mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-12-29 01:05:29 +00:00
fortify: Add compile-time FORTIFY_SOURCE tests
While the run-time testing of FORTIFY_SOURCE is already present in LKDTM, there is no testing of the expected compile-time detections. In preparation for correctly supporting FORTIFY_SOURCE under Clang, adding additional FORTIFY_SOURCE defenses, and making sure FORTIFY_SOURCE doesn't silently regress with GCC, introduce a build-time test suite that checks each expected compile-time failure condition. As this is relatively backwards from standard build rules in the sense that a successful test is actually a compile _failure_, create a wrapper script to check for the correct errors, and wire it up as a dummy dependency to lib/string.o, collecting the results into a log file artifact. Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
parent
3009f891bb
commit
be58f71037
@ -7323,6 +7323,15 @@ L: netdev@vger.kernel.org
|
||||
S: Maintained
|
||||
F: drivers/net/ethernet/nvidia/*
|
||||
|
||||
FORTIFY_SOURCE
|
||||
M: Kees Cook <keescook@chromium.org>
|
||||
L: linux-hardening@vger.kernel.org
|
||||
S: Supported
|
||||
F: include/linux/fortify-string.h
|
||||
F: lib/test_fortify/*
|
||||
F: scripts/test_fortify.sh
|
||||
K: \b__NO_FORTIFY\b
|
||||
|
||||
FPGA DFL DRIVERS
|
||||
M: Wu Hao <hao.wu@intel.com>
|
||||
R: Tom Rix <trix@redhat.com>
|
||||
|
2
lib/.gitignore
vendored
2
lib/.gitignore
vendored
@ -4,3 +4,5 @@
|
||||
/gen_crc32table
|
||||
/gen_crc64table
|
||||
/oid_registry_data.c
|
||||
/test_fortify.log
|
||||
/test_fortify/*.log
|
||||
|
33
lib/Makefile
33
lib/Makefile
@ -360,3 +360,36 @@ obj-$(CONFIG_CMDLINE_KUNIT_TEST) += cmdline_kunit.o
|
||||
obj-$(CONFIG_SLUB_KUNIT_TEST) += slub_kunit.o
|
||||
|
||||
obj-$(CONFIG_GENERIC_LIB_DEVMEM_IS_ALLOWED) += devmem_is_allowed.o
|
||||
|
||||
# FORTIFY_SOURCE compile-time behavior tests
|
||||
TEST_FORTIFY_SRCS = $(wildcard $(srctree)/$(src)/test_fortify/*-*.c)
|
||||
TEST_FORTIFY_LOGS = $(patsubst $(srctree)/$(src)/%.c, %.log, $(TEST_FORTIFY_SRCS))
|
||||
TEST_FORTIFY_LOG = test_fortify.log
|
||||
|
||||
quiet_cmd_test_fortify = TEST $@
|
||||
cmd_test_fortify = $(CONFIG_SHELL) $(srctree)/scripts/test_fortify.sh \
|
||||
$< $@ "$(NM)" $(CC) $(c_flags) \
|
||||
$(call cc-disable-warning,fortify-source)
|
||||
|
||||
targets += $(TEST_FORTIFY_LOGS)
|
||||
clean-files += $(TEST_FORTIFY_LOGS)
|
||||
clean-files += $(addsuffix .o, $(TEST_FORTIFY_LOGS))
|
||||
$(obj)/test_fortify/%.log: $(src)/test_fortify/%.c \
|
||||
$(src)/test_fortify/test_fortify.h \
|
||||
$(srctree)/include/linux/fortify-string.h \
|
||||
$(srctree)/scripts/test_fortify.sh \
|
||||
FORCE
|
||||
$(call if_changed,test_fortify)
|
||||
|
||||
quiet_cmd_gen_fortify_log = GEN $@
|
||||
cmd_gen_fortify_log = cat </dev/null $(filter-out FORCE,$^) 2>/dev/null > $@ || true
|
||||
|
||||
targets += $(TEST_FORTIFY_LOG)
|
||||
clean-files += $(TEST_FORTIFY_LOG)
|
||||
$(obj)/$(TEST_FORTIFY_LOG): $(addprefix $(obj)/, $(TEST_FORTIFY_LOGS)) FORCE
|
||||
$(call if_changed,gen_fortify_log)
