1 /* SPDX-License-Identifier: GPL-2.0 */ 2 #ifndef _LINUX_FORTIFY_STRING_H_ 3 #define _LINUX_FORTIFY_STRING_H_ 4 5 #include <linux/bug.h> 6 #include <linux/const.h> 7 #include <linux/limits.h> 8 9 #define __FORTIFY_INLINE extern __always_inline __gnu_inline __overloadable 10 #define __RENAME(x) __asm__(#x) 11 12 void fortify_panic(const char *name) __noreturn __cold; 13 void __read_overflow(void) __compiletime_error("detected read beyond size of object (1st parameter)"); 14 void __read_overflow2(void) __compiletime_error("detected read beyond size of object (2nd parameter)"); 15 void __read_overflow2_field(size_t avail, size_t wanted) __compiletime_warning("detected read beyond size of field (2nd parameter); maybe use struct_group()?"); 16 void __write_overflow(void) __compiletime_error("detected write beyond size of object (1st parameter)"); 17 void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("detected write beyond size of field (1st parameter); maybe use struct_group()?"); 18 19 #define __compiletime_strlen(p) \ 20 ({ \ 21 unsigned char *__p = (unsigned char *)(p); \ 22 size_t __ret = SIZE_MAX; \ 23 size_t __p_size = __builtin_object_size(p, 1); \ 24 if (__p_size != SIZE_MAX && \ 25 __builtin_constant_p(*__p)) { \ 26 size_t __p_len = __p_size - 1; \ 27 if (__builtin_constant_p(__p[__p_len]) && \ 28 __p[__p_len] == '\0') \ 29 __ret = __builtin_strlen(__p); \ 30 } \ 31 __ret; \ 32 }) 33 34 #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) 35 extern void *__underlying_memchr(const void *p, int c, __kernel_size_t size) __RENAME(memchr); 36 extern int __underlying_memcmp(const void *p, const void *q, __kernel_size_t size) __RENAME(memcmp); 37 extern void *__underlying_memcpy(void *p, const void *q, __kernel_size_t size) __RENAME(memcpy); 38 extern void *__underlying_memmove(void *p, const void *q, __kernel_size_t size) __RENAME(memmove); 39 extern void *__underlying_memset(void *p, int c, __kernel_size_t size) __RENAME(memset); 40 extern char *__underlying_strcat(char *p, const char *q) __RENAME(strcat); 41 extern char *__underlying_strcpy(char *p, const char *q) __RENAME(strcpy); 42 extern __kernel_size_t __underlying_strlen(const char *p) __RENAME(strlen); 43 extern char *__underlying_strncat(char *p, const char *q, __kernel_size_t count) __RENAME(strncat); 44 extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) __RENAME(strncpy); 45 #else 46 #define __underlying_memchr __builtin_memchr 47 #define __underlying_memcmp __builtin_memcmp 48 #define __underlying_memcpy __builtin_memcpy 49 #define __underlying_memmove __builtin_memmove 50 #define __underlying_memset __builtin_memset 51 #define __underlying_strcat __builtin_strcat 52 #define __underlying_strcpy __builtin_strcpy 53 #define __underlying_strlen __builtin_strlen 54 #define __underlying_strncat __builtin_strncat 55 #define __underlying_strncpy __builtin_strncpy 56 #endif 57 58 /** 59 * unsafe_memcpy - memcpy implementation with no FORTIFY bounds checking 60 * 61 * @dst: Destination memory address to write to 62 * @src: Source memory address to read from 63 * @bytes: How many bytes to write to @dst from @src 64 * @justification: Free-form text or comment describing why the use is needed 65 * 66 * This should be used for corner cases where the compiler cannot do the 67 * right thing, or during transitions between APIs, etc. It should be used 68 * very rarely, and includes a place for justification detailing where bounds 69 * checking has happened, and why existing solutions cannot be employed. 