1 | /* SPDX-License-Identifier: GPL-2.0 */ |
2 | #ifndef _LINUX_FORTIFY_STRING_H_ |
3 | #define _LINUX_FORTIFY_STRING_H_ |
4 | |
5 | #include <linux/bug.h> |
6 | #include <linux/const.h> |
7 | #include <linux/limits.h> |
8 | |
9 | #define __FORTIFY_INLINE extern __always_inline __gnu_inline __overloadable |
10 | #define __RENAME(x) __asm__(#x) |
11 | |
12 | void fortify_panic(const char *name) __noreturn __cold; |
13 | void __read_overflow(void) __compiletime_error("detected read beyond size of object (1st parameter)" ); |
14 | void __read_overflow2(void) __compiletime_error("detected read beyond size of object (2nd parameter)" ); |
15 | void __read_overflow2_field(size_t avail, size_t wanted) __compiletime_warning("detected read beyond size of field (2nd parameter); maybe use struct_group()?" ); |
16 | void __write_overflow(void) __compiletime_error("detected write beyond size of object (1st parameter)" ); |
17 | void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("detected write beyond size of field (1st parameter); maybe use struct_group()?" ); |
18 | |
19 | #define __compiletime_strlen(p) \ |
20 | ({ \ |
21 | char *__p = (char *)(p); \ |
22 | size_t __ret = SIZE_MAX; \ |
23 | const size_t __p_size = __member_size(p); \ |
24 | if (__p_size != SIZE_MAX && \ |
25 | __builtin_constant_p(*__p)) { \ |
26 | size_t __p_len = __p_size - 1; \ |
27 | if (__builtin_constant_p(__p[__p_len]) && \ |
28 | __p[__p_len] == '\0') \ |
29 | __ret = __builtin_strlen(__p); \ |
30 | } \ |
31 | __ret; \ |
32 | }) |
33 | |
34 | #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) |
35 | extern void *__underlying_memchr(const void *p, int c, __kernel_size_t size) __RENAME(memchr); |
36 | extern int __underlying_memcmp(const void *p, const void *q, __kernel_size_t size) __RENAME(memcmp); |
37 | extern void *__underlying_memcpy(void *p, const void *q, __kernel_size_t size) __RENAME(memcpy); |
38 | extern void *__underlying_memmove(void *p, const void *q, __kernel_size_t size) __RENAME(memmove); |
39 | extern void *__underlying_memset(void *p, int c, __kernel_size_t size) __RENAME(memset); |
40 | extern char *__underlying_strcat(char *p, const char *q) __RENAME(strcat); |
41 | extern char *__underlying_strcpy(char *p, const char *q) __RENAME(strcpy); |
42 | extern __kernel_size_t __underlying_strlen(const char *p) __RENAME(strlen); |
43 | extern char *__underlying_strncat(char *p, const char *q, __kernel_size_t count) __RENAME(strncat); |
44 | extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) __RENAME(strncpy); |
45 | #else |
46 | |
47 | #if defined(__SANITIZE_MEMORY__) |
48 | /* |
49 | * For KMSAN builds all memcpy/memset/memmove calls should be replaced by the |
50 | * corresponding __msan_XXX functions. |
51 | */ |
52 | #include <linux/kmsan_string.h> |
53 | #define __underlying_memcpy __msan_memcpy |
54 | #define __underlying_memmove __msan_memmove |
55 | #define __underlying_memset __msan_memset |
56 | #else |
57 | #define __underlying_memcpy __builtin_memcpy |
58 | #define __underlying_memmove __builtin_memmove |
59 | #define __underlying_memset __builtin_memset |
60 | #endif |
61 | |
62 | #define __underlying_memchr __builtin_memchr |
63 | #define __underlying_memcmp __builtin_memcmp |
64 | #define __underlying_strcat __builtin_strcat |
65 | #define __underlying_strcpy __builtin_strcpy |
66 | #define __underlying_strlen __builtin_strlen |
67 | #define __underlying_strncat __builtin_strncat |
68 | #define __underlying_strncpy __builtin_strncpy |
69 | #endif |
70 | |
71 | /** |
72 | * unsafe_memcpy - memcpy implementation with no FORTIFY bounds checking |
73 | * |
74 | * @dst: Destination memory address to write to |
75 | * @src: Source memory address to read from |
76 | * @bytes: How many bytes to write to @dst from @src |
77 | * @justification: Free-form text or comment describing why the use is needed |
78 | * |
79 | * This should be used for corner cases where the compiler cannot do the |
80 | * right thing, or during transitions between APIs, etc. It should be used |
81 | * very rarely, and includes a place for justification detailing where bounds |
82 | * checking has happened, and why existing solutions cannot be employed. |
83 | */ |
