LCOV - code coverage report
Current view: top level - include/linux - fortify-string.h (source / functions) Hit Total Coverage
Test: fstests of 6.5.0-rc3-djwa @ Mon Jul 31 20:08:17 PDT 2023 Lines: 62 106 58.5 %
Date: 2023-07-31 20:08:17 Functions: 0 0 -

          Line data    Source code
       1             : /* SPDX-License-Identifier: GPL-2.0 */
       2             : #ifndef _LINUX_FORTIFY_STRING_H_
       3             : #define _LINUX_FORTIFY_STRING_H_
       4             : 
       5             : #include <linux/bug.h>
       6             : #include <linux/const.h>
       7             : #include <linux/limits.h>
       8             : 
       9             : #define __FORTIFY_INLINE extern __always_inline __gnu_inline __overloadable
      10             : #define __RENAME(x) __asm__(#x)
      11             : 
      12             : void fortify_panic(const char *name) __noreturn __cold;
      13             : void __read_overflow(void) __compiletime_error("detected read beyond size of object (1st parameter)");
      14             : void __read_overflow2(void) __compiletime_error("detected read beyond size of object (2nd parameter)");
      15             : void __read_overflow2_field(size_t avail, size_t wanted) __compiletime_warning("detected read beyond size of field (2nd parameter); maybe use struct_group()?");
      16             : void __write_overflow(void) __compiletime_error("detected write beyond size of object (1st parameter)");
      17             : void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("detected write beyond size of field (1st parameter); maybe use struct_group()?");
      18             : 
      19             : #define __compiletime_strlen(p)                                 \
      20             : ({                                                              \
      21             :         char *__p = (char *)(p);                                \
      22             :         size_t __ret = SIZE_MAX;                                \
      23             :         const size_t __p_size = __member_size(p);               \
      24             :         if (__p_size != SIZE_MAX &&                             \
      25             :             __builtin_constant_p(*__p)) {                       \
      26             :                 size_t __p_len = __p_size - 1;                  \
      27             :                 if (__builtin_constant_p(__p[__p_len]) &&       \
      28             :                     __p[__p_len] == '\0')                       \
      29             :                         __ret = __builtin_strlen(__p);          \
      30             :         }                                                       \
      31             :         __ret;                                                  \
      32             : })
      33             : 
      34             : #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)
      35             : extern void *__underlying_memchr(const void *p, int c, __kernel_size_t size) __RENAME(memchr);
      36             : extern int __underlying_memcmp(const void *p, const void *q, __kernel_size_t size) __RENAME(memcmp);
      37             : extern void *__underlying_memcpy(void *p, const void *q, __kernel_size_t size) __RENAME(memcpy);
      38             : extern void *__underlying_memmove(void *p, const void *q, __kernel_size_t size) __RENAME(memmove);
      39             : extern void *__underlying_memset(void *p, int c, __kernel_size_t size) __RENAME(memset);
      40             : extern char *__underlying_strcat(char *p, const char *q) __RENAME(strcat);
      41             : extern char *__underlying_strcpy(char *p, const char *q) __RENAME(strcpy);
      42             : extern __kernel_size_t __underlying_strlen(const char *p) __RENAME(strlen);
      43             : extern char *__underlying_strncat(char *p, const char *q, __kernel_size_t count) __RENAME(strncat);
      44             : extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) __RENAME(strncpy);
      45             : #else
      46             : 
      47             : #if defined(__SANITIZE_MEMORY__)
      48             : /*
      49             :  * For KMSAN builds all memcpy/memset/memmove calls should be replaced by the
      50             :  * corresponding __msan_XXX functions.
      51             :  */
      52             : #include <linux/kmsan_string.h>
      53             : #define __underlying_memcpy     __msan_memcpy
      54             : #define __underlying_memmove    __msan_memmove
      55             : #define __underlying_memset     __msan_memset
      56             : #else
      57             : #define __underlying_memcpy     __builtin_memcpy
      58             : #define __underlying_memmove    __builtin_memmove
      59             : #define __underlying_memset     __builtin_memset
      60             : #endif
      61             : 
      62             : #define __underlying_memchr     __builtin_memchr
      63             : #define __underlying_memcmp     __builtin_memcmp
      64             : #define __underlying_strcat     __builtin_strcat
      65             : #define __underlying_strcpy     __builtin_strcpy
      66             : #define __underlying_strlen     __builtin_strlen
      67             : #define __underlying_strncat    __builtin_strncat
      68             : #define __underlying_strncpy    __builtin_strncpy
      69             : #endif
      70             : 
      71             : /**
      72             :  * unsafe_memcpy - memcpy implementation with no FORTIFY bounds checking
      73             :  *
      74             :  * @dst: Destination memory address to write to
      75             :  * @src: Source memory address to read from
      76             :  * @bytes: How many bytes to write to @dst from @src
      77             :  * @justification: Free-form text or comment describing why the use is needed
      78             :  *
      79             :  * This should be used for corner cases where the compiler cannot do the
      80             :  * right thing, or during transitions between APIs, etc. It should be used
      81             :  * very rarely, and includes a place for justification detailing where bounds
      82             :  * checking has happened, and why existing solutions cannot be employed.
