From patchwork Wed Feb 2 00:30:30 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12732460 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1E6B6C433EF for ; Wed, 2 Feb 2022 00:30:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243354AbiBBAag (ORCPT ); Tue, 1 Feb 2022 19:30:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51536 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243343AbiBBAaf (ORCPT ); Tue, 1 Feb 2022 19:30:35 -0500 Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BD272C06173B for ; Tue, 1 Feb 2022 16:30:35 -0800 (PST) Received: by mail-pj1-x1030.google.com with SMTP id m7so1698258pjk.0 for ; Tue, 01 Feb 2022 16:30:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=+fInRCxHTyu6etxtEUEoIMD7U9glEHrt4elCFOp/5mk=; b=KVIt5HZpEeVD5/Y6so7IW5ZdtbtEHOzFNbZCAJCM2/Gq4/FzExrFsOC7OjSSxN+/5I LW+7C3qaWu1N1mvQfeeQSiYOuc0sIQXPMM8rIwj5h2+f3aMI/MXonOQD/P191JV/CLhx c/92nhGCU4UVBnrUoAkc3RR1TKiHGyNzsshh4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=+fInRCxHTyu6etxtEUEoIMD7U9glEHrt4elCFOp/5mk=; b=nZ6Kv17EbFnriAXCKE6FMZWmj/Z7Rx2JIziklUcNxQYUJRanemZ1qE8zKWHnrgcM8e KjaWfyGXzXkT8OrKFh4tKhQx7m0SkHqEcOhRc0cWy309ll+wvFqNY8p3w0xRxYler06U YsmwqdX5T8Sgv2ZFpGAdAJHn13spD1B/YDTkBJ70kX6N4on0HSW+/e5NTDg/LMxb4s0h 9hvyZoHp5bW7MSux+A0sgv6yvFNbYGXDY/eUViiNXbLzJAm45n40kw2w6DwyjFA4NDs8 XXuecUYRZKtEAflp7CR01cHZSQ2Qutd7+hqvEgJLsHheEFjFTTezJEzXOhLdwHAM9up2 FiXg== X-Gm-Message-State: AOAM532IDUySyYB755aGrVAKioiwBEq+6cRFT5tDX2Uxt2xkKHwp5Bnn VnlOf7QLGOOoUn2+ulqeIIGpdg== X-Google-Smtp-Source: ABdhPJz2sZEZicmGiuJ5cu7scof9QLNxu+YdEKntlFyEcaL7mkXaZfTlZDlxvVfnu/3FH9oPbCtoTQ== X-Received: by 2002:a17:902:d4ca:: with SMTP id o10mr28009120plg.29.1643761835231; Tue, 01 Feb 2022 16:30:35 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id h5sm23550577pfi.111.2022.02.01.16.30.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 01 Feb 2022 16:30:34 -0800 (PST) From: Kees Cook To: Kees Cook Cc: Miguel Ojeda , Nick Desaulniers , Nathan Chancellor , llvm@lists.linux.dev, George Burgess IV , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH 1/4] Compiler Attributes: Add Clang's __pass_object_size Date: Tue, 1 Feb 2022 16:30:30 -0800 Message-Id: <20220202003033.704951-2-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220202003033.704951-1-keescook@chromium.org> References: <20220202003033.704951-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=1822; h=from:subject; bh=19F95PyhJpZJNu+jRloPaxSM8AkVKKPr2V5iA4Cbh2I=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBh+dCodDJMeW62Db8IsOYk7kn1DY5ku66emtLiRLb7 iklN8EKJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYfnQqAAKCRCJcvTf3G3AJiK/D/ 9hn4aKhWIVO239nGcT383ZMMwc72d5AIKe4PEY+RtwiM78keImZbgPc7yBMNWOEzt7H9FMMvj+wM1N zMA/31pZxCYrn1Y0rPtIfEDY3tgTq0LB18HvPS55EQACK42W1PJAHyAn/uccfnnBMP5y9QpCwGCWIE sjD6hm8bJHCzNXaG8lnmhGmKyAPH8HESaBVWryT2UNp17v2NwIhJJBvEMwexw0F3BQcAKJ+1OK6P2o CWaHd+7yRezSD+6uy5ha8uoeQk16uuAZa5h7NUhX8mXaHFdwylAIbBo8ofs3KmsfqyEMtbvt2wFBYb gbIUMad0eNBGP8+2KQLRa+jNsCFwZ9tHXaMWO5POYyKEBH1AEFMR7qipCv4z7QoRRMerySMKRa+RuL /rxxqMx9GUZPG14qbAX+9sTpbP/0roTer9c5ajMzcFCP9QJHBSIena8p93oQNBaRL3Di/+40oH7Xap no+KQiZyy6VNUdc782ntdzPr2abM0jAmvUnwrgBwhGnBhbokfeZIIqilUVW70bar4Rhk7xx84AjcrD