From nobody Mon Apr 6 20:10:17 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1F6CEECAAA1 for ; Fri, 2 Sep 2022 20:44:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229589AbiIBUoI (ORCPT ); Fri, 2 Sep 2022 16:44:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56506 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230137AbiIBUn6 (ORCPT ); Fri, 2 Sep 2022 16:43:58 -0400 Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E79B2FC314 for ; Fri, 2 Sep 2022 13:43:56 -0700 (PDT) Received: by mail-pj1-x1032.google.com with SMTP id m10-20020a17090a730a00b001fa986fd8eeso6618144pjk.0 for ; Fri, 02 Sep 2022 13:43:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date; bh=nXV/kYcxRGP4+PC/wC/E1WmMIMB/DEMUyjUxzaTreGw=; b=cHlmGDucWugffybtU1NXRpK84RfhetNHSyxRNpz4OPVFMNCPebRN6HUazGQvm8DxjM Ca5mMNM8lTvPGRnENwR8gECD6NiKDnXKaP2gbjBA6Inj1r56/1vaqNqDUIMbaxigFFBO AqXXJDP7flKezJmMXtpBKDn54dIz26/0Tg1ck= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date; bh=nXV/kYcxRGP4+PC/wC/E1WmMIMB/DEMUyjUxzaTreGw=; b=2JH/y6GHhea+hsGkt0SA8PbYp8qJPBnp/SZprfz0+N806a+k+pmnhodT0NnkpdLpun sZK+vzWnKSvIMD9q1LORU7pfIwSfT6+SMqKBsibCZPyXeUeLFh/c6BhxwjvNsKIVfF5L ZT/TeIt6wPwwOOACuhWdJA4gD0ATQGMMNC5IMO4PxYFEegz7IHgdbtplTjZUhf6EafjV jxhMsNU2v5NVPoAOR/L5lWbJWeihXXPef7pw7afjulHj87SLuaj+Fq5wXyElyF/C86g0 iUm/Zo8G5IhQlnCCAgvZfBmlH6N2NZrLTP4j7ZSXKdJdssiZ8zMBmEIx1a6MdxaBPRVH QHgQ== X-Gm-Message-State: ACgBeo3/eD4tp0/RvxxlW5V77mLw8phkVvP7DcVCbbIP00g69amCK9gF 5iZQYLKrYzXvp0Agiq3b6UNiag== X-Google-Smtp-Source: AA6agR4OTKbaTPmi+l9Osgr3f3/iWEvZcmM5T5mq8YCP3H+BKdqRtF3oXu9Ht4jAVa9+ZFw4qzTJiA== X-Received: by 2002:a17:903:32cd:b0:16f:c31:7034 with SMTP id i13-20020a17090332cd00b0016f0c317034mr36867541plr.126.1662151436441; Fri, 02 Sep 2022 13:43:56 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id p5-20020aa79e85000000b0053826eaa1c7sm2242366pfq.22.2022.09.02.13.43.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 02 Sep 2022 13:43:53 -0700 (PDT) From: Kees Cook To: Nick Desaulniers Cc: Kees Cook , Nathan Chancellor , Tom Rix , Andrew Morton , Vlastimil Babka , "Steven Rostedt (Google)" , David Gow , Yury Norov , Masami Hiramatsu , Sander Vanheule , linux-hardening@vger.kernel.org, llvm@lists.linux.dev, Peter Zijlstra , Josh Poimboeuf , Dan Williams , Isabella Basso , Eric Dumazet , Rasmus Villemoes , Eric Biggers , Hannes Reinecke , linux-kernel@vger.kernel.org Subject: [PATCH v2 1/3] fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL Date: Fri, 2 Sep 2022 13:43:49 -0700 Message-Id: <20220902204351.2521805-2-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220902204351.2521805-1-keescook@chromium.org> References: <20220902204351.2521805-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3151; h=from:subject; bh=DcSHHHF6kn1GliVVBN0Pagg+IpCny/Ui+zrhTxFh/Ig=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBjEmsGk86XdtCYEmOQCgPx8egB0fdSS3e9m2VZTI23 