diff mbox

string.h: work around __builtin_constant_p quirk

Message ID 20170807111615.4187078-1-arnd@arndb.de
State New
Headers show

Commit Message

Arnd Bergmann Aug. 7, 2017, 11:15 a.m. UTC 
The compile-time check in the hardened memcpy() triggered a build
error in code that should not have:

In function 'memcpy',
    inlined from '__adfs_dir_put' at fs/adfs/dir_f.c:318:2,
    inlined from 'adfs_f_update' at fs/adfs/dir_f.c:403:2:
include/linux/string.h:305:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
    __read_overflow2();
    ^~~~~~~~~~~~~~~~~~

My understanding is that in the __adfs_dir_put() function, the gcc
uses a specialization for the common 'thissize = 26', which due to
jump threading leads to a case where it has shown that 'thissize'
can be constant, but at the same time another case exists where
it may have a negative value (for sb->s_blocksize=0) that could lead
to overflowing the local 'adfs_direntry de' variable.

The bug was hidden before patch "fortify: use WARN instead of BUG
for now", which apparently dropped the compile-time checks due to
the following code being marked as '__unreachable'.

This reworks the hardened string functions to avoid some branches,
and introduces a macro for checking whether the argument is a
compile-time constant.

Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=72785
Fixes: mmotm ("fortify: use WARN instead of BUG for now")
Fixes: 6974f0c4555e ("include/linux/string.h: add the option of fortified string.h functions")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>

---
 include/linux/string.h | 62 ++++++++++++++++++++++++++++++--------------------
 1 file changed, 37 insertions(+), 25 deletions(-)

-- 
2.9.0

Comments

Arnd Bergmann Aug. 7, 2017, 10:29 p.m. UTC | #1 
On Mon, Aug 7, 2017 at 11:15 AM, Arnd Bergmann <arnd@arndb.de> wrote:
> The compile-time check in the hardened memcpy() triggered a build

> error in code that should not have:

>

> In function 'memcpy',

>     inlined from '__adfs_dir_put' at fs/adfs/dir_f.c:318:2,

>     inlined from 'adfs_f_update' at fs/adfs/dir_f.c:403:2:

> include/linux/string.h:305:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter

>     __read_overflow2();

>     ^~~~~~~~~~~~~~~~~~

>

> Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=72785

> Fixes: mmotm ("fortify: use WARN instead of BUG for now")

> Fixes: 6974f0c4555e ("include/linux/string.h: add the option of fortified string.h functions")

> Signed-off-by: Arnd Bergmann <arnd@arndb.de>


Please ignore this version for now, it seems that I accidentally
disabled all the compile-time
checks with the __builtin_choose_expr

       Arnd
kernel test robot Aug. 9, 2017, 6:09 a.m. UTC | #2 
Hi Arnd,

[auto build test ERROR on next-20170808]
[also build test ERROR on v4.13-rc4]
[cannot apply to linus/master kees/for-next/pstore arm-soc/for-next v4.13-rc4 v4.13-rc3 v4.13-rc2]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Arnd-Bergmann/string-h-work-around-__builtin_constant_p-quirk/20170809-073927
config: i386-randconfig-i1-08071909 (attached as .config)
compiler: gcc-4.8 (Debian 4.8.4-1) 4.8.4
reproduce:
        # save the attached .config to linux build tree
        make ARCH=i386 

All error/warnings (new ones prefixed by >>):

   In file included from arch/x86/include/asm/page_32.h:34:0,
                    from arch/x86/include/asm/page.h:13,
                    from arch/x86/include/asm/thread_info.h:11,
                    from include/linux/thread_info.h:37,
                    from arch/x86/include/asm/preempt.h:6,
                    from include/linux/preempt.h:80,
                    from include/linux/spinlock.h:50,
                    from include/linux/mmzone.h:7,
                    from include/linux/gfp.h:5,
                    from include/linux/slab.h:14,
                    from include/linux/crypto.h:24,
                    from arch/x86/kernel/asm-offsets.c:8:
   include/linux/string.h: In function 'strncpy':
>> include/linux/string.h:212:2: error: first argument to '__builtin_choose_expr' not a constant

     __builtin_choose_expr(__builtin_constant_p(arg), (arg), 0)
     ^
>> include/linux/string.h:217:21: note: in expansion of macro '__constant_argument'

     size_t constsize = __constant_argument(size);
                        ^
   include/linux/string.h: In function 'strlcpy':
>> include/linux/string.h:212:2: error: first argument to '__builtin_choose_expr' not a constant

     __builtin_choose_expr(__builtin_constant_p(arg), (arg), 0)
     ^
   include/linux/string.h:269:21: note: in expansion of macro '__constant_argument'
      size_t constlen = __constant_argument(len);
                        ^
   include/linux/string.h: In function 'memset':
>> include/linux/string.h:212:2: error: first argument to '__builtin_choose_expr' not a constant