      83             :  */
      84             : #define unsafe_memcpy(dst, src, bytes, justification)           \
      85             :         __underlying_memcpy(dst, src, bytes)
      86             : 
      87             : /*
      88             :  * Clang's use of __builtin_*object_size() within inlines needs hinting via
      89             :  * __pass_*object_size(). The preference is to only ever use type 1 (member
      90             :  * size, rather than struct size), but there remain some stragglers using
      91             :  * type 0 that will be converted in the future.
      92             :  */
      93             : #if __has_builtin(__builtin_dynamic_object_size)
      94             : #define POS                     __pass_dynamic_object_size(1)
      95             : #define POS0                    __pass_dynamic_object_size(0)
      96             : #define __struct_size(p)        __builtin_dynamic_object_size(p, 0)
      97             : #define __member_size(p)        __builtin_dynamic_object_size(p, 1)
      98             : #else
      99             : #define POS                     __pass_object_size(1)
     100             : #define POS0                    __pass_object_size(0)
     101             : #define __struct_size(p)        __builtin_object_size(p, 0)
     102             : #define __member_size(p)        __builtin_object_size(p, 1)
     103             : #endif
     104             : 
     105             : #define __compiletime_lessthan(bounds, length)  (       \
     106             :         __builtin_constant_p((bounds) < (length)) && \
     107             :         (bounds) < (length)                          \
     108             : )
     109             : 
     110             : /**
     111             :  * strncpy - Copy a string to memory with non-guaranteed NUL padding
     112             :  *
     113             :  * @p: pointer to destination of copy
     114             :  * @q: pointer to NUL-terminated source string to copy
     115             :  * @size: bytes to write at @p
     116             :  *
     117             :  * If strlen(@q) >= @size, the copy of @q will stop after @size bytes,
     118             :  * and @p will NOT be NUL-terminated
     119             :  *
     120             :  * If strlen(@q) < @size, following the copy of @q, trailing NUL bytes
     121             :  * will be written to @p until @size total bytes have been written.
     122             :  *
     123             :  * Do not use this function. While FORTIFY_SOURCE tries to avoid
     124             :  * over-reads of @q, it cannot defend against writing unterminated
     125             :  * results to @p. Using strncpy() remains ambiguous and fragile.
     126             :  * Instead, please choose an alternative, so that the expectation
     127             :  * of @p's contents is unambiguous:
     128             :  *
     129             :  * +--------------------+--------------------+------------+
     130             :  * | **p** needs to be: | padded to **size** | not padded |
     131             :  * +====================+====================+============+
     132             :  * |     NUL-terminated | strscpy_pad()      | strscpy()  |
     133             :  * +--------------------+--------------------+------------+
     134             :  * | not NUL-terminated | strtomem_pad()     | strtomem() |
     135             :  * +--------------------+--------------------+------------+
     136             :  *
     137             :  * Note strscpy*()'s differing return values for detecting truncation,
     138             :  * and strtomem*()'s expectation that the destination is marked with
     139             :  * __nonstring when it is a character array.
     140             :  *
     141             :  */
     142             : __FORTIFY_INLINE __diagnose_as(__builtin_strncpy, 1, 2, 3)
     143             : char *strncpy(char * const POS p, const char *q, __kernel_size_t size)
     144             : {
     145   356642367 :         const size_t p_size = __member_size(p);
     146             : 
     147   356642367 :         if (__compiletime_lessthan(p_size, size))
     148           0 :                 __write_overflow();
     149   356642367 :         if (p_size < size)
     150           0 :                 fortify_panic(__func__);
     151   356642367 :         return __underlying_strncpy(p, q, size);
     152             : }
     153             : 
     154             : extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen);
     155             : /**
     156             :  * strnlen - Return bounded count of characters in a NUL-terminated string
     157             :  *
     158             :  * @p: pointer to NUL-terminated string to count.
     159             :  * @maxlen: maximum number of characters to count.
     160             :  *
     161             :  * Returns number of characters in @p (NOT including the final NUL), or
     162             :  * @maxlen, if no NUL has been found up to there.
     163             :  *
     164             :  */
     165             : __FORTIFY_INLINE __kernel_size_t strnlen(const char * const POS p, __kernel_size_t maxlen)
     166             : {
     167    50366223 :         const size_t p_size = __member_size(p);
     168    50335319 :         const size_t p_len = __compiletime_strlen(p);
     169    13628749 :         size_t ret;
     170             : 
     171             :         /* We can take compile-time actions when maxlen is const. */
     172    13628749 :         if (__builtin_constant_p(maxlen) && p_len != SIZE_MAX) {
     173             :                 /* If p is const, we can use its compile-time-known len. */
     174           0 :                 if (maxlen >= p_size)
     175             :                         return p_len;
     176             :         }
     177             : 
     178             :         /* Do not check characters beyond the end of p. */
     179    49586388 :         ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size);
     180    49586720 :         if (p_size <= ret && maxlen != ret)
     181           0 :                 fortify_panic(__func__);
     182             :         return ret;
     183             : }
     184             : 
     185             : /*
     186             :  * Defined after fortified strnlen to reuse it. However, it must still be
     187             :  * possible for strlen() to be used on compile-time strings for use in
     188             :  * static initializers (i.e. as a constant expression).
     189             :  */
     190             : /**
     191             :  * strlen - Return count of characters in a NUL-terminated string
     192             :  *
     193             :  * @p: pointer to NUL-terminated string to count.
     194             :  *
     195             :  * Do not use this function unless the string length is known at
     196             :  * compile-time. When @p is unterminated, this function may crash
     197             :  * or return unexpected counts that could lead to memory content
     198             :  * exposures. Prefer strnlen().
     199             :  *
     200             :  * Returns number of characters in @p (NOT including the final NUL).
     201             :  *
     202             :  */
     203             : #define strlen(p)                                                       \
     204             :         __builtin_choose_expr(__is_constexpr(__builtin_strlen(p)),      \
     205             :                 __builtin_strlen(p), __fortify_strlen(p))
     206             : __FORTIFY_INLINE __diagnose_as(__builtin_strlen, 1)
     207             : __kernel_size_t __fortify_strlen(const char * const POS p)
     208             : {
     209  2757367124 :         const size_t p_size = __member_size(p);
     210  2757367124 :         __kernel_size_t ret;
     211             : 
     212             :         /* Give up if we don't know how large p is. */
     213  2757367124 :         if (p_size == SIZE_MAX)
     214  2756587290 :                 return __underlying_strlen(p);
     215      779835 :         ret = strnlen(p, p_size);
     216      779835 :         if (p_size <= ret)
     217           0 :                 fortify_panic(__func__);
     218             :         return ret;
     219             : }
     220             : 
     221             : /* Defined after fortified strlen() to reuse it. */
     222             : extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy);
     223             : /**
     224             :  * strlcpy - Copy a string into another string buffer
     225             :  *
     226             :  * @p: pointer to destination of copy
     227             :  * @q: pointer to NUL-terminated source string to copy
     228             :  * @size: maximum number of bytes to write at @p
     229             :  *
     230             :  * If strlen(@q) >= @size, the copy of @q will be truncated at
     231             :  * @size - 1 bytes. @p will always be NUL-terminated.
     232             :  *
     233             :  * Do not use this function. While FORTIFY_SOURCE tries to avoid
     234             :  * over-reads when calculating strlen(@q), it is still possible.
     235             :  * Prefer strscpy(), though note its different return values for
     236             :  * detecting truncation.
     237             :  *
     238             :  * Returns total number of bytes written to @p, including terminating NUL.
     239             :  *
     240             :  */
     241             : __FORTIFY_INLINE size_t strlcpy(char * const POS p, const char * const POS q, size_t size)
     242             : {
     243             :         const size_t p_size = __member_size(p);
     244             :         const size_t q_size = __member_size(q);
     245             :         size_t q_len;   /* Full count of source string length. */
     246             :         size_t len;     /* Count of characters going into destination. */
     247             : 
     248             :         if (p_size == SIZE_MAX && q_size == SIZE_MAX)
     249             :                 return __real_strlcpy(p, q, size);
     250             :         q_len = strlen(q);
     251             :         len = (q_len >= size) ? size - 1 : q_len;
     252             :         if (__builtin_constant_p(size) && __builtin_constant_p(q_len) && size) {
     253             :                 /* Write size is always larger than destination. */
     254             :                 if (len >= p_size)
     255             :                         __write_overflow();
     256             :         }
     257             :         if (size) {
     258             :                 if (len >= p_size)
     259             :                         fortify_panic(__func__);
     260             :                 __underlying_memcpy(p, q, len);
     261             :                 p[len] = '\0';
     262             :         }
     263             :         return q_len;
     264             : }
     265             : 
     266             : /* Defined after fortified strnlen() to reuse it. */
     267             : extern ssize_t __real_strscpy(char *, const char *, size_t) __RENAME(strscpy);
     268             : /**
     269             :  * strscpy - Copy a C-string into a sized buffer
     270             :  *
     271             :  * @p: Where to copy the string to
     272             :  * @q: Where to copy the string from
     273             :  * @size: Size of destination buffer
     274             :  *
     275             :  * Copy the source string @q, or as much of it as fits, into the destination
     276             :  * @p buffer. The behavior is undefined if the string buffers overlap. The
     277             :  * destination @p buffer is always NUL terminated, unless it's zero-sized.
     278             :  *
     279             :  * Preferred to strlcpy() since the API doesn't require reading memory
     280             :  * from the source @q string beyond the specified @size bytes, and since
     281             :  * the return value is easier to error-check than strlcpy()'s.
     282             :  * In addition, the implementation is robust to the string changing out
     283             :  * from underneath it, unlike the current strlcpy() implementation.
     284             :  *
     285             :  * Preferred to strncpy() since it always returns a valid string, and
     286             :  * doesn't unnecessarily force the tail of the destination buffer to be
     287             :  * zero padded. If padding is desired please use strscpy_pad().
