From: Kees Cook
To: Kees Cook
Cc: Miguel Ojeda, Nick Desaulniers, Nathan Chancellor, George Burgess IV, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH v7 1/8] fortify: Replace open-coded __gnu_inline attribute
Date: Tue, 8 Feb 2022 14:53:43 -0800
Message-Id: <20220208225350.1331628-2-keescook@chromium.org>
In-Reply-To: <20220208225350.1331628-1-keescook@chromium.org>

Replace open-coded gnu_inline attribute with the normal kernel
convention for attributes: __gnu_inline

Signed-off-by: Kees Cook
Reviewed-by: Nick Desaulniers
--- include/linux/fortify-string.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index 53123712bb3b..439aad24ab3b 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h 
@@ -2,7 +2,7 @@ #ifndef _LINUX_FORTIFY_STRING_H_ #define _LINUX_FORTIFY_STRING_H_ =20 -#define __FORTIFY_INLINE extern __always_inline __attribute__((gnu_inline)) +#define __FORTIFY_INLINE extern __always_inline __gnu_inline #define __RENAME(x) __asm__(#x) =20 void fortify_panic(const char *name) __noreturn __cold;

From: Kees Cook
To: Kees Cook
Cc: Nick Desaulniers, Nathan Chancellor, llvm@lists.linux.dev, Miguel Ojeda, George Burgess IV, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v7 2/8] Compiler Attributes: Add __pass_object_size for Clang
Date: Tue, 8 Feb 2022 14:53:44 -0800
Message-Id: <20220208225350.1331628-3-keescook@chromium.org>
In-Reply-To: <20220208225350.1331628-1-keescook@chromium.org>

In order to gain greater visibility to type information when using
__builtin_object_size(), Clang has a function attribute
"pass_object_size" that will make size information available for marked
arguments in a function by way of implicit additional function arguments
that are then wired up the __builtin_object_size().

This is needed to implement FORTIFY_SOURCE in Clang, as a workaround to
Clang's __builtin_object_size() having limited visibility[1] into types
across function calls (even inlines).

This attribute has an additional benefit that it can be used even on
non-inline functions to gain argument size information.

[1] https://github.com/llvm/llvm-project/issues/53516

Cc: Nick Desaulniers
Cc: Nathan Chancellor
Cc: llvm@lists.linux.dev
Reviewed-by: Miguel Ojeda
Signed-off-by: Kees Cook
Reviewed-by: Nick Desaulniers
--- include/linux/compiler_attributes.h | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_a= ttributes.h index 37e260020221..d0c503772061 100644 --- a/include/linux/compiler_attributes.h +++ b/include/linux/compiler_attributes.h 
@@ -263,6 +263,20 @@ */ #define __packed __attribute__((__packed__)) =20 +/* + * Note: the "type" argument should match any __builtin_object_size(p, typ= e) usage. + * + * Optional: not supported by gcc. + * Optional: not supported by icc. + * + * clang: https://clang.llvm.org/docs/AttributeReference.html#pass-object-= size-pass-dynamic-object-size + */ +#if __has_attribute(__pass_object_size__) +# define __pass_object_size(type) __attribute__((__pass_object_size__(type= ))) +#else +# define __pass_object_size(type) +#endif + /* * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.ht= ml#index-pure-function-attribute */
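
Review bot: the comment block added above __pass_object_size(type) in 2/8 documents the "type" argument but not the constraint on the annotated parameter itself. Patch 5/8 of this series says the attribute requires the pointer argument to be const, so a line such as "the marked pointer parameter must be const-qualified" belongs in this comment. Because the #else branch expands the macro to nothing, gcc and icc builds will not flag a non-const use; only a Clang build will, which makes the requirement easy to miss without the note.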

From: Kees Cook
To: Kees Cook
Cc: Nathan Chancellor, llvm@lists.linux.dev, Miguel Ojeda, Nick Desaulniers, George Burgess IV, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v7 3/8] Compiler Attributes: Add __overloadable for Clang
Date: Tue, 8 Feb 2022 14:53:45 -0800
Message-Id: <20220208225350.1331628-4-keescook@chromium.org>
In-Reply-To: <20220208225350.1331628-1-keescook@chromium.org>

In order for FORTIFY_SOURCE to use __pass_object_size on an "extern
inline" function, as all the fortified string functions are, the
functions must be marked as being overloadable (i.e. different
prototypes due to the implicitly injected object size arguments). This
allows the __pass_object_size versions to take precedence.

Cc: Nathan Chancellor
Cc: llvm@lists.linux.dev
Reviewed-by: Miguel Ojeda
Reviewed-by: Nick Desaulniers
Signed-off-by: Kees Cook
--- include/linux/compiler_attributes.h | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_a= ttributes.h index d0c503772061..dcaf55f5d1ae 100644 --- a/include/linux/compiler_attributes.h +++ b/include/linux/compiler_attributes.h 
@@ -257,6 +257,18 @@ */ #define __noreturn __attribute__((__noreturn__)) =20 +/* + * Optional: not supported by gcc. + * Optional: not supported by icc. + * + * clang: https://clang.llvm.org/docs/AttributeReference.html#overloadable + */ +#if __has_attribute(__overloadable__) +# define __overloadable __attribute__((__overloadable__)) +#else +# define __overloadable +#endif + /* * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Type-Attributes.html#i= ndex-packed-type-attribute * clang: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.ht= ml#index-packed-variable-attribute
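
Review bot: the new __overloadable comment block in 3/8 lists compiler support and a link but gives no hint of the intended use. The commit message has the reason (it is what lets __pass_object_size be applied to the "extern inline" fortified string functions); one line saying so in the comment would discourage treating it as general-purpose C overloading. That matters because the #else branch makes the macro empty on gcc and icc, so any code that declares two differently-typed prototypes under __overloadable would build with Clang and break elsewhere.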

From: Kees Cook
To: Kees Cook
Cc: Nathan Chancellor, llvm@lists.linux.dev, Miguel Ojeda, Nick Desaulniers, George Burgess IV, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v7 4/8] Compiler Attributes: Add __diagnose_as for Clang
Date: Tue, 8 Feb 2022 14:53:46 -0800
Message-Id: <20220208225350.1331628-5-keescook@chromium.org>
In-Reply-To: <20220208225350.1331628-1-keescook@chromium.org>

Clang will perform various compile-time diagnostics on uses of various
functions (e.g. simple bounds-checking on strcpy(), etc). These
diagnostics can be assigned to other functions (for example, new
implementations of the string functions under CONFIG_FORTIFY_SOURCE)
using the "diagnose_as_builtin" attribute. This allows those functions
to retain their compile-time diagnostic warnings.

Cc: Nathan Chancellor
Cc: llvm@lists.linux.dev
Reviewed-by: Miguel Ojeda
Reviewed-by: Nick Desaulniers
Signed-off-by: Kees Cook
--- include/linux/compiler_attributes.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_a= ttributes.h index dcaf55f5d1ae..445e80517cab 100644 --- a/include/linux/compiler_attributes.h +++ b/include/linux/compiler_attributes.h 
@@ -100,6 +100,19 @@ # define __copy(symbol) #endif =20 +/* + * Optional: not supported by gcc + * Optional: only supported since clang >=3D 14.0 + * Optional: not supported by icc + * + * clang: https://clang.llvm.org/docs/AttributeReference.html#diagnose_as_= builtin + */ +#if __has_attribute(__diagnose_as_builtin__) +# define __diagnose_as(builtin...) __attribute__((__diagnose_as_builtin__(= builtin))) +#else +# define __diagnose_as(builtin...) +#endif + /* * Don't. Just don't. See commit 771c035372a0 ("deprecate the '__deprecate= d' * attribute warnings entirely and for good") for more information.
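
Review bot: __diagnose_as(builtin...) in 4/8 is declared variadic, but the comment block does not say what the arguments are. A usage line would help: the first argument is the builtin whose diagnostics are borrowed and the rest map its parameters to this function's argument positions, for example __diagnose_as(__builtin_strcpy, 1, 2). Since the #else branch discards all arguments, a wrong mapping is only ever checked on clang >= 14. Style nit: the three "Optional:" lines here have no trailing period, while the matching lines added in 2/8 and 3/8 do.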

From: Kees Cook
To: Kees Cook
Cc: Miguel Ojeda, Nick Desaulniers, Nathan Chancellor, George Burgess IV, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH v7 5/8] fortify: Make pointer arguments const
Date: Tue, 8 Feb 2022 14:53:47 -0800
Message-Id: <20220208225350.1331628-6-keescook@chromium.org>
In-Reply-To: <20220208225350.1331628-1-keescook@chromium.org>

In preparation for using Clang's __pass_object_size attribute, make all the pointer arguments to the fortified string functions const.
Nothing was changing their values anyway, so this added requirement (needed by __pass_object_size) requires no code changes and has no impact on the binary instruction output. Signed-off-by: Kees Cook --- include/linux/fortify-string.h | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index 439aad24ab3b..f874ada4b9af 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -50,7 +50,7 @@ extern char *__underlying_strncpy(char *p, const char *q,= __kernel_size_t size) #define __underlying_strncpy __builtin_strncpy #endif =20 -__FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t siz= e) +__FORTIFY_INLINE char *strncpy(char * const p, const char *q, __kernel_siz= e_t size) { size_t p_size =3D __builtin_object_size(p, 1); =20 @@ -61,7 +61,7 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __= kernel_size_t size) return __underlying_strncpy(p, q, size); } =20 -__FORTIFY_INLINE char *strcat(char *p, const char *q) +__FORTIFY_INLINE char *strcat(char * const p, const char *q) { size_t p_size =3D __builtin_object_size(p, 1); =20 @@ -73,7 +73,7 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q) } =20 extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __REN= AME(strnlen); -__FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t ma= xlen) +__FORTIFY_INLINE __kernel_size_t strnlen(const char * const p, __kernel_si= ze_t maxlen) { size_t p_size =3D __builtin_object_size(p, 1); size_t p_len =3D __compiletime_strlen(p); @@ -94,7 +94,7 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, _= _kernel_size_t maxlen) } =20 /* defined after fortified strnlen to reuse it. */ -__FORTIFY_INLINE __kernel_size_t strlen(const char *p) +__FORTIFY_INLINE __kernel_size_t strlen(const char * const p) { __kernel_size_t ret; size_t p_size =3D __builtin_object_size(p, 1); 
@@ -110,7 +110,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p) =20 /* defined after fortified strlen to reuse it */ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcp= y); -__FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) +__FORTIFY_INLINE size_t strlcpy(char * const p, const char * const q, size= _t size) { size_t p_size =3D __builtin_object_size(p, 1); size_t q_size =3D __builtin_object_size(q, 1); @@ -137,7 +137,7 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q,= size_t size) =20 /* defined after fortified strnlen to reuse it */ extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(strsc= py); -__FORTIFY_INLINE ssize_t strscpy(char *p, const char *q, size_t size) +__FORTIFY_INLINE ssize_t strscpy(char * const p, const char * const q, siz= e_t size) { size_t len; /* Use string size rather than possible enclosing struct size. */ @@ -183,7 +183,7 @@ __FORTIFY_INLINE ssize_t strscpy(char *p, const char *q= , size_t size) } =20 /* defined after fortified strlen and strnlen to reuse them */ -__FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t cou= nt) +__FORTIFY_INLINE char *strncat(char * const p, const char * const q, __ker= nel_size_t count) { size_t p_len, copy_len; size_t p_size =3D __builtin_object_size(p, 1); @@ -354,7 +354,7 @@ __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_= t size, memmove) =20 extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan= ); -__FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size) +__FORTIFY_INLINE void *memscan(void * const p, int c, __kernel_size_t size) { size_t p_size =3D __builtin_object_size(p, 0); =20 
@@ -365,7 +365,7 @@ __FORTIFY_INLINE void *memscan(void *p, int c, __kernel= _size_t size) return __real_memscan(p, c, size); } =20 -__FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t = size) +__FORTIFY_INLINE int memcmp(const void * const p, const void * const q, __= kernel_size_t size) { size_t p_size =3D __builtin_object_size(p, 0); size_t q_size =3D __builtin_object_size(q, 0); @@ -381,7 +381,7 @@ __FORTIFY_INLINE int memcmp(const void *p, const void *= q, __kernel_size_t size) return __underlying_memcmp(p, q, size); } =20 -__FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size) +__FORTIFY_INLINE void *memchr(const void * const p, int c, __kernel_size_t= size) { size_t p_size =3D __builtin_object_size(p, 0); =20 @@ -393,7 +393,7 @@ __FORTIFY_INLINE void *memchr(const void *p, int c, __k= ernel_size_t size) } =20 void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_in= v); -__FORTIFY_INLINE void *memchr_inv(const void *p, int c, size_t size) +__FORTIFY_INLINE void *memchr_inv(const void * const p, int c, size_t size) { size_t p_size =3D __builtin_object_size(p, 0); =20 @@ -405,7 +405,7 @@ __FORTIFY_INLINE void *memchr_inv(const void *p, int c,= size_t size) } =20 extern void *__real_kmemdup(const void *src, size_t len, gfp_t gfp) __RENA= ME(kmemdup); -__FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp) +__FORTIFY_INLINE void *kmemdup(const void * const p, size_t size, gfp_t gf= p) { size_t p_size =3D __builtin_object_size(p, 0); =20 
@@ -417,7 +417,7 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t si= ze, gfp_t gfp) } =20 /* Defined after fortified strlen to reuse it. */ -__FORTIFY_INLINE char *strcpy(char *p, const char *q) +__FORTIFY_INLINE char *strcpy(char * const p, const char * const q) { size_t p_size =3D __builtin_object_size(p, 1); size_t q_size =3D __builtin_object_size(q, 1); --=20 2.30.2
From nobody Sun Jun 28 10:41:55 2026
From: Kees Cook
To: Kees Cook
Cc: Miguel Ojeda, Nick Desaulniers, Nathan Chancellor, George Burgess IV, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH v7 6/8] fortify: Use __diagnose_as() for better diagnostic coverage
Date: Tue, 8 Feb 2022 14:53:48 -0800
Message-Id: <20220208225350.1331628-7-keescook@chromium.org>
In-Reply-To: <20220208225350.1331628-1-keescook@chromium.org>
References: <20220208225350.1331628-1-keescook@chromium.org>

In preparation for using Clang's __pass_object_size, add __diagnose_as() attributes to mark the functions as being the same as the indicated builtins.
When __diagnose_as() is available, Clang will have a more complete ability to apply its own diagnostic analysis to callers of these functions, as if they were the builtins themselves. Without __diagnose_as, Clang's compile time diagnostic messages won't be as precise as they could be, but at least users of older toolchains will still benefit from having fortified routines.

Signed-off-by: Kees Cook
--- include/linux/fortify-string.h | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index f874ada4b9af..db1ad1c1c79a 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -50,7 +50,8 @@ extern char *__underlying_strncpy(char *p, const char *q,= __kernel_size_t size) #define __underlying_strncpy __builtin_strncpy #endif =20 -__FORTIFY_INLINE char *strncpy(char * const p, const char *q, __kernel_siz= e_t size) +__FORTIFY_INLINE __diagnose_as(__builtin_strncpy, 1, 2, 3) +char *strncpy(char * const p, const char *q, __kernel_size_t size) { size_t p_size =3D __builtin_object_size(p, 1); =20 @@ -61,7 +62,8 @@ __FORTIFY_INLINE char *strncpy(char * const p, const char= *q, __kernel_size_t si return __underlying_strncpy(p, q, size); } =20 -__FORTIFY_INLINE char *strcat(char * const p, const char *q) +__FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2) +char *strcat(char * const p, const char *q) { size_t p_size =3D __builtin_object_size(p, 1); =20 @@ -94,7 +96,8 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char * con= st p, __kernel_size_t m } =20 /* defined after fortified strnlen to reuse it. */ -__FORTIFY_INLINE __kernel_size_t strlen(const char * const p) +__FORTIFY_INLINE __diagnose_as(__builtin_strlen, 1) +__kernel_size_t strlen(const char * const p) { __kernel_size_t ret; size_t p_size =3D __builtin_object_size(p, 1); 
@@ -183,7 +186,8 @@ __FORTIFY_INLINE ssize_t strscpy(char * const p, const = char * const q, size_t si } =20 /* defined after fortified strlen and strnlen to reuse them */ -__FORTIFY_INLINE char *strncat(char * const p, const char * const q, __ker= nel_size_t count) +__FORTIFY_INLINE __diagnose_as(__builtin_strncat, 1, 2, 3) +char *strncat(char * const p, const char * const q, __kernel_size_t count) { size_t p_len, copy_len; size_t p_size =3D __builtin_object_size(p, 1); @@ -365,7 +369,8 @@ __FORTIFY_INLINE void *memscan(void * const p, int c, _= _kernel_size_t size) return __real_memscan(p, c, size); } =20 -__FORTIFY_INLINE int memcmp(const void * const p, const void * const q, __= kernel_size_t size) +__FORTIFY_INLINE __diagnose_as(__builtin_memcmp, 1, 2, 3) +int memcmp(const void * const p, const void * const q, __kernel_size_t siz= e) { size_t p_size =3D __builtin_object_size(p, 0); size_t q_size =3D __builtin_object_size(q, 0); @@ -381,7 +386,8 @@ __FORTIFY_INLINE int memcmp(const void * const p, const= void * const q, __kernel return __underlying_memcmp(p, q, size); } =20 -__FORTIFY_INLINE void *memchr(const void * const p, int c, __kernel_size_t= size) +__FORTIFY_INLINE __diagnose_as(__builtin_memchr, 1, 2, 3) +void *memchr(const void * const p, int c, __kernel_size_t size) { size_t p_size =3D __builtin_object_size(p, 0); =20 
@@ -417,7 +423,8 @@ __FORTIFY_INLINE void *kmemdup(const void * const p, si= ze_t size, gfp_t gfp) } =20 /* Defined after fortified strlen to reuse it. */ -__FORTIFY_INLINE char *strcpy(char * const p, const char * const q) +__FORTIFY_INLINE __diagnose_as(__builtin_strcpy, 1, 2) +char *strcpy(char * const p, const char * const q) { size_t p_size =3D __builtin_object_size(p, 1); size_t q_size =3D __builtin_object_size(q, 1); --=20 2.30.2
From nobody Sun Jun 28 10:41:55 2026
From: Kees Cook
To: Kees Cook
Cc: Miguel Ojeda, Nick Desaulniers, Nathan Chancellor, George Burgess IV, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH v7 7/8] fortify: Make sure strlen() may still be used as a constant expression
Date: Tue, 8 Feb 2022 14:53:49 -0800
Message-Id: <20220208225350.1331628-8-keescook@chromium.org>
In-Reply-To: <20220208225350.1331628-1-keescook@chromium.org>
References: <20220208225350.1331628-1-keescook@chromium.org>

In preparation for enabling Clang FORTIFY_SOURCE support, redefine strlen() as a macro that tests for being a constant expression so that strlen() can still be used in static initializers, which is lost when adding
__pass_object_size and __overloadable.

An example of this usage can be seen here:
    https://lore.kernel.org/all/202201252321.dRmWZ8wW-lkp@intel.com/

Notably, this constant expression feature of strlen() is not available for architectures that build with -ffreestanding. This means the kernel currently does not universally expect strlen() to be used this way, but since there _are_ some build configurations that depend on it, retain the characteristic for Clang FORTIFY_SOURCE builds too.

Signed-off-by: Kees Cook
--- include/linux/fortify-string.h | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index db1ad1c1c79a..f77cf22e2d60 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -2,6 +2,8 @@ #ifndef _LINUX_FORTIFY_STRING_H_ #define _LINUX_FORTIFY_STRING_H_ =20 +#include + #define __FORTIFY_INLINE extern __always_inline __gnu_inline #define __RENAME(x) __asm__(#x) =20 
@@ -95,9 +97,16 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char * co= nst p, __kernel_size_t m return ret; } =20 -/* defined after fortified strnlen to reuse it. */ +/* + * Defined after fortified strnlen to reuse it. However, it must still be + * possible for strlen() to be used on compile-time strings for use in + * static initializers (i.e. as a constant expression). + */ +#define strlen(p) \ + __builtin_choose_expr(__is_constexpr(__builtin_strlen(p)), \ + __builtin_strlen(p), __fortify_strlen(p)) __FORTIFY_INLINE __diagnose_as(__builtin_strlen, 1) -__kernel_size_t strlen(const char * const p) +__kernel_size_t __fortify_strlen(const char * const p) { __kernel_size_t ret; size_t p_size =3D __builtin_object_size(p, 1); --=20 2.30.2
From nobody Sun Jun 28 10:41:55 2026
From: Kees Cook
To: Kees Cook
Cc: Miguel Ojeda, Nick Desaulniers, Nathan Chancellor, George Burgess IV, llvm@lists.linux.dev, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v7 8/8] fortify: Add Clang support
Date: Tue, 8 Feb 2022 14:53:50 -0800
Message-Id: <20220208225350.1331628-9-keescook@chromium.org>
In-Reply-To: <20220208225350.1331628-1-keescook@chromium.org>
References: <20220208225350.1331628-1-keescook@chromium.org>

Enable FORTIFY_SOURCE support for Clang:

Use the new __pass_object_size and __overloadable attributes so that Clang will have appropriate visibility into argument sizes such that __builtin_object_size(p, 1) will behave correctly.
Additional details available here:
    https://github.com/llvm/llvm-project/issues/53516
    https://github.com/ClangBuiltLinux/linux/issues/1401

A bug with __builtin_constant_p() of globally defined variables was fixed in Clang 13 (and backported to 12.0.1), so FORTIFY support must depend on that version or later. Additional details here:
    https://bugs.llvm.org/show_bug.cgi?id=41459
    commit a52f8a59aef4 ("fortify: Explicitly disable Clang support")

A bug with Clang's -mregparm=3 and -m32 makes some builtins unusable, so removing -ffreestanding (to gain the needed libcall optimizations with Clang) cannot be done. Without the libcall optimizations, Clang cannot provide appropriate FORTIFY coverage, so it must be disabled for CONFIG_X86_32. Additional details here:
    https://github.com/llvm/llvm-project/issues/53645

Cc: Miguel Ojeda
Cc: Nick Desaulniers
Cc: Nathan Chancellor
Cc: George Burgess IV
Cc: llvm@lists.linux.dev
Signed-off-by: Kees Cook
--- include/linux/fortify-string.h | 40 ++++++++++++++++++++++------------ security/Kconfig | 5 +++-- 2 files changed, 29 insertions(+), 16 deletions(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index f77cf22e2d60..295637a66c46 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -4,7 +4,7 @@ =20 #include =20 -#define __FORTIFY_INLINE extern __always_inline __gnu_inline +#define __FORTIFY_INLINE extern __always_inline __gnu_inline __overloadable #define __RENAME(x) __asm__(#x) =20 void fortify_panic(const char *name) __noreturn __cold; 
@@ -52,8 +52,17 @@ extern char *__underlying_strncpy(char *p, const char *q= , __kernel_size_t size) #define __underlying_strncpy __builtin_strncpy #endif =20 +/* + * Clang's use of __builtin_object_size() within inlines needs hinting via + * __pass_object_size(). The preference is to only ever use type 1 (member + * size, rather than struct size), but there remain some stragglers using + * type 0 that will be converted in the future. + */ +#define POS __pass_object_size(1) +#define POS0 __pass_object_size(0) + __FORTIFY_INLINE __diagnose_as(__builtin_strncpy, 1, 2, 3) -char *strncpy(char * const p, const char *q, __kernel_size_t size) +char *strncpy(char * const POS p, const char *q, __kernel_size_t size) { size_t p_size =3D __builtin_object_size(p, 1); =20 @@ -65,7 +74,7 @@ char *strncpy(char * const p, const char *q, __kernel_siz= e_t size) } =20 __FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2) -char *strcat(char * const p, const char *q) +char *strcat(char * const POS p, const char *q) { size_t p_size =3D __builtin_object_size(p, 1); =20 @@ -77,7 +86,7 @@ char *strcat(char * const p, const char *q) } =20 extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __REN= AME(strnlen); -__FORTIFY_INLINE __kernel_size_t strnlen(const char * const p, __kernel_si= ze_t maxlen) +__FORTIFY_INLINE __kernel_size_t strnlen(const char * const POS p, __kerne= l_size_t maxlen) { size_t p_size =3D __builtin_object_size(p, 1); size_t p_len =3D __compiletime_strlen(p); @@ -106,7 +115,7 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char * c= onst p, __kernel_size_t m __builtin_choose_expr(__is_constexpr(__builtin_strlen(p)), \ __builtin_strlen(p), __fortify_strlen(p)) __FORTIFY_INLINE __diagnose_as(__builtin_strlen, 1) -__kernel_size_t __fortify_strlen(const char * const p) +__kernel_size_t __fortify_strlen(const char * const POS p) { __kernel_size_t ret; size_t p_size =3D __builtin_object_size(p, 1); 
@@ -122,7 +131,7 @@ __kernel_size_t __fortify_strlen(const char * const p) =20 /* defined after fortified strlen to reuse it */ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcp= y); -__FORTIFY_INLINE size_t strlcpy(char * const p, const char * const q, size= _t size) +__FORTIFY_INLINE size_t strlcpy(char * const POS p, const char * const POS= q, size_t size) { size_t p_size =3D __builtin_object_size(p, 1); size_t q_size =3D __builtin_object_size(q, 1); @@ -149,7 +158,7 @@ __FORTIFY_INLINE size_t strlcpy(char * const p, const c= har * const q, size_t siz =20 /* defined after fortified strnlen to reuse it */ extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(strsc= py); -__FORTIFY_INLINE ssize_t strscpy(char * const p, const char * const q, siz= e_t size) +__FORTIFY_INLINE ssize_t strscpy(char * const POS p, const char * const PO= S q, size_t size) { size_t len; /* Use string size rather than possible enclosing struct size. */ @@ -196,7 +205,7 @@ __FORTIFY_INLINE ssize_t strscpy(char * const p, const = char * const q, size_t si =20 /* defined after fortified strlen and strnlen to reuse them */ __FORTIFY_INLINE __diagnose_as(__builtin_strncat, 1, 2, 3) -char *strncat(char * const p, const char * const q, __kernel_size_t count) +char *strncat(char * const POS p, const char * const POS q, __kernel_size_= t count) { size_t p_len, copy_len; size_t p_size =3D __builtin_object_size(p, 1); @@ -367,7 +376,7 @@ __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_= t size, memmove) =20 extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan= ); -__FORTIFY_INLINE void *memscan(void * const p, int c, __kernel_size_t size) +__FORTIFY_INLINE void *memscan(void * const POS0 p, int c, __kernel_size_t= size) { size_t p_size =3D __builtin_object_size(p, 0); =20 
@@ -379,7 +388,7 @@ __FORTIFY_INLINE void *memscan(void * const p, int c, _= _kernel_size_t size) } =20 __FORTIFY_INLINE __diagnose_as(__builtin_memcmp, 1, 2, 3) -int memcmp(const void * const p, const void * const q, __kernel_size_t siz= e) +int memcmp(const void * const POS0 p, const void * const POS0 q, __kernel_= size_t size) { size_t p_size =3D __builtin_object_size(p, 0); size_t q_size =3D __builtin_object_size(q, 0); @@ -396,7 +405,7 @@ int memcmp(const void * const p, const void * const q, = __kernel_size_t size) } =20 __FORTIFY_INLINE __diagnose_as(__builtin_memchr, 1, 2, 3) -void *memchr(const void * const p, int c, __kernel_size_t size) +void *memchr(const void * const POS0 p, int c, __kernel_size_t size) { size_t p_size =3D __builtin_object_size(p, 0); =20 @@ -408,7 +417,7 @@ void *memchr(const void * const p, int c, __kernel_size= _t size) } =20 void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_in= v); -__FORTIFY_INLINE void *memchr_inv(const void * const p, int c, size_t size) +__FORTIFY_INLINE void *memchr_inv(const void * const POS0 p, int c, size_t= size) { size_t p_size =3D __builtin_object_size(p, 0); =20 @@ -420,7 +429,7 @@ __FORTIFY_INLINE void *memchr_inv(const void * const p,= int c, size_t size) } =20 extern void *__real_kmemdup(const void *src, size_t len, gfp_t gfp) __RENA= ME(kmemdup); -__FORTIFY_INLINE void *kmemdup(const void * const p, size_t size, gfp_t gf= p) +__FORTIFY_INLINE void *kmemdup(const void * const POS0 p, size_t size, gfp= _t gfp) { size_t p_size =3D __builtin_object_size(p, 0); =20 @@ -433,7 +442,7 @@ __FORTIFY_INLINE void *kmemdup(const void * const p, si= ze_t size, gfp_t gfp) =20 /* Defined after fortified strlen to reuse it. */ __FORTIFY_INLINE __diagnose_as(__builtin_strcpy, 1, 2) -char *strcpy(char * const p, const char * const q) +char *strcpy(char * const POS p, const char * const POS q) { size_t p_size =3D __builtin_object_size(p, 1); size_t q_size =3D __builtin_object_size(q, 1); 
@@ -462,4 +471,7 @@ char *strcpy(char * const p, const char * const q) #undef __underlying_strncat #undef __underlying_strncpy =20 +#undef POS +#undef POS0 + #endif /* _LINUX_FORTIFY_STRING_H_ */ diff --git a/security/Kconfig b/security/Kconfig index 0b847f435beb..1d2d71cc1f36 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -177,9 +177,10 @@ config HARDENED_USERCOPY_PAGESPAN config FORTIFY_SOURCE bool "Harden common str/mem functions against buffer overflows" depends on ARCH_HAS_FORTIFY_SOURCE - # https://bugs.llvm.org/show_bug.cgi?id=3D50322 # https://bugs.llvm.org/show_bug.cgi?id=3D41459 - depends on !CC_IS_CLANG + depends on !CC_IS_CLANG || CLANG_VERSION >=3D 120001 + # https://github.com/llvm/llvm-project/issues/53645 + depends on !CC_IS_CLANG || !X86_32 help Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes. --=20 2.30.2
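
Review bot: The security/Kconfig hunk of 8/8 drops the comment pointing at https://bugs.llvm.org/show_bug.cgi?id=50322 together with the old "depends on !CC_IS_CLANG", but the changelog only accounts for bug 41459 (fixed in Clang 13, backported to 12.0.1) and the new issue 53645. Please state in the commit message why 50322 no longer blocks Clang builds, or keep that URL next to whichever dependency still covers it, so that the next person to relax these "depends on" lines can tell which compiler bug each one guards against.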
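
Review bot: POS and POS0, added in the hunk at -52,8 +52,17 of 8/8, are very short unprefixed macro names for a header that is included this widely. The #undef pair at the bottom keeps them from leaking, but it also silently removes any POS that a file happened to define before including this header, and a clash inside the header would surface as a confusing redefinition warning. A prefixed spelling (for example __FORTIFY_POS and __FORTIFY_POS0, names suggested here only for illustration) avoids both. It would also help to extend the new comment to say that the type in POS/POS0 on a parameter must match the type passed to __builtin_object_size() in the body: they agree in every function shown here (type 1 for the str* routines, type 0 for memscan, memcmp, memchr, memchr_inv and kmemdup), but nothing enforces the pairing.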
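
Review bot: On the strlen() hunk of 7/8 (-95,9 +97,16), turning strlen into a function-like macro and renaming the inline to __fortify_strlen() means only the call spelling strlen(x) reaches the fortified path. A parenthesized call such as (strlen)(x) is not expanded and goes to the plain external symbol, and any declaration or definition spelled strlen(...) that is seen after this header gets rewritten by the macro. Please note in the new comment block which of these were checked, and mention there that the argument appears three times in the expansion but is evaluated at most once, since a reader auditing callers with side effects in the argument will want that stated next to the #define.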
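
Review bot: In 6/8 the annotation is applied to strncpy, strcat, strlen, strncat, memcmp, memchr and strcpy, while strnlen, strlcpy, strscpy, memscan, memchr_inv and kmemdup, all visible as context in the same hunks, are left without __diagnose_as() and the changelog does not say why. Please state the criterion (presumably that only functions with a matching __builtin_* can be annotated), either in the commit message or as a one-line comment in the header, so that a later reader does not take the unannotated functions for an oversight in diagnostic coverage.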