uTv0O9uJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYxJrBgAKCRCJcvTf3G3AJuYcD/ 46zM6qv3smVwB5rZ2yT5KmQ/6rKo6NAA9bRqTf+cVhi63JuonH9xJUJIGZG+MoTCKjisfYwnMSQzxC JzaNXj7WkEtgdnD0FwG7abuEJKIfgtU0XaT1fFJE99rSCXoGFWzhdvyDwLnhbPqN5xM7bKjP6fs8/i HA4rfsFA2io/zAKOKbS0LcUohuLvzpmhh1FooGaDJNFpmkJEp5NIInreEiryFnGjvFV/9u8ICW8qX0 jQRNsTRh/oUF/wY0O25PWfyGOHq+pdb2z54/j+NOAWzjvSC09LbnOygH+6S692/psVAj5EggYDO/jF f8Lnz+jjlp/EVUqaYqsolrBOll6bfzSPd0c2Ot/oNu0XcyCyDA88YD64pWvgJCl/kXs3Vi05qm2hKW rfGR2CUtas8Cde1LUKAq9J7g4RNLjvGpZFXPMdB2K2uNw3BrNl0AmxaxJuT96wAAi2Ugv6MuSu8It7 Pbll63lCPLIlUSq9WOFBnKwgmbE0EqA3Z+f7s2i68q+8cLdESF7EDzMJYLkY+oKbrUin5IwJsrNMx5 aYmXCyvApdqpJQxT0ApO0GH7YxI0gTCLPb62iCjDvlsyb4ekhTCgPwxydRAx6fujxccIrOhnhVCAMV +WTnx3IlX62a2AP+WQ7hZQiKnc4G2GYlnWz1ydiMrJAX0gNyARjrGALryXSA== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" With CONFIG_FORTIFY=3Dy and CONFIG_UBSAN_LOCAL_BOUNDS=3Dy enabled, we obser= ve a runtime panic while running Android's Compatibility Test Suite's (CTS) android.hardware.input.cts.tests. This is stemming from a strlen() call in hidinput_allocate(). __compiletime_strlen() is implemented in terms of __builtin_object_size(), then does an array access to check for NUL-termination. A quirk of __builtin_object_size() is that for strings whose values are runtime dependent, __builtin_object_size(str, 1 or 0) returns the maximum size of possible values when those sizes are determinable at compile time. Example: static const char *v =3D "FOO BAR"; static const char *y =3D "FOO BA"; unsigned long x (int z) { // Returns 8, which is: // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1)) return __builtin_object_size(z ? v : y, 1); } So when FORTIFY_SOURCE is enabled, the current implementation of __compiletime_strlen() will try to access beyond the end of y at runtime using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault. hidinput_allocate() has a local C string whose value is control flow dependent on a switch statement, so __builtin_object_size(str, 1) evaluates to the maximum string length, making all other cases fault on the last character check. hidinput_allocate() could be cleaned up to avoid runtime calls to strlen() since the local variable can only have literal values, so there's no benefit to trying to fortify the strlen call site there. Perform a __builtin_constant_p() check against index 0 earlier in the macro to filter out the control-flow-dependant case. Add a KUnit test for checking the expected behavioral characteristics of FORTIFY_SOURCE internals. Cc: Nathan Chancellor Cc: Tom Rix Cc: Andrew Morton Cc: Vlastimil Babka Cc: "Steven Rostedt (Google)" Cc: David Gow Cc: Yury Norov Cc: Masami Hiramatsu Cc: Sander Vanheule Cc: linux-hardening@vger.kernel.org Cc: llvm@lists.linux.dev Co-developed-by: Nick Desaulniers Signed-off-by: Nick Desaulniers Signed-off-by: Kees Cook Reviewed-by: Nick Desaulniers Tested-by: Android Treehugger Robot --- include/linux/fortify-string.