1 /* SPDX-License-Identifier: GPL-2.0 */ 2 #ifndef _LINUX_FORTIFY_STRING_H_ 3 #define _LINUX_FORTIFY_STRING_H_ 4 5 #include <linux/bitfield.h> 6 #include <linux/bug.h> 7 #include <linux/const.h> 8 #include <linux/limits.h> 9 10 #define __FORTIFY_INLINE extern __always_inline __gnu_inline __overloadable 11 #define __RENAME(x) __asm__(#x) 12 13 #define FORTIFY_REASON_DIR(r) FIELD_GET(BIT(0), r) 14 #define FORTIFY_REASON_FUNC(r) FIELD_GET(GENMASK(7, 1), r) 15 #define FORTIFY_REASON(func, write) (FIELD_PREP(BIT(0), write) | \ 16 FIELD_PREP(GENMASK(7, 1), func)) 17 18 /* Overridden by KUnit tests. */ 19 #ifndef fortify_panic 20 # define fortify_panic(func, write, avail, size, retfail) \ 21 __fortify_panic(FORTIFY_REASON(func, write), avail, size) 22 #endif 23 #ifndef fortify_warn_once 24 # define fortify_warn_once(x...) WARN_ONCE(x) 25 #endif 26 27 #define FORTIFY_READ 0 28 #define FORTIFY_WRITE 1 29 30 #define EACH_FORTIFY_FUNC(macro) \ 31 macro(strncpy), \ 32 macro(strnlen), \ 33 macro(strlen), \ 34 macro(strscpy), \ 35 macro(strlcat), \ 36 macro(strcat), \ 37 macro(strncat), \ 38 macro(memset), \ 39 macro(memcpy), \ 40 macro(memmove), \ 41 macro(memscan), \ 42 macro(memcmp), \ 43 macro(memchr), \ 44 macro(memchr_inv), \ 45 macro(kmemdup), \ 46 macro(strcpy), \ 47 macro(UNKNOWN), 48 49 #define MAKE_FORTIFY_FUNC(func) FORTIFY_FUNC_##func 50 51 enum fortify_func { 52 EACH_FORTIFY_FUNC(MAKE_FORTIFY_FUNC) 53 }; 54 55 void __fortify_report(const u8 reason, const size_t avail, const size_t size); 56 void __fortify_panic(const u8 reason, const size_t avail, const size_t size) __cold __noreturn; 57 void __read_overflow(void) __compiletime_error("detected read beyond size of object (1st parameter)"); 58 void __read_overflow2(void) __compiletime_error("detected read beyond size of object (2nd parameter)"); 59 void __read_overflow2_field(size_t avail, size_t wanted) __compiletime_warning("detected read beyond size of field (2nd parameter); maybe use struct_group()?"); 60 void __write_overflow(void) __compiletime_error("detected write beyond size of object (1st parameter)"); 61 void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("detected write beyond size of field (1st parameter); maybe use struct_group()?"); 62 63 #define __compiletime_strlen(p) \ 64 ({ \ 65 char *__p = (char *)(p); \ 66 size_t __ret = SIZE_MAX; \ 67 const size_t __p_size = __member_size(p); \ 68 if (__p_size != SIZE_MAX && \ 69 __builtin_constant_p(*__p)) { \ 70 size_t __p_len = __p_size - 1; \ 71 if (__builtin_constant_p(__p[__p_len]) && \ 72 __p[__p_len] == '\0') \ 73 __ret = __builtin_strlen(__p); \ 74 } \ 75 __ret; \ 76 }) 77 78 #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) 79 extern void *__underlying_memchr(const void *p, int c, __kernel_size_t size) __RENAME(memchr); 80 extern int __underlying_memcmp(const void *p, const void *q, __kernel_size_t size) __RENAME(memcmp); 81 extern void *__underlying_memcpy(void *p, const void *q, __kernel_size_t size) __RENAME(memcpy); 82 extern void *__underlying_memmove(void *p, const void *q, __kernel_size_t size) __RENAME(memmove); 83 extern void *__underlying_memset(void *p, int c, __kernel_size_t size) __RENAME(memset); 84 extern char *__underlying_strcat(char *p, const char *q) __RENAME(strcat); 85 extern char *__underlying_strcpy(char *p, const char *q) __RENAME(strcpy); 86 extern __kernel_size_t __underlying_strlen(const char *p) __RENAME(strlen); 87 extern char *__underlying_strncat(char *p, const char *q, __kernel_size_t count) __RENAME(strncat); 88 extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) __RENAME(strncpy); 89 #else 90 91 #if defined(__SANITIZE_MEMORY__) 92 /* 93 * For KMSAN builds all memcpy/memset/memmove calls should be replaced by the 94 * corresponding __msan_XXX functions. 