2005-04-17 05:20:36 +07:00
|
|
|
#ifndef _LINUX_STRING_H_
|
|
|
|
#define _LINUX_STRING_H_
|
|
|
|
|
|
|
|
|
|
|
|
#include <linux/compiler.h> /* for inline */
|
|
|
|
#include <linux/types.h> /* for size_t */
|
|
|
|
#include <linux/stddef.h> /* for NULL */
|
2009-03-06 23:21:46 +07:00
|
|
|
#include <stdarg.h>
|
2012-10-13 16:46:48 +07:00
|
|
|
#include <uapi/linux/string.h>
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2006-03-24 18:18:42 +07:00
|
|
|
extern char *strndup_user(const char __user *, long);
|
2009-04-01 05:23:16 +07:00
|
|
|
extern void *memdup_user(const void __user *, size_t);
|
2015-12-24 12:06:05 +07:00
|
|
|
extern void *memdup_user_nul(const void __user *, size_t);
|
2006-03-24 18:18:42 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/*
|
|
|
|
* Include machine specific inline routines
|
|
|
|
*/
|
|
|
|
#include <asm/string.h>
|
|
|
|
|
|
|
|
#ifndef __HAVE_ARCH_STRCPY
|
|
|
|
extern char * strcpy(char *,const char *);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_STRNCPY
|
|
|
|
extern char * strncpy(char *,const char *, __kernel_size_t);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_STRLCPY
|
|
|
|
size_t strlcpy(char *, const char *, size_t);
|
|
|
|
#endif
|
2015-04-29 23:52:04 +07:00
|
|
|
#ifndef __HAVE_ARCH_STRSCPY
|
|
|
|
ssize_t __must_check strscpy(char *, const char *, size_t);
|
|
|
|
#endif
|
2005-04-17 05:20:36 +07:00
|
|
|
#ifndef __HAVE_ARCH_STRCAT
|
|
|
|
extern char * strcat(char *, const char *);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_STRNCAT
|
|
|
|
extern char * strncat(char *, const char *, __kernel_size_t);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_STRLCAT
|
|
|
|
extern size_t strlcat(char *, const char *, __kernel_size_t);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_STRCMP
|
|
|
|
extern int strcmp(const char *,const char *);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_STRNCMP
|
|
|
|
extern int strncmp(const char *,const char *,__kernel_size_t);
|
|
|
|
#endif
|
2007-03-29 15:18:42 +07:00
|
|
|
#ifndef __HAVE_ARCH_STRCASECMP
|
|
|
|
extern int strcasecmp(const char *s1, const char *s2);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_STRNCASECMP
|
|
|
|
extern int strncasecmp(const char *s1, const char *s2, size_t n);
|
|
|
|
#endif
|
2005-04-17 05:20:36 +07:00
|
|
|
#ifndef __HAVE_ARCH_STRCHR
|
|
|
|
extern char * strchr(const char *,int);
|
|
|
|
#endif
|
2014-03-15 00:00:14 +07:00
|
|
|
#ifndef __HAVE_ARCH_STRCHRNUL
|
|
|
|
extern char * strchrnul(const char *,int);
|
|
|
|
#endif
|
2005-04-17 05:20:36 +07:00
|
|
|
#ifndef __HAVE_ARCH_STRNCHR
|
|
|
|
extern char * strnchr(const char *, size_t, int);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_STRRCHR
|
|
|
|
extern char * strrchr(const char *,int);
|
|
|
|
#endif
|
2009-12-15 09:01:04 +07:00
|
|
|
extern char * __must_check skip_spaces(const char *);
|
2009-12-15 09:01:15 +07:00
|
|
|
|
|
|
|
extern char *strim(char *);
|
|
|
|
|
|
|
|
static inline __must_check char *strstrip(char *str)
|
|
|
|
{
|
|
|
|
return strim(str);
|
|
|
|
}
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
#ifndef __HAVE_ARCH_STRSTR
|
2010-01-14 09:53:55 +07:00
|
|
|
extern char * strstr(const char *, const char *);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_STRNSTR
|
|
|
|
extern char * strnstr(const char *, const char *, size_t);
|
2005-04-17 05:20:36 +07:00
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_STRLEN
|
|
|
|
extern __kernel_size_t strlen(const char *);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_STRNLEN
|
|
|
|
extern __kernel_size_t strnlen(const char *,__kernel_size_t);
|
|
|
|
#endif
|
2006-04-11 12:53:57 +07:00
|
|
|
#ifndef __HAVE_ARCH_STRPBRK
|
|
|
|
extern char * strpbrk(const char *,const char *);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_STRSEP