70 */ 71 #define unsafe_memcpy(dst, src, bytes, justification) \ 72 __underlying_memcpy(dst, src, bytes) 73 74 /* 75 * Clang's use of __builtin_object_size() within inlines needs hinting via 76 * __pass_object_size(). The preference is to only ever use type 1 (member 77 * size, rather than struct size), but there remain some stragglers using 78 * type 0 that will be converted in the future. 79 */ 80 #define POS __pass_object_size(1) 81 #define POS0 __pass_object_size(0) 82 83 /** 84 * strncpy - Copy a string to memory with non-guaranteed NUL padding 85 * 86 * @p: pointer to destination of copy 87 * @q: pointer to NUL-terminated source string to copy 88 * @size: bytes to write at @p 89 * 90 * If strlen(@q) >= @size, the copy of @q will stop after @size bytes, 91 * and @p will NOT be NUL-terminated 92 * 93 * If strlen(@q) < @size, following the copy of @q, trailing NUL bytes 94 * will be written to @p until @size total bytes have been written. 95 * 96 * Do not use this function. While FORTIFY_SOURCE tries to avoid 97 * over-reads of @q, it cannot defend against writing unterminated 98 * results to @p. Using strncpy() remains ambiguous and fragile. 99 * Instead, please choose an alternative, so that the expectation 100 * of @p's contents is unambiguous: 101 * 102 * +--------------------+-----------------+------------+ 103 * | @p needs to be: | padded to @size | not padded | 104 * +====================+=================+============+ 105 * | NUL-terminated | strscpy_pad() | strscpy() | 106 * +--------------------+-----------------+------------+ 107 * | not NUL-terminated | strtomem_pad() | strtomem() | 108 * +--------------------+-----------------+------------+ 109 * 110 * Note strscpy*()'s differing return values for detecting truncation, 111 * and strtomem*()'s expectation that the destination is marked with 112 * __nonstring when it is a character array. 113 * 114 */ 115 __FORTIFY_INLINE __diagnose_as(__builtin_strncpy, 1, 2, 3) 116 char *strncpy(char * const POS p, const char *q, __kernel_size_t size) 117 { 118 size_t p_size = __builtin_object_size(p, 1); 119 120 if (__builtin_constant_p(size) && p_size < size) 121 __write_overflow(); 122 if (p_size < size) 123 fortify_panic(__func__); 124 return __underlying_strncpy(p, q, size); 125 } 126 127 __FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2) 128 char *strcat(char * const POS p, const char *q) 129 { 130 size_t p_size = __builtin_object_size(p, 1); 131 132 if (p_size == SIZE_MAX) 133 return __underlying_strcat(p, q); 134 if (strlcat(p, q, p_size) >= p_size) 135 fortify_panic(__func__); 136 return p; 137 } 138 139 extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen); 140 __FORTIFY_INLINE __kernel_size_t strnlen(const char * const POS p, __kernel_size_t maxlen) 141 { 142 size_t p_size = __builtin_object_size(p, 1); 143 size_t p_len = __compiletime_strlen(p); 144 size_t ret; 145 146 /* We can take compile-time actions when maxlen is const. */ 147 if (__builtin_constant_p(maxlen) && p_len != SIZE_MAX) { 148 /* If p is const, we can use its compile-time-known len. */ 149 if (maxlen >= p_size) 150 return p_len; 151 } 152 153 /* Do not check characters beyond the end of p. */ 154 ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); 155 if (p_size <= ret && maxlen != ret) 156 fortify_panic(__func__); 157 return ret; 158 } 159 160 /* 161 * Defined after fortified strnlen to reuse it. However, it must still be 162 * possible for strlen() to be used on compile-time strings for use in 163 * static initializers (i.e. as a constant expression). 