laa29AMbyXoPrGUrucjqsZpvFN91ixc+lmMG5aez9mxUee0y6bRy/PUrmc2vudcSdv66VAPE/qQ3sE iBKBHg7arRR2eiw+8Y2vYIdRzwgiAKbBIoL6e/tzwNNidPyYiO+ZHtbqbcyA== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: X-Mailing-List: linux-hardening@vger.kernel.org In order to gain greater visibility to type information when using __builtin_object_size(), Clang has a function attribute "pass_object_size" that will make size information available for marked arguments in a function by way of implicit additional function arguments that are then wired up the __builtin_object_size(). This is needed to implement FORTIFY_SOURCE in Clang, as a workaround to Clang's __builtin_object_size() having limited visibility[1] into types across function calls (even inlines). This has an additional benefit that it can be used even on non-inline functions to gain argument size information. [1] https://github.com/llvm/llvm-project/issues/53516 Cc: Miguel Ojeda Cc: Nick Desaulniers Cc: Nathan Chancellor Cc: llvm@lists.linux.dev Signed-off-by: Kees Cook --- include/linux/compiler_attributes.h | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h index 37e260020221..cc751e0770f5 100644 --- a/include/linux/compiler_attributes.h +++ b/include/linux/compiler_attributes.h @@ -263,6 +263,17 @@ */ #define __packed __attribute__((__packed__)) +/* + * clang: https://clang.llvm.org/docs/AttributeReference.html#pass-object-size-pass-dynamic-object-size + * + * The "type" argument should match the __builtin_object_size(p, type) usage. + */ +#if __has_attribute(__pass_object_size__) +# define __pass_object_size(type) __attribute__((__pass_object_size__(type))) +#else +# define __pass_object_size(type) +#endif + /* * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-pure-function-attribute */ From patchwork Wed Feb 2 00:30:31 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12732462 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1F69CC43217 for ; Wed, 2 Feb 2022 00:30:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243350AbiBBAah (ORCPT ); Tue, 1 Feb 2022 19:30:37 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51550 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243349AbiBBAag (ORCPT ); Tue, 1 Feb 2022 19:30:36 -0500 Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com [IPv6:2607:f8b0:4864:20::1033]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 05FFCC061744 for ; Tue, 1 Feb 2022 16:30:36 -0800 (PST) Received: by mail-pj1-x1033.google.com with SMTP id z10-20020a17090acb0a00b001b520826011so5105340pjt.5 for ; Tue, 01 Feb 2022 16:30:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=bebo5VtQ+fBGReGGI7tcyPsOFW4PGB+odxeVjPqXpcE=; b=TyrTR/b+cZDYjKhYpjOptxXGYc5aM6WnQWw5RNUNO6D0RLZ/BxLdeCuea7PAr02Lsm rE9WBgDtTo4EEQfHKZqWpbfruZW4RKTYGA4vl+gwLcTwm7RfM1uLJXfq1C3tM/xOCic2 gOnc5ugpiu1aSgNY0nZV0dRDWXGjEzZZbnn3g= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=bebo5VtQ+fBGReGGI7tcyPsOFW4PGB+odxeVjPqXpcE=; b=UV+ZA1kZHdwM/PW1yq9aWOUb653LRfLATT6yDVqxiQjaeMpSG0THle2vjVIJfTwE5j JSBXqqH1Hcn+7p+bXmGws2TNWvH8yaM5zCpA0D5MXTPmGXDPmHtdVPd3+vxhv544qfQE UBzYVoLn5dNs14hpQwsV28/Fv1MAn+lSubYkTygWQrQe1pic9VN05ZdIhjzIJ0xYdSJG +fDUxO8Ty1oYEquoYZPUpTQow8iGg/mxTiXPQf719vcW5cHggIRRq622tOd3LskKvfmL cykb4pvrtv6mBPHLNDD9PtZjDov+gMgu9vDmROeopNdWLRk4Ngl6lCSz2E0swpeVSXmO CkPw== X-Gm-Message-State: AOAM5318gHBH9PNloiMiXOzuHk18WIOhRY1YJ71xNd5hzaIiFc2Yq09C KG8phpskIar3hnI057OMPabPeQ== X-Google-Smtp-Source: ABdhPJxGEf8Hi1nqHyOPmLF51OkWLjdfrfUdnvtD357ppDinjvMOloNg8yKcdCKks505YcVAQojr4Q== X-Received: by 2002:a17:902:da92:: with SMTP id j18mr28237959plx.127.1643761835524; Tue, 01 Feb 2022 16:30:35 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id a6sm32210500pgq.62.2022.02.01.16.30.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 01 Feb 2022 16:30:34 -0800 (PST) From: Kees Cook To: Kees Cook Cc: Miguel Ojeda , Nick Desaulniers , Nathan Chancellor , llvm@lists.linux.dev, George Burgess IV , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH 2/4] Compiler Attributes: Add __overloadable Date: Tue, 1 Feb 2022 16:30:31 -0800 Message-Id: <20220202003033.704951-3-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220202003033.704951-1-keescook@chromium.org> References: <20220202003033.704951-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=1362; h=from:subject; bh=kPhaiMRcRcpe1F0B+vNrSNLRWFcSehODtiMdmi/QMtI=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBh+dCoVkMB/8+aU6DxpDuQAyvQOXwOty/i33WS1w9L GmB4MquJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYfnQqAAKCRCJcvTf3G3AJlxVD/ 0R4klSKDS5K9GW522csvbV4mzUi4w8/kRpEsomBw+LukBZcXh1nDTrWutvawH9QQhZSDDEqPTt3jss QxCdMQwEXg6imUgnDLVDxC2lOZde2FG5VH1LLMPlPRKUa66kg3unwFDn3tXGKgknX+Az/mcyGADJGk w9gc7pQMS3KpxNJXYQ4acQrYkEvWJ7hztQyYrxgghEDMoFqyxe3q0jf2e4SDKzLL0J5iByXng93YXO KJ2Ul5UMv4vyA4OrEnrM7nnvM4CRyolRK2aJQli74CvghDNLe1D8wQ/XT8yGZ4jLxSvKdenneNpDvm kGEQvdYaTjV6AwUf29bFjAOgT0nynF6GhK7/ovHS5JYiBpCc0BVgbYO8W74IaL1kUZg5ItcfZ/Lk2u ncAcW8ZDqg/0Q4NXZMOOtpFp9YHy0RSElxNs7CO+esY+Aau3u4SASvMcQ/MY8+WL0FJWH1JypgnLS6 IpcH7s4RR5WACyYKb5LDFTSg0h97WWyYS+FNkuKDIVFw+MlDThzh2+U29sK0zAq0ie5ehUsrj1Ktma OzFV4fzB8xeGqogcGpVHh5BVQRTX0/LzggFoBP1cuAspjAIBCr0qnrqr+YWHLyADbg4xS6GZSA8AzH qWuXmAGO7jNzyJJleoSO3aZwo+O9ezs/5p2ur6xSbH4V6DSl//IitFElhHnQ== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: X-Mailing-List: linux-hardening@vger.kernel.org In order for FORTIFY_SOURCE to use __pass_object_size on an "inline extern" function, as all the fortified string functions are, the functions must be marked as being overloadable (i.e. different prototypes). This allows the __pass_object_size versions to take precedence. Cc: Miguel Ojeda Cc: Nick Desaulniers Cc: Nathan Chancellor Cc: llvm@lists.linux.dev Signed-off-by: Kees Cook --- include/linux/compiler_attributes.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h index cc751e0770f5..51e063347fd6 100644 --- a/include/linux/compiler_attributes.h +++ b/include/linux/compiler_attributes.h @@ -257,6 +257,15 @@ */ #define __noreturn __attribute__((__noreturn__)) +/* + * clang: https://clang.llvm.org/docs/AttributeReference.html#overloadable + */ +#if __has_attribute(__overloadable__) +# define __overloadable __attribute__((__overloadable__)) +#else +# define __overloadable +#endif + /* * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Type-Attributes.html#index-packed-type-attribute * clang: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-packed-variable-attribute From patchwork Wed Feb 2 00:30:32 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12732463 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 47176C4167E for ; Wed, 2 Feb 2022 00:30:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243347AbiBBAai (ORCPT ); Tue, 1 Feb 2022 19:30:38 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51556 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243365AbiBBAag (ORCPT ); Tue, 1 Feb 2022 19:30:36 -0500 Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 94E20C061714 for ; Tue, 1 Feb 2022 16:30:36 -0800 (PST) Received: by mail-pl1-x635.google.com with SMTP id c3so16801062pls.5 for ; Tue, 01 Feb 2022 16:30:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=2O1a7UvShSC3gckKtrO0p2k1de7WSXmEEaGyfLWDtkQ=; b=DhNq62Nd1Lt0lyxcdXftZsAHEPJuhU74yO3KkKkhQSkGJgdYSUNMTRxYY5uwjRbOXB 0KoYCLocVZukIPNWy3uhlLew+5AJ7zaqT0r1cAbvpkyfnrBTgai/iH8aynup4IRfkYwa e1RE9tl7lT28g6N4gU0nR/IuWDVFcOb3iYfGA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=2O1a7UvShSC3gckKtrO0p2k1de7WSXmEEaGyfLWDtkQ=; b=Ks8xbMJ16XhrnshA3aujruh5DrwbEEVD4CZDFBv4eDkGrypAfq2tTKszNLWxkrqVlo 2+WMt61BjVFuqWS62R/aZC4iIgjN73CINAa/tqSy3VEUeYrcfyUDgAX+27BNS0fxnypw JX/wCE0VTelrItZoo+SPfav904Sq8CQFV+UteGIXPClAnAXLilQXMBosjXQUhSmXa73q Dm9iRx+jOLLfiQBClnTmB7iRBZ12ZfmxyollwthdTY7fkISSSwNibygIRmD+1s+y2GgN 9LyqGAx4PWCIfPhjfcX/Y05DsNLxgJ59UU02bQroHmcZjdPdVmKT3rNbjm1TmIKLHvjV lslQ== X-Gm-Message-State: AOAM530Db89ZS9DJhFO/VV26opl8II6w6Sar0eMQvo1wlX01aEh2InIQ kLk4Li2d9K33p4FZnDuYBEpMxeFgTaCk4A== X-Google-Smtp-Source: ABdhPJy4Ct5g0MqS0xgNdb9A3ATDvBTCJZs7Cundy1yyR6rX0KSc/3j5mjsPdWjDnsGn15z4kjkonA== X-Received: by 2002:a17:90b:1e41:: with SMTP id pi1mr5192990pjb.62.1643761836157; Tue, 01 Feb 2022 16:30:36 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id k5sm24652213pfc.85.2022.02.01.16.30.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 01 Feb 2022 16:30:35 -0800 (PST) From: Kees Cook To: Kees Cook Cc: Miguel Ojeda , Nick Desaulniers , Nathan Chancellor , llvm@lists.linux.dev, George Burgess IV , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH 3/4] Compiler Attributes: Add __diagnose_as Date: Tue, 1 Feb 2022 16:30:32 -0800 Message-Id: <20220202003033.704951-4-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220202003033.704951-1-keescook@chromium.org> References: <20220202003033.704951-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=1423; h=from:subject; bh=i1fpN36antLyVBs1U1U1fSS2CEHxT+df0ZNPiHFG1jw=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBh+dCo/jbG9rFQBg8OANce/4aahaOqHs+lh9B2zqU8 116jf4uJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYfnQqAAKCRCJcvTf3G3AJvOwD/ sFAXq9aIInuKt669oChD+K7YlLbmjc+0Ev4yHmb/YOCrz7QXAyfTMQZpJqikdYEH3RFaxKnJDgwmzE mqc8G2OHkuxL5GyPhpv/O9LhhEfYBf63VDTQb8dWhG/SvsBPXM0q89OlkSDr/noi4du4zL9s+3534O kx6nfw288C24GCljYJLELUhi5IazVnMu90Eah73vJwhPj5ePPPV4W1YFVTws466TcQP232pmUTM+SN 0UGDJm7eowDUNz98idxmkAyF61U/Coi5a+Wd45R7Ieei11bgWmk972riSp9DRlY521GiRGRQ20zHp9 CAJP6EdVJc9VKK2h1idH4Lb6xwQOfbRRdUXJ1ePh2MMrt2hxWqRLwWpdpoM8hpGljgl70mtNxFSPDa