiG4/HAx1hGwqwl2Pfpb92Ev1dKCJPx5n/69QC6mLGUEO
         PGJB8sDrZ8QxFHSfVQsXKEBbNDBhHvyalt9egPtTWb0BGQprDZqVFxef9+YiFNCaiNZc
         nm09D4tARTDmxwOhO8nPvkYoYb+YWRBbfF51/H7Uy9JFHlWSIlH37usjZ4H69qgOJb4F
         PFYQ==
X-Gm-Message-State: AOAM533cStj+ucJ9uIbe7HtJXl6MqGDpqQ0I0tEwQSYfJX6BYGp0ILcG
        Y1HyQCGbIwEAwuwShbh3zfLkjQ==
X-Google-Smtp-Source: 
 ABdhPJxGEf8Hi1nqHyOPmLF51OkWLjdfrfUdnvtD357ppDinjvMOloNg8yKcdCKks505YcVAQojr4Q==
X-Received: by 2002:a17:902:da92:: with SMTP id
 j18mr28237959plx.127.1643761835524;
        Tue, 01 Feb 2022 16:30:35 -0800 (PST)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id
 a6sm32210500pgq.62.2022.02.01.16.30.34
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 01 Feb 2022 16:30:34 -0800 (PST)
From: Kees Cook <keescook@chromium.org>
To: Kees Cook <keescook@chromium.org>
Cc: Miguel Ojeda <ojeda@kernel.org>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Nathan Chancellor <nathan@kernel.org>, llvm@lists.linux.dev,
        George Burgess IV <gbiv@google.com>,
        linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
        linux-security-module@vger.kernel.org
Subject: [PATCH 2/4] Compiler Attributes: Add __overloadable
Date: Tue,  1 Feb 2022 16:30:31 -0800
Message-Id: <20220202003033.704951-3-keescook@chromium.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20220202003033.704951-1-keescook@chromium.org>
References: <20220202003033.704951-1-keescook@chromium.org>
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=1362; h=from:subject;
 bh=kPhaiMRcRcpe1F0B+vNrSNLRWFcSehODtiMdmi/QMtI=;
 b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBh+dCoVkMB/8+aU6DxpDuQAyvQOXwOty/i33WS1w9L
 GmB4MquJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYfnQqAAKCRCJcvTf3G3AJlxVD/
 0R4klSKDS5K9GW522csvbV4mzUi4w8/kRpEsomBw+LukBZcXh1nDTrWutvawH9QQhZSDDEqPTt3jss
 QxCdMQwEXg6imUgnDLVDxC2lOZde2FG5VH1LLMPlPRKUa66kg3unwFDn3tXGKgknX+Az/mcyGADJGk
 w9gc7pQMS3KpxNJXYQ4acQrYkEvWJ7hztQyYrxgghEDMoFqyxe3q0jf2e4SDKzLL0J5iByXng93YXO
 KJ2Ul5UMv4vyA4OrEnrM7nnvM4CRyolRK2aJQli74CvghDNLe1D8wQ/XT8yGZ4jLxSvKdenneNpDvm
 kGEQvdYaTjV6AwUf29bFjAOgT0nynF6GhK7/ovHS5JYiBpCc0BVgbYO8W74IaL1kUZg5ItcfZ/Lk2u
 ncAcW8ZDqg/0Q4NXZMOOtpFp9YHy0RSElxNs7CO+esY+Aau3u4SASvMcQ/MY8+WL0FJWH1JypgnLS6
 IpcH7s4RR5WACyYKb5LDFTSg0h97WWyYS+FNkuKDIVFw+MlDThzh2+U29sK0zAq0ie5ehUsrj1Ktma
 OzFV4fzB8xeGqogcGpVHh5BVQRTX0/LzggFoBP1cuAspjAIBCr0qnrqr+YWHLyADbg4xS6GZSA8AzH
 qWuXmAGO7jNzyJJleoSO3aZwo+O9ezs/5p2ur6xSbH4V6DSl//IitFElhHnQ==
X-Developer-Key: i=keescook@chromium.org; a=openpgp;
 fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>

In order for FORTIFY_SOURCE to use __pass_object_size on an "inline
extern" function, as all the fortified string functions are, the functions
must be marked as being overloadable (i.e. different prototypes).
This allows the __pass_object_size versions to take precedence.

Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: llvm@lists.linux.dev
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 include/linux/compiler_attributes.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h
index cc751e0770f5..51e063347fd6 100644
--- a/include/linux/compiler_attributes.h
+++ b/include/linux/compiler_attributes.h
@@ -257,6 +257,15 @@
  */
 #define __noreturn                      __attribute__((__noreturn__))
 
+/*
+ * clang: https://clang.llvm.org/docs/AttributeReference.html#overloadable
+ */
+#if __has_attribute(__overloadable__)
+# define __overloadable			__attribute__((__overloadable__))
+#else
+# define __overloadable
+#endif
+
 /*
  *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Type-Attributes.html#index-packed-type-attribute
  * clang: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-packed-variable-attribute

From patchwork Wed Feb  2 00:30:32 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 12732458
Return-Path: <linux-security-module-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 55AC6C3525A
	for <linux-security-module@archiver.kernel.org>;
 Wed,  2 Feb 2022 00:30:39 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S243349AbiBBAai (ORCPT
        <rfc822;linux-security-module@archiver.kernel.org>);
        Tue, 1 Feb 2022 19:30:38 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51558 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S243362AbiBBAag (ORCPT
        <rfc822;linux-security-module@vger.kernel.org>);
        Tue, 1 Feb 2022 19:30:36 -0500
Received: from mail-pl1-x633.google.com (mail-pl1-x633.google.com
 [IPv6:2607:f8b0:4864:20::633])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 94EE8C06173B
        for <linux-security-module@vger.kernel.org>;
 Tue,  1 Feb 2022 16:30:36 -0800 (PST)
Received: by mail-pl1-x633.google.com with SMTP id l13so8129333plg.9
        for <linux-security-module@vger.kernel.org>;
 Tue, 01 Feb 2022 16:30:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=2O1a7UvShSC3gckKtrO0p2k1de7WSXmEEaGyfLWDtkQ=;
        b=DhNq62Nd1Lt0lyxcdXftZsAHEPJuhU74yO3KkKkhQSkGJgdYSUNMTRxYY5uwjRbOXB
         0KoYCLocVZukIPNWy3uhlLew+5AJ7zaqT0r1cAbvpkyfnrBTgai/iH8aynup4IRfkYwa
         e1RE9tl7lT28g6N4gU0nR/IuWDVFcOb3iYfGA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=2O1a7UvShSC3gckKtrO0p2k1de7WSXmEEaGyfLWDtkQ=;
        b=0GA8gMGRFP4TceLB5KVz40aDUyEcLA3Ag9XDAilnydB7xlXTFYpH4aHo8m+ne1hWyJ
         ilz7UkSIuEqx3al7NP2d/V2R2n6axhiNN/Ip+5224t9IO2RZNYiYYHJb4YyEXQ948uXP
         aMZmuRMc8T2hVYfdYlML2c9MR3dbcAtTBTy3tP6SiMCshmzo0mgumg1P5fdJQS7ITFlX
         NltG8are8VQiJy4BHKygNhQS1Y/NasLbn/u7FrvOSRwD4UCsG9DkuXlIjB4OrGWUOumz
         zUOGxhVugOlnxEUzaojQLJIgcnkUiwkIzKKfG/TE0v6W9g4aHQXsNbkHT2e+vq6tT3aW
         bfNg==
X-Gm-Message-State: AOAM532mw9tS3ZMHlcnuAEnsmSsotEzEFTdeQoRGn6xB80gaUEUuJaJu
        YNcnJqFrKTOKtHyUT73L5qDqDg==
X-Google-Smtp-Source: 
 ABdhPJy4Ct5g0MqS0xgNdb9A3ATDvBTCJZs7Cundy1yyR6rX0KSc/3j5mjsPdWjDnsGn15z4kjkonA==
X-Received: by 2002:a17:90b:1e41:: with SMTP id
 pi1mr5192990pjb.62.1643761836157;
        Tue, 01 Feb 2022 16:30:36 -0800 (PST)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id
 k5sm24652213pfc.85.2022.02.01.16.30.34
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 01 Feb 2022 16:30:35 -0800 (PST)
From: Kees Cook <keescook@chromium.org>
To: Kees Cook <keescook@chromium.org>
Cc: Miguel Ojeda <ojeda@kernel.org>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Nathan Chancellor <nathan@kernel.org>, llvm@lists.linux.dev,
        George Burgess IV <gbiv@google.com>,
        linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
        linux-security-module@vger.kernel.org
Subject: [PATCH 3/4] Compiler Attributes: Add __diagnose_as
Date: Tue,  1 Feb 2022 16:30:32 -0800
Message-Id: <20220202003033.704951-4-keescook@chromium.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20220202003033.704951-1-keescook@chromium.org>
References: <20220202003033.704951-1-keescook@chromium.org>
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=1423; h=from:subject;
 bh=i1fpN36antLyVBs1U1U1fSS2CEHxT+df0ZNPiHFG1jw=;
 b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBh+dCo/jbG9rFQBg8OANce/4aahaOqHs+lh9B2zqU8
 116jf4uJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYfnQqAAKCRCJcvTf3G3AJvOwD/
 sFAXq9aIInuKt669oChD+K7YlLbmjc+0Ev4yHmb/YOCrz7QXAyfTMQZpJqikdYEH3RFaxKnJDgwmzE
 mqc8G2OHkuxL5GyPhpv/O9LhhEfYBf63VDTQb8dWhG/SvsBPXM0q89OlkSDr/noi4du4zL9s+3534O
 kx6nfw288C24GCljYJLELUhi5IazVnMu90Eah73vJwhPj5ePPPV4W1YFVTws466TcQP232pmUTM+SN
 0UGDJm7eowDUNz98idxmkAyF61U/Coi5a+Wd45R7Ieei11bgWmk972riSp9DRlY521GiRGRQ20zHp9
 CAJP6EdVJc9VKK2h1idH4Lb6xwQOfbRRdUXJ1ePh2MMrt2hxWqRLwWpdpoM8hpGljgl70mtNxFSPDa
 q7FCYP3R+2xCQGjbWBftyNcQcsBlEqMLDJFzPfZ3UI/hMCkaW3ettYkIyEtQBwLy8Wq2YOoopQgGFw
 R/UZuVg8I2E6mTDYZU0ucXXYHn/6UkMntLq/F7dJfEqQKL3VPOsiDkdRFxsOpkyAsOS3fQxTmZIhb5
 6GPjfb5mrzyRHCAGhWn+QNb1SQMuBdiSFQueS9KSs8nr9ApRKv6Hh9nnhWC29V7ki4CeKoInqseiEX
 j6AjgVKUE++SxwpcKHyfyy7/tCO16ohvH91YXRrutSLXYc7TxlBPaLRnu7nw==
X-Developer-Key: i=keescook@chromium.org; a=openpgp;
 fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>

