From: Kees Cook <keescook@chromium.org>
To: Conor Dooley <conor@kernel.org>
Cc: "Paul Walmsley" <paul.walmsley@sifive.com>,
"Thorsten Leemhuis" <linux@leemhuis.info>,
"Joan Bruguera Micó" <joanbrugueram@gmail.com>,
"Palmer Dabbelt" <palmer@dabbelt.com>,
"Albert Ou" <aou@eecs.berkeley.edu>,
"Masahiro Yamada" <masahiroy@kernel.org>,
"Conor Dooley" <conor.dooley@microchip.com>,
"Nick Desaulniers" <ndesaulniers@google.com>,
"Alyssa Ross" <hi@alyssa.is>,
"Heiko Stuebner" <heiko.stuebner@vrull.eu>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH] riscv/purgatory: Do not use fortified string functions
Date: Wed, 31 May 2023 19:51:10 -0700 [thread overview]
Message-ID: <202305311950.EFFD6521@keescook> (raw)
In-Reply-To: <20230531-abruptly-settling-f9852f408dcd@spud>
On Wed, May 31, 2023 at 11:37:20PM +0100, Conor Dooley wrote:
> Hey Kees,
>
> On Tue, May 30, 2023 at 05:34:04PM -0700, Kees Cook wrote:
> > With the addition of -fstrict-flex-arrays=3, struct sha256_state's
> > trailing array is no longer ignored by CONFIG_FORTIFY_SOURCE:
> >
> > struct sha256_state {
> > u32 state[SHA256_DIGEST_SIZE / 4];
> > u64 count;
> > u8 buf[SHA256_BLOCK_SIZE];
> > };
> >
> > This means that the memcpy() calls with "buf" as a destination in
> > sha256.c's code will attempt to perform run-time bounds checking, which
> > could lead to calling missing functions, specifically a potential
> > WARN_ONCE, which isn't callable from purgatory.
> >
> > Reported-by: Thorsten Leemhuis <linux@leemhuis.info>
> > Closes: https://lore.kernel.org/lkml/175578ec-9dec-7a9c-8d3a-43f24ff86b92@leemhuis.info/
> > Bisected-by: "Joan Bruguera Micó" <joanbrugueram@gmail.com>
> > Fixes: df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3")
> > Cc: Paul Walmsley <paul.walmsley@sifive.com>
> > Cc: Palmer Dabbelt <palmer@dabbelt.com>
> > Cc: Albert Ou <aou@eecs.berkeley.edu>
> > Cc: Masahiro Yamada <masahiroy@kernel.org>
> > Cc: Conor Dooley <conor.dooley@microchip.com>
> > Cc: Nick Desaulniers <ndesaulniers@google.com>
> > Cc: Alyssa Ross <hi@alyssa.is>
> > Cc: Heiko Stuebner <heiko.stuebner@vrull.eu>
> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > Cc: linux-riscv@lists.infradead.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
>
> Perhaps this is indicative of other issues in RISC-V land, but
> allmodconfig complains about this patch:
>
> ../lib/string.c:17: warning: "__NO_FORTIFY" redefined
> ../lib/string.c:17:9: warning: preprocessor token __NO_FORTIFY redefined
Argh, thanks. My compile test clearly failed. I'll fix this up.
-Kees
>
> > ---
> > arch/riscv/purgatory/Makefile | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/arch/riscv/purgatory/Makefile b/arch/riscv/purgatory/Makefile
> > index 5730797a6b40..11f4c275f141 100644
> > --- a/arch/riscv/purgatory/Makefile
> > +++ b/arch/riscv/purgatory/Makefile
> > @@ -31,9 +31,9 @@ $(obj)/strncmp.o: $(srctree)/arch/riscv/lib/strncmp.S FORCE
> > $(obj)/sha256.o: $(srctree)/lib/crypto/sha256.c FORCE
> > $(call if_changed_rule,cc_o_c)
> >
> > -CFLAGS_sha256.o := -D__DISABLE_EXPORTS
> > -CFLAGS_string.o := -D__DISABLE_EXPORTS
> > -CFLAGS_ctype.o := -D__DISABLE_EXPORTS
> > +CFLAGS_sha256.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY
> > +CFLAGS_string.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY
> > +CFLAGS_ctype.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY
> >
> > # When linking purgatory.ro with -r unresolved symbols are not checked,
> > # also link a purgatory.chk binary without -r to check for unresolved symbols.