q7FCYP3R+2xCQGjbWBftyNcQcsBlEqMLDJFzPfZ3UI/hMCkaW3ettYkIyEtQBwLy8Wq2YOoopQgGFw R/UZuVg8I2E6mTDYZU0ucXXYHn/6UkMntLq/F7dJfEqQKL3VPOsiDkdRFxsOpkyAsOS3fQxTmZIhb5 6GPjfb5mrzyRHCAGhWn+QNb1SQMuBdiSFQueS9KSs8nr9ApRKv6Hh9nnhWC29V7ki4CeKoInqseiEX j6AjgVKUE++SxwpcKHyfyy7/tCO16ohvH91YXRrutSLXYc7TxlBPaLRnu7nw== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: X-Mailing-List: linux-hardening@vger.kernel.org Clang will perform various compile-time diagnostics on uses of various functions (e.g. simple bounds-checking on strcpy(), etc). These diagnostics can be assigned to other functions (for example, new implementations of the string functions under CONFIG_FORTIFY_SOURCE) using the "diagnose_as_builtin" attribute. This allows those functions to retain their compile-time diagnostic warnings. Cc: Miguel Ojeda Cc: Nick Desaulniers Cc: Nathan Chancellor Cc: llvm@lists.linux.dev Signed-off-by: Kees Cook --- include/linux/compiler_attributes.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h index 51e063347fd6..b4ae0d771302 100644 --- a/include/linux/compiler_attributes.h +++ b/include/linux/compiler_attributes.h @@ -100,6 +100,15 @@ # define __copy(symbol) #endif +/* + * clang: https://clang.llvm.org/docs/AttributeReference.html#diagnose_as_builtin + */ +#if __has_attribute(__diagnose_as_builtin__) +# define __diagnose_as(builtin...) __attribute__((__diagnose_as_builtin__(builtin))) +#else +# define __diagnose_as(builtin...) +#endif + /* * Don't. Just don't. See commit 771c035372a0 ("deprecate the '__deprecated' * attribute warnings entirely and for good") for more information. From patchwork Wed Feb 2 00:30:33 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12732464 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 33445C433F5 for ; Wed, 2 Feb 2022 00:30:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243365AbiBBAaj (ORCPT ); Tue, 1 Feb 2022 19:30:39 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51564 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243367AbiBBAag (ORCPT ); Tue, 1 Feb 2022 19:30:36 -0500 Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C717AC061401 for ; Tue, 1 Feb 2022 16:30:36 -0800 (PST) Received: by mail-pg1-x534.google.com with SMTP id 133so16926010pgb.0 for ; Tue, 01 Feb 2022 16:30:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=VjrCPTgmmaKb3y/ZOM5Yq/YGquEY9NIxxYzo4REsL+A=; b=b/zacnqWCilFkrdeG/bENv7niD5ssPV4upXLdgRBbFvmZe+0O24r2k94ELOZM+7VQd EQO9R/Ieqn+kWjMdHGu/AKAR0R5yKArK3q/KbZzm0dPcpYk6Cn8hcru5R3bjeC4oukKN ea3ivYU0wuUD9zb6aj384J9Zf7+50z2ewR480= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=VjrCPTgmmaKb3y/ZOM5Yq/YGquEY9NIxxYzo4REsL+A=; b=ca3CfHp2IdgQHN6tYUl6k8JVZi+xtZ25th/P84P3Y7uf6pfzGIFBBrS9lEf+SDrAPc OXmhgi/CxFgS4P/bjZ3R+ME0SXkFXX1sPXJaU8Bd/D+VwEcDe+bXxydDjq/YhJQiEysh 8hmjtfDVZJVEGQARulxUQgvG6rovD8VuyRRVQWwFNvbeTfXf7jWO+tHm9q1rBGOR0dKk 6Tb0pznVDEAaCrCM7kNYIcbMsQyt5aKNDXftwKHySpu0CHxtjciWwiSWLYUMnM1dH/UD Vx+F3u3J2jw2XvBafcONK+vrReRgOKlAHaYMxYUn1uRvq01DmVUDgTE7hCnnhAgA28wi YlqQ== X-Gm-Message-State: AOAM530jFpAmL1TOcnG7RlPAeHziLqDBl5JcMqpbnKcSc4SXQr4gF93z WtiiZfqJNQtUv0Df4tDzo7+D+g== X-Google-Smtp-Source: ABdhPJwKfMKHgtPbIeBl1AOuyxfFJBygOcjBsEYx4YMSRW95KxnHg/QjUq3OGwzIGJXkow4ZvokxdA== X-Received: by 2002:aa7:9682:: with SMTP id f2mr27769999pfk.56.1643761836333; Tue, 01 Feb 2022 16:30:36 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id kb18sm4478710pjb.30.2022.02.01.16.30.