164 */ 165 #define strlen(p) \ 166 __builtin_choose_expr(__is_constexpr(__builtin_strlen(p)), \ 167 __builtin_strlen(p), __fortify_strlen(p)) 168 __FORTIFY_INLINE __diagnose_as(__builtin_strlen, 1) 169 __kernel_size_t __fortify_strlen(const char * const POS p) 170 { 171 __kernel_size_t ret; 172 size_t p_size = __builtin_object_size(p, 1); 173 174 /* Give up if we don't know how large p is. */ 175 if (p_size == SIZE_MAX) 176 return __underlying_strlen(p); 177 ret = strnlen(p, p_size); 178 if (p_size <= ret) 179 fortify_panic(__func__); 180 return ret; 181 } 182 183 /* defined after fortified strlen to reuse it */ 184 extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy); 185 __FORTIFY_INLINE size_t strlcpy(char * const POS p, const char * const POS q, size_t size) 186 { 187 size_t p_size = __builtin_object_size(p, 1); 188 size_t q_size = __builtin_object_size(q, 1); 189 size_t q_len; /* Full count of source string length. */ 190 size_t len; /* Count of characters going into destination. */ 191 192 if (p_size == SIZE_MAX && q_size == SIZE_MAX) 193 return __real_strlcpy(p, q, size); 194 q_len = strlen(q); 195 len = (q_len >= size) ? size - 1 : q_len; 196 if (__builtin_constant_p(size) && __builtin_constant_p(q_len) && size) { 197 /* Write size is always larger than destination. */ 198 if (len >= p_size) 199 __write_overflow(); 200 } 201 if (size) { 202 if (len >= p_size) 203 fortify_panic(__func__); 204 __underlying_memcpy(p, q, len); 205 p[len] = '\0'; 206 } 207 return q_len; 208 } 209 210 /* defined after fortified strnlen to reuse it */ 211 extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(strscpy); 212 __FORTIFY_INLINE ssize_t strscpy(char * const POS p, const char * const POS q, size_t size) 213 { 214 size_t len; 215 /* Use string size rather than possible enclosing struct size. */ 216 size_t p_size = __builtin_object_size(p, 1); 217 size_t q_size = __builtin_object_size(q, 1); 218 219 /* If we cannot get size of p and q default to call strscpy. */ 220 if (p_size == SIZE_MAX && q_size == SIZE_MAX) 221 return __real_strscpy(p, q, size); 222 223 /* 224 * If size can be known at compile time and is greater than 225 * p_size, generate a compile time write overflow error. 226 */ 227 if (__builtin_constant_p(size) && size > p_size) 228 __write_overflow(); 229 230 /* 231 * This call protects from read overflow, because len will default to q 232 * length if it smaller than size. 233 */ 234 len = strnlen(q, size); 235 /* 236 * If len equals size, we will copy only size bytes which leads to 237 * -E2BIG being returned. 238 * Otherwise we will copy len + 1 because of the final '\O'. 239 */ 240 len = len == size ? size : len + 1; 241 242 /* 243 * Generate a runtime write overflow error if len is greater than 244 * p_size. 245 */ 246 if (len > p_size) 247 fortify_panic(__func__); 248 249 /* 250 * We can now safely call vanilla strscpy because we are protected from: 251 * 1. Read overflow thanks to call to strnlen(). 252 * 2. Write overflow thanks to above ifs. 253 */ 254 return __real_strscpy(p, q, len); 255 } 256 257 /* defined after fortified strlen and strnlen to reuse them */ 258 __FORTIFY_INLINE __diagnose_as(__builtin_strncat, 1, 2, 3) 259 char *strncat(char * const POS p, const char * const POS q, __kernel_size_t count) 260 { 261 size_t p_len, copy_len; 262 size_t p_size = __builtin_object_size(p, 1); 263 size_t q_size = __builtin_object_size(q, 1); 264 265 if (p_size == SIZE_MAX && q_size == SIZE_MAX) 266 return __underlying_strncat(p, q, count); 267 p_len = strlen(p); 268 copy_len = strnlen(q, count); 269 if (p_size < p_len + copy_len + 1) 270 fortify_panic(__func__); 271 __underlying_memcpy(p + p_len, q, copy_len); 272 p[p_len + copy_len] = '\0'; 273 return p; 274 } 275 276 __FORTIFY_INLINE void fortify_memset_chk(__kernel_size_t size, 277 const size_t p_size, 278 const size_t p_size_field) 279 { 280 if (__builtin_constant_p(size)) { 281 /* 282 * Length argument is a constant expression, so we 283 * can perform compile-time bounds checking where 284 * buffer sizes are known. 