Skip to content

Commit

Permalink
Merge tag 'overflow-v5.16-rc1' of git://git.kernel.org/pub/scm/linux/…
Browse files Browse the repository at this point in the history
…kernel/git/kees/linux

Pull overflow updates from Kees Cook:
 "The end goal of the current buffer overflow detection work[0] is to
  gain full compile-time and run-time coverage of all detectable buffer
  overflows seen via array indexing or memcpy(), memmove(), and
  memset(). The str*() family of functions already have full coverage.

  While much of the work for these changes have been on-going for many
  releases (i.e. 0-element and 1-element array replacements, as well as
  avoiding false positives and fixing discovered overflows[1]), this
  series contains the foundational elements of several related buffer
  overflow detection improvements by providing new common helpers and
  FORTIFY_SOURCE changes needed to gain the introspection required for
  compiler visibility into array sizes. Also included are a handful of
  already Acked instances using the helpers (or related clean-ups), with
  many more waiting at the ready to be taken via subsystem-specific
  trees[2].

  The new helpers are:

   - struct_group() for gaining struct member range introspection

   - memset_after() and memset_startat() for clearing to the end of
     structures

   - DECLARE_FLEX_ARRAY() for using flex arrays in unions or alone in
     structs

  Also included is the beginning of the refactoring of FORTIFY_SOURCE to
  support memcpy() introspection, fix missing and regressed coverage
  under GCC, and to prepare to fix the currently broken Clang support.
  Finishing this work is part of the larger series[0], but depends on
  all the false positives and buffer overflow bug fixes to have landed
  already and those that depend on this series to land.

  As part of the FORTIFY_SOURCE refactoring, a set of both a
  compile-time and run-time tests are added for FORTIFY_SOURCE and the
  mem*()-family functions respectively. The compile time tests have
  found a legitimate (though corner-case) bug[6] already.

  Please note that the appearance of "panic" and "BUG" in the
  FORTIFY_SOURCE refactoring are the result of relocating existing code,
  and no new use of those code-paths are expected nor desired.

  Finally, there are two tree-wide conversions for 0-element arrays and
  flexible array unions to gain sane compiler introspection coverage
  that result in no known object code differences.

  After this series (and the changes that have now landed via netdev and
  usb), we are very close to finally being able to build with
  -Warray-bounds and -Wzero-length-bounds.

  However, due corner cases in GCC[3] and Clang[4], I have not included
  the last two patches that turn on these options, as I don't want to
  introduce any known warnings to the build. Hopefully these can be
  solved soon"

Link: https://lore.kernel.org/lkml/[email protected]/ [0]
Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=FORTIFY_SOURCE [1]
Link: https://lore.kernel.org/lkml/202108220107.3E26FE6C9C@keescook/ [2]
Link: https://lore.kernel.org/lkml/[email protected]/ [3]
Link: https://bugs.llvm.org/show_bug.cgi?id=51682 [4]
Link: https://lore.kernel.org/lkml/202109051257.29B29745C0@keescook/ [5]
Link: https://lore.kernel.org/lkml/[email protected]/ [6]

* tag 'overflow-v5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: (30 commits)
  fortify: strlen: Avoid shadowing previous locals
  compiler-gcc.h: Define __SANITIZE_ADDRESS__ under hwaddress sanitizer
  treewide: Replace 0-element memcpy() destinations with flexible arrays
  treewide: Replace open-coded flex arrays in unions
  stddef: Introduce DECLARE_FLEX_ARRAY() helper
  btrfs: Use memset_startat() to clear end of struct
  string.h: Introduce memset_startat() for wiping trailing members and padding
  xfrm: Use memset_after() to clear padding
  string.h: Introduce memset_after() for wiping trailing members/padding
  lib: Introduce CONFIG_MEMCPY_KUNIT_TEST
  fortify: Add compile-time FORTIFY_SOURCE tests
  fortify: Allow strlen() and strnlen() to pass compile-time known lengths
  fortify: Prepare to improve strnlen() and strlen() warnings
  fortify: Fix dropped strcpy() compile-time write overflow check
  fortify: Explicitly disable Clang support
  fortify: Move remaining fortify helpers into fortify-string.h
  lib/string: Move helper functions out of string.c
  compiler_types.h: Remove __compiletime_object_size()
  cm4000_cs: Use struct_group() to zero struct cm4000_dev region
  can: flexcan: Use struct_group() to zero struct flexcan_regs regions
  ...
  • Loading branch information
torvalds committed Nov 2, 2021
2 parents f594e28 + 95cadae commit 2dc26d9
Show file tree
Hide file tree
Showing 76 changed files with 1,160 additions and 446 deletions.
9 changes: 9 additions & 0 deletions MAINTAINERS
Original file line number Diff line number Diff line change
Expand Up @@ -7341,6 +7341,15 @@ L: [email protected]
S: Maintained
F: drivers/net/ethernet/nvidia/*

