• Daniel Micay's avatar
    include/linux/string.h: add the option of fortified string.h functions · 6974f0c4
    Daniel Micay authored
    This adds support for compiling with a rough equivalent to the glibc
    _FORTIFY_SOURCE=1 feature, providing compile-time and runtime buffer
    overflow checks for string.h functions when the compiler determines the
    size of the source or destination buffer at compile-time.  Unlike glibc,
    it covers buffer reads in addition to writes.
    
    GNU C __builtin_*_chk intrinsics are avoided because they would force a
    much more complex implementation.  They aren't designed to detect read
    overflows and offer no real benefit when using an implementation based
    on inline checks.  Inline checks don't add up to much code size and
    allow full use of the regular string intrinsics while avoiding the need
    for a bunch of _chk functions and per-arch assembly to avoid wrapper
    overhead.
    
    This detects various overflows at compile-time in various drivers and
    some non-x86 core kernel code.  There will likely be issues caught in
    regular use at runtime too.
    
    Future improvements left out of initial implementation for simplicity,
    as it's all quite optional and can be done incrementally:
    
    * Some of the fortified string functions (strncpy, strcat), don't yet
      place a limit on reads from the source based on __builtin_object_size of
      the source buffer.
    
    * Extending coverage to more string functions like strlcat.
    
    * It should be possible to optionally use __builtin_object_size(x, 1) for
      some functions (C strings) to detect intra-object overflows (like
      glibc's _FORTIFY_SOURCE=2), but for now this takes the conservative
      approach to avoid likely compatibility issues.
    
    * The compile-time checks should be made available via a separate config
      option which can be enabled by default (or always enabled) once enough
      time has passed to get the issues it catches fixed.
    
    Kees said:
     "This is great to have. While it was out-of-tree code, it would have
      blocked at least CVE-2016-3858 from being exploitable (improper size
      argument to strlcpy()). I've sent a number of fixes for
      out-of-bounds-reads that this detected upstream already"
    
    [arnd@arndb.de: x86: fix fortified memcpy]
      Link: http://lkml.kernel.org/r/20170627150047.660360-1-arnd@arndb.de
    [keescook@chromium.org: avoid panic() in favor of BUG()]
      Link: http://lkml.kernel.org/r/20170626235122.GA25261@beast
    [keescook@chromium.org: move from -mm, add ARCH_HAS_FORTIFY_SOURCE, tweak Kconfig help]
    Link: http://lkml.kernel.org/r/20170526095404.20439-1-danielmicay@gmail.com
    Link: http://lkml.kernel.org/r/1497903987-21002-8-git-send-email-keescook@chromium.orgSigned-off-by: default avatarDaniel Micay <danielmicay@gmail.com>
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
    Acked-by: default avatarKees Cook <keescook@chromium.org>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Daniel Axtens <dja@axtens.net>
    Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
    Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: Chris Metcalf <cmetcalf@ezchip.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: "H. Peter Anvin" <hpa@zytor.com>
    Cc: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    6974f0c4
Kconfig 33.8 KB