|
|
|
|
extern char * strsep(char **,const char *);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_STRSPN
|
|
|
|
extern __kernel_size_t strspn(const char *,const char *);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_STRCSPN
|
|
|
|
extern __kernel_size_t strcspn(const char *,const char *);
|
|
|
|
#endif
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
#ifndef __HAVE_ARCH_MEMSET
|
|
|
|
extern void * memset(void *,int,__kernel_size_t);
|
|
|
|
#endif
|
2017-09-09 06:13:48 +07:00
|
|
|
|
|
|
|
#ifndef __HAVE_ARCH_MEMSET16
|
|
|
|
extern void *memset16(uint16_t *, uint16_t, __kernel_size_t);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifndef __HAVE_ARCH_MEMSET32
|
|
|
|
extern void *memset32(uint32_t *, uint32_t, __kernel_size_t);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifndef __HAVE_ARCH_MEMSET64
|
|
|
|
extern void *memset64(uint64_t *, uint64_t, __kernel_size_t);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
static inline void *memset_l(unsigned long *p, unsigned long v,
|
|
|
|
__kernel_size_t n)
|
|
|
|
{
|
|
|
|
if (BITS_PER_LONG == 32)
|
|
|
|
return memset32((uint32_t *)p, v, n);
|
|
|
|
else
|
|
|
|
return memset64((uint64_t *)p, v, n);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void *memset_p(void **p, void *v, __kernel_size_t n)
|
|
|
|
{
|
|
|
|
if (BITS_PER_LONG == 32)
|
|
|
|
return memset32((uint32_t *)p, (uintptr_t)v, n);
|
|
|
|
else
|
|
|
|
return memset64((uint64_t *)p, (uintptr_t)v, n);
|
|
|
|
}
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
#ifndef __HAVE_ARCH_MEMCPY
|
|
|
|
extern void * memcpy(void *,const void *,__kernel_size_t);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_MEMMOVE
|
|
|
|
extern void * memmove(void *,const void *,__kernel_size_t);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_MEMSCAN
|
|
|
|
extern void * memscan(void *,int,__kernel_size_t);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_MEMCMP
|
|
|
|
extern int memcmp(const void *,const void *,__kernel_size_t);
|
|
|
|
#endif
|
|
|
|
#ifndef __HAVE_ARCH_MEMCHR
|
|
|
|
extern void * memchr(const void *,int,__kernel_size_t);
|
|
|
|
#endif
|
2017-01-14 05:14:23 +07:00
|
|
|
#ifndef __HAVE_ARCH_MEMCPY_MCSAFE
|
|
|
|
static inline __must_check int memcpy_mcsafe(void *dst, const void *src,
|
|
|
|
size_t cnt)
|
|
|
|
{
|
|
|
|
memcpy(dst, src, cnt);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#endif
|
2017-05-30 02:22:50 +07:00
|
|
|
#ifndef __HAVE_ARCH_MEMCPY_FLUSHCACHE
|
|
|
|
static inline void memcpy_flushcache(void *dst, const void *src, size_t cnt)
|
|
|
|
{
|
|
|
|
memcpy(dst, src, cnt);
|
|
|
|
}
|
|
|
|
#endif
|
2011-11-01 07:08:07 +07:00
|
|
|
void *memchr_inv(const void *s, int c, size_t n);
|
2015-06-26 05:02:22 +07:00
|
|
|
char *strreplace(char *s, char old, char new);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2015-02-14 05:36:24 +07:00
|
|
|
extern void kfree_const(const void *x);
|
|
|
|
|
2016-05-20 07:10:55 +07:00
|
|
|
extern char *kstrdup(const char *s, gfp_t gfp) __malloc;
|
2015-02-14 05:36:24 +07:00
|
|
|
extern const char *kstrdup_const(const char *s, gfp_t gfp);
|
2007-07-18 08:37:02 +07:00
|
|
|
extern char *kstrndup(const char *s, size_t len, gfp_t gfp);
|
[PATCH] kmemdup: introduce
One of idiomatic ways to duplicate a region of memory is
dst = kmalloc(len, GFP_KERNEL);
if (!dst)
return -ENOMEM;
memcpy(dst, src, len);
which is neat code except a programmer needs to write size twice. Which
sometimes leads to mistakes. If len passed to kmalloc is smaller that len
passed to memcpy, it's straight overwrite-beyond-end. If len passed to
memcpy is smaller than len passed to kmalloc, it's either a) legit
behaviour ;-), or b) cloned buffer will contain garbage in second half.