FORTIFY_SOURCE
M: Kees Cook <[email protected]>
L: [email protected]
S: Supported
F: include/linux/fortify-string.h
F: lib/test_fortify/*
F: scripts/test_fortify.sh
K: \b__NO_FORTIFY\b

FPGA DFL DRIVERS
M: Wu Hao <[email protected]>
R: Tom Rix <[email protected]>
Expand Down
1 change: 1 addition & 0 deletions arch/arm/boot/compressed/string.c
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
* Small subset of simple string routines
*/

#define __NO_FORTIFY
#include <linux/string.h>

/*
Expand Down
3 changes: 3 additions & 0 deletions arch/s390/lib/string.c
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@
*/

#define IN_ARCH_STRING_C 1
#ifndef __NO_FORTIFY
# define __NO_FORTIFY
#endif

#include <linux/types.h>
#include <linux/string.h>
Expand Down
2 changes: 2 additions & 0 deletions arch/x86/boot/compressed/misc.h
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@
#undef CONFIG_KASAN
#undef CONFIG_KASAN_GENERIC

#define __NO_FORTIFY

/* cpu_feature_enabled() cannot be used this early */
#define USE_EARLY_PGTABLE_L5

Expand Down
2 changes: 2 additions & 0 deletions arch/x86/boot/compressed/pgtable_64.c
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
// SPDX-License-Identifier: GPL-2.0
#include "misc.h"
#include <linux/efi.h>
#include <asm/e820/types.h>
#include <asm/processor.h>
Expand Down
1 change: 1 addition & 0 deletions arch/x86/lib/string_32.c
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
* strings.
*/

#define __NO_FORTIFY
#include <linux/string.h>
#include <linux/export.h>

Expand Down
9 changes: 4 additions & 5 deletions drivers/char/pcmcia/cm4000_cs.c
Original file line number Diff line number Diff line change
Expand Up @@ -116,8 +116,9 @@ struct cm4000_dev {
wait_queue_head_t atrq; /* wait for ATR valid */
wait_queue_head_t readq; /* used by write to wake blk.read */

/* warning: do not move this fields.
/* warning: do not move this struct group.
* initialising to zero depends on it - see ZERO_DEV below. */
struct_group(init,
unsigned char atr_csum;
unsigned char atr_len_retry;
unsigned short atr_len;
Expand All @@ -140,12 +141,10 @@ struct cm4000_dev {

struct timer_list timer; /* used to keep monitor running */
int monitor_running;
);
};

#define ZERO_DEV(dev) \
memset(&dev->atr_csum,0, \
sizeof(struct cm4000_dev) - \
offsetof(struct cm4000_dev, atr_csum))
#define ZERO_DEV(dev) memset(&((dev)->init), 0, sizeof((dev)->init))

static struct pcmcia_device *dev_table[CM4000_MAX_DEV];
static struct class *cmm_class;
Expand Down
14 changes: 9 additions & 5 deletions drivers/crypto/chelsio/chcr_crypto.h
Original file line number Diff line number Diff line change
Expand Up @@ -222,8 +222,10 @@ struct chcr_authenc_ctx {
};

struct __aead_ctx {
struct chcr_gcm_ctx gcm[0];
struct chcr_authenc_ctx authenc[];
union {
DECLARE_FLEX_ARRAY(struct chcr_gcm_ctx, gcm);
DECLARE_FLEX_ARRAY(struct chcr_authenc_ctx, authenc);
};
};

struct chcr_aead_ctx {
Expand All @@ -245,9 +247,11 @@ struct hmac_ctx {
};

struct __crypto_ctx {
struct hmac_ctx hmacctx[0];
struct ablk_ctx ablkctx[0];
struct chcr_aead_ctx aeadctx[];
union {
DECLARE_FLEX_ARRAY(struct hmac_ctx, hmacctx);
DECLARE_FLEX_ARRAY(struct ablk_ctx, ablkctx);
DECLARE_FLEX_ARRAY(struct chcr_aead_ctx, aeadctx);
};
};

struct chcr_context {
Expand Down
61 changes: 18 additions & 43 deletions drivers/cxl/cxl.h
Original file line number Diff line number Diff line change
Expand Up @@ -75,52 +75,27 @@ static inline int cxl_hdm_decoder_count(u32 cap_hdr)
#define CXLDEV_MBOX_BG_CMD_STATUS_OFFSET 0x18
#define CXLDEV_MBOX_PAYLOAD_OFFSET 0x20

