fortify-string.h source code [linux/include/linux/fortify-string.h]

1	/ SPDX-License-Identifier: GPL-2.0 /
2	#ifndef _LINUX_FORTIFY_STRING_H_
3	#define _LINUX_FORTIFY_STRING_H_
4
5	#include <linux/bug.h>
6	#include <linux/const.h>
7	#include <linux/limits.h>
8
9	#define __FORTIFY_INLINE extern __always_inline __gnu_inline __overloadable
10	#define __RENAME(x) __asm__(#x)
11
12	void fortify_panic(const char *name) __noreturn __cold;
13	void __read_overflow(void) __compiletime_error("detected read beyond size of object (1st parameter)");
14	void __read_overflow2(void) __compiletime_error("detected read beyond size of object (2nd parameter)");
15	void __read_overflow2_field(size_t avail, size_t wanted) __compiletime_warning("detected read beyond size of field (2nd parameter); maybe use struct_group()?");
16	void __write_overflow(void) __compiletime_error("detected write beyond size of object (1st parameter)");
17	void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("detected write beyond size of field (1st parameter); maybe use struct_group()?");
18
19	#define __compiletime_strlen(p) \
20	({ \
21	char __p = (char )(p); \
22	size_t __ret = SIZE_MAX; \
23	const size_t __p_size = __member_size(p); \
24	if (__p_size != SIZE_MAX && \
25	__builtin_constant_p(*__p)) { \
26	size_t __p_len = __p_size - 1; \
27	if (__builtin_constant_p(__p[__p_len]) && \
28	__p[__p_len] == '\0') \
29	__ret = __builtin_strlen(__p); \
30	} \
31	__ret; \
32	})
33
34	#if defined(CONFIG_KASAN_GENERIC) \|\| defined(CONFIG_KASAN_SW_TAGS)
35	extern void __underlying_memchr(const* void p, int* c, __kernel_size_t size) __RENAME(memchr);
36	extern int __underlying_memcmp(const void p, const* void *q, __kernel_size_t size) __RENAME(memcmp);
37	extern void __underlying_memcpy(void* p, const* void *q, __kernel_size_t size) __RENAME(memcpy);
38	extern void __underlying_memmove(void* p, const* void *q, __kernel_size_t size) __RENAME(memmove);
39	extern void __underlying_memset(void* p, int* c, __kernel_size_t size) __RENAME(memset);
40	extern char __underlying_strcat(char* p, const* char *q) __RENAME(strcat);
41	extern char __underlying_strcpy(char* p, const* char *q) __RENAME(strcpy);
42	extern __kernel_size_t __underlying_strlen(const char *p) __RENAME(strlen);
43	extern char __underlying_strncat(char* p, const* char *q, __kernel_size_t count) __RENAME(strncat);
44	extern char __underlying_strncpy(char* p, const* char *q, __kernel_size_t size) __RENAME(strncpy);
45	#else
46
47	#if defined(__SANITIZE_MEMORY__)
48	/*
49	* For KMSAN builds all memcpy/memset/memmove calls should be replaced by the
50	* corresponding __msan_XXX functions.
51	*/
52	#include <linux/kmsan_string.h>
53	#define __underlying_memcpy __msan_memcpy
54	#define __underlying_memmove __msan_memmove
55	#define __underlying_memset __msan_memset
56	#else
57	#define __underlying_memcpy __builtin_memcpy
58	#define __underlying_memmove __builtin_memmove
59	#define __underlying_memset __builtin_memset
60	#endif
61
62	#define __underlying_memchr __builtin_memchr
63	#define __underlying_memcmp __builtin_memcmp
64	#define __underlying_strcat __builtin_strcat
65	#define __underlying_strcpy __builtin_strcpy
66	#define __underlying_strlen __builtin_strlen
67	#define __underlying_strncat __builtin_strncat
68	#define __underlying_strncpy __builtin_strncpy
69	#endif
70
71	/**
72	* unsafe_memcpy - memcpy implementation with no FORTIFY bounds checking
73	*
74	* @dst: Destination memory address to write to
75	* @src: Source memory address to read from
76	* @bytes: How many bytes to write to @dst from @src
77	* @justification: Free-form text or comment describing why the use is needed
78	*
79	* This should be used for corner cases where the compiler cannot do the
80	* right thing, or during transitions between APIs, etc. It should be used
81	* very rarely, and includes a place for justification detailing where bounds
82	* checking has happened, and why existing solutions cannot be employed.
83	*/
84	#define unsafe_memcpy(dst, src, bytes, justification) \
85	__underlying_memcpy(dst, src, bytes)
86
87	/*
88	* Clang's use of __builtin_*object_size() within inlines needs hinting via
89	* __pass_*object_size(). The preference is to only ever use type 1 (member
90	* size, rather than struct size), but there remain some stragglers using
91	* type 0 that will be converted in the future.
92	*/
93	#if __has_builtin(__builtin_dynamic_object_size)
94	#define POS __pass_dynamic_object_size(1)
95	#define POS0 __pass_dynamic_object_size(0)
96	#else
97	#define POS __pass_object_size(1)
98	#define POS0 __pass_object_size(0)
99	#endif
100
101	#define __compiletime_lessthan(bounds, length) ( \
102	__builtin_constant_p((bounds) < (length)) && \
103	(bounds) < (length) \
104	)
105
106	/**
107	* strncpy - Copy a string to memory with non-guaranteed NUL padding
108	*
109	* @p: pointer to destination of copy
110	* @q: pointer to NUL-terminated source string to copy
111	* @size: bytes to write at @p
112	*
113	* If strlen(@q) >= @size, the copy of @q will stop after @size bytes,
114	* and @p will NOT be NUL-terminated
115	*
116	* If strlen(@q) < @size, following the copy of @q, trailing NUL bytes
117	* will be written to @p until @size total bytes have been written.
118	*
119	* Do not use this function. While FORTIFY_SOURCE tries to avoid
120	* over-reads of @q, it cannot defend against writing unterminated
121	* results to @p. Using strncpy() remains ambiguous and fragile.
122	* Instead, please choose an alternative, so that the expectation
123	* of @p's contents is unambiguous:
124	*
125	* +--------------------+--------------------+------------+
126	* \| p needs to be: \| padded to size \| not padded \|
127	* +====================+====================+============+
128	* \| NUL-terminated \| strscpy_pad() \| strscpy() \|
129	* +--------------------+--------------------+------------+
130	* \| not NUL-terminated \| strtomem_pad() \| strtomem() \|
131	* +--------------------+--------------------+------------+
132	*
133	* Note strscpy*()'s differing return values for detecting truncation,
134	* and strtomem*()'s expectation that the destination is marked with
135	* __nonstring when it is a character array.
136	*
137	*/
138	__FORTIFY_INLINE __diagnose_as(__builtin_strncpy, `1`, `2`, `3`)
139	char strncpy(char* * const POS p, const char *q, __kernel_size_t size)
140	{
141	const size_t p_size = __member_size(p);
142
143	if (__compiletime_lessthan(p_size, size))
144	__write_overflow();
145	if (p_size < size)
146	fortify_panic(name: __func__);
147	return __underlying_strncpy(p, q, size);
148	}
149
150	extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen);
151	/**
152	* strnlen - Return bounded count of characters in a NUL-terminated string
153	*
154	* @p: pointer to NUL-terminated string to count.
155	* @maxlen: maximum number of characters to count.
156	*
157	* Returns number of characters in @p (NOT including the final NUL), or
158	* @maxlen, if no NUL has been found up to there.
159	*
160	*/
161	__FORTIFY_INLINE __kernel_size_t strnlen(const char * const POS p, __kernel_size_t maxlen)
162	{
163	const size_t p_size = __member_size(p);
164	const size_t p_len = __compiletime_strlen(p);
165	size_t ret;
166
167	/ We can take compile-time actions when maxlen is const. /
168	if (__builtin_constant_p(maxlen) && p_len != SIZE_MAX) {
169	/ If p is const, we can use its compile-time-known len. /
170	if (maxlen >= p_size)
171	return p_len;
172	}
173
174	/ Do not check characters beyond the end of p. /
175	ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size);
176	if (p_size <= ret && maxlen != ret)
177	fortify_panic(name: __func__);
178	return ret;
179	}
180
181	/*
182	* Defined after fortified strnlen to reuse it. However, it must still be
183	* possible for strlen() to be used on compile-time strings for use in
184	* static initializers (i.e. as a constant expression).
185	*/
186	/**
187	* strlen - Return count of characters in a NUL-terminated string
188	*
189	* @p: pointer to NUL-terminated string to count.
190	*
191	* Do not use this function unless the string length is known at
192	* compile-time. When @p is unterminated, this function may crash
193	* or return unexpected counts that could lead to memory content
194	* exposures. Prefer strnlen().
195	*
196	* Returns number of characters in @p (NOT including the final NUL).
197	*
198	*/
199	#define strlen(p) \
200	__builtin_choose_expr(__is_constexpr(__builtin_strlen(p)), \
201	__builtin_strlen(p), __fortify_strlen(p))
202	__FORTIFY_INLINE __diagnose_as(__builtin_strlen, `1`)
203	__kernel_size_t __fortify_strlen(const char * const POS p)
204	{
205	const size_t p_size = __member_size(p);
206	__kernel_size_t ret;
207
208	/ Give up if we don't know how large p is. /
209	if (p_size == SIZE_MAX)
210	return __underlying_strlen(p);
211	ret = strnlen(p, maxlen: p_size);
212	if (p_size <= ret)
213	fortify_panic(name: __func__);
214	return ret;
215	}
216
217	/ Defined after fortified strlen() to reuse it. /
218	extern size_t __real_strlcpy(char , const* char *, size_t) __RENAME(strlcpy);
219	/**
220	* strlcpy - Copy a string into another string buffer
221	*
222	* @p: pointer to destination of copy
223	* @q: pointer to NUL-terminated source string to copy
224	* @size: maximum number of bytes to write at @p
225	*
226	* If strlen(@q) >= @size, the copy of @q will be truncated at
227	* @size - 1 bytes. @p will always be NUL-terminated.
228	*
229	* Do not use this function. While FORTIFY_SOURCE tries to avoid
230	* over-reads when calculating strlen(@q), it is still possible.
231	* Prefer strscpy(), though note its different return values for
232	* detecting truncation.
233	*
234	* Returns total number of bytes written to @p, including terminating NUL.
235	*
236	*/
237	__FORTIFY_INLINE size_t strlcpy(char * const POS p, const char * const POS q, size_t size)
238	{
239	const size_t p_size = __member_size(p);
240	const size_t q_size = __member_size(q);
241	size_t q_len; / Full count of source string length. /
242	size_t len; / Count of characters going into destination. /
243
244	if (p_size == SIZE_MAX && q_size == SIZE_MAX)
245	return __real_strlcpy(p, q, size);
246	q_len = strlen(q);
247	len = (q_len >= size) ? size - `1` : q_len;
248	if (__builtin_constant_p(size) && __builtin_constant_p(q_len) && size) {
249	/ Write size is always larger than destination. /
250	if (len >= p_size)
251	__write_overflow();
252	}
253	if (size) {
254	if (len >= p_size)
255	fortify_panic(name: __func__);
256	__underlying_memcpy(p, q, len);
257	p[len] = `'\0'`;
258	}
259	return q_len;
260	}
261
262	/ Defined after fortified strnlen() to reuse it. /
263	extern ssize_t __real_strscpy(char , const* char *, size_t) __RENAME(strscpy);
264	/**
265	* strscpy - Copy a C-string into a sized buffer
266	*
267	* @p: Where to copy the string to
268	* @q: Where to copy the string from
269	* @size: Size of destination buffer
270	*
271	* Copy the source string @q, or as much of it as fits, into the destination
272	* @p buffer. The behavior is undefined if the string buffers overlap. The
273	* destination @p buffer is always NUL terminated, unless it's zero-sized.
274	*
275	* Preferred to strlcpy() since the API doesn't require reading memory
276	* from the source @q string beyond the specified @size bytes, and since
277	* the return value is easier to error-check than strlcpy()'s.
278	* In addition, the implementation is robust to the string changing out
279	* from underneath it, unlike the current strlcpy() implementation.
280	*
281	* Preferred to strncpy() since it always returns a valid string, and
282	* doesn't unnecessarily force the tail of the destination buffer to be
283	* zero padded. If padding is desired please use strscpy_pad().
284	*
285	* Returns the number of characters copied in @p (not including the
286	* trailing %NUL) or -E2BIG if @size is 0 or the copy of @q was truncated.
287	*/
288	__FORTIFY_INLINE ssize_t strscpy(char * const POS p, const char * const POS q, size_t size)
289	{
290	/ Use string size rather than possible enclosing struct size. /
291	const size_t p_size = __member_size(p);
292	const size_t q_size = __member_size(q);
293	size_t len;
294
295	/ If we cannot get size of p and q default to call strscpy. /
296	if (p_size == SIZE_MAX && q_size == SIZE_MAX)
297	return __real_strscpy(p, q, size);
298
299	/*
300	* If size can be known at compile time and is greater than
301	* p_size, generate a compile time write overflow error.
302	*/
303	if (__compiletime_lessthan(p_size, size))
304	__write_overflow();
305
306	/ Short-circuit for compile-time known-safe lengths. /
307	if (__compiletime_lessthan(p_size, SIZE_MAX)) {
308	len = __compiletime_strlen(q);
309
310	if (len < SIZE_MAX && __compiletime_lessthan(len, size)) {
311	__underlying_memcpy(p, q, len + `1`);
312	return len;
313	}
314	}
315
316	/*
317	* This call protects from read overflow, because len will default to q
318	* length if it smaller than size.
319	*/
320	len = strnlen(p: q, maxlen: size);
321	/*
322	* If len equals size, we will copy only size bytes which leads to
323	* -E2BIG being returned.
324	* Otherwise we will copy len + 1 because of the final '\O'.
325	*/
326	len = len == size ? size : len + `1`;
327
328	/*
329	* Generate a runtime write overflow error if len is greater than
330	* p_size.
331	*/
332	if (len > p_size)
333	fortify_panic(name: __func__);
334
335	/*
336	* We can now safely call vanilla strscpy because we are protected from:
337	* 1. Read overflow thanks to call to strnlen().
338	* 2. Write overflow thanks to above ifs.
339	*/
340	return __real_strscpy(p, q, len);
341	}
342
343	/ Defined after fortified strlen() to reuse it. /
344	extern size_t __real_strlcat(char p, const* char *q, size_t avail) __RENAME(strlcat);
345	/**
346	* strlcat - Append a string to an existing string
347	*
348	* @p: pointer to %NUL-terminated string to append to
349	* @q: pointer to %NUL-terminated string to append from
350	* @avail: Maximum bytes available in @p
351	*
352	* Appends %NUL-terminated string @q after the %NUL-terminated
353	* string at @p, but will not write beyond @avail bytes total,
354	* potentially truncating the copy from @q. @p will stay
355	* %NUL-terminated only if a %NUL already existed within
356	* the @avail bytes of @p. If so, the resulting number of
357	* bytes copied from @q will be at most "@avail - strlen(@p) - 1".
358	*
359	* Do not use this function. While FORTIFY_SOURCE tries to avoid
360	* read and write overflows, this is only possible when the sizes
361	* of @p and @q are known to the compiler. Prefer building the
362	* string with formatting, via scnprintf(), seq_buf, or similar.
363	*
364	* Returns total bytes that _would_ have been contained by @p
365	* regardless of truncation, similar to snprintf(). If return
366	* value is >= @avail, the string has been truncated.
367	*
368	*/
369	__FORTIFY_INLINE
370	size_t strlcat(char * const POS p, const char * const POS q, size_t avail)
371	{
372	const size_t p_size = __member_size(p);
373	const size_t q_size = __member_size(q);
374	size_t p_len, copy_len;
375	size_t actual, wanted;
376
377	/ Give up immediately if both buffer sizes are unknown. /
378	if (p_size == SIZE_MAX && q_size == SIZE_MAX)
379	return __real_strlcat(p, q, avail);
380
381	p_len = strnlen(p, maxlen: avail);
382	copy_len = strlen(q);
383	wanted = actual = p_len + copy_len;
384
385	/ Cannot append any more: report truncation. /
386	if (avail <= p_len)
387	return wanted;
388
389	/ Give up if string is already overflowed. /
390	if (p_size <= p_len)
391	fortify_panic(name: __func__);
392
393	if (actual >= avail) {
394	copy_len = avail - p_len - `1`;
395	actual = p_len + copy_len;
396	}
397
398	/ Give up if copy will overflow. /
399	if (p_size <= actual)
400	fortify_panic(name: __func__);
401	__underlying_memcpy(p + p_len, q, copy_len);
402	p[actual] = `'\0'`;
403
404	return wanted;
405	}
406
407	/ Defined after fortified strlcat() to reuse it. /
408	/**
409	* strcat - Append a string to an existing string
410	*
411	* @p: pointer to NUL-terminated string to append to
412	* @q: pointer to NUL-terminated source string to append from
413	*
414	* Do not use this function. While FORTIFY_SOURCE tries to avoid
415	* read and write overflows, this is only possible when the
416	* destination buffer size is known to the compiler. Prefer
417	* building the string with formatting, via scnprintf() or similar.
418	* At the very least, use strncat().
419	*
420	* Returns @p.
421	*
422	*/
423	__FORTIFY_INLINE __diagnose_as(__builtin_strcat, `1`, `2`)
424	char strcat(char* * const POS p, const char *q)
425	{
426	const size_t p_size = __member_size(p);
427
428	if (strlcat(p, q, avail: p_size) >= p_size)
429	fortify_panic(name: __func__);
430	return p;
431	}
432
433	/**
434	* strncat - Append a string to an existing string
435	*
436	* @p: pointer to NUL-terminated string to append to
437	* @q: pointer to source string to append from
438	* @count: Maximum bytes to read from @q
439	*
440	* Appends at most @count bytes from @q (stopping at the first
441	* NUL byte) after the NUL-terminated string at @p. @p will be
442	* NUL-terminated.
443	*
444	* Do not use this function. While FORTIFY_SOURCE tries to avoid
445	* read and write overflows, this is only possible when the sizes
446	* of @p and @q are known to the compiler. Prefer building the
447	* string with formatting, via scnprintf() or similar.
448	*
449	* Returns @p.
450	*
451	*/
452	/ Defined after fortified strlen() and strnlen() to reuse them. /
453	__FORTIFY_INLINE __diagnose_as(__builtin_strncat, `1`, `2`, `3`)
454	char strncat(char* * const POS p, const char * const POS q, __kernel_size_t count)
455	{
456	const size_t p_size = __member_size(p);
457	const size_t q_size = __member_size(q);
458	size_t p_len, copy_len;
459
460	if (p_size == SIZE_MAX && q_size == SIZE_MAX)
461	return __underlying_strncat(p, q, count);
462	p_len = strlen(p);
463	copy_len = strnlen(p: q, maxlen: count);
464	if (p_size < p_len + copy_len + `1`)
465	fortify_panic(name: __func__);
466	__underlying_memcpy(p + p_len, q, copy_len);
467	p[p_len + copy_len] = `'\0'`;
468	return p;
469	}
470
471	__FORTIFY_INLINE void fortify_memset_chk(__kernel_size_t size,
472	const size_t p_size,
473	const size_t p_size_field)
474	{
475	if (__builtin_constant_p(size)) {
476	/*
477	* Length argument is a constant expression, so we
478	* can perform compile-time bounds checking where
479	* buffer sizes are also known at compile time.
480	*/
481
482	/ Error when size is larger than enclosing struct. /
483	if (__compiletime_lessthan(p_size_field, p_size) &&
484	__compiletime_lessthan(p_size, size))
485	__write_overflow();
486
487	/ Warn when write size is larger than dest field. /
488	if (__compiletime_lessthan(p_size_field, size))
489	__write_overflow_field(avail: p_size_field, wanted: size);
490	}
491	/*
492	* At this point, length argument may not be a constant expression,
493	* so run-time bounds checking can be done where buffer sizes are
494	* known. (This is not an "else" because the above checks may only
495	* be compile-time warnings, and we want to still warn for run-time
496	* overflows.)
497	*/
498
499	/*
500	* Always stop accesses beyond the struct that contains the
501	* field, when the buffer's remaining size is known.
502	* (The SIZE_MAX test is to optimize away checks where the buffer
503	* lengths are unknown.)
504	*/
505	if (p_size != SIZE_MAX && p_size < size)
506	fortify_panic(name: "memset");
507	}
508
509	#define __fortify_memset_chk(p, c, size, p_size, p_size_field) ({ \
510	size_t __fortify_size = (size_t)(size); \
511	fortify_memset_chk(__fortify_size, p_size, p_size_field), \
512	__underlying_memset(p, c, __fortify_size); \
513	})
514
515	/*
516	* __struct_size() vs __member_size() must be captured here to avoid
517	* evaluating argument side-effects further into the macro layers.
518	*/
519	#ifndef CONFIG_KMSAN
520	#define memset(p, c, s) __fortify_memset_chk(p, c, s, \
521	__struct_size(p), __member_size(p))
522	#endif
523
524	/*
525	* To make sure the compiler can enforce protection against buffer overflows,
526	* memcpy(), memmove(), and memset() must not be used beyond individual
527	* struct members. If you need to copy across multiple members, please use
528	* struct_group() to create a named mirror of an anonymous struct union.
529	* (e.g. see struct sk_buff.) Read overflow checking is currently only
530	* done when a write overflow is also present, or when building with W=1.
531	*
532	* Mitigation coverage matrix
533	* Bounds checking at:
534	* +-------+-------+-------+-------+
535	* \| Compile time \| Run time \|
536	* memcpy() argument sizes: \| write \| read \| write \| read \|
537	* dest source length +-------+-------+-------+-------+
538	* memcpy(known, known, constant) \| y \| y \| n/a \| n/a \|
539	* memcpy(known, unknown, constant) \| y \| n \| n/a \| V \|
540	* memcpy(known, known, dynamic) \| n \| n \| B \| B \|
541	* memcpy(known, unknown, dynamic) \| n \| n \| B \| V \|
542	* memcpy(unknown, known, constant) \| n \| y \| V \| n/a \|
543	* memcpy(unknown, unknown, constant) \| n \| n \| V \| V \|
544	* memcpy(unknown, known, dynamic) \| n \| n \| V \| B \|
545	* memcpy(unknown, unknown, dynamic) \| n \| n \| V \| V \|
546	* +-------+-------+-------+-------+
547	*
548	* y = perform deterministic compile-time bounds checking
549	* n = cannot perform deterministic compile-time bounds checking
550	* n/a = no run-time bounds checking needed since compile-time deterministic
551	* B = can perform run-time bounds checking (currently unimplemented)
552	* V = vulnerable to run-time overflow (will need refactoring to solve)
553	*
554	*/
555	__FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size,
556	const size_t p_size,
557	const size_t q_size,
558	const size_t p_size_field,
559	const size_t q_size_field,
560	const char *func)
561	{
562	if (__builtin_constant_p(size)) {
563	/*
564	* Length argument is a constant expression, so we
565	* can perform compile-time bounds checking where
566	* buffer sizes are also known at compile time.
567	*/
568
569	/ Error when size is larger than enclosing struct. /
570	if (__compiletime_lessthan(p_size_field, p_size) &&
571	__compiletime_lessthan(p_size, size))
572	__write_overflow();
573	if (__compiletime_lessthan(q_size_field, q_size) &&
574	__compiletime_lessthan(q_size, size))
575	__read_overflow2();
576
577	/ Warn when write size argument larger than dest field. /
578	if (__compiletime_lessthan(p_size_field, size))
579	__write_overflow_field(avail: p_size_field, wanted: size);
580	/*
581	* Warn for source field over-read when building with W=1
582	* or when an over-write happened, so both can be fixed at
583	* the same time.
584	*/
585	if ((IS_ENABLED(KBUILD_EXTRA_WARN1) \|\|
586	__compiletime_lessthan(p_size_field, size)) &&
587	__compiletime_lessthan(q_size_field, size))
588	__read_overflow2_field(avail: q_size_field, wanted: size);
589	}
590	/*
591	* At this point, length argument may not be a constant expression,
592	* so run-time bounds checking can be done where buffer sizes are
593	* known. (This is not an "else" because the above checks may only
594	* be compile-time warnings, and we want to still warn for run-time
595	* overflows.)
596	*/
597
598	/*
599	* Always stop accesses beyond the struct that contains the
600	* field, when the buffer's remaining size is known.
601	* (The SIZE_MAX test is to optimize away checks where the buffer
602	* lengths are unknown.)
603	*/
604	if ((p_size != SIZE_MAX && p_size < size) \|\|
605	(q_size != SIZE_MAX && q_size < size))
606	fortify_panic(name: func);
607
608	/*
609	* Warn when writing beyond destination field size.
610	*
611	* We must ignore p_size_field == 0 for existing 0-element
612	* fake flexible arrays, until they are all converted to
613	* proper flexible arrays.
614	*
615	* The implementation of __builtin_*object_size() behaves
616	* like sizeof() when not directly referencing a flexible
617	* array member, which means there will be many bounds checks
618	* that will appear at run-time, without a way for them to be
619	* detected at compile-time (as can be done when the destination
620	* is specifically the flexible array member).
621	* https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832
622	*/
623	if (p_size_field != `0` && p_size_field != SIZE_MAX &&
624	p_size != p_size_field && p_size_field < size)
625	return true;
626
627	return false;
628	}
629
630	#define __fortify_memcpy_chk(p, q, size, p_size, q_size, \
631	p_size_field, q_size_field, op) ({ \
632	const size_t __fortify_size = (size_t)(size); \
633	const size_t __p_size = (p_size); \
634	const size_t __q_size = (q_size); \
635	const size_t __p_size_field = (p_size_field); \
636	const size_t __q_size_field = (q_size_field); \
637	WARN_ONCE(fortify_memcpy_chk(__fortify_size, __p_size, \
638	__q_size, __p_size_field, \
639	__q_size_field, #op), \
640	#op ": detected field-spanning write (size %zu) of single %s (size %zu)\n", \
641	__fortify_size, \
642	"field \"" #p "\" at " FILE_LINE, \
643	__p_size_field); \
644	__underlying_##op(p, q, __fortify_size); \
645	})
646
647	/*
648	* Notes about compile-time buffer size detection:
649	*
650	* With these types...
651	*
652	* struct middle {
653	* u16 a;
654	* u8 middle_buf[16];
655	* int b;
656	* };
657	* struct end {
658	* u16 a;
659	* u8 end_buf[16];
660	* };
661	* struct flex {
662	* int a;
663	* u8 flex_buf[];
664	* };
665	*
666	* void func(TYPE *ptr) { ... }
667	*
668	* Cases where destination size cannot be currently detected:
669	* - the size of ptr's object (seemingly by design, gcc & clang fail):
670	* __builtin_object_size(ptr, 1) == SIZE_MAX
671	* - the size of flexible arrays in ptr's obj (by design, dynamic size):
672	* __builtin_object_size(ptr->flex_buf, 1) == SIZE_MAX
673	* - the size of ANY array at the end of ptr's obj (gcc and clang bug):
674	* __builtin_object_size(ptr->end_buf, 1) == SIZE_MAX
675	* https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836
676	*
677	* Cases where destination size is currently detected:
678	* - the size of non-array members within ptr's object:
679	* __builtin_object_size(ptr->a, 1) == 2
680	* - the size of non-flexible-array in the middle of ptr's obj:
681	* __builtin_object_size(ptr->middle_buf, 1) == 16
682	*
683	*/
684
685	/*
686	* __struct_size() vs __member_size() must be captured here to avoid
687	* evaluating argument side-effects further into the macro layers.
688	*/
689	#define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \
690	__struct_size(p), __struct_size(q), \
691	__member_size(p), __member_size(q), \
692	memcpy)
693	#define memmove(p, q, s) __fortify_memcpy_chk(p, q, s, \
694	__struct_size(p), __struct_size(q), \
695	__member_size(p), __member_size(q), \
696	memmove)
697
698	extern void __real_memscan(void* , int*, __kernel_size_t) __RENAME(memscan);
699	__FORTIFY_INLINE void memscan(void* * const POS0 p, int c, __kernel_size_t size)
700	{
701	const size_t p_size = __struct_size(p);
702
703	if (__compiletime_lessthan(p_size, size))
704	__read_overflow();
705	if (p_size < size)
706	fortify_panic(name: __func__);
707	return __real_memscan(p, c, size);
708	}
709
710	__FORTIFY_INLINE __diagnose_as(__builtin_memcmp, `1`, `2`, `3`)
711	int memcmp(const void * const POS0 p, const void * const POS0 q, __kernel_size_t size)
712	{
713	const size_t p_size = __struct_size(p);
714	const size_t q_size = __struct_size(q);
715
716	if (__builtin_constant_p(size)) {
717	if (__compiletime_lessthan(p_size, size))
718	__read_overflow();
719	if (__compiletime_lessthan(q_size, size))
720	__read_overflow2();
721	}
722	if (p_size < size \|\| q_size < size)
723	fortify_panic(name: __func__);
724	return __underlying_memcmp(p, q, size);
725	}
726
727	__FORTIFY_INLINE __diagnose_as(__builtin_memchr, `1`, `2`, `3`)
728	void memchr(const* void * const POS0 p, int c, __kernel_size_t size)
729	{
730	const size_t p_size = __struct_size(p);
731
732	if (__compiletime_lessthan(p_size, size))
733	__read_overflow();
734	if (p_size < size)
735	fortify_panic(name: __func__);
736	return __underlying_memchr(p, c, size);
737	}
738
739	void __real_memchr_inv(const* void s, int* c, size_t n) __RENAME(memchr_inv);
740	__FORTIFY_INLINE void memchr_inv(const* void * const POS0 p, int c, size_t size)
741	{
742	const size_t p_size = __struct_size(p);
743
744	if (__compiletime_lessthan(p_size, size))
745	__read_overflow();
746	if (p_size < size)
747	fortify_panic(name: __func__);
748	return __real_memchr_inv(s: p, c, n: size);
749	}
750
751	extern void __real_kmemdup(const* void *src, size_t len, gfp_t gfp) __RENAME(kmemdup)
752	__realloc_size(`2`);
753	__FORTIFY_INLINE void kmemdup(const* void * const POS0 p, size_t size, gfp_t gfp)
754	{
755	const size_t p_size = __struct_size(p);
756
757	if (__compiletime_lessthan(p_size, size))
758	__read_overflow();
759	if (p_size < size)
760	fortify_panic(name: __func__);
761	return __real_kmemdup(src: p, len: size, gfp);
762	}
763
764	/**
765	* strcpy - Copy a string into another string buffer
766	*
767	* @p: pointer to destination of copy
768	* @q: pointer to NUL-terminated source string to copy
769	*
770	* Do not use this function. While FORTIFY_SOURCE tries to avoid
771	* overflows, this is only possible when the sizes of @q and @p are
772	* known to the compiler. Prefer strscpy(), though note its different
773	* return values for detecting truncation.
774	*
775	* Returns @p.
776	*
777	*/
778	/ Defined after fortified strlen to reuse it. /
779	__FORTIFY_INLINE __diagnose_as(__builtin_strcpy, `1`, `2`)
780	char strcpy(char* * const POS p, const char * const POS q)
781	{
782	const size_t p_size = __member_size(p);
783	const size_t q_size = __member_size(q);
784	size_t size;
785
786	/ If neither buffer size is known, immediately give up. /
787	if (__builtin_constant_p(p_size) &&
788	__builtin_constant_p(q_size) &&
789	p_size == SIZE_MAX && q_size == SIZE_MAX)
790	return __underlying_strcpy(p, q);
791	size = strlen(q) + `1`;
792	/ Compile-time check for const size overflow. /
793	if (__compiletime_lessthan(p_size, size))
794	__write_overflow();
795	/ Run-time check for dynamic size overflow. /
796	if (p_size < size)
797	fortify_panic(name: __func__);
798	__underlying_memcpy(p, q, size);
799	return p;
800	}
801
802	/ Don't use these outside the FORITFY_SOURCE implementation /
803	#undef __underlying_memchr
804	#undef __underlying_memcmp
805	#undef __underlying_strcat
806	#undef __underlying_strcpy
807	#undef __underlying_strlen
808	#undef __underlying_strncat
809	#undef __underlying_strncpy
810
811	#undef POS
812	#undef POS0
813
814	#endif /* _LINUX_FORTIFY_STRING_H_ */
815

source code of linux/include/linux/fortify-string.h