|
||||
|
||||
# Fake dependency to trigger the fortify tests.
|
||||
ifeq ($(CONFIG_FORTIFY_SOURCE),y)
|
||||
$(obj)/string.o: $(obj)/$(TEST_FORTIFY_LOG)
|
||||
endif
|
||||
|
5
lib/test_fortify/read_overflow-memchr.c
Normal file
5
lib/test_fortify/read_overflow-memchr.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
memchr(small, 0x7A, sizeof(small) + 1)
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/read_overflow-memchr_inv.c
Normal file
5
lib/test_fortify/read_overflow-memchr_inv.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
memchr_inv(small, 0x7A, sizeof(small) + 1)
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/read_overflow-memcmp.c
Normal file
5
lib/test_fortify/read_overflow-memcmp.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
memcmp(small, large, sizeof(small) + 1)
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/read_overflow-memscan.c
Normal file
5
lib/test_fortify/read_overflow-memscan.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
memscan(small, 0x7A, sizeof(small) + 1)
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/read_overflow2-memcmp.c
Normal file
5
lib/test_fortify/read_overflow2-memcmp.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
memcmp(large, small, sizeof(small) + 1)
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/read_overflow2-memcpy.c
Normal file
5
lib/test_fortify/read_overflow2-memcpy.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
memcpy(large, instance.buf, sizeof(large))
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/read_overflow2-memmove.c
Normal file
5
lib/test_fortify/read_overflow2-memmove.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
memmove(large, instance.buf, sizeof(large))
|
||||
|
||||
#include "test_fortify.h"
|
35
lib/test_fortify/test_fortify.h
Normal file
35
lib/test_fortify/test_fortify.h
Normal file
@ -0,0 +1,35 @@
|
||||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
#include <linux/kernel.h>
|
||||
#include <linux/printk.h>
|
||||
#include <linux/slab.h>
|
||||
#include <linux/string.h>
|
||||
|
||||
void do_fortify_tests(void);
|
||||
|
||||
#define __BUF_SMALL 16
|
||||
#define __BUF_LARGE 32
|
||||
struct fortify_object {
|
||||
int a;
|
||||
char buf[__BUF_SMALL];
|
||||
int c;
|
||||
};
|
||||
|
||||
#define LITERAL_SMALL "AAAAAAAAAAAAAAA"
|
||||
#define LITERAL_LARGE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
|
||||
const char small_src[__BUF_SMALL] = LITERAL_SMALL;
|
||||
const char large_src[__BUF_LARGE] = LITERAL_LARGE;
|
||||
|
||||
char small[__BUF_SMALL];
|
||||
char large[__BUF_LARGE];
|
||||
struct fortify_object instance;
|
||||
size_t size;
|
||||
|
||||
void do_fortify_tests(void)
|
||||
{
|
||||
/* Normal initializations. */
|
||||
memset(&instance, 0x32, sizeof(instance));
|
||||
memset(small, 0xA5, sizeof(small));
|
||||
memset(large, 0x5A, sizeof(large));
|
||||
|
||||
TEST;
|
||||
}
|
5
lib/test_fortify/write_overflow-memcpy.c
Normal file
5
lib/test_fortify/write_overflow-memcpy.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
memcpy(instance.buf, large_src, sizeof(large_src))
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/write_overflow-memmove.c
Normal file
5
lib/test_fortify/write_overflow-memmove.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
memmove(instance.buf, large_src, sizeof(large_src))
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/write_overflow-memset.c
Normal file
5
lib/test_fortify/write_overflow-memset.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
memset(instance.buf, 0x5A, sizeof(large_src))
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/write_overflow-strcpy-lit.c
Normal file
5
lib/test_fortify/write_overflow-strcpy-lit.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
strcpy(small, LITERAL_LARGE)
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/write_overflow-strcpy.c