95 */ 96 #include <linux/kmsan_string.h> 97 #define __underlying_memcpy __msan_memcpy 98 #define __underlying_memmove __msan_memmove 99 #define __underlying_memset __msan_memset 100 #else 101 #define __underlying_memcpy __builtin_memcpy 102 #define __underlying_memmove __builtin_memmove 103 #define __underlying_memset __builtin_memset 104 #endif 105 106 #define __underlying_memchr __builtin_memchr 107 #define __underlying_memcmp __builtin_memcmp 108 #define __underlying_strcat __builtin_strcat 109 #define __underlying_strcpy __builtin_strcpy 110 #define __underlying_strlen __builtin_strlen 111 #define __underlying_strncat __builtin_strncat 112 #define __underlying_strncpy __builtin_strncpy 113 #endif 114 115 /** 116 * unsafe_memcpy - memcpy implementation with no FORTIFY bounds checking 117 * 118 * @dst: Destination memory address to write to 119 * @src: Source memory address to read from 120 * @bytes: How many bytes to write to @dst from @src 121 * @justification: Free-form text or comment describing why the use is needed 122 * 123 * This should be used for corner cases where the compiler cannot do the 124 * right thing, or during transitions between APIs, etc. It should be used 125 * very rarely, and includes a place for justification detailing where bounds 126 * checking has happened, and why existing solutions cannot be employed. 127 */ 128 #define unsafe_memcpy(dst, src, bytes, justification) \ 129 __underlying_memcpy(dst, src, bytes) 130 131 /* 132 * Clang's use of __builtin_*object_size() within inlines needs hinting via 133 * __pass_*object_size(). The preference is to only ever use type 1 (member 134 * size, rather than struct size), but there remain some stragglers using 135 * type 0 that will be converted in the future. 136 */ 137 #if __has_builtin(__builtin_dynamic_object_size) 138 #define POS __pass_dynamic_object_size(1) 139 #define POS0 __pass_dynamic_object_size(0) 140 #else 141 #define POS __pass_object_size(1) 142 #define POS0 __pass_object_size(0) 143 #endif 144 145 #define __compiletime_lessthan(bounds, length) ( \ 146 __builtin_constant_p((bounds) < (length)) && \ 147 (bounds) < (length) \ 148 ) 149 150 /** 151 * strncpy - Copy a string to memory with non-guaranteed NUL padding 152 * 153 * @p: pointer to destination of copy 154 * @q: pointer to NUL-terminated source string to copy 155 * @size: bytes to write at @p 156 * 157 * If strlen(@q) >= @size, the copy of @q will stop after @size bytes, 158 * and @p will NOT be NUL-terminated 159 * 160 * If strlen(@q) < @size, following the copy of @q, trailing NUL bytes 161 * will be written to @p until @size total bytes have been written. 162 * 163 * Do not use this function. While FORTIFY_SOURCE tries to avoid 164 * over-reads of @q, it cannot defend against writing unterminated 165 * results to @p. Using strncpy() remains ambiguous and fragile. 166 * Instead, please choose an alternative, so that the expectation 167 * of @p's contents is unambiguous: 168 * 169 * +--------------------+--------------------+------------+ 170 * | **p** needs to be: | padded to **size** | not padded | 171 * +====================+====================+============+ 172 * | NUL-terminated | strscpy_pad() | strscpy() | 173 * +--------------------+--------------------+------------+ 174 * | not NUL-terminated | strtomem_pad() | strtomem() | 175 * +--------------------+--------------------+------------+ 176 * 177 * Note strscpy*()'s differing return values for detecting truncation, 178 * and strtomem*()'s expectation that the destination is marked with 179 * __nonstring when it is a character array. 