* [PATCH 2/2] kasan: use fortified strings for hwaddress sanitizer [not found] <20211013150025.2875883-1-arnd@kernel.org> @ 2021-10-13 15:00 ` Arnd Bergmann 2021-10-18 19:57 ` Kees Cook 0 siblings, 1 reply; 3+ messages in thread From: Arnd Bergmann @ 2021-10-13 15:00 UTC (permalink / raw) To: linux-hardening, Kees Cook, Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, kasan-dev Cc: Arnd Bergmann, Nathan Chancellor, Nick Desaulniers, Kees Cook, Miguel Ojeda, Sami Tolvanen, Marco Elver, Masahiro Yamada, Ard Biesheuvel, linux-kernel, llvm From: Arnd Bergmann <arnd@arndb.de> GCC has separate macros for -fsanitize=kernel-address and -fsanitize=kernel-hwaddress, and the check in the arm64 string.h gets this wrong, which leads to string functions not getting fortified with gcc. The newly added tests find this: warning: unsafe memchr() usage lacked '__read_overflow' warning in /git/arm-soc/lib/test_fortify/read_overflow-memchr.c warning: unsafe memchr_inv() usage lacked '__read_overflow' symbol in /git/arm-soc/lib/test_fortify/read_overflow-memchr_inv.c warning: unsafe memcmp() usage lacked '__read_overflow' warning in /git/arm-soc/lib/test_fortify/read_overflow-memcmp.c warning: unsafe memscan() usage lacked '__read_overflow' symbol in /git/arm-soc/lib/test_fortify/read_overflow-memscan.c warning: unsafe memcmp() usage lacked '__read_overflow2' warning in /git/arm-soc/lib/test_fortify/read_overflow2-memcmp.c warning: unsafe memcpy() usage lacked '__read_overflow2' symbol in /git/arm-soc/lib/test_fortify/read_overflow2-memcpy.c warning: unsafe memmove() usage lacked '__read_overflow2' symbol in /git/arm-soc/lib/test_fortify/read_overflow2-memmove.c warning: unsafe memcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memcpy.c warning: unsafe memmove() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memmove.c warning: unsafe memset() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memset.c warning: unsafe strcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strcpy-lit.c warning: unsafe strcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strcpy.c warning: unsafe strlcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strlcpy-src.c warning: unsafe strlcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strlcpy.c warning: unsafe strncpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strncpy-src.c warning: unsafe strncpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strncpy.c warning: unsafe strscpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strscpy.c Add a workaround to include/linux/compiler_types.h so we always define __SANITIZE_ADDRESS__ for either mode, as we already do for clang. Signed-off-by: Arnd Bergmann <arnd@arndb.de> --- include/linux/compiler_types.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index aad6f6408bfa..2f2776fffefe 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h @@ -178,6 +178,13 @@ struct ftrace_likely_data { */ #define noinline_for_stack noinline +/* + * Treat __SANITIZE_HWADDRESS__ the same as __SANITIZE_ADDRESS__ in the kernel + */ +#ifdef __SANITIZE_HWADDRESS__ +#define __SANITIZE_ADDRESS__ +#endif + /* * Sanitizer helper attributes: Because using __always_inline and * __no_sanitize_* conflict, provide helper attributes that will either expand -- 2.29.2 ^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 2/2] kasan: use fortified strings for hwaddress sanitizer 2021-10-13 15:00 ` [PATCH 2/2] kasan: use fortified strings for hwaddress sanitizer Arnd Bergmann @ 2021-10-18 19:57 ` Kees Cook 2021-10-18 20:09 ` Arnd Bergmann 0 siblings, 1 reply; 3+ messages in thread From: Kees Cook @ 2021-10-18 19:57 UTC (permalink / raw) To: Arnd Bergmann Cc: linux-hardening, Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, kasan-dev, Arnd Bergmann, Nathan Chancellor, Nick Desaulniers, Miguel Ojeda, Sami Tolvanen, Marco Elver, Masahiro Yamada, Ard Biesheuvel, linux-kernel, llvm On Wed, Oct 13, 2021 at 05:00:06PM +0200, Arnd Bergmann wrote: > From: Arnd Bergmann <arnd@arndb.de> > > GCC has separate macros for -fsanitize=kernel-address and > -fsanitize=kernel-hwaddress, and the check in the arm64 string.h > gets this wrong, which leads to string functions not getting > fortified