From nobody Tue Apr  7 05:43:38 2026
Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 84E87C0502A
	for <linux-kernel@archiver.kernel.org>; Tue, 30 Aug 2022 20:53:36 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231211AbiH3Uxd (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Tue, 30 Aug 2022 16:53:33 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59860 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230505AbiH3Ux1 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 30 Aug 2022 16:53:27 -0400
Received: from mail-yw1-x1149.google.com (mail-yw1-x1149.google.com
 [IPv6:2607:f8b0:4864:20::1149])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CEFC58670D
        for <linux-kernel@vger.kernel.org>;
 Tue, 30 Aug 2022 13:53:25 -0700 (PDT)
Received: by mail-yw1-x1149.google.com with SMTP id
 00721157ae682-33daeaa6b8eso186758307b3.7
        for <linux-kernel@vger.kernel.org>;
 Tue, 30 Aug 2022 13:53:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc;
        bh=5v/uULD38sKMsG6PW3WCi/TldG3Gb7FVbu6pkSQhM+o=;
        b=SS9SACvDbzU1NVjQtI+3FiV/qXJ09D57Q7Esfs1fzYpQOLlB2j5MiVHnLWFXtuvZ6X
         93/Y7XkferOLW6SRzUeTtPRFBWVQ+MLa50xEonH/qbWeXV4bzLe+hikag9gSF2r9Gl1e
         Iv2p0V426xzCrX5/d1FjinL8SW3pZ/fQlOYl9p5/NxChz4cpSsbbcPHJIG6xlXQLdPWu
         3lqT1KsAnbiWld23oOo8L0r8LfQ6XSz0zxJXLX/MUu4Q9CslCLg85cA4MtiP0NoXB6+U
         Ql89HJJC5BVg2i7XB8dtWqhX5UU/u2D36CJZeDtvTnfZwQF1YBbQ4/i23h+ndVG0JUZA
         Q+Lg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc;
        bh=5v/uULD38sKMsG6PW3WCi/TldG3Gb7FVbu6pkSQhM+o=;
        b=UkNYfCRTkELAha3psyTQcUtKAMJzL8nIB0pIFP7vr/LjpM9WFXOxrwijjLtns2dkVd
         +hMUf7akMdVuBeTFYsIFBhL9Y4vY2q+7v0ygCK7uI09dz/+ubWvPOBV10t0+TVT+sTdN
         CAVFz7BYVIZCw4uFVTMV3XerXGuBESDAnwW3TUkFxqNaZ9Sjd1MbgEElo5KTQaxA4eD+
         PZAEnE3k/I2ZCPCFuDARCBV3DVpGV35UhvoDfJJXM4TQU0AzZJ2d8Cw1D2apqNM8um8s
         FjtXTQmoFU+mxEaWMRpazSikVnQCgGEgNfyFaGHPT9Gs8/CDLoAyiDCmDgdWGL6Y0qsv
         7K7g==
X-Gm-Message-State: ACgBeo1Sq9+qR3fpBC9qYWq8gSLSVpnw+8QVJDEwi4An27nrdf1WpwXx
        /fBLTkcahX6VN3QxztL4R+unGG2nG1Mw8Rm+0aQ=
X-Google-Smtp-Source: 
 AA6agR4oE95bBhsSdIdScCPuED5bUgOLluJDetPQDhXiC2CMIZ2RkmN7Trz5O3XFH2zyMohNmhBoin3YpKWt+WGCqxU=
X-Received: from ndesaulniers1.mtv.corp.google.com
 ([2620:0:100e:712:422b:cadb:302a:7901])
 (user=ndesaulniers job=sendgmr) by 2002:a81:7784:0:b0:33d:ca62:45f5 with SMTP
 id s126-20020a817784000000b0033dca6245f5mr15393337ywc.180.1661892805082; Tue,
 30 Aug 2022 13:53:25 -0700 (PDT)
Date: Tue, 30 Aug 2022 13:53:07 -0700
In-Reply-To: <20220830205309.312864-1-ndesaulniers@google.com>
Mime-Version: 1.0
References: <20220830205309.312864-1-ndesaulniers@google.com>
X-Developer-Key: i=ndesaulniers@google.com; a=ed25519;
