* [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
@ 2024-10-17 6:28 kernel test robot
2024-10-17 14:48 ` Fwd: " Paul Moore
0 siblings, 1 reply; 7+ messages in thread
From: kernel test robot @ 2024-10-17 6:28 UTC (permalink / raw)
To: Paul Moore; +Cc: oe-kbuild-all
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head: 15e7d45e786a62a211dd0098fee7c57f84f8c681
commit: dfdb07df2ab66ff4fd2f82039e871e7ab922dc81 [4380/4439] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
config: x86_64-randconfig-005-20241017 (https://download.01.org/0day-ci/archive/20241017/202410171420.1V00ICVG-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241017/202410171420.1V00ICVG-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410171420.1V00ICVG-lkp@intel.com/
All errors (new ones prefixed by >>):
In file included from include/linux/string.h:390,
from include/linux/bitmap.h:13,
from include/linux/cpumask.h:12,
from include/linux/smp.h:13,
from include/linux/lockdep.h:14,
from include/linux/spinlock.h:63,
from include/linux/wait.h:9,
from include/linux/wait_bit.h:8,
from include/linux/fs.h:6,
from kernel/auditsc.c:37:
In function 'sized_strscpy',
inlined from '__audit_ptrace' at kernel/auditsc.c:2732:2:
>> include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
293 | __write_overflow();
| ^~~~~~~~~~~~~~~~~~
In function 'sized_strscpy',
inlined from 'audit_signal_info_syscall' at kernel/auditsc.c:2759:3:
>> include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
293 | __write_overflow();
| ^~~~~~~~~~~~~~~~~~
vim +/__write_overflow +293 include/linux/fortify-string.h
a28a6e860c6cf2 Francis Laniel 2021-02-25 274
03699f271de1f4 Kees Cook 2022-09-02 275 /* Defined after fortified strnlen() to reuse it. */
e6584c3964f2ff Kees Cook 2023-09-20 276 extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(sized_strscpy);
e6584c3964f2ff Kees Cook 2023-09-20 277 __FORTIFY_INLINE ssize_t sized_strscpy(char * const POS p, const char * const POS q, size_t size)
a28a6e860c6cf2 Francis Laniel 2021-02-25 278 {
a28a6e860c6cf2 Francis Laniel 2021-02-25 279 /* Use string size rather than possible enclosing struct size. */
21a2c74b0a2a78 Kees Cook 2023-04-07 280 const size_t p_size = __member_size(p);
21a2c74b0a2a78 Kees Cook 2023-04-07 281 const size_t q_size = __member_size(q);
21a2c74b0a2a78 Kees Cook 2023-04-07 282 size_t len;
a28a6e860c6cf2 Francis Laniel 2021-02-25 283
a28a6e860c6cf2 Francis Laniel 2021-02-25 284 /* If we cannot get size of p and q default to call strscpy. */
311fb40aa0569a Kees Cook 2022-09-02 285 if (p_size == SIZE_MAX && q_size == SIZE_MAX)
a28a6e860c6cf2 Francis Laniel 2021-02-25 286 return __real_strscpy(p, q, size);
a28a6e860c6cf2 Francis Laniel 2021-02-25 287
a28a6e860c6cf2 Francis Laniel 2021-02-25 288 /*
a28a6e860c6cf2 Francis Laniel 2021-02-25 289 * If size can be known at compile time and is greater than
a28a6e860c6cf2 Francis Laniel 2021-02-25 290 * p_size, generate a compile time write overflow error.
a28a6e860c6cf2 Francis Laniel 2021-02-25 291 */
fa35198f39571b Kees Cook 2022-09-19 292 if (__compiletime_lessthan(p_size, size))
a28a6e860c6cf2 Francis Laniel 2021-02-25 @293 __write_overflow();
a28a6e860c6cf2 Francis Laniel 2021-02-25 294
62e1cbfc5d7953 Kees Cook 2022-10-02 295 /* Short-circuit for compile-time known-safe lengths. */
62e1cbfc5d7953 Kees Cook 2022-10-02 296 if (__compiletime_lessthan(p_size, SIZE_MAX)) {
62e1cbfc5d7953 Kees Cook 2022-10-02 297 len = __compiletime_strlen(q);
62e1cbfc5d7953 Kees Cook 2022-10-02 298
62e1cbfc5d7953 Kees Cook 2022-10-02 299 if (len < SIZE_MAX && __compiletime_lessthan(len, size)) {
62e1cbfc5d7953 Kees Cook 2022-10-02 300 __underlying_memcpy(p, q, len + 1);
62e1cbfc5d7953 Kees Cook 2022-10-02 301 return len;
62e1cbfc5d7953 Kees Cook 2022-10-02 302 }
62e1cbfc5d7953 Kees Cook 2022-10-02 303 }
62e1cbfc5d7953 Kees Cook 2022-10-02 304
a28a6e860c6cf2 Francis Laniel 2021-02-25 305 /*
a28a6e860c6cf2 Francis Laniel 2021-02-25 306 * This call protects from read overflow, because len will default to q
a28a6e860c6cf2 Francis Laniel 2021-02-25 307 * length if it smaller than size.
a28a6e860c6cf2 Francis Laniel 2021-02-25 308 */
a28a6e860c6cf2 Francis Laniel 2021-02-25 309 len = strnlen(q, size);
a28a6e860c6cf2 Francis Laniel 2021-02-25 310 /*
a28a6e860c6cf2 Francis Laniel 2021-02-25 311 * If len equals size, we will copy only size bytes which leads to
a28a6e860c6cf2 Francis Laniel 2021-02-25 312 * -E2BIG being returned.
a28a6e860c6cf2 Francis Laniel 2021-02-25 313 * Otherwise we will copy len + 1 because of the final '\O'.
a28a6e860c6cf2 Francis Laniel 2021-02-25 314 */
a28a6e860c6cf2 Francis Laniel 2021-02-25 315 len = len == size ? size : len + 1;
a28a6e860c6cf2 Francis Laniel 2021-02-25 316
a28a6e860c6cf2 Francis Laniel 2021-02-25 317 /*
a28a6e860c6cf2 Francis Laniel 2021-02-25 318 * Generate a runtime write overflow error if len is greater than
a28a6e860c6cf2 Francis Laniel 2021-02-25 319 * p_size.
a28a6e860c6cf2 Francis Laniel 2021-02-25 320 */
3d965b33e40d97 Kees Cook 2023-04-07 321 if (p_size < len)
3d965b33e40d97 Kees Cook 2023-04-07 322 fortify_panic(FORTIFY_FUNC_strscpy, FORTIFY_WRITE, p_size, len, -E2BIG);
a28a6e860c6cf2 Francis Laniel 2021-02-25 323
a28a6e860c6cf2 Francis Laniel 2021-02-25 324 /*
a28a6e860c6cf2 Francis Laniel 2021-02-25 325 * We can now safely call vanilla strscpy because we are protected from:
a28a6e860c6cf2 Francis Laniel 2021-02-25 326 * 1. Read overflow thanks to call to strnlen().
a28a6e860c6cf2 Francis Laniel 2021-02-25 327 * 2. Write overflow thanks to above ifs.
a28a6e860c6cf2 Francis Laniel 2021-02-25 328 */
a28a6e860c6cf2 Francis Laniel 2021-02-25 329 return __real_strscpy(p, q, len);
a28a6e860c6cf2 Francis Laniel 2021-02-25 330 }
a28a6e860c6cf2 Francis Laniel 2021-02-25 331
:::::: The code at line 293 was first introduced by commit
:::::: a28a6e860c6cf231cf3c5171c75c342adcd00406 string.h: move fortified functions definitions in a dedicated header.
:::::: TO: Francis Laniel <laniel_francis@privacyrequired.com>
:::::: CC: Linus Torvalds <torvalds@linux-foundation.org>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Fwd: [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
From: Paul Moore @ 2024-10-17 14:48 UTC (permalink / raw)
To: Yafang Shao, linux-hardening; +Cc: Kees Cook
I'm not sure why the kernel test robot only sent this to me, but this
looks to be a strscpy() issue rather than an audit specific issue.
--
paul-moore.com
* Re: Fwd: [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
From: Kees Cook @ 2024-10-17 16:07 UTC (permalink / raw)
To: Paul Moore; +Cc: Yafang Shao, linux-hardening
On Thu, Oct 17, 2024 at 10:48:04AM -0400, Paul Moore wrote:
> I'm not sure why the kernel test robot only sent this to me, but this
> looks to be a strscpy() issue rather than an audit specific issue.
>
> ---------- Forwarded message ---------
> From: kernel test robot <lkp@intel.com>
> Date: Thu, Oct 17, 2024 at 2:29 AM
> Subject: [linux-next:master 4380/4439]
> include/linux/fortify-string.h:293:17: error: call to
> '__write_overflow' declared with attribute error: detected write
> beyond size of object (1st parameter)
> To: Paul Moore <paul@paul-moore.com>
> Cc: <oe-kbuild-all@lists.linux.dev>
>
>
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
> master
> head: 15e7d45e786a62a211dd0098fee7c57f84f8c681
> commit: dfdb07df2ab66ff4fd2f82039e871e7ab922dc81 [4380/4439] Merge
> branch 'next' of
> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
> config: x86_64-randconfig-005-20241017
> (https://download.01.org/0day-ci/archive/20241017/202410171420.1V00ICVG-lkp@intel.com/config)
> compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
> reproduce (this is a W=1 build):
> (https://download.01.org/0day-ci/archive/20241017/202410171420.1V00ICVG-lkp@intel.com/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202410171420.1V00ICVG-lkp@intel.com/
>
> All errors (new ones prefixed by >>):
>
> In file included from include/linux/string.h:390,
> from include/linux/bitmap.h:13,
> from include/linux/cpumask.h:12,
> from include/linux/smp.h:13,
> from include/linux/lockdep.h:14,
> from include/linux/spinlock.h:63,
> from include/linux/wait.h:9,
> from include/linux/wait_bit.h:8,
> from include/linux/fs.h:6,
> from kernel/auditsc.c:37:
> In function 'sized_strscpy',
> inlined from '__audit_ptrace' at kernel/auditsc.c:2732:2:
> >> include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
> 293 | __write_overflow();
> | ^~~~~~~~~~~~~~~~~~

This is a compile-time bounds check. Let's take a look:

void __audit_ptrace(struct task_struct *t)
{
	struct audit_context *context = audit_context();
	...
	strscpy(context->target_comm, t->comm);

struct audit_context {
	...
	char target_comm[TASK_COMM_LEN];

struct task_struct {
	...
	char comm[TASK_COMM_LEN];

So this should be impossible, since the strscpy() check is:

#define __member_size(p)	__builtin_object_size(p, 1)
...
#define __compiletime_lessthan(bounds, length)	(	\
	__builtin_constant_p((bounds) < (length)) &&	\
	(bounds) < (length)				\
)
...
	const size_t p_size = __member_size(p);
	...
	if (__compiletime_lessthan(p_size, size))
		__write_overflow();

This test should resolve to:

	if (TASK_COMM_LEN < TASK_COMM_LEN)
		__write_overflow();

I can reproduce this with the randconfig linked above, but not with
allmodconfig nor defconfig+CONFIG_FORTIFY_SOURCE.

Something in the .config is causing the error. (!?) I will start a
CONFIG bisect...

--
Kees Cook
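
The check discussed in the message above, as an added user-space example that is not part of the thread or of the kernel source: it evaluates the two quoted macros on a 16-byte member and models the run-time half of sized_strscpy() to show what a wrongly derived destination bound would trigger. `ctx_model`, `task_model`, `model_strscpy()`, `copy_comm_with_bound()`, `WOULD_PANIC` and the sample comm string are constructed for illustration, and the builtins assume GCC or Clang.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define TASK_COMM_LEN 16
#define WOULD_PANIC (-1000) /* constructed sentinel standing in for fortify_panic() */

/* Constructed stand-ins for the kernel structures quoted in the message. */
struct ctx_model  { int target_pid; char target_comm[TASK_COMM_LEN]; int target_ref; };
struct task_model { char comm[TASK_COMM_LEN]; int pid; };

static struct ctx_model  g_ctx;
static struct task_model g_task = { .comm = "kworker/0:1" }; /* constructed sample */

/* The two definitions quoted from fortify-string.h. */
#define member_size(p) __builtin_object_size(p, 1)
#define compiletime_lessthan(bounds, length) ( \
	__builtin_constant_p((bounds) < (length)) && \
	(bounds) < (length) \
)

/* Mode 1 is bounded by the array member; mode 0 by the enclosing object. */
size_t dst_member_size(void)    { return member_size(g_ctx.target_comm); }
size_t dst_enclosing_size(void) { return __builtin_object_size(g_ctx.target_comm, 0); }

/*
 * The line-293 condition for strscpy(dst, src), where size is sizeof(dst).
 * 16 < 16 is false, and an unknown bound (SIZE_MAX) is never below size,
 * so this can only be 1 if the compiler derives a bound smaller than the array.
 */
int same_size_check_fires(void)
{
	return compiletime_lessthan(member_size(g_ctx.target_comm),
				    sizeof(g_ctx.target_comm));
}

/* Run-time half of sized_strscpy(), with p_size supplied by the caller. */
ssize_t model_strscpy(char *p, size_t p_size, const char *q, size_t size)
{
	size_t n = 0, len;

	if (size == 0)
		return -E2BIG;
	while (n < size && q[n] != '\0')	/* bounded length, like strnlen() */
		n++;
	len = (n == size) ? size : n + 1;	/* bytes written, NUL included */
	if (p_size < len)
		return WOULD_PANIC;
	memcpy(p, q, len - 1);
	p[len - 1] = '\0';
	return (n == size) ? -E2BIG : (ssize_t)n;
}

/* Copy the task comm into the audit context under a given destination bound. */
ssize_t copy_comm_with_bound(size_t p_size)
{
	return model_strscpy(g_ctx.target_comm, p_size, g_task.comm,
			     sizeof(g_ctx.target_comm));
}

int main(void)
{
	printf("member size (mode 1): %zu\n", dst_member_size());
	printf("enclosing size (mode 0): %zu\n", dst_enclosing_size());
	printf("compile-time check fires: %d\n", same_size_check_fires());
	printf("copy, bound 16: %zd\n", copy_comm_with_bound(TASK_COMM_LEN));
	printf("copy, bound 8: %zd\n", copy_comm_with_bound(8));
	return 0;
}
```
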
* Re: Fwd: [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
From: Kees Cook @ 2024-10-17 16:23 UTC (permalink / raw)
To: Paul Moore; +Cc: Yafang Shao, linux-hardening
On Thu, Oct 17, 2024 at 09:07:13AM -0700, Kees Cook wrote:
> Something in the .config is causing the error. (!?) I will start a
> CONFIG bisect...
Well, I did a code bisect first, and it reported this which makes _no_
sense:
8afd8c8faa24 ("lsm: remove lsm_prop scaffolding")
O_o
--
Kees Cook
* Re: Fwd: [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
From: Kees Cook @ 2024-10-17 16:48 UTC (permalink / raw)
To: Paul Moore; +Cc: Yafang Shao, linux-hardening
On Thu, Oct 17, 2024 at 09:23:25AM -0700, Kees Cook wrote:
> On Thu, Oct 17, 2024 at 09:07:13AM -0700, Kees Cook wrote:
> > Something in the .config is causing the error. (!?) I will start a
> > CONFIG bisect...
>
> Well, I did a code bisect first, and it reported this which makes _no_
> sense:
> 8afd8c8faa24 ("lsm: remove lsm_prop scaffolding")
>
> O_o
Looks like a GCC inlining bug. If I query the size of the destination
buffer before calling strscpy the warning magically vanishes. :|
Lovely. I will see if I can construct a work-around.
--
Kees Cook
* Re: Fwd: [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
From: Kees Cook @ 2024-10-17 18:00 UTC (permalink / raw)
To: Paul Moore; +Cc: Yafang Shao, linux-hardening
On Thu, Oct 17, 2024 at 09:48:18AM -0700, Kees Cook wrote:
> On Thu, Oct 17, 2024 at 09:23:25AM -0700, Kees Cook wrote:
> > On Thu, Oct 17, 2024 at 09:07:13AM -0700, Kees Cook wrote:
> > > Something in the .config is causing the error. (!?) I will start a
> > > CONFIG bisect...
> >
> > Well, I did a code bisect first, and it reported this which makes _no_
> > sense:
> > 8afd8c8faa24 ("lsm: remove lsm_prop scaffolding")
> >
> > O_o
>
> Looks like a GCC inlining bug. If I query the size of the destination
> buffer before calling strscpy the warning magically vanishes. :|
>
> Lovely. I will see if I can construct a work-around.
I am extremely bothered that this fixes it:
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index bc052b4b5a1d..891f4294361d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2728,8 +2728,8 @@ void __audit_ptrace(struct task_struct *t)
context->target_auid = audit_get_loginuid(t);
context->target_uid = task_uid(t);
context->target_sessionid = audit_get_sessionid(t);
- security_task_getlsmprop_obj(t, &context->target_ref);
strscpy(context->target_comm, t->comm);
+ security_task_getlsmprop_obj(t, &context->target_ref);
}
/**
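Review bot: in __audit_ptrace() the new position of strscpy(context->target_comm, t->comm) ahead of security_task_getlsmprop_obj() carries no comment saying that the order matters for the build. Nothing in the two lines suggests a dependency, since one writes target_comm and the other takes &context->target_ref, so a later cleanup could swap them back and bring the __write_overflow error back with it. Suggest a short comment above the strscpy() call stating that the ordering works around a compiler false positive in the FORTIFY check.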
@@ -2755,8 +2755,8 @@ int audit_signal_info_syscall(struct task_struct *t)
ctx->target_auid = audit_get_loginuid(t);
ctx->target_uid = t_uid;
ctx->target_sessionid = audit_get_sessionid(t);
- security_task_getlsmprop_obj(t, &ctx->target_ref);
strscpy(ctx->target_comm, t->comm);
+ security_task_getlsmprop_obj(t, &ctx->target_ref);
return 0;
}
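Review bot: the matching reorder in audit_signal_info_syscall() is posted without a changelog, and the robot report asks for Reported-by and Closes tags when the fix lands as a separate commit. Suggest a commit message that names the failing configuration and compiler from the report, states that this is a workaround with no intended functional change, and carries those two tags. The ordering comment suggested for __audit_ptrace() applies to strscpy(ctx->target_comm, t->comm) here as well.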
I will continue trying to figure out why GCC is getting confused here,
but in the meantime, perhaps this is a viable workaround?
--
Kees Cook
* Re: Fwd: [linux-next:master 4380/4439] include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
From: Yafang Shao @ 2024-10-21 3:48 UTC (permalink / raw)
To: Kees Cook; +Cc: Paul Moore, linux-hardening
On Fri, Oct 18, 2024 at 2:00 AM Kees Cook <kees@kernel.org> wrote:
>
> On Thu, Oct 17, 2024 at 09:48:18AM -0700, Kees Cook wrote:
> > On Thu, Oct 17, 2024 at 09:23:25AM -0700, Kees Cook wrote:
> > > On Thu, Oct 17, 2024 at 09:07:13AM -0700, Kees Cook wrote:
> > > > Something in the .config is causing the error. (!?) I will start a
> > > > CONFIG bisect...
> > >
> > > Well, I did a code bisect first, and it reported this which makes _no_
> > > sense:
> > > 8afd8c8faa24 ("lsm: remove lsm_prop scaffolding")
> > >
> > > O_o
> >
> > Looks like a GCC inlining bug. If I query the size of the destination
> > buffer before calling strscpy the warning magically vanishes. :|
> >
> > Lovely. I will see if I can construct a work-around.
>
> I am extremely bothered that this fixes it:
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index bc052b4b5a1d..891f4294361d 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2728,8 +2728,8 @@ void __audit_ptrace(struct task_struct *t)
> context->target_auid = audit_get_loginuid(t);
> context->target_uid = task_uid(t);
> context->target_sessionid = audit_get_sessionid(t);
> - security_task_getlsmprop_obj(t, &context->target_ref);
> strscpy(context->target_comm, t->comm);
> + security_task_getlsmprop_obj(t, &context->target_ref);
> }
>
> /**
> @@ -2755,8 +2755,8 @@ int audit_signal_info_syscall(struct task_struct *t)
> ctx->target_auid = audit_get_loginuid(t);
> ctx->target_uid = t_uid;
> ctx->target_sessionid = audit_get_sessionid(t);
> - security_task_getlsmprop_obj(t, &ctx->target_ref);
> strscpy(ctx->target_comm, t->comm);
> + security_task_getlsmprop_obj(t, &ctx->target_ref);
> return 0;
> }
>
>
> I will continue trying to figure out why GCC is getting confused here,
> but in the meantime, perhaps this is a viable workaround?
Thank you for the analysis. I was able to reproduce the issue with GCC
11 and confirmed that your change resolves it. While this does appear
to be a GCC bug, identifying the root cause may not be
straightforward. I agree that a workaround is the best approach for
now.
Feel free to include your change.
Tested-by: Yafang Shao <laoar.shao@gmail.com>
--
Regards
Yafang