| Message ID | 20230601160025.gonna.868-kees@kernel.org (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 0f84097ab0157fd06b6085edcbe8eab4c8617654 |
| Headers | show |
| Series | [v2] riscv/purgatory: Do not use fortified string functions | expand |
| Context | Check | Description |
|---|---|---|
| conchuod/cover_letter | success | Single patches do not need cover letters |
| conchuod/tree_selection | success | Guessed tree name to be for-next at HEAD ac9a78681b92 |
| conchuod/fixes_present | success | Fixes tag not required for -next series |
| conchuod/maintainers_pattern | success | MAINTAINERS pattern errors before the patch: 6 and now 6 |
| conchuod/verify_signedoff | success | Signed-off-by tag matches author and committer |
| conchuod/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| conchuod/build_rv64_clang_allmodconfig | success | Errors and warnings before: 14 this patch: 14 |
| conchuod/module_param | success | Was 0 now: 0 |
| conchuod/build_rv64_gcc_allmodconfig | success | Errors and warnings before: 28 this patch: 28 |
| conchuod/build_rv32_defconfig | success | Build OK |
| conchuod/dtb_warn_rv64 | success | Errors and warnings before: 3 this patch: 3 |
| conchuod/header_inline | success | No static functions without inline keyword in header files |
| conchuod/checkpatch | warning | WARNING: Non-standard signature: Bisected-by: |
| conchuod/build_rv64_nommu_k210_defconfig | success | Build OK |
| conchuod/verify_fixes | success | Fixes tag looks correct |
| conchuod/build_rv64_nommu_virt_defconfig | success | Build OK |
On Thu, Jun 01, 2023 at 09:00:28AM -0700, Kees Cook wrote: > With the addition of -fstrict-flex-arrays=3, struct sha256_state's > trailing array is no longer ignored by CONFIG_FORTIFY_SOURCE: > > struct sha256_state { > u32 state[SHA256_DIGEST_SIZE / 4]; > u64 count; > u8 buf[SHA256_BLOCK_SIZE]; > }; > > This means that the memcpy() calls with "buf" as a destination in > sha256.c's code will attempt to perform run-time bounds checking, which > could lead to calling missing functions, specifically a potential > WARN_ONCE, which isn't callable from purgatory. > > Reported-by: Thorsten Leemhuis <linux@leemhuis.info> > Closes: https://lore.kernel.org/lkml/175578ec-9dec-7a9c-8d3a-43f24ff86b92@leemhuis.info/ > Bisected-by: "Joan Bruguera Micó" <joanbrugueram@gmail.com> > Fixes: df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") > Cc: Paul Walmsley <paul.walmsley@sifive.com> > Cc: Palmer Dabbelt <palmer@dabbelt.com> > Cc: Albert Ou <aou@eecs.berkeley.edu> > Cc: Masahiro Yamada <masahiroy@kernel.org> > Cc: Conor Dooley <conor.dooley@microchip.com> Reviewed-by: Conor Dooley <conor.dooley@microchip.com> Thanks for the quick update Kees, Conor.
On Thu, 1 Jun 2023 09:00:28 -0700, Kees Cook wrote: > With the addition of -fstrict-flex-arrays=3, struct sha256_state's > trailing array is no longer ignored by CONFIG_FORTIFY_SOURCE: > > struct sha256_state { > u32 state[SHA256_DIGEST_SIZE / 4]; > u64 count; > u8 buf[SHA256_BLOCK_SIZE]; > }; > > [...] Applied to for-next/hardening, thanks! [1/1] riscv/purgatory: Do not use fortified string functions https://git.kernel.org/kees/c/ca2ca08f479d
On Thu, 01 Jun 2023 11:27:03 PDT (-0700), keescook@chromium.org wrote: > On Thu, 1 Jun 2023 09:00:28 -0700, Kees Cook wrote: >> With the addition of -fstrict-flex-arrays=3, struct sha256_state's >> trailing array is no longer ignored by CONFIG_FORTIFY_SOURCE: >> >> struct sha256_state { >> u32 state[SHA256_DIGEST_SIZE / 4]; >> u64 count; >> u8 buf[SHA256_BLOCK_SIZE]; >> }; >> >> [...] > > Applied to for-next/hardening, thanks! > > [1/1] riscv/purgatory: Do not use fortified string functions > https://git.kernel.org/kees/c/ca2ca08f479d Sorry, I'd just applied this to riscv/fixes as well. I can drop it if you want? I was going to send a PR tomorrow, just LMK.
Hello: This patch was applied to riscv/linux.git (fixes) by Palmer Dabbelt <palmer@rivosinc.com>: On Thu, 1 Jun 2023 09:00:28 -0700 you wrote: > With the addition of -fstrict-flex-arrays=3, struct sha256_state's > trailing array is no longer ignored by CONFIG_FORTIFY_SOURCE: > > struct sha256_state { > u32 state[SHA256_DIGEST_SIZE / 4]; > u64 count; > u8 buf[SHA256_BLOCK_SIZE]; > }; > > [...] Here is the summary with links: - [v2] riscv/purgatory: Do not use fortified string functions https://git.kernel.org/riscv/c/0f84097ab015 You are awesome, thank you!
