From patchwork Thu Mar 2 22:58:12 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13158015 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CBB7EC7EE30 for ; Thu, 2 Mar 2023 22:58:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229791AbjCBW6R (ORCPT ); Thu, 2 Mar 2023 17:58:17 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45094 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229662AbjCBW6Q (ORCPT ); Thu, 2 Mar 2023 17:58:16 -0500 Received: from mail-pj1-x102e.google.com (mail-pj1-x102e.google.com [IPv6:2607:f8b0:4864:20::102e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D73D034018 for ; Thu, 2 Mar 2023 14:58:14 -0800 (PST) Received: by mail-pj1-x102e.google.com with SMTP id bo22so686941pjb.4 for ; Thu, 02 Mar 2023 14:58:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1677797894; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=AT3F6PV/Pggg/CkzuWX5Xy+4BGT/l5C7re8M8RI6STk=; b=WcYaiUHogtvvYNPobepGTcABFaUKwYqs7PtuA3O0s99eVhoxKw+e6yPMb4lrUJQAQ2 h3/8t+pP9XcgOfHM/ziGuo279IBul1oBHEwELjRlsyDFCSNpq6+4why3TWgZUcUt4p13 FuAT8rb8fZFFnsF79+g91Ebhr05fbM++SWPMs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1677797894; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=AT3F6PV/Pggg/CkzuWX5Xy+4BGT/l5C7re8M8RI6STk=; b=Iry47LJa9rVa0iYGaYXg1NKbC1FAbdLj8bXlQ4euSlw4PLYaO+IihBgoeLI8gc92/i SvJfsgk7tHJNzo23jGMLHbdTIRMLHMeg3d4BHTK2zG3/pli5a8xDTBjkZ4c988Nzw7lG ZoykYGVU2q7KYoLN2gJbR7HHu7lhPYRnEKDoxlldU4qijYFI3LmgGeYqD2ZFv4J21ve7 SJECeh7HC6LM1zalPE+NUdQh1untq2gAhxEkeHfxF018CUoyadGFNfbR6cFE0Z7md13P jkZNfppjAEyFDTnny1ya2WND9o9btH73y5o6JmNpDzU45NjPy46Bt5cHyZWEbfm2vSUe 7Whw== X-Gm-Message-State: AO0yUKUCxjKcZODl9uC32gr4tqmkyqFnO5n96mHK0H2nm5qLp2WkRRVJ vSJvLgJYWU6VO+5oD5V+7lCPKA== X-Google-Smtp-Source: AK7set+eZzBYjjLeJPRnnkBXL5zbbETqP1VL9/a5unevM1Y9ZpbPpDmtatFRsBuU+7GAcLy4ypSe8w== X-Received: by 2002:a17:902:ab49:b0:19c:e440:924c with SMTP id ij9-20020a170902ab4900b0019ce440924cmr10982581plb.47.1677797894289; Thu, 02 Mar 2023 14:58:14 -0800 (PST) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id ko4-20020a17090307c400b00186b7443082sm177869plb.195.2023.03.02.14.58.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Mar 2023 14:58:13 -0800 (PST) From: Kees Cook To: Jakub Kicinski Cc: Kees Cook , Andy Shevchenko , Masahiro Yamada , Nathan Chancellor , Nick Desaulniers , Nicolas Schier , Tom Rix , Josh Poimboeuf , Miroslav Benes , Marco Elver , Andrew Morton , Linus Walleij , Cezary Rojewski , Mark Brown , Puyou Lu , linux-hardening@vger.kernel.org, linux-kbuild@vger.kernel.org, llvm@lists.linux.dev, linux-kernel@vger.kernel.org Subject: [PATCH] fortify: Improve buffer overflow reporting Date: Thu, 2 Mar 2023 14:58:12 -0800 Message-Id: <20230302225808.never.375-kees@kernel.org> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=8334; h=from:subject:message-id; bh=IGVxzF1sZURWAfeApQZ2Laffmf7md9cyyVm0jLNidck=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBkASoEr1QDrSuZfP6wqZbNYxKDUWf4T4Z4ri/YeJX4 7doK2laJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZAEqBAAKCRCJcvTf3G3AJoMmD/ 96RcvDf478voeYk90+LxlC4QOu/rbWL40dpEjejqKezaHWFCYeqgf1cOGWFwNH4zrIBJGIaYCne0oc gZFyca/p2WyixlCUtRVm/1+sj8kRMWz3XcgBWJm8YrmWChzZ6F3yR4vHmlskREPNbQV5fvgKDsTrI+ ppKxiZkWk/5SLG99RZQTMD4zoMr8mJTPSjgHuejVJ1I5UUCehyH+dKGofdyjT9gGsJz8kuQhu0LrsM lwX4Dnazls6QfuqZ6KqRqfWgquOjzzSdIWbgTM7xOJ56fRUuQ1sAaTTnFNtYwmU6ceK7fuzqwvjSq2 /zUS7TVJ/PqGZDLgVHgPdjj5tWzFH/V7YnoolQEBJfDKlnmsuwlfbaF3tNpyV6RTosVpgL5gUdtSlz OosGQXu5Njl2vgRFxH8w2Vyo8ksotXcxyHJiCvwMYfKubi5Nh110Kw7BcDJuEasBllnXCtQKRz2ZcL +j5pFPv/2Mi6TGZW/8s4U3UVjV996E11/8Ru7IsGVLGEbBmasLev9myu7tAVG7p5V0yshQAfyEI+KO Jao+Lh21UkzhSoDqTqlqR/1WB9kHHWU25uUhBESMzLa75j9QszwAGQaT1uq9oQTbtljXMnJX5aDUb6 3oOzgW6eNmkEz15kLb2kRELTQ2xiZBkkL7poS2T6NQ3Itn6zW2qVnpPNiB2g== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: X-Mailing-List: linux-hardening@vger.kernel.org Improve the reporting of buffer overflows under CONFIG_FORTIFY_SOURCE to help accelerate debugging efforts. The calculations are all just sitting in registers anyway, so pass them along to the function to be reported. For example, before: detected buffer overflow in memcpy and after: memcpy: detected buffer overflow: 4096 byte read from buffer of size 1 Cc: Jakub Kicinski Cc: Andy Shevchenko Cc: Masahiro Yamada Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: Nicolas Schier Cc: Tom Rix Cc: Josh Poimboeuf Cc: Miroslav Benes Cc: Marco Elver Cc: Andrew Morton Cc: Linus Walleij Cc: Cezary Rojewski Cc: Mark Brown Cc: Puyou Lu Cc: linux-hardening@vger.kernel.org Cc: linux-kbuild@vger.kernel.org Cc: llvm@lists.linux.dev Signed-off-by: Kees Cook --- include/linux/fortify-string.h | 51 +++++++++++++++++++--------------- lib/string_helpers.c | 5 ++-- 2 files changed, 32 insertions(+), 24 deletions(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index c9de1f59ee80..981e2838f99a 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -9,7 +9,7 @@ #define __FORTIFY_INLINE extern __always_inline __gnu_inline __overloadable #define __RENAME(x) __asm__(#x) -void fortify_panic(const char *name) __noreturn __cold; +void fortify_panic(const char *name, bool dest, size_t avail, size_t len) __noreturn __cold; void __read_overflow(void) __compiletime_error("detected read beyond size of object (1st parameter)"); void __read_overflow2(void) __compiletime_error("detected read beyond size of object (2nd parameter)"); void __read_overflow2_field(size_t avail, size_t wanted) __compiletime_warning("detected read beyond size of field (2nd parameter); maybe use struct_group()?"); @@ -147,7 +147,7 @@ char *strncpy(char * const POS p, const char *q, __kernel_size_t size) if (__compiletime_lessthan(p_size, size)) __write_overflow(); if (p_size < size) - fortify_panic(__func__); + fortify_panic(__func__, 1, p_size, size); return __underlying_strncpy(p, q, size); } @@ -170,11 +170,13 @@ __FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2) char *strcat(char * const POS p, const char *q) { size_t p_size = __member_size(p); + size_t size; if (p_size == SIZE_MAX) return __underlying_strcat(p, q); - if (strlcat(p, q, p_size) >= p_size) - fortify_panic(__func__); + size = strlcat(p, q, p_size); + if (p_size < size) + fortify_panic(__func__, 1, p_size, size); return p; } @@ -205,7 +207,7 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char * const POS p, __kernel_size /* Do not check characters beyond the end of p. */ ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); if (p_size <= ret && maxlen != ret) - fortify_panic(__func__); + fortify_panic(__func__, 1, p_size, ret); return ret; } @@ -241,7 +243,7 @@ __kernel_size_t __fortify_strlen(const char * const POS p) return __underlying_strlen(p); ret = strnlen(p, p_size); if (p_size <= ret) - fortify_panic(__func__); + fortify_panic(__func__, 1, p_size, ret); return ret; } @@ -282,8 +284,8 @@ __FORTIFY_INLINE size_t strlcpy(char * const POS p, const char * const POS q, si __write_overflow(); } if (size) { - if (len >= p_size) - fortify_panic(__func__); + if (p_size < len) + fortify_panic(__func__, 1, p_size, len); __underlying_memcpy(p, q, len); p[len] = '\0'; } @@ -361,7 +363,7 @@ __FORTIFY_INLINE ssize_t strscpy(char * const POS p, const char * const POS q, s * p_size. */ if (len > p_size) - fortify_panic(__func__); + fortify_panic(__func__, 1, p_size, len); /* * We can now safely call vanilla strscpy because we are protected from: @@ -397,13 +399,15 @@ char *strncat(char * const POS p, const char * const POS q, __kernel_size_t coun size_t p_len, copy_len; size_t