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index eed2119b23c5..07d5d1921eff 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -19,7 +19,8 @@ void __write_overflow_field(size_t avail, size_t wanted) = __compiletime_warning(" unsigned char *__p =3D (unsigned char *)(p); \ size_t __ret =3D (size_t)-1; \ size_t __p_size =3D __builtin_object_size(p, 1); \ - if (__p_size !=3D (size_t)-1) { \ + if (__p_size !=3D (size_t)-1 && \ + __builtin_constant_p(*__p)) { \ size_t __p_len =3D __p_size - 1; \ if (__builtin_constant_p(__p[__p_len]) && \ __p[__p_len] =3D=3D '\0') \ --=20 2.34.1 From nobody Mon Apr 6 20:10:17 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 23E33C6FA83 for ; Fri, 2 Sep 2022 20:44:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230231AbiIBUoF (ORCPT ); Fri, 2 Sep 2022 16:44:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56482 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230075AbiIBUn5 (ORCPT ); Fri, 2 Sep 2022 16:43:57 -0400 Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com [IPv6:2607:f8b0:4864:20::102a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 467CFFC30C for ; Fri, 2 Sep 2022 13:43:56 -0700 (PDT) Received: by mail-pj1-x102a.google.com with SMTP id mj6so3100684pjb.1 for ; Fri, 02 Sep 2022 13:43:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date; bh=11eq7C02DkLHkN1mpM6ixOmAQBAalq2XQGnZ/0wFgUE=; b=YekDNkaDEXx3tOwqZSpb28rswmxi6VukTDlHFMFbuzo4drdNePzLNrvB8BSgxPbwzr Sw7t3v65kjlbaJcfVwI/9f7FEpNB5AvNv9+V0DRA6TDdmhZVKwto4ecN+D4Vakhbors0 O4diPe0rk0iti//UvXUxKbvepriRjKqo7GO44= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date; bh=11eq7C02DkLHkN1mpM6ixOmAQBAalq2XQGnZ/0wFgUE=; b=ESLqqOrobN3AYJ9pGL5A4XKst6v2RIlJ+ll0IvmbRauMTetLfe1QzmBZSEq92I5WUo F0w9uGdk6NLsWM+h5CHA1G2xL1yFGokBI39FWwVzmcW3oExnzUuJwUUqvMHQ7WL+JiWV MRRzNMoWaRiKTd0ZbDjMsp3KlyyA9z90n51DflKtdZp5ajsKhGOYiO8R9hRzFFxF8sZo 1EjJcPueZzomQ+l0AVBVQbllpm2IyUnAtDdAEkl4rwXvvphMbsfy6IQDLbGPsqlOgMIr S7I0fmKlnr/GLWzyRl6lIiJtKbqFw07BLhIFKwiJ7iY713Ehso5cI8CJalDjOxfRgHYH t68Q== X-Gm-Message-State: ACgBeo2vTnbhuQu9Eb31IAGdOqDTqk6yngrVvJoMcFN5fjhod8x6Gd6M v1Y8iM2WUNyXac54NS8QL0pKhg== X-Google-Smtp-Source: AA6agR5EIIBM1SzL1l5QK6QislgosQ1gopreWOv6IaGskuQlsesx6oKdIhDCE2fIibxIAgqPEIXrqw== X-Received: by 2002:a17:903:11c7:b0:170:cde7:d24a with SMTP id q7-20020a17090311c700b00170cde7d24amr37435905plh.91.1662151435118; Fri, 02 Sep 2022 13:43:55 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id j4-20020a170902da8400b0017297a6b39dsm2107978plx.265.2022.09.02.13.43.