180 * 181 */ 182 __FORTIFY_INLINE __diagnose_as(__builtin_strncpy, 1, 2, 3) 183 char *strncpy(char * const POS p, const char *q, __kernel_size_t size) 184 { 185 const size_t p_size = __member_size(p); 186 187 if (__compiletime_lessthan(p_size, size)) 188 __write_overflow(); 189 if (p_size < size) 190 fortify_panic(FORTIFY_FUNC_strncpy, FORTIFY_WRITE, p_size, size, p); 191 return __underlying_strncpy(p, q, size); 192 } 193 194 extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen); 195 /** 196 * strnlen - Return bounded count of characters in a NUL-terminated string 197 * 198 * @p: pointer to NUL-terminated string to count. 199 * @maxlen: maximum number of characters to count. 200 * 201 * Returns number of characters in @p (NOT including the final NUL), or 202 * @maxlen, if no NUL has been found up to there. 203 * 204 */ 205 __FORTIFY_INLINE __kernel_size_t strnlen(const char * const POS p, __kernel_size_t maxlen) 206 { 207 const size_t p_size = __member_size(p); 208 const size_t p_len = __compiletime_strlen(p); 209 size_t ret; 210 211 /* We can take compile-time actions when maxlen is const. */ 212 if (__builtin_constant_p(maxlen) && p_len != SIZE_MAX) { 213 /* If p is const, we can use its compile-time-known len. */ 214 if (maxlen >= p_size) 215 return p_len; 216 } 217 218 /* Do not check characters beyond the end of p. */ 219 ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); 220 if (p_size <= ret && maxlen != ret) 221 fortify_panic(FORTIFY_FUNC_strnlen, FORTIFY_READ, p_size, ret + 1, ret); 222 return ret; 223 } 224 225 /* 226 * Defined after fortified strnlen to reuse it. However, it must still be 227 * possible for strlen() to be used on compile-time strings for use in 228 * static initializers (i.e. as a constant expression). 229 */ 230 /** 231 * strlen - Return count of characters in a NUL-terminated string 232 * 233 * @p: pointer to NUL-terminated string to count. 234 * 235 * Do not use this function unless the string length is known at 236 * compile-time. When @p is unterminated, this function may crash 237 * or return unexpected counts that could lead to memory content 238 * exposures. Prefer strnlen(). 239 * 240 * Returns number of characters in @p (NOT including the final NUL). 241 * 242 */ 243 #define strlen(p) \ 244 __builtin_choose_expr(__is_constexpr(__builtin_strlen(p)), \ 245 __builtin_strlen(p), __fortify_strlen(p)) 246 __FORTIFY_INLINE __diagnose_as(__builtin_strlen, 1) 247 __kernel_size_t __fortify_strlen(const char * const POS p) 248 { 249 const size_t p_size = __member_size(p); 250 __kernel_size_t ret; 251 252 /* Give up if we don't know how large p is. */ 253 if (p_size == SIZE_MAX) 254 return __underlying_strlen(p); 255 ret = strnlen(p, p_size); 256 if (p_size <= ret) 257 fortify_panic(FORTIFY_FUNC_strlen, FORTIFY_READ, p_size, ret + 1, ret); 258 return ret; 259 } 260 261 /* Defined after fortified strnlen() to reuse it. */ 262 extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(sized_strscpy); 263 __FORTIFY_INLINE ssize_t sized_strscpy(char * const POS p, const char * const POS q, size_t size) 264 { 265 /* Use string size rather than possible enclosing struct size. */ 266 const size_t p_size = __member_size(p); 267 const size_t q_size = __member_size(q); 268 size_t len; 269 270 /* If we cannot get size of p and q default to call strscpy. */ 271 if (p_size == SIZE_MAX && q_size == SIZE_MAX) 272 return __real_strscpy(p, q, size); 273 274 /* 275 * If size can be known at compile time and is greater than 276 * p_size, generate a compile time write overflow error. 