Clang will perform various compile-time diagnostics on uses of various
functions (e.g. simple bounds-checking on strcpy(), etc). These
diagnostics can be assigned to other functions (for example, new
implementations of the string functions under CONFIG_FORTIFY_SOURCE)
using the "diagnose_as_builtin" attribute. This allows those functions
to retain their compile-time diagnostic warnings.

Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: llvm@lists.linux.dev
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 include/linux/compiler_attributes.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h
index 51e063347fd6..b4ae0d771302 100644
--- a/include/linux/compiler_attributes.h
+++ b/include/linux/compiler_attributes.h
@@ -100,6 +100,15 @@
 # define __copy(symbol)
 #endif
 
+/*
+ * clang: https://clang.llvm.org/docs/AttributeReference.html#diagnose_as_builtin
+ */
+#if __has_attribute(__diagnose_as_builtin__)
+# define __diagnose_as(builtin...)	__attribute__((__diagnose_as_builtin__(builtin)))
+#else
+# define __diagnose_as(builtin...)
+#endif
+
 /*
  * Don't. Just don't. See commit 771c035372a0 ("deprecate the '__deprecated'
  * attribute warnings entirely and for good") for more information.

From patchwork Wed Feb  2 00:30:33 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 12732459
Return-Path: <linux-security-module-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2A30FC41535
	for <linux-security-module@archiver.kernel.org>;
 Wed,  2 Feb 2022 00:30:40 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S243376AbiBBAai (ORCPT
        <rfc822;linux-security-module@archiver.kernel.org>);
        Tue, 1 Feb 2022 19:30:38 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51562 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S243369AbiBBAag (ORCPT
        <rfc822;linux-security-module@vger.kernel.org>);
        Tue, 1 Feb 2022 19:30:36 -0500
Received: from mail-pf1-x434.google.com (mail-pf1-x434.google.com
 [IPv6:2607:f8b0:4864:20::434])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C64BEC06173E
        for <linux-security-module@vger.kernel.org>;
 Tue,  1 Feb 2022 16:30:36 -0800 (PST)
Received: by mail-pf1-x434.google.com with SMTP id n32so17337113pfv.11
        for <linux-security-module@vger.kernel.org>;
 Tue, 01 Feb 2022 16:30:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=VjrCPTgmmaKb3y/ZOM5Yq/YGquEY9NIxxYzo4REsL+A=;
        b=b/zacnqWCilFkrdeG/bENv7niD5ssPV4upXLdgRBbFvmZe+0O24r2k94ELOZM+7VQd
         EQO9R/Ieqn+kWjMdHGu/AKAR0R5yKArK3q/KbZzm0dPcpYk6Cn8hcru5R3bjeC4oukKN
         ea3ivYU0wuUD9zb6aj384J9Zf7+50z2ewR480=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=VjrCPTgmmaKb3y/ZOM5Yq/YGquEY9NIxxYzo4REsL+A=;
