2008-10-23 12:26:29 +07:00
|
|
|
#ifndef _ASM_X86_STRING_64_H
|
|
|
|
|
#define _ASM_X86_STRING_64_H
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
|
#ifdef __KERNEL__
|
2016-09-02 01:39:33 +07:00
|
|
|
#include <linux/jump_label.h>
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2008-03-23 15:03:34 +07:00
|
|
|
/* Written 2002 by Andi Kleen */
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2008-03-23 15:03:34 +07:00
|
|
|
/* Only used for special circumstances. Stolen from i386/string.h */
|
|
|
|
|
static __always_inline void *__inline_memcpy(void *to, const void *from, size_t n)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2008-03-23 15:03:34 +07:00
|
|
|
unsigned long d0, d1, d2;
|
|
|
|
|
asm volatile("rep ; movsl\n\t"
|
|
|
|
|
"testb $2,%b4\n\t"
|
|
|
|
|
"je 1f\n\t"
|
|
|
|
|
"movsw\n"
|
|
|
|
|
"1:\ttestb $1,%b4\n\t"
|
|
|
|
|
"je 2f\n\t"
|
|
|
|
|
"movsb\n"
|
|
|
|
|
"2:"
|
|
|
|
|
: "=&c" (d0), "=&D" (d1), "=&S" (d2)
|
|
|
|
|
: "0" (n / 4), "q" (n), "1" ((long)to), "2" ((long)from)
|
|
|
|
|
: "memory");
|
|
|
|
|
return to;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Even with __builtin_ the compiler may decide to use the out of line
|
|
|
|
|
function. */
|
|
|
|
|
|
|
|
|
|
#define __HAVE_ARCH_MEMCPY 1
|
2015-10-16 18:28:53 +07:00
|
|
|
extern void *memcpy(void *to, const void *from, size_t len);
|
2015-02-14 05:39:56 +07:00
|
|
|
extern void *__memcpy(void *to, const void *from, size_t len);
|
|
|
|
|
|
include/linux/string.h: add the option of fortified string.h functions
This adds support for compiling with a rough equivalent to the glibc
_FORTIFY_SOURCE=1 feature, providing compile-time and runtime buffer
overflow checks for string.h functions when the compiler determines the
size of the source or destination buffer at compile-time. Unlike glibc,
it covers buffer reads in addition to writes.
GNU C __builtin_*_chk intrinsics are avoided because they would force a
much more complex implementation. They aren't designed to detect read
overflows and offer no real benefit when using an implementation based
on inline checks. Inline checks don't add up to much code size and
allow full use of the regular string intrinsics while avoiding the need
for a bunch of _chk functions and per-arch assembly to avoid wrapper
overhead.
This detects various overflows at compile-time in various drivers and
some non-x86 core kernel code. There will likely be issues caught in
regular use at runtime too.
Future improvements left out of initial implementation for simplicity,
as it's all quite optional and can be done incrementally:
* Some of the fortified string functions (strncpy, strcat), don't yet
place a limit on reads from the source based on __builtin_object_size of
the source buffer.
* Extending coverage to more string functions like strlcat.
* It should be possible to optionally use __builtin_object_size(x, 1) for
some functions (C strings) to detect intra-object overflows (like
glibc's _FORTIFY_SOURCE=2), but for now this takes the conservative
approach to avoid likely compatibility issues.
* The compile-time checks should be made available via a separate config
option which can be enabled by default (or always enabled) once enough
time has passed to get the issues it catches fixed.
Kees said:
"This is great to have. While it was out-of-tree code, it would have
blocked at least CVE-2016-3858 from being exploitable (improper size
argument to strlcpy()). I've sent a number of fixes for
out-of-bounds-reads that this detected upstream already"
[arnd@arndb.de: x86: fix fortified memcpy]
Link: http://lkml.kernel.org/r/20170627150047.660360-1-arnd@arndb.de
[keescook@chromium.org: avoid panic() in favor of BUG()]
Link: http://lkml.kernel.org/r/20170626235122.GA25261@beast
[keescook@chromium.org: move from -mm, add ARCH_HAS_FORTIFY_SOURCE, tweak Kconfig help]
Link: http://lkml.kernel.org/r/20170526095404.20439-1-danielmicay@gmail.com
Link: http://lkml.kernel.org/r/1497903987-21002-8-git-send-email-keescook@chromium.org
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Daniel Axtens <dja@axtens.net>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-13 04:36:10 +07:00
|
|
|
#ifndef CONFIG_FORTIFY_SOURCE
|
2008-04-04 05:53:23 +07:00
|
|
|
#ifndef CONFIG_KMEMCHECK
|
2015-10-16 18:28:53 +07:00
|
|
|
#if (__GNUC__ == 4 && __GNUC_MINOR__ < 3) || __GNUC__ < 4
|
2008-03-23 15:03:34 +07:00
|
|
|
#define memcpy(dst, src, len) \
|
|
|
|
|
({ \
|
|
|
|
|
size_t __len = (len); \
|
|
|
|
|
void *__ret; \
|
|
|
|
|
if (__builtin_constant_p(len) && __len >= 64) \
|
|
|
|
|
__ret = __memcpy((dst), (src), __len); \
|
|
|
|
|
else \
|
|
|
|
|
__ret = __builtin_memcpy((dst), (src), __len); \
|
|
|
|
|
__ret; \
|
|
|
|
|
})
|
2007-07-21 22:09:58 +07:00
|
|
|
#endif
|
2008-04-04 05:53:23 +07:00
|
|
|
#else
|
|
|
|
|
/*
|
|
|
|
|
* kmemcheck becomes very happy if we use the REP instructions unconditionally,
|
|
|
|
|
* because it means that we know both memory operands in advance.