84 | #define unsafe_memcpy(dst, src, bytes, justification) \ |
85 | __underlying_memcpy(dst, src, bytes) |
86 | |
87 | /* |
88 | * Clang's use of __builtin_*object_size() within inlines needs hinting via |
89 | * __pass_*object_size(). The preference is to only ever use type 1 (member |
90 | * size, rather than struct size), but there remain some stragglers using |
91 | * type 0 that will be converted in the future. |
92 | */ |
93 | #if __has_builtin(__builtin_dynamic_object_size) |
94 | #define POS __pass_dynamic_object_size(1) |
95 | #define POS0 __pass_dynamic_object_size(0) |
96 | #else |
97 | #define POS __pass_object_size(1) |
98 | #define POS0 __pass_object_size(0) |
99 | #endif |
100 | |
101 | #define __compiletime_lessthan(bounds, length) ( \ |
102 | __builtin_constant_p((bounds) < (length)) && \ |
103 | (bounds) < (length) \ |
104 | ) |
105 | |
106 | /** |
107 | * strncpy - Copy a string to memory with non-guaranteed NUL padding |
108 | * |
109 | * @p: pointer to destination of copy |
110 | * @q: pointer to NUL-terminated source string to copy |
111 | * @size: bytes to write at @p |
112 | * |
113 | * If strlen(@q) >= @size, the copy of @q will stop after @size bytes, |
114 | * and @p will NOT be NUL-terminated |
115 | * |
116 | * If strlen(@q) < @size, following the copy of @q, trailing NUL bytes |
117 | * will be written to @p until @size total bytes have been written. |
118 | * |
119 | * Do not use this function. While FORTIFY_SOURCE tries to avoid |
120 | * over-reads of @q, it cannot defend against writing unterminated |
121 | * results to @p. Using strncpy() remains ambiguous and fragile. |
122 | * Instead, please choose an alternative, so that the expectation |
123 | * of @p's contents is unambiguous: |
124 | * |
125 | * +--------------------+--------------------+------------+ |
126 | * | **p** needs to be: | padded to **size** | not padded | |
127 | * +====================+====================+============+ |
128 | * | NUL-terminated | strscpy_pad() | strscpy() | |
129 | * +--------------------+--------------------+------------+ |
130 | * | not NUL-terminated | strtomem_pad() | strtomem() | |
131 | * +--------------------+--------------------+------------+ |
132 | * |
133 | * Note strscpy*()'s differing return values for detecting truncation, |
134 | * and strtomem*()'s expectation that the destination is marked with |
135 | * __nonstring when it is a character array. |
136 | * |
137 | */ |
138 | __FORTIFY_INLINE __diagnose_as(__builtin_strncpy, 1, 2, 3) |
139 | char *strncpy(char * const POS p, const char *q, __kernel_size_t size) |
140 | { |
141 | const size_t p_size = __member_size(p); |
142 | |
143 | if (__compiletime_lessthan(p_size, size)) |
144 | __write_overflow(); |
145 | if (p_size < size) |
146 | fortify_panic(name: __func__); |
147 | return __underlying_strncpy(p, q, size); |
148 | } |
149 | |
150 | extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen); |
151 | /** |
152 | * strnlen - Return bounded count of characters in a NUL-terminated string |
153 | * |
154 | * @p: pointer to NUL-terminated string to count. |
155 | * @maxlen: maximum number of characters to count. |
156 | * |
157 | * Returns number of characters in @p (NOT including the final NUL), or |
158 | * @maxlen, if no NUL has been found up to there. |
159 | * |
160 | */ |
161 | __FORTIFY_INLINE __kernel_size_t strnlen(const char * const POS p, __kernel_size_t maxlen) |
162 | { |
163 | const size_t p_size = __member_size(p); |
164 | const size_t p_len = __compiletime_strlen(p); |
165 | size_t ret; |
166 | |
167 | /* We can take compile-time actions when maxlen is const. */ |
168 | if (__builtin_constant_p(maxlen) && p_len != SIZE_MAX) { |
169 | /* If p is const, we can use its compile-time-known len. */ |
170 | if (maxlen >= p_size) |
171 | return p_len; |
172 | } |
173 | |
174 | /* Do not check characters beyond the end of p. */ |
175 | ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); |
176 | if (p_size <= ret && maxlen != ret) |
177 | fortify_panic(name: __func__); |
178 | return ret; |
179 | } |
180 | |
181 | /* |
182 | * Defined after fortified strnlen to reuse it. However, it must still be |