#define CXL_COMPONENT_REGS() \
void __iomem *hdm_decoder

#define CXL_DEVICE_REGS() \
void __iomem *status; \
void __iomem *mbox; \
void __iomem *memdev

/* See note for 'struct cxl_regs' for the rationale of this organization */
/*
* CXL_COMPONENT_REGS - Common set of CXL Component register block base pointers
* @hdm_decoder: CXL 2.0 8.2.5.12 CXL HDM Decoder Capability Structure
*/
struct cxl_component_regs {
CXL_COMPONENT_REGS();
};

/* See note for 'struct cxl_regs' for the rationale of this organization */
/*
* CXL_DEVICE_REGS - Common set of CXL Device register block base pointers
* @status: CXL 2.0 8.2.8.3 Device Status Registers
* @mbox: CXL 2.0 8.2.8.4 Mailbox Registers
* @memdev: CXL 2.0 8.2.8.5 Memory Device Registers
*/
struct cxl_device_regs {
CXL_DEVICE_REGS();
};

/*
* Note, the anonymous union organization allows for per
* register-block-type helper routines, without requiring block-type
* agnostic code to include the prefix.
* Using struct_group() allows for per register-block-type helper routines,
* without requiring block-type agnostic code to include the prefix.
*/
struct cxl_regs {
union {
struct {
CXL_COMPONENT_REGS();
};
struct cxl_component_regs component;
};
union {
struct {
CXL_DEVICE_REGS();
};
struct cxl_device_regs device_regs;
};
/*
* Common set of CXL Component register block base pointers
* @hdm_decoder: CXL 2.0 8.2.5.12 CXL HDM Decoder Capability Structure
*/
struct_group_tagged(cxl_component_regs, component,
void __iomem *hdm_decoder;
);
/*
* Common set of CXL Device register block base pointers
* @status: CXL 2.0 8.2.8.3 Device Status Registers
* @mbox: CXL 2.0 8.2.8.4 Mailbox Registers
* @memdev: CXL 2.0 8.2.8.5 Memory Device Registers
*/
struct_group_tagged(cxl_device_regs, device_regs,
void __iomem *status, *mbox, *memdev;
);
};

struct cxl_reg_map {
Expand Down
27 changes: 14 additions & 13 deletions drivers/gpu/drm/mga/mga_ioc32.c
Original file line number Diff line number Diff line change
Expand Up @@ -38,16 +38,18 @@
typedef struct drm32_mga_init {
int func;
u32 sarea_priv_offset;
int chipset;
int sgram;
unsigned int maccess;
unsigned int fb_cpp;
unsigned int front_offset, front_pitch;
unsigned int back_offset, back_pitch;
unsigned int depth_cpp;
unsigned int depth_offset, depth_pitch;
unsigned int texture_offset[MGA_NR_TEX_HEAPS];
unsigned int texture_size[MGA_NR_TEX_HEAPS];
struct_group(always32bit,
int chipset;
int sgram;
unsigned int maccess;
unsigned int fb_cpp;
unsigned int front_offset, front_pitch;
unsigned int back_offset, back_pitch;
unsigned int depth_cpp;
unsigned int depth_offset, depth_pitch;
unsigned int texture_offset[MGA_NR_TEX_HEAPS];
unsigned int texture_size[MGA_NR_TEX_HEAPS];
);
u32 fb_offset;
u32 mmio_offset;
u32 status_offset;
Expand All @@ -67,9 +69,8 @@ static int compat_mga_init(struct file *file, unsigned int cmd,

init.func = init32.func;
init.sarea_priv_offset = init32.sarea_priv_offset;
memcpy(&init.chipset, &init32.chipset,
offsetof(drm_mga_init_t, fb_offset) -
offsetof(drm_mga_init_t, chipset));
memcpy(&init.always32bit, &init32.always32bit,
sizeof(init32.always32bit));
init.fb_offset = init32.fb_offset;
init.mmio_offset = init32.mmio_offset;
init.status_offset = init32.status_offset;
Expand Down
14 changes: 8 additions & 6 deletions drivers/hid/hid-cp2112.c
Original file line number Diff line number Diff line change
Expand Up @@ -129,10 +129,12 @@ struct cp2112_xfer_status_report {