     288             :  *
     289             :  * Returns the number of characters copied in @p (not including the
     290             :  * trailing %NUL) or -E2BIG if @size is 0 or the copy of @q was truncated.
     291             :  */
     292             : __FORTIFY_INLINE ssize_t strscpy(char * const POS p, const char * const POS q, size_t size)
     293             : {
     294             :         /* Use string size rather than possible enclosing struct size. */
     295       30904 :         const size_t p_size = __member_size(p);
     296       30904 :         const size_t q_size = __member_size(q);
     297       30904 :         size_t len;
     298             : 
     299             :         /* If we cannot get size of p and q default to call strscpy. */
     300       30904 :         if (p_size == SIZE_MAX && q_size == SIZE_MAX)
     301           2 :                 return __real_strscpy(p, q, size);
     302             : 
     303             :         /*
     304             :          * If size can be known at compile time and is greater than
     305             :          * p_size, generate a compile time write overflow error.
     306             :          */
     307       30902 :         if (__compiletime_lessthan(p_size, size))
     308           0 :                 __write_overflow();
     309             : 
     310             :         /* Short-circuit for compile-time known-safe lengths. */
     311       30902 :         if (__compiletime_lessthan(p_size, SIZE_MAX)) {
     312       30902 :                 len = __compiletime_strlen(q);
     313             : 
     314           0 :                 if (len < SIZE_MAX && __compiletime_lessthan(len, size)) {
     315           0 :                         __underlying_memcpy(p, q, len + 1);
     316           0 :                         return len;
     317             :                 }
     318             :         }
     319             : 
     320             :         /*
     321             :          * This call protects from read overflow, because len will default to q
     322             :          * length if it smaller than size.
     323             :          */
     324       30902 :         len = strnlen(q, size);
     325             :         /*
     326             :          * If len equals size, we will copy only size bytes which leads to
     327             :          * -E2BIG being returned.
     328             :          * Otherwise we will copy len + 1 because of the final '\O'.
     329             :          */
     330       30902 :         len = len == size ? size : len + 1;
     331             : 
     332             :         /*
     333             :          * Generate a runtime write overflow error if len is greater than
     334             :          * p_size.
     335             :          */
     336       30902 :         if (len > p_size)
     337           0 :                 fortify_panic(__func__);
     338             : 
     339             :         /*
     340             :          * We can now safely call vanilla strscpy because we are protected from:
     341             :          * 1. Read overflow thanks to call to strnlen().
     342             :          * 2. Write overflow thanks to above ifs.
     343             :          */
     344       30902 :         return __real_strscpy(p, q, len);
     345             : }
     346             : 
     347             : /* Defined after fortified strlen() to reuse it. */
     348             : extern size_t __real_strlcat(char *p, const char *q, size_t avail) __RENAME(strlcat);
     349             : /**
     350             :  * strlcat - Append a string to an existing string
     351             :  *
     352             :  * @p: pointer to %NUL-terminated string to append to
     353             :  * @q: pointer to %NUL-terminated string to append from
     354             :  * @avail: Maximum bytes available in @p
     355             :  *
     356             :  * Appends %NUL-terminated string @q after the %NUL-terminated
     357             :  * string at @p, but will not write beyond @avail bytes total,
     358             :  * potentially truncating the copy from @q. @p will stay
     359             :  * %NUL-terminated only if a %NUL already existed within
     360             :  * the @avail bytes of @p. If so, the resulting number of
     361             :  * bytes copied from @q will be at most "@avail - strlen(@p) - 1".
     362             :  *
     363             :  * Do not use this function. While FORTIFY_SOURCE tries to avoid
     364             :  * read and write overflows, this is only possible when the sizes
     365             :  * of @p and @q are known to the compiler. Prefer building the
     366             :  * string with formatting, via scnprintf(), seq_buf, or similar.
     367             :  *
     368             :  * Returns total bytes that _would_ have been contained by @p
     369             :  * regardless of truncation, similar to snprintf(). If return
     370             :  * value is >= @avail, the string has been truncated.
     371             :  *
     372             :  */
     373             : __FORTIFY_INLINE
     374             : size_t strlcat(char * const POS p, const char * const POS q, size_t avail)
     375             : {
     376             :         const size_t p_size = __member_size(p);
     377             :         const size_t q_size = __member_size(q);
     378             :         size_t p_len, copy_len;
     379             :         size_t actual, wanted;
     380             : 
     381             :         /* Give up immediately if both buffer sizes are unknown. */
     382             :         if (p_size == SIZE_MAX && q_size == SIZE_MAX)
     383             :                 return __real_strlcat(p, q, avail);
     384             : 
     385             :         p_len = strnlen(p, avail);
     386             :         copy_len = strlen(q);
     387             :         wanted = actual = p_len + copy_len;
     388             : 
     389             :         /* Cannot append any more: report truncation. */
     390             :         if (avail <= p_len)
     391             :                 return wanted;
     392             : 
     393             :         /* Give up if string is already overflowed. */
     394             :         if (p_size <= p_len)
     395             :                 fortify_panic(__func__);
     396             : 
     397             :         if (actual >= avail) {
     398             :                 copy_len = avail - p_len - 1;
     399             :                 actual = p_len + copy_len;
     400             :         }
     401             : 
     402             :         /* Give up if copy will overflow. */
     403             :         if (p_size <= actual)
     404             :                 fortify_panic(__func__);
     405             :         __underlying_memcpy(p + p_len, q, copy_len);
     406             :         p[actual] = '\0';
     407             : 
     408             :         return wanted;
     409             : }
     410             : 
     411             : /* Defined after fortified strlcat() to reuse it. */
     412             : /**
     413             :  * strcat - Append a string to an existing string
     414             :  *
     415             :  * @p: pointer to NUL-terminated string to append to
     416             :  * @q: pointer to NUL-terminated source string to append from
     417             :  *
     418             :  * Do not use this function. While FORTIFY_SOURCE tries to avoid
     419             :  * read and write overflows, this is only possible when the
     420             :  * destination buffer size is known to the compiler. Prefer
     421             :  * building the string with formatting, via scnprintf() or similar.