Slight trolling of commit lists shows several duplications bugs
done exactly because of diverged lenghts:
Linux:
[CRYPTO]: Fix memcpy/memset args.
[PATCH] memcpy/memset fixes
OpenBSD:
kerberosV/src/lib/asn1: der_copy.c:1.4
If programmer is given only one place to play with lengths, I believe, such
mistakes could be avoided.
With kmemdup, the snippet above will be rewritten as:
dst = kmemdup(src, len, GFP_KERNEL);
if (!dst)
return -ENOMEM;
This also leads to smaller code (kzalloc effect). Quick grep shows
200+ places where kmemdup() can be used.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-10-01 13:27:20 +07:00
|
|
|
extern void *kmemdup(const void *src, size_t len, gfp_t gfp);
|
2017-07-04 23:25:02 +07:00
|
|
|
extern char *kmemdup_nul(const char *s, size_t len, gfp_t gfp);
|
2005-06-23 14:09:02 +07:00
|
|
|
|
2007-07-18 08:37:02 +07:00
|
|
|
extern char **argv_split(gfp_t gfp, const char *str, int *argcp);
|
|
|
|
extern void argv_free(char **argv);
|
|
|
|
|
2008-05-01 18:34:42 +07:00
|
|
|
extern bool sysfs_streq(const char *s1, const char *s2);
|
2016-03-18 04:22:50 +07:00
|
|
|
extern int kstrtobool(const char *s, bool *res);
|
|
|
|
static inline int strtobool(const char *s, bool *res)
|
|
|
|
{
|
|
|
|
return kstrtobool(s, res);
|
|
|
|
}
|
2008-05-01 18:34:42 +07:00
|
|
|
|
2016-03-18 04:22:14 +07:00
|
|
|
int match_string(const char * const *array, size_t n, const char *string);
|
2017-03-21 18:56:46 +07:00
|
|
|
int __sysfs_match_string(const char * const *array, size_t n, const char *s);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* sysfs_match_string - matches given string in an array
|
|
|
|
* @_a: array of strings
|
|
|
|
* @_s: string to match with
|
|
|
|
*
|
|
|
|
* Helper for __sysfs_match_string(). Calculates the size of @a automatically.
|
|
|
|
*/
|
|
|
|
#define sysfs_match_string(_a, _s) __sysfs_match_string(_a, ARRAY_SIZE(_a), _s)
|
2016-03-18 04:22:14 +07:00
|
|
|
|
2009-03-06 23:21:46 +07:00
|
|
|
#ifdef CONFIG_BINARY_PRINTF
|
|
|
|
int vbin_printf(u32 *bin_buf, size_t size, const char *fmt, va_list args);
|
|
|
|
int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf);
|
|
|
|
int bprintf(u32 *bin_buf, size_t size, const char *fmt, ...) __printf(3, 4);
|
|
|
|
#endif
|
|
|
|
|
2008-07-24 11:26:44 +07:00
|
|
|
extern ssize_t memory_read_from_buffer(void *to, size_t count, loff_t *ppos,
|
2014-08-27 10:16:35 +07:00
|
|
|
const void *from, size_t available);
|
2008-07-24 11:26:44 +07:00
|
|
|
|
2009-04-01 02:05:36 +07:00
|
|
|
/**
|
|
|
|
* strstarts - does @str start with @prefix?
|
|
|
|
* @str: string to examine
|
|
|
|
* @prefix: prefix to look for.
|
|
|
|
*/
|
|
|
|
static inline bool strstarts(const char *str, const char *prefix)
|
|
|
|
{
|
|
|
|
return strncmp(str, prefix, strlen(prefix)) == 0;
|
|
|
|
}
|
2012-07-31 04:40:55 +07:00
|
|
|
|
2014-08-27 10:16:35 +07:00
|
|
|
size_t memweight(const void *ptr, size_t bytes);
|
|
|
|
void memzero_explicit(void *s, size_t count);
|
2012-07-31 04:40:55 +07:00
|
|
|
|
2012-12-18 07:01:18 +07:00
|
|
|
/**
|
|
|
|
* kbasename - return the last part of a pathname.