        b=GjSz5Z2znSZbG/J3wLfhuqMr2Mt+GJTuEPx01U1ATvX/MDCKr+6ATvaDaKz0nGue1g
         VUPDIGh9f/s8jm1lnHGyVij0RqIbpknXutLkEveIwOvZvuLOSTsZsS7MZNbAFzTxD0n+
         hnELyuT/C0RkTJMkgX4noDmyFoSkEWb5jQwLFXnLDc6W5GbnpR56ZveBDezvfTWiSg5y
         GgD/PDk8R7ZFbdkqqQcQUzw7fCOMR4mOkGB5ohvGzM+MKIDzUrz/NoLfh3ze++56a2ff
         uLaFO7cvrPLDXrgZDuWkdDqNq4dcQ1AnhZNkVaJ7nNzJudwprpYzfoVDrohJM1J/GQN8
         6kmA==
X-Gm-Message-State: AOAM531QZorxvzZSDsPg3N1vP/Dm7Q7EL3J1aoR89DcikDeUipedhqhq
        5qEDl4G3qQa1d33lANnpeV8KNA==
X-Google-Smtp-Source: 
 ABdhPJwKfMKHgtPbIeBl1AOuyxfFJBygOcjBsEYx4YMSRW95KxnHg/QjUq3OGwzIGJXkow4ZvokxdA==
X-Received: by 2002:aa7:9682:: with SMTP id f2mr27769999pfk.56.1643761836333;
        Tue, 01 Feb 2022 16:30:36 -0800 (PST)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id
 kb18sm4478710pjb.30.2022.02.01.16.30.34
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 01 Feb 2022 16:30:35 -0800 (PST)
From: Kees Cook <keescook@chromium.org>
To: Kees Cook <keescook@chromium.org>
Cc: Miguel Ojeda <ojeda@kernel.org>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Nathan Chancellor <nathan@kernel.org>,
        George Burgess IV <gbiv@google.com>, llvm@lists.linux.dev,
        linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
        linux-security-module@vger.kernel.org
Subject: [PATCH 4/4 v5] fortify: Add Clang support
Date: Tue,  1 Feb 2022 16:30:33 -0800
Message-Id: <20220202003033.704951-5-keescook@chromium.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20220202003033.704951-1-keescook@chromium.org>
References: <20220202003033.704951-1-keescook@chromium.org>
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=8693; h=from:subject;
 bh=SqgzThQs8OQJdMsO9DeWzbUuEtfG/wphz7be5vg/zTA=;
 b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBh+dCoJxlB2ynAofG2ml7SHWgTF9x+jA4GWAP6eKea
 B1W0cvaJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYfnQqAAKCRCJcvTf3G3AJnYSD/
 9qfvmCRDs9vYWcHXT8jQlo5ViGbkrqp8D30tuRx3GwRHvXpdulxGExMnJaaehX3Q61rIGmgtF1t64O
 lZv7RoqJhfFZsiDnHAi1LhopRzSb6g3Svf3zGRJVNTQuLFfRTNaA1fne/XPa17VX8FFr2xJfmaXH+R
 l3vYqfN9OAos06btMuJ0iwAQ+m5hyzsDIxHYvpfZbxCnEqg6b45b2gd3iiSur0nANFHldvx+QZRrWr
 rjzxN8/puejVdkfM4cJdahxAR4KLp35znd5zVaabHb3cLKsbudphiENo2P/yiuTll6wWGapD0vb1xs
 ShNdM7FlK1junmA01KGeieaNTcix3fqUG9Hpo+dT7wrT8d+4WVMJyuJsYZGnQ/S1Jtec1rHRa90LN3
 nZnTWxKdncW0/nhba4af35A4qbaq7+4qhTNPKuNbM8Oeej5cvUOiKV8ZqY9JovLML2z0lE05KvI3fj
 fPGHkoIhXDvUwaI8nFG8kxXXzSxM8J8H+ZUHIVbbG5Y/n1ZRw5AGQDEvjcWLPB29ETU/K1fj+HNeVi
 rFGxh4ITfN9OnUI8XJLIXUsOMFYMLh6QXdWWgnsDk0DV/O4cZSkW5nZMmMQFu331KzItYLI0fa228K
 kt2LuGtHbjGnVkj3wkoECUB7tMNkFeRRUlooV7BEY236CEeNzlWgBd106Tfg==
X-Developer-Key: i=keescook@chromium.org; a=openpgp;
 fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>