     422             :  * At the very least, use strncat().
     423             :  *
     424             :  * Returns @p.
     425             :  *
     426             :  */
     427             : __FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2)
     428             : char *strcat(char * const POS p, const char *q)
     429             : {
     430             :         const size_t p_size = __member_size(p);
     431             : 
     432             :         if (strlcat(p, q, p_size) >= p_size)
     433             :                 fortify_panic(__func__);
     434             :         return p;
     435             : }
     436             : 
     437             : /**
     438             :  * strncat - Append a string to an existing string
     439             :  *
     440             :  * @p: pointer to NUL-terminated string to append to
     441             :  * @q: pointer to source string to append from
     442             :  * @count: Maximum bytes to read from @q
     443             :  *
     444             :  * Appends at most @count bytes from @q (stopping at the first
     445             :  * NUL byte) after the NUL-terminated string at @p. @p will be
     446             :  * NUL-terminated.
     447             :  *
     448             :  * Do not use this function. While FORTIFY_SOURCE tries to avoid
     449             :  * read and write overflows, this is only possible when the sizes
     450             :  * of @p and @q are known to the compiler. Prefer building the
     451             :  * string with formatting, via scnprintf() or similar.
     452             :  *
     453             :  * Returns @p.
     454             :  *
     455             :  */
     456             : /* Defined after fortified strlen() and strnlen() to reuse them. */
     457             : __FORTIFY_INLINE __diagnose_as(__builtin_strncat, 1, 2, 3)
     458             : char *strncat(char * const POS p, const char * const POS q, __kernel_size_t count)
     459             : {
     460             :         const size_t p_size = __member_size(p);
     461             :         const size_t q_size = __member_size(q);
     462             :         size_t p_len, copy_len;
     463             : 
     464             :         if (p_size == SIZE_MAX && q_size == SIZE_MAX)
     465             :                 return __underlying_strncat(p, q, count);
     466             :         p_len = strlen(p);
     467             :         copy_len = strnlen(q, count);
     468             :         if (p_size < p_len + copy_len + 1)
     469             :                 fortify_panic(__func__);
     470             :         __underlying_memcpy(p + p_len, q, copy_len);
     471             :         p[p_len + copy_len] = '\0';
     472             :         return p;
     473             : }
     474             : 
     475             : __FORTIFY_INLINE void fortify_memset_chk(__kernel_size_t size,
     476             :                                          const size_t p_size,
     477             :                                          const size_t p_size_field)
     478             : {
     479 54517427302 :         if (__builtin_constant_p(size)) {
     480             :                 /*
     481             :                  * Length argument is a constant expression, so we
     482             :                  * can perform compile-time bounds checking where
     483             :                  * buffer sizes are also known at compile time.
     484             :                  */
     485             : 
     486             :                 /* Error when size is larger than enclosing struct. */
     487 55224907305 :                 if (__compiletime_lessthan(p_size_field, p_size) &&
     488  5497400007 :                     __compiletime_lessthan(p_size, size))
     489           0 :                         __write_overflow();
     490             : 
     491             :                 /* Warn when write size is larger than dest field. */
     492 55224907305 :                 if (__compiletime_lessthan(p_size_field, size))
     493           0 :                         __write_overflow_field(p_size_field, size);
     494             :         }
     495             :         /*
     496             :          * At this point, length argument may not be a constant expression,
     497             :          * so run-time bounds checking can be done where buffer sizes are
     498             :          * known. (This is not an "else" because the above checks may only
     499             :          * be compile-time warnings, and we want to still warn for run-time
     500             :          * overflows.)
     501             :          */
     502             : 
     503             :         /*
     504             :          * Always stop accesses beyond the struct that contains the
     505             :          * field, when the buffer's remaining size is known.
     506             :          * (The SIZE_MAX test is to optimize away checks where the buffer
     507             :          * lengths are unknown.)