183 | * possible for strlen() to be used on compile-time strings for use in |
184 | * static initializers (i.e. as a constant expression). |
185 | */ |
186 | /** |
187 | * strlen - Return count of characters in a NUL-terminated string |
188 | * |
189 | * @p: pointer to NUL-terminated string to count. |
190 | * |
191 | * Do not use this function unless the string length is known at |
192 | * compile-time. When @p is unterminated, this function may crash |
193 | * or return unexpected counts that could lead to memory content |
194 | * exposures. Prefer strnlen(). |
195 | * |
196 | * Returns number of characters in @p (NOT including the final NUL). |
197 | * |
198 | */ |
199 | #define strlen(p) \ |
200 | __builtin_choose_expr(__is_constexpr(__builtin_strlen(p)), \ |
201 | __builtin_strlen(p), __fortify_strlen(p)) |
202 | __FORTIFY_INLINE __diagnose_as(__builtin_strlen, 1) |
203 | __kernel_size_t __fortify_strlen(const char * const POS p) |
204 | { |
205 | const size_t p_size = __member_size(p); |
206 | __kernel_size_t ret; |
207 | |
208 | /* Give up if we don't know how large p is. */ |
209 | if (p_size == SIZE_MAX) |
210 | return __underlying_strlen(p); |
211 | ret = strnlen(p, maxlen: p_size); |
212 | if (p_size <= ret) |
213 | fortify_panic(name: __func__); |
214 | return ret; |
215 | } |
216 | |
217 | /* Defined after fortified strlen() to reuse it. */ |
218 | extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy); |
219 | /** |
220 | * strlcpy - Copy a string into another string buffer |
221 | * |
222 | * @p: pointer to destination of copy |
223 | * @q: pointer to NUL-terminated source string to copy |
224 | * @size: maximum number of bytes to write at @p |
225 | * |
226 | * If strlen(@q) >= @size, the copy of @q will be truncated at |
227 | * @size - 1 bytes. @p will always be NUL-terminated. |
228 | * |
229 | * Do not use this function. While FORTIFY_SOURCE tries to avoid |
230 | * over-reads when calculating strlen(@q), it is still possible. |
231 | * Prefer strscpy(), though note its different return values for |
232 | * detecting truncation. |
233 | * |
234 | * Returns total number of bytes written to @p, including terminating NUL. |
235 | * |
236 | */ |
237 | __FORTIFY_INLINE size_t strlcpy(char * const POS p, const char * const POS q, size_t size) |
238 | { |
239 | const size_t p_size = __member_size(p); |
240 | const size_t q_size = __member_size(q); |
241 | size_t q_len; /* Full count of source string length. */ |
242 | size_t len; /* Count of characters going into destination. */ |
243 | |
244 | if (p_size == SIZE_MAX && q_size == SIZE_MAX) |
245 | return __real_strlcpy(p, q, size); |
246 | q_len = strlen(q); |
247 | len = (q_len >= size) ? size - 1 : q_len; |
248 | if (__builtin_constant_p(size) && __builtin_constant_p(q_len) && size) { |
249 | /* Write size is always larger than destination. */ |
250 | if (len >= p_size) |
251 | __write_overflow(); |
252 | } |
253 | if (size) { |
254 | if (len >= p_size) |
255 | fortify_panic(name: __func__); |
256 | __underlying_memcpy(p, q, len); |
257 | p[len] = '\0'; |
258 | } |
259 | return q_len; |
260 | } |
261 | |
262 | /* Defined after fortified strnlen() to reuse it. */ |
263 | extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(strscpy); |
264 | /** |
265 | * strscpy - Copy a C-string into a sized buffer |
266 | * |
267 | * @p: Where to copy the string to |
268 | * @q: Where to copy the string from |
269 | * @size: Size of destination buffer |
270 | * |
271 | * Copy the source string @q, or as much of it as fits, into the destination |
272 | * @p buffer. The behavior is undefined if the string buffers overlap. The |
273 | * destination @p buffer is always NUL terminated, unless it's zero-sized. |
274 | * |
275 | * Preferred to strlcpy() since the API doesn't require reading memory |
276 | * from the source @q string beyond the specified @size bytes, and since |
277 | * the return value is easier to error-check than strlcpy()'s. |
278 | * In addition, the implementation is robust to the string changing out |
279 | * from underneath it, unlike the current strlcpy() implementation. |
280 | * |
281 | * Preferred to strncpy() since it always returns a valid string, and |
