| Message ID | 20230424112313.3408363-1-glider@google.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp2677040vqo;
Mon, 24 Apr 2023 04:40:08 -0700 (PDT)
X-Google-Smtp-Source:
AKy350ZH9TZ9Rd4diQ46vE6s15i+QJoTqqVWjMIqW3X18vHEw4nVVSyY7QZc4ZyOTaRgOjlf5rR1
X-Received: by 2002:a17:90b:38c4:b0:23f:6830:568e with SMTP id
nn4-20020a17090b38c400b0023f6830568emr13625102pjb.8.1682336407818;
Mon, 24 Apr 2023 04:40:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1682336407; cv=none;
d=google.com; s=arc-20160816;
b=LLtqeM/ymkkIupogRi2g/U9bMCeJ/+l3+Pti0mc25JHOzokhsHj1hUJsthKGqTNNb3
R6Y6kLSlbuLIOcc+o39mtBGIj1ophrk3pTXu5R0Zo/7JRtrZwEhz3OINvjadVwnlcm02
suWw4q/P5A8nE5VNNe4DiZIoR2FCOT4qhV+tnLQF+u3/6u5sio3BDnR8qJRdZaaufait
iwFIgO7dhwsfg+EvZVu+5/hid9BhRqjaf4t3t2zHbcfEvaAvftRvj37LFrUzp4H0SeUP
e5cDS08aTpdsbEeLIMURJcliaTfS+FnSJbaiFvJowmMoSzzwHytDQSR5a0t6nZRK+nnU
BCog==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:cc:to:from:subject:message-id:mime-version:date
:dkim-signature;
bh=klWy9eDeY9DLyh7eLsNz2mZGZzQpgILthmxtoxhfJPs=;
b=ApUbygmXyRZSAU/Qe8fWM+ltOQvQkLCoK9mqXrd+6kpv5E9VSi6GwU0GoXQZQYxEC4
+V4ei3X1NccZM/K0+uXN1xu7j/bgDa+EjfILuBVLaIWRlPI84qmgOVGwhvZ2AD7BOw1Z
wE0UnlNimR3FxFIRNtnINW3+wDF/GuS9mp8+FnjiDPB3PyybITDNbYF++XD+BrPJ/27z
EmkWoZc5iRDH35RM2i0mXyFq7Afwz3Ny6uHD/oSdT2v6sfcXyILr4x3QcwrSbIIDw3rX
eQvNArfqZp7uO4SqQ8yRSGty+mV73bMQgD7qmZ+i7s8zi419E3gnq6CiDYH5vFt94gIu
In+g==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@google.com header.s=20221208 header.b=mxilGFIr;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
88-20020a17090a09e100b00247ad11b6d3si11551408pjo.88.2023.04.24.04.39.55;
Mon, 24 Apr 2023 04:40:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@google.com header.s=20221208 header.b=mxilGFIr;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231669AbjDXLXX (ORCPT <rfc822;zxc52fgh@gmail.com> + 99 others);
Mon, 24 Apr 2023 07:23:23 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58736 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231398AbjDXLXU (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 24 Apr 2023 07:23:20 -0400
Received: from mail-ej1-x649.google.com (mail-ej1-x649.google.com
[IPv6:2a00:1450:4864:20::649])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 09E243C2D
for <linux-kernel@vger.kernel.org>;
Mon, 24 Apr 2023 04:23:19 -0700 (PDT)
Received: by mail-ej1-x649.google.com with SMTP id
a640c23a62f3a-94f5a1fa123so444049066b.0
for <linux-kernel@vger.kernel.org>;
Mon, 24 Apr 2023 04:23:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20221208; t=1682335397; x=1684927397;
h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject
:date:message-id:reply-to;
bh=klWy9eDeY9DLyh7eLsNz2mZGZzQpgILthmxtoxhfJPs=;
b=mxilGFIr6qGQEG87YfDW5J2uPJURyiX6HOl+bYW2jIP+y/R1nS+GY4Tsz7SEqVu3q8
iNJGENUs/fkJ3IN1UwEagRLu2Wi5OlRC7rePMrAw9JGnYNxTomfP2wZYgrHfuGSVXj0Y
My7mMOBWyZgKnguCH465dASmx7AqHjBBQXnDDJ6xM8msgN/Bxd5IwFfe3kkS94UhaNDT
ovYKX+1R9as8Iuam+OMrwLCe8BgEP8G/RFnQhSpzLFDHuuiZ2oIpxdscyG/kGa/yyo//
aJ1odHmuhZRINrZ++FlEeC5GrfKHmpwy4EZmvKhYlXcIjy27ObQZLdGXel85oh9qehA+
izyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20221208; t=1682335397; x=1684927397;
h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state
:from:to:cc:subject:date:message-id:reply-to;
bh=klWy9eDeY9DLyh7eLsNz2mZGZzQpgILthmxtoxhfJPs=;
b=gj67UZzyHRv5hub0tlk8sXFjay3dSNxLgMNG8QP1qZfX/qeQHkUHy0CiQYwEfBY/Ai
wNyj1wh5Y7/RtN+MO6JC6Du3qglbcGAVSk9Dn9IpwBi+2X69wBzsXPN7P3tKlIHG0TdV
prQGBabU1B3vE5Xv+NJMTjSq8qYuZwxmDiD8xey8KKtMSAW1dHkHPsgcWV7CmHxdNAbH
wMJwRzebY97EisKt980k3vPqa3nt5jnXjzQ5U3ztnK0tiy0dVriqKARv0lCs18YR/aIJ
WuVZvHBHIjuZzifDrBIiEET+tYPo3NlbRewAq5wlbmhNnDfxcpFU9j7EnvokQbEx7E9M
BPZQ==
X-Gm-Message-State: AAQBX9ento78FlEHobE32QQcZKPk58J9UVECPpoquv39BS2W2oDswXz1
OQfWYhyKBt78VmmEzA+rgVkTyQ1hPkQ=
X-Received: from glider.muc.corp.google.com
([2a00:79e0:9c:201:ae04:112a:7904:fef5])
(user=glider job=sendgmr) by 2002:a17:906:eb1a:b0:94f:c72:1de0 with SMTP id
mb26-20020a170906eb1a00b0094f0c721de0mr3297825ejb.14.1682335397499; Mon, 24
Apr 2023 04:23:17 -0700 (PDT)
Date: Mon, 24 Apr 2023 13:23:13 +0200