> > --
> > 2.34.1
> >
> >
> > _______________________________________________
> > linux-riscv mailing list
> > linux-riscv@lists.infradead.org
> > http://lists.infradead.org/mailman/listinfo/linux-riscv
--
Kees Cook
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Conor Dooley <conor@kernel.org>
Cc: "Paul Walmsley" <paul.walmsley@sifive.com>,
"Thorsten Leemhuis" <linux@leemhuis.info>,
"Joan Bruguera Micó" <joanbrugueram@gmail.com>,
"Palmer Dabbelt" <palmer@dabbelt.com>,
"Albert Ou" <aou@eecs.berkeley.edu>,
"Masahiro Yamada" <masahiroy@kernel.org>,
"Conor Dooley" <conor.dooley@microchip.com>,
"Nick Desaulniers" <ndesaulniers@google.com>,
"Alyssa Ross" <hi@alyssa.is>,
"Heiko Stuebner" <heiko.stuebner@vrull.eu>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH] riscv/purgatory: Do not use fortified string functions
Date: Wed, 31 May 2023 19:51:10 -0700 [thread overview]
Message-ID: <202305311950.EFFD6521@keescook> (raw)
In-Reply-To: <20230531-abruptly-settling-f9852f408dcd@spud>
On Wed, May 31, 2023 at 11:37:20PM +0100, Conor Dooley wrote:
> Hey Kees,
>
> On Tue, May 30, 2023 at 05:34:04PM -0700, Kees Cook wrote:
> > With the addition of -fstrict-flex-arrays=3, struct sha256_state's
> > trailing array is no longer ignored by CONFIG_FORTIFY_SOURCE:
> >
> > struct sha256_state {
> > u32 state[SHA256_DIGEST_SIZE / 4];
> > u64 count;
> > u8 buf[SHA256_BLOCK_SIZE];
> > };
> >
> > This means that the memcpy() calls with "buf" as a destination in
> > sha256.c's code will attempt to perform run-time bounds checking, which
> > could lead to calling missing functions, specifically a potential
> > WARN_ONCE, which isn't callable from purgatory.
> >
> > Reported-by: Thorsten Leemhuis <linux@leemhuis.info>
> > Closes: https://lore.kernel.org/lkml/175578ec-9dec-7a9c-8d3a-43f24ff86b92@leemhuis.info/
> > Bisected-by: "Joan Bruguera Micó" <joanbrugueram@gmail.com>
> > Fixes: df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3")
> > Cc: Paul Walmsley <paul.walmsley@sifive.com>
> > Cc: Palmer Dabbelt <palmer@dabbelt.com>
> > Cc: Albert Ou <aou@eecs.berkeley.edu>
> > Cc: Masahiro Yamada <masahiroy@kernel.org>
> > Cc: Conor Dooley <conor.dooley@microchip.com>
> > Cc: Nick Desaulniers <ndesaulniers@google.com>
> > Cc: Alyssa Ross <hi@alyssa.is>
> > Cc: Heiko Stuebner <heiko.stuebner@vrull.eu>
> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > Cc: linux-riscv@lists.infradead.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
>
> Perhaps this is indicative of other issues in RISC-V land, but
> allmodconfig complains about this patch:
>
> ../lib/string.c:17: warning: "__NO_FORTIFY" redefined
> ../lib/string.c:17:9: warning: preprocessor token __NO_FORTIFY redefined
Argh, thanks. My compile test clearly failed. I'll fix this up.
-Kees
>
> > ---
> > arch/riscv/purgatory/Makefile | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/arch/riscv/purgatory/Makefile b/arch/riscv/purgatory/Makefile
> > index 5730797a6b40..11f4c275f141 100644
> > --- a/arch/riscv/purgatory/Makefile
> > +++ b/arch/riscv/purgatory/Makefile
> > @@ -31,9 +31,9 @@ $(obj)/strncmp.o: $(srctree)/arch/riscv/lib/strncmp.S FORCE
> > $(obj)/sha256.o: $(srctree)/lib/crypto/sha256.c FORCE
> > $(call if_changed_rule,cc_o_c)
> >
> > -CFLAGS_sha256.o := -D__DISABLE_EXPORTS
> > -CFLAGS_string.o := -D__DISABLE_EXPORTS
> > -CFLAGS_ctype.o := -D__DISABLE_EXPORTS
> > +CFLAGS_sha256.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY
> > +CFLAGS_string.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY
> > +CFLAGS_ctype.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY
> >
> > # When linking purgatory.ro with -r unresolved symbols are not checked,
> > # also link a purgatory.chk binary without -r to check for unresolved symbols.
> > --
> > 2.34.1
> >
> >
> > _______________________________________________
> > linux-riscv mailing list
> > linux-riscv@lists.infradead.org
> > http://lists.infradead.org/mailman/listinfo/linux-riscv
--
Kees Cook
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2023-06-01 2:51 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-31 0:34 [PATCH] riscv/purgatory: Do not use fortified string functions Kees Cook
2023-05-31 0:34 ` Kees Cook
2023-05-31 22:37 ` Conor Dooley
2023-05-31 22:37 ` Conor Dooley
2023-06-01 2:51 ` Kees Cook [this message]
2023-06-01 2:51 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202305311950.EFFD6521@keescook \
--to=keescook@chromium.org \
--cc=aou@eecs.berkeley.edu \
--cc=conor.dooley@microchip.com \
--cc=conor@kernel.org \
--cc=gustavoars@kernel.org \
--cc=heiko.stuebner@vrull.eu \
--cc=hi@alyssa.is \
--cc=joanbrugueram@gmail.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux@leemhuis.info \
--cc=masahiroy@kernel.org \
--cc=ndesaulniers@google.com \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.