282 | * doesn't unnecessarily force the tail of the destination buffer to be |
283 | * zero padded. If padding is desired please use strscpy_pad(). |
284 | * |
285 | * Returns the number of characters copied in @p (not including the |
286 | * trailing %NUL) or -E2BIG if @size is 0 or the copy of @q was truncated. |
287 | */ |
288 | __FORTIFY_INLINE ssize_t strscpy(char * const POS p, const char * const POS q, size_t size) |
289 | { |
290 | /* Use string size rather than possible enclosing struct size. */ |
291 | const size_t p_size = __member_size(p); |
292 | const size_t q_size = __member_size(q); |
293 | size_t len; |
294 | |
295 | /* If we cannot get size of p and q default to call strscpy. */ |
296 | if (p_size == SIZE_MAX && q_size == SIZE_MAX) |
297 | return __real_strscpy(p, q, size); |
298 | |
299 | /* |
300 | * If size can be known at compile time and is greater than |
301 | * p_size, generate a compile time write overflow error. |
302 | */ |
303 | if (__compiletime_lessthan(p_size, size)) |
304 | __write_overflow(); |
305 | |
306 | /* Short-circuit for compile-time known-safe lengths. */ |
307 | if (__compiletime_lessthan(p_size, SIZE_MAX)) { |
308 | len = __compiletime_strlen(q); |
309 | |
310 | if (len < SIZE_MAX && __compiletime_lessthan(len, size)) { |
311 | __underlying_memcpy(p, q, len + 1); |
312 | return len; |
313 | } |
314 | } |
315 | |
316 | /* |
317 | * This call protects from read overflow, because len will default to q |
318 | * length if it smaller than size. |
319 | */ |
320 | len = strnlen(p: q, maxlen: size); |
321 | /* |
322 | * If len equals size, we will copy only size bytes which leads to |
323 | * -E2BIG being returned. |
324 | * Otherwise we will copy len + 1 because of the final '\O'. |
325 | */ |
326 | len = len == size ? size : len + 1; |
327 | |
328 | /* |
329 | * Generate a runtime write overflow error if len is greater than |
330 | * p_size. |
331 | */ |
332 | if (len > p_size) |
333 | fortify_panic(name: __func__); |
334 | |
335 | /* |
336 | * We can now safely call vanilla strscpy because we are protected from: |
337 | * 1. Read overflow thanks to call to strnlen(). |
338 | * 2. Write overflow thanks to above ifs. |
339 | */ |
340 | return __real_strscpy(p, q, len); |
341 | } |
342 | |
343 | /* Defined after fortified strlen() to reuse it. */ |
344 | extern size_t __real_strlcat(char *p, const char *q, size_t avail) __RENAME(strlcat); |
345 | /** |
346 | * strlcat - Append a string to an existing string |
347 | * |
348 | * @p: pointer to %NUL-terminated string to append to |
349 | * @q: pointer to %NUL-terminated string to append from |
350 | * @avail: Maximum bytes available in @p |
351 | * |
352 | * Appends %NUL-terminated string @q after the %NUL-terminated |
353 | * string at @p, but will not write beyond @avail bytes total, |
354 | * potentially truncating the copy from @q. @p will stay |
355 | * %NUL-terminated only if a %NUL already existed within |
356 | * the @avail bytes of @p. If so, the resulting number of |
357 | * bytes copied from @q will be at most "@avail - strlen(@p) - 1". |
358 | * |
359 | * Do not use this function. While FORTIFY_SOURCE tries to avoid |
360 | * read and write overflows, this is only possible when the sizes |
361 | * of @p and @q are known to the compiler. Prefer building the |
362 | * string with formatting, via scnprintf(), seq_buf, or similar. |
363 | * |
364 | * Returns total bytes that _would_ have been contained by @p |
365 | * regardless of truncation, similar to snprintf(). If return |
366 | * value is >= @avail, the string has been truncated. |
367 | * |
368 | */ |
369 | __FORTIFY_INLINE |
370 | size_t strlcat(char * const POS p, const char * const POS q, size_t avail) |
371 | { |
372 | const size_t p_size = __member_size(p); |
373 | const size_t q_size = __member_size(q); |
374 | size_t p_len, copy_len; |
375 | size_t actual, wanted; |
376 | |
377 | /* Give up immediately if both buffer sizes are unknown. */ |
378 | if (p_size == SIZE_MAX && q_size == SIZE_MAX) |
379 | return __real_strlcat(p, q, avail); |
380 | |
381 | p_len = strnlen(p, maxlen: avail); |
382 | copy_len = strlen(q); |
383 | wanted = actual = p_len + copy_len; |
384 | |
385 | /* Cannot append any more: report truncation. */ |
386 | if (avail <= p_len) |
387 | return wanted; |
388 | |
389 | /* Give up if string is already overflowed. */ |
390 | if (p_size <= p_len) |
391 | fortify_panic(name: __func__); |
392 | |
393 | if (actual >= avail) { |
394 | copy_len = avail - p_len - 1; |
395 | actual = p_len + copy_len; |
396 | } |
397 | |
398 | /* Give up if copy will overflow. */ |
399 | if (p_size <= actual) |
400 | fortify_panic(name: __func__); |
401 | __underlying_memcpy(p + p_len, q, copy_len); |
402 | p[actual] = '\0'; |
403 | |
404 | return wanted; |
405 | } |
406 | |
407 | /* Defined after fortified strlcat() to reuse it. */ |
408 | /** |
409 | * strcat - Append a string to an existing string |
410 | * |
411 | * @p: pointer to NUL-terminated string to append to |
412 | * @q: pointer to NUL-terminated source string to append from |
413 | * |
414 | * Do not use this function. While FORTIFY_SOURCE tries to avoid |
415 | * read and write overflows, this is only possible when the |
416 | * destination buffer size is known to the compiler. Prefer |
417 | * building the string with formatting, via scnprintf() or similar. |
418 | * At the very least, use strncat(). |
419 | * |
420 | * Returns @p. |
421 | * |
422 | */ |
423 | __FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2) |
424 | char *strcat(char * const POS p, const char *q) |
425 | { |
426 | const size_t p_size = __member_size(p); |
427 | |
428 | if (strlcat(p, q, avail: p_size) >= p_size) |
429 | fortify_panic(name: __func__); |
430 | return p; |
431 | } |
432 | |
433 | /** |
434 | * strncat - Append a string to an existing string |
435 | * |
436 | * @p: pointer to NUL-terminated string to append to |
437 | * @q: pointer to source string to append from |
438 | * @count: Maximum bytes to read from @q |
439 | * |
440 | * Appends at most @count bytes from @q (stopping at the first |
441 | * NUL byte) after the NUL-terminated string at @p. @p will be |
442 | * NUL-terminated. |
443 | * |
444 | * Do not use this function. While FORTIFY_SOURCE tries to avoid |
445 | * read and write overflows, this is only possible when the sizes |
446 | * of @p and @q are known to the compiler. Prefer building the |
447 | * string with formatting, via scnprintf() or similar. |
448 | * |
449 | * Returns @p. |
450 | * |
451 | */ |
452 | /* Defined after fortified strlen() and strnlen() to reuse them. */ |
453 | __FORTIFY_INLINE __diagnose_as(__builtin_strncat, 1, 2, 3) |
454 | char *strncat(char * const POS p, const char * const POS q, __kernel_size_t count) |
455 | { |
456 | const size_t p_size = __member_size(p); |
457 | const size_t q_size = __member_size(q); |
458 | size_t p_len, copy_len; |
459 | |
460 | if (p_size == SIZE_MAX && q_size == SIZE_MAX) |
461 | return __underlying_strncat(p, q, count); |
462 | p_len = strlen(p); |
463 | copy_len = strnlen(p: q, maxlen: count); |
464 | if (p_size < p_len + copy_len + 1) |
465 | fortify_panic(name: __func__); |
466 | __underlying_memcpy(p + p_len, q, copy_len); |
467 | p[p_len + copy_len] = '\0'; |
468 | return p; |
469 | } |
470 | |
471 | __FORTIFY_INLINE void fortify_memset_chk(__kernel_size_t size, |
472 | const size_t p_size, |
473 | const size_t p_size_field) |
474 | { |
475 | if (__builtin_constant_p(size)) { |
476 | /* |
477 | * Length argument is a constant expression, so we |
478 | * can perform compile-time bounds checking where |
479 | * buffer sizes are also known at compile time. |
480 | */ |
481 | |
482 | /* Error when size is larger than enclosing struct. */ |
483 | if (__compiletime_lessthan(p_size_field, p_size) && |
484 | __compiletime_lessthan(p_size, size)) |
485 | __write_overflow(); |
486 | |
487 | /* Warn when write size is larger than dest field. */ |
488 | if (__compiletime_lessthan(p_size_field, size)) |
489 | __write_overflow_field(avail: p_size_field, wanted: size); |
490 | } |
491 | /* |
492 | * At this point, length argument may not be a constant expression, |
493 | * so run-time bounds checking can be done where buffer sizes are |
494 | * known. (This is not an "else" because the above checks may only |
495 | * be compile-time warnings, and we want to still warn for run-time |
496 | * overflows.) |
497 | */ |
498 | |
499 | /* |
