| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 Apr 2023 11:27:10 -0700
From: Nick Desaulniers <ndesaulniers@...gle.com>
To: kernel test robot <lkp@...el.com>
Cc: Kees Cook <keescook@...omium.org>, linux-hardening@...r.kernel.org,
oe-kbuild-all@...ts.linux.dev, Andy Shevchenko <andy@...nel.org>,
Cezary Rojewski <cezary.rojewski@...el.com>,
Puyou Lu <puyou.lu@...il.com>, Mark Brown <broonie@...nel.org>,
Josh Poimboeuf <jpoimboe@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Brendan Higgins <brendan.higgins@...ux.dev>,
David Gow <davidgow@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Linux Memory Management List <linux-mm@...ck.org>,
Nathan Chancellor <nathan@...nel.org>,
Alexander Potapenko <glider@...gle.com>,
Zhaoyang Huang <zhaoyang.huang@...soc.com>,
Randy Dunlap <rdunlap@...radead.org>,
Geert Uytterhoeven <geert+renesas@...der.be>,
Miguel Ojeda <ojeda@...nel.org>,
Alexander Lobakin <aleksander.lobakin@...el.com>,
Liam Howlett <liam.howlett@...cle.com>,
Vlastimil Babka <vbabka@...e.cz>,
Dan Williams <dan.j.williams@...el.com>,
Rasmus Villemoes <linux@...musvillemoes.dk>,
Yury Norov <yury.norov@...il.com>,
"Jason A. Donenfeld" <Jason@...c4.com>,
Sander Vanheule <sander@...nheule.net>,
Eric Biggers <ebiggers@...gle.com>,
"Masami Hiramatsu (Google)" <mhiramat@...nel.org>,
Andrey Konovalov <andreyknvl@...il.com>
Subject: Re: [PATCH v2 09/10] fortify: Add KUnit tests for runtime overflows
On Fri, Apr 7, 2023 at 5:33 PM kernel test robot <lkp@...el.com> wrote:
>
> Hi Kees,
>
> kernel test robot noticed the following build warnings:
>
> [auto build test WARNING on kees/for-next/hardening]
> [also build test WARNING on kees/for-next/pstore kees/for-next/kspp linus/master tip/x86/core v6.3-rc5 next-20230406]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url: https://github.com/intel-lab-lkp/linux/commits/Kees-Cook/kunit-tool-Enable-CONFIG_FORTIFY_SOURCE-under-UML/20230408-032959
> base: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/hardening
> patch link: https://lore.kernel.org/r/20230407192717.636137-9-keescook%40chromium.org
> patch subject: [PATCH v2 09/10] fortify: Add KUnit tests for runtime overflows
> config: openrisc-randconfig-r034-20230405 (https://download.01.org/0day-ci/archive/20230408/202304080811.nYP4KpPZ-lkp@intel.com/config)
> compiler: or1k-linux-gcc (GCC) 12.1.0
> reproduce (this is a W=1 build):
> wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
> chmod +x ~/bin/make.cross
> # https://github.com/intel-lab-lkp/linux/commit/d212962ef7682ee160bf38fa455475558f031759
> git remote add linux-review https://github.com/intel-lab-lkp/linux
> git fetch --no-tags linux-review Kees-Cook/kunit-tool-Enable-CONFIG_FORTIFY_SOURCE-under-UML/20230408-032959
> git checkout d212962ef7682ee160bf38fa455475558f031759
> # save the config file
> mkdir build_dir && cp config build_dir/.config
> COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=openrisc olddefconfig
> COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=openrisc SHELL=/bin/bash lib/
>
> If you fix the issue, kindly add following tag where applicable
> | Reported-by: kernel test robot <lkp@...el.com>
> | Link: https://lore.kernel.org/oe-kbuild-all/202304080811.nYP4KpPZ-lkp@intel.com/
>
> All warnings (new ones prefixed by >>):
>
> In file included from lib/fortify_kunit.c:28:
> lib/fortify_kunit.c: In function 'strnlen_test':
> >> lib/fortify_kunit.c:412:31: warning: 'strnlen' specified bound 33 exceeds source size 32 [-Wstringop-overread]
If we expect to validate the runtime behavior of fortify, but using
constants that the compiler can check for readability in this test,
then we might need to use the
_Pragma/__diag infrastructure from include/linux/compiler_types.h to
disable -Wstringop-overread; or disable it at the makefile level.