Enable FORTIFY_SOURCE support for Clang:

Use the new __pass_object_size and __overloadable attributes so
that Clang will have appropriate visibility into argument types such
that __builtin_object_size(p, 1) will behave correctly. Additional
details here:
    https://github.com/llvm/llvm-project/issues/53516
    https://github.com/ClangBuiltLinux/linux/issues/1401

Use the new __diagnose_as attribute to make sure no compile-time
diagnostic warnings are lost due to the effectively renamed string
functions.

Redefine strlen() as a macro that tests for being a constant expression
so that strlen() can still be used in static initializers, which was
lost when adding __pass_object_size and __overloadable.

Finally, a bug with __builtin_constant_p() of globally defined variables
was fixed in Clang 13, so FORTIFY support must depend on that version or
later. Additional details here:
    https://bugs.llvm.org/show_bug.cgi?id=41459
    commit a52f8a59aef4 ("fortify: Explicitly disable Clang support")

Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: George Burgess IV <gbiv@google.com>
Cc: llvm@lists.linux.dev
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 include/linux/fortify-string.h | 52 ++++++++++++++++++++++++----------
 security/Kconfig               |  2 +-
 2 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index c45159dbdaa1..5482536d3197 100644
--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
@@ -2,7 +2,9 @@
 #ifndef _LINUX_FORTIFY_STRING_H_
 #define _LINUX_FORTIFY_STRING_H_
 
-#define __FORTIFY_INLINE extern __always_inline __attribute__((gnu_inline))
+#include <linux/const.h>
+
+#define __FORTIFY_INLINE extern __always_inline __attribute__((gnu_inline)) __overloadable
 #define __RENAME(x) __asm__(#x)
 
 void fortify_panic(const char *name) __noreturn __cold;
@@ -50,7 +52,11 @@ extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size)
 #define __underlying_strncpy	__builtin_strncpy
 #endif
 
-__FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+#define BOS	const __pass_object_size(1)
+#define BOS0	const __pass_object_size(0)
+
+__FORTIFY_INLINE __diagnose_as(__builtin_strncpy, 1, 2, 3)
+char *strncpy(char * BOS p, const char *q, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 1);
 
@@ -61,7 +67,8 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
 	return __underlying_strncpy(p, q, size);
 }
 
-__FORTIFY_INLINE char *strcat(char *p, const char *q)
+__FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2)
+char *strcat(char * BOS p, const char *q)
 {
 	size_t p_size = __builtin_object_size(p, 1);
 
@@ -73,7 +80,7 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q)
 }
 
 extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen);
-__FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen)
+__FORTIFY_INLINE __kernel_size_t strnlen(const char * BOS p, __kernel_size_t maxlen)
 {
 	size_t p_size = __builtin_object_size(p, 1);
 	size_t p_len = __compiletime_strlen(p);
@@ -93,8 +100,16 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen)
 	return ret;
 }
 
-/* defined after fortified strnlen to reuse it. */
-__FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+/*
+ * Defined after fortified strnlen to reuse it. However, it must still be
+ * possible for strlen() to be used on compile-time strings for use in
+ * static initializers (i.e. as a constant expression).
+ */
+#define strlen(p)							\
+	__builtin_choose_expr(__is_constexpr(__builtin_strlen(p)),	\
+		__builtin_strlen(p), __fortify_strlen(p))
+__FORTIFY_INLINE __diagnose_as(__builtin_strlen, 1)
+__kernel_size_t __fortify_strlen(const char * BOS p)
 {
 	__kernel_size_t ret;
 	size_t p_size = __builtin_object_size(p, 1);
@@ -110,7 +125,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
 