277 */ 278 if (__compiletime_lessthan(p_size, size)) 279 __write_overflow(); 280 281 /* Short-circuit for compile-time known-safe lengths. */ 282 if (__compiletime_lessthan(p_size, SIZE_MAX)) { 283 len = __compiletime_strlen(q); 284 285 if (len < SIZE_MAX && __compiletime_lessthan(len, size)) { 286 __underlying_memcpy(p, q, len + 1); 287 return len; 288 } 289 } 290 291 /* 292 * This call protects from read overflow, because len will default to q 293 * length if it smaller than size. 294 */ 295 len = strnlen(q, size); 296 /* 297 * If len equals size, we will copy only size bytes which leads to 298 * -E2BIG being returned. 299 * Otherwise we will copy len + 1 because of the final '\O'. 300 */ 301 len = len == size ? size : len + 1; 302 303 /* 304 * Generate a runtime write overflow error if len is greater than 305 * p_size. 306 */ 307 if (p_size < len) 308 fortify_panic(FORTIFY_FUNC_strscpy, FORTIFY_WRITE, p_size, len, -E2BIG); 309 310 /* 311 * We can now safely call vanilla strscpy because we are protected from: 312 * 1. Read overflow thanks to call to strnlen(). 313 * 2. Write overflow thanks to above ifs. 314 */ 315 return __real_strscpy(p, q, len); 316 } 317 318 /* Defined after fortified strlen() to reuse it. */ 319 extern size_t __real_strlcat(char *p, const char *q, size_t avail) __RENAME(strlcat); 320 /** 321 * strlcat - Append a string to an existing string 322 * 323 * @p: pointer to %NUL-terminated string to append to 324 * @q: pointer to %NUL-terminated string to append from 325 * @avail: Maximum bytes available in @p 326 * 327 * Appends %NUL-terminated string @q after the %NUL-terminated 328 * string at @p, but will not write beyond @avail bytes total, 329 * potentially truncating the copy from @q. @p will stay 330 * %NUL-terminated only if a %NUL already existed within 331 * the @avail bytes of @p. If so, the resulting number of 332 * bytes copied from @q will be at most "@avail - strlen(@p) - 1". 333 * 334 * Do not use this function. While FORTIFY_SOURCE tries to avoid 335 * read and write overflows, this is only possible when the sizes 336 * of @p and @q are known to the compiler. Prefer building the 337 * string with formatting, via scnprintf(), seq_buf, or similar. 338 * 339 * Returns total bytes that _would_ have been contained by @p 340 * regardless of truncation, similar to snprintf(). If return 341 * value is >= @avail, the string has been truncated. 342 * 343 */ 344 __FORTIFY_INLINE 345 size_t strlcat(char * const POS p, const char * const POS q, size_t avail) 346 { 347 const size_t p_size = __member_size(p); 348 const size_t q_size = __member_size(q); 349 size_t p_len, copy_len; 350 size_t actual, wanted; 351 352 /* Give up immediately if both buffer sizes are unknown. */ 353 if (p_size == SIZE_MAX && q_size == SIZE_MAX) 354 return __real_strlcat(p, q, avail); 355 356 p_len = strnlen(p, avail); 357 copy_len = strlen(q); 358 wanted = actual = p_len + copy_len; 359 360 /* Cannot append any more: report truncation. */ 361 if (avail <= p_len) 362 return wanted; 363 364 /* Give up if string is already overflowed. */ 365 if (p_size <= p_len) 366 fortify_panic(FORTIFY_FUNC_strlcat, FORTIFY_READ, p_size, p_len + 1, wanted); 367 368 if (actual >= avail) { 369 copy_len = avail - p_len - 1; 370 actual = p_len + copy_len; 371 } 372 373 /* Give up if copy will overflow. */ 374 if (p_size <= actual) 375 fortify_panic(FORTIFY_FUNC_strlcat, FORTIFY_WRITE, p_size, actual + 1, wanted); 376 __underlying_memcpy(p + p_len, q, copy_len); 377 p[actual] = '\0'; 378 379 return wanted; 380 } 381 382 /* Defined after fortified strlcat() to reuse it. */ 383 /** 384 * strcat - Append a string to an existing string 385 * 386 * @p: pointer to NUL-terminated string to append to 387 * @q: pointer to NUL-terminated source string to append from 388 * 389 * Do not use this function. While FORTIFY_SOURCE tries to avoid 390 * read and write overflows, this is only possible when the 391 * destination buffer size is known to the compiler. Prefer 392 * building the string with formatting, via scnprintf() or similar. 