struct cp2112_string_report {
u8 dummy; /* force .string to be aligned */
u8 report; /* CP2112_*_STRING */
u8 length; /* length in bytes of everyting after .report */
u8 type; /* USB_DT_STRING */
wchar_t string[30]; /* UTF16_LITTLE_ENDIAN string */
struct_group_attr(contents, __packed,
u8 report; /* CP2112_*_STRING */
u8 length; /* length in bytes of everything after .report */
u8 type; /* USB_DT_STRING */
wchar_t string[30]; /* UTF16_LITTLE_ENDIAN string */
);
} __packed;

/* Number of times to request transfer status before giving up waiting for a
Expand Down Expand Up @@ -986,8 +988,8 @@ static ssize_t pstr_show(struct device *kdev,
u8 length;
int ret;

ret = cp2112_hid_get(hdev, attr->report, &report.report,
sizeof(report) - 1, HID_FEATURE_REPORT);
ret = cp2112_hid_get(hdev, attr->report, (u8 *)&report.contents,
sizeof(report.contents), HID_FEATURE_REPORT);
if (ret < 3) {
hid_err(hdev, "error reading %s string: %d\n", kattr->attr.name,
ret);
Expand Down
2 changes: 1 addition & 1 deletion drivers/hid/hid-roccat-kone.c
Original file line number Diff line number Diff line change
Expand Up @@ -857,7 +857,7 @@ static int kone_raw_event(struct hid_device *hdev, struct hid_report *report,
memcpy(&kone->last_mouse_event, event,
sizeof(struct kone_mouse_event));
else
memset(&event->tilt, 0, 5);
memset(&event->wipe, 0, sizeof(event->wipe));

kone_keep_values_up_to_date(kone, event);

Expand Down
12 changes: 7 additions & 5 deletions drivers/hid/hid-roccat-kone.h
Original file line number Diff line number Diff line change
Expand Up @@ -152,11 +152,13 @@ struct kone_mouse_event {
uint16_t x;
uint16_t y;
uint8_t wheel; /* up = 1, down = -1 */
uint8_t tilt; /* right = 1, left = -1 */
uint8_t unknown;
uint8_t event;
uint8_t value; /* press = 0, release = 1 */
uint8_t macro_key; /* 0 to 8 */
struct_group(wipe,
uint8_t tilt; /* right = 1, left = -1 */
uint8_t unknown;
uint8_t event;
uint8_t value; /* press = 0, release = 1 */
uint8_t macro_key; /* 0 to 8 */
);
} __attribute__ ((__packed__));

enum kone_mouse_events {
Expand Down
9 changes: 6 additions & 3 deletions drivers/iommu/amd/init.c
Original file line number Diff line number Diff line change
Expand Up @@ -121,8 +121,10 @@ struct ivhd_entry {
u8 type;
u16 devid;
u8 flags;
u32 ext;
u32 hidh;
struct_group(ext_hid,
u32 ext;
u32 hidh;
);
u64 cid;
u8 uidf;
u8 uidl;
Expand Down Expand Up @@ -1377,7 +1379,8 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu,
break;
}

memcpy(hid, (u8 *)(&e->ext), ACPIHID_HID_LEN - 1);
BUILD_BUG_ON(sizeof(e->ext_hid) != ACPIHID_HID_LEN - 1);
memcpy(hid, &e->ext_hid, ACPIHID_HID_LEN - 1);
hid[ACPIHID_HID_LEN - 1] = '\0';

if (!(*hid)) {
Expand Down
3 changes: 2 additions & 1 deletion drivers/macintosh/smu.c
Original file line number Diff line number Diff line change
Expand Up @@ -848,7 +848,8 @@ int smu_queue_i2c(struct smu_i2c_cmd *cmd)
cmd->read = cmd->info.devaddr & 0x01;
switch(cmd->info.type) {
case SMU_I2C_TRANSFER_SIMPLE:
memset(&cmd->info.sublen, 0, 4);
cmd->info.sublen = 0;
memset(cmd->info.subaddr, 0, sizeof(cmd->info.subaddr));
break;
case SMU_I2C_TRANSFER_COMBINED:
cmd->info.devaddr &= 0xfe;
Expand Down
Loading

0 comments on commit 2dc26d9

Please sign in to comment.