|
|
|
|
*
|
|
|
|
* @path: path to extract the filename from.
|
|
|
|
*/
|
|
|
|
static inline const char *kbasename(const char *path)
|
|
|
|
{
|
|
|
|
const char *tail = strrchr(path, '/');
|
|
|
|
return tail ? tail + 1 : path;
|
|
|
|
}
|
|
|
|
|
include/linux/string.h: add the option of fortified string.h functions
This adds support for compiling with a rough equivalent to the glibc
_FORTIFY_SOURCE=1 feature, providing compile-time and runtime buffer
overflow checks for string.h functions when the compiler determines the
size of the source or destination buffer at compile-time. Unlike glibc,
it covers buffer reads in addition to writes.
GNU C __builtin_*_chk intrinsics are avoided because they would force a
much more complex implementation. They aren't designed to detect read
overflows and offer no real benefit when using an implementation based
on inline checks. Inline checks don't add up to much code size and
allow full use of the regular string intrinsics while avoiding the need
for a bunch of _chk functions and per-arch assembly to avoid wrapper
overhead.
This detects various overflows at compile-time in various drivers and
some non-x86 core kernel code. There will likely be issues caught in
regular use at runtime too.
Future improvements left out of initial implementation for simplicity,
as it's all quite optional and can be done incrementally:
* Some of the fortified string functions (strncpy, strcat), don't yet
place a limit on reads from the source based on __builtin_object_size of
the source buffer.
* Extending coverage to more string functions like strlcat.
* It should be possible to optionally use __builtin_object_size(x, 1) for
some functions (C strings) to detect intra-object overflows (like
glibc's _FORTIFY_SOURCE=2), but for now this takes the conservative
approach to avoid likely compatibility issues.
* The compile-time checks should be made available via a separate config
option which can be enabled by default (or always enabled) once enough
time has passed to get the issues it catches fixed.
Kees said:
"This is great to have. While it was out-of-tree code, it would have
blocked at least CVE-2016-3858 from being exploitable (improper size
argument to strlcpy()). I've sent a number of fixes for
out-of-bounds-reads that this detected upstream already"
[arnd@arndb.de: x86: fix fortified memcpy]
Link: http://lkml.kernel.org/r/20170627150047.660360-1-arnd@arndb.de
[keescook@chromium.org: avoid panic() in favor of BUG()]
Link: http://lkml.kernel.org/r/20170626235122.GA25261@beast
[keescook@chromium.org: move from -mm, add ARCH_HAS_FORTIFY_SOURCE, tweak Kconfig help]
Link: http://lkml.kernel.org/r/20170526095404.20439-1-danielmicay@gmail.com
Link: http://lkml.kernel.org/r/1497903987-21002-8-git-send-email-keescook@chromium.org
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Daniel Axtens <dja@axtens.net>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-13 04:36:10 +07:00
|
|
|
#define __FORTIFY_INLINE extern __always_inline __attribute__((gnu_inline))
|
|
|
|
#define __RENAME(x) __asm__(#x)
|
|
|
|
|
|
|
|
void fortify_panic(const char *name) __noreturn __cold;
|
|
|
|
void __read_overflow(void) __compiletime_error("detected read beyond size of object passed as 1st parameter");
|
|
|
|
void __read_overflow2(void) __compiletime_error("detected read beyond size of object passed as 2nd parameter");
|
2017-08-15 03:12:38 +07:00
|
|
|
void __read_overflow3(void) __compiletime_error("detected read beyond size of object passed as 3rd parameter");
|
include/linux/string.h: add the option of fortified string.h functions
This adds support for compiling with a rough equivalent to the glibc
_FORTIFY_SOURCE=1 feature, providing compile-time and runtime buffer
overflow checks for string.h functions when the compiler determines the
size of the source or destination buffer at compile-time. Unlike glibc,
it covers buffer reads in addition to writes.
GNU C __builtin_*_chk intrinsics are avoided because they would force a
much more complex implementation. They aren't designed to detect read
overflows and offer no real benefit when using an implementation based
on inline checks. Inline checks don't add up to much code size and
allow full use of the regular string intrinsics while avoiding the need
for a bunch of _chk functions and per-arch assembly to avoid wrapper
overhead.
This detects various overflows at compile-time in various drivers and
some non-x86 core kernel code. There will likely be issues caught in
regular use at runtime too.