with gcc. The newly added tests find this: > > warning: unsafe memchr() usage lacked '__read_overflow' warning in /git/arm-soc/lib/test_fortify/read_overflow-memchr.c > warning: unsafe memchr_inv() usage lacked '__read_overflow' symbol in /git/arm-soc/lib/test_fortify/read_overflow-memchr_inv.c > warning: unsafe memcmp() usage lacked '__read_overflow' warning in /git/arm-soc/lib/test_fortify/read_overflow-memcmp.c > warning: unsafe memscan() usage lacked '__read_overflow' symbol in /git/arm-soc/lib/test_fortify/read_overflow-memscan.c > warning: unsafe memcmp() usage lacked '__read_overflow2' warning in /git/arm-soc/lib/test_fortify/read_overflow2-memcmp.c > warning: unsafe memcpy() usage lacked '__read_overflow2' symbol in /git/arm-soc/lib/test_fortify/read_overflow2-memcpy.c > warning: unsafe memmove() usage lacked '__read_overflow2' symbol in /git/arm-soc/lib/test_fortify/read_overflow2-memmove.c > warning: unsafe memcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memcpy.c > warning: unsafe memmove() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memmove.c > warning: unsafe memset() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memset.c > warning: unsafe strcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strcpy-lit.c > warning: unsafe strcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strcpy.c > warning: unsafe strlcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strlcpy-src.c > warning: unsafe strlcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strlcpy.c > warning: unsafe strncpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strncpy-src.c > warning: unsafe strncpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strncpy.c > warning: unsafe strscpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strscpy.c > What is the build config that trips these warnings? In trying to understand this, I see in arch/arm64/include/asm/string.h: #if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \ !defined(__SANITIZE_ADDRESS__) other architectures (like arm32) do: #if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__) so it's okay because it's not getting touched by the hwaddress sanitizer? e.g. I see: config CC_HAS_KASAN_GENERIC def_bool $(cc-option, -fsanitize=kernel-address) config CC_HAS_KASAN_SW_TAGS def_bool $(cc-option, -fsanitize=kernel-hwaddress) > Add a workaround to include/linux/compiler_types.h so we always > define __SANITIZE_ADDRESS__ for either mode, as we already do > for clang. Where is the clang work-around? (Or is this a statement that clang, under -fsanitize=kernel-hwaddress, already sets __SANITIZE_ADDRESS__ by default? > > Signed-off-by: Arnd Bergmann <arnd@arndb.de> > --- > include/linux/compiler_types.h | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h > index aad6f6408bfa..2f2776fffefe 100644 > --- a/include/linux/compiler_types.h > +++ b/include/linux/compiler_types.h > @@ -178,6 +178,13 @@ struct ftrace_likely_data { > */ > #define noinline_for_stack noinline > > +/* > + * Treat __SANITIZE_HWADDRESS__ the same as __SANITIZE_ADDRESS__ in the kernel > + */ > +#ifdef __SANITIZE_HWADDRESS__ > +#define __SANITIZE_ADDRESS__ > +#endif Should this go into compiler-gcc.h instead? > + > /* > * Sanitizer helper attributes: Because using __always_inline and > * __no_sanitize_* conflict, provide helper attributes that will either expand > -- > 2.29.2 > -- Kees Cook ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH 2/2] kasan: use fortified strings for hwaddress sanitizer 2021-10-18 19:57 ` Kees Cook @ 2021-10-18 20:09 ` Arnd Bergmann 0 siblings, 0 replies; 3+ messages in thread From: Arnd Bergmann @ 2021-10-18 20:09 UTC (permalink / raw) To: Kees Cook Cc: linux-hardening, Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, kasan-dev, Arnd Bergmann, Nathan Chancellor, Nick Desaulniers, Miguel Ojeda, Sami Tolvanen, Marco Elver, Masahiro Yamada, Ard Biesheuvel, Linux Kernel Mailing List, llvm On Mon, Oct 18, 2021 at 9:57 PM Kees Cook <keescook@chromium.org> wrote: > > On Wed, Oct 13, 2021 at 05:00:06PM +0200, Arnd Bergmann wrote: > > From: Arnd Bergmann <arnd@arndb.de> > > > > GCC has separate macros for -fsanitize=kernel-address and > > -fsanitize=kernel-hwaddress, and the check in the arm64 string.h > > gets this wrong, which leads to string functions not getting > > fortified with gcc. The newly added tests find this: > > > > warning: unsafe memchr() usage lacked '__read_overflow' warning in /git/arm-soc/lib/test_fortify/read_overflow-memchr.c > > warning: unsafe memchr_inv() usage lacked '__read_overflow' symbol in /git/arm-soc/lib/test_fortify/read_overflow-memchr_inv.c > > warning: unsafe memcmp() usage lacked '__read_overflow' warning in /git/arm-soc/lib/test_fortify/read_overflow-memcmp.c > > warning: unsafe memscan() usage lacked '__read_overflow' symbol in /git/arm-soc/lib/test_fortify/read_overflow-memscan.c > > warning: unsafe memcmp() usage lacked '__read_overflow2' warning in /git/arm-soc/lib/test_fortify/read_overflow2-memcmp.c > > warning: unsafe memcpy() usage lacked '__read_overflow2' symbol in /git/arm-soc/lib/test_fortify/read_overflow2-memcpy.c > > warning: unsafe memmove() usage lacked '__read_overflow2' symbol in /git/arm-soc/lib/test_fortify/read_overflow2-memmove.c > > warning: unsafe memcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memcpy.c > > warning: unsafe memmove() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memmove.c > > warning: unsafe memset() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-memset.c > > warning: unsafe strcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strcpy-lit.c > > warning: unsafe strcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strcpy.c > > warning: unsafe strlcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strlcpy-src.c > > warning: unsafe strlcpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strlcpy.c > > warning: unsafe strncpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strncpy-src.c > > warning: unsafe strncpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strncpy.c > > warning: unsafe strscpy() usage lacked '__write_overflow' symbol in /git/arm-soc/lib/test_fortify/write_overflow-strscpy.c > > > > What is the build config that trips these warnings? It's a randconfig build, I've uploaded one .config to https://pastebin.com/raw/4TKB9mhs, but I have other ones if you can't reproduce with that one. > In trying to understand this, I see in arch/arm64/include/asm/string.h: > > #if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \ > !defined(__SANITIZE_ADDRESS__) > > other architectures (like arm32) do: > > #if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__) Yes, that is exactly the thing that goes wrong. With clang, __SANITIZE_ADDRESS__ gets set here, but gcc sets __SANITIZE_HWADDRESS__ instead for CONFIG_KASAN_SW_TAGS, so the condition is always true. > > Add a workaround to include/linux/compiler_types.h so we always > > define __SANITIZE_ADDRESS__ for either mode, as we already do > > for clang. > > Where is the clang work-around? (Or is this a statement that clang, > under -fsanitize=kernel-hwaddress, already sets __SANITIZE_ADDRESS__ by > default? I mean this snippet: #if __has_feature(address_sanitizer) || __has_feature(hwaddress_sanitizer) /* Emulate GCC's __SANITIZE_ADDRESS__ flag */ #define __SANITIZE_ADDRESS__ #endif Without that, clang sets neither __SANITIZE_ADDRESS__ nor __SANITIZE_HWADDRESS__ > > diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h > > index aad6f6408bfa..2f2776fffefe 100644 > > --- a/include/linux/compiler_types.h > > +++ b/include/linux/compiler_types.h > > @@ -178,6 +178,13 @@ struct ftrace_likely_data { > > */ > > #define noinline_for_stack noinline > > > > +/* > > + * Treat __SANITIZE_HWADDRESS__ the same as __SANITIZE_ADDRESS__ in the kernel > > + */ > > +#ifdef __SANITIZE_HWADDRESS__ > > +#define __SANITIZE_ADDRESS__ > > +#endif > > Should this go into compiler-gcc.h instead? Yes, that might be clearer, but the effect is the same, as no other compiler defines those macros. Arnd ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-10-18 20:09 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20211013150025.2875883-1-arnd@kernel.org>
2021-10-13 15:00 ` [PATCH 2/2] kasan: use fortified strings for hwaddress sanitizer Arnd Bergmann
2021-10-18 19:57 ` Kees Cook
2021-10-18 20:09 ` Arnd Bergmann
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox