[PATCH] string: use __builtin_memcpy() in strlcpy/strlcat
1 view
Skip to first unread message
Alexander Potapenko
Apr 24, 2023, 7:23:19 AM4/24/23
to gli...@google.com, linux-...@vger.kernel.org, linu...@kvack.org, ak...@linux-foundation.org, el...@google.com, dvy...@google.com, kasa...@googlegroups.com, an...@kernel.org, ndesau...@google.com, nat...@kernel.org
lib/string.c is built with -ffreestanding, which prevents the compiler
from replacing certain functions with calls to their library versions.
On the other hand, this also prevents Clang and GCC from instrumenting
calls to memcpy() when building with KASAN, KCSAN or KMSAN:
- KASAN normally replaces memcpy() with __asan_memcpy() with the
additional cc-param,asan-kernel-mem-intrinsic-prefix=1;
- KCSAN and KMSAN replace memcpy() with __tsan_memcpy() and
__msan_memcpy() by default.
To let the tools catch memory accesses from strlcpy/strlcat, replace
the calls to memcpy() with __builtin_memcpy(), which KASAN, KCSAN and
KMSAN are able to replace even in -ffreestanding mode.
This preserves the behavior in normal builds (__builtin_memcpy() ends up
being replaced with memcpy()), and does not introduce new instrumentation
in unwanted places, as strlcpy/strlcat are already instrumented.
Suggested-by: Marco Elver <el...@google.com>
Signed-off-by: Alexander Potapenko <gli...@google.com>
Link: https://lore.kernel.org/all/20230224085942....@google.com/
---
lib/string.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/string.c b/lib/string.c
index 3d55ef8901068..be26623953d2e 100644
--- a/lib/string.c
+++ b/lib/string.c
@@ -110,7 +110,7 @@ size_t strlcpy(char *dest, const char *src, size_t size)
if (size) {
size_t len = (ret >= size) ? size - 1 : ret;
- memcpy(dest, src, len);
+ __builtin_memcpy(dest, src, len);
dest[len] = '\0';
}
return ret;
@@ -260,7 +260,7 @@ size_t strlcat(char *dest, const char *src, size_t count)
count -= dsize;
if (len >= count)
len = count-1;
- memcpy(dest, src, len);
+ __builtin_memcpy(dest, src, len);
dest[len] = 0;
return res;
}
--
2.40.0.634.g4ca3ef3211-goog
from replacing certain functions with calls to their library versions.
On the other hand, this also prevents Clang and GCC from instrumenting
calls to memcpy() when building with KASAN, KCSAN or KMSAN:
- KASAN normally replaces memcpy() with __asan_memcpy() with the
additional cc-param,asan-kernel-mem-intrinsic-prefix=1;
- KCSAN and KMSAN replace memcpy() with __tsan_memcpy() and
__msan_memcpy() by default.
To let the tools catch memory accesses from strlcpy/strlcat, replace
the calls to memcpy() with __builtin_memcpy(), which KASAN, KCSAN and
KMSAN are able to replace even in -ffreestanding mode.
This preserves the behavior in normal builds (__builtin_memcpy() ends up
being replaced with memcpy()), and does not introduce new instrumentation
in unwanted places, as strlcpy/strlcat are already instrumented.
Suggested-by: Marco Elver <el...@google.com>
Signed-off-by: Alexander Potapenko <gli...@google.com>
Link: https://lore.kernel.org/all/20230224085942....@google.com/
---
lib/string.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/string.c b/lib/string.c
index 3d55ef8901068..be26623953d2e 100644
--- a/lib/string.c
+++ b/lib/string.c
@@ -110,7 +110,7 @@ size_t strlcpy(char *dest, const char *src, size_t size)
if (size) {
size_t len = (ret >= size) ? size - 1 : ret;
- memcpy(dest, src, len);
+ __builtin_memcpy(dest, src, len);
dest[len] = '\0';
}
return ret;
@@ -260,7 +260,7 @@ size_t strlcat(char *dest, const char *src, size_t count)
count -= dsize;
if (len >= count)
len = count-1;
- memcpy(dest, src, len);
+ __builtin_memcpy(dest, src, len);
dest[len] = 0;
return res;
}
--
2.40.0.634.g4ca3ef3211-goog
Marco Elver
Apr 24, 2023, 8:40:10 AM4/24/23
to Alexander Potapenko, linux-...@vger.kernel.org, linu...@kvack.org, ak...@linux-foundation.org, dvy...@google.com, kasa...@googlegroups.com, an...@kernel.org, ndesau...@google.com, nat...@kernel.org
On Mon, 24 Apr 2023 at 13:23, Alexander Potapenko <gli...@google.com> wrote:
>
> lib/string.c is built with -ffreestanding, which prevents the compiler
> from replacing certain functions with calls to their library versions.
>
> On the other hand, this also prevents Clang and GCC from instrumenting
> calls to memcpy() when building with KASAN, KCSAN or KMSAN:
> - KASAN normally replaces memcpy() with __asan_memcpy() with the
> additional cc-param,asan-kernel-mem-intrinsic-prefix=1;
> - KCSAN and KMSAN replace memcpy() with __tsan_memcpy() and
> __msan_memcpy() by default.