 pk=lvO/pmg+aaCb6dPhyGC1GyOCvPueDrrc8Zeso5CaGKE=
X-Developer-Signature: v=1; a=ed25519-sha256; t=1661892789; l=3598;
 i=ndesaulniers@google.com; s=20211004; h=from:subject;
 bh=FqEu/v2r7QzyhMZ+aKgXq/vN9XM6LoTxDIw9cP7G/EQ=;
 b=gjQOE8Flfs4jPPc0zq1aAHXUiYKr0bq9gXdpXuj1sxS/j6umW+wG0AxfG9aN1eUi5IiBKiNCzvOS
 AbdniodNBrjpabk0YC0HNqMXXwo1xbVr1piJvMVBUhy3+S42e8YU
X-Mailer: git-send-email 2.37.2.672.g94769d06f0-goog
Message-ID: <20220830205309.312864-2-ndesaulniers@google.com>
Subject: [PATCH 1/3] fortify: use __builtin_dynamic_object_size in
 __compiletime_strlen
From: Nick Desaulniers <ndesaulniers@google.com>
To: Kees Cook <keescook@chromium.org>
Cc: Nathan Chancellor <nathan@kernel.org>, Tom Rix <trix@redhat.com>,
        linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
        llvm@lists.linux.dev, Jiri Kosina <jikos@kernel.org>,
        Benjamin Tissoires <benjamin.tissoires@redhat.com>,
        linux-input@vger.kernel.org,
        Masahiro Yamada <masahiroy@kernel.org>,
        Nick Desaulniers <ndesaulniers@google.com>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

With CONFIG_FORTIFY=3Dy and CONFIG_UBSAN_LOCAL_BOUNDS=3Dy enabled, we
observe a runtime panic while running Android's Compatibility Test
Suite's (CTS) android.hardware.input.cts.tests.  This is stemming from a
strlen() call in hidinput_allocate().

__compiletime_strlen is implemented in terms of __builtin_object_size(),
then does an array access to check for NUL-termination. A quirk of
__builtin_object_size() is that for strings whose values are runtime
dependent, __builtin_object_size(str, 1 or 0) returns the maximum size
of possible values when those sizes are determinable at compile time.
Example:

  static const char *v =3D "FOO BAR";
  static const char *y =3D "FOO BA";
  unsigned long x (int z) {
      // Returns 8, which is:
      // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1))
      return __builtin_object_size(z ? v : y, 1);
  }

So when FORTIFY is enabled, the current implementation of
__compiletime_strlen will try to access beyond the end of y at runtime
using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault.

hidinput_allocate() has a local C string whose value is control flow
dependent on a switch statement, so __builtin_object_size(str, 1)
evaluates to the maximum string length, making all other cases fault on
the last character check. hidinput_allocate() could be cleaned up to
avoid runtime calls to strlen() since the local variable can only have
literal values, so there's no benefit to trying to fortify the strlen
call site there.

Add a Kconfig check for __builtin_dynamic_object_size(), then use that
when available (gcc-12+, all supported versions of clang) which avoids
this surprising behavior.