285 */ 286 287 /* Error when size is larger than enclosing struct. */ 288 if (p_size > p_size_field && p_size < size) 289 __write_overflow(); 290 291 /* Warn when write size is larger than dest field. */ 292 if (p_size_field < size) 293 __write_overflow_field(p_size_field, size); 294 } 295 /* 296 * At this point, length argument may not be a constant expression, 297 * so run-time bounds checking can be done where buffer sizes are 298 * known. (This is not an "else" because the above checks may only 299 * be compile-time warnings, and we want to still warn for run-time 300 * overflows.) 301 */ 302 303 /* 304 * Always stop accesses beyond the struct that contains the 305 * field, when the buffer's remaining size is known. 306 * (The SIZE_MAX test is to optimize away checks where the buffer 307 * lengths are unknown.) 308 */ 309 if (p_size != SIZE_MAX && p_size < size) 310 fortify_panic("memset"); 311 } 312 313 #define __fortify_memset_chk(p, c, size, p_size, p_size_field) ({ \ 314 size_t __fortify_size = (size_t)(size); \ 315 fortify_memset_chk(__fortify_size, p_size, p_size_field), \ 316 __underlying_memset(p, c, __fortify_size); \ 317 }) 318 319 /* 320 * __builtin_object_size() must be captured here to avoid evaluating argument 321 * side-effects further into the macro layers. 322 */ 323 #define memset(p, c, s) __fortify_memset_chk(p, c, s, \ 324 __builtin_object_size(p, 0), __builtin_object_size(p, 1)) 325 326 /* 327 * To make sure the compiler can enforce protection against buffer overflows, 328 * memcpy(), memmove(), and memset() must not be used beyond individual 329 * struct members. If you need to copy across multiple members, please use 330 * struct_group() to create a named mirror of an anonymous struct union. 331 * (e.g. see struct sk_buff.) Read overflow checking is currently only 332 * done when a write overflow is also present, or when building with W=1. 333 * 334 * Mitigation coverage matrix 335 * Bounds checking at: 336 * +-------+-------+-------+-------+ 337 * | Compile time | Run time | 338 * memcpy() argument sizes: | write | read | write | read | 339 * dest source length +-------+-------+-------+-------+ 340 * memcpy(known, known, constant) | y | y | n/a | n/a | 341 * memcpy(known, unknown, constant) | y | n | n/a | V | 342 * memcpy(known, known, dynamic) | n | n | B | B | 343 * memcpy(known, unknown, dynamic) | n | n | B | V | 344 * memcpy(unknown, known, constant) | n | y | V | n/a | 345 * memcpy(unknown, unknown, constant) | n | n | V | V | 346 * memcpy(unknown, known, dynamic) | n | n | V | B | 347 * memcpy(unknown, unknown, dynamic) | n | n | V | V | 348 * +-------+-------+-------+-------+ 349 * 350 * y = perform deterministic compile-time bounds checking 351 * n = cannot perform deterministic compile-time bounds checking 352 * n/a = no run-time bounds checking needed since compile-time deterministic 353 * B = can perform run-time bounds checking (currently unimplemented) 354 * V = vulnerable to run-time overflow (will need refactoring to solve) 355 * 356 */ 357 __FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size, 358 const size_t p_size, 359 const size_t q_size, 360 const size_t p_size_field, 361 const size_t q_size_field, 362 const char *func) 363 { 364 if (__builtin_constant_p(size)) { 365 /* 366 * Length argument is a constant expression, so we 367 * can perform compile-time bounds checking where 368 * buffer sizes are known. 