     __builtin_choose_expr(__builtin_constant_p(arg), (arg), 0)
     ^
   include/linux/string.h:300:21: note: in expansion of macro '__constant_argument'
     size_t constsize = __constant_argument(size);
                        ^
   include/linux/string.h: In function 'memcpy':
>> include/linux/string.h:212:2: error: first argument to '__builtin_choose_expr' not a constant

     __builtin_choose_expr(__builtin_constant_p(arg), (arg), 0)
     ^
   include/linux/string.h:312:21: note: in expansion of macro '__constant_argument'
     size_t constsize = __constant_argument(size);
                        ^
   include/linux/string.h: In function 'memmove':
>> include/linux/string.h:212:2: error: first argument to '__builtin_choose_expr' not a constant

     __builtin_choose_expr(__builtin_constant_p(arg), (arg), 0)
     ^
   include/linux/string.h:326:21: note: in expansion of macro '__constant_argument'
     size_t constsize = __constant_argument(size);
                        ^
   include/linux/string.h: In function 'memscan':
>> include/linux/string.h:212:2: error: first argument to '__builtin_choose_expr' not a constant

     __builtin_choose_expr(__builtin_constant_p(arg), (arg), 0)
     ^
   include/linux/string.h:340:21: note: in expansion of macro '__constant_argument'
     size_t constsize = __constant_argument(size);
                        ^
   include/linux/string.h: In function 'memcmp':
>> include/linux/string.h:212:2: error: first argument to '__builtin_choose_expr' not a constant

     __builtin_choose_expr(__builtin_constant_p(arg), (arg), 0)
     ^
   include/linux/string.h:352:21: note: in expansion of macro '__constant_argument'
     size_t constsize = __constant_argument(size);
                        ^
   include/linux/string.h: In function 'memchr':
>> include/linux/string.h:212:2: error: first argument to '__builtin_choose_expr' not a constant

     __builtin_choose_expr(__builtin_constant_p(arg), (arg), 0)
     ^
   include/linux/string.h:365:21: note: in expansion of macro '__constant_argument'
     size_t constsize = __constant_argument(size);
                        ^
   include/linux/string.h: In function 'memchr_inv':
>> include/linux/string.h:212:2: error: first argument to '__builtin_choose_expr' not a constant

     __builtin_choose_expr(__builtin_constant_p(arg), (arg), 0)
     ^
   include/linux/string.h:377:21: note: in expansion of macro '__constant_argument'
     size_t constsize = __constant_argument(size);
                        ^
   include/linux/string.h: In function 'kmemdup':
>> include/linux/string.h:212:2: error: first argument to '__builtin_choose_expr' not a constant

     __builtin_choose_expr(__builtin_constant_p(arg), (arg), 0)
     ^
   include/linux/string.h:389:21: note: in expansion of macro '__constant_argument'
     size_t constsize = __constant_argument(size);
                        ^
   make[2]: *** [arch/x86/kernel/asm-offsets.s] Error 1
   make[2]: Target '__build' not remade because of errors.
   make[1]: *** [prepare0] Error 2
   make[1]: Target 'prepare' not remade because of errors.
   make: *** [sub-make] Error 2

vim +/__builtin_choose_expr +212 include/linux/string.h

   206	
   207	/*
   208	 * a more reliable check for constant arguments, see
   209	 * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=72785
   210	 */
   211	#define __constant_argument(arg) \
 > 212		__builtin_choose_expr(__builtin_constant_p(arg), (arg), 0)

   213	
   214	__FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
   215	{
   216		size_t p_size = __builtin_object_size(p, 0);
 > 217		size_t constsize = __constant_argument(size);

   218		if (p_size < constsize)
   219			__write_overflow();
   220		if (p_size < size)
   221			fortify_overflow(__func__);
   222		return __builtin_strncpy(p, q, size);
   223	}
   224	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
Kees Cook Aug. 15, 2017, 7:07 p.m. UTC | #3 
On Mon, Aug 7, 2017 at 3:29 PM, Arnd Bergmann <arnd@arndb.de> wrote:
> On Mon, Aug 7, 2017 at 11:15 AM, Arnd Bergmann <arnd@arndb.de> wrote:

>> The compile-time check in the hardened memcpy() triggered a build

>> error in code that should not have:

>>

>> In function 'memcpy',

>>     inlined from '__adfs_dir_put' at fs/adfs/dir_f.c:318:2,

>>     inlined from 'adfs_f_update' at fs/adfs/dir_f.c:403:2:

>> include/linux/string.h:305:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter

>>     __read_overflow2();

>>     ^~~~~~~~~~~~~~~~~~

>>

>> Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=72785

>> Fixes: mmotm ("fortify: use WARN instead of BUG for now")

>> Fixes: 6974f0c4555e ("include/linux/string.h: add the option of fortified string.h functions")

>> Signed-off-by: Arnd Bergmann <arnd@arndb.de>

>

> Please ignore this version for now, it seems that I accidentally

> disabled all the compile-time

> checks with the __builtin_choose_expr


Just double-checking on this patch. Last I saw you were testing a
tweak to not use __builtin_choose_expr()? I don't see it in -next so I
just wanted to see what was still needed here...