Mime-Version: 1.0
X-Mailer: git-send-email 2.40.0.634.g4ca3ef3211-goog
Message-ID: <20230424112313.3408363-1-glider@google.com>
Subject: [PATCH] string: use __builtin_memcpy() in strlcpy/strlcat
From: Alexander Potapenko <glider@google.com>
To: glider@google.com
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
akpm@linux-foundation.org, elver@google.com, dvyukov@google.com,
kasan-dev@googlegroups.com, andy@kernel.org,
ndesaulniers@google.com, nathan@kernel.org
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1764057581346458414?=
X-GMAIL-MSGID: =?utf-8?q?1764057581346458414?=
|
| Series |
string: use __builtin_memcpy() in strlcpy/strlcat
|
|
Commit Message
Alexander Potapenko
April 24, 2023, 11:23 a.m. UTC
lib/string.c is built with -ffreestanding, which prevents the compiler
from replacing certain functions with calls to their library versions.
On the other hand, this also prevents Clang and GCC from instrumenting
calls to memcpy() when building with KASAN, KCSAN or KMSAN:
- KASAN normally replaces memcpy() with __asan_memcpy() with the
additional cc-param,asan-kernel-mem-intrinsic-prefix=1;
- KCSAN and KMSAN replace memcpy() with __tsan_memcpy() and
__msan_memcpy() by default.
To let the tools catch memory accesses from strlcpy/strlcat, replace
the calls to memcpy() with __builtin_memcpy(), which KASAN, KCSAN and
KMSAN are able to replace even in -ffreestanding mode.
This preserves the behavior in normal builds (__builtin_memcpy() ends up
being replaced with memcpy()), and does not introduce new instrumentation
in unwanted places, as strlcpy/strlcat are already instrumented.
Suggested-by: Marco Elver <elver@google.com>
Signed-off-by: Alexander Potapenko <glider@google.com>
Link: https://lore.kernel.org/all/20230224085942.1791837-1-elver@google.com/
---
lib/string.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
On Mon, 24 Apr 2023 at 13:23, Alexander Potapenko <glider@google.com> wrote: > > lib/string.c is built with -ffreestanding, which prevents the compiler > from replacing certain functions with calls to their library versions. > > On the other hand, this also prevents Clang and GCC from instrumenting > calls to memcpy() when building with KASAN, KCSAN or KMSAN: > - KASAN normally replaces memcpy() with __asan_memcpy() with the > additional cc-param,asan-kernel-mem-intrinsic-prefix=1; > - KCSAN and KMSAN replace memcpy() with __tsan_memcpy() and > __msan_memcpy() by default. > > To let the tools catch memory accesses from strlcpy/strlcat, replace > the calls to memcpy() with __builtin_memcpy(), which KASAN, KCSAN and > KMSAN are able to replace even in -ffreestanding mode. > > This preserves the behavior in normal builds (__builtin_memcpy() ends up > being replaced with memcpy()), and does not introduce new instrumentation > in unwanted places, as strlcpy/strlcat are already instrumented. > > Suggested-by: Marco Elver <elver@google.com> > Signed-off-by: Alexander Potapenko <glider@google.com> > Link: https://lore.kernel.org/all/20230224085942.1791837-1-elver@google.com/ Reviewed-by: Marco Elver <elver@google.com> Looks reasonable. > --- > lib/string.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/lib/string.c b/lib/string.c > index 3d55ef8901068..be26623953d2e 100644 > --- a/lib/string.c > +++ b/lib/string.c > @@ -110,7 +110,7 @@ size_t strlcpy(char *dest, const char *src, size_t size) > > if (size) { > size_t len = (ret >= size) ? size - 1 : ret; > - memcpy(dest, src, len); > + __builtin_memcpy(dest, src, len); > dest[len] = '\0'; > } > return ret; > @@ -260,7 +260,7 @@ size_t strlcat(char *dest, const char *src, size_t count) > count -= dsize; > if (len >= count) > len = count-1; > - memcpy(dest, src, len); > + __builtin_memcpy(dest, src, len); > dest[len] = 0; > return res; > } > -- > 2.40.0.634.g4ca3ef3211-goog >
