From patchwork Thu Feb 6 18:11:28 2025
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13963413
From: Kees Cook
To: Suren Baghdasaryan
Cc: Kees Cook, Kent Overstreet, Andy Shevchenko, Luc Van Oostenryck, Nathan Chancellor, Nick Desaulniers, Bill Wendling, Justin Stitt, Philipp Reisner, Miguel Ojeda, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 1/3] compiler.h: Move C string helpers into C-only kernel section
Date: Thu, 6 Feb 2025 10:11:28 -0800
Message-Id: <20250206181133.3450635-1-kees@kernel.org>
In-Reply-To: <20250206175216.work.225-kees@kernel.org>
References: <20250206175216.work.225-kees@kernel.org>

The C kernel helpers for evaluating C Strings were placed outside of
the assembly ifdef. Move them to the correct place so future changes
won't confuse the assembler.

Fixes: d7a516c6eeae ("compiler.h: Fix undefined BUILD_BUG_ON_ZERO()")
Fixes: 559048d156ff ("string: Check for "nonstring" attribute on strscpy() arguments")
Signed-off-by: Kees Cook
Reviewed-by: Miguel Ojeda
---
 include/linux/compiler.h | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/include/linux/compiler.h b/include/linux/compiler.h index 240c632c5b95..7af999a131cb 100644 --- a/include/linux/compiler.h +++ b/include/linux/compiler.h @@ -214,6 +214,19 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val, __v; \ }) +#ifdef __CHECKER__ +#define __BUILD_BUG_ON_ZERO_MSG(e, msg) (0) +#else /* __CHECKER__ */ +#define __BUILD_BUG_ON_ZERO_MSG(e, msg) ((int)sizeof(struct {_Static_assert(!(e), msg);})) +#endif /* __CHECKER__ */ + +/* &a[0] degrades to a pointer: a different type from an array */ +#define __must_be_array(a) __BUILD_BUG_ON_ZERO_MSG(__same_type((a), &(a)[0]), "must be array") + +/* Require C Strings (i.e. NUL-terminated) lack the "nonstring" attribute. */ +#define __must_be_cstr(p) \ + __BUILD_BUG_ON_ZERO_MSG(__annotated(p, nonstring), "must be cstr (NUL-terminated)") + #endif /* __KERNEL__ */ /** 
@@ -254,19 +267,6 @@ static inline void *offset_to_ptr(const int *off) #define __ADDRESSABLE_ASM_STR(sym) __stringify(__ADDRESSABLE_ASM(sym)) -#ifdef __CHECKER__ -#define __BUILD_BUG_ON_ZERO_MSG(e, msg) (0) -#else /* __CHECKER__ */ -#define __BUILD_BUG_ON_ZERO_MSG(e, msg) ((int)sizeof(struct {_Static_assert(!(e), msg);})) -#endif /* __CHECKER__ */ - -/* &a[0] degrades to a pointer: a different type from an array */ -#define __must_be_array(a) __BUILD_BUG_ON_ZERO_MSG(__same_type((a), &(a)[0]), "must be array") - -/* Require C Strings (i.e. NUL-terminated) lack the "nonstring" attribute. */ -#define __must_be_cstr(p) \ - __BUILD_BUG_ON_ZERO_MSG(__annotated(p, nonstring), "must be cstr (NUL-terminated)") - /* * This returns a constant expression while determining if an argument is * a constant expression, most importantly without evaluating the argument.
From patchwork Thu Feb 6 18:11:29 2025
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13963415
From: Kees Cook
To: Suren Baghdasaryan
Cc: Kees Cook, Kent Overstreet, Andy Shevchenko, Luc Van Oostenryck, Nathan Chancellor, Nick Desaulniers, Bill Wendling, Justin Stitt, Philipp Reisner, Miguel Ojeda, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 2/3] compiler.h: Introduce __must_be_char_array()
Date: Thu, 6 Feb 2025 10:11:29 -0800
Message-Id: <20250206181133.3450635-2-kees@kernel.org>
In-Reply-To: <20250206175216.work.225-kees@kernel.org>
References: <20250206175216.work.225-kees@kernel.org>

In preparation for adding stricter type checking to the str/mem*()
helpers, provide a way to check that a variable is a character array
via __must_be_char_array().

Signed-off-by: Kees Cook
---
 include/linux/compiler.h | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/include/linux/compiler.h b/include/linux/compiler.h index 7af999a131cb..a577fe0b1f8a 100644 --- a/include/linux/compiler.h +++ b/include/linux/compiler.h
@@ -221,7 +221,13 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val, #endif /* __CHECKER__ */ /* &a[0] degrades to a pointer: a different type from an array */ -#define __must_be_array(a) __BUILD_BUG_ON_ZERO_MSG(__same_type((a), &(a)[0]), "must be array") +#define __is_array(a) (!__same_type((a), &(a)[0])) +#define __must_be_array(a) __BUILD_BUG_ON_ZERO_MSG(!__is_array(a), \ + "must be array") + +#define __is_char_array(a) (__is_array(a) && sizeof((a)[0]) == 1) +#define __must_be_char_array(a) __BUILD_BUG_ON_ZERO_MSG(!__is_char_array(a), \ + "must be byte array") /* Require C Strings (i.e. NUL-terminated) lack the "nonstring" attribute. */ #define __must_be_cstr(p) \
From patchwork Thu Feb 6 18:11:30 2025
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13963416
From: Kees Cook
To: Suren Baghdasaryan
Cc: Kees Cook, kernel test robot, Kent Overstreet, nathan@kernel.org, Andy Shevchenko, linux-hardening@vger.kernel.org, Luc Van Oostenryck, Nick Desaulniers, Bill Wendling, Justin Stitt, Philipp Reisner, Miguel Ojeda, linux-kernel@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 3/3] string.h: Use ARRAY_SIZE() for memtostr*()/strtomem*()
Date: Thu, 6 Feb 2025 10:11:30 -0800
Message-Id: <20250206181133.3450635-3-kees@kernel.org>
In-Reply-To: <20250206175216.work.225-kees@kernel.org>
References: <20250206175216.work.225-kees@kernel.org>

The destination argument of memtostr*() and strtomem*() must be a
fixed-size char array at compile time, so there is no need to use
__builtin_object_size() (which is useful for when an argument is
either a pointer or unknown). Instead use ARRAY_SIZE(), which has the
benefit of working around a bug in Clang (fixed[1] in 15+) that got
__builtin_object_size() wrong sometimes.

Reported-by: kernel test robot
Closes: https://lore.kernel.org/oe-kbuild-all/202501310832.kiAeOt2z-lkp@intel.com/
Suggested-by: Kent Overstreet
Link: https://github.com/llvm/llvm-project/commit/d8e0a6d5e9dd2311641f9a8a5d2bf90829951ddc [1]
Signed-off-by: Kees Cook --- Cc: Suren Baghdasaryan Cc: nathan@kernel.org Cc: Andy Shevchenko Cc: linux-hardening@vger.kernel.org --- include/linux/string.h | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/include/linux/string.h b/include/linux/string.h index 493ac4862c77..01ac26be274d 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -411,7 +411,8 @@ void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count, * must be discoverable by the compiler. */ #define strtomem_pad(dest, src, pad) do { \ - const size_t _dest_len = __builtin_object_size(dest, 1); \ + const size_t _dest_len = __must_be_char_array(dest) + \ + ARRAY_SIZE(dest); \ const size_t _src_len = __builtin_object_size(src, 1); \ \ BUILD_BUG_ON(!__builtin_constant_p(_dest_len) || \ @@ -434,7 +435,8 @@ void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count, * must be discoverable by the compiler. */ #define strtomem(dest, src) do { \ - const size_t _dest_len = __builtin_object_size(dest, 1); \ + const size_t _dest_len = __must_be_char_array(dest) + \ + ARRAY_SIZE(dest); \ const size_t _src_len = __builtin_object_size(src, 1); \ \ BUILD_BUG_ON(!__builtin_constant_p(_dest_len) || \ @@ -453,7 +455,8 @@ void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count, * Note that sizes of @dest and @src must be known at compile-time. */ #define memtostr(dest, src) do { \ - const size_t _dest_len = __builtin_object_size(dest, 1); \ + const size_t _dest_len = __must_be_char_array(dest) + \ + ARRAY_SIZE(dest); \ const size_t _src_len = __builtin_object_size(src, 1); \ const size_t _src_chars = strnlen(src, _src_len); \ const size_t _copy_len = min(_dest_len - 1, _src_chars); \ 
@@ -478,7 +481,8 @@ void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count, * Note that sizes of @dest and @src must be known at compile-time. */ #define memtostr_pad(dest, src) do { \ - const size_t _dest_len = __builtin_object_size(dest, 1); \ + const size_t _dest_len = __must_be_char_array(dest) + \ + ARRAY_SIZE(dest); \ const size_t _src_len = __builtin_object_size(src, 1); \ const size_t _src_chars = strnlen(src, _src_len); \ const size_t _copy_len = min(_dest_len - 1, _src_chars); \
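Review bot: in [PATCH 1/3], the first hunk (@@ -214,6 +214,19 @@) places the helpers directly above "#endif /* __KERNEL__ */" with no comment saying they are C-only, so they are no longer defined for anything that includes this header without __KERNEL__. Please confirm that no user of __must_be_array() or __must_be_cstr() is built that way, and consider a one-line comment above the block noting that it has to stay inside the C-only section, since that is the constraint this move restores.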
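Review bot: in [PATCH 2/3], __is_char_array() tests only sizeof((a)[0]) == 1, so it accepts any array of one-byte elements (u8, bool, a one-byte struct), not just char, and the macro name, the "must be byte array" message and the commit text's "character array" disagree about which is meant. Either add a comment above __is_char_array() stating that any one-byte element type is accepted on purpose, or tighten the test to the character types. The new __is_array() and __is_char_array() also have no comment of their own; the retained "&a[0] degrades to a pointer" comment covers only the array test.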
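Review bot: in [PATCH 3/3], strtomem_pad() hunk (@@ -411,7 +411,8 @@), the kernel-doc line kept as context, "must be discoverable by the compiler", no longer describes the requirement on @dest, which is now that it be an array of one-byte elements or the build stops with "must be byte array". Please update the comment for @dest here and in the strtomem() hunk. The unchanged BUILD_BUG_ON(!__builtin_constant_p(_dest_len) || ... below still tests _dest_len, which now comes from ARRAY_SIZE(); if that term can no longer fire, drop it, otherwise add a comment saying why it stays.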
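Review bot: in [PATCH 3/3], memtostr() hunk (@@ -453,7 +455,8 @@), only _dest_len moves to ARRAY_SIZE(); the next line still computes _src_len with __builtin_object_size(src, 1), and that value bounds strnlen(src, _src_len). If the Clang miscalculation named in the commit message can also affect @src, the read length is still exposed to it. The doc comment says the size of @src must be known at compile time as well, so consider the same __must_be_char_array(src) + ARRAY_SIZE(src) form for _src_len here and in memtostr_pad(), or state in the commit message why @src is unaffected.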