     508             :          */
     509 57244783082 :         if (p_size != SIZE_MAX && p_size < size)
     510           0 :                 fortify_panic("memset");
     511             : }
     512             : 
     513             : #define __fortify_memset_chk(p, c, size, p_size, p_size_field) ({       \
     514             :         size_t __fortify_size = (size_t)(size);                         \
     515             :         fortify_memset_chk(__fortify_size, p_size, p_size_field),       \
     516             :         __underlying_memset(p, c, __fortify_size);                      \
     517             : })
     518             : 
     519             : /*
     520             :  * __struct_size() vs __member_size() must be captured here to avoid
     521             :  * evaluating argument side-effects further into the macro layers.
     522             :  */
     523             : #ifndef CONFIG_KMSAN
     524             : #define memset(p, c, s) __fortify_memset_chk(p, c, s,                   \
     525             :                 __struct_size(p), __member_size(p))
     526             : #endif
     527             : 
     528             : /*
     529             :  * To make sure the compiler can enforce protection against buffer overflows,
     530             :  * memcpy(), memmove(), and memset() must not be used beyond individual
     531             :  * struct members. If you need to copy across multiple members, please use
     532             :  * struct_group() to create a named mirror of an anonymous struct union.
     533             :  * (e.g. see struct sk_buff.) Read overflow checking is currently only
     534             :  * done when a write overflow is also present, or when building with W=1.
     535             :  *
     536             :  * Mitigation coverage matrix
     537             :  *                                      Bounds checking at:
     538             :  *                                      +-------+-------+-------+-------+
     539             :  *                                      | Compile time  |   Run time    |
     540             :  * memcpy() argument sizes:             | write | read  | write | read  |
     541             :  *        dest     source   length      +-------+-------+-------+-------+
     542             :  * memcpy(known,   known,   constant)   |   y   |   y   |  n/a  |  n/a  |
     543             :  * memcpy(known,   unknown, constant)   |   y   |   n   |  n/a  |   V   |
     544             :  * memcpy(known,   known,   dynamic)    |   n   |   n   |   B   |   B   |
     545             :  * memcpy(known,   unknown, dynamic)    |   n   |   n   |   B   |   V   |
     546             :  * memcpy(unknown, known,   constant)   |   n   |   y   |   V   |  n/a  |
     547             :  * memcpy(unknown, unknown, constant)   |   n   |   n   |   V   |   V   |
     548             :  * memcpy(unknown, known,   dynamic)    |   n   |   n   |   V   |   B   |
     549             :  * memcpy(unknown, unknown, dynamic)    |   n   |   n   |   V   |   V   |
     550             :  *                                      +-------+-------+-------+-------+
     551             :  *
     552             :  * y = perform deterministic compile-time bounds checking
     553             :  * n = cannot perform deterministic compile-time bounds checking
     554             :  * n/a = no run-time bounds checking needed since compile-time deterministic
     555             :  * B = can perform run-time bounds checking (currently unimplemented)
     556             :  * V = vulnerable to run-time overflow (will need refactoring to solve)
     557             :  *
     558             :  */
     559             : __FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size,
     560             :                                          const size_t p_size,
     561             :                                          const size_t q_size,
     562             :                                          const size_t p_size_field,
     563             :                                          const size_t q_size_field,
     564             :                                          const char *func)
     565             : {
     566 15799641473 :         if (__builtin_constant_p(size)) {
     567             :                 /*
     568             :                  * Length argument is a constant expression, so we
     569             :                  * can perform compile-time bounds checking where
     570             :                  * buffer sizes are also known at compile time.
     571             :                  */
     572             : 
     573             :                 /* Error when size is larger than enclosing struct. */
     574  4899412325 :                 if (__compiletime_lessthan(p_size_field, p_size) &&
     575  2981605194 :                     __compiletime_lessthan(p_size, size))
     576           0 :                         __write_overflow();
     577  4899572411 :                 if (__compiletime_lessthan(q_size_field, q_size) &&
     578  1528697883 :                     __compiletime_lessthan(q_size, size))
     579           0 :                         __read_overflow2();
     580             : 
     581             :                 /* Warn when write size argument larger than dest field. */
     582  4899412325 :                 if (__compiletime_lessthan(p_size_field, size))
     583           0 :                         __write_overflow_field(p_size_field, size);
     584             :                 /*
     585             :                  * Warn for source field over-read when building with W=1
     586             :                  * or when an over-write happened, so both can be fixed at
     587             :                  * the same time.
     588             :                  */
     589  4899412323 :                 if ((IS_ENABLED(KBUILD_EXTRA_WARN1) ||
     590           0 :                      __compiletime_lessthan(p_size_field, size)) &&
     591           0 :                     __compiletime_lessthan(q_size_field, size))
     592           0 :                         __read_overflow2_field(q_size_field, size);
     593             :         }
     594             :         /*
     595             :          * At this point, length argument may not be a constant expression,
     596             :          * so run-time bounds checking can be done where buffer sizes are
     597             :          * known. (This is not an "else" because the above checks may only
     598             :          * be compile-time warnings, and we want to still warn for run-time
     599             :          * overflows.)
     600             :          */
     601             : 
     602             :         /*
     603             :          * Always stop accesses beyond the struct that contains the
     604             :          * field, when the buffer's remaining size is known.
     605             :          * (The SIZE_MAX test is to optimize away checks where the buffer
     606             :          * lengths are unknown.)
