Re: linux-next: Tree for May 16 (security/landlock/ruleset.c)
From: Kees Cook <kees@kernel.org>
Date: 2025-05-20 16:47:43
Also in: linux-next, lkml
On Tue, May 20, 2025 at 05:01:51PM +0300, Andy Shevchenko wrote:
On Mon, May 19, 2025 at 12:15:30PM -0700, Kees Cook wrote:
On Mon, May 19, 2025 at 08:41:17PM +0200, Mickaël Salaün wrote:
...
From 6fbf66fdfd0a7dac809b77faafdd72c60112bb8d Mon Sep 17 00:00:00 2001From: Kees Cook <kees@kernel.org> Date: Mon, 19 May 2025 11:52:06 -0700 Subject: [PATCH] string.h: Provide basic sanity checks for fallback memcpy() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Instead of defining memcpy() in terms of __builtin_memcpy() deep in arch/x86/include/asm/string_32.h, notice that it is needed up in the general string.h, as done with other common C String APIs. This allows us to add basic sanity checking for pathological "size" arguments to memcpy(). Besides the run-time checking benefit, this avoids GCC trying to be very smart about value range tracking[1] when CONFIG_PROFILE_ALL_BRANCHES=y but FORTIFY_SOURCE=n. Link: https://lore.kernel.org/all/202505191117.C094A90F88@keescook/ (local) [1] Reported-by: kernel test robot <redacted> Closes: https://lore.kernel.org/all/202501040747.S3LYfvYq-lkp@intel.com/ (local) Reported-by: Randy Dunlap <redacted> Closes: https://lore.kernel.org/all/e3754f69-1dea-4542-8de0-a567a14fb95b@infradead.org/ (local) Signed-off-by: Kees Cook <kees@kernel.org> --- Cc: "Mickaël Salaün" <mic@digikod.net> Cc: Thomas Gleixner <redacted> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: <x86@kernel.org> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Andy Shevchenko <andy@kernel.org> Cc: Uros Bizjak <redacted> Cc: <redacted> --- arch/x86/include/asm/string_32.h | 6 ------ include/linux/string.h | 13 +++++++++++++ 2 files changed, 13 insertions(+), 6 deletions(-)diff --git a/arch/x86/include/asm/string_32.h b/arch/x86/include/asm/string_32.h index e9cce169bb4c..74397c95fa37 100644 --- a/arch/x86/include/asm/string_32.h 
+++ b/arch/x86/include/asm/string_32.h@@ -145,12 +145,6 @@ static __always_inline void *__constant_memcpy(void *to, const void *from, #define __HAVE_ARCH_MEMCPY extern void *memcpy(void *, const void *, size_t); -#ifndef CONFIG_FORTIFY_SOURCE - -#define memcpy(t, f, n) __builtin_memcpy(t, f, n) - -#endif /* !CONFIG_FORTIFY_SOURCE */ - #define __HAVE_ARCH_MEMMOVE void *memmove(void *dest, const void *src, size_t n);diff --git a/include/linux/string.h b/include/linux/string.h index 01621ad0f598..ffcee31a14f9 100644 --- a/include/linux/string.h +++ b/include/linux/string.h@@ -3,6 +3,7 @@ #define _LINUX_STRING_H_ #include <linux/args.h> +#include <linux/bug.h>
In case you go with this change, please keep the headers in order.
#include <linux/array_size.h>
(should be located here)
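Review bot: in the arch/x86/include/asm/string_32.h hunk, removing the "#define memcpy(t, f, n) __builtin_memcpy(t, f, n)" block leaves only __HAVE_ARCH_MEMCPY and the extern declaration of memcpy() in that header, so !CONFIG_FORTIFY_SOURCE builds now depend entirely on the fallback added to include/linux/string.h. The commit message should say explicitly that the fallback becomes common to every architecture instead of 32-bit x86 only, because that widens the set of builds whose memcpy() expansion changes.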
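Review bot: in the include/linux/string.h hunk, only the added "#include <linux/bug.h>" is visible out of the 13 insertions listed in the diffstat, so the size check itself cannot be read from this quote. Because linux/bug.h is being pulled into a header that is included almost everywhere, the commit message should state what the check does when it trips (whether the copy is skipped or still performed after the warning) and which "size" values count as pathological.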
Oops, yes, that was my intent but I typoed my insert, it seems. Fixed now; thanks!
-Kees
--
Kees Cook