369 */ 370 371 /* Error when size is larger than enclosing struct. */ 372 if (p_size > p_size_field && p_size < size) 373 __write_overflow(); 374 if (q_size > q_size_field && q_size < size) 375 __read_overflow2(); 376 377 /* Warn when write size argument larger than dest field. */ 378 if (p_size_field < size) 379 __write_overflow_field(p_size_field, size); 380 /* 381 * Warn for source field over-read when building with W=1 382 * or when an over-write happened, so both can be fixed at 383 * the same time. 384 */ 385 if ((IS_ENABLED(KBUILD_EXTRA_WARN1) || p_size_field < size) && 386 q_size_field < size) 387 __read_overflow2_field(q_size_field, size); 388 } 389 /* 390 * At this point, length argument may not be a constant expression, 391 * so run-time bounds checking can be done where buffer sizes are 392 * known. (This is not an "else" because the above checks may only 393 * be compile-time warnings, and we want to still warn for run-time 394 * overflows.) 395 */ 396 397 /* 398 * Always stop accesses beyond the struct that contains the 399 * field, when the buffer's remaining size is known. 400 * (The SIZE_MAX test is to optimize away checks where the buffer 401 * lengths are unknown.) 402 */ 403 if ((p_size != SIZE_MAX && p_size < size) || 404 (q_size != SIZE_MAX && q_size < size)) 405 fortify_panic(func); 406 407 /* 408 * Warn when writing beyond destination field size. 409 * 410 * We must ignore p_size_field == 0 for existing 0-element 411 * fake flexible arrays, until they are all converted to 412 * proper flexible arrays. 413 * 414 * The implementation of __builtin_object_size() behaves 415 * like sizeof() when not directly referencing a flexible 416 * array member, which means there will be many bounds checks 417 * that will appear at run-time, without a way for them to be 418 * detected at compile-time (as can be done when the destination 419 * is specifically the flexible array member). 420 * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832 421 */ 422 if (p_size_field != 0 && p_size_field != SIZE_MAX && 423 p_size != p_size_field && p_size_field < size) 424 return true; 425 426 return false; 427 } 428 429 #define __fortify_memcpy_chk(p, q, size, p_size, q_size, \ 430 p_size_field, q_size_field, op) ({ \ 431 size_t __fortify_size = (size_t)(size); \ 432 WARN_ONCE(fortify_memcpy_chk(__fortify_size, p_size, q_size, \ 433 p_size_field, q_size_field, #op), \ 434 #op ": detected field-spanning write (size %zu) of single %s (size %zu)\n", \ 435 __fortify_size, \ 436 "field \"" #p "\" at " __FILE__ ":" __stringify(__LINE__), \ 437 p_size_field); \ 438 __underlying_##op(p, q, __fortify_size); \ 439 }) 440 441 /* 442 * Notes about compile-time buffer size detection: 443 * 444 * With these types... 445 * 446 * struct middle { 447 * u16 a; 448 * u8 middle_buf[16]; 449 * int b; 450 * }; 451 * struct end { 452 * u16 a; 453 * u8 end_buf[16]; 454 * }; 455 * struct flex { 456 * int a; 457 * u8 flex_buf[]; 458 * }; 459 * 460 * void func(TYPE *ptr) { ... } 461 * 462 * Cases where destination size cannot be currently detected: 463 * - the size of ptr's object (seemingly by design, gcc & clang fail): 464 * __builtin_object_size(ptr, 1) == SIZE_MAX 465 * - the size of flexible arrays in ptr's obj (by design, dynamic size): 466 * __builtin_object_size(ptr->flex_buf, 1) == SIZE_MAX 467 * - the size of ANY array at the end of ptr's obj (gcc and clang bug): 468 * __builtin_object_size(ptr->end_buf, 1) == SIZE_MAX 469 * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 470 * 471 * Cases where destination size is currently detected: 472 * - the size of non-array members within ptr's object: 473 * __builtin_object_size(ptr->a, 1) == 2 474 * - the size of non-flexible-array in the middle of ptr's obj: 475 * __builtin_object_size(ptr->middle_buf, 1) == 16 476 * 477 */ 478 479 /* 480 * __builtin_object_size() must be captured here to avoid evaluating argument 481 * side-effects further into the macro layers. 