Normal file
5
lib/test_fortify/write_overflow-strcpy.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
strcpy(small, large_src)
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/write_overflow-strlcpy-src.c
Normal file
5
lib/test_fortify/write_overflow-strlcpy-src.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
strlcpy(small, large_src, sizeof(small) + 1)
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/write_overflow-strlcpy.c
Normal file
5
lib/test_fortify/write_overflow-strlcpy.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
strlcpy(instance.buf, large_src, sizeof(instance.buf) + 1)
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/write_overflow-strncpy-src.c
Normal file
5
lib/test_fortify/write_overflow-strncpy-src.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
strncpy(small, large_src, sizeof(small) + 1)
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/write_overflow-strncpy.c
Normal file
5
lib/test_fortify/write_overflow-strncpy.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
strncpy(instance.buf, large_src, sizeof(instance.buf) + 1)
|
||||
|
||||
#include "test_fortify.h"
|
5
lib/test_fortify/write_overflow-strscpy.c
Normal file
5
lib/test_fortify/write_overflow-strscpy.c
Normal file
@ -0,0 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
#define TEST \
|
||||
strscpy(instance.buf, large_src, sizeof(instance.buf) + 1)
|
||||
|
||||
#include "test_fortify.h"
|
62
scripts/test_fortify.sh
Normal file
62
scripts/test_fortify.sh
Normal file
@ -0,0 +1,62 @@
|
||||
#!/bin/sh
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
set -e
|
||||
|
||||
# Argument 1: Source file to build.
|
||||
IN="$1"
|
||||
shift
|
||||
# Extract just the filename for error messages below.
|
||||
FILE="${IN##*/}"
|
||||
# Extract the function name for error messages below.
|
||||
FUNC="${FILE#*-}"
|
||||
FUNC="${FUNC%%-*}"
|
||||
FUNC="${FUNC%%.*}"
|
||||
# Extract the symbol to test for in build/symbol test below.
|
||||
WANT="__${FILE%%-*}"
|
||||
|
||||
# Argument 2: Where to write the build log.
|
||||
OUT="$1"
|
||||
shift
|
||||
TMP="${OUT}.tmp"
|
||||
|
||||
# Argument 3: Path to "nm" tool.
|
||||
NM="$1"
|
||||
shift
|
||||
|
||||
# Remaining arguments are: $(CC) $(c_flags)
|
||||
|
||||
# Clean up temporary file at exit.
|
||||
__cleanup() {
|
||||
rm -f "$TMP"
|
||||
}
|
||||
trap __cleanup EXIT
|
||||
|
||||
# Function names in warnings are wrapped in backticks under UTF-8 locales.
|
||||
# Run the commands with LANG=C so that grep output will not change.
|
||||
export LANG=C
|
||||
|
||||
status=
|
||||
# Attempt to build a source that is expected to fail with a specific warning.
|
||||
if "$@" -Werror -c "$IN" -o "$OUT".o 2> "$TMP" ; then
|
||||
# If the build succeeds, either the test has failed or the
|
||||
# warning may only happen at link time (Clang). In that case,
|
||||
# make sure the expected symbol is unresolved in the symbol list.
|
||||
# If so, FORTIFY is working for this case.
|
||||
if ! $NM -A "$OUT".o | grep -m1 "\bU ${WANT}$" >>"$TMP" ; then
|
||||
status="warning: unsafe ${FUNC}() usage lacked '$WANT' symbol in $IN"
|
||||
fi
|
||||
else
|
||||
# If the build failed, check for the warning in the stderr (gcc).
|
||||
if ! grep -q -m1 "error: call to .\b${WANT}\b." "$TMP" ; then
|
||||
status="warning: unsafe ${FUNC}() usage lacked '$WANT' warning in $IN"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$status" ]; then
|
||||
# Report on failure results, including compilation warnings.
|
||||
echo "$status" | tee "$OUT" >&2
|
||||
else
|
||||
# Report on good results, and save any compilation output to log.
|
||||
echo "ok: unsafe ${FUNC}() usage correctly detected with '$WANT' in $IN" >"$OUT"
|
||||
fi
|
||||
cat "$TMP" >>"$OUT"
|
Loading…
Reference in New Issue
Block a user