Future improvements left out of initial implementation for simplicity,
as it's all quite optional and can be done incrementally:
* Some of the fortified string functions (strncpy, strcat), don't yet
place a limit on reads from the source based on __builtin_object_size of
the source buffer.
* Extending coverage to more string functions like strlcat.
* It should be possible to optionally use __builtin_object_size(x, 1) for
some functions (C strings) to detect intra-object overflows (like
glibc's _FORTIFY_SOURCE=2), but for now this takes the conservative
approach to avoid likely compatibility issues.
* The compile-time checks should be made available via a separate config
option which can be enabled by default (or always enabled) once enough
time has passed to get the issues it catches fixed.
Kees said:
"This is great to have. While it was out-of-tree code, it would have
blocked at least CVE-2016-3858 from being exploitable (improper size
argument to strlcpy()). I've sent a number of fixes for
out-of-bounds-reads that this detected upstream already"
[arnd@arndb.de: x86: fix fortified memcpy]
Link: http://lkml.kernel.org/r/20170627150047.660360-1-arnd@arndb.de
[keescook@chromium.org: avoid panic() in favor of BUG()]
Link: http://lkml.kernel.org/r/20170626235122.GA25261@beast
[keescook@chromium.org: move from -mm, add ARCH_HAS_FORTIFY_SOURCE, tweak Kconfig help]
Link: http://lkml.kernel.org/r/20170526095404.20439-1-danielmicay@gmail.com
Link: http://lkml.kernel.org/r/1497903987-21002-8-git-send-email-keescook@chromium.org
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Daniel Axtens <dja@axtens.net>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-13 04:36:10 +07:00
|
|
|
void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
|
|
|
|
|
|
|
|
#if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
|
|
|
|
__FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
|
|
|
|
{
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
if (__builtin_constant_p(size) && p_size < size)
|
|
|
|
__write_overflow();
|
|
|
|
if (p_size < size)
|
|
|
|
fortify_panic(__func__);
|
|
|
|
return __builtin_strncpy(p, q, size);
|
|
|
|
}
|
|
|
|
|
|
|
|
__FORTIFY_INLINE char *strcat(char *p, const char *q)
|
|
|
|
{
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
if (p_size == (size_t)-1)
|
|
|
|
return __builtin_strcat(p, q);
|
|
|
|
if (strlcat(p, q, p_size) >= p_size)
|
|
|
|
fortify_panic(__func__);
|
|
|
|
return p;
|
|
|
|
}
|
|
|
|
|
|
|
|
__FORTIFY_INLINE __kernel_size_t strlen(const char *p)
|
|
|
|
{
|
|
|
|
__kernel_size_t ret;
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
if (p_size == (size_t)-1)
|
|
|
|
return __builtin_strlen(p);
|
|
|
|
ret = strnlen(p, p_size);
|
|
|
|
if (p_size <= ret)
|
|
|
|
fortify_panic(__func__);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen);
|
|
|
|
__FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen)
|
|
|
|
{
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
__kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size);
|
|
|
|
if (p_size <= ret && maxlen != ret)
|
|
|
|
fortify_panic(__func__);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* defined after fortified strlen to reuse it */
|
|
|
|
extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy);
|
|
|
|
__FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
|
|
|
|
{
|
|
|
|
size_t ret;
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
size_t q_size = __builtin_object_size(q, 0);
|
|
|
|
if (p_size == (size_t)-1 && q_size == (size_t)-1)
|
|
|
|
return __real_strlcpy(p, q, size);
|
|
|
|
ret = strlen(q);
|
|
|
|
if (size) {
|
|
|
|
size_t len = (ret >= size) ? size - 1 : ret;
|
|
|
|
if (__builtin_constant_p(len) && len >= p_size)
|
|
|
|
__write_overflow();
|
|
|
|
if (len >= p_size)
|
|
|
|
fortify_panic(__func__);
|
|
|
|
__builtin_memcpy(p, q, len);
|
|
|
|
p[len] = '\0';
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* defined after fortified strlen and strnlen to reuse them */
|
|
|
|
__FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
|
|
|
|
{
|
|
|
|
size_t p_len, copy_len;
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
size_t q_size = __builtin_object_size(q, 0);
|
|
|
|
if (p_size == (size_t)-1 && q_size == (size_t)-1)
|
|
|
|
return __builtin_strncat(p, q, count);
|
|
|
|
p_len = strlen(p);
|
|
|
|
copy_len = strnlen(q, count);
|
|
|
|
if (p_size < p_len + copy_len + 1)
|
|
|
|
fortify_panic(__func__);
|
|
|
|
__builtin_memcpy(p + p_len, q, copy_len);
|
|
|
|
p[p_len + copy_len] = '\0';
|
|
|
|
return p;
|
|
|
|
}
|
|
|
|
|
|
|
|
__FORTIFY_INLINE void *memset(void *p, int c, __kernel_size_t size)
|
|
|
|
{
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
if (__builtin_constant_p(size) && p_size < size)
|
|
|
|
__write_overflow();
|
|
|
|
if (p_size < size)
|
|
|
|
fortify_panic(__func__);
|
|
|
|
return __builtin_memset(p, c, size);
|
|
|
|
}
|
|
|
|
|
|
|
|
__FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
|
|
|
|
{
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
size_t q_size = __builtin_object_size(q, 0);
|
|
|
|
if (__builtin_constant_p(size)) {
|
|
|
|
if (p_size < size)
|
|
|
|
__write_overflow();
|
|
|
|
if (q_size < size)
|
|
|
|
__read_overflow2();
|
|
|
|
}
|
|
|
|
if (p_size < size || q_size < size)
|
|
|
|
fortify_panic(__func__);
|
|
|
|
return __builtin_memcpy(p, q, size);
|
|
|
|
}
|
|
|
|
|
|
|
|
__FORTIFY_INLINE void *memmove(void *p, const void *q, __kernel_size_t size)
|
|
|
|
{
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
size_t q_size = __builtin_object_size(q, 0);
|
|
|
|
if (__builtin_constant_p(size)) {
|
|
|
|
if (p_size < size)
|
|
|
|
__write_overflow();
|
|
|
|
if (q_size < size)
|
|
|
|
__read_overflow2();
|
|
|
|
}
|
|
|
|
if (p_size < size || q_size < size)
|
|
|
|
fortify_panic(__func__);
|
|
|
|
return __builtin_memmove(p, q, size);
|
|
|
|
}
|
|
|
|
|
|
|
|
extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan);
|
|
|
|
__FORTIFY_INLINE void *memscan(void *p, int c, __kernel_size_t size)
|
|
|
|
{
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
if (__builtin_constant_p(size) && p_size < size)
|
|
|
|
__read_overflow();
|
|
|
|
if (p_size < size)
|
|
|
|
fortify_panic(__func__);
|
|
|
|
return __real_memscan(p, c, size);
|
|
|
|
}
|
|
|
|
|
|
|
|
__FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size)
|
|
|
|
{
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
size_t q_size = __builtin_object_size(q, 0);
|
|
|
|
if (__builtin_constant_p(size)) {
|
|
|
|
if (p_size < size)
|
|
|
|
__read_overflow();
|
|
|
|
if (q_size < size)
|
|
|
|
__read_overflow2();
|
|
|
|
}
|
|
|
|
if (p_size < size || q_size < size)
|
|
|
|
fortify_panic(__func__);
|
|
|
|
return __builtin_memcmp(p, q, size);
|
|
|
|
}
|
|
|
|
|
|
|
|
__FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size)
|
|
|
|
{
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
if (__builtin_constant_p(size) && p_size < size)
|
|
|
|
__read_overflow();
|
|
|
|
if (p_size < size)
|
|
|
|
fortify_panic(__func__);
|
|
|
|
return __builtin_memchr(p, c, size);
|
|
|
|
}
|
|
|
|
|
|
|
|
void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv);
|
|
|
|
__FORTIFY_INLINE void *memchr_inv(const void *p, int c, size_t size)
|
|
|
|
{
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
if (__builtin_constant_p(size) && p_size < size)
|
|
|
|
__read_overflow();
|
|
|
|
if (p_size < size)
|
|
|
|
fortify_panic(__func__);
|
|
|
|
return __real_memchr_inv(p, c, size);
|
|
|
|
}
|
|
|
|
|
|
|
|
extern void *__real_kmemdup(const void *src, size_t len, gfp_t gfp) __RENAME(kmemdup);
|
|
|
|
__FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
|
|
|
|
{
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
if (__builtin_constant_p(size) && p_size < size)
|
|
|
|
__read_overflow();
|
|
|
|
if (p_size < size)
|
|
|
|
fortify_panic(__func__);
|
|
|
|
return __real_kmemdup(p, size, gfp);
|
|
|
|
}
|
2017-07-15 04:28:12 +07:00
|
|
|
|
|
|
|
/* defined after fortified strlen and memcpy to reuse them */
|
|
|
|
__FORTIFY_INLINE char *strcpy(char *p, const char *q)
|
|
|
|
{
|
|
|
|
size_t p_size = __builtin_object_size(p, 0);
|
|
|
|
size_t q_size = __builtin_object_size(q, 0);
|
|
|
|
if (p_size == (size_t)-1 && q_size == (size_t)-1)
|
|
|
|
return __builtin_strcpy(p, q);
|
|
|
|
memcpy(p, q, strlen(q) + 1);
|
|
|
|
return p;
|
|
|
|
}
|
|
|
|
|
include/linux/string.h: add the option of fortified string.h functions
This adds support for compiling with a rough equivalent to the glibc
_FORTIFY_SOURCE=1 feature, providing compile-time and runtime buffer
overflow checks for string.h functions when the compiler determines the
size of the source or destination buffer at compile-time. Unlike glibc,
it covers buffer reads in addition to writes.