|
|
|
|
|
*/
|
|
|
|
|
#define memcpy(dst, src, len) __inline_memcpy((dst), (src), (len))
|
|
|
|
|
#endif
|
include/linux/string.h: add the option of fortified string.h functions
This adds support for compiling with a rough equivalent to the glibc
_FORTIFY_SOURCE=1 feature, providing compile-time and runtime buffer
overflow checks for string.h functions when the compiler determines the
size of the source or destination buffer at compile-time. Unlike glibc,
it covers buffer reads in addition to writes.
GNU C __builtin_*_chk intrinsics are avoided because they would force a
much more complex implementation. They aren't designed to detect read
overflows and offer no real benefit when using an implementation based
on inline checks. Inline checks don't add up to much code size and
allow full use of the regular string intrinsics while avoiding the need
for a bunch of _chk functions and per-arch assembly to avoid wrapper
overhead.
This detects various overflows at compile-time in various drivers and
some non-x86 core kernel code. There will likely be issues caught in
regular use at runtime too.
Future improvements left out of initial implementation for simplicity,
as it's all quite optional and can be done incrementally:
* Some of the fortified string functions (strncpy, strcat), don't yet
place a limit on reads from the source based on __builtin_object_size of
the source buffer.
* Extending coverage to more string functions like strlcat.
* It should be possible to optionally use __builtin_object_size(x, 1) for
some functions (C strings) to detect intra-object overflows (like
glibc's _FORTIFY_SOURCE=2), but for now this takes the conservative
approach to avoid likely compatibility issues.
* The compile-time checks should be made available via a separate config
option which can be enabled by default (or always enabled) once enough
time has passed to get the issues it catches fixed.
Kees said:
"This is great to have. While it was out-of-tree code, it would have
blocked at least CVE-2016-3858 from being exploitable (improper size
argument to strlcpy()). I've sent a number of fixes for
out-of-bounds-reads that this detected upstream already"
[arnd@arndb.de: x86: fix fortified memcpy]
Link: http://lkml.kernel.org/r/20170627150047.660360-1-arnd@arndb.de
[keescook@chromium.org: avoid panic() in favor of BUG()]
Link: http://lkml.kernel.org/r/20170626235122.GA25261@beast
[keescook@chromium.org: move from -mm, add ARCH_HAS_FORTIFY_SOURCE, tweak Kconfig help]
Link: http://lkml.kernel.org/r/20170526095404.20439-1-danielmicay@gmail.com
Link: http://lkml.kernel.org/r/1497903987-21002-8-git-send-email-keescook@chromium.org
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Daniel Axtens <dja@axtens.net>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-13 04:36:10 +07:00
|
|
|
#endif /* !CONFIG_FORTIFY_SOURCE */
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
|
#define __HAVE_ARCH_MEMSET
|
2006-03-25 22:29:49 +07:00
|
|
|
void *memset(void *s, int c, size_t n);
|
2015-02-14 05:39:56 +07:00
|
|
|
void *__memset(void *s, int c, size_t n);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
|
#define __HAVE_ARCH_MEMMOVE
|
2008-03-23 15:03:34 +07:00
|
|
|
void *memmove(void *dest, const void *src, size_t count);
|
2015-02-14 05:39:56 +07:00
|
|
|
void *__memmove(void *dest, const void *src, size_t count);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2008-03-23 15:03:34 +07:00
|
|
|
int memcmp(const void *cs, const void *ct, size_t count);
|
|
|
|
|
size_t strlen(const char *s);
|
|
|
|
|
char *strcpy(char *dest, const char *src);
|
|
|
|
|
char *strcat(char *dest, const char *src);
|
|
|
|
|
int strcmp(const char *cs, const char *ct);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2015-02-14 05:39:56 +07:00
|
|
|
#if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* For files that not instrumented (e.g. mm/slub.c) we
|
|
|
|
|
* should use not instrumented version of mem* functions.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#undef memcpy
|
|
|
|
|
#define memcpy(dst, src, len) __memcpy(dst, src, len)
|
|
|
|
|
#define memmove(dst, src, len) __memmove(dst, src, len)
|
|
|
|
|
#define memset(s, c, n) __memset(s, c, n)
|
include/linux/string.h: add the option of fortified string.h functions
This adds support for compiling with a rough equivalent to the glibc
_FORTIFY_SOURCE=1 feature, providing compile-time and runtime buffer
overflow checks for string.h functions when the compiler determines the
size of the source or destination buffer at compile-time. Unlike glibc,
it covers buffer reads in addition to writes.