On Mon, Apr 24, 2023 at 01:23:13PM +0200, Alexander Potapenko wrote: > lib/string.c is built with -ffreestanding, which prevents the compiler > from replacing certain functions with calls to their library versions. > > On the other hand, this also prevents Clang and GCC from instrumenting > calls to memcpy() when building with KASAN, KCSAN or KMSAN: > - KASAN normally replaces memcpy() with __asan_memcpy() with the > additional cc-param,asan-kernel-mem-intrinsic-prefix=1; > - KCSAN and KMSAN replace memcpy() with __tsan_memcpy() and > __msan_memcpy() by default. > > To let the tools catch memory accesses from strlcpy/strlcat, replace > the calls to memcpy() with __builtin_memcpy(), which KASAN, KCSAN and > KMSAN are able to replace even in -ffreestanding mode. > > This preserves the behavior in normal builds (__builtin_memcpy() ends up > being replaced with memcpy()), and does not introduce new instrumentation > in unwanted places, as strlcpy/strlcat are already instrumented. > > Suggested-by: Marco Elver <elver@google.com> > Signed-off-by: Alexander Potapenko <glider@google.com> > Link: https://lore.kernel.org/all/20230224085942.1791837-1-elver@google.com/ > --- > lib/string.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/lib/string.c b/lib/string.c > index 3d55ef8901068..be26623953d2e 100644 > --- a/lib/string.c > +++ b/lib/string.c > @@ -110,7 +110,7 @@ size_t strlcpy(char *dest, const char *src, size_t size) > > if (size) { > size_t len = (ret >= size) ? size - 1 : ret; > - memcpy(dest, src, len); > + __builtin_memcpy(dest, src, len); > dest[len] = '\0'; > } > return ret; > @@ -260,7 +260,7 @@ size_t strlcat(char *dest, const char *src, size_t count) > count -= dsize; > if (len >= count) > len = count-1; > - memcpy(dest, src, len); > + __builtin_memcpy(dest, src, len); > dest[len] = 0; > return res; I *think* this isn't a problem for CONFIG_FORTIFY, since these will be replaced and checked separately -- but it still seems strange that you need to explicitly use __builtin_memcpy. Does this end up changing fortify coverage?
> > I *think* this isn't a problem for CONFIG_FORTIFY, since these will be > replaced and checked separately -- but it still seems strange that you > need to explicitly use __builtin_memcpy. > > Does this end up changing fortify coverage? Is fortify relevant here? Note that the whole file is compiled with __NO_FORTIFY.
On Wed, May 10, 2023 at 9:48 AM Alexander Potapenko <glider@google.com> wrote: > > > > On Fri, Apr 28, 2023 at 3:48 PM Alexander Potapenko <glider@google.com> wrote: >> >> > I *think* this isn't a problem for CONFIG_FORTIFY, since these will be >> > replaced and checked separately -- but it still seems strange that you >> > need to explicitly use __builtin_memcpy. >> > > Or did you mean we'd better use __underlying_memcpy() here instead? I am a bit puzzled. Kees told me offline that the patch in question is fine. @Andrew, would it be possible to queue it for 6.4? -- Alexander Potapenko Software Engineer Google Germany GmbH Erika-Mann-Straße, 33 80636 München Geschäftsführer: Paul Manicle, Liana Sebastian Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg
On Fri, Apr 28, 2023 at 03:48:28PM +0200, Alexander Potapenko wrote: > > > > I *think* this isn't a problem for CONFIG_FORTIFY, since these will be > > replaced and checked separately -- but it still seems strange that you > > need to explicitly use __builtin_memcpy. > > > > Does this end up changing fortify coverage? > > Is fortify relevant here? Note that the whole file is compiled with > __NO_FORTIFY. Yeah, agreed. I think I was just curious if that got verified. I'm good with this. Acked-by: Kees Cook <keescook@chromium.org>
diff --git a/lib/string.c b/lib/string.c index 3d55ef8901068..be26623953d2e 100644 --- a/lib/string.c +++ b/lib/string.c @@ -110,7 +110,7 @@ size_t strlcpy(char *dest, const char *src, size_t size) if (size) { size_t len = (ret >= size) ? size - 1 : ret; - memcpy(dest, src, len); + __builtin_memcpy(dest, src, len); dest[len] = '\0'; } return ret; @@ -260,7 +260,7 @@ size_t strlcat(char *dest, const char *src, size_t count) count -= dsize; if (len >= count) len = count-1; - memcpy(dest, src, len); + __builtin_memcpy(dest, src, len); dest[len] = 0; return res; }