GNU C __builtin_*_chk intrinsics are avoided because they would force a
much more complex implementation. They aren't designed to detect read
overflows and offer no real benefit when using an implementation based
on inline checks. Inline checks don't add up to much code size and
allow full use of the regular string intrinsics while avoiding the need
for a bunch of _chk functions and per-arch assembly to avoid wrapper
overhead.
This detects various overflows at compile-time in various drivers and
some non-x86 core kernel code. There will likely be issues caught in
regular use at runtime too.
Future improvements left out of initial implementation for simplicity,
as it's all quite optional and can be done incrementally:
* Some of the fortified string functions (strncpy, strcat), don't yet
place a limit on reads from the source based on __builtin_object_size of
the source buffer.
* Extending coverage to more string functions like strlcat.
* It should be possible to optionally use __builtin_object_size(x, 1) for
some functions (C strings) to detect intra-object overflows (like
glibc's _FORTIFY_SOURCE=2), but for now this takes the conservative
approach to avoid likely compatibility issues.
* The compile-time checks should be made available via a separate config
option which can be enabled by default (or always enabled) once enough
time has passed to get the issues it catches fixed.
Kees said:
"This is great to have. While it was out-of-tree code, it would have
blocked at least CVE-2016-3858 from being exploitable (improper size
argument to strlcpy()). I've sent a number of fixes for
out-of-bounds-reads that this detected upstream already"
[arnd@arndb.de: x86: fix fortified memcpy]
Link: http://lkml.kernel.org/r/20170627150047.660360-1-arnd@arndb.de
[keescook@chromium.org: avoid panic() in favor of BUG()]
Link: http://lkml.kernel.org/r/20170626235122.GA25261@beast
[keescook@chromium.org: move from -mm, add ARCH_HAS_FORTIFY_SOURCE, tweak Kconfig help]
Link: http://lkml.kernel.org/r/20170526095404.20439-1-danielmicay@gmail.com
Link: http://lkml.kernel.org/r/1497903987-21002-8-git-send-email-keescook@chromium.org
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Daniel Axtens <dja@axtens.net>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-13 04:36:10 +07:00
|
|
|
#endif
|
|
|
|
|
2017-08-15 03:12:38 +07:00
|
|
|
/**
|
|
|
|
* memcpy_and_pad - Copy one buffer to another with padding
|
|
|
|
* @dest: Where to copy to
|
|
|
|
* @dest_len: The destination buffer size
|
|
|
|
* @src: Where to copy from
|
|
|
|
* @count: The number of bytes to copy
|
|
|
|
* @pad: Character to use for padding if space is left in destination.
|
|
|
|
*/
|
2017-09-06 19:36:57 +07:00
|
|
|
static inline void memcpy_and_pad(void *dest, size_t dest_len,
|
|
|
|
const void *src, size_t count, int pad)
|
2017-08-15 03:12:38 +07:00
|
|
|
{
|
|
|
|
if (dest_len > count) {
|
|
|
|
memcpy(dest, src, count);
|
|
|
|
memset(dest + count, pad, dest_len - count);
|
|
|
|
} else
|
|
|
|
memcpy(dest, src, dest_len);
|
|
|
|
}
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
#endif /* _LINUX_STRING_H_ */
|