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 02 Sep 2022 13:43:53 -0700 (PDT) From: Kees Cook To: Nick Desaulniers Cc: Kees Cook , Nathan Chancellor , Tom Rix , Andrew Morton , Vlastimil Babka , "Steven Rostedt (Google)" , David Gow , Yury Norov , Masami Hiramatsu , Sander Vanheule , linux-hardening@vger.kernel.org, llvm@lists.linux.dev, Peter Zijlstra , Josh Poimboeuf , Dan Williams , Isabella Basso , Eric Dumazet , Rasmus Villemoes , Eric Biggers , Hannes Reinecke , linux-kernel@vger.kernel.org Subject: [PATCH v2 2/3] fortify: Add KUnit test for FORTIFY_SOURCE internals Date: Fri, 2 Sep 2022 13:43:50 -0700 Message-Id: <20220902204351.2521805-3-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220902204351.2521805-1-keescook@chromium.org> References: <20220902204351.2521805-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=5052; h=from:subject; bh=EhBou5R7iywWQm92DBW52vtC8yIHPBoPeRV2MePXGPs=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBjEmsHkVjN+RQcAgkUEMuTHUDCp68OjSiaM44cDvJo 0E3u/CSJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYxJrBwAKCRCJcvTf3G3AJmN5EA Cd3Ipn2P0PeDGd5LAmQjiUDnlS0Rd4tQKQ4Hpmk59gXWJs4yTG9tpBJBVeWrRgWXVGNEaa1b3GOWzU TSj/pa/BUlkoIGHep9AuZHfO97eaDz8d5RY9K6QSd/RmE+oZ7netglOF7KQxHvAeyTseNR+xkEeuLc Y8GxSowoYzISzgA3+giN4pHHZ9D+ekb7wk+L/YR/wYP1MF9OLvz8Y8AMk76urAPTp381TfOhW+p81S jI53/LMHNwGwIWxBCM3b/+6582Zpu2916LHtYdx+oIn7HyApPNyZeGadvilheiUVFLzG93/wD/kvLR l4ZnJzecvKIr/kAVRCpmk3t2CXc4ONOkiyvTAdV4NwLeJa3HJY7AfBePRfZ8C2kSDqq6uVMBbXvtUV dC5OrQlIUIxHOs3HFTr3ZC/K7LRzPfRGpVeq8DkCaQuwKmQB5s5qkKOI2jmvr28hrGv6JHS6eAHHSE E4KZaWI3/blzV/kUHE3k8DNaO2B7lLnkk1ypltg/uWJzw4odve2oRl24DBGYDzU0bkK4ZdRJLMDfju cX8sQU+3Dt8iVag+HGm001Y9aLpFZhjfSwrDCErbmgzXTEMwOgD2PcSquny73x2ncADSz4nWuEwUtB SMEIa7Zh02gVoAKaBia2CgBDLpYddX6HlaGfh5Qy47K5Ko/Ftxs7YSJR4fuA== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Add lib/fortify_kunit.c KUnit test for checking the expected behavioral characteristics of FORTIFY_SOURCE internals. Cc: Nick Desaulniers Cc: Nathan Chancellor Cc: Tom Rix Cc: Andrew Morton Cc: Vlastimil Babka Cc: "Steven Rostedt (Google)" Cc: David Gow Cc: Yury Norov Cc: Masami Hiramatsu Cc: Sander Vanheule Cc: linux-hardening@vger.kernel.org Cc: llvm@lists.linux.dev Signed-off-by: Kees Cook Reviewed-by: David Gow --- MAINTAINERS | 1 + lib/Kconfig.debug | 9 ++++++ lib/Makefile | 1 + lib/fortify_kunit.c | 77 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 88 insertions(+) create mode 100644 lib/fortify_kunit.c diff --git a/MAINTAINERS b/MAINTAINERS index 9d7f64dc0efe..640115472199 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -8002,6 +8002,7 @@ L: linux-hardening@vger.kernel.org S: Supported T: git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-ne= xt/hardening F: include/linux/fortify-string.h +F: lib/fortify_kunit.c F: lib/test_fortify/* F: scripts/test_fortify.sh K: \b__NO_FORTIFY\b diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index 36455953d306..1f267c0ddffd 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -2542,6 +2542,15 @@ config STACKINIT_KUNIT_TEST CONFIG_GCC_PLUGIN_STRUCTLEAK, CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF, or CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL. =20 +config FORTIFY_KUNIT_TEST + tristate "Test fortified str*() and mem*() function internals at runtime"= if !KUNIT_ALL_TESTS + depends on KUNIT && FORTIFY_SOURCE + default KUNIT_ALL_TESTS + help + Builds unit tests for checking internals of FORTIFY_SOURCE as used + by the str*() and mem*() family of functions. For testing runtime + traps of FORTIFY_SOURCE, see LKDTM's "FORTIFY_*" tests. + config TEST_UDELAY tristate "udelay test driver" help diff --git a/lib/Makefile b/lib/Makefile index f545140ed9e7..4ee1ceae945a 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -381,6 +381,7 @@ obj-$(CONFIG_IS_SIGNED_TYPE_KUNIT_TEST) +=3D is_signed_= type_kunit.o obj-$(CONFIG_OVERFLOW_KUNIT_TEST) +=3D overflow_kunit.o CFLAGS_stackinit_kunit.o +=3D $(call cc-disable-warning, switch-unreachabl= e) obj-$(CONFIG_STACKINIT_KUNIT_TEST) +=3D stackinit_kunit.o +obj-$(CONFIG_FORTIFY_KUNIT_TEST) +=3D fortify_kunit.o =20 obj-$(CONFIG_GENERIC_LIB_DEVMEM_IS_ALLOWED) +=3D devmem_is_allowed.o =20 diff --git a/lib/fortify_kunit.c b/lib/fortify_kunit.c new file mode 100644 index 000000000000..4d7930b65107 --- /dev/null +++ b/lib/fortify_kunit.c @@ -0,0 +1,77 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Runtime test cases for CONFIG_FORTIFY_SOURCE that aren't expected to + * Oops th kernel on success. (For those, see drivers/misc/lkdtm/fortify.c) + * + * For corner cases with UBSAN, try testing with: + * + * ./tools/testing/kunit/kunit.py run --arch=3Dx86_64 \ + * --kconfig_add CONFIG_FORTIFY_SOURCE=3Dy \ + * --kconfig_add CONFIG_UBSAN=3Dy \ + * --kconfig_add CONFIG_UBSAN_TRAP=3Dy \ + * --kconfig_add CONFIG_UBSAN_BOUNDS=3Dy \ + * --kconfig_add CONFIG_UBSAN_LOCAL_BOUNDS=3Dy \ + * --make_options LLVM=3D1 fortify + */ +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + +#include +#include +#include + +static const char array_of_10[] =3D "this is 10"; +static const char *ptr_of_11 =3D "this is 11!"; +static char array_unknown[] =3D "compiler thinks I might change"; + +static void known_sizes_test(struct kunit *test) +{ + KUNIT_EXPECT_EQ(test, __compiletime_strlen("88888888"), 8); + KUNIT_EXPECT_EQ(test, __compiletime_strlen(array_of_10), 10); + KUNIT_EXPECT_EQ(test, __compiletime_strlen(ptr_of_11), 11); + + KUNIT_EXPECT_EQ(test, __compiletime_strlen(array_unknown), SIZE_MAX); + /* Externally defined and dynamically sized string pointer: */ + KUNIT_EXPECT_EQ(test, __compiletime_strlen(saved_command_line), SIZE_MAX); +} + +/* This is volatile so the optimizer can't perform DCE below. */ +static volatile int pick; + +/* Not inline to keep optimizer from figuring out which string we want. */ +static noinline size_t want_minus_one(int pick) +{ + const char *str; + + switch (pick) { + case 1: + str =3D "4444"; + break; + case 2: + str =3D "333"; + break; + default: + str =3D "1"; + break; + } + return __compiletime_strlen(str); +} + +static void control_flow_split_test(struct kunit *test) +{ + KUNIT_EXPECT_EQ(test, want_minus_one(pick), SIZE_MAX); +} + +static struct kunit_case fortify_test_cases[] =3D { + KUNIT_CASE(known_sizes_test), + KUNIT_CASE(control_flow_split_test), + {} +}; + +static struct kunit_suite fortify_test_suite =3D { + .name =3D "fortify", + .test_cases =3D fortify_test_cases, +}; + +kunit_test_suite(fortify_test_suite); + +MODULE_LICENSE("GPL"); --=20 2.34.1 From nobody Mon Apr 6 20:10:17 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7391ECAAA1 for ; Fri, 2 Sep 2022 20:44:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230280AbiIBUoL (ORCPT ); Fri, 2 Sep 2022 16:44:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56506 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230178AbiIBUn6 (ORCPT ); Fri, 2 Sep 2022 16:43:58 -0400 Received: from mail-pf1-x434.google.com (mail-pf1-x434.google.com [IPv6:2607:f8b0:4864:20::434]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 82927FBA50 for ; Fri, 2 Sep 2022 13:43:57 -0700 (PDT) Received: by mail-pf1-x434.google.com with SMTP id 199so3034948pfz.2 for ; Fri, 02 Sep 2022 13:43:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date; bh=GpdR6dhKOYDIHWBT59g1Wvjno+duAayEnuXKzDvi7Ds=; b=h749UXyzLbcoxluZ9NcjTjAgLd1HqAnSuGDh0as6NFUu5+tf/+dIsD3GaQHzP85DCQ 09TV1a6urYRynR0mKtclPQQbcxqeEKPmeDNKC4wGNBbIW07+epZ5tIBpNYrPTpzFC2TJ x48QAdCJADJFdnY5OKcR4y54nPl9qtoP2R10U= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date; bh=GpdR6dhKOYDIHWBT59g1Wvjno+duAayEnuXKzDvi7Ds=; b=0KeCuaVCFo5o4lov0WuviqyWpF/VXrHEW27JB57NOR0R51dxvOTR9T4/kHrHwJ9Tm3 cf0nLXW4xj9Rcw7UZxG/gfx7/V6AsXcHf/5B3Ns1znSJlUJWzm9VDIUZuiOkkc0Muw5l EU8LKulUP6DDep0ZicpHyWUG08iHcxE5+aIYEg/SlthG4TWUhkPqSEEeMekI6eT8lj3G jxh20Qf1tw4JZ0yKR9uC7nvypWdu1mHNeoqA4beVcwkcDm7G/znMWYI2LHilcbx5A5aj f1q2meuI0tc+RAf54fKp90jfB87RzJkSBJ/vBU8PZmPxYqghQolHBqlxwKccDDaxE7zr vneg== X-Gm-Message-State: ACgBeo17XirB2ZeCE+4TUX7ToyODwdOWKq8vh0AHjRjQD8EcsPVAnl7l fDol/eBm/o/eeqEBkH8DmQWLOA== X-Google-Smtp-Source: AA6agR5IhZwbrCaOXKK1TWm9SsIGoXh0AjdQgm3ck3mlstEsQ9cd19CWxuvtbfxICBszMpFtEUiUXw== X-Received: by 2002:a63:5616:0:b0:42b:689e:5166 with SMTP id k22-20020a635616000000b0042b689e5166mr31058897pgb.385.1662151436997; Fri, 02 Sep 2022 13:43:56 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id k1-20020aa79981000000b005380bbac1ccsm2261188pfh.167.2022.09.02.13.43.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 02 Sep 2022 13:43:53 -0700 (PDT) From: Kees Cook To: Nick Desaulniers Cc: Kees Cook , linux-hardening@vger.kernel.org, Nathan Chancellor , Tom Rix , Andrew Morton , Vlastimil Babka , "Steven Rostedt (Google)" , David Gow , Yury Norov , Masami Hiramatsu , Sander Vanheule , Peter Zijlstra , Josh Poimboeuf , Dan Williams , Isabella Basso , Eric Dumazet , Rasmus Villemoes , Eric Biggers , Hannes Reinecke , linux-kernel@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH v2 3/3] fortify: Use SIZE_MAX instead of (size_t)-1 