393 * At the very least, use strncat(). 394 * 395 * Returns @p. 396 * 397 */ 398 __FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2) 399 char *strcat(char * const POS p, const char *q) 400 { 401 const size_t p_size = __member_size(p); 402 const size_t wanted = strlcat(p, q, p_size); 403 404 if (p_size <= wanted) 405 fortify_panic(FORTIFY_FUNC_strcat, FORTIFY_WRITE, p_size, wanted + 1, p); 406 return p; 407 } 408 409 /** 410 * strncat - Append a string to an existing string 411 * 412 * @p: pointer to NUL-terminated string to append to 413 * @q: pointer to source string to append from 414 * @count: Maximum bytes to read from @q 415 * 416 * Appends at most @count bytes from @q (stopping at the first 417 * NUL byte) after the NUL-terminated string at @p. @p will be 418 * NUL-terminated. 419 * 420 * Do not use this function. While FORTIFY_SOURCE tries to avoid 421 * read and write overflows, this is only possible when the sizes 422 * of @p and @q are known to the compiler. Prefer building the 423 * string with formatting, via scnprintf() or similar. 424 * 425 * Returns @p. 426 * 427 */ 428 /* Defined after fortified strlen() and strnlen() to reuse them. */ 429 __FORTIFY_INLINE __diagnose_as(__builtin_strncat, 1, 2, 3) 430 char *strncat(char * const POS p, const char * const POS q, __kernel_size_t count) 431 { 432 const size_t p_size = __member_size(p); 433 const size_t q_size = __member_size(q); 434 size_t p_len, copy_len, total; 435 436 if (p_size == SIZE_MAX && q_size == SIZE_MAX) 437 return __underlying_strncat(p, q, count); 438 p_len = strlen(p); 439 copy_len = strnlen(q, count); 440 total = p_len + copy_len + 1; 441 if (p_size < total) 442 fortify_panic(FORTIFY_FUNC_strncat, FORTIFY_WRITE, p_size, total, p); 443 __underlying_memcpy(p + p_len, q, copy_len); 444 p[p_len + copy_len] = '\0'; 445 return p; 446 } 447 448 __FORTIFY_INLINE bool fortify_memset_chk(__kernel_size_t size, 449 const size_t p_size, 450 const size_t p_size_field) 451 { 452 if (__builtin_constant_p(size)) { 453 /* 454 * Length argument is a constant expression, so we 455 * can perform compile-time bounds checking where 456 * buffer sizes are also known at compile time. 457 */ 458 459 /* Error when size is larger than enclosing struct. */ 460 if (__compiletime_lessthan(p_size_field, p_size) && 461 __compiletime_lessthan(p_size, size)) 462 __write_overflow(); 463 464 /* Warn when write size is larger than dest field. */ 465 if (__compiletime_lessthan(p_size_field, size)) 466 __write_overflow_field(p_size_field, size); 467 } 468 /* 469 * At this point, length argument may not be a constant expression, 470 * so run-time bounds checking can be done where buffer sizes are 471 * known. (This is not an "else" because the above checks may only 472 * be compile-time warnings, and we want to still warn for run-time 473 * overflows.) 474 */ 475 476 /* 477 * Always stop accesses beyond the struct that contains the 478 * field, when the buffer's remaining size is known. 479 * (The SIZE_MAX test is to optimize away checks where the buffer 480 * lengths are unknown.) 481 */ 482 if (p_size != SIZE_MAX && p_size < size) 483 fortify_panic(FORTIFY_FUNC_memset, FORTIFY_WRITE, p_size, size, true); 484 return false; 485 } 486 487 #define __fortify_memset_chk(p, c, size, p_size, p_size_field) ({ \ 488 size_t __fortify_size = (size_t)(size); \ 489 fortify_memset_chk(__fortify_size, p_size, p_size_field), \ 490 __underlying_memset(p, c, __fortify_size); \ 491 }) 492 493 /* 494 * __struct_size() vs __member_size() must be captured here to avoid 495 * evaluating argument side-effects further into the macro layers. 