* [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
From: kernel test robot @ 2024-10-17  6:28 UTC (permalink / raw)
  To: Paul Moore; +Cc: oe-kbuild-all

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head:   15e7d45e786a62a211dd0098fee7c57f84f8c681
commit: dfdb07df2ab66ff4fd2f82039e871e7ab922dc81 [4380/4439] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
config: x86_64-randconfig-005-20241017 (https://download.01.org/0day-ci/archive/20241017/202410171420.1V00ICVG-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241017/202410171420.1V00ICVG-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410171420.1V00ICVG-lkp@intel.com/

All errors (new ones prefixed by >>):

   In file included from include/linux/string.h:390,
                    from include/linux/bitmap.h:13,
                    from include/linux/cpumask.h:12,
                    from include/linux/smp.h:13,
                    from include/linux/lockdep.h:14,
                    from include/linux/spinlock.h:63,
                    from include/linux/wait.h:9,
                    from include/linux/wait_bit.h:8,
                    from include/linux/fs.h:6,
                    from kernel/auditsc.c:37:
   In function 'sized_strscpy',
       inlined from '__audit_ptrace' at kernel/auditsc.c:2732:2:
>> include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
     293 |                 __write_overflow();
         |                 ^~~~~~~~~~~~~~~~~~
   In function 'sized_strscpy',
       inlined from 'audit_signal_info_syscall' at kernel/auditsc.c:2759:3:
>> include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
     293 |                 __write_overflow();
         |                 ^~~~~~~~~~~~~~~~~~


vim +/__write_overflow +293 include/linux/fortify-string.h

a28a6e860c6cf2 Francis Laniel 2021-02-25  274  
03699f271de1f4 Kees Cook      2022-09-02  275  /* Defined after fortified strnlen() to reuse it. */
e6584c3964f2ff Kees Cook      2023-09-20  276  extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(sized_strscpy);
e6584c3964f2ff Kees Cook      2023-09-20  277  __FORTIFY_INLINE ssize_t sized_strscpy(char * const POS p, const char * const POS q, size_t size)
a28a6e860c6cf2 Francis Laniel 2021-02-25  278  {
a28a6e860c6cf2 Francis Laniel 2021-02-25  279  	/* Use string size rather than possible enclosing struct size. */
21a2c74b0a2a78 Kees Cook      2023-04-07  280  	const size_t p_size = __member_size(p);
21a2c74b0a2a78 Kees Cook      2023-04-07  281  	const size_t q_size = __member_size(q);
21a2c74b0a2a78 Kees Cook      2023-04-07  282  	size_t len;
a28a6e860c6cf2 Francis Laniel 2021-02-25  283  
a28a6e860c6cf2 Francis Laniel 2021-02-25  284  	/* If we cannot get size of p and q default to call strscpy. */
311fb40aa0569a Kees Cook      2022-09-02  285  	if (p_size == SIZE_MAX && q_size == SIZE_MAX)
a28a6e860c6cf2 Francis Laniel 2021-02-25  286  		return __real_strscpy(p, q, size);
a28a6e860c6cf2 Francis Laniel 2021-02-25  287  
a28a6e860c6cf2 Francis Laniel 2021-02-25  288  	/*
a28a6e860c6cf2 Francis Laniel 2021-02-25  289  	 * If size can be known at compile time and is greater than
a28a6e860c6cf2 Francis Laniel 2021-02-25  290  	 * p_size, generate a compile time write overflow error.
a28a6e860c6cf2 Francis Laniel 2021-02-25  291  	 */
fa35198f39571b Kees Cook      2022-09-19  292  	if (__compiletime_lessthan(p_size, size))
a28a6e860c6cf2 Francis Laniel 2021-02-25 @293  		__write_overflow();
a28a6e860c6cf2 Francis Laniel 2021-02-25  294  
62e1cbfc5d7953 Kees Cook      2022-10-02  295  	/* Short-circuit for compile-time known-safe lengths. */
62e1cbfc5d7953 Kees Cook      2022-10-02  296  	if (__compiletime_lessthan(p_size, SIZE_MAX)) {
62e1cbfc5d7953 Kees Cook      2022-10-02  297  		len = __compiletime_strlen(q);
62e1cbfc5d7953 Kees Cook      2022-10-02  298  
62e1cbfc5d7953 Kees Cook      2022-10-02  299  		if (len < SIZE_MAX && __compiletime_lessthan(len, size)) {
62e1cbfc5d7953 Kees Cook      2022-10-02  300  			__underlying_memcpy(p, q, len + 1);
62e1cbfc5d7953 Kees Cook      2022-10-02  301  			return len;
62e1cbfc5d7953 Kees Cook      2022-10-02  302  		}
62e1cbfc5d7953 Kees Cook      2022-10-02  303  	}
62e1cbfc5d7953 Kees Cook      2022-10-02  304  
a28a6e860c6cf2 Francis Laniel 2021-02-25  305  	/*
a28a6e860c6cf2 Francis Laniel 2021-02-25  306  	 * This call protects from read overflow, because len will default to q
a28a6e860c6cf2 Francis Laniel 2021-02-25  307  	 * length if it smaller than size.
a28a6e860c6cf2 Francis Laniel 2021-02-25  308  	 */
a28a6e860c6cf2 Francis Laniel 2021-02-25  309  	len = strnlen(q, size);
a28a6e860c6cf2 Francis Laniel 2021-02-25  310  	/*
a28a6e860c6cf2 Francis Laniel 2021-02-25  311  	 * If len equals size, we will copy only size bytes which leads to
a28a6e860c6cf2 Francis Laniel 2021-02-25  312  	 * -E2BIG being returned.
a28a6e860c6cf2 Francis Laniel 2021-02-25  313  	 * Otherwise we will copy len + 1 because of the final '\O'.
a28a6e860c6cf2 Francis Laniel 2021-02-25  314  	 */
a28a6e860c6cf2 Francis Laniel 2021-02-25  315  	len = len == size ? size : len + 1;
a28a6e860c6cf2 Francis Laniel 2021-02-25  316  
a28a6e860c6cf2 Francis Laniel 2021-02-25  317  	/*
a28a6e860c6cf2 Francis Laniel 2021-02-25  318  	 * Generate a runtime write overflow error if len is greater than
a28a6e860c6cf2 Francis Laniel 2021-02-25  319  	 * p_size.
a28a6e860c6cf2 Francis Laniel 2021-02-25  320  	 */
3d965b33e40d97 Kees Cook      2023-04-07  321  	if (p_size < len)
3d965b33e40d97 Kees Cook      2023-04-07  322  		fortify_panic(FORTIFY_FUNC_strscpy, FORTIFY_WRITE, p_size, len, -E2BIG);
a28a6e860c6cf2 Francis Laniel 2021-02-25  323  
a28a6e860c6cf2 Francis Laniel 2021-02-25  324  	/*
a28a6e860c6cf2 Francis Laniel 2021-02-25  325  	 * We can now safely call vanilla strscpy because we are protected from:
a28a6e860c6cf2 Francis Laniel 2021-02-25  326  	 * 1. Read overflow thanks to call to strnlen().
a28a6e860c6cf2 Francis Laniel 2021-02-25  327  	 * 2. Write overflow thanks to above ifs.
a28a6e860c6cf2 Francis Laniel 2021-02-25  328  	 */
a28a6e860c6cf2 Francis Laniel 2021-02-25  329  	return __real_strscpy(p, q, len);
a28a6e860c6cf2 Francis Laniel 2021-02-25  330  }
a28a6e860c6cf2 Francis Laniel 2021-02-25  331  

:::::: The code at line 293 was first introduced by commit
:::::: a28a6e860c6cf231cf3c5171c75c342adcd00406 string.h: move fortified functions definitions in a dedicated header.

:::::: TO: Francis Laniel <laniel_francis@privacyrequired.com>
:::::: CC: Linus Torvalds <torvalds@linux-foundation.org>

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki


* Fwd: [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
From: Paul Moore @ 2024-10-17 14:48 UTC (permalink / raw)
  To: Yafang Shao, linux-hardening; +Cc: Kees Cook

I'm not sure why the kernel test robot only sent this to me, but this
looks to be a strscpy() issue rather than an audit specific issue.

---------- Forwarded message ---------
From: kernel test robot <lkp@intel.com>
Date: Thu, Oct 17, 2024 at 2:29 AM
Subject: [linux-next:master 4380/4439]
include/linux/fortify-string.h:293:17: error: call to
'__write_overflow' declared with attribute error: detected write
beyond size of object (1st parameter)
To: Paul Moore <paul@paul-moore.com>
Cc: <oe-kbuild-all@lists.linux.dev>




-- 
paul-moore.com


* Re: Fwd: [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
From: Kees Cook @ 2024-10-17 16:07 UTC (permalink / raw)
  To: Paul Moore; +Cc: Yafang Shao, linux-hardening

On Thu, Oct 17, 2024 at 10:48:04AM -0400, Paul Moore wrote:
> I'm not sure why the kernel test robot only sent this to me, but this
> looks to be a strscpy() issue rather than an audit specific issue.
> 
> ---------- Forwarded message ---------
> From: kernel test robot <lkp@intel.com>
> Date: Thu, Oct 17, 2024 at 2:29 AM
> Subject: [linux-next:master 4380/4439]
> include/linux/fortify-string.h:293:17: error: call to
> '__write_overflow' declared with attribute error: detected write
> beyond size of object (1st parameter)
> To: Paul Moore <paul@paul-moore.com>
> Cc: <oe-kbuild-all@lists.linux.dev>
> 
> 
> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
> master
> head:   15e7d45e786a62a211dd0098fee7c57f84f8c681
> commit: dfdb07df2ab66ff4fd2f82039e871e7ab922dc81 [4380/4439] Merge
> branch 'next' of
> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
> config: x86_64-randconfig-005-20241017
> (https://download.01.org/0day-ci/archive/20241017/202410171420.1V00ICVG-lkp@intel.com/config)
> compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
> reproduce (this is a W=1 build):
> (https://download.01.org/0day-ci/archive/20241017/202410171420.1V00ICVG-lkp@intel.com/reproduce)
> 
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202410171420.1V00ICVG-lkp@intel.com/
> 
> All errors (new ones prefixed by >>):
> 
>    In file included from include/linux/string.h:390,
>                     from include/linux/bitmap.h:13,
>                     from include/linux/cpumask.h:12,
>                     from include/linux/smp.h:13,
>                     from include/linux/lockdep.h:14,
>                     from include/linux/spinlock.h:63,
>                     from include/linux/wait.h:9,
>                     from include/linux/wait_bit.h:8,
>                     from include/linux/fs.h:6,
>                     from kernel/auditsc.c:37:
>    In function 'sized_strscpy',
>        inlined from '__audit_ptrace' at kernel/auditsc.c:2732:2:
> >> include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
>      293 |                 __write_overflow();
>          |                 ^~~~~~~~~~~~~~~~~~

This is a compile-time bounds check. Let's take a look:

void __audit_ptrace(struct task_struct *t)
{
        struct audit_context *context = audit_context();
	...
        strscpy(context->target_comm, t->comm);


struct audit_context {
	...
        char                target_comm[TASK_COMM_LEN];

struct task_struct {
	...
        char                            comm[TASK_COMM_LEN];

So this should be impossible, since the strscpy() check is:

#define __member_size(p)        __builtin_object_size(p, 1)
...
#define __compiletime_lessthan(bounds, length)  (       \
        __builtin_constant_p((bounds) < (length)) &&    \
        (bounds) < (length)                             \
)
...
        const size_t p_size = __member_size(p);
	...
        if (__compiletime_lessthan(p_size, size))
                __write_overflow();

This test should resolve to:

	if (TASK_COMM_LEN < TASK_COMM_LEN)
                __write_overflow();

I can reproduce this with the randconfig linked above, but not with
allmodconfig nor defconfig+CONFIG_FORTIFY_SOURCE.

Something in the .config is causing the error. (!?) I will start a
CONFIG bisect...

-- 
Kees Cook
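
The bounds check walked through in the message above, modelled in userspace C as an added example (not code from the thread or the kernel tree). It reuses the two quoted macros with the leading underscores dropped; every `_demo` name and the struct layout are constructed for illustration, and the sizes in the comments assume a 4-byte `unsigned int`.

```c
#include <stddef.h>
#include <string.h>

#define TASK_COMM_LEN 16

/* The two macros quoted in the thread, leading underscores dropped. */
#define member_size(p) __builtin_object_size(p, 1)
#define compiletime_lessthan(bounds, length) (		\
	__builtin_constant_p((bounds) < (length)) &&	\
	(bounds) < (length)				\
)

/* Constructed stand-in for struct audit_context (hypothetical layout). */
struct audit_context_demo {
	unsigned int target_pid;
	char target_comm[TASK_COMM_LEN];
	unsigned int target_sessionid;	/* directly follows target_comm */
};
static struct audit_context_demo ctx_demo;
static const char comm_demo[TASK_COMM_LEN] = "kworker/0:1";	/* like t->comm */

enum copy_result { COPY_OK, COPY_TRUNCATED, COPY_REFUSED };

/* Bytes a strscpy()-style copy writes, NUL included, capped at size. */
static size_t write_len_demo(const char *q, size_t size)
{
	const char *nul = memchr(q, '\0', size);
	return nul ? (size_t)(nul - q) + 1 : size;
}

/* Runtime half of the check; the kernel calls fortify_panic() where this refuses. */
static enum copy_result checked_copy_demo(char *p, size_t p_size,
					  const char *q, size_t size)
{
	size_t len = write_len_demo(q, size);
	if (p_size < len)
		return COPY_REFUSED;
	if (len == 0)
		return COPY_TRUNCATED;
	memcpy(p, q, len - 1);
	p[len - 1] = '\0';
	return memchr(q, '\0', size) ? COPY_OK : COPY_TRUNCATED;
}

/* Capture the destination size at the call site, as the inlined helper does. */
#define fortified_copy_demo(dst, src, size) \
	checked_copy_demo((dst), member_size(dst), (src), (size))

size_t comm_member_size_demo(void) { return member_size(ctx_demo.target_comm); }
size_t comm_enclosing_size_demo(void) { return __builtin_object_size(ctx_demo.target_comm, 0); }

/* strscpy(dst, src) on two TASK_COMM_LEN arrays: the test is 16 < 16, never true. */
int same_size_flagged_demo(void)
{
	return compiletime_lessthan(member_size(ctx_demo.target_comm), sizeof(comm_demo));
}

enum copy_result copy_comm_demo(void)
{
	return fortified_copy_demo(ctx_demo.target_comm, comm_demo, sizeof(comm_demo));
}

/* 23 characters + NUL offered with size 24: refused, because 16 < 24. */
enum copy_result copy_long_demo(void)
{
	static const char long_name[] = "a-name-longer-than-comm";
	return fortified_copy_demo(ctx_demo.target_comm, long_name, sizeof(long_name));
}

/* An 18-byte write passes the mode-0 (enclosing object) bound of 20 and would
 * spill into target_sessionid; only the mode-1 member bound of 16 refuses it. */
int enclosing_size_would_miss_demo(void)
{
	static const char name[20] = "seventeen-chars-x";
	size_t len = write_len_demo(name, sizeof(name));
	return comm_member_size_demo() < len && !(comm_enclosing_size_demo() < len);
}

int main(void)
{
	return !(copy_comm_demo() == COPY_OK && copy_long_demo() == COPY_REFUSED &&
		 enclosing_size_would_miss_demo());
}
```

Builds with gcc or clang; the process exits 0 when the three runtime outcomes match the comments.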


* Re: Fwd: [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
From: Kees Cook @ 2024-10-17 16:23 UTC (permalink / raw)
  To: Paul Moore; +Cc: Yafang Shao, linux-hardening

On Thu, Oct 17, 2024 at 09:07:13AM -0700, Kees Cook wrote:
> Something in the .config is causing the error. (!?) I will start a
> CONFIG bisect...

Well, I did a code bisect first, and it reported this which makes _no_
sense:
8afd8c8faa24 ("lsm: remove lsm_prop scaffolding")

O_o

-- 
Kees Cook


* Re: Fwd: [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
From: Kees Cook @ 2024-10-17 16:48 UTC (permalink / raw)
  To: Paul Moore; +Cc: Yafang Shao, linux-hardening

On Thu, Oct 17, 2024 at 09:23:25AM -0700, Kees Cook wrote:
> On Thu, Oct 17, 2024 at 09:07:13AM -0700, Kees Cook wrote:
> > Something in the .config is causing the error. (!?) I will start a
> > CONFIG bisect...
> 
> Well, I did a code bisect first, and it reported this which makes _no_
> sense:
> 8afd8c8faa24 ("lsm: remove lsm_prop scaffolding")
> 
> O_o

Looks like a GCC inlining bug. If I query the size of the destination
buffer before calling strscpy the warning magically vanishes. :|

Lovely. I will see if I can construct a work-around.

-- 
Kees Cook


* Re: Fwd: [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
From: Kees Cook @ 2024-10-17 18:00 UTC (permalink / raw)
  To: Paul Moore; +Cc: Yafang Shao, linux-hardening

On Thu, Oct 17, 2024 at 09:48:18AM -0700, Kees Cook wrote:
> On Thu, Oct 17, 2024 at 09:23:25AM -0700, Kees Cook wrote:
> > On Thu, Oct 17, 2024 at 09:07:13AM -0700, Kees Cook wrote:
> > > Something in the .config is causing the error. (!?) I will start a
> > > CONFIG bisect...
> > 
> > Well, I did a code bisect first, and it reported this which makes _no_
> > sense:
> > 8afd8c8faa24 ("lsm: remove lsm_prop scaffolding")
> > 
> > O_o
> 
> Looks like a GCC inlining bug. If I query the size of the destination
> buffer before calling strscpy the warning magically vanishes. :|
> 
> Lovely. I will see if I can construct a work-around.

I am extremely bothered that this fixes it:

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index bc052b4b5a1d..891f4294361d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2728,8 +2728,8 @@ void __audit_ptrace(struct task_struct *t)
 	context->target_auid = audit_get_loginuid(t);
 	context->target_uid = task_uid(t);
 	context->target_sessionid = audit_get_sessionid(t);
-	security_task_getlsmprop_obj(t, &context->target_ref);
 	strscpy(context->target_comm, t->comm);
+	security_task_getlsmprop_obj(t, &context->target_ref);
 }
 
 /**
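Review bot: In __audit_ptrace(), nothing at the moved strscpy(context->target_comm, t->comm) line records that it has to stay ahead of security_task_getlsmprop_obj(); the two calls look independent, so a later cleanup can put them back in the old order without anyone noticing. Suggest a short comment directly above the strscpy() stating that the ordering is deliberate and what it works around, so the constraint lives in the source and not only in the changelog.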
@@ -2755,8 +2755,8 @@ int audit_signal_info_syscall(struct task_struct *t)
 		ctx->target_auid = audit_get_loginuid(t);
 		ctx->target_uid = t_uid;
 		ctx->target_sessionid = audit_get_sessionid(t);
-		security_task_getlsmprop_obj(t, &ctx->target_ref);
 		strscpy(ctx->target_comm, t->comm);
+		security_task_getlsmprop_obj(t, &ctx->target_ref);
 		return 0;
 	}
 
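Review bot: audit_signal_info_syscall() now carries the same order-sensitive pair as __audit_ptrace(), strscpy(ctx->target_comm, t->comm) followed by security_task_getlsmprop_obj(t, &ctx->target_ref), in a second place. Both sites fill the same target_* fields, so consider a small static helper that does the comm copy and the LSM lookup in the required order; that leaves one place to document the ordering and one place to revert it later.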

I will continue trying to figure out why GCC is getting confused here,
but in the meantime, perhaps this is a viable workaround?

-- 
Kees Cook


* Re: Fwd: [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
From: Yafang Shao @ 2024-10-21  3:48 UTC (permalink / raw)
  To: Kees Cook; +Cc: Paul Moore, linux-hardening

On Fri, Oct 18, 2024 at 2:00 AM Kees Cook <kees@kernel.org> wrote:
>
> On Thu, Oct 17, 2024 at 09:48:18AM -0700, Kees Cook wrote:
> > On Thu, Oct 17, 2024 at 09:23:25AM -0700, Kees Cook wrote:
> > > On Thu, Oct 17, 2024 at 09:07:13AM -0700, Kees Cook wrote:
> > > > Something in the .config is causing the error. (!?) I will start a
> > > > CONFIG bisect...
> > >
> > > Well, I did a code bisect first, and it reported this which makes _no_
> > > sense:
> > > 8afd8c8faa24 ("lsm: remove lsm_prop scaffolding")
> > >
> > > O_o
> >
> > Looks like a GCC inlining bug. If I query the size of the destination
> > buffer before calling strscpy the warning magically vanishes. :|
> >
> > Lovely. I will see if I can construct a work-around.
>
> I am extremely bothered that this fixes it:
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index bc052b4b5a1d..891f4294361d 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2728,8 +2728,8 @@ void __audit_ptrace(struct task_struct *t)
>         context->target_auid = audit_get_loginuid(t);
>         context->target_uid = task_uid(t);
>         context->target_sessionid = audit_get_sessionid(t);
> -       security_task_getlsmprop_obj(t, &context->target_ref);
>         strscpy(context->target_comm, t->comm);
> +       security_task_getlsmprop_obj(t, &context->target_ref);
>  }
>
>  /**
> @@ -2755,8 +2755,8 @@ int audit_signal_info_syscall(struct task_struct *t)
>                 ctx->target_auid = audit_get_loginuid(t);
>                 ctx->target_uid = t_uid;
>                 ctx->target_sessionid = audit_get_sessionid(t);
> -               security_task_getlsmprop_obj(t, &ctx->target_ref);
>                 strscpy(ctx->target_comm, t->comm);
> +               security_task_getlsmprop_obj(t, &ctx->target_ref);
>                 return 0;
>         }
>
>
> I will continue trying to figure out why GCC is getting confused here,
> but in the meantime, perhaps this is a viable workaround?

Thank you for the analysis. I was able to reproduce the issue with GCC
11 and confirmed that your change resolves it. While this does appear
to be a GCC bug, identifying the root cause may not be
straightforward. I agree that a workaround is the best approach for
now.

Feel free to include your change.

Tested-by: Yafang Shao <laoar.shao@gmail.com>


--
Regards
Yafang