500 | * Always stop accesses beyond the struct that contains the |
501 | * field, when the buffer's remaining size is known. |
502 | * (The SIZE_MAX test is to optimize away checks where the buffer |
503 | * lengths are unknown.) |
504 | */ |
505 | if (p_size != SIZE_MAX && p_size < size) |
506 | fortify_panic(name: "memset" ); |
507 | } |
508 | |
509 | #define __fortify_memset_chk(p, c, size, p_size, p_size_field) ({ \ |
510 | size_t __fortify_size = (size_t)(size); \ |
511 | fortify_memset_chk(__fortify_size, p_size, p_size_field), \ |
512 | __underlying_memset(p, c, __fortify_size); \ |
513 | }) |
514 | |
515 | /* |
516 | * __struct_size() vs __member_size() must be captured here to avoid |
517 | * evaluating argument side-effects further into the macro layers. |
518 | */ |
519 | #ifndef CONFIG_KMSAN |
520 | #define memset(p, c, s) __fortify_memset_chk(p, c, s, \ |
521 | __struct_size(p), __member_size(p)) |
522 | #endif |
523 | |
524 | /* |
525 | * To make sure the compiler can enforce protection against buffer overflows, |
526 | * memcpy(), memmove(), and memset() must not be used beyond individual |
527 | * struct members. If you need to copy across multiple members, please use |
528 | * struct_group() to create a named mirror of an anonymous struct union. |
529 | * (e.g. see struct sk_buff.) Read overflow checking is currently only |
530 | * done when a write overflow is also present, or when building with W=1. |
531 | * |
532 | * Mitigation coverage matrix |
533 | * Bounds checking at: |
534 | * +-------+-------+-------+-------+ |
535 | * | Compile time | Run time | |
536 | * memcpy() argument sizes: | write | read | write | read | |
537 | * dest source length +-------+-------+-------+-------+ |
538 | * memcpy(known, known, constant) | y | y | n/a | n/a | |
539 | * memcpy(known, unknown, constant) | y | n | n/a | V | |
540 | * memcpy(known, known, dynamic) | n | n | B | B | |
541 | * memcpy(known, unknown, dynamic) | n | n | B | V | |
542 | * memcpy(unknown, known, constant) | n | y | V | n/a | |
543 | * memcpy(unknown, unknown, constant) | n | n | V | V | |
544 | * memcpy(unknown, known, dynamic) | n | n | V | B | |
545 | * memcpy(unknown, unknown, dynamic) | n | n | V | V | |
546 | * +-------+-------+-------+-------+ |
547 | * |
548 | * y = perform deterministic compile-time bounds checking |
549 | * n = cannot perform deterministic compile-time bounds checking |
550 | * n/a = no run-time bounds checking needed since compile-time deterministic |
551 | * B = can perform run-time bounds checking (currently unimplemented) |
552 | * V = vulnerable to run-time overflow (will need refactoring to solve) |
553 | * |
554 | */ |
555 | __FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size, |
556 | const size_t p_size, |
557 | const size_t q_size, |
558 | const size_t p_size_field, |
559 | const size_t q_size_field, |
560 | const char *func) |
561 | { |
562 | if (__builtin_constant_p(size)) { |
563 | /* |
564 | * Length argument is a constant expression, so we |
565 | * can perform compile-time bounds checking where |
566 | * buffer sizes are also known at compile time. |
567 | */ |
568 | |
569 | /* Error when size is larger than enclosing struct. */ |
570 | if (__compiletime_lessthan(p_size_field, p_size) && |
571 | __compiletime_lessthan(p_size, size)) |
572 | __write_overflow(); |
573 | if (__compiletime_lessthan(q_size_field, q_size) && |
574 | __compiletime_lessthan(q_size, size)) |
575 | __read_overflow2(); |
576 | |
577 | /* Warn when write size argument larger than dest field. */ |
578 | if (__compiletime_lessthan(p_size_field, size)) |
579 | __write_overflow_field(avail: p_size_field, wanted: size); |
580 | /* |
581 | * Warn for source field over-read when building with W=1 |
582 | * or when an over-write happened, so both can be fixed at |
583 | * the same time. |
584 | */ |
585 | if ((IS_ENABLED(KBUILD_EXTRA_WARN1) || |
586 | __compiletime_lessthan(p_size_field, size)) && |
587 | __compiletime_lessthan(q_size_field, size)) |
588 | __read_overflow2_field(avail: q_size_field, wanted: size); |
589 | } |
590 | /* |
591 | * At this point, length argument may not be a constant expression, |
592 | * so run-time bounds checking can be done where buffer sizes are |