Suggested-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
---
 include/linux/fortify-string.h | 8 +++++++-
 init/Kconfig                   | 3 +++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index 3b401fa0f374..c5adad596a3f 100644
--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
@@ -14,11 +14,17 @@ void __read_overflow2_field(size_t avail, size_t wanted=
) __compiletime_warning("
 void __write_overflow(void) __compiletime_error("detected write beyond siz=
e of object (1st parameter)");
 void __write_overflow_field(size_t avail, size_t wanted) __compiletime_war=
ning("detected write beyond size of field (1st parameter); maybe use struct=
_group()?");
=20
+#ifdef CONFIG_CC_HAS_BUILTIN_DYNAMIC_OBJECT_SIZE
+#define __object_size __builtin_dynamic_object_size
+#else
+#define __object_size __builtin_object_size
+#endif
+
 #define __compiletime_strlen(p)					\
 ({								\
 	unsigned char *__p =3D (unsigned char *)(p);		\
 	size_t __ret =3D (size_t)-1;				\
-	size_t __p_size =3D __builtin_object_size(p, 1);		\
+	size_t __p_size =3D __object_size(p, 1);			\
 	if (__p_size !=3D (size_t)-1) {				\
 		size_t __p_len =3D __p_size - 1;			\
 		if (__builtin_constant_p(__p[__p_len]) &&	\
diff --git a/init/Kconfig b/init/Kconfig
index 532362fcfe31..87dd31aa54ad 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -876,6 +876,9 @@ config ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH
 config CC_HAS_INT128
 	def_bool !$(cc-option,$(m64-flag) -D__SIZEOF_INT128__=3D0) && 64BIT
=20
+config CC_HAS_BUILTIN_DYNAMIC_OBJECT_SIZE
+	def_bool !CC_IS_GCC || GCC_VERSION >=3D 120000
+
 config CC_IMPLICIT_FALLTHROUGH
 	string
 	default "-Wimplicit-fallthrough=3D5" if CC_IS_GCC && $(cc-option,-Wimplic=
it-fallthrough=3D5)
--=20
2.37.2.672.g94769d06f0-goog
From nobody Tue Apr  7 05:43:38 2026
Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2F800ECAAD5
	for <linux-kernel@archiver.kernel.org>; Tue, 30 Aug 2022 20:53:40 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231281AbiH3Uxh (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Tue, 30 Aug 2022 16:53:37 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59874 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230517AbiH3Ux3 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 30 Aug 2022 16:53:29 -0400
Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com
 [IPv6:2607:f8b0:4864:20::b49])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 51A4D6FA33
        for <linux-kernel@vger.kernel.org>;
 Tue, 30 Aug 2022 13:53:28 -0700 (PDT)
Received: by mail-yb1-xb49.google.com with SMTP id
 k13-20020a056902024d00b0066fa7f50b97so618382ybs.6
        for <linux-kernel@vger.kernel.org>;
 Tue, 30 Aug 2022 13:53:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc;
        bh=XFDa6KTgHv01kWZj/Seua+4bvIrhtY4bUBF4MqV18nA=;
        b=H/B4/YP2EStOk1wApV/pkDl/3ocH+jW86m+kMjqfupJWEDtKmPbguzigbJi+iehwck
         u9h5UmeiZ/Y+6U08FR95+SJ7+0ggp3YI2ohxn+VjcC942GXqmQ9+b423Jryg/I9Bw8DH
         Nmy/gDoVn6i983bEcz+TiD844qnzMB73YjVfbRWjysYPxBrCGezlLiaMb168Glsm6M3b
         9PdqLGnY46ud8nEh+o9MNo2n0kVJdg2rnI4dBoZ75Z7ugj1cQCeQ6SyPegmpqMElKe1M
         +rMINy5wZ5pu9cglimln6dYGIAYENa0SCx9A2BZPqNWLYjctHkCijB6mTLtH5V3pVUsE
         2rhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc;
        bh=XFDa6KTgHv01kWZj/Seua+4bvIrhtY4bUBF4MqV18nA=;