     607             :          */
     608 16810250323 :         if ((p_size != SIZE_MAX && p_size < size) ||
     609             :             (q_size != SIZE_MAX && q_size < size))
     610           0 :                 fortify_panic(func);
     611             : 
     612             :         /*
     613             :          * Warn when writing beyond destination field size.
     614             :          *
     615             :          * We must ignore p_size_field == 0 for existing 0-element
     616             :          * fake flexible arrays, until they are all converted to
     617             :          * proper flexible arrays.
     618             :          *
     619             :          * The implementation of __builtin_*object_size() behaves
     620             :          * like sizeof() when not directly referencing a flexible
     621             :          * array member, which means there will be many bounds checks
     622             :          * that will appear at run-time, without a way for them to be
     623             :          * detected at compile-time (as can be done when the destination
     624             :          * is specifically the flexible array member).
     625             :          * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832
     626             :          */
     627 16810250375 :         if (p_size_field != 0 && p_size_field != SIZE_MAX &&
     628  4102536442 :             p_size != p_size_field && p_size_field < size)
     629           0 :                 return true;
     630             : 
     631             :         return false;
     632             : }
     633             : 
     634             : #define __fortify_memcpy_chk(p, q, size, p_size, q_size,                \
     635             :                              p_size_field, q_size_field, op) ({         \
     636             :         const size_t __fortify_size = (size_t)(size);                   \
     637             :         const size_t __p_size = (p_size);                               \
     638             :         const size_t __q_size = (q_size);                               \
     639             :         const size_t __p_size_field = (p_size_field);                   \
     640             :         const size_t __q_size_field = (q_size_field);                   \
     641             :         WARN_ONCE(fortify_memcpy_chk(__fortify_size, __p_size,          \
     642             :                                      __q_size, __p_size_field,          \
     643             :                                      __q_size_field, #op),              \
     644             :                   #op ": detected field-spanning write (size %zu) of single %s (size %zu)\n", \
     645             :                   __fortify_size,                                       \
     646             :                   "field \"" #p "\" at " __FILE__ ":" __stringify(__LINE__), \
     647             :                   __p_size_field);                                      \
     648             :         __underlying_##op(p, q, __fortify_size);                        \
     649             : })
     650             : 
     651             : /*
     652             :  * Notes about compile-time buffer size detection:
     653             :  *
     654             :  * With these types...
     655             :  *
     656             :  *      struct middle {
     657             :  *              u16 a;
     658             :  *              u8 middle_buf[16];
     659             :  *              int b;
     660             :  *      };
     661             :  *      struct end {
     662             :  *              u16 a;
     663             :  *              u8 end_buf[16];
     664             :  *      };
     665             :  *      struct flex {
     666             :  *              int a;
     667             :  *              u8 flex_buf[];
     668             :  *      };
     669             :  *
     670             :  *      void func(TYPE *ptr) { ... }
     671             :  *
     672             :  * Cases where destination size cannot be currently detected:
     673             :  * - the size of ptr's object (seemingly by design, gcc & clang fail):
     674             :  *      __builtin_object_size(ptr, 1) == SIZE_MAX
     675             :  * - the size of flexible arrays in ptr's obj (by design, dynamic size):
     676             :  *      __builtin_object_size(ptr->flex_buf, 1) == SIZE_MAX
     677             :  * - the size of ANY array at the end of ptr's obj (gcc and clang bug):
     678             :  *      __builtin_object_size(ptr->end_buf, 1) == SIZE_MAX
     679             :  *      https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836
     680             :  *
     681             :  * Cases where destination size is currently detected:
     682             :  * - the size of non-array members within ptr's object:
     683             :  *      __builtin_object_size(ptr->a, 1) == 2
     684             :  * - the size of non-flexible-array in the middle of ptr's obj:
     685             :  *      __builtin_object_size(ptr->middle_buf, 1) == 16
     686             :  *
     687             :  */
     688             : 
     689             : /*
     690             :  * __struct_size() vs __member_size() must be captured here to avoid
     691             :  * evaluating argument side-effects further into the macro layers.