482 */ 483 #define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \ 484 __builtin_object_size(p, 0), __builtin_object_size(q, 0), \ 485 __builtin_object_size(p, 1), __builtin_object_size(q, 1), \ 486 memcpy) 487 #define memmove(p, q, s) __fortify_memcpy_chk(p, q, s, \ 488 __builtin_object_size(p, 0), __builtin_object_size(q, 0), \ 489 __builtin_object_size(p, 1), __builtin_object_size(q, 1), \ 490 memmove) 491 492 extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan); 493 __FORTIFY_INLINE void *memscan(void * const POS0 p, int c, __kernel_size_t size) 494 { 495 size_t p_size = __builtin_object_size(p, 0); 496 497 if (__builtin_constant_p(size) && p_size < size) 498 __read_overflow(); 499 if (p_size < size) 500 fortify_panic(__func__); 501 return __real_memscan(p, c, size); 502 } 503 504 __FORTIFY_INLINE __diagnose_as(__builtin_memcmp, 1, 2, 3) 505 int memcmp(const void * const POS0 p, const void * const POS0 q, __kernel_size_t size) 506 { 507 size_t p_size = __builtin_object_size(p, 0); 508 size_t q_size = __builtin_object_size(q, 0); 509 510 if (__builtin_constant_p(size)) { 511 if (p_size < size) 512 __read_overflow(); 513 if (q_size < size) 514 __read_overflow2(); 515 } 516 if (p_size < size || q_size < size) 517 fortify_panic(__func__); 518 return __underlying_memcmp(p, q, size); 519 } 520 521 __FORTIFY_INLINE __diagnose_as(__builtin_memchr, 1, 2, 3) 522 void *memchr(const void * const POS0 p, int c, __kernel_size_t size) 523 { 524 size_t p_size = __builtin_object_size(p, 0); 525 526 if (__builtin_constant_p(size) && p_size < size) 527 __read_overflow(); 528 if (p_size < size) 529 fortify_panic(__func__); 530 return __underlying_memchr(p, c, size); 531 } 532 533 void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv); 534 __FORTIFY_INLINE void *memchr_inv(const void * const POS0 p, int c, size_t size) 535 { 536 size_t p_size = __builtin_object_size(p, 0); 537 538 if (__builtin_constant_p(size) && p_size < size) 539 __read_overflow(); 540 if (p_size < size) 541 fortify_panic(__func__); 542 return __real_memchr_inv(p, c, size); 543 } 544 545 extern void *__real_kmemdup(const void *src, size_t len, gfp_t gfp) __RENAME(kmemdup); 546 __FORTIFY_INLINE void *kmemdup(const void * const POS0 p, size_t size, gfp_t gfp) 547 { 548 size_t p_size = __builtin_object_size(p, 0); 549 550 if (__builtin_constant_p(size) && p_size < size) 551 __read_overflow(); 552 if (p_size < size) 553 fortify_panic(__func__); 554 return __real_kmemdup(p, size, gfp); 555 } 556 557 /* Defined after fortified strlen to reuse it. */ 558 __FORTIFY_INLINE __diagnose_as(__builtin_strcpy, 1, 2) 559 char *strcpy(char * const POS p, const char * const POS q) 560 { 561 size_t p_size = __builtin_object_size(p, 1); 562 size_t q_size = __builtin_object_size(q, 1); 563 size_t size; 564 565 /* If neither buffer size is known, immediately give up. */ 566 if (p_size == SIZE_MAX && q_size == SIZE_MAX) 567 return __underlying_strcpy(p, q); 568 size = strlen(q) + 1; 569 /* Compile-time check for const size overflow. */ 570 if (__builtin_constant_p(size) && p_size < size) 571 __write_overflow(); 572 /* Run-time check for dynamic size overflow. */ 573 if (p_size < size) 574 fortify_panic(__func__); 575 __underlying_memcpy(p, q, size); 576 return p; 577 } 578 579 /* Don't use these outside the FORITFY_SOURCE implementation */ 580 #undef __underlying_memchr 581 #undef __underlying_memcmp 582 #undef __underlying_strcat 583 #undef __underlying_strcpy 584 #undef __underlying_strlen 585 #undef __underlying_strncat 586 #undef __underlying_strncpy 587 588 #undef POS 589 #undef POS0 590 591 #endif /* _LINUX_FORTIFY_STRING_H_ */ 592