496 */ 497 #ifndef CONFIG_KMSAN 498 #define memset(p, c, s) __fortify_memset_chk(p, c, s, \ 499 __struct_size(p), __member_size(p)) 500 #endif 501 502 /* 503 * To make sure the compiler can enforce protection against buffer overflows, 504 * memcpy(), memmove(), and memset() must not be used beyond individual 505 * struct members. If you need to copy across multiple members, please use 506 * struct_group() to create a named mirror of an anonymous struct union. 507 * (e.g. see struct sk_buff.) Read overflow checking is currently only 508 * done when a write overflow is also present, or when building with W=1. 509 * 510 * Mitigation coverage matrix 511 * Bounds checking at: 512 * +-------+-------+-------+-------+ 513 * | Compile time | Run time | 514 * memcpy() argument sizes: | write | read | write | read | 515 * dest source length +-------+-------+-------+-------+ 516 * memcpy(known, known, constant) | y | y | n/a | n/a | 517 * memcpy(known, unknown, constant) | y | n | n/a | V | 518 * memcpy(known, known, dynamic) | n | n | B | B | 519 * memcpy(known, unknown, dynamic) | n | n | B | V | 520 * memcpy(unknown, known, constant) | n | y | V | n/a | 521 * memcpy(unknown, unknown, constant) | n | n | V | V | 522 * memcpy(unknown, known, dynamic) | n | n | V | B | 523 * memcpy(unknown, unknown, dynamic) | n | n | V | V | 524 * +-------+-------+-------+-------+ 525 * 526 * y = perform deterministic compile-time bounds checking 527 * n = cannot perform deterministic compile-time bounds checking 528 * n/a = no run-time bounds checking needed since compile-time deterministic 529 * B = can perform run-time bounds checking (currently unimplemented) 530 * V = vulnerable to run-time overflow (will need refactoring to solve) 531 * 532 */ 533 __FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size, 534 const size_t p_size, 535 const size_t q_size, 536 const size_t p_size_field, 537 const size_t q_size_field, 538 const u8 func) 539 { 540 if (__builtin_constant_p(size)) { 541 /* 542 * Length argument is a constant expression, so we 543 * can perform compile-time bounds checking where 544 * buffer sizes are also known at compile time. 545 */ 546 547 /* Error when size is larger than enclosing struct. */ 548 if (__compiletime_lessthan(p_size_field, p_size) && 549 __compiletime_lessthan(p_size, size)) 550 __write_overflow(); 551 if (__compiletime_lessthan(q_size_field, q_size) && 552 __compiletime_lessthan(q_size, size)) 553 __read_overflow2(); 554 555 /* Warn when write size argument larger than dest field. */ 556 if (__compiletime_lessthan(p_size_field, size)) 557 __write_overflow_field(p_size_field, size); 558 /* 559 * Warn for source field over-read when building with W=1 560 * or when an over-write happened, so both can be fixed at 561 * the same time. 562 */ 563 if ((IS_ENABLED(KBUILD_EXTRA_WARN1) || 564 __compiletime_lessthan(p_size_field, size)) && 565 __compiletime_lessthan(q_size_field, size)) 566 __read_overflow2_field(q_size_field, size); 567 } 568 /* 569 * At this point, length argument may not be a constant expression, 570 * so run-time bounds checking can be done where buffer sizes are 571 * known. (This is not an "else" because the above checks may only 572 * be compile-time warnings, and we want to still warn for run-time 573 * overflows.) 574 */ 575 576 /* 577 * Always stop accesses beyond the struct that contains the 578 * field, when the buffer's remaining size is known. 579 * (The SIZE_MAX test is to optimize away checks where the buffer 580 * lengths are unknown.) 