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 01 Feb 2022 16:30:35 -0800 (PST) From: Kees Cook To: Kees Cook Cc: Miguel Ojeda , Nick Desaulniers , Nathan Chancellor , George Burgess IV , llvm@lists.linux.dev, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH 4/4 v5] fortify: Add Clang support Date: Tue, 1 Feb 2022 16:30:33 -0800 Message-Id: <20220202003033.704951-5-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220202003033.704951-1-keescook@chromium.org> References: <20220202003033.704951-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=8693; h=from:subject; bh=SqgzThQs8OQJdMsO9DeWzbUuEtfG/wphz7be5vg/zTA=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBh+dCoJxlB2ynAofG2ml7SHWgTF9x+jA4GWAP6eKea B1W0cvaJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYfnQqAAKCRCJcvTf3G3AJnYSD/ 9qfvmCRDs9vYWcHXT8jQlo5ViGbkrqp8D30tuRx3GwRHvXpdulxGExMnJaaehX3Q61rIGmgtF1t64O lZv7RoqJhfFZsiDnHAi1LhopRzSb6g3Svf3zGRJVNTQuLFfRTNaA1fne/XPa17VX8FFr2xJfmaXH+R l3vYqfN9OAos06btMuJ0iwAQ+m5hyzsDIxHYvpfZbxCnEqg6b45b2gd3iiSur0nANFHldvx+QZRrWr rjzxN8/puejVdkfM4cJdahxAR4KLp35znd5zVaabHb3cLKsbudphiENo2P/yiuTll6wWGapD0vb1xs ShNdM7FlK1junmA01KGeieaNTcix3fqUG9Hpo+dT7wrT8d+4WVMJyuJsYZGnQ/S1Jtec1rHRa90LN3 nZnTWxKdncW0/nhba4af35A4qbaq7+4qhTNPKuNbM8Oeej5cvUOiKV8ZqY9JovLML2z0lE05KvI3fj fPGHkoIhXDvUwaI8nFG8kxXXzSxM8J8H+ZUHIVbbG5Y/n1ZRw5AGQDEvjcWLPB29ETU/K1fj+HNeVi rFGxh4ITfN9OnUI8XJLIXUsOMFYMLh6QXdWWgnsDk0DV/O4cZSkW5nZMmMQFu331KzItYLI0fa228K kt2LuGtHbjGnVkj3wkoECUB7tMNkFeRRUlooV7BEY236CEeNzlWgBd106Tfg== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: X-Mailing-List: linux-hardening@vger.kernel.org Enable FORTIFY_SOURCE support for Clang: Use the new __pass_object_size and __overloadable attributes so that Clang will have appropriate visibility into argument types such that __builtin_object_size(p, 1) will behave correctly. Additional details here: https://github.com/llvm/llvm-project/issues/53516 https://github.com/ClangBuiltLinux/linux/issues/1401 Use the new __diagnose_as attribute to make sure no compile-time diagnostic warnings are lost due to the effectively renamed string functions. Redefine strlen() as a macro that tests for being a constant expression so that strlen() can still be used in static initializers, which was lost when adding __pass_object_size and __overloadable. Finally, a bug with __builtin_constant_p() of globally defined variables was fixed in Clang 13, so FORTIFY support must depend on that version or later. Additional details here: https://bugs.llvm.org/show_bug.cgi?id=41459 commit a52f8a59aef4 ("fortify: Explicitly disable Clang support") Cc: Miguel Ojeda Cc: Nick Desaulniers Cc: Nathan Chancellor Cc: George Burgess IV Cc: llvm@lists.linux.dev Signed-off-by: Kees Cook --- include/linux/fortify-string.h | 52 ++++++++++++++++++++++++---------- security/Kconfig | 2 +- 2 files changed, 38 insertions(+), 16 deletions(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index