linux/arch/x86/boot/compressed
Daniel Micay 6974f0c455 include/linux/string.h: add the option of fortified string.h functions
This adds support for compiling with a rough equivalent to the glibc
_FORTIFY_SOURCE=1 feature, providing compile-time and runtime buffer
overflow checks for string.h functions when the compiler determines the
size of the source or destination buffer at compile-time.  Unlike glibc,
it covers buffer reads in addition to writes.

GNU C __builtin_*_chk intrinsics are avoided because they would force a
much more complex implementation.  They aren't designed to detect read
overflows and offer no real benefit when using an implementation based
on inline checks.  Inline checks don't add up to much code size and
allow full use of the regular string intrinsics while avoiding the need
for a bunch of _chk functions and per-arch assembly to avoid wrapper
overhead.

This detects various overflows at compile-time in various drivers and
some non-x86 core kernel code.  There will likely be issues caught in
regular use at runtime too.

Future improvements left out of initial implementation for simplicity,
as it's all quite optional and can be done incrementally:

* Some of the fortified string functions (strncpy, strcat), don't yet
  place a limit on reads from the source based on __builtin_object_size of
  the source buffer.

* Extending coverage to more string functions like strlcat.

* It should be possible to optionally use __builtin_object_size(x, 1) for
  some functions (C strings) to detect intra-object overflows (like
  glibc's _FORTIFY_SOURCE=2), but for now this takes the conservative
  approach to avoid likely compatibility issues.

* The compile-time checks should be made available via a separate config
  option which can be enabled by default (or always enabled) once enough
  time has passed to get the issues it catches fixed.

Kees said:
 "This is great to have. While it was out-of-tree code, it would have
  blocked at least CVE-2016-3858 from being exploitable (improper size
  argument to strlcpy()). I've sent a number of fixes for
  out-of-bounds-reads that this detected upstream already"

[arnd@arndb.de: x86: fix fortified memcpy]
  Link: http://lkml.kernel.org/r/20170627150047.660360-1-arnd@arndb.de
[keescook@chromium.org: avoid panic() in favor of BUG()]
  Link: http://lkml.kernel.org/r/20170626235122.GA25261@beast
[keescook@chromium.org: move from -mm, add ARCH_HAS_FORTIFY_SOURCE, tweak Kconfig help]
Link: http://lkml.kernel.org/r/20170526095404.20439-1-danielmicay@gmail.com
Link: http://lkml.kernel.org/r/1497903987-21002-8-git-send-email-keescook@chromium.org
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Daniel Axtens <dja@axtens.net>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-12 16:26:03 -07:00
..
.gitignore x86, boot: add new generated files to the appropriate .gitignore files 2009-06-02 21:13:30 -07:00
Makefile x86/boot: Use CROSS_COMPILE prefix for readelf 2017-05-21 13:04:27 +02:00
cmdline.c x86/KASLR: Parse all 'memmap=' boot option entries 2017-05-24 09:50:27 +02:00
cpuflags.c x86, boot: Rename get_flags() and check_flags() to *_cpuflags() 2013-10-13 04:08:56 -07:00
early_serial_console.c x86, boot: Don't compile early_serial_console.c when !CONFIG_EARLY_PRINTK 2014-08-17 14:58:24 -07:00
eboot.c x86/boot/efi: Define __KERNEL32_CS GDT on 64-bit configurations 2017-06-13 08:56:53 +02:00
eboot.h efi/libstub: Move Graphics Output Protocol handling to generic code 2016-04-28 11:33:57 +02:00
efi_stub_32.S x86, efi: EFI boot stub support 2011-12-12 14:26:10 -08:00
efi_stub_64.S x86/efi: Avoid triple faults during EFI mixed mode calls 2015-02-13 15:42:56 +00:00
efi_thunk_64.S x86/efi: Avoid triple faults during EFI mixed mode calls 2015-02-13 15:42:56 +00:00
error.c x86/boot: Fix Sparse warning by including required header file 2017-03-31 08:13:54 +02:00
error.h x86/boot: Declare error() as noreturn 2017-05-07 10:59:05 +02:00
head_32.S x86/efi: Allow invocation of arbitrary runtime services 2017-02-07 10:42:09 +01:00
head_64.S x86/boot/compressed: Enable 5-level paging during decompression stage 2017-06-13 08:56:53 +02:00
kaslr.c Merge branch 'x86-boot-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-07-03 13:40:38 -07:00
misc.c include/linux/string.h: add the option of fortified string.h functions 2017-07-12 16:26:03 -07:00
misc.h x86/boot/KASLR: Fix kexec crash due to 'virt_addr' calculation bug 2017-06-30 08:53:14 +02:00
mkpiggy.c x86/KASLR: Clean up unused code from old 'run_size' and rename it to 'kernel_total_size' 2016-04-29 11:03:30 +02:00
pagetable.c x86/KASLR: Fix detection 32/64 bit bootloaders for 5-level paging 2017-06-30 08:56:53 +02:00
string.c x86/boot: Warn on future overlapping memcpy() use 2016-05-03 08:15:58 +02:00
vmlinux.lds.S x86/boot: Move compressed kernel to the end of the decompression buffer 2016-04-29 11:03:29 +02:00