> 412 | KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 1), end);
> include/kunit/test.h:584:38: note: in definition of macro 'KUNIT_BASE_BINARY_ASSERTION'
> 584 | const typeof(left) __left = (left); \
> | ^~~~
> include/kunit/test.h:776:9: note: in expansion of macro 'KUNIT_BINARY_INT_ASSERTION'
> 776 | KUNIT_BINARY_INT_ASSERTION(test, \
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~
> include/kunit/test.h:773:9: note: in expansion of macro 'KUNIT_EXPECT_EQ_MSG'
> 773 | KUNIT_EXPECT_EQ_MSG(test, left, right, NULL)
> | ^~~~~~~~~~~~~~~~~~~
> lib/fortify_kunit.c:412:9: note: in expansion of macro 'KUNIT_EXPECT_EQ'
> 412 | KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 1), end);
> | ^~~~~~~~~~~~~~~
> lib/fortify_kunit.c:359:14: note: source object allocated here
> 359 | char buf[32];
> | ^~~
> lib/fortify_kunit.c:414:31: warning: 'strnlen' specified bound 34 exceeds source size 32 [-Wstringop-overread]
> 414 | KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 2), end);
> include/kunit/test.h:584:38: note: in definition of macro 'KUNIT_BASE_BINARY_ASSERTION'
> 584 | const typeof(left) __left = (left); \
> | ^~~~
> include/kunit/test.h:776:9: note: in expansion of macro 'KUNIT_BINARY_INT_ASSERTION'
> 776 | KUNIT_BINARY_INT_ASSERTION(test, \
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~
> include/kunit/test.h:773:9: note: in expansion of macro 'KUNIT_EXPECT_EQ_MSG'
> 773 | KUNIT_EXPECT_EQ_MSG(test, left, right, NULL)
> | ^~~~~~~~~~~~~~~~~~~
> lib/fortify_kunit.c:414:9: note: in expansion of macro 'KUNIT_EXPECT_EQ'
> 414 | KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 2), end);
> | ^~~~~~~~~~~~~~~
> lib/fortify_kunit.c:359:14: note: source object allocated here
> 359 | char buf[32];
> | ^~~
>
>
> vim +/strnlen +412 lib/fortify_kunit.c
>
> 387
> 388 static void strnlen_test(struct kunit *test)
> 389 {
> 390 struct fortify_padding pad = { };
> 391 int i, end = sizeof(pad.buf) - 1;
> 392
> 393 /* Fill 31 bytes with valid characters. */
> 394 for (i = 0; i < sizeof(pad.buf) - 1; i++)
> 395 pad.buf[i] = i + '0';
> 396 /* Trailing bytes are still %NUL. */
> 397 KUNIT_EXPECT_EQ(test, pad.buf[end], '\0');
> 398 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
> 399
> 400 /* String is terminated, so strnlen() is valid. */
> 401 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, sizeof(pad.buf)), end);
> 402 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
> 403 /* A truncated strnlen() will be safe, too. */
> 404 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, sizeof(pad.buf) / 2),
> 405 sizeof(pad.buf) / 2);
> 406 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
> 407
> 408 /* Make string unterminated, and recount. */
> 409 pad.buf[end] = 'A';
> 410 end = sizeof(pad.buf);
> 411 /* Reading beyond with strncpy() will fail. */
> > 412 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 1), end);
> 413 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
> 414 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 2), end);
> 415 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
> 416
> 417 /* Early-truncated is safe still, though. */
> 418 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end), end);
> 419 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
> 420
> 421 end = sizeof(pad.buf) / 2;
> 422 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end), end);
> 423 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
> 424 }
> 425
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests
--
Thanks,
~Nick Desaulniers
Powered by blists - more mailing lists