GNU C __builtin_*_chk intrinsics are avoided because they would force a
much more complex implementation. They aren't designed to detect read
overflows and offer no real benefit when using an implementation based
on inline checks. Inline checks don't add up to much code size and
allow full use of the regular string intrinsics while avoiding the need
for a bunch of _chk functions and per-arch assembly to avoid wrapper
overhead.
This detects various overflows at compile-time in various drivers and
some non-x86 core kernel code. There will likely be issues caught in
regular use at runtime too.
Future improvements left out of initial implementation for simplicity,
as it's all quite optional and can be done incrementally:
* Some of the fortified string functions (strncpy, strcat), don't yet
place a limit on reads from the source based on __builtin_object_size of
the source buffer.
* Extending coverage to more string functions like strlcat.
* It should be possible to optionally use __builtin_object_size(x, 1) for
some functions (C strings) to detect intra-object overflows (like
glibc's _FORTIFY_SOURCE=2), but for now this takes the conservative
approach to avoid likely compatibility issues.
* The compile-time checks should be made available via a separate config
option which can be enabled by default (or always enabled) once enough
time has passed to get the issues it catches fixed.
Kees said:
"This is great to have. While it was out-of-tree code, it would have
blocked at least CVE-2016-3858 from being exploitable (improper size
argument to strlcpy()). I've sent a number of fixes for
out-of-bounds-reads that this detected upstream already"
[arnd@arndb.de: x86: fix fortified memcpy]
Link: http://lkml.kernel.org/r/20170627150047.660360-1-arnd@arndb.de
[keescook@chromium.org: avoid panic() in favor of BUG()]
Link: http://lkml.kernel.org/r/20170626235122.GA25261@beast
[keescook@chromium.org: move from -mm, add ARCH_HAS_FORTIFY_SOURCE, tweak Kconfig help]
Link: http://lkml.kernel.org/r/20170526095404.20439-1-danielmicay@gmail.com
Link: http://lkml.kernel.org/r/1497903987-21002-8-git-send-email-keescook@chromium.org
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Daniel Axtens <dja@axtens.net>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-13 04:36:10 +07:00
|
|
|
|
|
|
|
|
#ifndef __NO_FORTIFY
|
|
|
|
|
#define __NO_FORTIFY /* FORTIFY_SOURCE uses __builtin_memcpy, etc. */
|
|
|
|
|
#endif
|
|
|
|
|
|
2015-02-14 05:39:56 +07:00
|
|
|
#endif
|
|
|
|
|
|
2017-01-14 05:14:23 +07:00
|
|
|
#define __HAVE_ARCH_MEMCPY_MCSAFE 1
|
2016-09-02 01:39:33 +07:00
|
|
|
__must_check int memcpy_mcsafe_unrolled(void *dst, const void *src, size_t cnt);
|
2016-09-02 01:39:33 +07:00
|
|
|
DECLARE_STATIC_KEY_FALSE(mcsafe_key);
|
|
|
|
|
|
2016-02-19 02:47:26 +07:00
|
|
|
/**
|
|
|
|
|
* memcpy_mcsafe - copy memory with indication if a machine check happened
|
|
|
|
|
*
|
|
|
|
|
* @dst: destination address
|
|
|
|
|
* @src: source address
|
|
|
|
|
* @cnt: number of bytes to copy
|
|
|
|
|
*
|
|
|
|
|
* Low level memory copy function that catches machine checks
|
2016-09-02 01:39:33 +07:00
|
|
|
* We only call into the "safe" function on systems that can
|
|
|
|
|
* actually do machine check recovery. Everyone else can just
|
|
|
|
|
* use memcpy().
|
2016-02-19 02:47:26 +07:00
|
|
|
*
|
2016-03-15 05:33:39 +07:00
|
|
|
* Return 0 for success, -EFAULT for fail
|
2016-02-19 02:47:26 +07:00
|
|
|
*/
|
2016-09-02 01:39:33 +07:00
|
|
|
static __always_inline __must_check int
|
|
|
|
|
memcpy_mcsafe(void *dst, const void *src, size_t cnt)
|
|
|
|
|
{
|
|
|
|
|
#ifdef CONFIG_X86_MCE
|
|
|
|
|
if (static_branch_unlikely(&mcsafe_key))
|
|
|
|
|
return memcpy_mcsafe_unrolled(dst, src, cnt);
|
|
|
|
|
else
|
|
|
|
|
#endif
|
|
|
|
|
memcpy(dst, src, cnt);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2016-02-19 02:47:26 +07:00
|
|
|
|
2017-05-30 02:22:50 +07:00
|
|
|
#ifdef CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE
|
|
|
|
|
#define __HAVE_ARCH_MEMCPY_FLUSHCACHE 1
|
|
|
|
|
void memcpy_flushcache(void *dst, const void *src, size_t cnt);
|
|
|
|
|
#endif
|
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
#endif /* __KERNEL__ */
|
|
|
|
|
|
2008-10-23 12:26:29 +07:00
|
|
|
#endif /* _ASM_X86_STRING_64_H */
|