Thanks!

-Kees

-- 
Kees Cook
Pixel Security
diff mbox

Patch

diff --git a/include/linux/string.h b/include/linux/string.h
index 25f47e07c4c6..3ba29007a942 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -203,10 +203,19 @@  void __read_overflow2(void) __compiletime_error("detected read beyond size of ob
 void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
 
 #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
+
+/*
+ * a more reliable check for constant arguments, see
+ * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=72785
+ */
+#define __constant_argument(arg) \
+	__builtin_choose_expr(__builtin_constant_p(arg), (arg), 0)
+
 __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
-	if (__builtin_constant_p(size) && p_size < size)
+	size_t constsize = __constant_argument(size);
+	if (p_size < constsize)
 		__write_overflow();
 	if (p_size < size)
 		fortify_overflow(__func__);
@@ -257,7 +266,8 @@  __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
 	ret = strlen(q);
 	if (size) {
 		size_t len = (ret >= size) ? size - 1 : ret;
-		if (__builtin_constant_p(len) && len >= p_size)
+		size_t constlen = __constant_argument(len);
+		if (constlen >= p_size)
 			__write_overflow();
 		if (len >= p_size)
 			fortify_overflow(__func__);
@@ -287,7 +297,8 @@  __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
 __FORTIFY_INLINE void *memset(void *p, int c, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
-	if (__builtin_constant_p(size) && p_size < size)
+	size_t constsize = __constant_argument(size);
+	if (p_size < constsize)
 		__write_overflow();
 	if (p_size < size)
 		fortify_overflow(__func__);
@@ -298,12 +309,11 @@  __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
 	size_t q_size = __builtin_object_size(q, 0);
-	if (__builtin_constant_p(size)) {
-		if (p_size < size)
-			__write_overflow();
-		if (q_size < size)
-			__read_overflow2();
-	}
+	size_t constsize = __constant_argument(size);
+	if (p_size < constsize)
+		__write_overflow();
+	if (q_size < constsize)
+		__read_overflow2();
 	if (p_size < size || q_size < size)
 		fortify_overflow(__func__);
 	return __builtin_memcpy(p, q, size);
@@ -313,12 +323,11 @@  __FORTIFY_INLINE void *memmove(void *p, const void *q, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
 	size_t q_size = __builtin_object_size(q, 0);
-	if (__builtin_constant_p(size)) {
-		if (p_size < size)
-			__write_overflow();
-		if (q_size < size)
-			__read_overflow2();
-	}
+	size_t constsize = __constant_argument(size);
+	if (p_size < constsize)
+		__write_overflow();
+	if (q_size < constsize)
+		__read_overflow2();
 	if (p_size < size || q_size < size)
 		fortify_overflow(__func__);
 	return __builtin_memmove(p, q, size);
@@ -328,7 +337,8 @@  extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan);
 __FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
-	if (__builtin_constant_p(size) && p_size < size)
+	size_t constsize = __constant_argument(size);
+	if (p_size < constsize)
 		__read_overflow();
 	if (p_size < size)
 		fortify_overflow(__func__);
@@ -339,12 +349,11 @@  __FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
 	size_t q_size = __builtin_object_size(q, 0);
-	if (__builtin_constant_p(size)) {
-		if (p_size < size)
-			__read_overflow();
-		if (q_size < size)
-			__read_overflow2();
-	}
+	size_t constsize = __constant_argument(size);
+	if (p_size < constsize)
+		__read_overflow();
+	if (q_size < constsize)
+		__read_overflow2();
 	if (p_size < size || q_size < size)
 		fortify_overflow(__func__);
 	return __builtin_memcmp(p, q, size);
@@ -353,7 +362,8 @@  __FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size)
 __FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
-	if (__builtin_constant_p(size) && p_size < size)
+	size_t constsize = __constant_argument(size);
+	if (p_size < constsize)
 		__read_overflow();
 	if (p_size < size)
 		fortify_overflow(__func__);
@@ -364,7 +374,8 @@  void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv);
 __FORTIFY_INLINE void *memchr_inv(const void *p, int c, size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
-	if (__builtin_constant_p(size) && p_size < size)
+	size_t constsize = __constant_argument(size);
+	if (p_size < constsize)
 		__read_overflow();
 	if (p_size < size)
 		fortify_overflow(__func__);
@@ -375,7 +386,8 @@  extern void *__real_kmemdup(const void *src, size_t len, gfp_t gfp) __RENAME(kme
 __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
 {
 	size_t p_size = __builtin_object_size(p, 0);
-	if (__builtin_constant_p(size) && p_size < size)
+	size_t constsize = __constant_argument(size);
+	if (p_size < constsize)
 		__read_overflow();
 	if (p_size < size)
 		fortify_overflow(__func__);