p_size = __member_size(p); size_t q_size = __member_size(q); + size_t size; if (p_size == SIZE_MAX && q_size == SIZE_MAX) return __underlying_strncat(p, q, count); p_len = strlen(p); copy_len = strnlen(q, count); - if (p_size < p_len + copy_len + 1) - fortify_panic(__func__); + size = p_len + copy_len + 1; + if (p_size < size) + fortify_panic(__func__, 1, p_size, size); __underlying_memcpy(p + p_len, q, copy_len); p[p_len + copy_len] = '\0'; return p; @@ -444,7 +448,7 @@ __FORTIFY_INLINE void fortify_memset_chk(__kernel_size_t size, * lengths are unknown.) */ if (p_size != SIZE_MAX && p_size < size) - fortify_panic("memset"); + fortify_panic("memset", 1, p_size, size); } #define __fortify_memset_chk(p, c, size, p_size, p_size_field) ({ \ @@ -542,9 +546,10 @@ __FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size, * (The SIZE_MAX test is to optimize away checks where the buffer * lengths are unknown.) */ - if ((p_size != SIZE_MAX && p_size < size) || - (q_size != SIZE_MAX && q_size < size)) - fortify_panic(func); + if (p_size != SIZE_MAX && p_size < size) + fortify_panic(func, 1, p_size, size); + if (q_size != SIZE_MAX && q_size < size) + fortify_panic(func, 0, q_size, size); /* * Warn when writing beyond destination field size. @@ -644,7 +649,7 @@ __FORTIFY_INLINE void *memscan(void * const POS0 p, int c, __kernel_size_t size) if (__compiletime_lessthan(p_size, size)) __read_overflow(); if (p_size < size) - fortify_panic(__func__); + fortify_panic(__func__, 1, p_size, size); return __real_memscan(p, c, size); } @@ -660,8 +665,10 @@ int memcmp(const void * const POS0 p, const void * const POS0 q, __kernel_size_t if (__compiletime_lessthan(q_size, size)) __read_overflow2(); } - if (p_size < size || q_size < size) - fortify_panic(__func__); + if (p_size < size) + fortify_panic(__func__, 1, p_size, size); + if (q_size < size) + fortify_panic(__func__, 0, q_size, size); return __underlying_memcmp(p, q, size); } @@ -673,7 +680,7 @@ void *memchr(const void * const POS0 p, int c, __kernel_size_t size) if (__compiletime_lessthan(p_size, size)) __read_overflow(); if (p_size < size) - fortify_panic(__func__); + fortify_panic(__func__, 1, p_size, size); return __underlying_memchr(p, c, size); } @@ -685,7 +692,7 @@ __FORTIFY_INLINE void *memchr_inv(const void * const POS0 p, int c, size_t size) if (__compiletime_lessthan(p_size, size)) __read_overflow(); if (p_size < size) - fortify_panic(__func__); + fortify_panic(__func__, 1, p_size, size); return __real_memchr_inv(p, c, size); } @@ -698,7 +705,7 @@ __FORTIFY_INLINE void *kmemdup(const void * const POS0 p, size_t size, gfp_t gfp if (__compiletime_lessthan(p_size, size)) __read_overflow(); if (p_size < size) - fortify_panic(__func__); + fortify_panic(__func__, 1, p_size, size); return __real_kmemdup(p, size, gfp); } @@ -735,7 +742,7 @@ char *strcpy(char * const POS p, const char * const POS q) __write_overflow(); /* Run-time check for dynamic size overflow. */ if (p_size < size) - fortify_panic(__func__); + fortify_panic(__func__, 1, p_size, size); __underlying_memcpy(p, q, size); return p; } diff --git a/lib/string_helpers.c b/lib/string_helpers.c index 230020a2e076..b2d3e1d3931e 100644 --- a/lib/string_helpers.c +++ b/lib/string_helpers.c @@ -1021,9 +1021,10 @@ EXPORT_SYMBOL(__read_overflow2_field); void __write_overflow_field(size_t avail, size_t wanted) { } EXPORT_SYMBOL(__write_overflow_field); -void fortify_panic(const char *name) +void fortify_panic(const char *name, bool dest, size_t avail, size_t len) { - pr_emerg("detected buffer overflow in %s\n", name); + pr_emerg("%s: detected buffer overflow: %zu byte %s buffer of size %zu\n", + name, len, dest ? "write to" : "read from", avail); BUG(); } EXPORT_SYMBOL(fortify_panic);