From: Kees Cook <keescook@chromium.org>
To: Mark Rutland <mark.rutland@arm.com>
Cc: linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 06/17] fortify: Detect struct member overflows in memcpy() at compile-time
Date: Thu, 16 Dec 2021 10:00:09 -0800 [thread overview]
Message-ID: <202112160942.01254B408@keescook> (raw)
In-Reply-To: <YbseKuBwHEfvzykO@FVFF77S0Q05N>
On Thu, Dec 16, 2021 at 11:08:26AM +0000, Mark Rutland wrote:
> On Mon, Dec 13, 2021 at 02:33:20PM -0800, Kees Cook wrote:
> > memcpy() is dead; long live memcpy()
> >
> > tl;dr: In order to eliminate a large class of common buffer overflow
> > flaws that continue to persist in the kernel, have memcpy() (under
> > CONFIG_FORTIFY_SOURCE) perform bounds checking of the destination struct
> > member when they have a known size. This would have caught all of the
> > memcpy()-related buffer write overflow flaws identified in at least the
> > last three years.
> >
>
> Hi Kees,
>
> Since there's a *lot* of context below, it's very easy to miss some key details
> (e.g. that the compile-time warnings are limited to W=1 builds). It would be
> really nice if the summary above could say something like:
Hm, I do need to write a better summary! I think there's still some
misunderstanding, and I will attempt some clarity here... :)
>
> This patch makes it possible to detect when memcpy() of a struct member may
> go past the bounds of that member. When CONFIG_FORTIFY_SOURCE=y, runtime
> checks are always emitted where the compiler cannot guarantee a memcpy() is
> safely bounded, and compile-time warnings are enabled for W=1 builds.
For GCC and Clang 14, compile-time _write_ overflow warnings are meant
to be emitted under FORTIFY_SOURCE. _read_ overflow warnings are meant
to be emitted under FORTIFY_SOURCE + W=1 (or when the same statement
also has a write overflow).
>
> This catches a large class of common buffer overflow flaws, and would have
> caught all of the memcpy()-related buffer write overflow flaws identified in
> the last three years.
>
> As an aside, since W=1 is chock-full of (IMO useless) warnings, is there any
> way to enable *just* the FORTIFY_SOURCE warnings?
To see them all (i.e. not shove some into W=1), you can remove the "W=1
or write overflow" part of the read overflow test in fortify-string.h.
e.g.:
- if ((IS_ENABLED(KBUILD_EXTRA_WARN1) || p_size_field < size) &&
- q_size_field < size)
+ if (q_size_field < size)
> I had a go at testing this on arm64, and could get build-time warnings from GCC
> 11.1.0, but not from Clang 13.0.0.
This is correct and expected due to Clang 13's lack of support for
compiletime_warning().
> No relevant warnings, but code was generated for runtime warnings:
>
> | 0000000000000000 <foo_copy>:
> | 0: d503233f paciasp
> | 4: a9bf7bfd stp x29, x30, [sp, #-16]!
> | 8: 910003fd mov x29, sp
> | c: 52800080 mov w0, #0x4 // #4
> | 10: 52800101 mov w1, #0x8 // #8
> | 14: 94000000 bl 0 <__write_overflow_field>
> | 18: 52800080 mov w0, #0x4 // #4
> | 1c: 52800101 mov w1, #0x8 // #8
> | 20: 94000000 bl 0 <__read_overflow2_field>
> | 24: 90000008 adrp x8, 8 <foo_copy+0x8>
> | 28: f9400108 ldr x8, [x8]
> | 2c: 90000009 adrp x9, 0 <foo_copy>
> | 30: f9000128 str x8, [x9]
> | 34: a8c17bfd ldp x29, x30, [sp], #16
> | 38: d50323bf autiasp
> | 3c: d65f03c0 ret
>
> Have I misunderstood how that's meant to work, or am I doing something wrong?
The generally stated requirement from Linus for these kinds of
kernel changes was to never break the build (i.e. we cannot use
compiletime_error() -- which Clang 13 falls back to with a link-time
failure).
Since this phase of the series is only compile-time warnings (not the
run-time warnings), it's rather a no-op for Clang 13. However, the final
patch in the series brings the earlier ("mode 0") FORTIFY behaviors to
Clang finally.
Clang 14 implements compiletime_warning(), so in that situation, the
warnings appear.
It's a pretty wacky Venn Diagram, and I will attempt to include some
sort of illustration for it, as the behavioral differences are complex.
-Kees
--
Kees Cook
next prev parent reply other threads:[~2021-12-16 18:00 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-13 22:33 [PATCH 00/17] Enable strict compile-time memcpy() fortify checks Kees Cook
2021-12-13 22:33 ` [PATCH 01/17] KVM: x86: Replace memset() "optimization" with normal per-field writes Kees Cook
2021-12-13 22:33 ` [PATCH 02/17] net/mlx5e: Avoid field-overflowing memcpy() Kees Cook
2021-12-13 22:33 ` [PATCH 03/17] net/mlx5e: Use struct_group() for memcpy() region Kees Cook
2021-12-13 22:33 ` [PATCH 04/17] media: omap3isp: " Kees Cook
2021-12-13 22:33 ` [PATCH 05/17] sata_fsl: " Kees Cook
2021-12-13 22:33 ` [PATCH 06/17] fortify: Detect struct member overflows in memcpy() at compile-time Kees Cook
2021-12-16 11:08 ` Mark Rutland
2021-12-16 11:21 ` Mark Rutland
2021-12-16 18:00 ` Kees Cook [this message]
2021-12-17 13:34 ` Mark Rutland
2021-12-13 22:33 ` [PATCH 07/17] fortify: Detect struct member overflows in memmove() " Kees Cook
2021-12-13 22:33 ` [PATCH 08/17] ath11k: Use memset_startat() for clearing queue descriptors Kees Cook
2021-12-14 6:02 ` Kalle Valo
2021-12-14 15:46 ` Kalle Valo
2021-12-14 17:05 ` Kees Cook
2021-12-16 13:50 ` Kalle Valo
2021-12-13 22:33 ` [PATCH 09/17] RDMA/mlx5: Use memset_after() to zero struct mlx5_ib_mr Kees Cook
2021-12-13 22:33 ` [PATCH 10/17] drbd: Use struct_group() to zero algs Kees Cook
2021-12-13 22:33 ` [PATCH 11/17] dm integrity: Use struct_group() to zero struct journal_sector Kees Cook
2021-12-13 22:33 ` [PATCH 12/17] iw_cxgb4: Use memset_startat() for cpl_t5_pass_accept_rpl Kees Cook
2021-12-13 22:33 ` [PATCH 13/17] intel_th: msu: Use memset_startat() for clearing hw header Kees Cook
2021-12-13 22:33 ` [PATCH 14/17] IB/mthca: Use memset_startat() for clearing mpt_entry Kees Cook
2021-12-13 22:33 ` [PATCH 15/17] scsi: lpfc: Use struct_group() to initialize struct lpfc_cgn_info Kees Cook
2021-12-13 22:33 ` [PATCH 16/17] fortify: Detect struct member overflows in memset() at compile-time Kees Cook
2021-12-13 22:33 ` [PATCH 17/17] fortify: Work around Clang inlining bugs Kees Cook
2021-12-15 0:26 ` [PATCH 00/17] Enable strict compile-time memcpy() fortify checks Jason Gunthorpe
2021-12-17 4:04 ` Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202112160942.01254B408@keescook \
--to=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox