mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-11-01 17:08:10 +00:00
2dc26d98cf
Merge tag 'overflow-v5.16-rc1'
of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull overflow updates from Kees Cook:

 "The end goal of the current buffer overflow detection work[0] is to gain full compile-time and run-time coverage of all detectable buffer overflows seen via array indexing or memcpy(), memmove(), and memset(). The str*() family of functions already have full coverage.

  While much of the work for these changes has been on-going for many releases (i.e. 0-element and 1-element array replacements, as well as avoiding false positives and fixing discovered overflows[1]), this series contains the foundational elements of several related buffer overflow detection improvements by providing new common helpers and FORTIFY_SOURCE changes needed to gain the introspection required for compiler visibility into array sizes. Also included are a handful of already Acked instances using the helpers (or related clean-ups), with many more waiting at the ready to be taken via subsystem-specific trees[2].

  The new helpers are:

   - struct_group() for gaining struct member range introspection

   - memset_after() and memset_startat() for clearing to the end of structures

   - DECLARE_FLEX_ARRAY() for using flex arrays in unions or alone in structs

  Also included is the beginning of the refactoring of FORTIFY_SOURCE to support memcpy() introspection, fix missing and regressed coverage under GCC, and to prepare to fix the currently broken Clang support. Finishing this work is part of the larger series[0], but depends on all the false positives and buffer overflow bug fixes to have landed already and those that depend on this series to land.

  As part of the FORTIFY_SOURCE refactoring, a set of both compile-time and run-time tests is added for FORTIFY_SOURCE and the mem*()-family functions respectively. The compile time tests have found a legitimate (though corner-case) bug[6] already.

  Please note that the appearance of "panic" and "BUG" in the FORTIFY_SOURCE refactoring is the result of relocating existing code, and no new use of those code-paths is expected nor desired.

  Finally, there are two tree-wide conversions for 0-element arrays and flexible array unions to gain sane compiler introspection coverage that result in no known object code differences.

  After this series (and the changes that have now landed via netdev and usb), we are very close to finally being able to build with -Warray-bounds and -Wzero-length-bounds. However, due to corner cases in GCC[3] and Clang[4], I have not included the last two patches that turn on these options, as I don't want to introduce any known warnings to the build. Hopefully these can be solved soon"

Link: https://lore.kernel.org/lkml/20210818060533.3569517-1-keescook@chromium.org/ [0]
Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=FORTIFY_SOURCE [1]
Link: https://lore.kernel.org/lkml/202108220107.3E26FE6C9C@keescook/ [2]
Link: https://lore.kernel.org/lkml/3ab153ec-2798-da4c-f7b1-81b0ac8b0c5b@roeck-us.net/ [3]
Link: https://bugs.llvm.org/show_bug.cgi?id=51682 [4]
Link: https://lore.kernel.org/lkml/202109051257.29B29745C0@keescook/ [5]
Link: https://lore.kernel.org/lkml/20211020200039.170424-1-keescook@chromium.org/ [6]

* tag 'overflow-v5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: (30 commits)
  fortify: strlen: Avoid shadowing previous locals
  compiler-gcc.h: Define __SANITIZE_ADDRESS__ under hwaddress sanitizer
  treewide: Replace 0-element memcpy() destinations with flexible arrays
  treewide: Replace open-coded flex arrays in unions
  stddef: Introduce DECLARE_FLEX_ARRAY() helper
  btrfs: Use memset_startat() to clear end of struct
  string.h: Introduce memset_startat() for wiping trailing members and padding
  xfrm: Use memset_after() to clear padding
  string.h: Introduce memset_after() for wiping trailing members/padding
  lib: Introduce CONFIG_MEMCPY_KUNIT_TEST
  fortify: Add compile-time FORTIFY_SOURCE tests
  fortify: Allow strlen() and strnlen() to pass compile-time known lengths
  fortify: Prepare to improve strnlen() and strlen() warnings
  fortify: Fix dropped strcpy() compile-time write overflow check
  fortify: Explicitly disable Clang support
  fortify: Move remaining fortify helpers into fortify-string.h
  lib/string: Move helper functions out of string.c
  compiler_types.h: Remove __compiletime_object_size()
  cm4000_cs: Use struct_group() to zero struct cm4000_dev region
  can: flexcan: Use struct_group() to zero struct flexcan_regs regions
  ...
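As an added illustration of the memset_after() and memset_startat() helpers the pull request names (example code written here, not the kernel's own macros: the two macros below are userspace re-statements modelled on them, struct record is a constructed layout, and dirty_bytes() and nonzero_bytes() are this example's own helpers), showing what each call wipes and the caveat that a padding hole before the named member is left untouched:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace re-statements of the helpers named in the pull request
 * (assumption: modelled on the kernel macros, not copied from the tree).
 * memset_after() clears from the end of @member to the end of the object,
 * memset_startat() from the start of @member to the end. */
#define offsetofend(TYPE, MEMBER) \
	(offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))
#define memset_after(obj, v, member)					       \
	memset((uint8_t *)(obj) + offsetofend(__typeof__(*(obj)), member), (v), \
	       sizeof(*(obj)) - offsetofend(__typeof__(*(obj)), member))
#define memset_startat(obj, v, member)					       \
	memset((uint8_t *)(obj) + offsetof(__typeof__(*(obj)), member), (v),    \
	       sizeof(*(obj)) - offsetof(__typeof__(*(obj)), member))

/* Constructed record with a padding hole between @type and @id and tail
 * padding after @flags (LP64: type@0, hole@2..7, id@8, flags@16, tail@17..23).
 * Copying it out with the holes uninitialised would leak whatever they held. */
struct record {
	uint16_t type;
	uint64_t id;
	uint8_t  flags;
};

static size_t nonzero_bytes(const struct record *r, size_t from, size_t to)
{
	const uint8_t *b = (const uint8_t *)r;
	size_t count = 0;

	while (from < to)
		count += b[from++] != 0;
	return count;
}

/* Simulate stale stack contents (0xAA), set the live fields, apply one of the
 * helpers and return how many dirty bytes remain in [from, to). Note that
 * neither helper touches the hole before @id: only the region from the cut
 * point to the end of the object is wiped. */
static size_t dirty_bytes(int use_startat, size_t from, size_t to)
{
	struct record r;

	memset(&r, 0xAA, sizeof(r));
	r.type = 1; r.id = 2; r.flags = 3;
	if (use_startat)
		memset_startat(&r, 0, id);	/* wipes id, flags, tail padding */
	else
		memset_after(&r, 0, id);	/* wipes flags and tail padding */
	return nonzero_bytes(&r, from, to);
}
```

A full memset(&r, 0, sizeof(r)) before filling the fields is still the only way to cover the hole between type and id.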
393 lines
7.8 KiB
C
// SPDX-License-Identifier: GPL-2.0
/*
 *    Optimized string functions
 *
 *  S390 version
 *    Copyright IBM Corp. 2004
 *    Author(s): Martin Schwidefsky (schwidefsky@de.ibm.com)
 */

/*
 * This file provides the real implementations of the functions that the
 * FORTIFY_SOURCE wrappers sit in front of, so those wrappers must not be
 * pulled in while compiling it.
 */
#define IN_ARCH_STRING_C 1
#ifndef __NO_FORTIFY
# define __NO_FORTIFY
#endif

#include <linux/types.h>
#include <linux/string.h>
#include <linux/export.h>

/*
 * Helper functions to find the end of a string
 *
 * Both use SRST (search string): it scans from the second operand up to the
 * address in the first operand for the byte held in general register 0 and
 * leaves the address of that byte in the first operand. "jo" re-executes
 * the instruction whenever it stops early with condition code 3.
 */
static inline char *__strend(const char *s)
{
	unsigned long e = 0;

	asm volatile(
		"	lghi	0,0\n"		/* search for the NUL byte */
		"0:	srst	%[e],%[s]\n"	/* end address 0: scan until NUL */
		"	jo	0b\n"
		: [e] "+&a" (e), [s] "+&a" (s)
		:
		: "cc", "memory", "0");
	return (char *)e;
}

static inline char *__strnend(const char *s, size_t n)
{
	const char *p = s + n;

	asm volatile(
		"	lghi	0,0\n"
		"0:	srst	%[p],%[s]\n"	/* stops at NUL or at s + n */
		"	jo	0b\n"
		: [p] "+&d" (p), [s] "+&a" (s)
		:
		: "cc", "memory", "0");
	return (char *)p;
}

/**
 * strlen - Find the length of a string
 * @s: The string to be sized
 *
 * returns the length of @s
 */
#ifdef __HAVE_ARCH_STRLEN
size_t strlen(const char *s)
{
	return __strend(s) - s;
}
EXPORT_SYMBOL(strlen);
#endif

/**
 * strnlen - Find the length of a length-limited string
 * @s: The string to be sized
 * @n: The maximum number of bytes to search
 *
 * returns the minimum of the length of @s and @n
 */
#ifdef __HAVE_ARCH_STRNLEN
size_t strnlen(const char *s, size_t n)
{
	return __strnend(s, n) - s;
}
EXPORT_SYMBOL(strnlen);
#endif

/**
 * strcpy - Copy a %NUL terminated string
 * @dest: Where to copy the string to
 * @src: Where to copy the string from
 *
 * returns a pointer to @dest
 */
#ifdef __HAVE_ARCH_STRCPY
char *strcpy(char *dest, const char *src)
{
	char *ret = dest;

	asm volatile(
		"	lghi	0,0\n"			/* NUL ends the move */
		"0:	mvst	%[dest],%[src]\n"	/* move string, NUL included */
		"	jo	0b\n"
		: [dest] "+&a" (dest), [src] "+&a" (src)
		:
		: "cc", "memory", "0");
	return ret;
}
EXPORT_SYMBOL(strcpy);
#endif

/**
 * strlcpy - Copy a %NUL terminated string into a sized buffer
 * @dest: Where to copy the string to
 * @src: Where to copy the string from
 * @size: size of destination buffer
 *
 * Compatible with *BSD: the result is always a valid
 * NUL-terminated string that fits in the buffer (unless,
 * of course, the buffer size is zero). It does not pad
 * out the result like strncpy() does.
 */
#ifdef __HAVE_ARCH_STRLCPY
size_t strlcpy(char *dest, const char *src, size_t size)
{
	size_t ret = __strend(src) - src;

	if (size) {
		size_t len = (ret >= size) ? size-1 : ret;
		dest[len] = '\0';
		memcpy(dest, src, len);
	}
	return ret;
}
EXPORT_SYMBOL(strlcpy);
#endif

/**
 * strncpy - Copy a length-limited, %NUL-terminated string
 * @dest: Where to copy the string to
 * @src: Where to copy the string from
 * @n: The maximum number of bytes to copy
 *
 * The result is not %NUL-terminated if the source exceeds
 * @n bytes.
 */
#ifdef __HAVE_ARCH_STRNCPY
char *strncpy(char *dest, const char *src, size_t n)
{
	size_t len = __strnend(src, n) - src;
	memset(dest + len, 0, n - len);
	memcpy(dest, src, len);
	return dest;
}
EXPORT_SYMBOL(strncpy);
#endif

/**
 * strcat - Append one %NUL-terminated string to another
 * @dest: The string to be appended to
 * @src: The string to append to it
 *
 * returns a pointer to @dest
 */
#ifdef __HAVE_ARCH_STRCAT
char *strcat(char *dest, const char *src)
{
	unsigned long dummy = 0;
	char *ret = dest;

	asm volatile(
		"	lghi	0,0\n"
		"0:	srst	%[dummy],%[dest]\n"	/* find the NUL ending dest */
		"	jo	0b\n"
		"1:	mvst	%[dummy],%[src]\n"	/* copy src there, NUL included */
		"	jo	1b\n"
		: [dummy] "+&a" (dummy), [dest] "+&a" (dest), [src] "+&a" (src)
		:
		: "cc", "memory", "0");
	return ret;
}
EXPORT_SYMBOL(strcat);
#endif

/**
 * strlcat - Append a length-limited, %NUL-terminated string to another
 * @dest: The string to be appended to
 * @src: The string to append to it
 * @n: The size of the destination buffer.
 */
#ifdef __HAVE_ARCH_STRLCAT
size_t strlcat(char *dest, const char *src, size_t n)
{
	size_t dsize = __strend(dest) - dest;
	size_t len = __strend(src) - src;
	size_t res = dsize + len;

	if (dsize < n) {
		dest += dsize;
		n -= dsize;
		if (len >= n)
			len = n - 1;
		dest[len] = '\0';
		memcpy(dest, src, len);
	}
	return res;
}
EXPORT_SYMBOL(strlcat);
#endif

/**
 * strncat - Append a length-limited, %NUL-terminated string to another
 * @dest: The string to be appended to
 * @src: The string to append to it
 * @n: The maximum numbers of bytes to copy
 *
 * returns a pointer to @dest
 *
 * Note that in contrast to strncpy, strncat ensures the result is
 * terminated.
 */
#ifdef __HAVE_ARCH_STRNCAT
char *strncat(char *dest, const char *src, size_t n)
{
	size_t len = __strnend(src, n) - src;
	char *p = __strend(dest);

	p[len] = '\0';
	memcpy(p, src, len);
	return dest;
}
EXPORT_SYMBOL(strncat);
#endif

/**
 * strcmp - Compare two strings
 * @s1: One string
 * @s2: Another string
 *
 * returns 0 if @s1 and @s2 are equal,
 * < 0 if @s1 is less than @s2
 * > 0 if @s1 is greater than @s2
 */
#ifdef __HAVE_ARCH_STRCMP
int strcmp(const char *s1, const char *s2)
{
	int ret = 0;

	asm volatile(
		"	lghi	0,0\n"
		"0:	clst	%[s1],%[s2]\n"		/* compare up to the NUL bytes */
		"	jo	0b\n"
		"	je	1f\n"			/* equal: ret stays 0 */
		"	ic	%[ret],0(%[s1])\n"	/* first differing bytes ... */
		"	ic	0,0(%[s2])\n"
		"	sr	%[ret],0\n"		/* ... give the sign of the result */
		"1:"
		: [ret] "+&d" (ret), [s1] "+&a" (s1), [s2] "+&a" (s2)
		:
		: "cc", "memory", "0");
	return ret;
}
EXPORT_SYMBOL(strcmp);
#endif

/**
 * strrchr - Find the last occurrence of a character in a string
 * @s: The string to be searched
 * @c: The character to search for
 */
#ifdef __HAVE_ARCH_STRRCHR
char *strrchr(const char *s, int c)
{
	ssize_t len = __strend(s) - s;

	do {
		if (s[len] == (char)c)
			return (char *)s + len;
	} while (--len >= 0);
	return NULL;
}
EXPORT_SYMBOL(strrchr);
#endif

/*
 * Compare two length-delimited areas with CLCLE (compare logical long
 * extended). Returns the condition code: 0 equal, 1 first operand low,
 * 2 first operand high.
 */
static inline int clcle(const char *s1, unsigned long l1,
			const char *s2, unsigned long l2)
{
	union register_pair r1 = { .even = (unsigned long)s1, .odd = l1, };
	union register_pair r3 = { .even = (unsigned long)s2, .odd = l2, };
	int cc;

	asm volatile(
		"0:	clcle	%[r1],%[r3],0\n"	/* compare (address, length) pairs */
		"	jo	0b\n"
		"	ipm	%[cc]\n"		/* condition code into cc ... */
		"	srl	%[cc],28\n"		/* ... shifted down to its low bits */
		: [cc] "=&d" (cc), [r1] "+&d" (r1.pair), [r3] "+&d" (r3.pair)
		:
		: "cc", "memory");
	return cc;
}

/**
 * strstr - Find the first substring in a %NUL terminated string
 * @s1: The string to be searched
 * @s2: The string to search for
 */
#ifdef __HAVE_ARCH_STRSTR
char *strstr(const char *s1, const char *s2)
{
	int l1, l2;

	l2 = __strend(s2) - s2;
	if (!l2)
		return (char *) s1;
	l1 = __strend(s1) - s1;
	while (l1-- >= l2) {
		int cc;

		cc = clcle(s1, l2, s2, l2);
		if (!cc)
			return (char *) s1;
		s1++;
	}
	return NULL;
}
EXPORT_SYMBOL(strstr);
#endif

/**
 * memchr - Find a character in an area of memory.
 * @s: The memory area
 * @c: The byte to search for
 * @n: The size of the area.
 *
 * returns the address of the first occurrence of @c, or %NULL
 * if @c is not found
 */
#ifdef __HAVE_ARCH_MEMCHR
void *memchr(const void *s, int c, size_t n)
{
	const void *ret = s + n;

	asm volatile(
		"	lgr	0,%[c]\n"		/* byte to search for */
		"0:	srst	%[ret],%[s]\n"		/* scan s up to s + n */
		"	jo	0b\n"
		"	jl	1f\n"			/* found: ret is its address */
		"	la	%[ret],0\n"		/* not found: NULL */
		"1:"
		: [ret] "+&a" (ret), [s] "+&a" (s)
		: [c] "d" (c)
		: "cc", "memory", "0");
	return (void *) ret;
}
EXPORT_SYMBOL(memchr);
#endif

/**
 * memcmp - Compare two areas of memory
 * @s1: One area of memory
 * @s2: Another area of memory
 * @n: The size of the area.
 */
#ifdef __HAVE_ARCH_MEMCMP
int memcmp(const void *s1, const void *s2, size_t n)
{
	int ret;

	ret = clcle(s1, n, s2, n);
	if (ret)
		ret = ret == 1 ? -1 : 1;
	return ret;
}
EXPORT_SYMBOL(memcmp);
#endif

/**
 * memscan - Find a character in an area of memory.
 * @s: The memory area
 * @c: The byte to search for
 * @n: The size of the area.
 *
 * returns the address of the first occurrence of @c, or 1 byte past
 * the area if @c is not found
 */
#ifdef __HAVE_ARCH_MEMSCAN
void *memscan(void *s, int c, size_t n)
{
	const void *ret = s + n;

	asm volatile(
		"	lgr	0,%[c]\n"		/* byte to search for */
		"0:	srst	%[ret],%[s]\n"		/* not found: ret stays s + n */
		"	jo	0b\n"
		: [ret] "+&a" (ret), [s] "+&a" (s)
		: [c] "d" (c)
		: "cc", "memory", "0");
	return (void *)ret;
}
EXPORT_SYMBOL(memscan);
#endif
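An added example, not code from the page or the kernel tree: it re-states the strlcpy() and strlcat() logic above portably (plain strlen() in place of the s390 __strend() helper; the demo_* and copy_field() names are this example's own) to show the truncation check their return values give a caller, next to what strncpy() leaves in the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Portable re-statement of the page's strlcpy(): copy at most size-1 bytes,
 * always NUL-terminate when size > 0, return strlen(src). As on the page the
 * full source length is taken first, so src itself must be NUL-terminated. */
static size_t demo_strlcpy(char *dest, const char *src, size_t size)
{
	size_t ret = strlen(src);

	if (size) {
		size_t len = (ret >= size) ? size - 1 : ret;

		dest[len] = '\0';
		memcpy(dest, src, len);
	}
	return ret;
}

/* Portable re-statement of the page's strlcat(): returns the length the full
 * concatenation would have had, and writes nothing at all when dest already
 * fills the buffer (dsize >= n), so a result >= n always means truncation. */
static size_t demo_strlcat(char *dest, const char *src, size_t n)
{
	size_t dsize = strlen(dest);
	size_t len = strlen(src);
	size_t res = dsize + len;

	if (dsize < n) {
		dest += dsize;
		n -= dsize;
		if (len >= n)
			len = n - 1;
		dest[len] = '\0';
		memcpy(dest, src, len);
	}
	return res;
}

/* strncpy() contrast: when src has n or more bytes the buffer is left without
 * a terminator. Returns true only if a NUL ended up within the n bytes. */
static bool strncpy_terminated(char *dest, size_t n, const char *src)
{
	strncpy(dest, src, n);
	return memchr(dest, '\0', n) != NULL;
}

/* The caller-side check the return value enables: copy into an 8-byte field
 * and report whether src fitted (true) or was silently truncated (false). */
static bool copy_field(char field[8], const char *src)
{
	return demo_strlcpy(field, src, 8) < 8;
}
```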