From: Kees Cook <keescook@chromium.org>
To: Nick Desaulniers <ndesaulniers@google.com>
Cc: George Burgess IV <gbiv@google.com>,
Miguel Ojeda <ojeda@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
llvm@lists.linux.dev, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v6 1/4] Compiler Attributes: Add __pass_object_size for Clang
Date: Thu, 3 Feb 2022 12:58:17 -0800 [thread overview]
Message-ID: <202202031247.4F3AC598@keescook> (raw)
In-Reply-To: <CAKwvOdmzdQ+X2BsUbuVBWzFtaE2Vst4=ihNNR=LmOdozqQ5Ukg@mail.gmail.com>
On Thu, Feb 03, 2022 at 12:18:24PM -0800, Nick Desaulniers wrote:
> On Thu, Feb 3, 2022 at 9:33 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > In order to gain greater visibility to type information when using
> > __builtin_object_size(), Clang has a function attribute "pass_object_size"
> > that will make size information available for marked arguments in
> > a function by way of implicit additional function arguments that are
> > then wired up the __builtin_object_size().
> >
> > This is needed to implement FORTIFY_SOURCE in Clang, as a workaround
> > to Clang's __builtin_object_size() having limited visibility[1] into types
> > across function calls (even inlines).
> >
> > Since any usage must also be const, include it in the macro.
>
> I really don't like hiding the qualifier in the argument-attribute
> macro like that. I'd rather we be more explicit about changing the
> function interfaces in include/linux/fortify-string.h.
It seemed redundant to have it separate when it would always be needed.
In v5 I had the const in the BOS (now POS) macro, but realized that this
was silly since it would always need to be that way for __pos.
> For instance, in patch 4/4, let's take a look at this hunk:
>
> -__FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
> ...
> +__FORTIFY_INLINE __diagnose_as(__builtin_strncpy, 1, 2, 3)
> +char *strncpy(char * POS p, const char *q, __kernel_size_t size)
>
> manually expanded, this has changed the qualifiers on the type of the
> first parameter from `char *` to `char * const`.
Yup, that's expected, and I wanted to tie it strictly to the expansion
of __pass_object_size since otherwise GCC would gain the "const" bit
(which technically shouldn't matter, but this whole series has been
nothing but corner case after corner case, and I didn't want to risk
another one).
> I think it might be helpful to quote the docs
> (https://clang.llvm.org/docs/AttributeReference.html#pass-object-size-pass-dynamic-object-size)
>
> >> Additionally, any parameter that pass_object_size is applied to must be marked const at its function’s definition.
>
> One thing that's concerning to me is though:
>
> >> It is an error to take the address of a function with pass_object_size on any of its parameters.
>
> Surely the kernel has indirect calls to some of these functions
> somewhere? Is that just an issue for C++ name-mangling perhaps?
AFAIU, this shouldn't be a problem for any of these. Nothing is trying
to take memcpy, memset, etc by address. The macro-ified version of this
change proved that out. :)
--
Kees Cook
next prev parent reply other threads:[~2022-02-03 20:58 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-03 17:33 [PATCH v6 0/4] fortify: Add Clang support Kees Cook
2022-02-03 17:33 ` [PATCH v6 1/4] Compiler Attributes: Add __pass_object_size for Clang Kees Cook
2022-02-03 20:18 ` Nick Desaulniers
2022-02-03 20:58 ` Kees Cook [this message]
2022-02-03 22:01 ` Nick Desaulniers
2022-02-04 0:29 ` Kees Cook
2022-02-03 17:33 ` [PATCH v6 2/4] Compiler Attributes: Add __overloadable " Kees Cook
2022-02-03 20:26 ` Nick Desaulniers
2022-02-03 21:04 ` Kees Cook
2022-02-03 22:11 ` Nick Desaulniers
2022-02-04 0:26 ` Kees Cook
2022-02-04 0:58 ` Nick Desaulniers
2022-02-04 1:07 ` Miguel Ojeda
2022-02-03 17:33 ` [PATCH v6 3/4] Compiler Attributes: Add __diagnose_as " Kees Cook
2022-02-03 20:28 ` Nick Desaulniers
2022-02-03 17:33 ` [PATCH v6 4/4] fortify: Add Clang support Kees Cook
2022-02-03 20:37 ` Nick Desaulniers
2022-02-03 21:26 ` Kees Cook
2022-02-03 17:47 ` [PATCH v6 0/4] " Miguel Ojeda
2022-02-03 19:57 ` Kees Cook
2022-02-03 21:12 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202202031247.4F3AC598@keescook \
--to=keescook@chromium.org \
--cc=gbiv@google.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=ojeda@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.