>
> To let the tools catch memory accesses from strlcpy/strlcat, replace
> the calls to memcpy() with __builtin_memcpy(), which KASAN, KCSAN and
> KMSAN are able to replace even in -ffreestanding mode.
>
> This preserves the behavior in normal builds (__builtin_memcpy() ends up
> being replaced with memcpy()), and does not introduce new instrumentation
> in unwanted places, as strlcpy/strlcat are already instrumented.
>
> Suggested-by: Marco Elver <el...@google.com>
> Signed-off-by: Alexander Potapenko <gli...@google.com>
> Link: https://lore.kernel.org/all/20230224085942....@google.com/
Reviewed-by: Marco Elver <el...@google.com>
>
> lib/string.c is built with -ffreestanding, which prevents the compiler
> from replacing certain functions with calls to their library versions.
>
> On the other hand, this also prevents Clang and GCC from instrumenting
> calls to memcpy() when building with KASAN, KCSAN or KMSAN:
> - KASAN normally replaces memcpy() with __asan_memcpy() with the
> additional cc-param,asan-kernel-mem-intrinsic-prefix=1;
> - KCSAN and KMSAN replace memcpy() with __tsan_memcpy() and
> __msan_memcpy() by default.
>
> To let the tools catch memory accesses from strlcpy/strlcat, replace
> the calls to memcpy() with __builtin_memcpy(), which KASAN, KCSAN and
> KMSAN are able to replace even in -ffreestanding mode.
>
> This preserves the behavior in normal builds (__builtin_memcpy() ends up
> being replaced with memcpy()), and does not introduce new instrumentation
> in unwanted places, as strlcpy/strlcat are already instrumented.
>
> Suggested-by: Marco Elver <el...@google.com>
> Signed-off-by: Alexander Potapenko <gli...@google.com>
> Link: https://lore.kernel.org/all/20230224085942....@google.com/
Looks reasonable.
Kees Cook
Apr 24, 2023, 12:24:54 PM4/24/23
to Alexander Potapenko, linux-...@vger.kernel.org, linu...@kvack.org, ak...@linux-foundation.org, el...@google.com, dvy...@google.com, kasa...@googlegroups.com, an...@kernel.org, ndesau...@google.com, nat...@kernel.org
replaced and checked separately -- but it still seems strange that you
need to explicitly use __builtin_memcpy.
Does this end up changing fortify coverage?
--
Kees Cook
Alexander Potapenko
Apr 28, 2023, 9:49:09 AM4/28/23
to Kees Cook, linux-...@vger.kernel.org, linu...@kvack.org, ak...@linux-foundation.org, el...@google.com, dvy...@google.com, kasa...@googlegroups.com, an...@kernel.org, ndesau...@google.com, nat...@kernel.org
>
> I *think* this isn't a problem for CONFIG_FORTIFY, since these will be
> replaced and checked separately -- but it still seems strange that you
> need to explicitly use __builtin_memcpy.
>
> Does this end up changing fortify coverage?
Is fortify relevant here? Note that the whole file is compiled with
> I *think* this isn't a problem for CONFIG_FORTIFY, since these will be
> replaced and checked separately -- but it still seems strange that you
> need to explicitly use __builtin_memcpy.
>
> Does this end up changing fortify coverage?
__NO_FORTIFY.
Alexander Potapenko
May 10, 2023, 3:49:22 AM5/10/23
to Kees Cook, linux-...@vger.kernel.org, linu...@kvack.org, ak...@linux-foundation.org, el...@google.com, dvy...@google.com, kasa...@googlegroups.com, an...@kernel.org, ndesau...@google.com, nat...@kernel.org
On Fri, Apr 28, 2023 at 3:48 PM Alexander Potapenko <gli...@google.com> wrote:
>FORTIFY_SOURCE glidear
> I *think* this isn't a problem for CONFIG_FORTIFY, since these will be
> replaced and checked separately -- but it still seems strange that you
> need to explicitly use __builtin_memcpy.
Or did you mean we'd better use __underlying_memcpy() here instead? I am a bit puzzled.
Kees Cook
May 10, 2023, 12:07:52 PM5/10/23
to Alexander Potapenko, linux-...@vger.kernel.org, linu...@kvack.org, ak...@linux-foundation.org, el...@google.com, dvy...@google.com, kasa...@googlegroups.com, an...@kernel.org, ndesau...@google.com, nat...@kernel.org
with this.
Acked-by: Kees Cook <kees...@chromium.org>
--
Kees Cook
Alexander Potapenko
May 10, 2023, 12:08:23 PM5/10/23
to Kees Cook, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, el...@google.com, dvy...@google.com, kasa...@googlegroups.com, an...@kernel.org, ndesau...@google.com, nat...@kernel.org
@Andrew, would it be possible to queue it for 6.4?
--
Alexander Potapenko
Software Engineer
Google Germany GmbH
Erika-Mann-Straße, 33
80636 München
Geschäftsführer: Paul Manicle, Liana Sebastian
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Reply all
Reply to author
Forward
0 new messages