581 */ 582 if (p_size != SIZE_MAX && p_size < size) 583 fortify_panic(func, FORTIFY_WRITE, p_size, size, true); 584 else if (q_size != SIZE_MAX && q_size < size) 585 fortify_panic(func, FORTIFY_READ, p_size, size, true); 586 587 /* 588 * Warn when writing beyond destination field size. 589 * 590 * We must ignore p_size_field == 0 for existing 0-element 591 * fake flexible arrays, until they are all converted to 592 * proper flexible arrays. 593 * 594 * The implementation of __builtin_*object_size() behaves 595 * like sizeof() when not directly referencing a flexible 596 * array member, which means there will be many bounds checks 597 * that will appear at run-time, without a way for them to be 598 * detected at compile-time (as can be done when the destination 599 * is specifically the flexible array member). 600 * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832 601 */ 602 if (p_size_field != 0 && p_size_field != SIZE_MAX && 603 p_size != p_size_field && p_size_field < size) 604 return true; 605 606 return false; 607 } 608 609 #define __fortify_memcpy_chk(p, q, size, p_size, q_size, \ 610 p_size_field, q_size_field, op) ({ \ 611 const size_t __fortify_size = (size_t)(size); \ 612 const size_t __p_size = (p_size); \ 613 const size_t __q_size = (q_size); \ 614 const size_t __p_size_field = (p_size_field); \ 615 const size_t __q_size_field = (q_size_field); \ 616 fortify_warn_once(fortify_memcpy_chk(__fortify_size, __p_size, \ 617 __q_size, __p_size_field, \ 618 __q_size_field, FORTIFY_FUNC_ ##op), \ 619 #op ": detected field-spanning write (size %zu) of single %s (size %zu)\n", \ 620 __fortify_size, \ 621 "field \"" #p "\" at " FILE_LINE, \ 622 __p_size_field); \ 623 __underlying_##op(p, q, __fortify_size); \ 624 }) 625 626 /* 627 * Notes about compile-time buffer size detection: 628 * 629 * With these types... 630 * 631 * struct middle { 632 * u16 a; 633 * u8 middle_buf[16]; 634 * int b; 635 * }; 636 * struct end { 637 * u16 a; 638 * u8 end_buf[16]; 639 * }; 640 * struct flex { 641 * int a; 642 * u8 flex_buf[]; 643 * }; 644 * 645 * void func(TYPE *ptr) { ... } 646 * 647 * Cases where destination size cannot be currently detected: 648 * - the size of ptr's object (seemingly by design, gcc & clang fail): 649 * __builtin_object_size(ptr, 1) == SIZE_MAX 650 * - the size of flexible arrays in ptr's obj (by design, dynamic size): 651 * __builtin_object_size(ptr->flex_buf, 1) == SIZE_MAX 652 * - the size of ANY array at the end of ptr's obj (gcc and clang bug): 653 * __builtin_object_size(ptr->end_buf, 1) == SIZE_MAX 654 * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 655 * 656 * Cases where destination size is currently detected: 657 * - the size of non-array members within ptr's object: 658 * __builtin_object_size(ptr->a, 1) == 2 659 * - the size of non-flexible-array in the middle of ptr's obj: 660 * __builtin_object_size(ptr->middle_buf, 1) == 16 661 * 662 */ 663 664 /* 665 * __struct_size() vs __member_size() must be captured here to avoid 666 * evaluating argument side-effects further into the macro layers. 667 */ 668 #define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \ 669 __struct_size(p), __struct_size(q), \ 670 __member_size(p), __member_size(q), \ 671 memcpy) 672 #define memmove(p, q, s) __fortify_memcpy_chk(p, q, s, \ 673 __struct_size(p), __struct_size(q), \ 674 __member_size(p), __member_size(q), \ 675 memmove) 676 677 extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan); 678 __FORTIFY_INLINE void *memscan(void * const POS0 p, int c, __kernel_size_t size) 679 { 680 const size_t p_size = __struct_size(p); 681 682 if (__compiletime_lessthan(p_size, size)) 683 __read_overflow(); 684 if (p_size < size) 685 fortify_panic(FORTIFY_FUNC_memscan, FORTIFY_READ, p_size, size, NULL); 686 return __real_memscan(p, c, size); 687 } 688 689 __FORTIFY_INLINE __diagnose_as(__builtin_memcmp, 1, 2, 3) 690 int memcmp(const void * const POS0 p, const void * const POS0 q, __kernel_size_t size) 691 { 692 const size_t p_size = __struct_size(p); 693 const size_t q_size = __struct_size(q); 694 695 if (__builtin_constant_p(size)) { 696 if (__compiletime_lessthan(p_size, size)) 697 __read_overflow(); 698 if (__compiletime_lessthan(q_size, size)) 699 __read_overflow2(); 700 } 701 if (p_size < size) 702 fortify_panic(FORTIFY_FUNC_memcmp, FORTIFY_READ, p_size, size, INT_MIN); 703 else if (q_size < size) 704 fortify_panic(FORTIFY_FUNC_memcmp, FORTIFY_READ, q_size, size, INT_MIN); 705 return __underlying_memcmp(p, q, size); 706 } 707 708 __FORTIFY_INLINE __diagnose_as(__builtin_memchr, 1, 2, 3) 709 void *memchr(const void * const POS0 p, int c, __kernel_size_t size) 710 { 711 const size_t p_size = __struct_size(p); 712 713 if (__compiletime_lessthan(p_size, size)) 714 __read_overflow(); 715 if (p_size < size) 716 fortify_panic(FORTIFY_FUNC_memchr, FORTIFY_READ, p_size, size, NULL); 717 return __underlying_memchr(p, c, size); 718 } 719 720 void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv); 721 __FORTIFY_INLINE void *memchr_inv(const void * const POS0 p, int c, size_t size) 722 { 723 const size_t p_size = __struct_size(p); 724 725 if (__compiletime_lessthan(p_size, size)) 726 __read_overflow(); 727 if (p_size < size) 728 fortify_panic(FORTIFY_FUNC_memchr_inv, FORTIFY_READ, p_size, size, NULL); 729 return __real_memchr_inv(p, c, size); 730 } 731 732 extern void *__real_kmemdup(const void *src, size_t len, gfp_t gfp) __RENAME(kmemdup_noprof) 733 __realloc_size(2); 734 __FORTIFY_INLINE void *kmemdup_noprof(const void * const POS0 p, size_t size, gfp_t gfp) 735 { 736 const size_t p_size = __struct_size(p); 737 738 if (__compiletime_lessthan(p_size, size)) 739 __read_overflow(); 740 if (p_size < size) 741 fortify_panic(FORTIFY_FUNC_kmemdup, FORTIFY_READ, p_size, size, 742 __real_kmemdup(p, 0, gfp)); 743 return __real_kmemdup(p, size, gfp); 744 } 745 #define kmemdup(...) alloc_hooks(kmemdup_noprof(__VA_ARGS__)) 746 747 /** 748 * strcpy - Copy a string into another string buffer 749 * 750 * @p: pointer to destination of copy 751 * @q: pointer to NUL-terminated source string to copy 752 * 753 * Do not use this function. While FORTIFY_SOURCE tries to avoid 754 * overflows, this is only possible when the sizes of @q and @p are 755 * known to the compiler. Prefer strscpy(), though note its different 756 * return values for detecting truncation. 757 * 758 * Returns @p. 759 * 760 */ 761 /* Defined after fortified strlen to reuse it. */ 762 __FORTIFY_INLINE __diagnose_as(__builtin_strcpy, 1, 2) 763 char *strcpy(char * const POS p, const char * const POS q) 764 { 765 const size_t p_size = __member_size(p); 766 const size_t q_size = __member_size(q); 767 size_t size; 768 769 /* If neither buffer size is known, immediately give up. */ 770 if (__builtin_constant_p(p_size) && 771 __builtin_constant_p(q_size) && 772 p_size == SIZE_MAX && q_size == SIZE_MAX) 773 return __underlying_strcpy(p, q); 774 size = strlen(q) + 1; 775 /* Compile-time check for const size overflow. */ 776 if (__compiletime_lessthan(p_size, size)) 777 __write_overflow(); 778 /* Run-time check for dynamic size overflow. */ 779 if (p_size < size) 780 fortify_panic(FORTIFY_FUNC_strcpy, FORTIFY_WRITE, p_size, size, p); 781 __underlying_memcpy(p, q, size); 782 return p; 783 } 784 785 /* Don't use these outside the FORITFY_SOURCE implementation */ 786 #undef __underlying_memchr 787 #undef __underlying_memcmp 788 #undef __underlying_strcat 789 #undef __underlying_strcpy 790 #undef __underlying_strlen 791 #undef __underlying_strncat 792 #undef __underlying_strncpy 793 794 #undef POS 795 #undef POS0 796 797 #endif /* _LINUX_FORTIFY_STRING_H_ */ 798