* [PATCH] lkdtm/fortify: Drop unneeded FORTIFY_STR_OBJECT test
@ 2026-03-24 2:07 Kees Cook
From: Kees Cook @ 2026-03-24 2:07 UTC (permalink / raw)
To: Arnd Bergmann
Cc: Kees Cook, Greg Kroah-Hartman, Shuah Khan, linux-kernel,
linux-kselftest, linux-hardening
The str* family of fortified functions have all used member-sized limits
for a while now, so the FORTIFY_STR_OBJECT test is redundant with
FORTIFY_STR_MEMBER. While here, replace the strncpy() use with strscpy(),
as strncpy() is being removed.
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/lkdtm/fortify.c | 36 +++++--------------------
tools/testing/selftests/lkdtm/tests.txt | 1 -
2 files changed, 6 insertions(+), 31 deletions(-)
diff --git a/drivers/misc/lkdtm/fortify.c b/drivers/misc/lkdtm/fortify.c
index 00ed2147113e..7615a02dfc47 100644
--- a/drivers/misc/lkdtm/fortify.c
+++ b/drivers/misc/lkdtm/fortify.c
@@ -10,30 +10,6 @@
static volatile int fortify_scratch_space;
-static void lkdtm_FORTIFY_STR_OBJECT(void)
-{
- struct target {
- char a[10];
- int foo;
- } target[3] = {};
- /*
- * Using volatile prevents the compiler from determining the value of
- * 'size' at compile time. Without that, we would get a compile error
- * rather than a runtime error.
- */
- volatile int size = 20;
-
- pr_info("trying to strcmp() past the end of a struct\n");
-
- strncpy(target[0].a, target[1].a, size);
-
- /* Store result to global to prevent the code from being eliminated */
- fortify_scratch_space = target[0].a[3];
-
- pr_err("FAIL: fortify did not block a strncpy() object write overflow!\n");
- pr_expected_config(CONFIG_FORTIFY_SOURCE);
-}
-
static void lkdtm_FORTIFY_STR_MEMBER(void)
{
struct target {
@@ -47,22 +23,23 @@ static void lkdtm_FORTIFY_STR_MEMBER(void)
if (!src)
return;
+ /* 15 bytes: past end of a[] but not target. */
strscpy(src, "over ten bytes", size);
size = strlen(src) + 1;
- pr_info("trying to strncpy() past the end of a struct member...\n");
+ pr_info("trying to strscpy() past the end of a struct member...\n");
/*
- * strncpy(target.a, src, 20); will hit a compile error because the
- * compiler knows at build time that target.a < 20 bytes. Use a
+ * strscpy(target.a, src, 15); will hit a compile error because the
+ * compiler knows at build time that target.a < 15 bytes. Use a
* volatile to force a runtime error.
*/
- strncpy(target.a, src, size);
+ strscpy(target.a, src, size);
/* Store result to global to prevent the code from being eliminated */
fortify_scratch_space = target.a[3];
- pr_err("FAIL: fortify did not block a strncpy() struct member write overflow!\n");
+ pr_err("FAIL: fortify did not block a strscpy() struct member write overflow!\n");
pr_expected_config(CONFIG_FORTIFY_SOURCE);
kfree(src);
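Review bot: The new comment `/* 15 bytes: past end of a[] but not target. */` sits above the `strscpy(src, "over ten bytes", size)` that fills the heap buffer, while the overflow it describes happens at the later `strscpy(target.a, src, size)`, and the 15 silently depends on the length of the string literal. I would spell out the derivation where it is used, for example `/* "over ten bytes" + NUL is 15 bytes: larger than target.a, smaller than struct target. */` next to `size = strlen(src) + 1;`. It may also be worth one line noting that, unlike the strncpy() it replaces, a fortified strscpy() presumably bounds the write by the source length as well as by `size`, so the test only traps while the literal stays longer than a[]; confirm against the fortify header. The function's declarations (struct target, the initial `size`, the allocation of src) are outside the hunk, so the array sizes here are taken from the comments rather than checked.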
@@ -210,7 +187,6 @@ static void lkdtm_FORTIFY_STRSCPY(void)
}
static struct crashtype crashtypes[] = {
- CRASHTYPE(FORTIFY_STR_OBJECT),
CRASHTYPE(FORTIFY_STR_MEMBER),
CRASHTYPE(FORTIFY_MEM_OBJECT),
CRASHTYPE(FORTIFY_MEM_MEMBER),
diff --git a/tools/testing/selftests/lkdtm/tests.txt b/tools/testing/selftests/lkdtm/tests.txt
index e62b85b591be..3245032db34d 100644
--- a/tools/testing/selftests/lkdtm/tests.txt
+++ b/tools/testing/selftests/lkdtm/tests.txt
@@ -82,7 +82,6 @@ STACKLEAK_ERASING OK: the rest of the thread stack is properly erased
CFI_FORWARD_PROTO
CFI_BACKWARD call trace:|ok: control flow unchanged
FORTIFY_STRSCPY detected buffer overflow
-FORTIFY_STR_OBJECT detected buffer overflow
FORTIFY_STR_MEMBER detected buffer overflow
FORTIFY_MEM_OBJECT detected buffer overflow
FORTIFY_MEM_MEMBER detected field-spanning write
--
2.34.1