     692             :  */
     693             : #define memcpy(p, q, s)  __fortify_memcpy_chk(p, q, s,                  \
     694             :                 __struct_size(p), __struct_size(q),                     \
     695             :                 __member_size(p), __member_size(q),                     \
     696             :                 memcpy)
     697             : #define memmove(p, q, s)  __fortify_memcpy_chk(p, q, s,                 \
     698             :                 __struct_size(p), __struct_size(q),                     \
     699             :                 __member_size(p), __member_size(q),                     \
     700             :                 memmove)
     701             : 
     702             : extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan);
     703             : __FORTIFY_INLINE void *memscan(void * const POS0 p, int c, __kernel_size_t size)
     704             : {
     705             :         const size_t p_size = __struct_size(p);
     706             : 
     707             :         if (__compiletime_lessthan(p_size, size))
     708             :                 __read_overflow();
     709             :         if (p_size < size)
     710             :                 fortify_panic(__func__);
     711             :         return __real_memscan(p, c, size);
     712             : }
     713             : 
     714             : __FORTIFY_INLINE __diagnose_as(__builtin_memcmp, 1, 2, 3)
     715             : int memcmp(const void * const POS0 p, const void * const POS0 q, __kernel_size_t size)
     716             : {
     717 >14976*10^7 :         const size_t p_size = __struct_size(p);
     718 >14976*10^7 :         const size_t q_size = __struct_size(q);
     719             : 
     720 >14975*10^7 :         if (__builtin_constant_p(size)) {
     721 >14326*10^7 :                 if (__compiletime_lessthan(p_size, size))
     722           0 :                         __read_overflow();
     723 >14326*10^7 :                 if (__compiletime_lessthan(q_size, size))
     724           0 :                         __read_overflow2();
     725             :         }
     726 >14976*10^7 :         if (p_size < size || q_size < size)
     727           0 :                 fortify_panic(__func__);
     728 >14975*10^7 :         return __underlying_memcmp(p, q, size);
     729             : }
     730             : 
     731             : __FORTIFY_INLINE __diagnose_as(__builtin_memchr, 1, 2, 3)
     732             : void *memchr(const void * const POS0 p, int c, __kernel_size_t size)
     733             : {
     734 60615660085 :         const size_t p_size = __struct_size(p);
     735             : 
     736 60615660085 :         if (__compiletime_lessthan(p_size, size))
     737           0 :                 __read_overflow();
     738 60615660085 :         if (p_size < size)
     739           0 :                 fortify_panic(__func__);
     740 60615660085 :         return __underlying_memchr(p, c, size);
     741             : }
     742             : 
     743             : void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv);
     744             : __FORTIFY_INLINE void *memchr_inv(const void * const POS0 p, int c, size_t size)
     745             : {
     746  1903047200 :         const size_t p_size = __struct_size(p);
     747             : 
     748  1901142312 :         if (__compiletime_lessthan(p_size, size))
     749           0 :                 __read_overflow();
     750  1901142312 :         if (p_size < size)
     751           0 :                 fortify_panic(__func__);
     752  1903047200 :         return __real_memchr_inv(p, c, size);
     753             : }
     754             : 
     755             : extern void *__real_kmemdup(const void *src, size_t len, gfp_t gfp) __RENAME(kmemdup)
     756             :                                                                     __realloc_size(2);
     757             : __FORTIFY_INLINE void *kmemdup(const void * const POS0 p, size_t size, gfp_t gfp)
     758             : {
     759        3646 :         const size_t p_size = __struct_size(p);
     760             : 
     761        3646 :         if (__compiletime_lessthan(p_size, size))
     762           0 :                 __read_overflow();
     763        3646 :         if (p_size < size)
     764           0 :                 fortify_panic(__func__);
     765        3646 :         return __real_kmemdup(p, size, gfp);
     766             : }
     767             : 
     768             : /**
     769             :  * strcpy - Copy a string into another string buffer
     770             :  *
     771             :  * @p: pointer to destination of copy
     772             :  * @q: pointer to NUL-terminated source string to copy
     773             :  *
     774             :  * Do not use this function. While FORTIFY_SOURCE tries to avoid
     775             :  * overflows, this is only possible when the sizes of @q and @p are
     776             :  * known to the compiler. Prefer strscpy(), though note its different
     777             :  * return values for detecting truncation.
     778             :  *
     779             :  * Returns @p.
     780             :  *
     781             :  */
     782             : /* Defined after fortified strlen to reuse it. */
     783             : __FORTIFY_INLINE __diagnose_as(__builtin_strcpy, 1, 2)
     784             : char *strcpy(char * const POS p, const char * const POS q)
     785             : {
     786           0 :         const size_t p_size = __member_size(p);
     787           0 :         const size_t q_size = __member_size(q);
     788           0 :         size_t size;
     789             : 
     790             :         /* If neither buffer size is known, immediately give up. */
     791           0 :         if (__builtin_constant_p(p_size) &&
     792           0 :             __builtin_constant_p(q_size) &&
     793           0 :             p_size == SIZE_MAX && q_size == SIZE_MAX)
     794           0 :                 return __underlying_strcpy(p, q);
     795           0 :         size = strlen(q) + 1;
     796             :         /* Compile-time check for const size overflow. */
     797           0 :         if (__compiletime_lessthan(p_size, size))
     798           0 :                 __write_overflow();
     799             :         /* Run-time check for dynamic size overflow. */
     800           0 :         if (p_size < size)
     801           0 :                 fortify_panic(__func__);
     802           0 :         __underlying_memcpy(p, q, size);
     803           0 :         return p;
     804             : }
     805             : 
     806             : /* Don't use these outside the FORITFY_SOURCE implementation */
     807             : #undef __underlying_memchr
     808             : #undef __underlying_memcmp
     809             : #undef __underlying_strcat
     810             : #undef __underlying_strcpy
     811             : #undef __underlying_strlen
     812             : #undef __underlying_strncat
     813             : #undef __underlying_strncpy
     814             : 
     815             : #undef POS
     816             : #undef POS0
     817             : 
     818             : #endif /* _LINUX_FORTIFY_STRING_H_ */

Generated by: LCOV version 1.14