593 | * known. (This is not an "else" because the above checks may only |
594 | * be compile-time warnings, and we want to still warn for run-time |
595 | * overflows.) |
596 | */ |
597 | |
598 | /* |
599 | * Always stop accesses beyond the struct that contains the |
600 | * field, when the buffer's remaining size is known. |
601 | * (The SIZE_MAX test is to optimize away checks where the buffer |
602 | * lengths are unknown.) |
603 | */ |
604 | if ((p_size != SIZE_MAX && p_size < size) || |
605 | (q_size != SIZE_MAX && q_size < size)) |
606 | fortify_panic(name: func); |
607 | |
608 | /* |
609 | * Warn when writing beyond destination field size. |
610 | * |
611 | * We must ignore p_size_field == 0 for existing 0-element |
612 | * fake flexible arrays, until they are all converted to |
613 | * proper flexible arrays. |
614 | * |
615 | * The implementation of __builtin_*object_size() behaves |
616 | * like sizeof() when not directly referencing a flexible |
617 | * array member, which means there will be many bounds checks |
618 | * that will appear at run-time, without a way for them to be |
619 | * detected at compile-time (as can be done when the destination |
620 | * is specifically the flexible array member). |
621 | * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832 |
622 | */ |
623 | if (p_size_field != 0 && p_size_field != SIZE_MAX && |
624 | p_size != p_size_field && p_size_field < size) |
625 | return true; |
626 | |
627 | return false; |
628 | } |
629 | |
630 | #define __fortify_memcpy_chk(p, q, size, p_size, q_size, \ |
631 | p_size_field, q_size_field, op) ({ \ |
632 | const size_t __fortify_size = (size_t)(size); \ |
633 | const size_t __p_size = (p_size); \ |
634 | const size_t __q_size = (q_size); \ |
635 | const size_t __p_size_field = (p_size_field); \ |
636 | const size_t __q_size_field = (q_size_field); \ |
637 | WARN_ONCE(fortify_memcpy_chk(__fortify_size, __p_size, \ |
638 | __q_size, __p_size_field, \ |
639 | __q_size_field, #op), \ |
640 | #op ": detected field-spanning write (size %zu) of single %s (size %zu)\n", \ |
641 | __fortify_size, \ |
642 | "field \"" #p "\" at " FILE_LINE, \ |
643 | __p_size_field); \ |
644 | __underlying_##op(p, q, __fortify_size); \ |
645 | }) |
646 | |
647 | /* |
648 | * Notes about compile-time buffer size detection: |
649 | * |
650 | * With these types... |
651 | * |
652 | * struct middle { |
653 | * u16 a; |
654 | * u8 middle_buf[16]; |
655 | * int b; |
656 | * }; |
657 | * struct end { |
658 | * u16 a; |
659 | * u8 end_buf[16]; |
660 | * }; |
661 | * struct flex { |
662 | * int a; |
663 | * u8 flex_buf[]; |
664 | * }; |
665 | * |
666 | * void func(TYPE *ptr) { ... } |
667 | * |
668 | * Cases where destination size cannot be currently detected: |
669 | * - the size of ptr's object (seemingly by design, gcc & clang fail): |
670 | * __builtin_object_size(ptr, 1) == SIZE_MAX |
671 | * - the size of flexible arrays in ptr's obj (by design, dynamic size): |
672 | * __builtin_object_size(ptr->flex_buf, 1) == SIZE_MAX |
673 | * - the size of ANY array at the end of ptr's obj (gcc and clang bug): |
674 | * __builtin_object_size(ptr->end_buf, 1) == SIZE_MAX |
675 | * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 |
676 | * |
677 | * Cases where destination size is currently detected: |
678 | * - the size of non-array members within ptr's object: |
679 | * __builtin_object_size(ptr->a, 1) == 2 |
680 | * - the size of non-flexible-array in the middle of ptr's obj: |
681 | * __builtin_object_size(ptr->middle_buf, 1) == 16 |
682 | * |
683 | */ |
684 | |
685 | /* |
686 | * __struct_size() vs __member_size() must be captured here to avoid |
687 | * evaluating argument side-effects further into the macro layers. |
688 | */ |
689 | #define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \ |
690 | __struct_size(p), __struct_size(q), \ |
691 | __member_size(p), __member_size(q), \ |
692 | memcpy) |
693 | #define memmove(p, q, s) __fortify_memcpy_chk(p, q, s, \ |
694 | __struct_size(p), __struct_size(q), \ |
695 | __member_size(p), __member_size(q), \ |
696 | memmove) |
697 | |
698 | extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan); |