        b=nOtKe+V9o3mA7foQpsw5qQAEKyV17JUzXB4KtAHIs/W+uGJKhfFuJUjhKza/E4i+eX
         8ryPhFQ0r+5eBiByrKSmiQH6/GQYqSMZRmpS2EC4QUJVfMF02C79Y8bbm49fA7eH4z4O
         bzL2edEmomB7INqIrb7ctR6rMrcX7034FTqs14TZuoSy3xGvMlLbvTIGSXWbcjUHJvXq
         lNtWnM9bbSeWRW+DrH/yKd0gv3SRPr69CupcOKJXPivM4HHsfz7g12JYupXZy/r6/YY1
         tZeMnatBTQT8MvKO4q/GgW1/STH5tx5ZiywDvJR1AbJU6w2F1uLUnFbI+m/zVB3Ox6nr
         PV1Q==
X-Gm-Message-State: ACgBeo0P2EvSjMLJ1k3giiPxmrdfvMnO9OOIurxstld5XF/VhXn9o3q3
        xRw5Yc0Y1oQ/++NjcoAjdA7C3qf7GEaQ0rimdho=
X-Google-Smtp-Source: 
 AA6agR5MMFcErFPh2qkaMkboWUbEABQ2QTTx3nnDWp3MZ+MbGpJqYtn/MroTOeI5lVbS/eEQRx5QJrTFkWBl2XP+U5s=
X-Received: from ndesaulniers1.mtv.corp.google.com
 ([2620:0:100e:712:422b:cadb:302a:7901])
 (user=ndesaulniers job=sendgmr) by 2002:a81:a0c1:0:b0:33d:c846:7ba3 with SMTP
 id x184-20020a81a0c1000000b0033dc8467ba3mr14975364ywg.204.1661892807644; Tue,
 30 Aug 2022 13:53:27 -0700 (PDT)
Date: Tue, 30 Aug 2022 13:53:08 -0700
In-Reply-To: <20220830205309.312864-1-ndesaulniers@google.com>
Mime-Version: 1.0
References: <20220830205309.312864-1-ndesaulniers@google.com>
X-Developer-Key: i=ndesaulniers@google.com; a=ed25519;
 pk=lvO/pmg+aaCb6dPhyGC1GyOCvPueDrrc8Zeso5CaGKE=
X-Developer-Signature: v=1; a=ed25519-sha256; t=1661892789; l=1585;
 i=ndesaulniers@google.com; s=20211004; h=from:subject;
 bh=IpcxEkpuMMXQt20IrbYrIKIderc1sjTmTpdDaYMsgqY=;
 b=5UP9/drrcNhfbuFf03VKoWmjREqkPFx9i+kfQjvqhjtKvuKmzjRZk/w2179sfrlEIphxWP9p6wch
 l2mCKGd7B1MgkjXr9TDikSaAARw/UmnmsNn9QyWCNAJ05V7TTxe4
X-Mailer: git-send-email 2.37.2.672.g94769d06f0-goog
Message-ID: <20220830205309.312864-3-ndesaulniers@google.com>
Subject: [PATCH 2/3] fortify: cosmetic cleanups to __compiletime_strlen
From: Nick Desaulniers <ndesaulniers@google.com>
To: Kees Cook <keescook@chromium.org>
Cc: Nathan Chancellor <nathan@kernel.org>, Tom Rix <trix@redhat.com>,
        linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
        llvm@lists.linux.dev, Jiri Kosina <jikos@kernel.org>,
        Benjamin Tissoires <benjamin.tissoires@redhat.com>,
        linux-input@vger.kernel.org,
        Masahiro Yamada <masahiroy@kernel.org>,
        Nick Desaulniers <ndesaulniers@google.com>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Two things I noticed in __compiletime_strlen:
1. A temporary, __p, is created+used to avoid repeated side effects from
   multiple evaluation of the macro parameter, but the macro parameter
   was being used accidentally in __builtin_object_size.
2. The temporary has a curious signedness and const-less qualification.
   Just use __auto_type.
3. (size_t)-1 is perhaps more readable as -1UL.
4. __p_size =3D=3D -1UL when __builtin_object_size can't evaluate the
   object size at compile time. We could just reuse __ret and use one
   less variable here.

Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Reported-by: kernel test robot <lkp@intel.com>
---
 include/linux/fortify-string.h | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index c5adad596a3f..aaf73575050f 100644
--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
@@ -22,11 +22,10 @@ void __write_overflow_field(size_t avail, size_t wanted=
) __compiletime_warning("
=20
 #define __compiletime_strlen(p)					\
 ({								\
-	unsigned char *__p =3D (unsigned char *)(p);		\
