[0/4] fortify: Use __builtin_dynamic_object_size() when available

Message ID	20220920192202.190793-1-keescook@chromium.org (mailing list archive)
Headers	show Return-Path: <linux-hardening-owner@kernel.org> From: Kees Cook <keescook@chromium.org> To: linux-hardening@vger.kernel.org Cc: Kees Cook <keescook@chromium.org>, Siddhesh Poyarekar <siddhesh@gotplt.org>, Nathan Chancellor <nathan@kernel.org>, Nick Desaulniers <ndesaulniers@google.com>, Arnd Bergmann <arnd@arndb.de>, Juergen Gross <jgross@suse.com>, Boris Ostrovsky <boris.ostrovsky@oracle.com>, Tom Rix <trix@redhat.com>, Miguel Ojeda <ojeda@kernel.org>, linux-kernel@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH 0/4] fortify: Use __builtin_dynamic_object_size() when available Date: Tue, 20 Sep 2022 12:21:58 -0700 Message-Id: <20220920192202.190793-1-keescook@chromium.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	fortify: Use __builtin_dynamic_object_size() when available \| expand [0/4] fortify: Use __builtin_dynamic_object_size() when available [1/4] x86/entry: Work around Clang __bdos() bug [2/4] fortify: Explicitly check bounds are compile-time constants [3/4] fortify: Convert to struct vs member helpers [4/4] fortify: Use __builtin_dynamic_object_size() when available

Message ID

20220920192202.190793-1-keescook@chromium.org (mailing list archive)

Headers

From: Kees Cook <keescook@chromium.org>
To: linux-hardening@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
        Siddhesh Poyarekar <siddhesh@gotplt.org>,
        Nathan Chancellor <nathan@kernel.org>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Arnd Bergmann <arnd@arndb.de>, Juergen Gross <jgross@suse.com>,
        Boris Ostrovsky <boris.ostrovsky@oracle.com>,
        Tom Rix <trix@redhat.com>, Miguel Ojeda <ojeda@kernel.org>,
        linux-kernel@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 0/4] fortify: Use __builtin_dynamic_object_size() when
 available
Date: Tue, 20 Sep 2022 12:21:58 -0700
Message-Id: <20220920192202.190793-1-keescook@chromium.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

fortify: Use __builtin_dynamic_object_size() when available | expand

Message

Kees Cook Sept. 20, 2022, 7:21 p.m. UTC

Hi,

This adjusts CONFIG_FORTIFY_SOURCE's coverage to include greater runtime
size checking from GCC and Clang's __builtin_dynamic_object_size(), which
the compilers can track either via code flow or from __alloc_size() hints.

Thanks,

-Kees

Kees Cook (4):
  x86/entry: Work around Clang __bdos() bug
  fortify: Explicitly check bounds are compile-time constants
  fortify: Convert to struct vs member helpers
  fortify: Use __builtin_dynamic_object_size() when available

 arch/x86/xen/enlighten_pv.c         |   3 +-
 drivers/misc/lkdtm/heap.c           |   1 +
 include/linux/compiler_attributes.h |   5 ++
 include/linux/fortify-string.h      | 125 ++++++++++++++++------------
 4 files changed, 81 insertions(+), 53 deletions(-)

Comments

Siddhesh Poyarekar Sept. 22, 2022, 8:26 p.m. UTC | #1

On 2022-09-20 15:21, Kees Cook wrote:
> Hi,
> 
> This adjusts CONFIG_FORTIFY_SOURCE's coverage to include greater runtime
> size checking from GCC and Clang's __builtin_dynamic_object_size(), which
> the compilers can track either via code flow or from __alloc_size() hints.
> 

FTR, I ran a linux build using gcc with allyesconfig and 
fortify-metrics[1] to get a sense of how much object size coverage would 
improve with __builtin_dynamic_object_size.  With a total of 3,877 
__builtin_object_size calls, about 11.37% succeed in getting a result 
that is not (size_t)-1.  If they were replaced by 
__builtin_dynamic_object_size as this patch proposes, the success rate 
improves to 16.25%, which is a ~1.4x improvement.

This is a decent improvement by itself but it can be amplified further 
by adding __attribute__((access (...)))[2] to function prototypes and 
definitions, especially for functions that take in buffers and their 
sizes as arguments since __builtin_dynamic_object_size in gcc is capable 
of recognizing that and using it for object size determination (and 
hence to fortify calls) within those functions.

Thanks,
Sid

[1] https://github.com/siddhesh/fortify-metrics
[2] https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html

Kees Cook Sept. 23, 2022, 12:20 a.m. UTC | #2

On Thu, Sep 22, 2022 at 04:26:54PM -0400, Siddhesh Poyarekar wrote:
> On 2022-09-20 15:21, Kees Cook wrote:
> > Hi,
> > 
> > This adjusts CONFIG_FORTIFY_SOURCE's coverage to include greater runtime
> > size checking from GCC and Clang's __builtin_dynamic_object_size(), which
> > the compilers can track either via code flow or from __alloc_size() hints.
> > 
> 
> FTR, I ran a linux build using gcc with allyesconfig and fortify-metrics[1]
> to get a sense of how much object size coverage would improve with
> __builtin_dynamic_object_size.  With a total of 3,877 __builtin_object_size
> calls, about 11.37% succeed in getting a result that is not (size_t)-1.  If
> they were replaced by __builtin_dynamic_object_size as this patch proposes,
> the success rate improves to 16.25%, which is a ~1.4x improvement.

Thanks for check that! Yeah, a 40% increase in coverage is nice. :0

> This is a decent improvement by itself but it can be amplified further by
> adding __attribute__((access (...)))[2] to function prototypes and
> definitions, especially for functions that take in buffers and their sizes
> as arguments since __builtin_dynamic_object_size in gcc is capable of
> recognizing that and using it for object size determination (and hence to
> fortify calls) within those functions.

Yeah, this could be another interest set of additions. It seems like it
might be more "coder friendly" if, in the future that has the
__element_count__ attribute, it could be used in function parameters
too, like:

If we had:

int do_something(struct context *ctx, u32 *data, int count)

this seems less easy to read to me:

int __access(read_write, 2, 3) do_something(struct context *ctx, u32 *data, int count)

as this seems more readable to me, though I guess the access-mode
information is lost:

int do_something(struct context *ctx, u32 * __element_count(count) data, int count)

But yes, this would be excellent to start adding!

-Kees

Siddhesh Poyarekar Sept. 23, 2022, 12:55 a.m. UTC | #3

On 2022-09-22 20:20, Kees Cook wrote:
> Yeah, this could be another interest set of additions. It seems like it
> might be more "coder friendly" if, in the future that has the
> __element_count__ attribute, it could be used in function parameters
> too, like:
> 
> If we had:
> 
> int do_something(struct context *ctx, u32 *data, int count)
> 
> this seems less easy to read to me:
> 
> int __access(read_write, 2, 3) do_something(struct context *ctx, u32 *data, int count)
> 
> as this seems more readable to me, though I guess the access-mode
> information is lost:
> 
> int do_something(struct context *ctx, u32 * __element_count(count) data, int count)

It doesn't *have* to lose access mode info:

int do_something(struct context *ctx,
		 u32 * __element_count(count, __read_only__) data,
		 int count)
{
...
}

where omitting the access mode could imply __read_write__.

Thanks,
Sid