1. Patchew
  2. linux
  3. View series

[PATCH 0/4] fortify: Use __builtin_dynamic_object_size() when available

Kees Cook posted 4 patches 3 years, 6 months ago 
arch/x86/xen/enlighten_pv.c         |   3 +-
drivers/misc/lkdtm/heap.c           |   1 +
include/linux/compiler_attributes.h |   5 ++
include/linux/fortify-string.h      | 125 ++++++++++++++++------------
4 files changed, 81 insertions(+), 53 deletions(-)
[PATCH 0/4] fortify: Use __builtin_dynamic_object_size() when available
Posted by Kees Cook 3 years, 6 months ago 
Hi,

This adjusts CONFIG_FORTIFY_SOURCE's coverage to include greater runtime
size checking from GCC and Clang's __builtin_dynamic_object_size(), which
the compilers can track either via code flow or from __alloc_size() hints.

Thanks,

-Kees

Kees Cook (4):
  x86/entry: Work around Clang __bdos() bug
  fortify: Explicitly check bounds are compile-time constants
  fortify: Convert to struct vs member helpers
  fortify: Use __builtin_dynamic_object_size() when available

 arch/x86/xen/enlighten_pv.c         |   3 +-
 drivers/misc/lkdtm/heap.c           |   1 +
 include/linux/compiler_attributes.h |   5 ++
 include/linux/fortify-string.h      | 125 ++++++++++++++++------------
 4 files changed, 81 insertions(+), 53 deletions(-)

-- 
2.34.1
Re: [PATCH 0/4] fortify: Use __builtin_dynamic_object_size() when available
Posted by Siddhesh Poyarekar 3 years, 6 months ago 
On 2022-09-20 15:21, Kees Cook wrote:
> Hi,
> 
> This adjusts CONFIG_FORTIFY_SOURCE's coverage to include greater runtime
> size checking from GCC and Clang's __builtin_dynamic_object_size(), which
> the compilers can track either via code flow or from __alloc_size() hints.
> 

FTR, I ran a linux build using gcc with allyesconfig and 
fortify-metrics[1] to get a sense of how much object size coverage would 
improve with __builtin_dynamic_object_size.  With a total of 3,877 
__builtin_object_size calls, about 11.37% succeed in getting a result 
that is not (size_t)-1.  If they were replaced by 
__builtin_dynamic_object_size as this patch proposes, the success rate 
improves to 16.25%, which is a ~1.4x improvement.

This is a decent improvement by itself but it can be amplified further 
by adding __attribute__((access (...)))[2] to function prototypes and 
definitions, especially for functions that take in buffers and their 
sizes as arguments since __builtin_dynamic_object_size in gcc is capable 
of recognizing that and using it for object size determination (and 
hence to fortify calls) within those functions.

Thanks,
Sid

[1] https://github.com/siddhesh/fortify-metrics
[2] https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html
Re: [PATCH 0/4] fortify: Use __builtin_dynamic_object_size() when available
Posted by Kees Cook 3 years, 6 months ago 
On Thu, Sep 22, 2022 at 04:26:54PM -0400, Siddhesh Poyarekar wrote:
> On 2022-09-20 15:21, Kees Cook wrote:
> > Hi,
> > 
> > This adjusts CONFIG_FORTIFY_SOURCE's coverage to include greater runtime
> > size checking from GCC and Clang's __builtin_dynamic_object_size(), which
> > the compilers can track either via code flow or from __alloc_size() hints.
> > 
> 
> FTR, I ran a linux build using gcc with allyesconfig and fortify-metrics[1]
> to get a sense of how much object size coverage would improve with
> __builtin_dynamic_object_size.  With a total of 3,877 __builtin_object_size
> calls, about 11.37% succeed in getting a result that is not (size_t)-1.  If
> they were replaced by __builtin_dynamic_object_size as this patch proposes,
> the success rate improves to 16.25%, which is a ~1.4x improvement.

Thanks for check that! Yeah, a 40% increase in coverage is nice. :0

> This is a decent improvement by itself but it can be amplified further by
> adding __attribute__((access (...)))[2] to function prototypes and
> definitions, especially for functions that take in buffers and their sizes
> as arguments since __builtin_dynamic_object_size in gcc is capable of
> recognizing that and using it for object size determination (and hence to
> fortify calls) within those functions.

Yeah, this could be another interest set of additions. It seems like it
might be more "coder friendly" if, in the future that has the
__element_count__ attribute, it could be used in function parameters
too, like:

If we had:

int do_something(struct context *ctx, u32 *data, int count)

this seems less easy to read to me:

int __access(read_write, 2, 3) do_something(struct context *ctx, u32 *data, int count)

as this seems more readable to me, though I guess the access-mode
information is lost:

int do_something(struct context *ctx, u32 * __element_count(count) data, int count)

But yes, this would be excellent to start adding!

-Kees

-- 
Kees Cook
Re: [PATCH 0/4] fortify: Use __builtin_dynamic_object_size() when available
Posted by Siddhesh Poyarekar 3 years, 6 months ago 
On 2022-09-22 20:20, Kees Cook wrote:
> Yeah, this could be another interest set of additions. It seems like it
> might be more "coder friendly" if, in the future that has the
> __element_count__ attribute, it could be used in function parameters
> too, like:
> 
> If we had:
> 
> int do_something(struct context *ctx, u32 *data, int count)
> 
> this seems less easy to read to me:
> 
> int __access(read_write, 2, 3) do_something(struct context *ctx, u32 *data, int count)
> 
> as this seems more readable to me, though I guess the access-mode
> information is lost:
> 
> int do_something(struct context *ctx, u32 * __element_count(count) data, int count)

It doesn't *have* to lose access mode info:

int do_something(struct context *ctx,
		 u32 * __element_count(count, __read_only__) data,
		 int count)
{
...
}

where omitting the access mode could imply __read_write__.

Thanks,
Sid

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.