-	size_t __ret =3D (size_t)-1;				\
-	size_t __p_size =3D __object_size(p, 1);			\
-	if (__p_size !=3D (size_t)-1) {				\
-		size_t __p_len =3D __p_size - 1;			\
+	__auto_type __p =3D (p);					\
+	size_t __ret =3D __object_size(__p, 1);			\
+	if (__ret !=3D -1UL) {					\
+		size_t __p_len =3D __ret - 1;			\
 		if (__builtin_constant_p(__p[__p_len]) &&	\
 		    __p[__p_len] =3D=3D '\0')			\
 			__ret =3D __builtin_strlen(__p);		\
--=20
2.37.2.672.g94769d06f0-goog
From nobody Tue Apr  7 05:43:38 2026
Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9BA40ECAAD5
	for <linux-kernel@archiver.kernel.org>; Tue, 30 Aug 2022 20:53:45 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231373AbiH3Uxn (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Tue, 30 Aug 2022 16:53:43 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59970 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231208AbiH3Uxc (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 30 Aug 2022 16:53:32 -0400
Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com
 [IPv6:2607:f8b0:4864:20::b49])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1289F8672B
        for <linux-kernel@vger.kernel.org>;
 Tue, 30 Aug 2022 13:53:30 -0700 (PDT)
Received: by mail-yb1-xb49.google.com with SMTP id
 n18-20020a25d612000000b0069661a1dc48so632399ybg.20
        for <linux-kernel@vger.kernel.org>;
 Tue, 30 Aug 2022 13:53:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc;
        bh=tq1rGOekL7pxfkbRlGyK3KX3p9F0Zh08RbUI+01hRUg=;
        b=GaJO4twNi//joTXJTPWxgSzYipFe8SFbxE0TwPATGPceoH0L9qw6PxWyI4VePZPq22
         e0Kx5DlnOZ7JYvnNrtLs7c/gccDFrFqH/bMNpKQLRVXJ9g6os3iC/o9t1mXE1kRQLLUz
         oRj8T3mCI5ec4vl+nnlV15HA1hZ9gk5icQj/vRm0N/S3b2WPboC0BUV+XN5EMheZxU0q
         gVfO/xXSOSmXN0EJjQ0iN+pv4vkQmGIze5WY78Zfc8JyC12/NLeWaLxmJEzzSD+jkBA/
         g23gNH82+6WH4A50GMfM2p+TTtZti14jjyClR0qHMvv+fqKmKhdUkYhPayGwHf/sblLW
         J64w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc;
        bh=tq1rGOekL7pxfkbRlGyK3KX3p9F0Zh08RbUI+01hRUg=;
        b=BQJTksKwieTvOSfxeofz/LxNAiSc2Ng0bXpHUh0j+/OICYVM/pr0i9Z+SNDdbPH9NW
         L5m59T4mKeh9Jz3+L0dRiS7C5Qxe7CswBMGv+sSI01sWI5VTcGBY2XC3kdl/d2aX/lTT
         Q6T1cKhAQSyxjBqoz6WlilAgVzFKdZcjgAf6kDihYxv8kAfcp/EWS2Zkv/Ck3maGLoQV
         q4SPaz2oM30Q+WsHxVaGOOWt12RO+Yd9l+dLln4XlN03JQuP+yfaFaueLOPq1TY7FeDF
         7ygUDp9PVfFsblhAdCweYv7jefFocIPmbZXEFcfbWkJbT3vl0ZlCUYo3KjjkeLotp0oQ
         g46w==
X-Gm-Message-State: ACgBeo0xGTGwRMwBZhOuCuyMz24LzpNeYjrsUeHd+wmW+R37kkx7ktoh
        4Lo2esHM0GrH7t9xw0t62bcWytitHCIwDphHUIk=
X-Google-Smtp-Source: 
 AA6agR4dBFylOu7ENF0OBdRcDD8jqjP5h6mT6knhTjUUE0aN3cOZzhxPvL1PJy8o3v6+fD7gA3xIeJWHSV8Fb9bzdbU=
X-Received: from ndesaulniers1.mtv.corp.google.com
 ([2620:0:100e:712:422b:cadb:302a:7901])
 (user=ndesaulniers job=sendgmr) by 2002:a25:e045:0:b0:695:8c84:830e with SMTP
 id x66-20020a25e045000000b006958c84830emr13699876ybg.391.1661892810159; Tue,
 30 Aug 2022 13:53:30 -0700 (PDT)
Date: Tue, 30 Aug 2022 13:53:09 -0700
In-Reply-To: <20220830205309.312864-1-ndesaulniers@google.com>
Mime-Version: 1.0
References: <20220830205309.312864-1-ndesaulniers@google.com>
X-Developer-Key: i=ndesaulniers@google.com; a=ed25519;
 pk=lvO/pmg+aaCb6dPhyGC1GyOCvPueDrrc8Zeso5CaGKE=
X-Developer-Signature: v=1; a=ed25519-sha256; t=1661892789; l=2526;
 i=ndesaulniers@google.com; s=20211004; h=from:subject;
 bh=NiERkNadHhm2EwGjNfh56GkMuWFz22MOk8ubAMworHM=;
 b=4b7CW2eRyGqCrk6jxunZg73/YfTFIUeBxElVhLch0T+D+wwOAD/cx2kmbruA1JucDblnRonezs2R
 HQgCnOf3AdtnhlBZTKh6bVxdD5ErMKT/fpOPkr/AzBgtE5AHXXTq
X-Mailer: git-send-email 2.37.2.672.g94769d06f0-goog
Message-ID: <20220830205309.312864-4-ndesaulniers@google.com>
Subject: [PATCH 3/3] HID: avoid runtime call to strlen
From: Nick Desaulniers <ndesaulniers@google.com>
To: Kees Cook <keescook@chromium.org>
Cc: Nathan Chancellor <nathan@kernel.org>, Tom Rix <trix@redhat.com>,
        linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
        llvm@lists.linux.dev, Jiri Kosina <jikos@kernel.org>,
        Benjamin Tissoires <benjamin.tissoires@redhat.com>,
        linux-input@vger.kernel.org,
        Masahiro Yamada <masahiroy@kernel.org>,
        Nick Desaulniers <ndesaulniers@google.com>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

While looking into a CONFIG_FORTIFY=3Dy related bug, I noticed that
hid_allocate calls strlen() on a local C string variable. This variable
can only have literal string values. There is no benefit to having
FORTIFY have this be a checked strlen call, because these are literal
values.  By calling strlen() explicitly in the branches of a switch, the
compiler can evaluate strlen("literal value") at compile time, rather
than at runtime.

Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
---
 drivers/hid/hid-input.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index 48c1c02c69f4..9ad3cc88c26b 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -1922,12 +1922,15 @@ static struct hid_input *hidinput_allocate(struct h=
id_device *hid,
 		switch (application) {
 		case HID_GD_KEYBOARD:
 			suffix =3D "Keyboard";
+			suffix_len =3D strlen(suffix);
 			break;
 		case HID_GD_KEYPAD:
 			suffix =3D "Keypad";
+			suffix_len =3D strlen(suffix);
 			break;
 		case HID_GD_MOUSE:
 			suffix =3D "Mouse";
+			suffix_len =3D strlen(suffix);
 			break;
 		case HID_DG_PEN:
 			/*
@@ -1938,36 +1941,44 @@ static struct hid_input *hidinput_allocate(struct h=
id_device *hid,
 			 * will have to change it and the test suite will not be happy.
 			 */
 			suffix =3D "Stylus";
+			suffix_len =3D strlen(suffix);
 			break;
 		case HID_DG_STYLUS:
 			suffix =3D "Pen";
+			suffix_len =3D strlen(suffix);
 			break;
 		case HID_DG_TOUCHSCREEN:
 			suffix =3D "Touchscreen";
+			suffix_len =3D strlen(suffix);
 			break;
 		case HID_DG_TOUCHPAD:
 			suffix =3D "Touchpad";
+			suffix_len =3D strlen(suffix);
 			break;
 		case HID_GD_SYSTEM_CONTROL:
 			suffix =3D "System Control";
+			suffix_len =3D strlen(suffix);
 			break;
 		case HID_CP_CONSUMER_CONTROL:
 			suffix =3D "Consumer Control";
+			suffix_len =3D strlen(suffix);
 			break;
 		case HID_GD_WIRELESS_RADIO_CTLS:
 			suffix =3D "Wireless Radio Control";
+			suffix_len =3D strlen(suffix);
 			break;
 		case HID_GD_SYSTEM_MULTIAXIS:
 			suffix =3D "System Multi Axis";
+			suffix_len =3D strlen(suffix);
 			break;
 		default:
+			suffix_len =3D 0;
 			break;
 		}
 	}
=20
 	if (suffix) {
 		name_len =3D strlen(hid->name);
-		suffix_len =3D strlen(suffix);
 		if ((name_len < suffix_len) ||
 		    strcmp(hid->name + name_len - suffix_len, suffix)) {
 			hidinput->name =3D kasprintf(GFP_KERNEL, "%s %s",
--=20
2.37.2.672.g94769d06f0-goog