c45159dbdaa1..5482536d3197 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -2,7 +2,9 @@ #ifndef _LINUX_FORTIFY_STRING_H_ #define _LINUX_FORTIFY_STRING_H_ -#define __FORTIFY_INLINE extern __always_inline __attribute__((gnu_inline)) +#include + +#define __FORTIFY_INLINE extern __always_inline __attribute__((gnu_inline)) __overloadable #define __RENAME(x) __asm__(#x) void fortify_panic(const char *name) __noreturn __cold; @@ -50,7 +52,11 @@ extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) #define __underlying_strncpy __builtin_strncpy #endif -__FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size) +#define BOS const __pass_object_size(1) +#define BOS0 const __pass_object_size(0) + +__FORTIFY_INLINE __diagnose_as(__builtin_strncpy, 1, 2, 3) +char *strncpy(char * BOS p, const char *q, __kernel_size_t size) { size_t p_size = __builtin_object_size(p, 1); @@ -61,7 +67,8 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size) return __underlying_strncpy(p, q, size); } -__FORTIFY_INLINE char *strcat(char *p, const char *q) +__FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2) +char *strcat(char * BOS p, const char *q) { size_t p_size = __builtin_object_size(p, 1); @@ -73,7 +80,7 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q) } extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen); -__FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen) +__FORTIFY_INLINE __kernel_size_t strnlen(const char * BOS p, __kernel_size_t maxlen) { size_t p_size = __builtin_object_size(p, 1); size_t p_len = __compiletime_strlen(p); @@ -93,8 +100,16 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen) return ret; } -/* defined after fortified strnlen to reuse it. */ -__FORTIFY_INLINE __kernel_size_t strlen(const char *p) +/* + * Defined after fortified strnlen to reuse it. However, it must still be + * possible for strlen() to be used on compile-time strings for use in + * static initializers (i.e. as a constant expression). + */ +#define strlen(p) \ + __builtin_choose_expr(__is_constexpr(__builtin_strlen(p)), \ + __builtin_strlen(p), __fortify_strlen(p)) +__FORTIFY_INLINE __diagnose_as(__builtin_strlen, 1) +__kernel_size_t __fortify_strlen(const char * BOS p) { __kernel_size_t ret; size_t p_size = __builtin_object_size(p, 1); @@ -110,7 +125,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p) /* defined after fortified strlen to reuse it */ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy); -__FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) +__FORTIFY_INLINE size_t strlcpy(char * BOS p, const char * BOS q, size_t size) { size_t p_size = __builtin_object_size(p, 1); size_t q_size = __builtin_object_size(q, 1); @@ -137,7 +152,7 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) /* defined after fortified strnlen to reuse it */ extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(strscpy); -__FORTIFY_INLINE ssize_t strscpy(char *p, const char *q, size_t size) +__FORTIFY_INLINE ssize_t strscpy(char * BOS p, const char * BOS q, size_t size) { size_t len; /* Use string size rather than possible enclosing struct size. */ @@ -183,7 +198,8 @@ __FORTIFY_INLINE ssize_t strscpy(char *p, const