 /* defined after fortified strlen to reuse it */
 extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy);
-__FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+__FORTIFY_INLINE size_t strlcpy(char * BOS p, const char * BOS q, size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 1);
 	size_t q_size = __builtin_object_size(q, 1);
@@ -137,7 +152,7 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
 
 /* defined after fortified strnlen to reuse it */
 extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(strscpy);
-__FORTIFY_INLINE ssize_t strscpy(char *p, const char *q, size_t size)
+__FORTIFY_INLINE ssize_t strscpy(char * BOS p, const char * BOS q, size_t size)
 {
 	size_t len;
 	/* Use string size rather than possible enclosing struct size. */
@@ -183,7 +198,8 @@ __FORTIFY_INLINE ssize_t strscpy(char *p, const char *q, size_t size)
 }
 
 /* defined after fortified strlen and strnlen to reuse them */
-__FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
+__FORTIFY_INLINE __diagnose_as(__builtin_strncat, 1, 2, 3)
+char *strncat(char * BOS p, const char * BOS q, __kernel_size_t count)
 {
 	size_t p_len, copy_len;
 	size_t p_size = __builtin_object_size(p, 1);
@@ -354,7 +370,7 @@ __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size,
 		memmove)
 
 extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan);
-__FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size)
+__FORTIFY_INLINE void *memscan(void * BOS0 p, int c, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
 
@@ -365,7 +381,8 @@ __FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size)
 	return __real_memscan(p, c, size);
 }
 
-__FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size)
+__FORTIFY_INLINE __diagnose_as(__builtin_memcmp, 1, 2, 3)
+int memcmp(const void * BOS0 p, const void * BOS0 q, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
 	size_t q_size = __builtin_object_size(q, 0);
@@ -381,7 +398,8 @@ __FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size)
 	return __underlying_memcmp(p, q, size);
 }
 
-__FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size)
+__FORTIFY_INLINE __diagnose_as(__builtin_memchr, 1, 2, 3)
+void *memchr(const void * BOS0 p, int c, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
 
@@ -393,7 +411,7 @@ __FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size)
 }
 
 void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv);
-__FORTIFY_INLINE void *memchr_inv(const void *p, int c, size_t size)
+__FORTIFY_INLINE void *memchr_inv(const void * BOS0 p, int c, size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
 
@@ -405,7 +423,7 @@ __FORTIFY_INLINE void *memchr_inv(const void *p, int c, size_t size)
 }
 
 extern void *__real_kmemdup(const void *src, size_t len, gfp_t gfp) __RENAME(kmemdup);
-__FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
+__FORTIFY_INLINE void *kmemdup(const void * BOS0 p, size_t size, gfp_t gfp)
 {
 	size_t p_size = __builtin_object_size(p, 0);
 
@@ -417,7 +435,8 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
 }
 
 /* Defined after fortified strlen to reuse it. */
-__FORTIFY_INLINE char *strcpy(char *p, const char *q)
+__FORTIFY_INLINE __diagnose_as(__builtin_strcpy, 1, 2)
+char *strcpy(char * BOS p, const char * BOS q)
 {
 	size_t p_size = __builtin_object_size(p, 1);
 	size_t q_size = __builtin_object_size(q, 1);
@@ -446,4 +465,7 @@ __FORTIFY_INLINE char *strcpy(char *p, const char *q)
 #undef __underlying_strncat
 #undef __underlying_strncpy
 
+#undef BOS0
+#undef BOS
+
 #endif /* _LINUX_FORTIFY_STRING_H_ */
diff --git a/security/Kconfig b/security/Kconfig
index 0b847f435beb..1a25a567965f 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -179,7 +179,7 @@ config FORTIFY_SOURCE
 	depends on ARCH_HAS_FORTIFY_SOURCE
 	# https://bugs.llvm.org/show_bug.cgi?id=50322
 	# https://bugs.llvm.org/show_bug.cgi?id=41459
-	depends on !CC_IS_CLANG
+	depends on !CC_IS_CLANG || CLANG_VERSION >= 130000
 	help
 	  Detect overflows of buffers in common string and memory functions
 	  where the compiler can determine and validate the buffer sizes.