Date: Fri, 2 Sep 2022 13:43:51 -0700 Message-Id: <20220902204351.2521805-4-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220902204351.2521805-1-keescook@chromium.org> References: <20220902204351.2521805-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4790; h=from:subject; bh=HV5Dy8SZEhq6+/rQqbYutEFxTR8zxek5M5kiisvIgH0=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBjEmsHLCqUbdwiDj2xEYoNTUzHnhPqUNltCgBybyug nZykpLGJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYxJrBwAKCRCJcvTf3G3AJuA8D/ 48wah7w3V7SEe1dfMKosk2R/dJEjm+HloADoGeQcgeJsYUmLb3VdRAyMxQO70fb3fFAy39o4tOwBoV 0jcF/qjB0kiiDz7rcaxgd4uo7AeRFLELhvjvuYAe9/EI/Tt4Ja8dqknh1xtALnbQuLUs1CGc3XSXGY DtcSIHoy+EJ13pdt3x8qfinqRE/my6F0B/x01+qpg6id8Gw7bLinKrzvwiwRfx+QcfwquTpp938j0W dYQma5DIva2bGK9lIrIIXTdXxYBQkKz4C86REXQPnFql+3Xa0JBpNORkKxxzCE9T6TuP/ZJeU4WYU4 NEM/NWTds28XCIZoqqFNQrtbuc368abzR7G5j2/+7wQD+3IbszmmfqVW0SO/UE5h2oFP46FrgtKDtL XNSXnlruH30OGg1cUunNluV62Oefkp0rydIRtoMsRTN359fgVum+FBDjr4kv///t4VVfhohKfEpH2F Pq0RZbO50IWdRvDtFjlRwzjLChWbaEkvz4ktp+Bx6AHOXcEYMPJDcuYmsZj9x51+D2MEoSqu4RrC0S Y1EsCJhMBsavWbzDQAKUN6oZLBWYh+ADgttRwT5s850pn2uDbc3iClEbXV1og9jRzPiKaTmsi3LuhA a2LaW66FJc3yiTixFJzeAP8YRfTsG4bTLFoV3i0cvAsHCqP0pBs6f34W49Xw== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Clean up uses of "(size_t)-1" in favor of SIZE_MAX. Cc: linux-hardening@vger.kernel.org Suggested-by: Nick Desaulniers Signed-off-by: Kees Cook Reported-by: kernel test robot --- include/linux/fortify-string.h | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index 07d5d1921eff..8f2b6b1cb848 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -17,9 +17,9 @@ void __write_overflow_field(size_t avail, size_t wanted) = __compiletime_warning(" #define __compiletime_strlen(p) \ ({ \ unsigned char *__p =3D (unsigned char *)(p); \ - size_t __ret =3D (size_t)-1; \ + size_t __ret =3D SIZE_MAX; \ size_t __p_size =3D __builtin_object_size(p, 1); \ - if (__p_size !=3D (size_t)-1 && \ + if (__p_size !=3D SIZE_MAX && \ __builtin_constant_p(*__p)) { \ size_t __p_len =3D __p_size - 1; \ if (__builtin_constant_p(__p[__p_len]) && \ @@ -125,7 +125,7 @@ char *strcat(char * const POS p, const char *q) { size_t p_size =3D __builtin_object_size(p, 1); =20 - if (p_size =3D=3D (size_t)-1) + if (p_size =3D=3D SIZE_MAX) return __underlying_strcat(p, q); if (strlcat(p, q, p_size) >=3D p_size) fortify_panic(__func__); @@ -140,7 +140,7 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char * c= onst POS p, __kernel_size size_t ret; =20 /* We can take compile-time actions when maxlen is const. */ - if (__builtin_constant_p(maxlen) && p_len !=3D (size_t)-1) { + if (__builtin_constant_p(maxlen) && p_len !