From patchwork Thu Feb 3 17:33:04 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12734438
From: Kees Cook
To: Kees Cook
Cc: Miguel Ojeda, Nick Desaulniers, Nathan Chancellor, llvm@lists.linux.dev, George Burgess IV, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v6 1/4] Compiler Attributes: Add __pass_object_size for Clang
Date: Thu, 3 Feb 2022 09:33:04 -0800
Message-Id: <20220203173307.1033257-2-keescook@chromium.org>
In-Reply-To: <20220203173307.1033257-1-keescook@chromium.org>
References: <20220203173307.1033257-1-keescook@chromium.org>

In order to gain greater visibility to type information when using __builtin_object_size(), Clang has a function attribute "pass_object_size" that will make size information available for marked arguments in a function by way of implicit additional function arguments that are then wired up the __builtin_object_size().

This is needed to implement FORTIFY_SOURCE in Clang, as a workaround to Clang's __builtin_object_size() having limited visibility[1] into types across function calls (even inlines).

Since any usage must also be const, include it in the macro.

This attribute has an additional benefit that it can be used even on non-inline functions to gain argument size information.

[1] https://github.com/llvm/llvm-project/issues/53516

Cc: Miguel Ojeda
Cc: Nick Desaulniers
Cc: Nathan Chancellor
Cc: llvm@lists.linux.dev
Signed-off-by: Kees Cook
---
 include/linux/compiler_attributes.h | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h index 37e260020221..4ce370094e3a 100644 --- a/include/linux/compiler_attributes.h +++ b/include/linux/compiler_attributes.h 
@@ -263,6 +263,20 @@ */ #define __packed __attribute__((__packed__)) +/* + * Note: the "type" argument should match any __builtin_object_size(p, type) usage. + * + * Optional: not supported by gcc. + * Optional: not supported by icc. + * + * clang: https://clang.llvm.org/docs/AttributeReference.html#pass-object-size-pass-dynamic-object-size + */ +#if __has_attribute(__pass_object_size__) +# define __pass_object_size(type) const __attribute__((__pass_object_size__(type))) +#else +# define __pass_object_size(type) +#endif + /* * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-pure-function-attribute */
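
Review bot: In the include/linux/compiler_attributes.h hunk of patch 1/4, the Clang branch of `__pass_object_size(type)` expands to `const __attribute__((__pass_object_size__(type)))` while the `#else` branch expands to nothing, so a marked parameter is const only when built with Clang. A function body that assigns to such a parameter would build with gcc and fail with Clang. Consider making the fallback expand to `const` as well, or at least stating in the comment block that the macro carries the const qualifier; the comment currently only mentions matching the "type" argument.
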
From: Kees Cook
To: Kees Cook
Cc: Miguel Ojeda, Nick Desaulniers, Nathan Chancellor, llvm@lists.linux.dev, George Burgess IV, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v6 2/4] Compiler Attributes: Add __overloadable for Clang
Date: Thu, 3 Feb 2022 09:33:05 -0800
Message-Id: <20220203173307.1033257-3-keescook@chromium.org>
In-Reply-To: <20220203173307.1033257-1-keescook@chromium.org>
References: <20220203173307.1033257-1-keescook@chromium.org>

In order for FORTIFY_SOURCE to use __pass_object_size on an "inline extern" function, as all the fortified string functions are, the functions must be marked as being overloadable (i.e. different prototypes). This allows the __pass_object_size versions to take precedence.

Cc: Miguel Ojeda
Cc: Nick Desaulniers
Cc: Nathan Chancellor
Cc: llvm@lists.linux.dev
Signed-off-by: Kees Cook
Reviewed-by: Nick Desaulniers
---
 include/linux/compiler_attributes.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h index 4ce370094e3a..dc3bf2a6e1c9 100644 --- a/include/linux/compiler_attributes.h +++ b/include/linux/compiler_attributes.h 
@@ -257,6 +257,18 @@ */ #define __noreturn __attribute__((__noreturn__)) +/* + * Optional: not supported by gcc. + * Optional: not supported by icc. + * + * clang: https://clang.llvm.org/docs/AttributeReference.html#overloadable + */ +#if __has_attribute(__overloadable__) +# define __overloadable __attribute__((__overloadable__)) +#else +# define __overloadable +#endif + /* * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Type-Attributes.html#index-packed-type-attribute * clang: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-packed-variable-attribute
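
Review bot: The comment added above `__overloadable` in patch 2/4 gives only the compiler support lines and the Clang link, with nothing on why kernel C code would want the attribute. Since the `#else` branch defines it to nothing, any declaration that relies on two prototypes for one name only works under Clang; a sentence saying it is meant to accompany `__pass_object_size` on the FORTIFY_SOURCE inlines, as the commit message explains, would keep it from being picked up elsewhere.
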
From: Kees Cook
To: Kees Cook
Cc: Miguel Ojeda, Nick Desaulniers, Nathan Chancellor, llvm@lists.linux.dev, George Burgess IV, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v6 3/4] Compiler Attributes: Add __diagnose_as for Clang
Date: Thu, 3 Feb 2022 09:33:06 -0800
Message-Id: <20220203173307.1033257-4-keescook@chromium.org>
In-Reply-To: <20220203173307.1033257-1-keescook@chromium.org>
References: <20220203173307.1033257-1-keescook@chromium.org>

Clang will perform various compile-time diagnostics on uses of various functions (e.g. simple bounds-checking on strcpy(), etc). These diagnostics can be assigned to other functions (for example, new implementations of the string functions under CONFIG_FORTIFY_SOURCE) using the "diagnose_as_builtin" attribute. This allows those functions to retain their compile-time diagnostic warnings.

Cc: Miguel Ojeda
Cc: Nick Desaulniers
Cc: Nathan Chancellor
Cc: llvm@lists.linux.dev
Signed-off-by: Kees Cook
Reviewed-by: Nick Desaulniers
---
 include/linux/compiler_attributes.h | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h index dc3bf2a6e1c9..df9c7e5e8818 100644 --- a/include/linux/compiler_attributes.h +++ b/include/linux/compiler_attributes.h 
@@ -100,6 +100,19 @@ # define __copy(symbol) #endif +/* + * Optional: not supported by gcc + * Optional: only supported since clang >= 14.0 + * Optional: not supported by icc + * + * clang: https://clang.llvm.org/docs/AttributeReference.html#diagnose_as_builtin + */ +#if __has_attribute(__diagnose_as_builtin__) +# define __diagnose_as(builtin...) __attribute__((__diagnose_as_builtin__(builtin))) +#else +# define __diagnose_as(builtin...) +#endif + /* * Don't. Just don't. See commit 771c035372a0 ("deprecate the '__deprecated' * attribute warnings entirely and for good") for more information.
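
Review bot: The comment above `__diagnose_as` in patch 3/4 does not say what the variadic `builtin...` argument must contain; going by the use in patch 4/4, `__diagnose_as(__builtin_strncpy, 1, 2, 3)`, it is the builtin's name followed by argument positions, which is worth one line here. Two style points in the same comment: the `Optional:` lines drop the trailing period that the comments added in patches 1/4 and 2/4 use, and "only supported since clang >= 14.0" states the bound twice ("since" and ">=").
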
From: Kees Cook
To: Kees Cook
Cc: Miguel Ojeda, Nick Desaulniers, Nathan Chancellor, George Burgess IV, llvm@lists.linux.dev, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v6 4/4] fortify: Add Clang support
Date: Thu, 3 Feb 2022 09:33:07 -0800
Message-Id: <20220203173307.1033257-5-keescook@chromium.org>
In-Reply-To: <20220203173307.1033257-1-keescook@chromium.org>
References: <20220203173307.1033257-1-keescook@chromium.org>

Enable FORTIFY_SOURCE support for Clang:

Use the new __pass_object_size and __overloadable attributes so that Clang will have appropriate visibility into argument sizes such that __builtin_object_size(p, 1) will behave correctly. Additional details here:
    https://github.com/llvm/llvm-project/issues/53516
    https://github.com/ClangBuiltLinux/linux/issues/1401

When available, use the new __diagnose_as attribute to make sure no compile-time diagnostic warnings are lost due to the effectively renamed string functions.

Redefine strlen() as a macro that tests for being a constant expression so that strlen() can still be used in static initializers, which was lost when adding __pass_object_size and __overloadable.

Finally, a bug with __builtin_constant_p() of globally defined variables was fixed in Clang 13 (and backported to 12.0.1), so FORTIFY support must depend on that version or later. Additional details here:
    https://bugs.llvm.org/show_bug.cgi?id=41459
    commit a52f8a59aef4 ("fortify: Explicitly disable Clang support")

Cc: Miguel Ojeda
Cc: Nick Desaulniers
Cc: Nathan Chancellor
Cc: George Burgess IV
Cc: llvm@lists.linux.dev
Signed-off-by: Kees Cook
---
 include/linux/fortify-string.h | 58 +++++++++++++++++++++++++---------
 security/Kconfig               |  3 +-
 2 files changed, 44 insertions(+), 17 deletions(-)

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index c45159dbdaa1..2ffe4f2f79eb 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -2,7 +2,9 @@ #ifndef _LINUX_FORTIFY_STRING_H_ #define _LINUX_FORTIFY_STRING_H_ -#define __FORTIFY_INLINE extern __always_inline __attribute__((gnu_inline)) +#include + +#define __FORTIFY_INLINE extern __always_inline __attribute__((gnu_inline)) __overloadable #define __RENAME(x) __asm__(#x) void fortify_panic(const char *name) __noreturn __cold; 
@@ -50,7 +52,17 @@ extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) #define __underlying_strncpy __builtin_strncpy #endif -__FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size) +/* + * Clang's use of __builtin_object_size() within inlines needs hinting via + * __pass_object_size(). The preference is to only ever use type 1 (member + * size, rather than struct size), but there remain some stragglers using + * type 0 that will be converted in the future. + */ +#define POS __pass_object_size(1) +#define POS0 __pass_object_size(0) + +__FORTIFY_INLINE __diagnose_as(__builtin_strncpy, 1, 2, 3) +char *strncpy(char * POS p, const char *q, __kernel_size_t size) { size_t p_size = __builtin_object_size(p, 1); @@ -61,7 +73,8 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size) return __underlying_strncpy(p, q, size); } -__FORTIFY_INLINE char *strcat(char *p, const char *q) +__FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2) +char *strcat(char * POS p, const char *q) { size_t p_size = __builtin_object_size(p, 1); @@ -73,7 +86,7 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q) } extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen); -__FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen) +__FORTIFY_INLINE __kernel_size_t strnlen(const char * POS p, __kernel_size_t maxlen) { size_t p_size = __builtin_object_size(p, 1); size_t p_len = __compiletime_strlen(p); 
@@ -93,8 +106,16 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen) return ret; } -/* defined after fortified strnlen to reuse it. */ -__FORTIFY_INLINE __kernel_size_t strlen(const char *p) +/* + * Defined after fortified strnlen to reuse it. However, it must still be + * possible for strlen() to be used on compile-time strings for use in + * static initializers (i.e. as a constant expression). + */ +#define strlen(p) \ + __builtin_choose_expr(__is_constexpr(__builtin_strlen(p)), \ + __builtin_strlen(p), __fortify_strlen(p)) +__FORTIFY_INLINE __diagnose_as(__builtin_strlen, 1) +__kernel_size_t __fortify_strlen(const char * POS p) { __kernel_size_t ret; size_t p_size = __builtin_object_size(p, 1); @@ -110,7 +131,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p) /* defined after fortified strlen to reuse it */ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy); -__FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) +__FORTIFY_INLINE size_t strlcpy(char * POS p, const char * POS q, size_t size) { size_t p_size = __builtin_object_size(p, 1); size_t q_size = __builtin_object_size(q, 1); @@ -137,7 +158,7 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) /* defined after fortified strnlen to reuse it */ extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(strscpy); -__FORTIFY_INLINE ssize_t strscpy(char *p, const char *q, size_t size) +__FORTIFY_INLINE ssize_t strscpy(char * POS p, const char * POS q, size_t size) { size_t len; /* Use string size rather than possible enclosing struct size. */ 
@@ -183,7 +204,8 @@ __FORTIFY_INLINE ssize_t strscpy(char *p, const char *q, size_t size) } /* defined after fortified strlen and strnlen to reuse them */ -__FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count) +__FORTIFY_INLINE __diagnose_as(__builtin_strncat, 1, 2, 3) +char *strncat(char * POS p, const char * POS q, __kernel_size_t count) { size_t p_len, copy_len; size_t p_size = __builtin_object_size(p, 1); @@ -354,7 +376,7 @@ __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size, memmove) extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan); -__FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size) +__FORTIFY_INLINE void *memscan(void * POS0 p, int c, __kernel_size_t size) { size_t p_size = __builtin_object_size(p, 0); @@ -365,7 +387,8 @@ __FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size) return __real_memscan(p, c, size); } -__FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size) +__FORTIFY_INLINE __diagnose_as(__builtin_memcmp, 1, 2, 3) +int memcmp(const void * POS0 p, const void * POS0 q, __kernel_size_t size) { size_t p_size = __builtin_object_size(p, 0); size_t q_size = __builtin_object_size(q, 0); @@ -381,7 +404,8 @@ __FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size) return __underlying_memcmp(p, q, size); } -__FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size) +__FORTIFY_INLINE __diagnose_as(__builtin_memchr, 1, 2, 3) +void *memchr(const void * POS0 p, int c, __kernel_size_t size) { size_t p_size = __builtin_object_size(p, 0); @@ -393,7 +417,7 @@ __FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size) } void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv); -__FORTIFY_INLINE void *memchr_inv(const void *p, int c, size_t size) +__FORTIFY_INLINE void *memchr_inv(const void * POS0 p, int c, size_t size) { size_t p_size = __builtin_object_size(p, 0); 
@@ -405,7 +429,7 @@ __FORTIFY_INLINE void *memchr_inv(const void *p, int c, size_t size) } extern void *__real_kmemdup(const void *src, size_t len, gfp_t gfp) __RENAME(kmemdup); -__FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp) +__FORTIFY_INLINE void *kmemdup(const void * POS0 p, size_t size, gfp_t gfp) { size_t p_size = __builtin_object_size(p, 0); @@ -417,7 +441,8 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp) } /* Defined after fortified strlen to reuse it. */ -__FORTIFY_INLINE char *strcpy(char *p, const char *q) +__FORTIFY_INLINE __diagnose_as(__builtin_strcpy, 1, 2) +char *strcpy(char * POS p, const char * POS q) { size_t p_size = __builtin_object_size(p, 1); size_t q_size = __builtin_object_size(q, 1); @@ -446,4 +471,7 @@ __FORTIFY_INLINE char *strcpy(char *p, const char *q) #undef __underlying_strncat #undef __underlying_strncpy +#undef POS0 +#undef POS + #endif /* _LINUX_FORTIFY_STRING_H_ */ diff --git a/security/Kconfig b/security/Kconfig index 0b847f435beb..c125026ed088 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -177,9 +177,8 @@ config HARDENED_USERCOPY_PAGESPAN config FORTIFY_SOURCE bool "Harden common str/mem functions against buffer overflows" depends on ARCH_HAS_FORTIFY_SOURCE - # https://bugs.llvm.org/show_bug.cgi?id=50322 # https://bugs.llvm.org/show_bug.cgi?id=41459 - depends on !CC_IS_CLANG + depends on !CC_IS_CLANG || CLANG_VERSION >= 120001 help Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes.
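
Review bot: In the fortify-string.h hunk of patch 4/4 that turns strlen() into a macro, `p` appears three times in the expansion: `__is_constexpr(__builtin_strlen(p))`, `__builtin_strlen(p)` and `__fortify_strlen(p)`. __builtin_choose_expr() evaluates only the branch it selects, so an argument with side effects is still evaluated once provided __is_constexpr() does not evaluate its operand, but the new comment only covers the static-initializer case; please state the single-evaluation property there. As a function-like macro it also rewrites every `strlen(` call site, including a call through a struct member of that name, which deserves a mention in the commit log.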
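
Review bot: `POS` and `POS0`, introduced in the strncpy hunk of patch 4/4, are very short names for macros defined in a shared string header. The `#undef POS0` and `#undef POS` at the end of the file limit the leak, but they also remove any `POS` that a file had defined before including this header, and the `#define` would collide with it first. A prefixed name (for example `__FORTIFY_POS` and `__FORTIFY_POS0`) would avoid both problems.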
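
Review bot: The security/Kconfig hunk of patch 4/4 drops the `# https://bugs.llvm.org/show_bug.cgi?id=50322` comment line together with the unconditional `!CC_IS_CLANG` restriction, but the commit message only explains the resolution of bug 41459 (fixed in Clang 13, backported to 12.0.1). Please say in the commit log why 50322 no longer blocks FORTIFY_SOURCE, or keep the reference. The `CLANG_VERSION >= 120001` bound itself matches the 12.0.1 backport described in the message.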