On Thu, Jun 01, 2023 at 01:17:03PM -0700, Palmer Dabbelt wrote: > On Thu, 01 Jun 2023 11:27:03 PDT (-0700), keescook@chromium.org wrote: > > On Thu, 1 Jun 2023 09:00:28 -0700, Kees Cook wrote: > > > With the addition of -fstrict-flex-arrays=3, struct sha256_state's > > > trailing array is no longer ignored by CONFIG_FORTIFY_SOURCE: > > > > > > struct sha256_state { > > > u32 state[SHA256_DIGEST_SIZE / 4]; > > > u64 count; > > > u8 buf[SHA256_BLOCK_SIZE]; > > > }; > > > > > > [...] > > > > Applied to for-next/hardening, thanks! > > > > [1/1] riscv/purgatory: Do not use fortified string functions > > https://git.kernel.org/kees/c/ca2ca08f479d > > Sorry, I'd just applied this to riscv/fixes as well. I can drop it if you > want? I was going to send a PR tomorrow, just LMK. I'm fine either way. I was carrying each arch's fix just since it was related to the -fstrict-flex-arrays=3 patch in the hardening tree.
On Thu, 01 Jun 2023 13:31:33 PDT (-0700), keescook@chromium.org wrote: > On Thu, Jun 01, 2023 at 01:17:03PM -0700, Palmer Dabbelt wrote: >> On Thu, 01 Jun 2023 11:27:03 PDT (-0700), keescook@chromium.org wrote: >> > On Thu, 1 Jun 2023 09:00:28 -0700, Kees Cook wrote: >> > > With the addition of -fstrict-flex-arrays=3, struct sha256_state's >> > > trailing array is no longer ignored by CONFIG_FORTIFY_SOURCE: >> > > >> > > struct sha256_state { >> > > u32 state[SHA256_DIGEST_SIZE / 4]; >> > > u64 count; >> > > u8 buf[SHA256_BLOCK_SIZE]; >> > > }; >> > > >> > > [...] >> > >> > Applied to for-next/hardening, thanks! >> > >> > [1/1] riscv/purgatory: Do not use fortified string functions >> > https://git.kernel.org/kees/c/ca2ca08f479d >> >> Sorry, I'd just applied this to riscv/fixes as well. I can drop it if you >> want? I was going to send a PR tomorrow, just LMK. > > I'm fine either way. I was carrying each arch's fix just since it was > related to the -fstrict-flex-arrays=3 patch in the hardening tree. Works for me, I'll drop it. Reviewed-by: Palmer Dabbelt <palmer@rivosinc.com> Acked-by: Palmer Dabbelt <palmer@rivosinc.com> The bots will probably get confussed and it was briefly visible to linux-next, so there might be a bit of spam.
diff --git a/arch/riscv/purgatory/Makefile b/arch/riscv/purgatory/Makefile index 5730797a6b40..8c73360c42bb 100644 --- a/arch/riscv/purgatory/Makefile +++ b/arch/riscv/purgatory/Makefile @@ -31,7 +31,7 @@ $(obj)/strncmp.o: $(srctree)/arch/riscv/lib/strncmp.S FORCE $(obj)/sha256.o: $(srctree)/lib/crypto/sha256.c FORCE $(call if_changed_rule,cc_o_c) -CFLAGS_sha256.o := -D__DISABLE_EXPORTS +CFLAGS_sha256.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY CFLAGS_string.o := -D__DISABLE_EXPORTS CFLAGS_ctype.o := -D__DISABLE_EXPORTS
With the addition of -fstrict-flex-arrays=3, struct sha256_state's trailing array is no longer ignored by CONFIG_FORTIFY_SOURCE: struct sha256_state { u32 state[SHA256_DIGEST_SIZE / 4]; u64 count; u8 buf[SHA256_BLOCK_SIZE]; }; This means that the memcpy() calls with "buf" as a destination in sha256.c's code will attempt to perform run-time bounds checking, which could lead to calling missing functions, specifically a potential WARN_ONCE, which isn't callable from purgatory. Reported-by: Thorsten Leemhuis <linux@leemhuis.info> Closes: https://lore.kernel.org/lkml/175578ec-9dec-7a9c-8d3a-43f24ff86b92@leemhuis.info/ Bisected-by: "Joan Bruguera Micó" <joanbrugueram@gmail.com> Fixes: df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") Cc: Paul Walmsley <paul.walmsley@sifive.com> Cc: Palmer Dabbelt <palmer@dabbelt.com> Cc: Albert Ou <aou@eecs.berkeley.edu> Cc: Masahiro Yamada <masahiroy@kernel.org> Cc: Conor Dooley <conor.dooley@microchip.com> Cc: Nick Desaulniers <ndesaulniers@google.com> Cc: Alyssa Ross <hi@alyssa.is> Cc: Heiko Stuebner <heiko.stuebner@vrull.eu> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> Cc: linux-riscv@lists.infradead.org Signed-off-by: Kees Cook <keescook@chromium.org> --- v2: - only limit fortify for sha256 (conor) v1: https://lore.kernel.org/lkml/20230531003404.never.167-kees@kernel.org --- arch/riscv/purgatory/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)