char *q, size_t size) } /* defined after fortified strlen and strnlen to reuse them */ -__FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count) +__FORTIFY_INLINE __diagnose_as(__builtin_strncat, 1, 2, 3) +char *strncat(char * BOS p, const char * BOS q, __kernel_size_t count) { size_t p_len, copy_len; size_t p_size = __builtin_object_size(p, 1); @@ -354,7 +370,7 @@ __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size, memmove) extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan); -__FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size) +__FORTIFY_INLINE void *memscan(void * BOS0 p, int c, __kernel_size_t size) { size_t p_size = __builtin_object_size(p, 0); @@ -365,7 +381,8 @@ __FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size) return __real_memscan(p, c, size); } -__FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size) +__FORTIFY_INLINE __diagnose_as(__builtin_memcmp, 1, 2, 3) +int memcmp(const void * BOS0 p, const void * BOS0 q, __kernel_size_t size) { size_t p_size = __builtin_object_size(p, 0); size_t q_size = __builtin_object_size(q, 0); @@ -381,7 +398,8 @@ __FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size) return __underlying_memcmp(p, q, size); } -__FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size) +__FORTIFY_INLINE __diagnose_as(__builtin_memchr, 1, 2, 3) +void *memchr(const void * BOS0 p, int c, __kernel_size_t size) { size_t p_size = __builtin_object_size(p, 0); @@ -393,7 +411,7 @@ __FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size) } void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv); -__FORTIFY_INLINE void *memchr_inv(const void *p, int c, size_t size) +__FORTIFY_INLINE void *memchr_inv(const void * BOS0 p, int c, size_t size) { size_t p_size = __builtin_object_size(p, 0); @@ -405,7 +423,7 @@ __FORTIFY_INLINE void *memchr_inv(const void *p, int c, size_t size) } extern void *__real_kmemdup(const void *src, size_t len, gfp_t gfp) __RENAME(kmemdup); -__FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp) +__FORTIFY_INLINE void *kmemdup(const void * BOS0 p, size_t size, gfp_t gfp) { size_t p_size = __builtin_object_size(p, 0); @@ -417,7 +435,8 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp) } /* Defined after fortified strlen to reuse it. */ -__FORTIFY_INLINE char *strcpy(char *p, const char *q) +__FORTIFY_INLINE __diagnose_as(__builtin_strcpy, 1, 2) +char *strcpy(char * BOS p, const char * BOS q) { size_t p_size = __builtin_object_size(p, 1); size_t q_size = __builtin_object_size(q, 1); @@ -446,4 +465,7 @@ __FORTIFY_INLINE char *strcpy(char *p, const char *q) #undef __underlying_strncat #undef __underlying_strncpy +#undef BOS0 +#undef BOS + #endif /* _LINUX_FORTIFY_STRING_H_ */ diff --git a/security/Kconfig b/security/Kconfig index 0b847f435beb..1a25a567965f 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -179,7 +179,7 @@ config FORTIFY_SOURCE depends on ARCH_HAS_FORTIFY_SOURCE # https://bugs.llvm.org/show_bug.cgi?id=50322 # https://bugs.llvm.org/show_bug.cgi?id=41459 - depends on !CC_IS_CLANG + depends on !CC_IS_CLANG || CLANG_VERSION >= 130000 help Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes.