[PATCH v2 1/3] fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL

From: Kees Cook
Date: Fri Sep 02 2022 - 16:44:10 EST

Next message: Kees Cook: "[PATCH v2 3/3] fortify: Use SIZE_MAX instead of (size_t)-1"
Previous message: Kees Cook: "[PATCH v2 2/3] fortify: Add KUnit test for FORTIFY_SOURCE internals"
In reply to: David Gow: "Re: [PATCH v2 2/3] fortify: Add KUnit test for FORTIFY_SOURCE internals"
Next in thread: Nick Desaulniers: "Re: [PATCH v2 1/3] fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

With CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe
a runtime panic while running Android's Compatibility Test Suite's (CTS)
android.hardware.input.cts.tests. This is stemming from a strlen()
call in hidinput_allocate().

__compiletime_strlen() is implemented in terms of __builtin_object_size(),
then does an array access to check for NUL-termination. A quirk of
__builtin_object_size() is that for strings whose values are runtime
dependent, __builtin_object_size(str, 1 or 0) returns the maximum size
of possible values when those sizes are determinable at compile time.
Example:

static const char *v = "FOO BAR";
static const char *y = "FOO BA";
unsigned long x (int z) {
// Returns 8, which is:
// max(__builtin_object_size(v, 1), __builtin_object_size(y, 1))
return __builtin_object_size(z ? v : y, 1);
}

So when FORTIFY_SOURCE is enabled, the current implementation of
__compiletime_strlen() will try to access beyond the end of y at runtime
using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault.

hidinput_allocate() has a local C string whose value is control flow
dependent on a switch statement, so __builtin_object_size(str, 1)
evaluates to the maximum string length, making all other cases fault on
the last character check. hidinput_allocate() could be cleaned up to
avoid runtime calls to strlen() since the local variable can only have
literal values, so there's no benefit to trying to fortify the strlen
call site there.

Perform a __builtin_constant_p() check against index 0 earlier in the
macro to filter out the control-flow-dependant case. Add a KUnit test
for checking the expected behavioral characteristics of FORTIFY_SOURCE
internals.

Cc: Nathan Chancellor <nathan@xxxxxxxxxx>
Cc: Tom Rix <trix@xxxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Vlastimil Babka <vbabka@xxxxxxx>
Cc: "Steven Rostedt (Google)" <rostedt@xxxxxxxxxxx>
Cc: David Gow <davidgow@xxxxxxxxxx>
Cc: Yury Norov <yury.norov@xxxxxxxxx>
Cc: Masami Hiramatsu <mhiramat@xxxxxxxxxx>
Cc: Sander Vanheule <sander@xxxxxxxxxxxxx>
Cc: linux-hardening@xxxxxxxxxxxxxxx
Cc: llvm@xxxxxxxxxxxxxxx
Co-developed-by: Nick Desaulniers <ndesaulniers@xxxxxxxxxx>
Signed-off-by: Nick Desaulniers <ndesaulniers@xxxxxxxxxx>
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
include/linux/fortify-string.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index eed2119b23c5..07d5d1921eff 100644
--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
@@ -19,7 +19,8 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
unsigned char *__p = (unsigned char *)(p); \
size_t __ret = (size_t)-1; \
size_t __p_size = __builtin_object_size(p, 1); \
- if (__p_size != (size_t)-1) { \
+ if (__p_size != (size_t)-1 && \
+ __builtin_constant_p(*__p)) { \
size_t __p_len = __p_size - 1; \
if (__builtin_constant_p(__p[__p_len]) && \
__p[__p_len] == '\0') \
--
2.34.1

Next message: Kees Cook: "[PATCH v2 3/3] fortify: Use SIZE_MAX instead of (size_t)-1"
Previous message: Kees Cook: "[PATCH v2 2/3] fortify: Add KUnit test for FORTIFY_SOURCE internals"
In reply to: David Gow: "Re: [PATCH v2 2/3] fortify: Add KUnit test for FORTIFY_SOURCE internals"
Next in thread: Nick Desaulniers: "Re: [PATCH v2 1/3] fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]