=3D SIZE_MAX) { /* If p is const, we can use its compile-time-known len. */ if (maxlen >=3D p_size) return p_len; @@ -168,7 +168,7 @@ __kernel_size_t __fortify_strlen(const char * const POS= p) size_t p_size =3D __builtin_object_size(p, 1); =20 /* Give up if we don't know how large p is. */ - if (p_size =3D=3D (size_t)-1) + if (p_size =3D=3D SIZE_MAX) return __underlying_strlen(p); ret =3D strnlen(p, p_size); if (p_size <=3D ret) @@ -185,7 +185,7 @@ __FORTIFY_INLINE size_t strlcpy(char * const POS p, con= st char * const POS q, si size_t q_len; /* Full count of source string length. */ size_t len; /* Count of characters going into destination. */ =20 - if (p_size =3D=3D (size_t)-1 && q_size =3D=3D (size_t)-1) + if (p_size =3D=3D SIZE_MAX && q_size =3D=3D SIZE_MAX) return __real_strlcpy(p, q, size); q_len =3D strlen(q); len =3D (q_len >=3D size) ? size - 1 : q_len; @@ -213,7 +213,7 @@ __FORTIFY_INLINE ssize_t strscpy(char * const POS p, co= nst char * const POS q, s size_t q_size =3D __builtin_object_size(q, 1); =20 /* If we cannot get size of p and q default to call strscpy. */ - if (p_size =3D=3D (size_t) -1 && q_size =3D=3D (size_t) -1) + if (p_size =3D=3D SIZE_MAX && q_size =3D=3D SIZE_MAX) return __real_strscpy(p, q, size); =20 /* @@ -258,7 +258,7 @@ char *strncat(char * const POS p, const char * const PO= S q, __kernel_size_t coun size_t p_size =3D __builtin_object_size(p, 1); size_t q_size =3D __builtin_object_size(q, 1); =20 - if (p_size =3D=3D (size_t)-1 && q_size =3D=3D (size_t)-1) + if (p_size =3D=3D SIZE_MAX && q_size =3D=3D SIZE_MAX) return __underlying_strncat(p, q, count); p_len =3D strlen(p); copy_len =3D strnlen(q, count); @@ -299,10 +299,10 @@ __FORTIFY_INLINE void fortify_memset_chk(__kernel_siz= e_t size, /* * Always stop accesses beyond the struct that contains the * field, when the buffer's remaining size is known. - * (The -1 test is to optimize away checks where the buffer + * (The SIZE_MAX test is to optimize away checks where the buffer * lengths are unknown.) */ - if (p_size !=3D (size_t)(-1) && p_size < size) + if (p_size !=3D SIZE_MAX && p_size < size) fortify_panic("memset"); } =20 @@ -393,11 +393,11 @@ __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_siz= e_t size, /* * Always stop accesses beyond the struct that contains the * field, when the buffer's remaining size is known. - * (The -1 test is to optimize away checks where the buffer + * (The SIZE_MAX test is to optimize away checks where the buffer * lengths are unknown.) */ - if ((p_size !=3D (size_t)(-1) && p_size < size) || - (q_size !=3D (size_t)(-1) && q_size < size)) + if ((p_size !=3D SIZE_MAX && p_size < size) || + (q_size !=3D SIZE_MAX && q_size < size)) fortify_panic(func); } =20 @@ -496,7 +496,7 @@ char *strcpy(char * const POS p, const char * const POS= q) size_t size; =20 /* If neither buffer size is known, immediately give up. */ - if (p_size =3D=3D (size_t)-1 && q_size =3D=3D (size_t)-1) + if (p_size =3D=3D SIZE_MAX && q_size =3D=3D SIZE_MAX) return __underlying_strcpy(p, q); size =3D strlen(q) + 1; /* Compile-time check for const size overflow. */ --=20 2.34.1