699 | __FORTIFY_INLINE void *memscan(void * const POS0 p, int c, __kernel_size_t size) |
700 | { |
701 | const size_t p_size = __struct_size(p); |
702 | |
703 | if (__compiletime_lessthan(p_size, size)) |
704 | __read_overflow(); |
705 | if (p_size < size) |
706 | fortify_panic(name: __func__); |
707 | return __real_memscan(p, c, size); |
708 | } |
709 | |
710 | __FORTIFY_INLINE __diagnose_as(__builtin_memcmp, 1, 2, 3) |
711 | int memcmp(const void * const POS0 p, const void * const POS0 q, __kernel_size_t size) |
712 | { |
713 | const size_t p_size = __struct_size(p); |
714 | const size_t q_size = __struct_size(q); |
715 | |
716 | if (__builtin_constant_p(size)) { |
717 | if (__compiletime_lessthan(p_size, size)) |
718 | __read_overflow(); |
719 | if (__compiletime_lessthan(q_size, size)) |
720 | __read_overflow2(); |
721 | } |
722 | if (p_size < size || q_size < size) |
723 | fortify_panic(name: __func__); |
724 | return __underlying_memcmp(p, q, size); |
725 | } |
726 | |
727 | __FORTIFY_INLINE __diagnose_as(__builtin_memchr, 1, 2, 3) |
728 | void *memchr(const void * const POS0 p, int c, __kernel_size_t size) |
729 | { |
730 | const size_t p_size = __struct_size(p); |
731 | |
732 | if (__compiletime_lessthan(p_size, size)) |
733 | __read_overflow(); |
734 | if (p_size < size) |
735 | fortify_panic(name: __func__); |
736 | return __underlying_memchr(p, c, size); |
737 | } |
738 | |
739 | void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv); |
740 | __FORTIFY_INLINE void *memchr_inv(const void * const POS0 p, int c, size_t size) |
741 | { |
742 | const size_t p_size = __struct_size(p); |
743 | |
744 | if (__compiletime_lessthan(p_size, size)) |
745 | __read_overflow(); |
746 | if (p_size < size) |
747 | fortify_panic(name: __func__); |
748 | return __real_memchr_inv(s: p, c, n: size); |
749 | } |
750 | |
751 | extern void *__real_kmemdup(const void *src, size_t len, gfp_t gfp) __RENAME(kmemdup) |
752 | __realloc_size(2); |
753 | __FORTIFY_INLINE void *kmemdup(const void * const POS0 p, size_t size, gfp_t gfp) |
754 | { |
755 | const size_t p_size = __struct_size(p); |
756 | |
757 | if (__compiletime_lessthan(p_size, size)) |
758 | __read_overflow(); |
759 | if (p_size < size) |
760 | fortify_panic(name: __func__); |
761 | return __real_kmemdup(src: p, len: size, gfp); |
762 | } |
763 | |
764 | /** |
765 | * strcpy - Copy a string into another string buffer |
766 | * |
767 | * @p: pointer to destination of copy |
768 | * @q: pointer to NUL-terminated source string to copy |
769 | * |
770 | * Do not use this function. While FORTIFY_SOURCE tries to avoid |
771 | * overflows, this is only possible when the sizes of @q and @p are |
772 | * known to the compiler. Prefer strscpy(), though note its different |
773 | * return values for detecting truncation. |
774 | * |
775 | * Returns @p. |
776 | * |
777 | */ |
778 | /* Defined after fortified strlen to reuse it. */ |
779 | __FORTIFY_INLINE __diagnose_as(__builtin_strcpy, 1, 2) |
780 | char *strcpy(char * const POS p, const char * const POS q) |
781 | { |
782 | const size_t p_size = __member_size(p); |
783 | const size_t q_size = __member_size(q); |
784 | size_t size; |
785 | |
786 | /* If neither buffer size is known, immediately give up. */ |
787 | if (__builtin_constant_p(p_size) && |
788 | __builtin_constant_p(q_size) && |
789 | p_size == SIZE_MAX && q_size == SIZE_MAX) |
790 | return __underlying_strcpy(p, q); |
791 | size = strlen(q) + 1; |
792 | /* Compile-time check for const size overflow. */ |
793 | if (__compiletime_lessthan(p_size, size)) |
794 | __write_overflow(); |
795 | /* Run-time check for dynamic size overflow. */ |
796 | if (p_size < size) |
797 | fortify_panic(name: __func__); |
798 | __underlying_memcpy(p, q, size); |
799 | return p; |
800 | } |
801 | |
802 | /* Don't use these outside the FORITFY_SOURCE implementation */ |
803 | #undef __underlying_memchr |
804 | #undef __underlying_memcmp |
805 | #undef __underlying_strcat |
806 | #undef __underlying_strcpy |
807 | #undef __underlying_strlen |
808 | #undef __underlying_strncat |
809 | #undef __underlying_strncpy |
810 | |
811 | #undef POS |
812 | #undef POS0 |
813 | |
814 | #endif /* _LINUX_FORTIFY_STRING_H_ */ |
815 | |